-rw-r--r--RELEASE-NOTES-1.208
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/Import.php7
-rw-r--r--includes/media/SVGMetadataExtractor.php11
-rw-r--r--includes/parser/Parser.php5
5 files changed, 30 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20
index a7197ec1..d03ca1fa 100644
--- a/RELEASE-NOTES-1.20
+++ b/RELEASE-NOTES-1.20
@@ -3,6 +3,14 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
+== MediaWiki 1.20.4 ==
+
+This is a security release of the MediaWiki 1.20 branch.
+
+=== Changes since 1.20.3 ===
+* (bug 47251) SECURITY: Disable external entities in Import
+* (bug 46859) SECURITY: Disable external entities in XMLReader
+* (bug 46084) SECURITY: Sanitize $limitReport before outputting
== MediaWiki 1.20.3 ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 426c11ad..ed566b3b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -59,7 +59,7 @@ if( !defined( 'MEDIAWIKI' ) ) {
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.20.3';
+$wgVersion = '1.20.4';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/Import.php b/includes/Import.php
index 11f37952..c32c6793 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -432,9 +432,15 @@ class WikiImporter {
* @return bool
*/
public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
$this->reader->read();
if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
throw new MWException( "Expected <mediawiki> tag, got ".
$this->reader->name );
}
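Review bot: The loader state is restored only on the two exits visible here — the `MWException` branch above and the `return true` in the second hunk — so any exception raised in the read loop between the hunks (a handler throwing, a later `MWException`) leaves entity loading disabled for the rest of the request, because libxml_disable_entity_loader() is process-global state rather than per-reader. That is fail-safe for XXE, but it can break later XML work in the same request that legitimately expands entities, and it scatters the restore across every exit. A single try/catch around the body that restores and rethrows keeps one restore path (a `finally` would be cleaner if the branch's minimum PHP version allows it, which I cannot tell from here). doImport's body continues past the end of this hunk into the second hunk.
```php
public function doImport() {
    // Calls to reader->read need to be wrapped in calls to
    // libxml_disable_entity_loader() to avoid local file
    // inclusion attacks (bug 46932). The setting is process-global,
    // so it must be restored on every exit path.
    $oldDisable = libxml_disable_entity_loader( true );
    try {
        $this->reader->read();
        if ( $this->reader->name != 'mediawiki' ) {
            throw new MWException( "Expected <mediawiki> tag, got ".
                $this->reader->name );
        }
        // … unchanged: attribute debug output, main read loop and handlers …
    } catch ( Exception $e ) {
        libxml_disable_entity_loader( $oldDisable );
        throw $e;
    }
    libxml_disable_entity_loader( $oldDisable );
    return true;
}
```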
@@ -473,6 +479,7 @@ class WikiImporter {
}
}
+ libxml_disable_entity_loader( $oldDisable );
return true;
}
diff --git a/includes/media/SVGMetadataExtractor.php b/includes/media/SVGMetadataExtractor.php
index 851fe428..e0740385 100644
--- a/includes/media/SVGMetadataExtractor.php
+++ b/includes/media/SVGMetadataExtractor.php
@@ -77,7 +77,12 @@ class SVGReader {
// Expand entities, since Adobe Illustrator uses them for xmlns
// attributes (bug 31719). Note that libxml2 has some protection
// against large recursive entity expansions so this is not as
- // insecure as it might appear to be.
+ // insecure as it might appear to be. However, it is still extremely
+ // insecure. It's necessary to wrap any read() calls with
+ // libxml_disable_entity_loader() to avoid arbitrary local file
+ // inclusion, or even arbitrary code execution if the expect
+ // extension is installed (bug 46859).
+ $oldDisable = libxml_disable_entity_loader( true );
$this->reader->setParserProperty( XMLReader::SUBST_ENTITIES, true );
$this->metadata['width'] = self::DEFAULT_WIDTH;
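Review bot: The rewritten comment still opens by saying libxml2's recursion protection makes this "not as insecure as it might appear to be" and then contradicts itself with "it is still extremely insecure"; the first half is a leftover and should go, since the guard on the next line is needed regardless of recursion limits. Suggested wording: `// Expand entities, since Adobe Illustrator uses them for xmlns attributes (bug 31719). Entity expansion lets a crafted SVG pull in arbitrary local files, or run code if the expect extension is loaded, so every read() must execute with libxml_disable_entity_loader( true ) in effect (bug 46859).` The matching restore calls are in the next hunk, and the enclosing method starts outside this hunk.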
@@ -99,9 +104,11 @@ class SVGReader {
// Note, if this happens, the width/height will be taken to be 0x0.
// Should we consider it the default 512x512 instead?
wfRestoreWarnings();
+ libxml_disable_entity_loader( $oldDisable );
throw $e;
}
wfRestoreWarnings();
+ libxml_disable_entity_loader( $oldDisable );
}
/**
@@ -115,7 +122,7 @@ class SVGReader {
* Read the SVG
* @return bool
*/
- public function read() {
+ protected function read() {
$keepReading = $this->reader->read();
/* Skip until first element */
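Review bot: Narrowing `read()` from public to protected is an API change that the docblock does not explain; external callers will now fatal, while subclasses can still call it without the entity-loader guard that the caller sets up. The docblock should state the precondition, e.g. `* Read the SVG. Must only be called while libxml_disable_entity_loader( true ) is in effect (see the code that sets SUBST_ENTITIES); entity expansion is enabled on the reader.` The release notes hunk could also mention the visibility change for extension authors. read()'s body continues past the end of this hunk.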
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 2a24bee7..10765de2 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -490,6 +490,11 @@ class Parser {
"Highest expansion depth: {$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n".
$PFreport;
wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+ // Sanitize for comment. Note '‐' in the replacement is U+2010,
+ // which looks much like the problematic '-'.
+ $limitReport = str_replace( array( '-', '&' ), array( '‐', '&amp;' ), $limitReport );
+
$text .= "\n<!-- \n$limitReport-->\n";
}
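Review bot: The U+2010 replacement is written as a literal glyph that is visually indistinguishable from `-` in most editors, which is exactly the confusion the comment warns about; spelling it as a byte escape makes the intent reviewable: `$limitReport = str_replace( array( '-', '&' ), array( "\xE2\x80\x90", '&amp;' ), $limitReport );`. The `-` rewrite is what protects the comment context, since `--` is what terminates `<!-- ... -->`; the `&` → `&amp;` rewrite does not affect how a browser parses a comment, so presumably it is for a later pass over the output (tidy or similar) — the comment should name that consumer. Since the replacement runs after the `ParserLimitReport` hook, hook-supplied text is covered too, which is worth a sentence in the comment. The enclosing method starts and ends outside this hunk.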
$this->mOutput->setText( $text );