-rw-r--r--RELEASE-NOTES-1.228
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/OutputPage.php73
3 files changed, 54 insertions, 29 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 34ced35a..34292e1f 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,14 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.12 ==
+
+This is a security release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.11 ===
+* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
+ allowance.
+
== MediaWiki 1.22.11 ==
This is a security release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1ec2ea35..84374c42 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.22.11';
+$wgVersion = '1.22.12';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 6bfba78b..363f2b62 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -151,12 +151,12 @@ class OutputPage extends ContextSource {
var $mFeedLinksAppendQuery = null;
- # What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page?
- # @see ResourceLoaderModule::$origin
- # ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden;
- protected $mAllowedModules = array(
- ResourceLoaderModule::TYPE_COMBINED => ResourceLoaderModule::ORIGIN_ALL,
- );
+ /**
+ * @var int
+ * The level of 'untrustworthiness' allowed for modules loaded on this page.
+ * @see ResourceLoaderModule::$origin
+ */
+ protected $mAllowedModuleOrigin = ResourceLoaderModule::ORIGIN_ALL;
/**
* @EasterEgg I just love the name for this self documenting variable.
@@ -1271,14 +1271,13 @@ class OutputPage extends ContextSource {
}
/**
- * Do not allow scripts which can be modified by wiki users to load on this page;
- * only allow scripts bundled with, or generated by, the software.
+ * Restrict the page to loading modules bundled the software.
+ *
+ * Disallows the queue to contain any modules which can be modified by wiki
+ * users to load on this page.
*/
public function disallowUserJs() {
- $this->reduceAllowedModules(
- ResourceLoaderModule::TYPE_SCRIPTS,
- ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL
- );
+ $this->reduceAllowedModuleOrigin( ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL );
}
/**
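Review bot: The rewritten docstring of disallowUserJs() drops a word at `* Restrict the page to loading modules bundled the software.`; it should read `* Restrict the page to loading modules bundled with the software.`. Since this commit removes the per-type allowance and the method now funnels into reduceAllowedModuleOrigin(), the restriction presumably applies to style modules as well as scripts despite the method name, and the docstring is the place to say so, e.g. `* Applies to both CSS and JS modules; the name predates the removal of the per-type allowance.`. The enclosing class continues outside the hunk.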
@@ -1293,37 +1292,55 @@ class OutputPage extends ContextSource {
}
/**
- * Show what level of JavaScript / CSS untrustworthiness is allowed on this page
+ * Get the level of JavaScript / CSS untrustworthiness allowed on this page.
+ *
* @see ResourceLoaderModule::$origin
- * @param string $type ResourceLoaderModule TYPE_ constant
+ * @param string $type Unused: Module origin allowance used to be fragmented by
+ * ResourceLoaderModule TYPE_ constants.
* @return Int ResourceLoaderModule ORIGIN_ class constant
*/
- public function getAllowedModules( $type ) {
- if ( $type == ResourceLoaderModule::TYPE_COMBINED ) {
- return min( array_values( $this->mAllowedModules ) );
- } else {
- return isset( $this->mAllowedModules[$type] )
- ? $this->mAllowedModules[$type]
- : ResourceLoaderModule::ORIGIN_ALL;
- }
+ public function getAllowedModules( $type = null ) {
+ return $this->mAllowedModuleOrigin;
}
/**
* Set the highest level of CSS/JS untrustworthiness allowed
+ *
+ * @deprecated since 1.24 Raising level of allowed untrusted content is no longer supported.
+ * Use reduceAllowedModuleOrigin() instead.
+ *
* @param $type String ResourceLoaderModule TYPE_ constant
- * @param $level Int ResourceLoaderModule class constant
+ * @param int $level ResourceLoaderModule ORIGIN_ constant
*/
public function setAllowedModules( $type, $level ) {
- $this->mAllowedModules[$type] = $level;
+ wfDeprecated( __METHOD__, '1.24' );
+ $this->reduceAllowedModuleOrigin( $level );
}
/**
- * As for setAllowedModules(), but don't inadvertently make the page more accessible
- * @param $type String
- * @param $level Int ResourceLoaderModule class constant
+ * Limit the highest level of CSS/JS untrustworthiness allowed.
+ *
+ * @deprecated since 1.24 Module allowance is no longer fragmented by content type.
+ * Use reduceAllowedModuleOrigin() instead.
+ *
+ * @param string $type ResourceLoaderModule TYPE_ constant
+ * @param int $level ResourceLoaderModule ORIGIN_ class constant
*/
public function reduceAllowedModules( $type, $level ) {
- $this->mAllowedModules[$type] = min( $this->getAllowedModules( $type ), $level );
+ wfDeprecated( __METHOD__, '1.24' );
+ $this->reduceAllowedModuleOrigin( $level );
+ }
+
+ /**
+ * Limit the highest level of CSS/JS untrustworthiness allowed.
+ *
+ * If passed the same or a higher level than the current level of untrustworthiness set, the
+ * level will remain unchanged.
+ *
+ * @param int $level ResourceLoaderModule class constant
+ */
+ public function reduceAllowedModuleOrigin( $level ) {
+ $this->mAllowedModuleOrigin = min( $this->mAllowedModuleOrigin, $level );
}
/**
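Review bot: reduceAllowedModuleOrigin() at `$this->mAllowedModuleOrigin = min( $this->mAllowedModuleOrigin, $level );` accepts `$level` unchecked, yet it is now the single choke point that setAllowedModules() and reduceAllowedModules() forward to, and min() compares loosely, so a null or string passed by a legacy caller could leave the stored origin as a value that is not an ORIGIN_ constant. A guard before the min(), `if ( !is_int( $level ) ) { throw new MWException( __METHOD__ . ': $level must be a ResourceLoaderModule ORIGIN_ constant' ); }`, makes the fail-closed intent explicit; I have not checked how the stored origin is consumed elsewhere in this file. Separately, in setAllowedModules() the untouched `@param $type String ResourceLoaderModule TYPE_ constant` line keeps the old name-first order while the line under it was changed to `@param int $level`; `@param string $type ResourceLoaderModule TYPE_ constant` would make the block consistent. The OutputPage class continues outside the hunk.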