-rw-r--r--RELEASE-NOTES37
-rw-r--r--img_auth.php1
-rw-r--r--includes/AjaxDispatcher.php12
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/EditPage.php2
-rw-r--r--includes/GlobalFunctions.php2
-rw-r--r--includes/Metadata.php2
-rw-r--r--includes/OutputPage.php1
-rw-r--r--includes/SpecialRecentchangeslinked.php2
-rw-r--r--includes/StreamFile.php2
-rw-r--r--includes/Wiki.php3
-rw-r--r--thumb.php2
-rw-r--r--trackback.php2
13 files changed, 56 insertions, 14 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 77ae6c5f..472409da 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,43 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.9.3 ==
+
+February 20, 2007
+
+This is a security and bug-fix update to the Winter 2007 quarterly release.
+Minor compatibility fixes for IIS and PostgreSQL are included.
+
+An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
+charset autodetection was located in the AJAX support module, affecting MSIE
+users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
+enabled.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.3
+* 1.8: fixed in 1.8.4
+* 1.7: fixed in 1.7.3
+* 1.6: fixed in 1.6.10
+
+There is no known danger in the default configuration, with $wgUseAjax off.
+
+* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
+* (bug 8984) Fix a database error in Special:Recentchangeslinked
+ when using the PostgreSQL database.
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. PHP sends only
+ 'text/html' by default when the script didn't specify more details,
+ which some inconsiderate browsers consider a license to autodetect
+ the deadly, hard-to-escape UTF-7.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
+
+
== MediaWiki 1.9.2 ==
February 4, 2007
diff --git a/img_auth.php b/img_auth.php
index 8794bc78..e0a6459f 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -49,6 +49,7 @@ wfLogProfilingData();
function wfForbidden() {
header( 'HTTP/1.0 403 Forbidden' );
+ header( 'Content-Type: text/html; charset=utf-8' );
print
"<html><body>
<h1>Access denied</h1>
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 89062f87..39ec19f8 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -54,15 +54,15 @@ class AjaxDispatcher {
wfProfileIn( __METHOD__ );
if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
- header( 'Status: 400 Bad Request', true, 400 );
- print "unknown function " . htmlspecialchars( (string) $this->func_name );
+ wfHttpError( 400, 'Bad Request',
+ "unknown function " . (string) $this->func_name );
} else {
try {
$result = call_user_func_array($this->func_name, $this->args);
if ( $result === false || $result === NULL ) {
- header( 'Status: 500 Internal Error', true, 500 );
- echo "{$this->func_name} returned no data";
+ wfHttpError( 500, 'Internal Error',
+ "{$this->func_name} returned no data" );
}
else {
if ( is_string( $result ) ) {
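Review bot: Escaping of `$this->func_name` in the 400 branch now depends entirely on `wfHttpError()`, because the `htmlspecialchars()` that wrapped it at the call site is gone. The part of `wfHttpError()` visible in this commit shows `htmlspecialchars( $label )` but not what happens to `$desc`, so that should be confirmed before relying on it; the same holds for the `"{$this->func_name} returned no data"` call in the 500 branch. A comment at the call would record the dependency, e.g. `// wfHttpError() HTML-escapes the description; do not rely on the caller`. The enclosing method starts and ends outside this hunk.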
@@ -75,8 +75,8 @@ class AjaxDispatcher {
} catch (Exception $e) {
if (!headers_sent()) {
- header( 'Status: 500 Internal Error', true, 500 );
- print $e->getMessage();
+ wfHttpError( 500, 'Internal Error',
+ $e->getMessage() );
} else {
print $e->getMessage();
}
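Review bot: The `else` branch still does `print $e->getMessage();` when headers have already been sent, so that path gets neither the explicit charset nor any escaping that the `wfHttpError()` path is meant to provide. If the output already under way is HTML, `print htmlspecialchars( $e->getMessage() );` would close the gap; which content type is in effect at that point is not visible here. Exception messages can also carry internal detail, so a generic message with the detail sent to the log may be preferable. The `try` block opens outside this hunk.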
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index df1b9d55..0692401d 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.9.2';
+$wgVersion = '1.9.3';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/EditPage.php b/includes/EditPage.php
index c53389cc..7688a64a 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1765,7 +1765,7 @@ END
function livePreview() {
global $wgOut;
$wgOut->disable();
- header( 'Content-type: text/xml' );
+ header( 'Content-type: text/xml; charset=utf-8' );
header( 'Cache-control: no-cache' );
# FIXME
echo $this->getPreviewText( );
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index da24e4a7..de07b321 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -1078,7 +1078,7 @@ function wfHttpError( $code, $label, $desc ) {
header( "Status: $code $label" );
$wgOut->sendCacheControl();
- header( 'Content-type: text/html' );
+ header( 'Content-type: text/html; charset=utf-8' );
print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">".
"<html><head><title>" .
htmlspecialchars( $label ) .
diff --git a/includes/Metadata.php b/includes/Metadata.php
index b48ced0d..4e0d91b7 100644
--- a/includes/Metadata.php
+++ b/includes/Metadata.php
@@ -81,7 +81,7 @@ function rdfSetup() {
return false;
} else {
$wgOut->disable();
- header( "Content-type: {$rdftype}" );
+ header( "Content-type: {$rdftype}; charset=utf-8" );
$wgOut->sendCacheControl();
return true;
}
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 4ca9e88a..6d3cc0ac 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -561,6 +561,7 @@ class OutputPage {
$this->sendCacheControl();
+ $wgRequest->response()->header("Content-Type: text/html; charset=utf-8");
if( $wgDebugRedirects ) {
$url = htmlspecialchars( $this->mRedirect );
print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n";
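Review bot: The added `$wgRequest->response()->header(...)` line needs `$wgRequest` to be declared `global` in this method, and that declaration is not visible in the hunk. The Wiki.php change in this same commit adds `global $wgRequest;` explicitly, while this one does not, so it is worth checking that the method's existing `global` list already includes it; otherwise the call is made on an undefined variable. The method starts and ends outside this hunk.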
diff --git a/includes/SpecialRecentchangeslinked.php b/includes/SpecialRecentchangeslinked.php
index 2214576c..15292898 100644
--- a/includes/SpecialRecentchangeslinked.php
+++ b/includes/SpecialRecentchangeslinked.php
@@ -73,7 +73,7 @@ function wfSpecialRecentchangeslinked( $par = NULL ) {
$GROUPBY = "
GROUP BY rc_cur_id,rc_namespace,rc_title,
rc_user,rc_comment,rc_user_text,rc_timestamp,rc_minor,
- rc_new, rc_id, rc_this_oldid, rc_last_oldid, rc_bot, rc_patrolled, rc_type
+ rc_new, rc_id, rc_this_oldid, rc_last_oldid, rc_bot, rc_patrolled, rc_type, rc_old_len, rc_new_len
" . ($uid ? ",wl_user" : "") . "
ORDER BY rc_timestamp DESC
LIMIT {$limit}";
diff --git a/includes/StreamFile.php b/includes/StreamFile.php
index 949422d6..dc653e57 100644
--- a/includes/StreamFile.php
+++ b/includes/StreamFile.php
@@ -7,7 +7,7 @@ function wfStreamFile( $fname ) {
if ( !$stat ) {
header( 'HTTP/1.0 404 Not Found' );
header( 'Cache-Control: no-cache' );
- header( 'Content-Type: text/html' );
+ header( 'Content-Type: text/html; charset=utf-8' );
$encFile = htmlspecialchars( $fname );
$encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] );
echo "<html><body>
diff --git a/includes/Wiki.php b/includes/Wiki.php
index 06ae8cfe..06248b35 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -422,7 +422,8 @@ class MediaWiki {
}
break;
case 'history':
- if( $_SERVER['REQUEST_URI'] == $title->getInternalURL( 'action=history' ) ) {
+ global $wgRequest;
+ if( $wgRequest->getFullRequestURL() == $title->getInternalURL( 'action=history' ) ) {
$output->setSquidMaxage( $this->getVal( 'SquidMaxage' ) );
}
$history = new PageHistory( $article );
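Review bot: The comparison that gates `setSquidMaxage()` uses loose `==` on two URL strings; `===` states the intent and avoids PHP's string-juggling rules, as in `if( $wgRequest->getFullRequestURL() === $title->getInternalURL( 'action=history' ) ) {`. As a style point, `global $wgRequest;` sits inside the `case 'history':` branch, where it is easy to miss; declaring it at the top of the method keeps the globals in one place. The method and the `switch` both start outside this hunk.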
diff --git a/thumb.php b/thumb.php
index c325d07a..206019df 100644
--- a/thumb.php
+++ b/thumb.php
@@ -74,7 +74,7 @@ if ( $thumb && $thumb->path ) {
$badtitle = wfMsg( 'badtitle' );
$badtitletext = wfMsg( 'badtitletext' );
header( 'Cache-Control: no-cache' );
- header( 'Content-Type: text/html' );
+ header( 'Content-Type: text/html; charset=utf-8' );
echo "<html><head>
<title>$badtitle</title>
<body>
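Review bot: `$badtitle` is interpolated into `<title>$badtitle</title>` without escaping, and the charset header alone does not cover that. Whether `wfMsg()` returns HTML-safe text is not visible here; if it returns raw message text, the assignment should be `$badtitle = htmlspecialchars( wfMsg( 'badtitle' ) );`, and likewise for `$badtitletext`, whose use lies outside the hunk. The visible markup also opens `<head>` and goes straight to `<body>` without a closing `</head>`.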
diff --git a/trackback.php b/trackback.php
index 6d2d826b..6e4ee982 100644
--- a/trackback.php
+++ b/trackback.php
@@ -12,6 +12,7 @@ require_once('DatabaseFunctions.php');
*
*/
function XMLsuccess() {
+ header("Content-Type: application/xml; charset=utf-8");
echo "
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<response>
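Review bot: The `echo` string starts with a newline before `<?xml version=...?>`, so the XML declaration is not at the very start of the response body. Now that the response is labelled `application/xml`, a strict parser can reject it for that reason. Starting the literal with the declaration fixes it: `echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>`. The same pattern appears in `XMLerror()` in the next hunk. Both function bodies continue outside their hunks.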
@@ -23,6 +24,7 @@ function XMLsuccess() {
function XMLerror($err = "Invalid request.") {
header("HTTP/1.0 400 Bad Request");
+ header("Content-Type: application/xml; charset=utf-8");
echo "
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<response>