diff options
| -rw-r--r-- | RELEASE-NOTES | 31 | ||||
| -rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
| -rw-r--r-- | includes/api/ApiFormatBase.php | 7 |
3 files changed, 37 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index a2bc56c5..ac1b7a47 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,37 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.10.2 == + +September 10, 2007 + +This is a security fix update to the Spring 2007 quarterly release snapshot. +A possible HTML/XSS injection vector in the API pretty-printing mode has +been found and fixed. + +The vulnerability may be worked around in an unfixed version by simply +disabling the API interface if it is not in use, by adding this to +LocalSettings.php: + + $wgEnableAPI = false; + +Not vulnerable versions: +* 1.11 >= 1.11.0 +* 1.10 >= 1.10.2 +* 1.9 >= 1.9.4 +* 1.8 >= 1.8.5 + +Vulnerable versions: +* 1.11 <= 1.11.0rc1 +* 1.10 <= 1.10.1 +* 1.9 <= 1.9.3 +* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on) + +MediaWiki 1.7 and below are not affected as they do not include +the faulty function, however the BotQuery extension is similarly +vulnerable unless updated to the latest SVN version. + + == MediaWiki 1.10.1 == July 13, 2007 diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index d9bd3760..d8f9a621 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -31,7 +31,7 @@ require_once( 'includes/SiteConfiguration.php' ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.10.1'; +$wgVersion = '1.10.2'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php index 192c51a7..782a4161 100644 --- a/includes/api/ApiFormatBase.php +++ b/includes/api/ApiFormatBase.php @@ -145,8 +145,11 @@ for more information. * This method also replaces any '<' with < */ protected function formatHTML($text) { - // encode all tags as safe blue strings - $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text); + // Escape everything first for full coverage + $text = htmlspecialchars($text); + + // encode all comments or tags as safe blue strings + $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text); // identify URLs $protos = "http|https|ftp|gopher"; $text = ereg_replace("($protos)://[^ '\"()<\n]+", '<a href="\\0">\\0</a>', $text); |