diff options
| -rw-r--r-- | RELEASE-NOTES-1.22 | 10 | ||||
| -rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
| -rw-r--r-- | includes/MimeMagic.php | 18 | ||||
| -rw-r--r-- | includes/upload/UploadBase.php | 15 |
4 files changed, 37 insertions, 8 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 56a7e3d3..be1d96a7 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,16 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.8 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.7 === + +* (bug 65839) SECURITY: Prevent external resources in SVG files. +* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects + like only extracting the tail of the file partially or not at all. + == MediaWiki 1.22.7 == This is a security and maintenance release of the MediaWiki 1.22 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 850c2cfb..4eb979ac 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration; * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.22.7'; +$wgVersion = '1.22.8'; /** * Name of the site. It must be changed in LocalSettings.php diff --git a/includes/MimeMagic.php b/includes/MimeMagic.php index 8220e92f..9180218b 100644 --- a/includes/MimeMagic.php +++ b/includes/MimeMagic.php @@ -570,20 +570,30 @@ class MimeMagic { * @param string $file * @param mixed $ext * @return bool|string + * @throws MWException */ private function doGuessMimeType( $file, $ext ) { // TODO: remove $ext param // Read a chunk of the file wfSuppressWarnings(); - // @todo FIXME: Shouldn't this be rb? - $f = fopen( $file, 'rt' ); + $f = fopen( $file, 'rb' ); wfRestoreWarnings(); if ( !$f ) { return 'unknown/unknown'; } + + $fsize = filesize( $file ); + if ( $fsize === false ) { + return 'unknown/unknown'; + } + $head = fread( $f, 1024 ); - fseek( $f, -65558, SEEK_END ); - $tail = fread( $f, 65558 ); // 65558 = maximum size of a zip EOCDR + $tailLength = min( 65558, $fsize ); // 65558 = maximum size of a zip EOCDR + if ( fseek( $f, -1 * $tailLength, SEEK_END ) === -1 ) { + throw new MWException( + "Seeking $tailLength bytes from EOF failed in " . __METHOD__ ); + } + $tail = fread( $f, $tailLength ); fclose( $f ); wfDebug( __METHOD__ . ": analyzing head and tail of $file for magic numbers.\n" ); diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index c0c37b3f..40b3b19a 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -1283,11 +1283,20 @@ abstract class UploadBase { return true; } - # href with javascript target - if ( $stripped == 'href' && strpos( strtolower( $value ), 'javascript:' ) !== false ) { - wfDebug( __METHOD__ . ": Found script in href attribute '$attrib'='$value' in uploaded file.\n" ); + # href with non-local target (don't allow http://, javascript:, etc) + if ( $stripped == 'href' + && strpos( $value, 'data:' ) !== 0 + && strpos( $value, '#' ) !== 0 + ) { + if ( !( $strippedElement === 'a' + && preg_match( '!^https?://!im', $value ) ) + ) { + wfDebug( __METHOD__ . ": Found href attribute <$strippedElement " + . "'$attrib'='$value' in uploaded file.\n" ); + return true; } + } # href with embedded svg as target if ( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) { |