Diffstat (limited to 'includes')
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/ImagePage.php2
-rw-r--r--includes/OutputPage.php12
-rw-r--r--includes/api/ApiFormatJson.php4
-rw-r--r--includes/filerepo/file/LocalFile.php2
-rw-r--r--includes/parser/ParserOutput.php13
6 files changed, 33 insertions, 2 deletions
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 4eb979ac..cd631a8b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.22.8';
+$wgVersion = '1.22.9';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/ImagePage.php b/includes/ImagePage.php
index 7ea06b0e..d696a17c 100644
--- a/includes/ImagePage.php
+++ b/includes/ImagePage.php
@@ -420,6 +420,8 @@ class ImagePage extends Article {
if ( $page > 1 ) {
$label = $out->parse( wfMessage( 'imgmultipageprev' )->text(), false );
+ // on the client side, this link is generated in ajaxifyPageNavigation()
+ // in the mediawiki.page.image.pagination module
$link = Linker::linkKnown(
$this->getTitle(),
$label,
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 7f0454f6..6bfba78b 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1574,6 +1574,8 @@ class OutputPage extends ContextSource {
$this->addModuleScripts( $parserOutput->getModuleScripts() );
$this->addModuleStyles( $parserOutput->getModuleStyles() );
$this->addModuleMessages( $parserOutput->getModuleMessages() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking
+ || $parserOutput->preventClickjacking();
// Template versioning...
foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
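Review bot: The OR on the two added lines makes the flag sticky for the lifetime of this OutputPage — once any parser output merged into the page requests clickjacking protection, nothing added later can clear it — and nothing in the hunk says so. Suggest a comment above the assignment: `// Sticky: once any parser output merged into this page asks for it, the page is served with X-Frame-Options: DENY and later output cannot undo that`. This looks intentional (a cached ParserOutput must be able to force the header on every view), so the comment should state it as the contract rather than leave it to be rediscovered. The enclosing method starts before the hunk.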
@@ -1874,6 +1876,16 @@ class OutputPage extends ContextSource {
}
/**
+ * Get the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @return boolean
+ */
+ public function getPreventClickjacking() {
+ return $this->mPreventClickjacking;
+ }
+
+ /**
* Get the X-Frame-Options header value (without the name part), or false
* if there isn't one. This is used by Skin to determine whether to enable
* JavaScript frame-breaking, for clients that don't support X-Frame-Options.
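Review bot: The docblock of getPreventClickjacking() names the flag but not what it means or who reads it, so a caller cannot tell whether `true` is a request or a guarantee. Suggest replacing the one-line description with `Get the prevent-clickjacking flag: true when this page, or any parser output merged into it, must be served with X-Frame-Options: DENY` — presumably this is consumed where the X-Frame-Options value documented immediately below is computed, but that body is outside the hunk. If this branch keeps master's `@since 1.24` on backports that is fine; otherwise a reader of the 1.22 line will be told the method does not exist yet.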
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index 342a580f..4140583e 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -65,7 +65,9 @@ class ApiFormatJson extends ApiFormatBase {
$callback = $params['callback'];
if ( $callback !== null ) {
$callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback );
- $this->printText( "$callback($json)" );
+ # Prepend a comment to try to avoid attacks against content
+ # sniffers, such as bug 68187.
+ $this->printText( "/**/$callback($json)" );
} else {
$this->printText( $json );
}
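Review bot: The added comment says what is prepended but not why a comment at byte 0 helps, which is the whole mechanism of the fix; suggest `# Prepend a comment so the first bytes of the body are never caller-controlled: content sniffers (e.g. Flash's SWF detection, bug 68187) key on the leading bytes, so the callback name must not come first.` It is worth adding that this only holds while printText() emits nothing before it, so a future BOM or header output would silently reopen the issue. Separately and pre-existing: preg_replace() returns null on a PCRE error, in which case the output degrades to `/**/($json)` with no callback; if that path is reachable, `if ( $callback === null ) { $this->dieUsage(...) }` or a fallback to the plain JSON branch would be safer than emitting it.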
diff --git a/includes/filerepo/file/LocalFile.php b/includes/filerepo/file/LocalFile.php
index fe769be2..d18f42e4 100644
--- a/includes/filerepo/file/LocalFile.php
+++ b/includes/filerepo/file/LocalFile.php
@@ -423,6 +423,8 @@ class LocalFile extends File {
$decoded['timestamp'] = wfTimestamp( TS_MW, $decoded['timestamp'] );
+ $decoded['metadata'] = $this->repo->getSlaveDB()->decodeBlob( $decoded['metadata'] );
+
if ( empty( $decoded['major_mime'] ) ) {
$decoded['mime'] = 'unknown/unknown';
} else {
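Review bot: The new decodeBlob() call carries no explanation of why the metadata field needs driver-level decoding when the other columns on the same row do not. Suggest `// metadata is a blob column; decode it for the active DB driver (a pass-through on MySQL, needed for drivers that return blob wrappers)` — the driver behaviour is from memory of the Database classes and should be confirmed. The enclosing method begins before the hunk, so whether every row reaching this line always carries a `metadata` key cannot be checked from here.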
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 502f0fd1..460f3211 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -55,6 +55,7 @@ class ParserOutput extends CacheTime {
private $mExtensionData = array(); # extra data used by extensions
private $mLimitReportData = array(); # Parser limit report data
private $mParseStartTime = array(); # Timestamps for getTimeSinceStart()
+ private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY
const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)(</(?:mw:)?editsection>))#';
@@ -330,6 +331,7 @@ class ParserOutput extends CacheTime {
$this->addModuleMessages( $out->getModuleMessages() );
$this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
}
/**
@@ -629,4 +631,15 @@ class ParserOutput extends CacheTime {
function setLimitReportData( $key, $value ) {
$this->mLimitReportData[$key] = $value;
}
+
+ /**
+ * Get or set the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @param boolean|null $flag New flag value, or null to leave it unchanged
+ * @return boolean Old flag value
+ */
+ public function preventClickjacking( $flag = null ) {
+ return wfSetVar( $this->mPreventClickjacking, $flag );
+ }
}
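Review bot: The docblock for preventClickjacking() omits the property that makes the flag useful: it is stored on the ParserOutput, so it presumably persists through the parser cache and is merged with a logical OR (the hunk at the line adding `$this->mPreventClickjacking || $out->getPreventClickjacking()` shows the OutputPage side). Suggest appending to the description `The flag is kept with the ParserOutput, so it survives the parser cache; when merged into OutputPage or another ParserOutput it is combined with OR, so later merges can switch it on but never off.` Also worth stating that passing `false` explicitly does clear the flag on this object, since wfSetVar() only skips a null source; the `boolean|null` annotation alone does not make that obvious.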