Diffstat (limited to 'includes')
-rw-r--r--includes/Article.php5
-rw-r--r--includes/DefaultSettings.php32
-rw-r--r--includes/HTMLForm.php3
-rw-r--r--includes/HistoryPage.php19
-rw-r--r--includes/ImagePage.php26
-rw-r--r--includes/OutputPage.php43
-rw-r--r--includes/Skin.php2
-rw-r--r--includes/Title.php5
-rw-r--r--includes/api/ApiBase.php12
-rw-r--r--includes/api/ApiBlock.php6
-rw-r--r--includes/api/ApiDelete.php6
-rw-r--r--includes/api/ApiEditPage.php6
-rw-r--r--includes/api/ApiEmailUser.php6
-rw-r--r--includes/api/ApiImport.php6
-rw-r--r--includes/api/ApiMove.php6
-rw-r--r--includes/api/ApiPatrol.php6
-rw-r--r--includes/api/ApiProtect.php8
-rw-r--r--includes/api/ApiQueryAllUsers.php11
-rw-r--r--includes/api/ApiQueryRevisions.php7
-rw-r--r--includes/api/ApiUnblock.php6
-rw-r--r--includes/api/ApiUndelete.php6
-rw-r--r--includes/api/ApiUpload.php4
-rw-r--r--includes/api/ApiUserrights.php6
-rw-r--r--includes/diff/DifferenceInterface.php3
-rw-r--r--includes/json/Services_JSON.php2
-rw-r--r--includes/specials/SpecialAllpages.php1
-rw-r--r--includes/specials/SpecialCategories.php1
-rw-r--r--includes/specials/SpecialContributions.php10
-rw-r--r--includes/specials/SpecialLinkSearch.php4
-rw-r--r--includes/specials/SpecialSearch.php1
-rw-r--r--includes/specials/SpecialSpecialpages.php1
-rw-r--r--includes/specials/SpecialUpload.php38
-rw-r--r--includes/specials/SpecialVersion.php1
33 files changed, 253 insertions, 46 deletions
diff --git a/includes/Article.php b/includes/Article.php
index d3863c77..5edfc10d 100644
--- a/includes/Article.php
+++ b/includes/Article.php
@@ -792,6 +792,9 @@ class Article {
return;
}
+ # Allow frames by default
+ $wgOut->allowClickjacking();
+
# Should the parser cache be used?
$useParserCache = $this->useParserCache( $oldid );
wfDebug( 'Article::view using parser cache: ' . ( $useParserCache ? 'yes' : 'no' ) . "\n" );
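Review bot: `allowClickjacking()` is called unconditionally near the top of Article::view (whose body continues outside this hunk), so anything rendered later in the view path that carries a CSRF token — extension output from view hooks, for instance — is framable unless that code calls `$wgOut->preventClickjacking()` itself; the trackback section in the next hunk does this, hooks are on their own. The one-line comment should say so: `# Allow frames by default on view pages; any CSRF-protected form or action link added later in this path must call $wgOut->preventClickjacking()`. It is also worth confirming that nothing earlier in the request calls preventClickjacking() deliberately, since this call silently clears it.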
@@ -1452,6 +1455,8 @@ class Article {
);
if ( !$dbr->numRows( $tbs ) ) return;
+ $wgOut->preventClickjacking();
+
$tbtext = "";
while ( $o = $dbr->fetchObject( $tbs ) ) {
$rmvtxt = "";
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a369fccd..c118075e 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
}
/** MediaWiki version number */
-$wgVersion = '1.16.0';
+$wgVersion = '1.16.1';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
@@ -2502,6 +2502,11 @@ $wgRightsUrl = null;
$wgRightsText = null;
$wgRightsIcon = null;
+/**
+ * Set to an array of metadata terms. Else they will be loaded based on $wgRightsUrl
+ */
+$wgLicenseTerms = false;
+
/** Set this to some HTML to override the rights icon with an arbitrary logo */
$wgCopyrightIcon = null;
@@ -3981,12 +3986,33 @@ $wgParserTestFiles = array(
$wgParserTestRemote = false;
/**
- * Break out of framesets. This can be used to prevent external sites from
- * framing your site with ads.
+ * Break out of framesets. This can be used to prevent clickjacking attacks,
+ * or to prevent external sites from framing your site with ads.
*/
$wgBreakFrames = false;
/**
+ * The X-Frame-Options header to send on pages sensitive to clickjacking
+ * attacks, such as edit pages. This prevents those pages from being displayed
+ * in a frame or iframe. The options are:
+ *
+ * - 'DENY': Do not allow framing. This is recommended for most wikis.
+ *
+ * - 'SAMEORIGIN': Allow framing by pages on the same domain. This can be used
+ * to allow framing within a trusted domain. This is insecure if there
+ * is a page on the same domain which allows framing of arbitrary URLs.
+ *
+ * - false: Allow all framing. This opens up the wiki to XSS attacks and thus
+ * full compromise of local user accounts. Private wikis behind a
+ * corporate firewall are especially vulnerable. This is not
+ * recommended.
+ *
+ * For extra safety, set $wgBreakFrames = true, to prevent framing on all pages,
+ * not just edit pages.
+ */
+$wgEditPageFrameOptions = 'DENY';
+
+/**
* Set this to an array of special page names to prevent
* maintenance/updateSpecialPages.php from updating those pages.
*/
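Review bot: The documentation for `$wgEditPageFrameOptions` omits two things an administrator needs: the string is sent verbatim as the header value (OutputPage::getFrameOptions returns it unmodified, so a typo yields a header browsers ignore), and the JavaScript frame-breaking fallback for browsers that do not honour X-Frame-Options is enabled only when the effective value is exactly `'DENY'` (see the Skin.php hunk), so `'SAMEORIGIN'` relies on browser header support alone. Suggest adding under the SAMEORIGIN entry: ` * The JavaScript frame-breaker used as a fallback for old browsers is only enabled for 'DENY'.` The `false` entry's claim that framing "opens up the wiki to XSS attacks" is also imprecise: clickjacking lets an attacker trigger the victim's own token-protected actions without injecting any script, so ` * This opens up the wiki to clickjacking attacks and thus compromise of local user accounts.` states the actual risk.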
diff --git a/includes/HTMLForm.php b/includes/HTMLForm.php
index fddc887b..12687dc4 100644
--- a/includes/HTMLForm.php
+++ b/includes/HTMLForm.php
@@ -311,6 +311,9 @@ class HTMLForm {
$this->displayErrors( $submitResult );
}
+ # For good measure (it is the default)
+ $wgOut->preventClickjacking();
+
$html = ''
. $this->mHeader
. $this->getBody()
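Review bot: The comment `# For good measure (it is the default)` understates why this call is needed: `mPreventClickjacking` does default to true, but Article::view and DifferenceEngine now call allowClickjacking() earlier in the request, so a form displayed on one of those pages would be framable without this line. Suggest `# Re-enable frame-breaking: a caller such as Article::view may have called allowClickjacking() earlier in this request, and this form is presumably token-protected`. The enclosing method starts outside this hunk.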
diff --git a/includes/HistoryPage.php b/includes/HistoryPage.php
index e515d3dd..8f5c2dda 100644
--- a/includes/HistoryPage.php
+++ b/includes/HistoryPage.php
@@ -166,6 +166,7 @@ class HistoryPage {
$pager->getBody() .
$pager->getNavigationBar()
);
+ $wgOut->preventClickjacking( $pager->getPreventClickjacking() );
wfProfileOut( __METHOD__ );
}
@@ -301,6 +302,7 @@ class HistoryPage {
class HistoryPager extends ReverseChronologicalPager {
public $lastRow = false, $counter, $historyPage, $title, $buttons, $conds;
protected $oldIdChecked;
+ protected $preventClickjacking = false;
function __construct( $historyPage, $year='', $month='', $tagFilter = '', $conds = array() ) {
parent::__construct();
@@ -382,6 +384,7 @@ class HistoryPager extends ReverseChronologicalPager {
$this->buttons = '<div>';
if( $wgUser->isAllowed('deleterevision') ) {
+ $this->preventClickjacking();
$float = $wgContLang->alignEnd();
# Note bug #20966, <button> is non-standard in IE<8
$this->buttons .= Xml::element( 'button',
@@ -488,6 +491,7 @@ class HistoryPager extends ReverseChronologicalPager {
$del = '';
// User can delete revisions...
if( $wgUser->isAllowed( 'deleterevision' ) ) {
+ $this->preventClickjacking();
// If revision was hidden from sysops, disable the checkbox
if( !$rev->userCan( Revision::DELETED_RESTRICTED ) ) {
$del = Xml::check( 'deleterevisions', false, array( 'disabled' => 'disabled' ) );
@@ -534,6 +538,7 @@ class HistoryPager extends ReverseChronologicalPager {
# Rollback and undo links
if( !is_null( $next ) && is_object( $next ) ) {
if( $latest && $this->title->userCan( 'rollback' ) && $this->title->userCan( 'edit' ) ) {
+ $this->preventClickjacking();
$tools[] = '<span class="mw-rollback-link">'.
$this->getSkin()->buildRollbackLink( $rev ).'</span>';
}
@@ -721,6 +726,20 @@ class HistoryPager extends ReverseChronologicalPager {
return '';
}
}
+
+ /**
+ * This is called if a write operation is possible from the generated HTML
+ */
+ function preventClickjacking( $enable = true ) {
+ $this->preventClickjacking = $enable;
+ }
+
+ /**
+ * Get the "prevent clickjacking" flag
+ */
+ function getPreventClickjacking() {
+ return $this->preventClickjacking;
+ }
}
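Review bot: This is one of three near-identical flag implementations added in this commit — HistoryPager here, ImageHistoryList/ImageHistoryPseudoPager in ImagePage.php, ContribsPager in SpecialContributions.php — and they already disagree: this one has no visibility keyword and takes `$enable`, ImagePage's is `protected` with `$enable`, ContribsPager's is `protected` with no parameter. Since all three pagers extend ReverseChronologicalPager, a single protected `preventClickjacking()` / public `getPreventClickjacking()` pair on that base class would remove the duplication and the drift. If the parameter stays, the docblock should say that passing false un-latches a flag an earlier row may already have set, e.g. ` * Pass false only if no earlier row can have set the flag.` At minimum declare the visibility explicitly here: `public function preventClickjacking( $enable = true ) {`.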
/**
diff --git a/includes/ImagePage.php b/includes/ImagePage.php
index dd2c2ab1..f16acc33 100644
--- a/includes/ImagePage.php
+++ b/includes/ImagePage.php
@@ -600,6 +600,7 @@ EOT
$this->loadFile();
$pager = new ImageHistoryPseudoPager( $this );
$wgOut->addHTML( $pager->getBody() );
+ $wgOut->preventClickjacking( $pager->getPreventClickjacking() );
$this->img->resetHistory(); // free db resources
@@ -803,6 +804,7 @@ EOT
class ImageHistoryList {
protected $imagePage, $img, $skin, $title, $repo, $showThumb;
+ protected $preventClickjacking = false;
public function __construct( $imagePage ) {
global $wgUser, $wgShowArchiveThumbnails;
@@ -929,6 +931,7 @@ class ImageHistoryList {
# Don't link to unviewable files
$row .= '<span class="history-deleted">' . $wgLang->timeAndDate( $timestamp, true ) . '</span>';
} elseif( $file->isDeleted(File::DELETED_FILE) ) {
+ $this->preventClickjacking();
$revdel = SpecialPage::getTitleFor( 'Revisiondelete' );
# Make a link to review the image
$url = $this->skin->link(
@@ -1015,9 +1018,19 @@ class ImageHistoryList {
return wfMsgHtml( 'filehist-nothumb' );
}
}
+
+ protected function preventClickjacking( $enable = true ) {
+ $this->preventClickjacking = $enable;
+ }
+
+ public function getPreventClickjacking() {
+ return $this->preventClickjacking;
+ }
}
class ImageHistoryPseudoPager extends ReverseChronologicalPager {
+ protected $preventClickjacking = false;
+
function __construct( $imagePage ) {
parent::__construct();
$this->mImagePage = $imagePage;
@@ -1058,6 +1071,10 @@ class ImageHistoryPseudoPager extends ReverseChronologicalPager {
$s .= $list->imageHistoryLine( !$file->isOld(), $file );
}
$s .= $list->endImageHistoryList($navLink);
+
+ if ( $list->getPreventClickjacking() ) {
+ $this->preventClickjacking();
+ }
}
return $s;
}
@@ -1140,4 +1157,13 @@ class ImageHistoryPseudoPager extends ReverseChronologicalPager {
}
$this->mQueryDone = true;
}
+
+ protected function preventClickjacking( $enable = true ) {
+ $this->preventClickjacking = $enable;
+ }
+
+ public function getPreventClickjacking() {
+ return $this->preventClickjacking;
+ }
+
}
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 4333383c..97e26110 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -37,6 +37,7 @@ class OutputPage {
var $mPageTitleActionText = '';
var $mParseWarnings = array();
var $mSquidMaxage = 0;
+ var $mPreventClickjacking = true;
var $mRevisionId = null;
protected $mTitle = null;
@@ -1348,6 +1349,41 @@ class OutputPage {
}
/**
+ * Set a flag which will cause an X-Frame-Options header appropriate for
+ * edit pages to be sent. The header value is controlled by
+ * $wgEditPageFrameOptions.
+ *
+ * This is the default for special pages. If you display a CSRF-protected
+ * form on an ordinary view page, then you need to call this function.
+ */
+ public function preventClickjacking( $enable = true ) {
+ $this->mPreventClickjacking = $enable;
+ }
+
+ /**
+ * Turn off frame-breaking. Alias for $this->preventClickjacking(false).
+ * This can be called from pages which do not contain any CSRF-protected
+ * HTML form.
+ */
+ public function allowClickjacking() {
+ $this->mPreventClickjacking = false;
+ }
+
+ /**
+ * Get the X-Frame-Options header value (without the name part), or false
+ * if there isn't one. This is used by Skin to determine whether to enable
+ * JavaScript frame-breaking, for clients that don't support X-Frame-Options.
+ */
+ public function getFrameOptions() {
+ global $wgBreakFrames, $wgEditPageFrameOptions;
+ if ( $wgBreakFrames ) {
+ return 'DENY';
+ } elseif ( $this->mPreventClickjacking && $wgEditPageFrameOptions ) {
+ return $wgEditPageFrameOptions;
+ }
+ }
+
+ /**
* Send cache control HTTP headers
*/
public function sendCacheControl() {
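Review bot: The docblock for `preventClickjacking()` says "This is the default for special pages", but `$mPreventClickjacking` is initialised to true for every OutputPage, so the header is sent on all pages unless something calls allowClickjacking() — which this commit does for article view, diff, history and a few read-only special pages; suggest ` * This is the default for all pages; Article::view, DifferenceEngine and some read-only special pages opt out via allowClickjacking().` `getFrameOptions()` also falls off the end and returns null in the default case although its docblock promises false — add an explicit `return false;` after the elseif. Because the configured string is sent verbatim as the header value, normalising it here (`return strtoupper( trim( $wgEditPageFrameOptions ) );`) would keep a lowercase `'deny'` in LocalSettings.php from silently disabling the JavaScript fallback, which Skin.php selects with a case-sensitive comparison.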
@@ -1561,6 +1597,13 @@ class OutputPage {
$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+ // Prevent framing, if requested
+ $frameOptions = $this->getFrameOptions();
+ if ( $frameOptions ) {
+ $wgRequest->response()->header( "X-Frame-Options: $frameOptions" );
+ }
+
+
if ($this->mArticleBodyOnly) {
$this->out($this->mBodytext);
} else {
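Review bot: The X-Frame-Options header is emitted only on this path through output(); any response that bypasses it — a file-cache hit, or code that writes headers and body itself — carries no header even when preventClickjacking() was called. From this hunk alone I cannot tell whether any such path can contain a token-protected form, so this is a point to confirm rather than a known gap; moving the three lines into a small `sendFrameOptions()` helper that those paths can also call would make the confirmation cheap. Minor: the two blank lines after the new block can be collapsed to one.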
diff --git a/includes/Skin.php b/includes/Skin.php
index d1a0016d..18867cbe 100644
--- a/includes/Skin.php
+++ b/includes/Skin.php
@@ -413,7 +413,7 @@ class Skin extends Linker {
'wgUserGroups' => $wgUser->isAnon() ? null : $wgUser->getEffectiveGroups(),
'wgUserLanguage' => $wgLang->getCode(),
'wgContentLanguage' => $wgContLang->getCode(),
- 'wgBreakFrames' => $wgBreakFrames,
+ 'wgBreakFrames' => $wgOut->getFrameOptions() == 'DENY',
'wgCurRevisionId' => isset( $wgArticle ) ? $wgArticle->getLatest() : 0,
'wgVersion' => $wgVersion,
'wgEnableAPI' => $wgEnableAPI,
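Review bot: `$wgOut->getFrameOptions() == 'DENY'` is a case-sensitive comparison against an administrator-supplied string that is otherwise passed through verbatim, so a LocalSettings.php value of `'deny'` sends a header browsers generally accept but silently disables the JavaScript frame-breaker this variable controls; `'wgBreakFrames' => strcasecmp( (string)$wgOut->getFrameOptions(), 'DENY' ) === 0,` closes that gap. Note also that the fallback never fires for `'SAMEORIGIN'`, so the JS variable `wgBreakFrames` now means "frame options is DENY" rather than mirroring `$wgBreakFrames` — a one-line comment here would save the next reader a trip to OutputPage.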
diff --git a/includes/Title.php b/includes/Title.php
index 8d7275ff..be41a85a 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -2606,9 +2606,8 @@ class Title {
// purge variant urls as well
if($wgContLang->hasVariants()){
$variants = $wgContLang->getVariants();
- foreach($variants as $vCode){
- if($vCode==$wgContLang->getCode()) continue; // we don't want default variant
- $urls[] = $this->getInternalURL('',$vCode);
+ foreach ( $variants as $vCode ) {
+ $urls[] = $this->getInternalURL( '', $vCode );
}
}
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index b703ab4f..708a3a40 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1006,6 +1006,14 @@ abstract class ApiBase {
}
/**
+ * Returns whether this module requires a Token to execute
+ * @returns bool
+ */
+ public function needsToken() {
+ return false;
+ }
+
+ /**
* Returns the token salt if there is one, '' if the module doesn't require a salt, else false if the module doesn't need a token
* @returns bool
*/
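Review bot: `needsToken()` and `getTokenSalt()` now encode the same fact in two places with no stated relationship, and nothing stops a module from returning true from one and false from the other (the token check itself is outside this hunk, so I cannot see which of the two it consults). Suggest documenting the contract in the new docblock: ` * Returns whether this module requires a token to execute. Must agree with getTokenSalt() !== false; unlike getTokenSalt() it must not read request parameters, because it is called when generating error documentation.` ApiUserrights::getTokenSalt() calling extractRequestParams() appears to be the reason the second method exists. A default of `return $this->getTokenSalt() !== false;` overridden only where the salt depends on parameters would prevent drift, but it reintroduces the parameter read for modules that do not override, so the documented contract may be the better trade.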
@@ -1033,7 +1041,7 @@ abstract class ApiBase {
$ret[] = array( 'writedisabled' );
}
- if ( $this->getTokenSalt() !== false ) {
+ if ( $this->needsToken() ) {
$ret[] = array( 'missingparam', 'token' );
$ret[] = array( 'sessionfailure' );
}
@@ -1184,6 +1192,6 @@ abstract class ApiBase {
* @return string
*/
public static function getBaseVersion() {
- return __CLASS__ . ': $Id: ApiBase.php 70066 2010-07-28 05:52:32Z tstarling $';
+ return __CLASS__ . ': $Id: ApiBase.php 79562 2011-01-04 06:15:54Z tstarling $';
}
}
diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 91bbaf6d..23de07d6 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -175,6 +175,10 @@ class ApiBlock extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -187,6 +191,6 @@ class ApiBlock extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiBlock.php 62766 2010-02-21 12:32:46Z ashley $';
+ return __CLASS__ . ': $Id: ApiBlock.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiDelete.php b/includes/api/ApiDelete.php
index 2b349bd7..c4550a96 100644
--- a/includes/api/ApiDelete.php
+++ b/includes/api/ApiDelete.php
@@ -230,6 +230,10 @@ class ApiDelete extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -242,6 +246,6 @@ class ApiDelete extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiDelete.php 62703 2010-02-19 12:54:09Z ashley $';
+ return __CLASS__ . ': $Id: ApiDelete.php 74217 2010-10-03 15:53:07Z reedy $';
}
} \ No newline at end of file
diff --git a/includes/api/ApiEditPage.php b/includes/api/ApiEditPage.php
index 50a9836a..e78f66bc 100644
--- a/includes/api/ApiEditPage.php
+++ b/includes/api/ApiEditPage.php
@@ -454,6 +454,10 @@ class ApiEditPage extends ApiBase {
);
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -470,6 +474,6 @@ class ApiEditPage extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiEditPage.php 62600 2010-02-16 22:01:38Z reedy $';
+ return __CLASS__ . ': $Id: ApiEditPage.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiEmailUser.php b/includes/api/ApiEmailUser.php
index 912480ef..66f2dff5 100644
--- a/includes/api/ApiEmailUser.php
+++ b/includes/api/ApiEmailUser.php
@@ -112,6 +112,10 @@ class ApiEmailUser extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -123,7 +127,7 @@ class ApiEmailUser extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiEmailUser.php 62599 2010-02-16 21:59:16Z reedy $';
+ return __CLASS__ . ': $Id: ApiEmailUser.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
\ No newline at end of file
diff --git a/includes/api/ApiImport.php b/includes/api/ApiImport.php
index 032b684c..d33a472a 100644
--- a/includes/api/ApiImport.php
+++ b/includes/api/ApiImport.php
@@ -149,6 +149,10 @@ class ApiImport extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -161,7 +165,7 @@ class ApiImport extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiImport.php 62599 2010-02-16 21:59:16Z reedy $';
+ return __CLASS__ . ': $Id: ApiImport.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php
index 71010de7..c234f084 100644
--- a/includes/api/ApiMove.php
+++ b/includes/api/ApiMove.php
@@ -219,6 +219,10 @@ class ApiMove extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -230,6 +234,6 @@ class ApiMove extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiMove.php 62810 2010-02-22 03:34:56Z mah $';
+ return __CLASS__ . ': $Id: ApiMove.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiPatrol.php b/includes/api/ApiPatrol.php
index 3b2b2046..79916117 100644
--- a/includes/api/ApiPatrol.php
+++ b/includes/api/ApiPatrol.php
@@ -92,6 +92,10 @@ class ApiPatrol extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -103,6 +107,6 @@ class ApiPatrol extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiPatrol.php 69578 2010-07-20 02:46:20Z tstarling $';
+ return __CLASS__ . ': $Id: ApiPatrol.php 74217 2010-10-03 15:53:07Z reedy $';
}
} \ No newline at end of file
diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index ca47c1b8..0b1ae4c8 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -184,8 +184,12 @@ class ApiProtect extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
- return null;
+ return '';
}
protected function getExamples() {
@@ -196,6 +200,6 @@ class ApiProtect extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiProtect.php 62557 2010-02-15 23:53:43Z reedy $';
+ return __CLASS__ . ': $Id: ApiProtect.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiQueryAllUsers.php b/includes/api/ApiQueryAllUsers.php
index f8d475cc..611fc98c 100644
--- a/includes/api/ApiQueryAllUsers.php
+++ b/includes/api/ApiQueryAllUsers.php
@@ -184,7 +184,14 @@ class ApiQueryAllUsers extends ApiQueryBase {
}
}
- $db->freeResult( $res );
+ if ( is_array( $lastUserData ) ) {
+ $fit = $result->addValue( array( 'query', $this->getModuleName() ),
+ null, $lastUserData );
+ if ( !$fit ) {
+ $this->setContinueEnumParameter( 'from',
+ $this->keyToTitle( $lastUserData['name'] ) );
+ }
+ }
$result->setIndexedTagName_internal( array( 'query', $this->getModuleName() ), 'u' );
}
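Review bot: The replaced line was the only `$db->freeResult( $res )` visible here and the new block does not restore it, so the result set is no longer explicitly released after the loop unless that happens elsewhere (the loop itself is outside this hunk). If nothing else frees it, re-add `$db->freeResult( $res );` before the `setIndexedTagName_internal` call. The continuation value reads `$lastUserData['name']`, which assumes the loop always populates that key whenever `$lastUserData` is an array — worth a short comment if that invariant is deliberate.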
@@ -244,6 +251,6 @@ class ApiQueryAllUsers extends ApiQueryBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiQueryAllUsers.php 69932 2010-07-26 08:03:21Z tstarling $';
+ return __CLASS__ . ': $Id: ApiQueryAllUsers.php 79562 2011-01-04 06:15:54Z tstarling $';
}
}
diff --git a/includes/api/ApiQueryRevisions.php b/includes/api/ApiQueryRevisions.php
index 6166b6a2..3992d6a9 100644
--- a/includes/api/ApiQueryRevisions.php
+++ b/includes/api/ApiQueryRevisions.php
@@ -125,7 +125,7 @@ class ApiQueryRevisions extends ApiQueryBase {
}
$db = $this->getDB();
- $this->addTables( array( 'page', 'revision' ) );
+ $this->addTables( 'page' );
$this->addFields( Revision::selectFields() );
$this->addWhere( 'page_id = rev_page' );
@@ -189,6 +189,9 @@ class ApiQueryRevisions extends ApiQueryBase {
$this->section = false;
}
+ //Bug 24166 - API error when using rvprop=tags
+ $this->addTables( 'revision' );
+
$userMax = ( $this->fld_content ? ApiBase::LIMIT_SML1 : ApiBase::LIMIT_BIG1 );
$botMax = ( $this->fld_content ? ApiBase::LIMIT_SML2 : ApiBase::LIMIT_BIG2 );
$limit = $params['limit'];
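Review bot: The comment `//Bug 24166 - API error when using rvprop=tags` records the ticket but not the mechanism, and the earlier hunk drops `revision` from the first `addTables()` call while leaving `page_id = rev_page` in the WHERE clause, so the next reader will assume the two changes are unrelated. Presumably the point is join order — `revision` must be added after the join tables set up in the rvprop=tags branch above — so say so: `// Bug 24166: add 'revision' only now, after the rvprop=tags branch has added its join tables, so the implicit join order is valid`. The method starts outside this hunk, so I cannot confirm where that branch sits.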
@@ -603,6 +606,6 @@ class ApiQueryRevisions extends ApiQueryBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiQueryRevisions.php 69932 2010-07-26 08:03:21Z tstarling $';
+ return __CLASS__ . ': $Id: ApiQueryRevisions.php 72117 2010-09-01 16:50:07Z reedy $';
}
}
diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
index 2ffae504..1c4a4ade 100644
--- a/includes/api/ApiUnblock.php
+++ b/includes/api/ApiUnblock.php
@@ -116,6 +116,10 @@ class ApiUnblock extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -128,6 +132,6 @@ class ApiUnblock extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiUnblock.php 62599 2010-02-16 21:59:16Z reedy $';
+ return __CLASS__ . ': $Id: ApiUnblock.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php
index 9efba5f3..ae705b69 100644
--- a/includes/api/ApiUndelete.php
+++ b/includes/api/ApiUndelete.php
@@ -125,6 +125,10 @@ class ApiUndelete extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
@@ -137,6 +141,6 @@ class ApiUndelete extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiUndelete.php 62599 2010-02-16 21:59:16Z reedy $';
+ return __CLASS__ . ': $Id: ApiUndelete.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 6b91b223..06688997 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -306,6 +306,10 @@ class ApiUpload extends ApiBase {
) );
}
+ public function needsToken() {
+ return true;
+ }
+
public function getTokenSalt() {
return '';
}
diff --git a/includes/api/ApiUserrights.php b/includes/api/ApiUserrights.php
index 6296a8f8..be0750d6 100644
--- a/includes/api/ApiUserrights.php
+++ b/includes/api/ApiUserrights.php
@@ -101,6 +101,10 @@ class ApiUserrights extends ApiBase {
array( 'missingparam', 'user' ),
) );
}
+
+ public function needsToken() {
+ return true;
+ }
public function getTokenSalt() {
$params = $this->extractRequestParams();
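Review bot: The inserted `needsToken()` runs straight into the `getTokenSalt()` declaration with no separating blank line, unlike the same insertion in every other Api* file in this commit; add a blank line after its closing brace. A one-line comment on `getTokenSalt()` would also explain why `needsToken()` exists at all — this is the only module in the commit whose salt depends on request parameters (the `extractRequestParams()` call on the last line), which makes getTokenSalt() unsafe to call from the documentation path.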
@@ -123,6 +127,6 @@ class ApiUserrights extends ApiBase {
}
public function getVersion() {
- return __CLASS__ . ': $Id: ApiUserrights.php 62686 2010-02-19 01:25:57Z reedy $';
+ return __CLASS__ . ': $Id: ApiUserrights.php 74217 2010-10-03 15:53:07Z reedy $';
}
}
diff --git a/includes/diff/DifferenceInterface.php b/includes/diff/DifferenceInterface.php
index d7d36799..0e9ca9f6 100644
--- a/includes/diff/DifferenceInterface.php
+++ b/includes/diff/DifferenceInterface.php
@@ -112,6 +112,8 @@ class DifferenceEngine {
global $wgUser, $wgOut, $wgUseExternalEditor, $wgUseRCPatrol;
wfProfileIn( __METHOD__ );
+ # Allow frames except in certain special cases
+ $wgOut->allowClickjacking();
# If external diffs are enabled both globally and for the user,
# we'll use the application/x-external-editor interface to call
@@ -199,6 +201,7 @@ CONTROL;
// Check if page is editable
$editable = $this->mNewRev->getTitle()->userCan( 'edit' );
if ( $editable && $this->mNewRev->isCurrent() && $wgUser->isAllowed( 'rollback' ) ) {
+ $wgOut->preventClickjacking();
$rollback = '&nbsp;&nbsp;&nbsp;' . $sk->generateRollback( $this->mNewRev );
} else {
$rollback = '';
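Review bot: `preventClickjacking()` is set only for the rollback link, but this method also has `$wgUseRCPatrol` in scope (first hunk) and presumably renders the "mark as patrolled" link further down, outside the hunk; if that link is a state-changing GET (`action=markpatrolled`) it is as clickjackable as rollback and needs the same `$wgOut->preventClickjacking();` next to where it is built. Since `allowClickjacking()` is called unconditionally at the top of the method in the first hunk, every later write affordance has to opt back in individually — a comment at that call saying so would help extension authors using diff hooks. The enclosing method starts and ends outside this hunk.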
diff --git a/includes/json/Services_JSON.php b/includes/json/Services_JSON.php
index 94233520..588ece9c 100644
--- a/includes/json/Services_JSON.php
+++ b/includes/json/Services_JSON.php
@@ -50,7 +50,7 @@
* @author Matt Knapp <mdknapp[at]gmail[dot]com>
* @author Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright 2005 Michal Migurski
-* @version CVS: $Id: Services_JSON.php 65683 2010-04-30 05:56:15Z tstarling $
+* @version CVS: $Id: Services_JSON.php 79562 2011-01-04 06:15:54Z tstarling $
* @license http://www.opensource.org/licenses/bsd-license.php
* @see http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
diff --git a/includes/specials/SpecialAllpages.php b/includes/specials/SpecialAllpages.php
index a36cdca7..19816dcd 100644
--- a/includes/specials/SpecialAllpages.php
+++ b/includes/specials/SpecialAllpages.php
@@ -40,6 +40,7 @@ class SpecialAllpages extends IncludableSpecialPage {
$this->setHeaders();
$this->outputHeader();
+ $wgOut->allowClickjacking();
# GET values
$from = $wgRequest->getVal( 'from', null );
diff --git a/includes/specials/SpecialCategories.php b/includes/specials/SpecialCategories.php
index a649eafd..eb49fdbc 100644
--- a/includes/specials/SpecialCategories.php
+++ b/includes/specials/SpecialCategories.php
@@ -12,6 +12,7 @@ function wfSpecialCategories( $par=null ) {
} else {
$from = $par;
}
+ $wgOut->allowClickjacking();
$cap = new CategoryPager( $from );
$cap->doQuery();
$wgOut->addHTML(
diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 392f4332..b5d6107a 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -107,6 +107,7 @@ class SpecialContributions extends SpecialPage {
'<p>' . $pager->getNavigationBar() . '</p>'
);
}
+ $wgOut->preventClickjacking( $pager->getPreventClickjacking() );
# Show the appropriate "footer" message - WHOIS tools, etc.
@@ -428,6 +429,7 @@ class ContribsPager extends ReverseChronologicalPager {
public $mDefaultDirection = true;
var $messages, $target;
var $namespace = '', $mDb;
+ var $preventClickjacking = false;
function __construct( $target, $namespace = false, $year = false, $month = false, $tagFilter = false ) {
parent::__construct();
@@ -565,6 +567,7 @@ class ContribsPager extends ReverseChronologicalPager {
if( !$row->page_is_new && $page->quickUserCan( 'rollback' )
&& $page->quickUserCan( 'edit' ) )
{
+ $this->preventClickjacking();
$topmarktext .= ' '.$sk->generateRollback( $rev );
}
}
@@ -671,4 +674,11 @@ class ContribsPager extends ReverseChronologicalPager {
return $this->mDb;
}
+ protected function preventClickjacking() {
+ $this->preventClickjacking = true;
+ }
+
+ public function getPreventClickjacking() {
+ return $this->preventClickjacking;
+ }
}
diff --git a/includes/specials/SpecialLinkSearch.php b/includes/specials/SpecialLinkSearch.php
index 5913f4b4..70b2257a 100644
--- a/includes/specials/SpecialLinkSearch.php
+++ b/includes/specials/SpecialLinkSearch.php
@@ -44,8 +44,10 @@ function wfSpecialLinkSearch( $par ) {
$protocol = '';
}
- $self = Title::makeTitle( NS_SPECIAL, 'Linksearch' );
+ $wgOut->allowClickjacking();
+ $self = Title::makeTitle( NS_SPECIAL, 'Linksearch' );
+
$wgOut->addWikiMsg( 'linksearch-text', '<nowiki>' . $wgLang->commaList( $wgUrlProtocols ) . '</nowiki>' );
$s = Xml::openElement( 'form', array( 'id' => 'mw-linksearch-form', 'method' => 'get', 'action' => $GLOBALS['wgScript'] ) ) .
Xml::hidden( 'title', $self->getPrefixedDbKey() ) .
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index da054e02..40b28236 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -364,6 +364,7 @@ class SpecialSearch {
$wgOut->setRobotPolicy( 'noindex,nofollow' );
// add javascript specific to special:search
$wgOut->addScriptFile( 'search.js' );
+ $wgOut->allowClickjacking();
}
/**
diff --git a/includes/specials/SpecialSpecialpages.php b/includes/specials/SpecialSpecialpages.php
index 84ab689a..8e97f9b7 100644
--- a/includes/specials/SpecialSpecialpages.php
+++ b/includes/specials/SpecialSpecialpages.php
@@ -13,6 +13,7 @@ function wfSpecialSpecialpages() {
$wgMessageCache->loadAllMessages();
$wgOut->setRobotPolicy( 'noindex,nofollow' ); # Is this really needed?
+ $wgOut->allowClickjacking();
$sk = $wgUser->getSkin();
$pages = SpecialPage::getUsablePages();
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 9569945d..68ee8efc 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -23,30 +23,30 @@ class SpecialUpload extends SpecialPage {
}
/** Misc variables **/
- protected $mRequest; // The WebRequest or FauxRequest this form is supposed to handle
- protected $mSourceType;
- protected $mUpload;
- protected $mLocalFile;
- protected $mUploadClicked;
+ public $mRequest; // The WebRequest or FauxRequest this form is supposed to handle
+ public $mSourceType;
+ public $mUpload;
+ public $mLocalFile;
+ public $mUploadClicked;
/** User input variables from the "description" section **/
- public $mDesiredDestName; // The requested target file name
- protected $mComment;
- protected $mLicense;
-
+ public $mDesiredDestName; // The requested target file name
+ public $mComment;
+ public $mLicense;
+
/** User input variables from the root section **/
- protected $mIgnoreWarning;
- protected $mWatchThis;
- protected $mCopyrightStatus;
- protected $mCopyrightSource;
+ public $mIgnoreWarning;
+ public $mWatchThis;
+ public $mCopyrightStatus;
+ public $mCopyrightSource;
/** Hidden variables **/
- protected $mDestWarningAck;
- protected $mForReUpload; // The user followed an "overwrite this file" link
- protected $mCancelUpload; // The user clicked "Cancel and return to upload form" button
- protected $mTokenOk;
- protected $mUploadSuccessful = false; // Subclasses can use this to determine whether a file was uploaded
-
+ public $mDestWarningAck;
+ public $mForReUpload; // The user followed an "overwrite this file" link
+ public $mCancelUpload; // The user clicked "Cancel and return to upload form" button
+ public $mTokenOk;
+ public $mUploadSuccessful = false; // Subclasses can use this to determine whether a file was uploaded
+
/** Text injection points for hooks not using HTMLForm **/
public $uploadFormTextTop;
public $uploadFormTextAfterSummary;
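Review bot: Sixteen members switch from `protected` to `public` with no comment on which consumer needs them; among them `$mTokenOk` (the outcome of the edit-token check) and `$mUploadSuccessful`, which are internal state the form's own processing relies on rather than something callers should be able to set. If the goal is to let hooks or subclasses read them, a short comment naming that consumer — e.g. `// public so that upload hooks/extensions can inspect form state` — would stop a later cleanup from reverting this; exposing the token result read-only via a getter would be the safer shape, but I cannot see the consumer from this hunk. The blank lines are also rewritten (the `-`/`+` pairs at the blank positions), which suggests trailing whitespace was added or removed and is worth checking.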
diff --git a/includes/specials/SpecialVersion.php b/includes/specials/SpecialVersion.php
index 7da6023e..ebc50bab 100644
--- a/includes/specials/SpecialVersion.php
+++ b/includes/specials/SpecialVersion.php
@@ -32,6 +32,7 @@ class SpecialVersion extends SpecialPage {
$this->setHeaders();
$this->outputHeader();
+ $wgOut->allowClickjacking();
$wgOut->addHTML( Xml::openElement( 'div',
array( 'dir' => $wgContLang->getDir() ) ) );