From 027fc6e70f7f9ce8422d4798fb02e67ff271ae4c Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Thu, 31 Jul 2014 06:43:27 +0200 Subject: Update to MediaWiki 1.22.9 --- RELEASE-NOTES-1.22 | 14 ++++++++++++++ includes/DefaultSettings.php | 2 +- includes/ImagePage.php | 2 ++ includes/OutputPage.php | 12 ++++++++++++ includes/api/ApiFormatJson.php | 4 +++- includes/filerepo/file/LocalFile.php | 2 ++ includes/parser/ParserOutput.php | 13 +++++++++++++ resources/Resources.php | 6 +++++- .../mediawiki.page/mediawiki.page.image.pagination.js | 11 ++++++++++- 9 files changed, 62 insertions(+), 4 deletions(-) diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index be1d96a7..44067ff8 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,20 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.9 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.8 === + +* (bug 68187) SECURITY: Prepend jsonp callback with comment. +* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used + for loading a new page in Javascript,instead of relying on the URL in the link + that has been clicked. +* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and + ParserOutput. +* (bug 59147) The img_metadata field was not being decoded from bytea into text. + == MediaWiki 1.22.8 == This is a security and maintenance release of the MediaWiki 1.22 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 4eb979ac..cd631a8b 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration; * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.22.8'; +$wgVersion = '1.22.9'; /** * Name of the site. It must be changed in LocalSettings.php 
diff --git a/includes/ImagePage.php b/includes/ImagePage.php index 7ea06b0e..d696a17c 100644 --- a/includes/ImagePage.php +++ b/includes/ImagePage.php @@ -420,6 +420,8 @@ class ImagePage extends Article { if ( $page > 1 ) { $label = $out->parse( wfMessage( 'imgmultipageprev' )->text(), false ); + // on the client side, this link is generated in ajaxifyPageNavigation() + // in the mediawiki.page.image.pagination module $link = Linker::linkKnown( $this->getTitle(), $label, diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 7f0454f6..6bfba78b 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -1574,6 +1574,8 @@ class OutputPage extends ContextSource { $this->addModuleScripts( $parserOutput->getModuleScripts() ); $this->addModuleStyles( $parserOutput->getModuleStyles() ); $this->addModuleMessages( $parserOutput->getModuleMessages() ); + $this->mPreventClickjacking = $this->mPreventClickjacking + || $parserOutput->preventClickjacking(); // Template versioning... foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) { @@ -1873,6 +1875,16 @@ class OutputPage extends ContextSource { $this->mPreventClickjacking = false; } + /** + * Get the prevent-clickjacking flag + * + * @since 1.24 + * @return boolean + */ + public function getPreventClickjacking() { + return $this->mPreventClickjacking; + } + /** * Get the X-Frame-Options header value (without the name part), or false * if there isn't one. This is used by Skin to determine whether to enable diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php index 342a580f..4140583e 100644 --- a/includes/api/ApiFormatJson.php +++ b/includes/api/ApiFormatJson.php 
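Review bot: In addParserOutputMetadata the new line reads the flag through `$parserOutput->preventClickjacking()` with no argument, which reads as a command rather than a query; the getter-or-setter behaviour only follows from the wfSetVar accessor defined in the other file. A one-line comment above it would stop the next reader from assuming the call turns the header on: `// preventClickjacking() with no argument just returns ParserOutput's flag; OR keeps it sticky`. The OR merge itself is right, since either source asking for the header should keep it. addParserOutputMetadata begins and ends outside the hunk.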
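Review bot: getPreventClickjacking is tagged `@since 1.24` but this patch ships it in the 1.22.9 release (see the version bump and release notes), so on this branch the tag misleads readers and deprecation tooling; use `@since 1.22.9` or keep 1.24 with a "backported to 1.22.9" note. Prefer the short type name, `@return bool`, and say what the flag feeds: `Whether an X-Frame-Options header will be sent for this page (consumed by getFrameOptions()).`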
@@ -65,7 +65,9 @@ class ApiFormatJson extends ApiFormatBase { $callback = $params['callback']; if ( $callback !== null ) { $callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback ); - $this->printText( "$callback($json)" ); + # Prepend a comment to try to avoid attacks against content + # sniffers, such as bug 68187. + $this->printText( "/**/$callback($json)" ); } else { $this->printText( $json ); } diff --git a/includes/filerepo/file/LocalFile.php b/includes/filerepo/file/LocalFile.php index fe769be2..d18f42e4 100644 --- a/includes/filerepo/file/LocalFile.php +++ b/includes/filerepo/file/LocalFile.php @@ -423,6 +423,8 @@ class LocalFile extends File { $decoded['timestamp'] = wfTimestamp( TS_MW, $decoded['timestamp'] ); + $decoded['metadata'] = $this->repo->getSlaveDB()->decodeBlob( $decoded['metadata'] ); + if ( empty( $decoded['major_mime'] ) ) { $decoded['mime'] = 'unknown/unknown'; } else { diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php index 502f0fd1..460f3211 100644 --- a/includes/parser/ParserOutput.php +++ b/includes/parser/ParserOutput.php @@ -55,6 +55,7 @@ class ParserOutput extends CacheTime { private $mExtensionData = array(); # extra data used by extensions private $mLimitReportData = array(); # Parser limit report data private $mParseStartTime = array(); # Timestamps for getTimeSinceStart() + private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)())#'; @@ -330,6 +331,7 @@ class ParserOutput extends CacheTime { $this->addModuleMessages( $out->getModuleMessages() ); $this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() ); + $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking(); } /** 
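Review bot: The leading `/**/` only helps against sniffers that key on the first bytes of the body, and it still presumes the preg_replace filter on the line above stays in place: dots, brackets and both quote characters remain allowed, so the callback is still attacker-influenced after the comment. The complementary defence a reviewer would expect, sending the JSONP branch with a JavaScript content type and `X-Content-Type-Options: nosniff`, is not visible in this hunk; please confirm it is set elsewhere. The comment should state the mechanism instead of "try to": `# Lead with a comment so the body no longer starts with attacker-controlled bytes, which defeats content sniffers (bug 68187).` The enclosing method starts and ends outside the hunk.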
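Review bot: decodeBlob is applied to `$decoded['metadata']` unconditionally, so a row that was loaded without that column, or with a NULL value, is handed to the decoder; guard it with `if ( isset( $decoded['metadata'] ) ) { $decoded['metadata'] = $this->repo->getSlaveDB()->decodeBlob( $decoded['metadata'] ); }` unless every caller is known to select it. decodeBlob is presumably dialect-specific, so it should run on the same database class that produced the row; getSlaveDB() is likely fine, but worth confirming for rows read from the master. The enclosing method begins and ends outside the hunk.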
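Review bot: The property comment promises `X-Frame-Options: DENY`, but the actual header value is computed by OutputPage's getFrameOptions (referenced in the other file of this patch) and this flag only records that a header is wanted; rewrite it as `# Whether OutputPage should send an X-Frame-Options header for this output`. Separately, this adds a private field to a class that extends CacheTime, which suggests instances are serialised into a cache; entries stored before this change will deserialise with the default false and so will not prevent clickjacking until they expire. If that is the case, consider bumping the parser cache version in the same release, or at least documenting the window in the release notes.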
@@ -629,4 +631,15 @@ class ParserOutput extends CacheTime { function setLimitReportData( $key, $value ) { $this->mLimitReportData[$key] = $value; } + + /** + * Get or set the prevent-clickjacking flag + * + * @since 1.24 + * @param boolean|null $flag New flag value, or null to leave it unchanged + * @return boolean Old flag value + */ + public function preventClickjacking( $flag = null ) { + return wfSetVar( $this->mPreventClickjacking, $flag ); + } } diff --git a/resources/Resources.php b/resources/Resources.php index 06120008..3b06e1be 100644 --- a/resources/Resources.php +++ b/resources/Resources.php @@ -981,7 +981,11 @@ return array( ), 'mediawiki.page.image.pagination' => array( 'scripts' => 'resources/mediawiki.page/mediawiki.page.image.pagination.js', - 'dependencies' => array( 'jquery.spinner' ) + 'dependencies' => array( + 'mediawiki.Uri', + 'mediawiki.util', + 'jquery.spinner', + ) ), /* MediaWiki Special pages */ diff --git a/resources/mediawiki.page/mediawiki.page.image.pagination.js b/resources/mediawiki.page/mediawiki.page.image.pagination.js index fb44a76f..11ed0ae4 100644 --- a/resources/mediawiki.page/mediawiki.page.image.pagination.js +++ b/resources/mediawiki.page/mediawiki.page.image.pagination.js @@ -31,7 +31,16 @@ function ajaxifyPageNavigation() { // Intercept the default action of the links in the thumbnail navigation $( '.multipageimagenavbox' ).one( 'click', 'a', function ( e ) { - loadPage( this.href ); + var page, uri; + + // Generate the same URL on client side as the one generated in ImagePage::openShowImage. + // We avoid using the URL in the link directly since it could have been manipulated (bug 66608) + page = Number( mw.util.getParamValue( 'page', this.href ) ); + uri = new mw.Uri( mw.util.wikiScript() ) + .extend( { title: mw.config.get( 'wgPageName' ), page: page } ) + .toString(); + + loadPage( uri ); e.preventDefault(); } ); -- cgit v1.2.2
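Review bot: preventClickjacking carries `@since 1.24` while this patch releases it in 1.22.9, so the tag is wrong for this branch; use `@since 1.22.9` or add a backport note. The docblock should also spell out the wfSetVar contract, since a caller passing nothing gets a read and a caller passing a value gets a write: `@param bool|null $flag New value, or null to only read the current flag` and `@return bool The value before this call`. Short type names (`bool`) are preferred over `boolean`.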
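Review bot: Rebuilding the URL from wgPageName and the `page` parameter is the right fix, but `Number( mw.util.getParamValue( 'page', this.href ) )` yields NaN for a non-numeric value and 0 when the parameter is missing, and both are then interpolated into the request as `page=NaN` or `page=0`; what the server does with those is not visible here. Validate before building the URI, e.g. `page = parseInt( mw.util.getParamValue( 'page', this.href ), 10 );` followed by `if ( isNaN( page ) || page < 1 ) { e.preventDefault(); return; }`, so a tampered link neither navigates via its own href nor issues a malformed request. The comment could also name the threat precisely: `// The href is DOM-controlled and may have been altered by injected content, so never navigate to it directly (bug 66608)`. ajaxifyPageNavigation starts and ends outside the hunk.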