From 124299758ca7454561118f466a0470905758924f Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Wed, 13 Apr 2011 05:42:02 +0200
Subject: update to MediaWiki 1.16.3
---
 includes/DefaultSettings.php | 2 +-
 includes/RawPage.php | 2 +-
 includes/Sanitizer.php | 47 +++++++++++++++++++++++++++----------
 includes/WebRequest.php | 17 ++++++++++++++
 includes/specials/SpecialImport.php | 29 ++++++++++++++++++++---
 5 files changed, 79 insertions(+), 18 deletions(-)
(limited to 'includes')
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 155bb7c0..7993d95c 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
 }
 /** MediaWiki version number */
-$wgVersion = '1.16.2';
+$wgVersion = '1.16.3';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/RawPage.php b/includes/RawPage.php
index 8e515af3..2b610318 100644
--- a/includes/RawPage.php
+++ b/includes/RawPage.php
@@ -125,7 +125,7 @@ class RawPage {
 #
 # Just return a 403 Forbidden and get it over with.
 wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
 'Raw pages must be accessed through the primary script entry point.' );
 return;
 }
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index b5725ce8..26837b3c 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -726,29 +726,35 @@ class Sanitizer {
 /**
 * Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string, or false if it was just too evil.
+ * Returns a sanitized string. This sanitized string will have
+ * character references and escape sequences decoded, and comments
+ * stripped. If the input is just too evil, only a comment complaining
+ * about evilness will be returned.
 *
 * Currently URL references, 'expression', 'tps' are forbidden.
 *
+ * NOTE: Despite the fact that character references are decoded, the
+ * returned string may contain character references given certain
+ * clever input strings. These character references must
+ * be escaped before the return value is embedded in HTML.
+ *
 * @param $value String
- * @return Mixed
+ * @return String
 */
 static function checkCss( $value ) {
+ // Decode character references like {
 $value = Sanitizer::decodeCharReferences( $value );
- // Remove any comments; IE gets token splitting wrong
- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
-
- // Remove anything after a comment-start token, to guard against
- // incorrect client implementations.
- $commentPos = strpos( $value, '/*' );
- if ( $commentPos !== false ) {
- $value = substr( $value, 0, $commentPos );
- }
-
 // Decode escape sequences and line continuation
 // See the grammar in the CSS 2 spec, appendix D.
- static $decodeRegex, $reencodeTable;
+ // This has to be done AFTER decoding character references.
+ // This means it isn't possible for this function to return
+ // unsanitized escape sequences. It is possible to manufacture
+ // input that contains character references that decode to
+ // escape sequences that decode to character references, but
+ // it's OK for the return value to contain character references
+ // because the caller is supposed to escape those anyway.
+ static $decodeRegex;
 if ( !$decodeRegex ) {
 $space = '[\\x20\\t\\r\\n\\f]';
 $nl = '(?:\\n|\\r\\n|\\r|\\f)';
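Review bot: The new `@return String` tag does not carry the contract the NOTE paragraph establishes, namely that the returned CSS is not HTML-safe and still has to be escaped by the caller, so a reader who only scans the tags will miss it. Suggest `* @return String Sanitized CSS; may still contain character references and must be HTML-escaped before output.` The body of checkCss() continues past the end of this hunk, so the "comment complaining about evilness" return path the docblock describes is not visible here.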
@@ -763,6 +769,21 @@ class Sanitizer {
 }
 $value = preg_replace_callback( $decodeRegex, array( __CLASS__, 'cssDecodeCallback' ), $value );
+
+ // Remove any comments; IE gets token splitting wrong
+ // This must be done AFTER decoding character references and
+ // escape sequences, because those steps can introduce comments
+ // This step cannot introduce character references or escape
+ // sequences, because it replaces comments with spaces rather
+ // than removing them completely.
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Remove anything after a comment-start token, to guard against
+ // incorrect client implementations.
+ $commentPos = strpos( $value, '/*' );
+ if ( $commentPos !== false ) {
+ $value = substr( $value, 0, $commentPos );
+ }
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index b6d6d27a..8a0ef48b 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
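Review bot: The result of `preg_replace_callback()` on the second line of the hunk is handed straight to the added `StringUtils::delimiterReplace()` and `strpos()` calls without checking for the null that PCRE returns on a backtrack-limit or similar matching error, so a pathological style value would propagate as null through the remaining checks instead of being rejected. A sanitizer should fail closed at that point, `if ( $value === null ) { return /* the same "too evil" comment the rejection path returns */; }`, with the exact string taken from that path, which lies outside this hunk. Whether delimiterReplace() itself tolerates a null input I cannot tell from this diff. checkCss() continues beyond the last line shown.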
@@ -688,10 +688,27 @@ class WebRequest {
 * but only by prefixing it with the script name and maybe some other stuff,
 * the extension is not mangled. So this should be a reasonably portable
 * way to perform this security check.
+ *
+ * Also checks for anything that looks like a file extension at the end of
+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+ * if there was no dot before the question mark (bug 28235).
 */
 public function isPathInfoBad() {
 global $wgScriptExtension;
+ if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer, and requests with missing UA
+ // headers that could be IE users behind a privacy proxy.
+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
+ || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
+ {
+ return true;
+ }
+ }
+
 if ( !isset( $_SERVER['PATH_INFO'] ) ) {
 return false;
 }
diff --git a/includes/specials/SpecialImport.php b/includes/specials/SpecialImport.php
index 6beeab7f..248709a8 100644
--- a/includes/specials/SpecialImport.php
+++ b/includes/specials/SpecialImport.php
@@ -45,7 +45,7 @@ class SpecialImport extends SpecialPage {
 * Execute
 */
 function execute( $par ) {
- global $wgRequest;
+ global $wgRequest, $wgUser, $wgOut;
 $this->setHeaders();
 $this->outputHeader();
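Review bot: The added QUERY_STRING check is gated on `HTTP_USER_AGENT`, a client-supplied header, so an IE 6 client behind a proxy that rewrites rather than strips the UA string is not covered, and the docblock should say so to keep callers from treating isPathInfoBad() as a complete defence. Suggest adding to the new doc paragraph: ` * The User-Agent test is a best-effort heuristic; a rewritten UA header bypasses the QUERY_STRING check.` The inline `// Bug 28235` line repeats the reference the docblock already gives and could be dropped. isPathInfoBad() continues past the end of the hunk.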
@@ -56,6 +56,28 @@ class SpecialImport extends SpecialPage {
 return;
 }
+ if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
+ return $wgOut->permissionRequired( 'import' );
+
+ # TODO: allow Title::getUserPermissionsErrors() to take an array
+ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
+ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
+ $errors = wfMergeErrorArrays(
+ $this->getTitle()->getUserPermissionsErrors(
+ 'import', $wgUser, true,
+ array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+ ),
+ $this->getTitle()->getUserPermissionsErrors(
+ 'importupload', $wgUser, true,
+ array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+ )
+ );
+
+ if( $errors ){
+ $wgOut->showPermissionsErrorPage( $errors );
+ return;
+ }
+
 if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
 $this->doImport();
 }
@@ -84,6 +106,9 @@ class SpecialImport extends SpecialPage {
 return $wgOut->permissionRequired( 'importupload' );
 }
 } elseif ( $sourceName == "interwiki" ) {
+ if( !$wgUser->isAllowed( 'import' ) ){
+ return $wgOut->permissionRequired( 'import' );
+ }
 $this->interwiki = $wgRequest->getVal( 'interwiki' );
 if ( !in_array( $this->interwiki, $wgImportSources ) ) {
 $source = new WikiErrorMsg( "import-invalid-interwiki" );
@@ -133,8 +158,6 @@ class SpecialImport extends SpecialPage {
 private function showForm() {
 global $wgUser, $wgOut, $wgRequest, $wgImportSources, $wgExportMaxLinkDepth;
- if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
- return $wgOut->permissionRequired( 'import' );
 $action = $this->getTitle()->getLocalUrl( array( 'action' => 'submit' ) );
-- cgit v1.2.2
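Review bot: The two `getUserPermissionsErrors()` results are merged unconditionally, so a user who holds only one of `import`/`importupload` is also evaluated for the other right, and any error for the missing right beyond the three suppressed keys would block them from the page they are entitled to. Whether such extra errors can arise I cannot tell from this hunk, so it is worth confirming against Title::getUserPermissionsErrors() before relying on the suppression list. On style, the braceless `if( ... ) return $wgOut->permissionRequired( 'import' );` differs from the braced `if( $errors ){ ... }` a few lines below and from the `if ( ... )` spacing of the surrounding context; the same `if(` spacing recurs in the `@@ -84,6 +106,9 @@` hunk, and `wierd` in the FIXME should read `weird`. execute() continues beyond this hunk.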