From 8f93926e1bc6e96fc11b4d0d201025022d471de7 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz <pierre@archlinux.de>
Date: Tue, 4 Jan 2011 12:24:29 +0100
Subject: update to MediaWiki 1.16.1

---
 includes/Article.php                       |  5 ++++
 includes/DefaultSettings.php               | 32 +++++++++++++++++++---
 includes/HTMLForm.php                      |  3 +++
 includes/HistoryPage.php                   | 19 +++++++++++++
 includes/ImagePage.php                     | 26 ++++++++++++++++++
 includes/OutputPage.php                    | 43 ++++++++++++++++++++++++++++++
 includes/Skin.php                          |  2 +-
 includes/Title.php                         |  5 ++--
 includes/api/ApiBase.php                   | 12 +++++++--
 includes/api/ApiBlock.php                  |  6 ++++-
 includes/api/ApiDelete.php                 |  6 ++++-
 includes/api/ApiEditPage.php               |  6 ++++-
 includes/api/ApiEmailUser.php              |  6 ++++-
 includes/api/ApiImport.php                 |  6 ++++-
 includes/api/ApiMove.php                   |  6 ++++-
 includes/api/ApiPatrol.php                 |  6 ++++-
 includes/api/ApiProtect.php                |  8 ++++--
 includes/api/ApiQueryAllUsers.php          | 11 ++++++--
 includes/api/ApiQueryRevisions.php         |  7 +++--
 includes/api/ApiUnblock.php                |  6 ++++-
 includes/api/ApiUndelete.php               |  6 ++++-
 includes/api/ApiUpload.php                 |  4 +++
 includes/api/ApiUserrights.php             |  6 ++++-
 includes/diff/DifferenceInterface.php      |  3 +++
 includes/json/Services_JSON.php            |  2 +-
 includes/specials/SpecialAllpages.php      |  1 +
 includes/specials/SpecialCategories.php    |  1 +
 includes/specials/SpecialContributions.php | 10 +++++++
 includes/specials/SpecialLinkSearch.php    |  4 ++-
 includes/specials/SpecialSearch.php        |  1 +
 includes/specials/SpecialSpecialpages.php  |  1 +
 includes/specials/SpecialUpload.php        | 38 +++++++++++++-------------
 includes/specials/SpecialVersion.php       |  1 +
 33 files changed, 253 insertions(+), 46 deletions(-)

(limited to 'includes')

diff --git a/includes/Article.php b/includes/Article.php
index d3863c77..5edfc10d 100644
--- a/includes/Article.php
+++ b/includes/Article.php
@@ -792,6 +792,9 @@ class Article {
 			return;
 		}
 
+		# Allow frames by default
+		$wgOut->allowClickjacking();
+
 		# Should the parser cache be used?
 		$useParserCache = $this->useParserCache( $oldid );
 		wfDebug( 'Article::view using parser cache: ' . ( $useParserCache ? 'yes' : 'no' ) . "\n" );
@@ -1452,6 +1455,8 @@ class Article {
 		);
 		if ( !$dbr->numRows( $tbs ) ) return;
 
+		$wgOut->preventClickjacking();
+
 		$tbtext = "";
 		while ( $o = $dbr->fetchObject( $tbs ) ) {
 			$rmvtxt = "";
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a369fccd..c118075e 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
 }
 
 /** MediaWiki version number */
-$wgVersion = '1.16.0';
+$wgVersion = '1.16.1';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';
@@ -2502,6 +2502,11 @@ $wgRightsUrl = null;
 $wgRightsText = null;
 $wgRightsIcon = null;
 
+/**
+ * Set to an array of metadata terms. Else they will be loaded based on $wgRightsUrl
+ */
+$wgLicenseTerms = false;
+
 /** Set this to some HTML to override the rights icon with an arbitrary logo */
 $wgCopyrightIcon = null;
 
@@ -3981,11 +3986,32 @@ $wgParserTestFiles = array(
 $wgParserTestRemote = false;
 
 /**
- * Break out of framesets. This can be used to prevent external sites from
- * framing your site with ads.
+ * Break out of framesets. This can be used to prevent clickjacking attacks,
+ * or to prevent external sites from framing your site with ads.
  */
 $wgBreakFrames = false;
 
+/**
+ * The X-Frame-Options header to send on pages sensitive to clickjacking 
+ * attacks, such as edit pages. This prevents those pages from being displayed
+ * in a frame or iframe. The options are:
+ *
+ *   - 'DENY': Do not allow framing. This is recommended for most wikis.
+ *
+ *   - 'SAMEORIGIN': Allow framing by pages on the same domain. This can be used
+ *         to allow framing within a trusted domain. This is insecure if there
+ *         is a page on the same domain which allows framing of arbitrary URLs.
+ *
+ *   - false: Allow all framing. This opens up the wiki to XSS attacks and thus 
+ *         full compromise of local user accounts. Private wikis behind a 
+ *         corporate firewall are especially vulnerable. This is not 
+ *         recommended.
+ *
+ * For extra safety, set $wgBreakFrames = true, to prevent framing on all pages,
+ * not just edit pages.
+ */
+$wgEditPageFrameOptions = 'DENY';
+
 /**
  * Set this to an array of special page names to prevent
  * maintenance/updateSpecialPages.php from updating those pages.
diff --git a/includes/HTMLForm.php b/includes/HTMLForm.php
index fddc887b..12687dc4 100644
--- a/includes/HTMLForm.php
+++ b/includes/HTMLForm.php
@@ -311,6 +311,9 @@ class HTMLForm {
 			$this->displayErrors( $submitResult );
 		}
 
+		# For good measure (it is the default)
+		$wgOut->preventClickjacking();
+
 		$html = ''
 			. $this->mHeader
 			. $this->getBody()
diff --git a/includes/HistoryPage.php b/includes/HistoryPage.php
index e515d3dd..8f5c2dda 100644
--- a/includes/HistoryPage.php
+++ b/includes/HistoryPage.php
@@ -166,6 +166,7 @@ class HistoryPage {
 			$pager->getBody() .
 			$pager->getNavigationBar()
 		);
+		$wgOut->preventClickjacking( $pager->getPreventClickjacking() );
 
 		wfProfileOut( __METHOD__ );
 	}
@@ -301,6 +302,7 @@ class HistoryPage {
 class HistoryPager extends ReverseChronologicalPager {
 	public $lastRow = false, $counter, $historyPage, $title, $buttons, $conds;
 	protected $oldIdChecked;
+	protected $preventClickjacking = false;
 
 	function __construct( $historyPage, $year='', $month='', $tagFilter = '', $conds = array() ) {
 		parent::__construct();
@@ -382,6 +384,7 @@ class HistoryPager extends ReverseChronologicalPager {
 
 		$this->buttons = '<div>';
 		if( $wgUser->isAllowed('deleterevision') ) {
+			$this->preventClickjacking();
 			$float = $wgContLang->alignEnd();
 			# Note bug #20966, <button> is non-standard in IE<8
 			$this->buttons .= Xml::element( 'button',
@@ -488,6 +491,7 @@ class HistoryPager extends ReverseChronologicalPager {
 		$del = '';
 		// User can delete revisions...
 		if( $wgUser->isAllowed( 'deleterevision' ) ) {
+			$this->preventClickjacking();
 			// If revision was hidden from sysops, disable the checkbox
 			if( !$rev->userCan( Revision::DELETED_RESTRICTED ) ) {
 				$del = Xml::check( 'deleterevisions', false, array( 'disabled' => 'disabled' ) );
@@ -534,6 +538,7 @@ class HistoryPager extends ReverseChronologicalPager {
 		# Rollback and undo links
 		if( !is_null( $next ) && is_object( $next ) ) {
 			if( $latest && $this->title->userCan( 'rollback' ) && $this->title->userCan( 'edit' ) ) {
+				$this->preventClickjacking();
 				$tools[] = '<span class="mw-rollback-link">'.
 					$this->getSkin()->buildRollbackLink( $rev ).'</span>';
 			}
@@ -721,6 +726,20 @@ class HistoryPager extends ReverseChronologicalPager {
 			return '';
 		}
 	}
+
+	/**
+	 * This is called if a write operation is possible from the generated HTML
+	 */
+	function preventClickjacking( $enable = true ) {
+		$this->preventClickjacking = $enable;
+	}
+
+	/**
+	 * Get the "prevent clickjacking" flag
+	 */
+	function getPreventClickjacking() {
+		return $this->preventClickjacking;
+	}
 }
 
 /**
diff --git a/includes/ImagePage.php b/includes/ImagePage.php
index dd2c2ab1..f16acc33 100644
--- a/includes/ImagePage.php
+++ b/includes/ImagePage.php
@@ -600,6 +600,7 @@ EOT
 		$this->loadFile();
 		$pager = new ImageHistoryPseudoPager( $this );
 		$wgOut->addHTML( $pager->getBody() );
+		$wgOut->preventClickjacking( $pager->getPreventClickjacking() );
 
 		$this->img->resetHistory(); // free db resources
 
@@ -803,6 +804,7 @@ EOT
 class ImageHistoryList {
 
 	protected $imagePage, $img, $skin, $title, $repo, $showThumb;
+	protected $preventClickjacking = false;
 
 	public function __construct( $imagePage ) {
 		global $wgUser, $wgShowArchiveThumbnails;
@@ -929,6 +931,7 @@ class ImageHistoryList {
 			# Don't link to unviewable files
 			$row .= '<span class="history-deleted">' . $wgLang->timeAndDate( $timestamp, true ) . '</span>';
 		} elseif( $file->isDeleted(File::DELETED_FILE) ) {
+			$this->preventClickjacking();
 			$revdel = SpecialPage::getTitleFor( 'Revisiondelete' );
 			# Make a link to review the image
 			$url = $this->skin->link(
@@ -1015,9 +1018,19 @@ class ImageHistoryList {
 			return wfMsgHtml( 'filehist-nothumb' );
 		}
 	}
+
+	protected function preventClickjacking( $enable = true ) {
+		$this->preventClickjacking = $enable;
+	}
+
+	public function getPreventClickjacking() {
+		return $this->preventClickjacking;
+	}
 }
 
 class ImageHistoryPseudoPager extends ReverseChronologicalPager {
+	protected $preventClickjacking = false;
+
 	function __construct( $imagePage ) {
 		parent::__construct();
 		$this->mImagePage = $imagePage;
@@ -1058,6 +1071,10 @@ class ImageHistoryPseudoPager extends ReverseChronologicalPager {
 				$s .= $list->imageHistoryLine( !$file->isOld(), $file );
 			}
 			$s .= $list->endImageHistoryList($navLink);
+
+			if ( $list->getPreventClickjacking() ) {
+				$this->preventClickjacking();
+			}
 		}
 		return $s;
 	}
@@ -1140,4 +1157,13 @@ class ImageHistoryPseudoPager extends ReverseChronologicalPager {
 		}
 		$this->mQueryDone = true;
 	}
+	
+	protected function preventClickjacking( $enable = true ) {
+		$this->preventClickjacking = $enable;
+	}
+
+	public function getPreventClickjacking() {
+		return $this->preventClickjacking;
+	}
+
 }
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 4333383c..97e26110 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -37,6 +37,7 @@ class OutputPage {
 	var $mPageTitleActionText = '';
 	var $mParseWarnings = array();
 	var $mSquidMaxage = 0;
+	var $mPreventClickjacking = true;
 	var $mRevisionId = null;
 	protected $mTitle = null;
 
@@ -1347,6 +1348,41 @@ class OutputPage {
 		}
 	}
 
+	/**
+	 * Set a flag which will cause an X-Frame-Options header appropriate for 
+	 * edit pages to be sent. The header value is controlled by 
+	 * $wgEditPageFrameOptions.
+	 *
+	 * This is the default for special pages. If you display a CSRF-protected 
+	 * form on an ordinary view page, then you need to call this function.
+	 */
+	public function preventClickjacking( $enable = true ) {
+		$this->mPreventClickjacking = $enable;
+	}
+
+	/**
+	 * Turn off frame-breaking. Alias for $this->preventClickjacking(false).
+	 * This can be called from pages which do not contain any CSRF-protected
+	 * HTML form.
+	 */
+	public function allowClickjacking() {
+		$this->mPreventClickjacking = false;
+	}
+
+	/**
+	 * Get the X-Frame-Options header value (without the name part), or false 
+	 * if there isn't one. This is used by Skin to determine whether to enable 
+	 * JavaScript frame-breaking, for clients that don't support X-Frame-Options.
+	 */
+	public function getFrameOptions() {
+		global $wgBreakFrames, $wgEditPageFrameOptions;
+		if ( $wgBreakFrames ) {
+			return 'DENY';
+		} elseif ( $this->mPreventClickjacking && $wgEditPageFrameOptions ) {
+			return $wgEditPageFrameOptions;
+		}
+	}
+
 	/**
 	 * Send cache control HTTP headers
 	 */
@@ -1561,6 +1597,13 @@ class OutputPage {
 		$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
 		$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
 
+		// Prevent framing, if requested
+		$frameOptions = $this->getFrameOptions();
+		if ( $frameOptions ) {
+			$wgRequest->response()->header( "X-Frame-Options: $frameOptions" );
+		}
+
+
 		if ($this->mArticleBodyOnly) {
 			$this->out($this->mBodytext);
 		} else {
diff --git a/includes/Skin.php b/includes/Skin.php
index d1a0016d..18867cbe 100644
--- a/includes/Skin.php
+++ b/includes/Skin.php
@@ -413,7 +413,7 @@ class Skin extends Linker {
 			'wgUserGroups' => $wgUser->isAnon() ? null : $wgUser->getEffectiveGroups(),
 			'wgUserLanguage' => $wgLang->getCode(),
 			'wgContentLanguage' => $wgContLang->getCode(),
-			'wgBreakFrames' => $wgBreakFrames,
+			'wgBreakFrames' => $wgOut->getFrameOptions() == 'DENY',
 			'wgCurRevisionId' => isset( $wgArticle ) ? $wgArticle->getLatest() : 0,
 			'wgVersion' => $wgVersion,
 			'wgEnableAPI' => $wgEnableAPI,
diff --git a/includes/Title.php b/includes/Title.php
index 8d7275ff..be41a85a 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -2606,9 +2606,8 @@ class Title {
 		// purge variant urls as well
 		if($wgContLang->hasVariants()){
 			$variants = $wgContLang->getVariants();
-			foreach($variants as $vCode){
-				if($vCode==$wgContLang->getCode()) continue; // we don't want default variant
-				$urls[] = $this->getInternalURL('',$vCode);
+			foreach ( $variants as $vCode ) {
+				$urls[] = $this->getInternalURL( '', $vCode );
 			}
 		}
 
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index b703ab4f..708a3a40 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1005,6 +1005,14 @@ abstract class ApiBase {
 		return false;
 	}
 
+	/**
+	 * Returns whether this module requires a Token to execute
+	 * @returns bool
+	 */
+	public function needsToken() {
+		return false;
+	}
+
 	/**
 	 * Returns the token salt if there is one, '' if the module doesn't require a salt, else false if the module doesn't need a token
 	 * @returns bool
@@ -1033,7 +1041,7 @@ abstract class ApiBase {
 			$ret[] = array( 'writedisabled' );
 		}
 
-		if ( $this->getTokenSalt() !== false ) {
+		if ( $this->needsToken() ) {
 			$ret[] = array( 'missingparam', 'token' );
 			$ret[] = array( 'sessionfailure' );
 		}
@@ -1184,6 +1192,6 @@ abstract class ApiBase {
 	 * @return string
 	 */
 	public static function getBaseVersion() {
-		return __CLASS__ . ': $Id: ApiBase.php 70066 2010-07-28 05:52:32Z tstarling $';
+		return __CLASS__ . ': $Id: ApiBase.php 79562 2011-01-04 06:15:54Z tstarling $';
 	}
 }
diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 91bbaf6d..23de07d6 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -175,6 +175,10 @@ class ApiBlock extends ApiBase {
 		) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -187,6 +191,6 @@ class ApiBlock extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiBlock.php 62766 2010-02-21 12:32:46Z ashley $';
+		return __CLASS__ . ': $Id: ApiBlock.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiDelete.php b/includes/api/ApiDelete.php
index 2b349bd7..c4550a96 100644
--- a/includes/api/ApiDelete.php
+++ b/includes/api/ApiDelete.php
@@ -230,6 +230,10 @@ class ApiDelete extends ApiBase {
 		) );
 	}
 
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -242,6 +246,6 @@ class ApiDelete extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiDelete.php 62703 2010-02-19 12:54:09Z ashley $';
+		return __CLASS__ . ': $Id: ApiDelete.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
\ No newline at end of file
diff --git a/includes/api/ApiEditPage.php b/includes/api/ApiEditPage.php
index 50a9836a..e78f66bc 100644
--- a/includes/api/ApiEditPage.php
+++ b/includes/api/ApiEditPage.php
@@ -454,6 +454,10 @@ class ApiEditPage extends ApiBase {
 		);
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -470,6 +474,6 @@ class ApiEditPage extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiEditPage.php 62600 2010-02-16 22:01:38Z reedy $';
+		return __CLASS__ . ': $Id: ApiEditPage.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiEmailUser.php b/includes/api/ApiEmailUser.php
index 912480ef..66f2dff5 100644
--- a/includes/api/ApiEmailUser.php
+++ b/includes/api/ApiEmailUser.php
@@ -112,6 +112,10 @@ class ApiEmailUser extends ApiBase {
         ) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -123,7 +127,7 @@ class ApiEmailUser extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiEmailUser.php 62599 2010-02-16 21:59:16Z reedy $';
+		return __CLASS__ . ': $Id: ApiEmailUser.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
 	
\ No newline at end of file
diff --git a/includes/api/ApiImport.php b/includes/api/ApiImport.php
index 032b684c..d33a472a 100644
--- a/includes/api/ApiImport.php
+++ b/includes/api/ApiImport.php
@@ -149,6 +149,10 @@ class ApiImport extends ApiBase {
 		) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -161,7 +165,7 @@ class ApiImport extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiImport.php 62599 2010-02-16 21:59:16Z reedy $';
+		return __CLASS__ . ': $Id: ApiImport.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
 
diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php
index 71010de7..c234f084 100644
--- a/includes/api/ApiMove.php
+++ b/includes/api/ApiMove.php
@@ -219,6 +219,10 @@ class ApiMove extends ApiBase {
 		) );
 	}
 
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -230,6 +234,6 @@ class ApiMove extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiMove.php 62810 2010-02-22 03:34:56Z mah $';
+		return __CLASS__ . ': $Id: ApiMove.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiPatrol.php b/includes/api/ApiPatrol.php
index 3b2b2046..79916117 100644
--- a/includes/api/ApiPatrol.php
+++ b/includes/api/ApiPatrol.php
@@ -92,6 +92,10 @@ class ApiPatrol extends ApiBase {
         ) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -103,6 +107,6 @@ class ApiPatrol extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiPatrol.php 69578 2010-07-20 02:46:20Z tstarling $';
+		return __CLASS__ . ': $Id: ApiPatrol.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
\ No newline at end of file
diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index ca47c1b8..0b1ae4c8 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -184,8 +184,12 @@ class ApiProtect extends ApiBase {
 		) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
-		return null;
+		return '';
 	}
 
 	protected function getExamples() {
@@ -196,6 +200,6 @@ class ApiProtect extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiProtect.php 62557 2010-02-15 23:53:43Z reedy $';
+		return __CLASS__ . ': $Id: ApiProtect.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiQueryAllUsers.php b/includes/api/ApiQueryAllUsers.php
index f8d475cc..611fc98c 100644
--- a/includes/api/ApiQueryAllUsers.php
+++ b/includes/api/ApiQueryAllUsers.php
@@ -184,7 +184,14 @@ class ApiQueryAllUsers extends ApiQueryBase {
 			}
 		}
 
-		$db->freeResult( $res );
+		if ( is_array( $lastUserData ) ) {
+		        $fit = $result->addValue( array( 'query', $this->getModuleName() ),
+		                        null, $lastUserData );
+		        if ( !$fit ) {
+		                $this->setContinueEnumParameter( 'from',
+		                                $this->keyToTitle( $lastUserData['name'] ) );
+		        }
+		}
 
 		$result->setIndexedTagName_internal( array( 'query', $this->getModuleName() ), 'u' );
 	}
@@ -244,6 +251,6 @@ class ApiQueryAllUsers extends ApiQueryBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiQueryAllUsers.php 69932 2010-07-26 08:03:21Z tstarling $';
+		return __CLASS__ . ': $Id: ApiQueryAllUsers.php 79562 2011-01-04 06:15:54Z tstarling $';
 	}
 }
diff --git a/includes/api/ApiQueryRevisions.php b/includes/api/ApiQueryRevisions.php
index 6166b6a2..3992d6a9 100644
--- a/includes/api/ApiQueryRevisions.php
+++ b/includes/api/ApiQueryRevisions.php
@@ -125,7 +125,7 @@ class ApiQueryRevisions extends ApiQueryBase {
 		}
 
 		$db = $this->getDB();
-		$this->addTables( array( 'page', 'revision' ) );
+		$this->addTables( 'page' );
 		$this->addFields( Revision::selectFields() );
 		$this->addWhere( 'page_id = rev_page' );
 
@@ -189,6 +189,9 @@ class ApiQueryRevisions extends ApiQueryBase {
 				$this->section = false;
 		}
 
+		//Bug 24166 - API error when using rvprop=tags
+		$this->addTables( 'revision' );
+
 		$userMax = ( $this->fld_content ? ApiBase::LIMIT_SML1 : ApiBase::LIMIT_BIG1 );
 		$botMax  = ( $this->fld_content ? ApiBase::LIMIT_SML2 : ApiBase::LIMIT_BIG2 );
 		$limit = $params['limit'];
@@ -603,6 +606,6 @@ class ApiQueryRevisions extends ApiQueryBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiQueryRevisions.php 69932 2010-07-26 08:03:21Z tstarling $';
+		return __CLASS__ . ': $Id: ApiQueryRevisions.php 72117 2010-09-01 16:50:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
index 2ffae504..1c4a4ade 100644
--- a/includes/api/ApiUnblock.php
+++ b/includes/api/ApiUnblock.php
@@ -116,6 +116,10 @@ class ApiUnblock extends ApiBase {
         ) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -128,6 +132,6 @@ class ApiUnblock extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiUnblock.php 62599 2010-02-16 21:59:16Z reedy $';
+		return __CLASS__ . ': $Id: ApiUnblock.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php
index 9efba5f3..ae705b69 100644
--- a/includes/api/ApiUndelete.php
+++ b/includes/api/ApiUndelete.php
@@ -125,6 +125,10 @@ class ApiUndelete extends ApiBase {
 		) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
@@ -137,6 +141,6 @@ class ApiUndelete extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiUndelete.php 62599 2010-02-16 21:59:16Z reedy $';
+		return __CLASS__ . ': $Id: ApiUndelete.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 6b91b223..06688997 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -306,6 +306,10 @@ class ApiUpload extends ApiBase {
         ) );
 	}
 	
+	public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';
 	}
diff --git a/includes/api/ApiUserrights.php b/includes/api/ApiUserrights.php
index 6296a8f8..be0750d6 100644
--- a/includes/api/ApiUserrights.php
+++ b/includes/api/ApiUserrights.php
@@ -101,6 +101,10 @@ class ApiUserrights extends ApiBase {
 			array( 'missingparam', 'user' ),
         ) );
 	}
+
+	public function needsToken() {
+		return true;
+	}
 	
 	public function getTokenSalt() {
 		$params = $this->extractRequestParams();
@@ -123,6 +127,6 @@ class ApiUserrights extends ApiBase {
 	}
 
 	public function getVersion() {
-		return __CLASS__ . ': $Id: ApiUserrights.php 62686 2010-02-19 01:25:57Z reedy $';
+		return __CLASS__ . ': $Id: ApiUserrights.php 74217 2010-10-03 15:53:07Z reedy $';
 	}
 }
diff --git a/includes/diff/DifferenceInterface.php b/includes/diff/DifferenceInterface.php
index d7d36799..0e9ca9f6 100644
--- a/includes/diff/DifferenceInterface.php
+++ b/includes/diff/DifferenceInterface.php
@@ -112,6 +112,8 @@ class DifferenceEngine {
 		global $wgUser, $wgOut, $wgUseExternalEditor, $wgUseRCPatrol;
 		wfProfileIn( __METHOD__ );
 
+		# Allow frames except in certain special cases
+		$wgOut->allowClickjacking();
 
 		# If external diffs are enabled both globally and for the user,
 		# we'll use the application/x-external-editor interface to call
@@ -199,6 +201,7 @@ CONTROL;
 		// Check if page is editable
 		$editable = $this->mNewRev->getTitle()->userCan( 'edit' );
 		if ( $editable && $this->mNewRev->isCurrent() && $wgUser->isAllowed( 'rollback' ) ) {
+			$wgOut->preventClickjacking();
 			$rollback = '&nbsp;&nbsp;&nbsp;' . $sk->generateRollback( $this->mNewRev );
 		} else {
 			$rollback = '';
diff --git a/includes/json/Services_JSON.php b/includes/json/Services_JSON.php
index 94233520..588ece9c 100644
--- a/includes/json/Services_JSON.php
+++ b/includes/json/Services_JSON.php
@@ -50,7 +50,7 @@
 * @author Matt Knapp <mdknapp[at]gmail[dot]com>
 * @author Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
 * @copyright 2005 Michal Migurski
-* @version CVS: $Id: Services_JSON.php 65683 2010-04-30 05:56:15Z tstarling $
+* @version CVS: $Id: Services_JSON.php 79562 2011-01-04 06:15:54Z tstarling $
 * @license http://www.opensource.org/licenses/bsd-license.php
 * @see http://pear.php.net/pepr/pepr-proposal-show.php?id=198
 */
diff --git a/includes/specials/SpecialAllpages.php b/includes/specials/SpecialAllpages.php
index a36cdca7..19816dcd 100644
--- a/includes/specials/SpecialAllpages.php
+++ b/includes/specials/SpecialAllpages.php
@@ -40,6 +40,7 @@ class SpecialAllpages extends IncludableSpecialPage {
 
 		$this->setHeaders();
 		$this->outputHeader();
+		$wgOut->allowClickjacking();
 
 		# GET values
 		$from = $wgRequest->getVal( 'from', null );
diff --git a/includes/specials/SpecialCategories.php b/includes/specials/SpecialCategories.php
index a649eafd..eb49fdbc 100644
--- a/includes/specials/SpecialCategories.php
+++ b/includes/specials/SpecialCategories.php
@@ -12,6 +12,7 @@ function wfSpecialCategories( $par=null ) {
 	} else {
 		$from = $par;
 	}
+	$wgOut->allowClickjacking();
 	$cap = new CategoryPager( $from );
 	$cap->doQuery();
 	$wgOut->addHTML(
diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 392f4332..b5d6107a 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -107,6 +107,7 @@ class SpecialContributions extends SpecialPage {
 					'<p>' . $pager->getNavigationBar() . '</p>'
 				);
 			}
+			$wgOut->preventClickjacking( $pager->getPreventClickjacking() );
 
 
 			# Show the appropriate "footer" message - WHOIS tools, etc.
@@ -428,6 +429,7 @@ class ContribsPager extends ReverseChronologicalPager {
 	public $mDefaultDirection = true;
 	var $messages, $target;
 	var $namespace = '', $mDb;
+	var $preventClickjacking = false;
 
 	function __construct( $target, $namespace = false, $year = false, $month = false, $tagFilter = false ) {
 		parent::__construct();
@@ -565,6 +567,7 @@ class ContribsPager extends ReverseChronologicalPager {
 			if( !$row->page_is_new && $page->quickUserCan( 'rollback' )
 				&& $page->quickUserCan( 'edit' ) )
 			{
+				$this->preventClickjacking();
 				$topmarktext .= ' '.$sk->generateRollback( $rev );
 			}
 		}
@@ -671,4 +674,11 @@ class ContribsPager extends ReverseChronologicalPager {
 		return $this->mDb;
 	}
 
+	protected function preventClickjacking() {
+		$this->preventClickjacking = true;
+	}
+
+	public function getPreventClickjacking() {
+		return $this->preventClickjacking;
+	}
 }
diff --git a/includes/specials/SpecialLinkSearch.php b/includes/specials/SpecialLinkSearch.php
index 5913f4b4..70b2257a 100644
--- a/includes/specials/SpecialLinkSearch.php
+++ b/includes/specials/SpecialLinkSearch.php
@@ -44,8 +44,10 @@ function wfSpecialLinkSearch( $par ) {
 		$protocol = '';
 	}
 
-	$self = Title::makeTitle( NS_SPECIAL, 'Linksearch' );
+	$wgOut->allowClickjacking();
 
+	$self = Title::makeTitle( NS_SPECIAL, 'Linksearch' );
+	
 	$wgOut->addWikiMsg( 'linksearch-text', '<nowiki>' . $wgLang->commaList( $wgUrlProtocols ) . '</nowiki>' );
 	$s =	Xml::openElement( 'form', array( 'id' => 'mw-linksearch-form', 'method' => 'get', 'action' => $GLOBALS['wgScript'] ) ) .
 		Xml::hidden( 'title', $self->getPrefixedDbKey() ) .
diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index da054e02..40b28236 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -364,6 +364,7 @@ class SpecialSearch {
 		$wgOut->setRobotPolicy( 'noindex,nofollow' );
 		// add javascript specific to special:search
 		$wgOut->addScriptFile( 'search.js' );
+		$wgOut->allowClickjacking();
 	}
 
 	/**
diff --git a/includes/specials/SpecialSpecialpages.php b/includes/specials/SpecialSpecialpages.php
index 84ab689a..8e97f9b7 100644
--- a/includes/specials/SpecialSpecialpages.php
+++ b/includes/specials/SpecialSpecialpages.php
@@ -13,6 +13,7 @@ function wfSpecialSpecialpages() {
 	$wgMessageCache->loadAllMessages();
 
 	$wgOut->setRobotPolicy( 'noindex,nofollow' );  # Is this really needed?
+	$wgOut->allowClickjacking();
 	$sk = $wgUser->getSkin();
 
 	$pages = SpecialPage::getUsablePages();
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 9569945d..68ee8efc 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -23,30 +23,30 @@ class SpecialUpload extends SpecialPage {
 	}
 
 	/** Misc variables **/
-	protected $mRequest;			// The WebRequest or FauxRequest this form is supposed to handle
-	protected $mSourceType;
-	protected $mUpload;
-	protected $mLocalFile;
-	protected $mUploadClicked;
+	public $mRequest;			// The WebRequest or FauxRequest this form is supposed to handle
+	public $mSourceType;
+	public $mUpload;
+	public $mLocalFile;
+	public $mUploadClicked;
 
 	/** User input variables from the "description" section **/
-	public    $mDesiredDestName;	// The requested target file name
-	protected $mComment;
-	protected $mLicense;
-	
+	public $mDesiredDestName;	// The requested target file name
+	public $mComment;
+	public $mLicense;
+
 	/** User input variables from the root section **/
-	protected $mIgnoreWarning;
-	protected $mWatchThis;
-	protected $mCopyrightStatus;
-	protected $mCopyrightSource;
+	public $mIgnoreWarning;
+	public $mWatchThis;
+	public $mCopyrightStatus;
+	public $mCopyrightSource;
 
 	/** Hidden variables **/
-	protected $mDestWarningAck;
-	protected $mForReUpload;		// The user followed an "overwrite this file" link
-	protected $mCancelUpload;		// The user clicked "Cancel and return to upload form" button
-	protected $mTokenOk;
-	protected $mUploadSuccessful = false;	// Subclasses can use this to determine whether a file was uploaded
-	
+	public $mDestWarningAck;
+	public $mForReUpload;		// The user followed an "overwrite this file" link
+	public $mCancelUpload;		// The user clicked "Cancel and return to upload form" button
+	public $mTokenOk;
+	public $mUploadSuccessful = false;	// Subclasses can use this to determine whether a file was uploaded
+
 	/** Text injection points for hooks not using HTMLForm **/
 	public $uploadFormTextTop;
 	public $uploadFormTextAfterSummary;
diff --git a/includes/specials/SpecialVersion.php b/includes/specials/SpecialVersion.php
index 7da6023e..ebc50bab 100644
--- a/includes/specials/SpecialVersion.php
+++ b/includes/specials/SpecialVersion.php
@@ -32,6 +32,7 @@ class SpecialVersion extends SpecialPage {
 
 		$this->setHeaders();
 		$this->outputHeader();
+		$wgOut->allowClickjacking();
 
 		$wgOut->addHTML( Xml::openElement( 'div',
 			array( 'dir' => $wgContLang->getDir() ) ) );
-- 
cgit v1.2.2