Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1915

Timestamp:

04/16/2011 11:58:59 AM (13 months ago)

Author:

Xiping.Wang

Message:

[trunk]Upgrade to mediawiki 1.16.4

Location:

trunk

Files:

: 9 edited

. (modified) (1 prop)
w/RELEASE-NOTES (modified) (2 diffs)
w/api.php (modified) (1 diff)
w/img_auth.php (modified) (1 diff)
w/includes/DefaultSettings.php (modified) (1 diff)
w/includes/RawPage.php (modified) (1 diff)
w/includes/Sanitizer.php (modified) (2 diffs)
w/includes/WebRequest.php (modified) (1 diff)
w/includes/specials/SpecialImport.php (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk

Property svn:externals

-                      old
+                      new
 w/bin http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/bin
 w/cache http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/cache
 w/config http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/config
 w/docs http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/docs
 w/languages http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/languages
 w/maintenance http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/maintenance
 w/math http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/math
 w/serialized http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/serialized
 w/extensions/Interwiki http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/extensions/Interwiki
+w/bin http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/bin
+w/cache http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/cache
+w/config http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/config
+w/docs http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/docs
+w/languages http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/languages
+w/maintenance http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/maintenance
+w/math http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/math
+w/serialized http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/phase3/serialized
+w/extensions/Interwiki http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_4/extensions/Interwiki

trunk/w/RELEASE-NOTES

-                      r1881
+                      r1915
 = MediaWiki release notes =
 == MediaWiki 1.16.2 ==
 -02-01
+== MediaWiki 1.16.4 ==
+-04-14
 This is a security and maintenance release of the MediaWiki 1.16 branch.
 …
 you have the DBA extension for PHP installed, this will improve performance
 further.
+== Changes since 1.16.3 ==
+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
+  clients) was not actually sufficient to fix that bug. This release contains
+  a second attempt, hopefully we have fixed it this time.
+== Changes since 1.16.2 ==
+* (bug 28449) Fixed permissions checks in Special:Import which allowed users
+  without the 'import' permission to import pages from the configured import
+  sources.
+* (bug 28235) Fixed XSS affecting IE 6 and earlier clients only, due to those
+  browsers looking for a file extension in the query string of the URL, and
+  ignoring the Content-Type header if one is found.
+* (bug 28450) Fixed a CSS validation issue involving escaped comments, which
+  led to XSS for Internet Explorer clients and privacy loss for other clients.
 == Changes since 1.16.1 ==

trunk/w/api.php

-                      r1484
+                      r1915
 if ( $wgRequest->isPathInfoBad() ) {
         wfHttpError( 403, 'Forbidden',
+                'Invalid file extension found in PATH_INFO. ' .
+                'The API must be accessed through the primary script entry point.' );
+                'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
         return;
+}

trunk/w/img_auth.php

-                      r1484
+                      r1915
+{
         wfForbidden('img-auth-accessdenied','img-auth-public');
+}
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+        && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+{
+        wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}

trunk/w/includes/DefaultSettings.php

r1881	r1915
34	34
35	35	/** MediaWiki version number */
36		$wgVersion = '1.16.2';
	36	$wgVersion = '1.16.4';
37	37
38	38	/** Name of the site. It must be changed in LocalSettings.php */

trunk/w/includes/RawPage.php

r1484	r1915
126	126	# Just return a 403 Forbidden and get it over with.
127	127	wfHttpError( 403, 'Forbidden',
128		'Invalid file extension found in PATH_INFO. ' .
	128	'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
129	129	'Raw pages must be accessed through the primary script entry point.' );
130	130	return;

trunk/w/includes/Sanitizer.php

-                      r1881
+                      r1915
         /**
          * Pick apart some CSS and check it for forbidden or unsafe structures.
+         * Returns a sanitized string, or false if it was just too evil.
+         * Returns a sanitized string. This sanitized string will have
+         * character references and escape sequences decoded, and comments
+         * stripped. If the input is just too evil, only a comment complaining
+         * about evilness will be returned.
+         *
          * Currently URL references, 'expression', 'tps' are forbidden.
+         *
+         * NOTE: Despite the fact that character references are decoded, the
+         * returned string may contain character references given certain
+         * clever input strings. These character references must
+         * be escaped before the return value is embedded in HTML.
+         *
          * @param $value String
          * @return Mixed
+         * @return String
          */
         static function checkCss( $value ) {
+                // Decode character references like &#123;
                 $value = Sanitizer::decodeCharReferences( $value );
-                // Remove any comments; IE gets token splitting wrong
-                $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
-                // Remove anything after a comment-start token, to guard against
-                // incorrect client implementations.
-                $commentPos = strpos( $value, '/*' );
-                if ( $commentPos !== false ) {
-                        $value = substr( $value, 0, $commentPos );
+                }
                 // Decode escape sequences and line continuation
                 // See the grammar in the CSS 2 spec, appendix D.
+                static $decodeRegex, $reencodeTable;
+                // This has to be done AFTER decoding character references.
+                // This means it isn't possible for this function to return
+                // unsanitized escape sequences. It is possible to manufacture
+                // input that contains character references that decode to
+                // escape sequences that decode to character references, but
+                // it's OK for the return value to contain character references
+                // because the caller is supposed to escape those anyway.
+                static $decodeRegex;
                 if ( !$decodeRegex ) {
                         $space = '[\\x20\\t\\r\\n\\f]';
 …
                 $value = preg_replace_callback( $decodeRegex,
                         array( __CLASS__, 'cssDecodeCallback' ), $value );
+                // Remove any comments; IE gets token splitting wrong
+                // This must be done AFTER decoding character references and
+                // escape sequences, because those steps can introduce comments
+                // This step cannot introduce character references or escape
+                // sequences, because it replaces comments with spaces rather
+                // than removing them completely.
+                $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+                // Remove anything after a comment-start token, to guard against
+                // incorrect client implementations.
+                $commentPos = strpos( $value, '/*' );
+                if ( $commentPos !== false ) {
+                        $value = substr( $value, 0, $commentPos );
+                }
                 // Reject problematic keywords and control characters

trunk/w/includes/WebRequest.php

-                      r1881
+                      r1915
          * the extension is not mangled. So this should be a reasonably portable
          * way to perform this security check.
+         *
+         * Also checks for anything that looks like a file extension at the end of
+         * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+         * if there was no dot before the question mark (bug 28235).
          */
         public function isPathInfoBad() {
                 global $wgScriptExtension;
+                if ( isset( $_SERVER['QUERY_STRING'] )
+                        && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+                {
+                        // Bug 28235
+                        // Block only Internet Explorer, and requests with missing UA
+                        // headers that could be IE users behind a privacy proxy.
+                        if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
+                                || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
+                        {
+                                return true;
+                        }
+                }
                 if ( !isset( $_SERVER['PATH_INFO'] ) ) {

trunk/w/includes/specials/SpecialImport.php

-                      r1484
+                      r1915
          */
         function execute( $par ) {
                 global $wgRequest;
+                global $wgRequest, $wgUser, $wgOut;
                 $this->setHeaders();
 …
+                }
+                if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
+                        return $wgOut->permissionRequired( 'import' );
+                # TODO: allow Title::getUserPermissionsErrors() to take an array
+                # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
+                # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
+                $errors = wfMergeErrorArrays(
+                        $this->getTitle()->getUserPermissionsErrors(
+                                'import', $wgUser, true,
+                                array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+                        ),
+                        $this->getTitle()->getUserPermissionsErrors(
+                                'importupload', $wgUser, true,
+                                array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+                        )
+                );
+                if( $errors ){
+                        $wgOut->showPermissionsErrorPage( $errors );
+                        return;
+                }
                 if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
                         $this->doImport();
 …
+                        }
                 } elseif ( $sourceName == "interwiki" ) {
+                        if( !$wgUser->isAllowed( 'import' ) ){
+                                return $wgOut->permissionRequired( 'import' );
+                        }
                         $this->interwiki = $wgRequest->getVal( 'interwiki' );
                         if ( !in_array( $this->interwiki, $wgImportSources ) ) {
 …
         private function showForm() {
                 global $wgUser, $wgOut, $wgRequest, $wgImportSources, $wgExportMaxLinkDepth;
-                if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
-                        return $wgOut->permissionRequired( 'import' );
                 $action = $this->getTitle()->getLocalUrl( array( 'action' => 'submit' ) );

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 1915

Legend:

Download in other formats: