Changeset 1918
- Timestamp:
- 05/12/2011 11:45:36 AM (13 months ago)
- Location:
- trunk
- Files:
-
- 7 edited
-
. (modified) (1 prop)
-
w/INSTALL (modified) (1 diff)
-
w/RELEASE-NOTES (modified) (2 diffs)
-
w/img_auth.php (modified) (1 diff)
-
w/includes/DefaultSettings.php (modified) (1 diff)
-
w/includes/User.php (modified) (4 diffs)
-
w/includes/WebRequest.php (modified) (1 diff)
-
trunk
- Property svn:externals
-
old new 1 w/bin http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/bin2 w/cache http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/cache3 w/config http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/config4 w/docs http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/docs5 w/languages http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/languages6 w/maintenance http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/maintenance7 w/math http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/math8 w/serialized http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/phase3/serialized9 w/extensions/Interwiki http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_ 4/extensions/Interwiki1 w/bin http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/bin 2 w/cache http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/cache 3 w/config http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/config 4 w/docs http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/docs 5 w/languages http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/languages 6 w/maintenance http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/maintenance 7 w/math http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/math 8 w/serialized http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/serialized 9 w/extensions/Interwiki http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/extensions/Interwiki
-
- Property svn:externals
-
trunk/w/INSTALL
r1484 r1918 7 7 8 8 Required software: 9 * Web server with PHP 5. x or higher.9 * Web server with PHP 5.1 or higher (this will be the last release to support 5.1.x) 10 10 * A MySQL server, 4.0.14 or higher OR a Postgres server, 8.1 or higher 11 11 -
trunk/w/RELEASE-NOTES
r1915 r1918 1 1 = MediaWiki release notes = 2 2 3 == MediaWiki 1.16. 4==4 5 2011-0 4-146 7 This is a security and maintenancerelease of the MediaWiki 1.16 branch.3 == MediaWiki 1.16.5 == 4 5 2011-05-05 6 7 This is a security release of the MediaWiki 1.16 branch. 8 8 9 9 === Summary of selected changes in 1.16 === … … 44 44 you have the DBA extension for PHP installed, this will improve performance 45 45 further. 46 47 == Changes since 1.16.4 48 49 * (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third 50 attempt at fixing bug 28235. 51 * (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin 52 is enabled. 46 53 47 54 == Changes since 1.16.3 == -
trunk/w/img_auth.php
r1915 r1918 40 40 // Check for bug 28235: QUERY_STRING overriding the correct extension 41 41 if ( isset( $_SERVER['QUERY_STRING'] ) 42 && preg_match( '/\.[ a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )42 && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) 43 43 { 44 44 wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); -
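Review bot: The extension pattern on the new `preg_match` line is repeated verbatim in w/includes/WebRequest.php, and the release notes describe this as the third attempt at bug 28235, so the check should live in one shared helper that both entry points call; otherwise the next correction can land in only one copy. The character class also needs a comment stating what it excludes: inside a single-quoted PHP string `\\/` reaches PCRE as `\/`, an escaped delimiter, so a literal backslash is not part of the excluded set, which may or may not be intended. Something like `// extension = "." then any run of chars other than / : * ? " < > | %` would make that explicit. The `i` modifier has no effect now that the class contains no letters and could be dropped. The surrounding code starts and ends outside the hunk.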
trunk/w/includes/DefaultSettings.php
r1915 r1918 34 34 35 35 /** MediaWiki version number */ 36 $wgVersion = '1.16. 4';36 $wgVersion = '1.16.5'; 37 37 38 38 /** Name of the site. It must be changed in LocalSettings.php */ -
trunk/w/includes/User.php
r1484 r1918 898 898 899 899 $passwordCorrect = FALSE; 900 $this->mId = $sId; 901 if ( !$this->loadFromId() ) { 902 # Not a valid ID, loadFromId has switched the object to anon for us 900 $proposedUser = User::newFromId( $sId ); 901 if ( !$proposedUser->isLoggedIn() ) { 902 # Not a valid ID 903 $this->loadDefaults(); 903 904 return false; 904 905 } 905 906 906 907 global $wgBlockDisablesLogin; 907 if( $wgBlockDisablesLogin && $ this->isBlocked() ) {908 if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) { 908 909 # User blocked and we've disabled blocked user logins 909 910 $this->loadDefaults(); … … 912 913 913 914 if ( isset( $_SESSION['wsToken'] ) ) { 914 $passwordCorrect = $ _SESSION['wsToken'] == $this->mToken;915 $passwordCorrect = $proposedUser->getToken() === $_SESSION['wsToken']; 915 916 $from = 'session'; 916 917 } else if ( isset( $_COOKIE["{$wgCookiePrefix}Token"] ) ) { 917 $passwordCorrect = $ this->mToken== $_COOKIE["{$wgCookiePrefix}Token"];918 $passwordCorrect = $proposedUser->getToken() === $_COOKIE["{$wgCookiePrefix}Token"]; 918 919 $from = 'cookie'; 919 920 } else { … … 923 924 } 924 925 925 if ( ( $sName == $this->mName ) && $passwordCorrect ) { 926 if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) { 927 $this->loadFromUserObject( $proposedUser ); 926 928 $_SESSION['wsToken'] = $this->mToken; 927 929 wfDebug( "Logged in from $from\n" ); … … 932 934 $this->loadDefaults(); 933 935 return false; 936 } 937 } 938 939 /** 940 * Load the data for this user object from another user object. 941 */ 942 protected function loadFromUserObject( $user ) { 943 $user->load(); 944 $user->loadGroups(); 945 $user->loadOptions(); 946 foreach ( self::$mCacheVars as $var ) { 947 $this->$var = $user->$var; 934 948 } 935 949 } -
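Review bot: The token checks in the `wsToken` and `{$wgCookiePrefix}Token` branches compare with `===` but never require the stored token to be non-empty, so if `getToken()` can return an empty string for some account (its body is not visible here), an empty presented value would compare equal. Fetch the token once and guard it, e.g. `$token = $proposedUser->getToken();` followed by `$passwordCorrect = $token && $token === $_SESSION['wsToken'];`, and do the same in the cookie branch. Separately, `loadFromUserObject( $user )` has no `@param` line; `@param $user User object to copy cached fields from` would document that it copies every `self::$mCacheVars` property after forcing `load()`, `loadGroups()` and `loadOptions()`. The session-loading function begins above the first hunk.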
trunk/w/includes/WebRequest.php
r1915 r1918 698 698 699 699 if ( isset( $_SERVER['QUERY_STRING'] ) 700 && preg_match( '/\.[ a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )700 && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) 701 701 { 702 702 // Bug 28235
