author | Brion Vibber <brion@users.mediawiki.org> | 2007-02-21 02:11:11 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2007-02-21 02:11:11 +0000 |
commit | d4c1b28f00128ee38e4c9ca6a85beba08e0e1090 (patch) | |
tree | ae10ebdcc8b9f0ee8f6b1e45811a510d73b02f24 | |
parent | d102e470e79918482f119dcfacb7e3d5430e9022 (diff) |
== MediaWiki 1.7.3 ==1.7.3origin/REL1_7
February 20, 2007
This is a security and bug-fix update to the Summer 2006 quarterly release.
An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.
If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10
There is no known danger in the default configuration, with $wgUseAjax off.
* Add 'charset' to Content-Type headers on various HTTP error responses
to forestall additional UTF-7-autodetect XSS issues. PHP sends only
'text/html' by default when the script didn't specify more details,
which some inconsiderate browsers consider a license to autodetect
the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/20011
-rw-r--r-- | RELEASE-NOTES | 32 | ||||
-rw-r--r-- | img_auth.php | 1 | ||||
-rw-r--r-- | includes/AjaxDispatcher.php | 1 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/EditPage.php | 2 | ||||
-rw-r--r-- | includes/GlobalFunctions.php | 2 | ||||
-rw-r--r-- | includes/Metadata.php | 2 | ||||
-rw-r--r-- | includes/OutputPage.php | 1 | ||||
-rw-r--r-- | includes/StreamFile.php | 1 | ||||
-rw-r--r-- | thumb.php | 1 | ||||
-rw-r--r-- | trackback.php | 2 |
11 files changed, 43 insertions, 4 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 75f2cff93c20..bd1eb27129d7 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,38 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.7.3 ==
+
+February 20, 2007
+
+This is a security and bug-fix update to the Summer 2006 quarterly release.
+
+An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
+charset autodetection was located in the AJAX support module, affecting MSIE
+users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
+enabled.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.3
+* 1.8: fixed in 1.8.4
+* 1.7: fixed in 1.7.3
+* 1.6: fixed in 1.6.10
+
+There is no known danger in the default configuration, with $wgUseAjax off.
+
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. PHP sends only
+ 'text/html' by default when the script didn't specify more details,
+ which some inconsiderate browsers consider a license to autodetect
+ the deadly, hard-to-escape UTF-7.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
+
 == MediaWiki 1.7.2 ==
diff --git a/img_auth.php b/img_auth.php
index fb58ba282335..a443d20b1e5e 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -50,6 +50,7 @@ wfStreamFile( $filename ); function wfForbidden() { header( 'HTTP/1.0 403 Forbidden' );
+ header( 'Content-Type: text/html; charset=utf-8' );
 print "<html><body> <h1>Access denied</h1> 
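Review bot: The charset in img_auth.php's wfForbidden() is added at a single call site, and the same literal header is repeated by hand in AjaxDispatcher.php, GlobalFunctions.php, OutputPage.php, StreamFile.php and thumb.php, so any error path this commit does not touch still falls back to PHP's charset-less default. A process-wide default would close that gap as defence in depth: `ini_set( 'default_charset', 'utf-8' );` in whatever setup code these entry points share makes PHP append the charset whenever a script sends no Content-Type of its own. The explicit headers can stay, and a one-line comment such as `// Explicit charset stops MSIE from autodetecting UTF-7 on this error page` would tell the next maintainer why they must not be removed. wfForbidden()'s body continues past the end of the hunk.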
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 9b6c4bb39ad7..dcfb2b70c546 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -67,6 +67,7 @@ class AjaxDispatcher { wfProfileIn( 'AjaxDispatcher::performAction' ); if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
+ header( 'Content-Type: text/html; charset=utf-8', true );
 echo "-:" . htmlspecialchars( (string)$this->func_name ) . " not callable"; } else { echo "+:";
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 39a6fb5f5411..357f39c1fdc9 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' ); $wgConf = new SiteConfiguration; /** MediaWiki version number */
-$wgVersion = '1.7.2';
+$wgVersion = '1.7.3';
 /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki';
diff --git a/includes/EditPage.php b/includes/EditPage.php
index d43a12026def..f412cc4773d4 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1701,7 +1701,7 @@ END function livePreview() { global $wgOut; $wgOut->disable();
- header( 'Content-type: text/xml' );
+ header( 'Content-type: text/xml; charset=utf-8' );
 header( 'Cache-control: no-cache' ); # FIXME echo $this->getPreviewText( );
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index e2033486cc7e..8ec4f9a1d350 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -1090,7 +1090,7 @@ function wfHttpError( $code, $label, $desc ) { header( "Status: $code $label" ); $wgOut->sendCacheControl();
- header( 'Content-type: text/html' );
+ header( 'Content-type: text/html; charset=utf-8' );
 print "<html><head><title>" . htmlspecialchars( $label ) . "</title></head><body><h1>" .
diff --git a/includes/Metadata.php b/includes/Metadata.php
index af40ab212d3d..b8373576ed84 100644
--- a/includes/Metadata.php
+++ b/includes/Metadata.php 
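Review bot: In AjaxDispatcher.php the explicit charset is set only inside the "not callable" branch, while the `else` branch visible at the end of the hunk starts writing `+:` with no Content-Type set in the lines shown. If nothing outside the hunk sets one, the success response still goes out under the charset-less default and stays exposed to the same autodetection, with the exported function's output in the body. Moving the call above the condition covers both branches: `header( 'Content-Type: text/html; charset=utf-8' );` placed before `if (! in_array( $this->func_name, $wgAjaxExportList ) ) {`. The second argument `true` is already header()'s default and can be dropped. The method starts and ends outside the hunk.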
@@ -80,7 +80,7 @@ function rdfSetup() { return false; } else { $wgOut->disable();
- header( "Content-type: {$rdftype}" );
+ header( "Content-type: {$rdftype}; charset=utf-8" );
 $wgOut->sendCacheControl(); return true; }
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 31a0781a3f3a..269dc52c49c2 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -512,6 +512,7 @@ class OutputPage { $this->sendCacheControl();
+ header("Content-Type: text/html; charset=utf-8");
 if( $wgDebugRedirects ) { $url = htmlspecialchars( $this->mRedirect ); print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n";
diff --git a/includes/StreamFile.php b/includes/StreamFile.php
index 83417185fdc6..17b3d251b778 100644
--- a/includes/StreamFile.php
+++ b/includes/StreamFile.php
@@ -6,6 +6,7 @@ function wfStreamFile( $fname ) { $stat = @stat( $fname ); if ( !$stat ) { header( 'HTTP/1.0 404 Not Found' );
+ header( 'Content-Type: text/html; charset=utf-8' );
 echo "<html><body> <h1>File not found</h1> <p>Although this PHP script ({$_SERVER['SCRIPT_NAME']}) exists, the file requested for output
diff --git a/thumb.php b/thumb.php
index 54ec64cf00e7..d829435e8586 100644
--- a/thumb.php
+++ b/thumb.php
@@ -71,6 +71,7 @@ if ( $thumb && $thumb->path ) { } else { $badtitle = wfMsg( 'badtitle' ); $badtitletext = wfMsg( 'badtitletext' );
+ header( 'Content-Type: text/html; charset=utf-8' );
 echo "<html><head> <title>$badtitle</title> <body>
diff --git a/trackback.php b/trackback.php
index 274a1c82d729..e7bb5b722660 100644
--- a/trackback.php
+++ b/trackback.php
@@ -26,6 +26,7 @@ require_once('DatabaseFunctions.php'); * */ function XMLsuccess() {
+ header("Content-Type: application/xml; charset=utf-8");
 echo " <?xml version=\"1.0\" encoding=\"utf-8\"?> <response> 
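Review bot: In StreamFile.php the 404 page shown in the hunk interpolates `{$_SERVER['SCRIPT_NAME']}` into HTML without escaping, and the added charset header does not change that. SCRIPT_NAME is normally derived by the server, but under some rewrite or path-info setups it may carry request-controlled characters, so it should be escaped the way wfHttpError() escapes `$label`: `$script = htmlspecialchars( $_SERVER['SCRIPT_NAME'] );` before the `echo`, then `({$script})` inside the string. The echo statement runs past the end of the hunk.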
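Review bot: In thumb.php the error page writes `$badtitle` straight into `<title>$badtitle</title>` without escaping; the value comes from `wfMsg( 'badtitle' )` in the context lines just above the added header. If message text can be customised on the wiki (not visible in this hunk), any markup in it is emitted verbatim, so both messages are better passed through htmlspecialchars() before the `echo`, e.g. `$badtitle = htmlspecialchars( wfMsg( 'badtitle' ) );` and the same for `$badtitletext`. The echo continues beyond the hunk.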
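Review bot: In trackback.php both XMLsuccess() and XMLerror() (the following hunk) appear to open the string with `echo "` and place `<?xml version=...?>` on the next line, as far as the collapsed layout shows, so the response body would begin with a newline ahead of the XML declaration. Now that the response is labelled `application/xml`, a strict parser will reject a declaration that is not at the very start of the document. Starting the literal with the declaration fixes it: `echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>` with no line break after the opening quote. Both function bodies continue outside their hunks.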
@@ -37,6 +38,7 @@ function XMLsuccess() { function XMLerror($err = "Invalid request.") { header("HTTP/1.0 400 Bad Request");
+ header("Content-Type: application/xml; charset=utf-8");
 echo " <?xml version=\"1.0\" encoding=\"utf-8\"?> <response> |