authorBrion Vibber <brion@users.mediawiki.org>2007-02-21 02:11:57 +0000
committerBrion Vibber <brion@users.mediawiki.org>2007-02-21 02:11:57 +0000
commit090212a3cae792afc9f33f4c19d7eaf7bff3e886 (patch)
tree1121dbd9e0573282cddf32022d7a54de71ab009d
parentde595adb0c0f2d798f501a501362eedd9be79cbe (diff)
== MediaWiki 1.6.10 ==1.6.10
February 20, 2007 This is a security and bug-fix update to the Spring 2006 quarterly release. An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 charset autodetection was located in the AJAX support module, affecting MSIE users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled. If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix: * 1.9: fixed in 1.9.3 * 1.8: fixed in 1.8.4 * 1.7: fixed in 1.7.3 * 1.6: fixed in 1.6.10 There is no known danger in the default configuration, with $wgUseAjax off. * (bug 8819) Fix full path disclosure with skins dependencies * Add 'charset' to Content-Type headers on various HTTP error responses to forestall additional UTF-7-autodetect XSS issues. PHP sends only 'text/html' by default when the script didn't specify more details, which some inconsiderate browsers consider a license to autodetect the deadly, hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message on MSIE when $wgUseAjax is enabled (not default configuration); this UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA from BugSec: http://www.bugsec.com/articles.php?Security=24 * Trackback responses now specify XML content type
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/20012
-rw-r--r--RELEASE-NOTES37
-rw-r--r--img_auth.php1
-rw-r--r--includes/AjaxDispatcher.php1
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/EditPage.php2
-rw-r--r--includes/GlobalFunctions.php2
-rw-r--r--includes/Metadata.php2
-rw-r--r--includes/OutputPage.php1
-rw-r--r--includes/StreamFile.php1
-rw-r--r--thumb.php1
-rw-r--r--trackback.php2
11 files changed, 43 insertions, 9 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 18708bfa969f..d9b70850c01c 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,14 +3,41 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
-= Mediawiki 1.6.10 ==
+== MediaWiki 1.6.10 ==
-?? ?, ????
+February 20, 2007
+
+This is a security and bug-fix update to the Spring 2006 quarterly release.
+
+An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
+charset autodetection was located in the AJAX support module, affecting MSIE
+users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
+enabled.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.3
+* 1.8: fixed in 1.8.4
+* 1.7: fixed in 1.7.3
+* 1.6: fixed in 1.6.10
+
+There is no known danger in the default configuration, with $wgUseAjax off.
* (bug 8819) Fix full path disclosure with skins dependencies
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. PHP sends only
+ 'text/html' by default when the script didn't specify more details,
+ which some inconsiderate browsers consider a license to autodetect
+ the deadly, hard-to-escape UTF-7.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
-== Mediawiki 1.6.9 ==
+== MediaWiki 1.6.9 ==
January 9, 2007
@@ -34,7 +61,7 @@ either disable it or upgrade to a version containing the fix:
* 1.6: fixed in 1.6.9
-== Mediawiki 1.6.8 ==
+== MediaWiki 1.6.8 ==
July 8, 2006
@@ -54,7 +81,7 @@ if it's not being used.
* Fixed potential XSS in profileinfo.php
-== Mediawiki 1.6.7 ==
+== MediaWiki 1.6.7 ==
June 6, 2006
diff --git a/img_auth.php b/img_auth.php
index fb58ba282335..a443d20b1e5e 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -50,6 +50,7 @@ wfStreamFile( $filename );
function wfForbidden() {
header( 'HTTP/1.0 403 Forbidden' );
+ header( 'Content-Type: text/html; charset=utf-8' );
print
"<html><body>
<h1>Access denied</h1>
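Review bot: The added `header()` call in wfForbidden() has no comment saying that the explicit charset is a security control, so a later cleanup could drop it as redundant. A one-line comment would be enough, for example `# Explicit charset: keeps MSIE from autodetecting UTF-7 in the error body`. The same applies to the header lines added in includes/StreamFile.php, thumb.php, includes/GlobalFunctions.php and includes/AjaxDispatcher.php. wfForbidden()'s body continues past the end of the hunk.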
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index c8c494c1f674..594bc9098270 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -67,6 +67,7 @@ class AjaxDispatcher {
wfProfileIn( 'AjaxDispatcher::performAction' );
if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
+ header( 'Content-Type: text/html; charset=utf-8', true );
echo "-:" . htmlspecialchars( (string)$this->func_name ) . " not callable";
} else {
echo "+:";
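Review bot: Only the "not callable" branch gets the explicit charset; the `else` branch that starts with `echo "+:";` has no matching `header()` call in the visible lines. If nothing later in performAction sets a Content-Type, the output of an exported function would still go out under PHP's bare `text/html` default. htmlspecialchars() does not neutralise UTF-7 sequences, so the header is what closes that gap. Moving `header( 'Content-Type: text/html; charset=utf-8', true );` above the `if` would cover both paths. The `else` body continues outside the hunk, so this needs checking against the rest of the method.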
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index aa374e41d47d..b11feabc518a 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.6.9';
+$wgVersion = '1.6.10';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/EditPage.php b/includes/EditPage.php
index b39c825d69a5..534790b1861e 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1568,7 +1568,7 @@ END
function livePreview() {
global $wgOut;
$wgOut->disable();
- header( 'Content-type: text/xml' );
+ header( 'Content-type: text/xml; charset=utf-8' );
header( 'Cache-control: no-cache' );
# FIXME
echo $this->getPreviewText( );
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index b4e75dabcd54..563ea6e47f76 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -1034,7 +1034,7 @@ function wfHttpError( $code, $label, $desc ) {
header( "Status: $code $label" );
$wgOut->sendCacheControl();
- header( 'Content-type: text/html' );
+ header( 'Content-type: text/html; charset=utf-8' );
print "<html><head><title>" .
htmlspecialchars( $label ) .
"</title></head><body><h1>" .
diff --git a/includes/Metadata.php b/includes/Metadata.php
index d78ef66b2355..9df4dc74b5f7 100644
--- a/includes/Metadata.php
+++ b/includes/Metadata.php
@@ -80,7 +80,7 @@ function rdfSetup() {
return false;
} else {
$wgOut->disable();
- header( "Content-type: {$rdftype}" );
+ header( "Content-type: {$rdftype}; charset=utf-8" );
$wgOut->sendCacheControl();
return true;
}
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 7d8c0e0cf1e8..2e41b62d0421 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -500,6 +500,7 @@ class OutputPage {
$this->sendCacheControl();
+ header("Content-Type: text/html; charset=utf-8");
if( $wgDebugRedirects ) {
$url = htmlspecialchars( $this->mRedirect );
print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n";
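Review bot: The new call is written `header("Content-Type: ...")` with double quotes and no padding inside the parentheses. The neighbouring line `htmlspecialchars( $this->mRedirect )` and most other header() calls in this commit use padded parentheses and single quotes. For consistency it could read `header( 'Content-Type: text/html; charset=utf-8' );`. The enclosing method starts and ends outside the hunk.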
diff --git a/includes/StreamFile.php b/includes/StreamFile.php
index ce7650a674c0..e4dd5368201e 100644
--- a/includes/StreamFile.php
+++ b/includes/StreamFile.php
@@ -6,6 +6,7 @@ function wfStreamFile( $fname ) {
$stat = @stat( $fname );
if ( !$stat ) {
header( 'HTTP/1.0 404 Not Found' );
+ header( 'Content-Type: text/html; charset=utf-8' );
echo "<html><body>
<h1>File not found</h1>
<p>Although this PHP script ({$_SERVER['SCRIPT_NAME']}) exists, the file requested for output
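Review bot: `{$_SERVER['SCRIPT_NAME']}` is still interpolated into the 404 body without HTML escaping. The new charset header stops encoding autodetection but does not escape that value. Depending on the server setup it may reflect part of the request path, so it would be safer to concatenate `htmlspecialchars( $_SERVER['SCRIPT_NAME'] )` into the message instead. The echo statement continues past the end of the hunk.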
diff --git a/thumb.php b/thumb.php
index 9f5eeba583f9..ad8af52da0d5 100644
--- a/thumb.php
+++ b/thumb.php
@@ -70,6 +70,7 @@ if ( $thumb && $thumb->path ) {
} else {
$badtitle = wfMsg( 'badtitle' );
$badtitletext = wfMsg( 'badtitletext' );
+ header( 'Content-Type: text/html; charset=utf-8' );
echo "<html><head>
<title>$badtitle</title>
<body>
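Review bot: `$badtitle` is placed into `<title>$badtitle</title>` exactly as wfMsg() returns it, with no htmlspecialchars() in the visible lines. Interface messages can be customised on the wiki, so the error page should escape them, e.g. `$badtitle = htmlspecialchars( wfMsg( 'badtitle' ) );`, and likewise for `$badtitletext`, which is presumably printed further down. The visible markup also opens `<body>` without a closing `</head>`. The echo continues outside the hunk.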
diff --git a/trackback.php b/trackback.php
index f00f040304b2..b95e5cf35b45 100644
--- a/trackback.php
+++ b/trackback.php
@@ -27,6 +27,7 @@ require_once('DatabaseFunctions.php');
*
*/
function XMLsuccess() {
+ header("Content-Type: application/xml; charset=utf-8");
echo "
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<response>
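Review bot: The echoed string in XMLsuccess() begins with a line break, so the `<?xml ...?>` declaration is not the first thing in the response body. Now that the response is labelled `application/xml`, a conforming parser will reject a declaration preceded by whitespace. Start the literal on the same line, `echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>`, and do the same in XMLerror() in the next hunk. Both function bodies continue outside their hunks.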
@@ -38,6 +39,7 @@ function XMLsuccess() {
function XMLerror($err = "Invalid request.") {
header("HTTP/1.0 400 Bad Request");
+ header("Content-Type: application/xml; charset=utf-8");
echo "
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<response>