Bump to 1.9.41.9.4

3 files changed, 32 insertions, 5 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index af97f16cf115..32cdd95c61b0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -5,13 +5,37 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
 == MediaWiki 1.9.4 ==
 
-?? ??, 2007
+September 10, 2007
 
-This is a bug fix update to the Winter 2007 quarterly release.
+This is a security and bug fix update to the Winter 2007 quarterly release.
 Minor compatibility fixes for IIS 5 are included.
 
 * (bug 8847) Strip spurious #fragments from request URI to fix redirect
   loops on some server configurations
+* A possible HTML/XSS injection vector in the API pretty-printing mode
+  has been found and fixed.
+
+The vulnerability may be worked around in an unfixed version by simply
+disabling the API interface if it is not in use, by adding this to
+LocalSettings.php:
+
+  $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.11 >= 1.11.0
+* 1.10 >= 1.10.2
+* 1.9 >= 1.9.4
+* 1.8 >= 1.8.5
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.1
+* 1.9 <= 1.9.3
+* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the faulty function, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
 
 
 == MediaWiki 1.9.3 ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 0692401d2319..58ffcf8e5f24 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion			= '1.9.3';
+$wgVersion			= '1.9.4';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 1ed71a6f914f..ec131ad3b76e 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -143,8 +143,11 @@ for more information.
 	* This method also replaces any '<' with &lt;
 	*/
 	protected function formatHTML($text) {
-		// encode all tags as safe blue strings
-		$text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
+		// Escape everything first for full coverage
+		$text = htmlspecialchars($text);
+		
+		// encode all comments or tags as safe blue strings
+		$text = preg_replace('/\&lt;(!--.*?--|.*?)\&gt;/', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
 		// identify URLs
 		$protos = "http|https|ftp|gopher";
 		$text = ereg_replace("($protos)://[^ '\"()<\n]+", '<a href="\\0">\\0</a>', $text);