diff options
author | Brion Vibber <brion@users.mediawiki.org> | 2008-01-24 00:22:14 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2008-01-24 00:22:14 +0000 |
commit | 2f923416b95b2916e3ec7a698716abebc610c613 (patch) | |
tree | e34605993de5f861e0d97b62755dc58500dade23 | |
parent | 3cfe2da4fbb1e7952edfb91e1a7c2b8a7b89b479 (diff) |
Merge 30087 and bump to 1.10.31.10.3
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/30093
-rw-r--r-- | RELEASE-NOTES | 32 | ||||
-rw-r--r-- | api.php | 23 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 |
3 files changed, 56 insertions, 1 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index ac1b7a47ed05..b4b9e6bf3048 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,38 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.10.3 == + +January 23, 2008 + +This is a security update to the Winter 2007 quarterly release. A potential +XSS injection vector affecting api.php only for Microsoft Internet Explorer +users has been closed. + + +To work around the vulnerability without upgrading, you may disable the +API if you don't need it: + + $wgEnableAPI = false; + +Not vulnerable versions: +* 1.12 or later +* 1.11 >= 1.11.1 +* 1.10 >= 1.10.3 +* 1.9 >= 1.9.5 +* 1.8 any version (if $wgEnableAPI has been left off) + +Vulnerable versions: +* 1.11 <= 1.11.0rc1 +* 1.10 <= 1.10.2 +* 1.9 <= 1.9.4 +* 1.8 any version (if $wgEnableAPI has been switched on) + +MediaWiki 1.7 and below are not affected as they do not include +the API functionality, however the BotQuery extension is similarly +vulnerable unless updated to the latest SVN version. + + == MediaWiki 1.10.2 == September 10, 2007 @@ -27,6 +27,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php'); wfProfileIn('api.php'); +// URL safety checks +// +// See RawPage.php for details; summary is that MSIE can override the +// Content-Type if it sees a recognized extension on the URL, such as +// might be appended via PATH_INFO after 'api.php'. +// +// Some data formats can end up containing unfiltered user-provided data +// which will end up triggering HTML detection and execution, hence +// XSS injection and all that entails. +// +// Ensure that all access is through the canonical entry point... +// +if( isset( $_SERVER['SCRIPT_URL'] ) ) { + $url = $_SERVER['SCRIPT_URL']; +} else { + $url = $_SERVER['PHP_SELF']; +} +if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { + wfHttpError( 403, 'Forbidden', + 'API must be accessed through the primary script entry point.' ); + return; +} + // Verify that the API has not been disabled if (!$wgEnableAPI) { echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index d8f9a6213c11..cc4d7bc87637 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -31,7 +31,7 @@ require_once( 'includes/SiteConfiguration.php' ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.10.2'; +$wgVersion = '1.10.3'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; |