author | Brion Vibber <brion@users.mediawiki.org> | 2007-01-09 07:14:59 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2007-01-09 07:14:59 +0000 |
commit | 73c7bd9e24caaac35a3c229588d4faaa66262f9a (patch) | |
tree | ba0374a700d4d999d8f42aa3e59edceb71953f78 | |
parent | a58539d534bbfdbc813083881898ea3799662e9b (diff) |
Merge r19013 and r19015 from trunk: XSS fix with $wgUseAjax enabled (1.9.0rc2)
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/19016
-rw-r--r-- | RELEASE-NOTES | 17 | ||||
-rw-r--r-- | includes/AjaxDispatcher.php | 2 | ||||
-rw-r--r-- | includes/AjaxFunctions.php | 2 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/Title.php | 2 |
5 files changed, 21 insertions, 4 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 1d38d0d974aa..fc6c9948e645 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -18,6 +18,23 @@ will be made on the development trunk and appear in the next quarterly release.
 Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
+== Security fixes ==
+
+An XSS injection vulnerability was located in the AJAX support module,
+affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax
+is enabled.
+
+There is no danger in the default configuration, with $wgUseAjax off.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.0rc2
+* 1.8: fixed in 1.8.3
+* 1.7: fixed in 1.7.2
+* 1.6: fixed in 1.6.9
+
+
 == Compatibility changes ==
 === Zend Optimizer ===
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index d19035e5473d..89062f8770dc 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -55,7 +55,7 @@ class AjaxDispatcher {
 		if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
 			header( 'Status: 400 Bad Request', true, 400 );
-			echo "unknown function {$this->func_name}";
+			print "unknown function " . htmlspecialchars( (string) $this->func_name );
 		} else {
 			try {
 				$result = call_user_func_array($this->func_name, $this->args);
diff --git a/includes/AjaxFunctions.php b/includes/AjaxFunctions.php
index 3e74a19b1c88..eee2a1a4e604 100644
--- a/includes/AjaxFunctions.php
+++ b/includes/AjaxFunctions.php
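Review bot: The new print line escapes func_name for an HTML context, but the hunk sends only the `Status: 400` header and no Content-Type, so whether a browser would render this error body as HTML depends on code outside the hunk; emitting `header( 'Content-Type: text/plain; charset=utf-8' );` before the print would make the error response inert regardless of escaping. Separately, `in_array( $this->func_name, $wgAjaxExportList )` on the first context line uses loose comparison; since func_name appears to come from the request, `in_array( $this->func_name, $wgAjaxExportList, true )` avoids PHP's loose string/number equality when matching against the export list. The method body continues outside the hunk.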
@@ -135,7 +135,7 @@ function wfSajaxSearch( $term ) {
  * @param $watch String 'w' to watch, 'u' to unwatch
  * @return String '<w#>' or '<u#>' on successful watch or unwatch, respectively, or '<err#>' on error (invalid XML in case we want to add HTML sometime)
  */
-function wfAjaxWatch($pageID, $watch) {
+function wfAjaxWatch($pageID = "", $watch = "") {
 	if(wfReadOnly()) return '<err#>';
 	// redirect to action=(un)watch, which will display the database lock message
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 06433462c3d0..3f461fd65ecc 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
 $wgConf = new SiteConfiguration;
 /** MediaWiki version number */
-$wgVersion = '1.9.0rc1';
+$wgVersion = '1.9.0rc2';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/Title.php b/includes/Title.php
index a8abb6fe1cfe..56414c8a84b1 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -190,7 +190,7 @@ class Title {
 	 * @access public
 	 * @static
 	 */
-	function newFromID( $id ) {
+	public static function newFromID( $id ) {
 		$fname = 'Title::newFromID';
 		$dbr =& wfGetDB( DB_SLAVE );
 		$row = $dbr->selectRow( 'page', array( 'page_namespace', 'page_title' ), |
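Review bot: The new defaults `$pageID = ""` and `$watch = ""` keep wfAjaxWatch from raising a missing-argument warning when the dispatcher invokes it with fewer arguments than expected, but they do not validate either value, and what the body does with an empty or non-numeric `$pageID` is outside the hunk. A guard such as `if( $pageID === '' || !is_numeric( $pageID ) ) return '<err#>';` at the top of the function would make that error path explicit instead of relying on downstream behaviour. The `@param` line for $pageID is not in the hunk either, so it may need to say that both arguments are now optional. The function body continues outside the hunk.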
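Review bot: With `public static` now declared natively on newFromID, the `@access public` and `@static` docblock tags on the context lines above it duplicate the signature and will drift; consider dropping them so the modifiers are stated once. `$id` remains untyped and the condition that uses it is outside the hunk, so it is worth confirming that it is cast to an integer before it reaches the selectRow call. newFromID's body continues outside the hunk.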