author | Brion Vibber <brion@users.mediawiki.org> | 2004-09-30 19:49:04 +0000 |
committer | Brion Vibber <brion@users.mediawiki.org> | 2004-09-30 19:49:04 +0000 |
commit | 797e3bc0faf1537cd38638848dca222c798b7820 (patch) | |
tree | 2c0efa002fecda28c0f380ddf8125674665df938 | |
parent | c7d650cd7d1a96d9619701a98fed46c299cddb01 (diff) |
== Version 1.3.5, 2004-09-30 ==1.3.5
Changes from 1.3.4:
* Clean up input validation in 'raw' page output mode which was a potential
cross-site scripting opportunity.
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/5601
-rw-r--r-- | RELEASE-NOTES | 7 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/RawPage.php | 15 |
3 files changed, 13 insertions, 11 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 2b2acae2356c..f0f1e5ff58bc 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,13 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== Version 1.3.5, 2004-09-30 == + +Changes from 1.3.4: +* Clean up input validation in 'raw' page output mode which was a potential + cross-site scripting opportunity. + + == Version 1.3.4, 2004-09-28 == ************************** SECURITY NOTE! ****************************** diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index a72b8747b1aa..a81a63a14a77 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -9,7 +9,7 @@ if( defined( "MEDIAWIKI" ) ) { # like $wgScriptPath, you must also localize everything that # depends on it. -$wgVersion = '1.3.4'; +$wgVersion = '1.3.5'; $wgSitename = 'MediaWiki'; # Please customize! $wgMetaNamespace = FALSE; # will be same as you set $wgSitename diff --git a/includes/RawPage.php b/includes/RawPage.php index 003ab452f782..09b2eb9fc69b 100644 --- a/includes/RawPage.php +++ b/includes/RawPage.php @@ -14,9 +14,8 @@ class RawPage { $this->mTitle =& $article->mTitle; $ctype = $wgRequest->getText( 'ctype' ); - $charset = $wgRequest->getText( 'charset' ); - $smaxage = $wgRequest->getText( 'smaxage' ); - $maxage = $wgRequest->getText( 'maxage' ); + $smaxage = $wgRequest->getInt( 'smaxage', $wgSquidMaxage ); + $maxage = $wgRequest->getInt( 'maxage', $wgSquidMaxage ); $this->mOldId = $wgRequest->getInt( 'oldid' ); # special case for 'generated' raw things: user css/js $gen = $wgRequest->getText( 'gen' ); 
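Review bot: The new `getInt` defaults read `$wgSquidMaxage`, but the constructor's `global` declaration sits above this hunk, so if it was not extended to import `$wgSquidMaxage` the default passed to `getInt` is a null global and the effective value depends on how `getInt` treats a null default rather than on the configured Squid max-age. `getInt` also only coerces the type; a negative or oversized number still flows into whatever cache headers the class later derives from `mSmaxage`/`mMaxage` (outside this hunk). I would bound both at the request boundary: `$smaxage = max( 0, $wgRequest->getInt( 'smaxage', $wgSquidMaxage ) );` and `$maxage = max( 0, $wgRequest->getInt( 'maxage', $wgSquidMaxage ) );`. The constructor begins above this hunk and continues past it.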
@@ -31,9 +30,9 @@ class RawPage {
 } else {
 $this->mGen = false;
 }
-$this->mCharset = !empty($charset) ? $charset : $wgInputEncoding;
-$this->mSmaxage = ($smaxage != '') ? $smaxage : 0;
-$this->mMaxage = ($maxage != '') ? $maxage : 86400;
+$this->mCharset = $wgInputEncoding;
+$this->mSmaxage = $smaxage;
+$this->mMaxage = $maxage;
 if(empty($ctype) or !in_array($ctype, $allowedCTypes)) {
 $this->mContentType = 'text/x-wiki';
 } else {
@@ -67,8 +66,6 @@ class RawPage {
 # special case
 if($ns == NS_MEDIAWIKI) {
 $rawtext = wfMsg($t);
-if($wgInputEncoding != $this->mCharset)
-$rawtext = $wgLang->iconv( $wgInputEncoding, $this->mCharset, $rawtext );
 return $rawtext;
 }
 # else get it from the DB
@@ -85,8 +82,6 @@ class RawPage {
 $res = wfQuery( $sql, DB_READ );
 if( $s = wfFetchObject( $res ) ) {
 $rawtext = Article::getRevisionText( $s, "" );
-if($wgInputEncoding != $this->mCharset)
-$rawtext = $wgLang->iconv( $wgInputEncoding, $this->mCharset, $rawtext );
 header( 'Last-modified: '.gmdate( "D, j M Y H:i:s", wfTimestamp2Unix( $s->timestamp )).' GMT' );
 return $rawtext;
 } else {
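Review bot: `$this->mCharset = $wgInputEncoding;` should carry a comment recording why the charset is no longer taken from the request, otherwise a later maintainer may reinstate the `charset` parameter without knowing what it cost; something like `# Charset is pinned to the wiki's own encoding: a client-chosen charset in the Content-Type header was a cross-site scripting opportunity (see the 1.3.5 release notes).` Removing the two iconv calls in the -67 and -85 hunks also appears to leave `$wgLang` unreferenced in that method, so its `global` import above those hunks may now be dead and worth dropping. The enclosing methods begin outside these hunks.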