author | Brion Vibber <brion@users.mediawiki.org> | 2007-09-10 21:36:51 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2007-09-10 21:36:51 +0000 |
commit | 7a703849af737152245ce04a592a66b42a59adbd (patch) | |
tree | a7b01cf8e6778410ded2584fe487fa0c4140e621 | |
parent | 0b6073149bd82f0fac67d5d599ef3bd773322a54 (diff) |
Bump to 1.11.01.11.0
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/25746
-rw-r--r-- | RELEASE-NOTES | 36 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/api/ApiFormatBase.php | 7 |
3 files changed, 40 insertions, 5 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 84715a13f3a7..94fec25193e0 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,9 +3,11 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. -== MediaWiki 1.11.0rc1 == +== MediaWiki 1.11.0 == -This is a release candidate of the Fall 2007 snapshot release of MediaWiki. +September 10, 2007 + +This is the Fall 2007 snapshot release of MediaWiki. MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept @@ -18,6 +20,36 @@ will be made on the development trunk and appear in the next quarterly release. Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN +== Changes since 1.11.0rc1 == + +A possible HTML/XSS injection vector in the API pretty-printing mode has +been found and fixed. + +The vulnerability may be worked around in an unfixed version by simply +disabling the API interface if it is not in use, by adding this to +LocalSettings.php: + + $wgEnableAPI = false; + +(This is the default setting in 1.8.x.) + +Not vulnerable versions: +* 1.11 >= 1.11.0 +* 1.10 >= 1.10.2 +* 1.9 >= 1.9.4 +* 1.8 >= 1.8.5 + +Vulnerable versions: +* 1.11 <= 1.11.0rc1 +* 1.10 <= 1.10.1 +* 1.9 <= 1.9.3 +* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on) + +MediaWiki 1.7 and below are not affected as they do not include +the faulty function, however the BotQuery extension is similarly +vulnerable unless updated to the latest SVN version. + + == Configuration changes since 1.10 == * $wgThumbUpright - Adjust width of upright images when parameter 'upright' is diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index a226881e5df0..1ed8779affa6 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php 
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion = '1.11.0rc1';
+$wgVersion = '1.11.0';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 209abd23d411..b69ebafe0972 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -158,8 +158,11 @@ See <a href='http://www.mediawiki.org/wiki/API'>complete documentation</a>, or
 * This method also replaces any '<' with <
 */
 protected function formatHTML($text) {
- // encode all tags as safe blue strings
- $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text);
+ // Escape everything first for full coverage
+ $text = htmlspecialchars($text);
+
+ // encode all comments or tags as safe blue strings
+ $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text);
 // identify URLs
 $protos = "http|https|ftp|gopher";
 $text = ereg_replace("($protos)://[^ \\'\"()<\n]+", '<a href="\\0">\\0</a>', $text);
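Review bot: The pattern on the new `preg_replace` line, as printed here, looks for a literal `<`, which cannot occur in `$text` once `htmlspecialchars()` has run on the line above, so either the highlighting is now dead code or this page has decoded `&lt;`/`&gt;` entities in the listing — the docblock context line `replaces any '<' with <` reads as decoded too, so the latter seems likely, but the raw file should be checked to confirm the pattern targets the escaped forms. Because escaping now runs first, the `\1` capture re-emitted inside the `<span>` is already entity-encoded, and that ordering is the whole property the fix depends on; it deserves a comment so a later edit does not reorder the two steps, e.g. `// $text is already fully escaped, so the captured tag body is safe to re-emit inside the span`. The pattern carries no `s` modifier, so a tag or comment broken across a line break is not highlighted, which is harmless but worth noting next to the regex. The new line uses `preg_replace` while the URL line below still uses `ereg_replace`, so the function now mixes two regex APIs with different escaping rules. formatHTML's body continues past the end of the hunk.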