diff options
author | Brion Vibber <brion@users.mediawiki.org> | 2007-02-21 02:10:23 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2007-02-21 02:10:23 +0000 |
commit | 95828bd404c3e0519e823ee7cdd047dd8e09d30c (patch) | |
tree | dd2b4620df927923ba2995f19835e1816958768f | |
parent | 4cde80bf5a8e2aec29a515f2872e696a13079b65 (diff) |
== MediaWiki 1.8.4 ==1.8.4
February 20, 2007
This is a security and bug-fix update to the Fall 2006 quarterly release.
An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.
If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10
There is no known danger in the default configuration, with $wgUseAjax off.
* (bug 8819) Fix full path disclosure with skins dependencies
* Add 'charset' to Content-Type headers on various HTTP error responses
to forestall additional UTF-7-autodetect XSS issues. PHP sends only
'text/html' by default when the script didn't specify more details,
which some inconsiderate browsers consider a license to autodetect
the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/20010
-rw-r--r-- | RELEASE-NOTES | 30 | ||||
-rw-r--r-- | img_auth.php | 1 | ||||
-rw-r--r-- | includes/AjaxDispatcher.php | 12 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/EditPage.php | 2 | ||||
-rw-r--r-- | includes/GlobalFunctions.php | 2 | ||||
-rw-r--r-- | includes/Metadata.php | 2 | ||||
-rw-r--r-- | includes/OutputPage.php | 1 | ||||
-rw-r--r-- | includes/StreamFile.php | 1 | ||||
-rw-r--r-- | thumb.php | 1 | ||||
-rw-r--r-- | trackback.php | 2 |
11 files changed, 45 insertions, 11 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index d091809894fa..559a0c7f3040 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -5,9 +5,37 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can. == MediaWiki 1.8.4 == -?? ??, ???? +February 20, 2007 + +This is a security and bug-fix update to the Fall 2006 quarterly release. + +An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 +charset autodetection was located in the AJAX support module, affecting MSIE +users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is +enabled. + +If you are using an extension based on the optional Ajax module, +either disable it or upgrade to a version containing the fix: + +* 1.9: fixed in 1.9.3 +* 1.8: fixed in 1.8.4 +* 1.7: fixed in 1.7.3 +* 1.6: fixed in 1.6.10 + +There is no known danger in the default configuration, with $wgUseAjax off. * (bug 8819) Fix full path disclosure with skins dependencies +* Add 'charset' to Content-Type headers on various HTTP error responses + to forestall additional UTF-7-autodetect XSS issues. PHP sends only + 'text/html' by default when the script didn't specify more details, + which some inconsiderate browsers consider a license to autodetect + the deadly, hard-to-escape UTF-7. + This fixes an issue with the Ajax interface error message on MSIE when + $wgUseAjax is enabled (not default configuration); this UTF-7 variant + on a previously fixed attack vector was discovered by Moshe BA from BugSec: + http://www.bugsec.com/articles.php?Security=24 +* Trackback responses now specify XML content type + == MediaWiki 1.8.3 == diff --git a/img_auth.php b/img_auth.php index cfe005e93697..384bb17cc2d1 100644 --- a/img_auth.php +++ b/img_auth.php @@ -42,6 +42,7 @@ wfLogProfilingData(); function wfForbidden() { header( 'HTTP/1.0 403 Forbidden' ); + header( 'Content-Type: text/html; charset=utf-8' ); print "<html><body> <h1>Access denied</h1> diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php index c274498051c8..51e0fad2626d 100644 --- a/includes/AjaxDispatcher.php +++ b/includes/AjaxDispatcher.php @@ -54,15 +54,15 @@ class AjaxDispatcher { wfProfileIn( 'AjaxDispatcher::performAction' ); if (! in_array( $this->func_name, $wgAjaxExportList ) ) { - header( 'Status: 400 Bad Request', true, 400 ); - print "unknown function " . htmlspecialchars( (string) $this->func_name ); + wfHttpError( 400, 'Bad Request', + "unknown function " . (string) $this->func_name ); } else { try { $result = call_user_func_array($this->func_name, $this->args); if ( $result === false || $result === NULL ) { - header( 'Status: 500 Internal Error', true, 500 ); - echo "{$this->func_name} returned no data"; + wfHttpError( 500, 'Internal Error', + "{$this->func_name} returned no data" ); } else { if ( is_string( $result ) ) { @@ -75,8 +75,8 @@ class AjaxDispatcher { } catch (Exception $e) { if (!headers_sent()) { - header( 'Status: 500 Internal Error', true, 500 ); - print $e->getMessage(); + wfHttpError( 500, 'Internal Error', + $e->getMessage() ); } else { print $e->getMessage(); } diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index ee1ed3a0980f..15dcff732996 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.8.3'; +$wgVersion = '1.8.4'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/EditPage.php b/includes/EditPage.php index a1207d1038f5..815eb9044add 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -1701,7 +1701,7 @@ END function livePreview() { global $wgOut; $wgOut->disable(); - header( 'Content-type: text/xml' ); + header( 'Content-type: text/xml; charset=utf-8' ); header( 'Cache-control: no-cache' ); # FIXME echo $this->getPreviewText( ); diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index 623f9d3b5086..5b998c8f30c8 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -1062,7 +1062,7 @@ function wfHttpError( $code, $label, $desc ) { header( "Status: $code $label" ); $wgOut->sendCacheControl(); - header( 'Content-type: text/html' ); + header( 'Content-type: text/html; charset=utf-8' ); print "<html><head><title>" . htmlspecialchars( $label ) . "</title></head><body><h1>" . diff --git a/includes/Metadata.php b/includes/Metadata.php index af40ab212d3d..b8373576ed84 100644 --- a/includes/Metadata.php +++ b/includes/Metadata.php @@ -80,7 +80,7 @@ function rdfSetup() { return false; } else { $wgOut->disable(); - header( "Content-type: {$rdftype}" ); + header( "Content-type: {$rdftype}; charset=utf-8" ); $wgOut->sendCacheControl(); return true; } diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 0d55c2e09637..670f794ccb2b 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -513,6 +513,7 @@ class OutputPage { $this->sendCacheControl(); + $wgRequest->response()->header("Content-Type: text/html; charset=utf-8"); if( $wgDebugRedirects ) { $url = htmlspecialchars( $this->mRedirect ); print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n"; diff --git a/includes/StreamFile.php b/includes/StreamFile.php index 81538a846eef..515f57c5b86f 100644 --- a/includes/StreamFile.php +++ b/includes/StreamFile.php @@ -6,6 +6,7 @@ function wfStreamFile( $fname ) { $stat = @stat( $fname ); if ( !$stat ) { header( 'HTTP/1.0 404 Not Found' ); + header( 'Content-Type: text/html; charset=utf-8' ); $encFile = htmlspecialchars( $fname ); $encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] ); echo "<html><body> diff --git a/thumb.php b/thumb.php index a056dccdac9a..e2fef8d59cfc 100644 --- a/thumb.php +++ b/thumb.php @@ -73,6 +73,7 @@ if ( $thumb && $thumb->path ) { } else { $badtitle = wfMsg( 'badtitle' ); $badtitletext = wfMsg( 'badtitletext' ); + header( 'Content-Type: text/html; charset=utf-8' ); echo "<html><head> <title>$badtitle</title> <body> diff --git a/trackback.php b/trackback.php index 6d2d826b9b39..6e4ee9828eed 100644 --- a/trackback.php +++ b/trackback.php @@ -12,6 +12,7 @@ require_once('DatabaseFunctions.php'); * */ function XMLsuccess() { + header("Content-Type: application/xml; charset=utf-8"); echo " <?xml version=\"1.0\" encoding=\"utf-8\"?> <response> @@ -23,6 +24,7 @@ function XMLsuccess() { function XMLerror($err = "Invalid request.") { header("HTTP/1.0 400 Bad Request"); + header("Content-Type: application/xml; charset=utf-8"); echo " <?xml version=\"1.0\" encoding=\"utf-8\"?> <response> |