author | Brion Vibber <brion@users.mediawiki.org> | 2008-03-03 05:51:10 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2008-03-03 05:51:10 +0000 |
commit | 961e6ab71ef87fcd3d1fab53f0b1b38109b1f1b1 (patch) | |
tree | 0c03974775d1c132c6513a545625395cb6ce3883 | |
parent | e530d80f0eb4424e55f31744c26ad6c891b2b383 (diff) |
Bump to 1.11.2; merge API safety fix from trunk (1.11.2, origin/REL1_11)
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/31485
-rw-r--r-- | RELEASE-NOTES | 18 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/api/ApiFormatJson.php | 2 | ||||
-rw-r--r-- | includes/api/ApiMain.php | 8 | ||||
-rw-r--r-- | includes/api/ApiQueryBase.php | 4 |
5 files changed, 32 insertions, 2 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 5115778ea229..4876d79b04a7 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,24 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
+== MediaWiki 1.11.2 ==
+
+March 2, 2008
+
+This is a security release of the Fall 2007 snapshot release of MediaWiki.
+Possible cross-site information leaks using the callback parameter for
+JSON-formatted results in the API are prevented by dropping user credentials.
+
+MediaWiki release versions prior to 1.11 are not vulnerable, as they do
+not include the callback feature which allows client-side JavaScript on
+other sites to reach API data.
+
+Changes in this release:
+
+* User credentials are dropped for API JSON requests using a callback
+* Edit tokens are not reported for API JSON requests using a callback
+
+
 == MediaWiki 1.11.1 ==
 
 January 23, 2008
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 5afb969d56eb..ad682b72fc57 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion = '1.11.1';
+$wgVersion = '1.11.2';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index 23fbb1e122fc..ec536b907ff3 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -74,7 +74,7 @@ class ApiFormatJson extends ApiFormatBase {
 
 	protected function getParamDescription() {
 		return array (
-			'callback' => 'If specified, wraps the output into a given function call',
+			'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
 		);
 	}
 
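Review bot: The new text on the `'callback'` line tells API consumers only that user-specific data "will be restricted", which does not say what actually happens to their request; a client reading the help output needs to know that a callback request is processed as if nobody were logged in and that no tokens come back. Suggest `'callback' => 'If specified, wraps the output into a given function call. For safety, the request is processed as if the user were not logged in, and no tokens are returned.'`. Keep this wording in step with the credential-stripping code, which lives in ApiMain rather than in this formatter, so the two do not diverge on later changes.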
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 87e77666f205..291ea1b84c4f 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -98,6 +98,14 @@ class ApiMain extends ApiBase {
 		// If the current user cannot read,
 		// Remove all modules other than login
 		global $wgUser;
+
+		if( $request->getVal( 'callback' ) !== null ) {
+			// JSON callback allows cross-site reads.
+			// For safety, strip user credentials.
+			wfDebug( "API: stripping user credentials for JSON callback\n" );
+			$wgUser = new User();
+		}
+
 		if (!$wgUser->isAllowed('read')) {
 			self::$Modules = array(
 				'login' => self::$Modules['login'],
diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php
index 69492dbe979d..447599a835d1 100644
--- a/includes/api/ApiQueryBase.php
+++ b/includes/api/ApiQueryBase.php
@@ -215,6 +215,10 @@ abstract class ApiQueryBase extends ApiBase {
 	}
 
 	public function getTokenFlag($tokenArr, $action) {
+		if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+			// Don't do any session-specific data.
+			return false;
+		}
 		if (in_array($action, $tokenArr)) {
 			global $wgUser;
 			if ($wgUser->isAllowed($action))
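Review bot: The added guard decides "this is a cross-site-readable request" from the bare presence of the `callback` parameter, independent of `format`, and then swaps the global `$wgUser` for a fresh object; that is fail-safe (a `format=xml&callback=x` request also runs anonymously, and an empty `callback=` still counts because `getVal` returns `''`, not null), but the decision is not recorded anywhere, so other code has to re-derive it from the raw request. Suggest keeping it on the instance and exposing it, e.g. `$this->mIsJsonCallback = ( $request->getVal( 'callback' ) !== null );` ahead of the `if`, plus `public function isJsonCallback() { return $this->mIsJsonCallback; }`, so the token and credential checks share a single predicate. Two things worth confirming beyond this hunk: that `new User()` in this codebase yields an anonymous user carrying only the default (`*`) rights, and that nothing initialised from the logged-in user before this constructor ran (for instance a user-language-dependent global set up during request setup) still feeds user-specific output into a callback response. The enclosing method starts and ends outside the hunk.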
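Review bot: The new early return re-implements the same "is this a callback request" predicate as the credential-stripping code in ApiMain by reading the raw `callback` value through `getMain()->getRequest()`, so the two sites can silently drift if one is later tightened (say, to cover further cross-site-readable formats). Prefer one method on ApiMain that both call, `if ( $this->getMain()->isJsonCallback() ) return false;`, and reword the comment, which currently reads oddly, to state the reason: `// Callback output is readable cross-site; never report tokens for it.`. The guard is still worth keeping as belt-and-braces even though ApiMain already replaces `$wgUser`, because it does not depend on what that replacement object can do. `getTokenFlag` continues past the end of the hunk.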