author | Tim Starling <tstarling@users.mediawiki.org> | 2008-12-15 07:20:44 +0000 |
---|---|---|
committer | Tim Starling <tstarling@users.mediawiki.org> | 2008-12-15 07:20:44 +0000 |
commit | b68d777bda9bc51636930de9c2e3d5cd2a094b9f (patch) | |
tree | b5d141a308f01006d09a72f5c2296d2e7f196003 | |
parent | 090212a3cae792afc9f33f4c19d7eaf7bff3e886 (diff) |
* Fixed a couple of missing lines in 1.121.6.11
* Added missing autoloader entry in 1.13
* Prepared the 1.6 branch for release, with a cut-down version of the security fixes
* Rewrote the RELEASE-NOTES entry for all 3 branches
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/44600
-rw-r--r-- | RELEASE-NOTES | 40 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 4 | ||||
-rw-r--r-- | includes/SpecialImport.php | 29 | ||||
-rw-r--r-- | includes/SpecialUpload.php | 12 | ||||
-rw-r--r-- | languages/Messages.php | 2 |
5 files changed, 71 insertions, 16 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d9b70850c01c..052fe9f2af83 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,7 +1,43 @@
 = MediaWiki release notes =
-Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+For upgrade instructions please see the UPGRADE file in this directory.
+
+== MediaWiki 1.6.11 ==
+
+December 15, 2008
+
+This is a security update to the Spring 2006 quarterly release.
+
+David Remahl of Apple's Product Security team has identified a number of
+security issues in previous releases of MediaWiki. Subsequent analysis by the
+MediaWiki development team expanded the scope of these vulnerabilities. The
+issues with a significant impact are as follows:
+
+* An XSS vulnerability affecting Internet Explorer clients for all MediaWiki
+ installations with uploads enabled. [CVE-2008-5250]
+* An XSS vulnerability affecting clients with SVG scripting capability (such as
+ Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled.
+ [CVE-2008-5250]
+* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
+ installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
+
+XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
+authorised user's login session, and to act as that user on the wiki. The
+authorised user must visit a web page controlled by the attacker in order to
+activate the attack. Intranet wikis are vulnerable if the attacker can
+determine the intranet URL, even if the attacker cannot access it.
+
+CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
+but unlike an XSS vulnerability, the attacker can only act as the user in a
+specific and restricted way. The present CSRF vulnerability allows pages to be
+edited, with forged revision histories. Like an XSS vulnerability, the
+authorised user must visit the malicious web page to activate the attack.
+
+Rather than backport our SVG validation code to this ancient branch, we have
+instead disabled SVG uploads. To enable SVG uploads, please upgrade to MediaWiki
+1.13.3 or later.
+
+The other two issues have been fixed.
 == MediaWiki 1.6.10 ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index b11feabc518a..d97fcc8acd51 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
 $wgConf = new SiteConfiguration;
 /** MediaWiki version number */
-$wgVersion = '1.6.10';
+$wgVersion = '1.6.11';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
@@ -1195,7 +1195,7 @@ $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
 /** Files with these extensions will never be allowed as uploads. */
 $wgFileBlacklist = array(
 # HTML may contain cookie-stealing JavaScript and web bugs
- 'html', 'htm', 'js', 'jsb',
+ 'html', 'htm', 'js', 'jsb', 'svg',
 # PHP scripts may execute arbitrary code on the server
 'php', 'phtml', 'php3', 'php4', 'phps',
 # Other types that may be interpreted by some servers
diff --git a/includes/SpecialImport.php b/includes/SpecialImport.php
index d918c4c9212b..b46b0f85a1f6 100644
--- a/includes/SpecialImport.php
+++ b/includes/SpecialImport.php
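Review bot: `'svg'` is appended to the group sitting under the comment `# HTML may contain cookie-stealing JavaScript and web bugs`, which no longer describes the entry; the RELEASE-NOTES hunk states SVG is blocked because this branch has no SVG validation, so give it its own line and comment: `# SVG can carry scripts and this branch has no SVG validation, so it is blocked outright` followed by `'svg',`. As the comment above `$wgFileBlacklist` says, the list matches on file extension, so this only affects installations that added `svg` to `$wgFileExtensions`; the default list shown in the hunk header does not include it. The `$wgVersion` bump in the same file needs no comment.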
@@ -38,20 +38,26 @@ function wfSpecialImport( $page = '' ) {
 ###
 if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit') {
- switch( $wgRequest->getVal( "source" ) ) {
- case "upload":
+ $sourceName = $wgRequest->getVal( "source" );
+ if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'editToken' ) ) ) {
+ $source = new WikiErrorMsg( 'import-token-mismatch' );
+ } elseif ( $sourceName == 'upload' ) {
 if( $wgUser->isAllowed( 'importupload' ) ) {
 $source = ImportStreamSource::newFromUpload( "xmlimport" );
 } else {
 return $wgOut->permissionRequired( 'importupload' );
 }
- break;
- case "interwiki":
- $source = ImportStreamSource::newFromInterwiki(
- $wgRequest->getVal( "interwiki" ),
- $wgRequest->getText( "frompage" ) );
- break;
- default:
+ } elseif ( $sourceName == "interwiki" ) {
+ $interwiki = $wgRequest->getVal( 'interwiki' );
+ if ( !in_array( $interwiki, $wgImportSources ) ) {
+ $source = new WikiErrorMsg( "import-invalid-interwiki" );
+ } else {
+ $frompage = $wgRequest->getText( "frompage" );
+ $source = ImportStreamSource::newFromInterwiki(
+ $interwiki,
+ $frompage );
+ }
+ } else {
 $source = new WikiError( "Unknown import source type" );
 }
@@ -82,7 +88,9 @@ function wfSpecialImport( $page = '' ) {
 <input type='hidden' name='source' value='upload' />
 <input type='hidden' name='MAX_FILE_SIZE' value='2000000' />
 <input type='file' name='xmlimport' value='' size='30' />
- <input type='submit' value='" . wfMsgHtml( "uploadbtn" ) . "'/>
+ <input type='hidden' name='editToken' value=\"" .
+ htmlspecialchars( $wgUser->editToken() ) . "\"/>
+ <input type='submit' value=\"" . wfMsgHtml( "uploadbtn" ) . "\"/>
 </form>
 </fieldset>
 " );
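Review bot: `if ( !in_array( $interwiki, $wgImportSources ) ) {` compares a request-supplied string loosely; pass the strict flag so only an exactly configured prefix passes: `if ( !in_array( $interwiki, $wgImportSources, true ) ) {`. The ordering is right — `matchEditToken()` is evaluated before any import source is constructed — but `$wgImportSources` and `$wgUser` must appear in the function's `global` statement, which lies above the hunk, so confirm `$wgImportSources` is listed there. Minor style: the adjacent branches compare against `'upload'` and `"interwiki"` with mixed quoting, and the same mix appears in the `WikiErrorMsg` keys. wfSpecialImport starts before and continues after this hunk.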
@@ -99,6 +107,7 @@ function wfSpecialImport( $page = '' ) {
 <form method='post' action=\"$action\">
 <input type='hidden' name='action' value='submit' />
 <input type='hidden' name='source' value='interwiki' />
+ <input type='hidden' name='editToken' value=\"" . htmlspecialchars( $wgUser->editToken() ) . "\"/>
 <select name='interwiki'>
 " );
 foreach( $wgImportSources as $interwiki ) {
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index 1c486e605f5f..27741603a7ef 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -847,6 +847,7 @@ class UploadForm {
 }
 $chunk= strtolower( $chunk );
+ $originalChunk = $chunk;
 if (!$chunk) return false;
@@ -855,7 +856,8 @@ class UploadForm {
 elseif (substr($chunk,0,2)=="\xff\xfe") $enc= "UTF-16LE"; else $enc= NULL;
- if ($enc) $chunk= iconv($enc,"ASCII//IGNORE",$chunk);
+ if ($enc) $chunk = iconv($enc,"ASCII//IGNORE",$chunk);
+ $chunk= trim($chunk);
@@ -890,13 +892,19 @@ class UploadForm {
 '<pre',
 '<script', #also in safari
 '<table',
- '<title' #also in safari
+ '<title', #also in safari
+ '<a href',
+ '<plaintext',
+ '<scriptlet',
 );
 foreach( $tags as $tag ) {
 if( false !== strpos( $chunk, $tag ) ) {
 return true;
 }
+ if( false !== strpos( $originalChunk, $tag ) ) {
+ return true;
+ }
 }
 /*
diff --git a/languages/Messages.php b/languages/Messages.php
index 9116ff80faee..1640e04bc40f 100644
--- a/languages/Messages.php
+++ b/languages/Messages.php
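Review bot: `iconv()` returns `false` when the conversion fails, and the new `$chunk= trim($chunk);` line then leaves `$chunk` as an empty string, so for a chunk carrying a UTF-16 BOM that iconv rejects only the `$originalChunk` scan added in the next hunk does any detection. That fallback is acceptable but entirely implicit; add `# iconv() may return false; the pre-iconv copy in $originalChunk is still scanned below` above the `if ($enc)` line. How `$enc` is derived is only partly visible here and the enclosing method starts and ends outside the hunk.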
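Review bot: The second loop body `if( false !== strpos( $originalChunk, $tag ) )` carries no comment, and `$originalChunk` is misnamed: the first hunk of this file captures it after `strtolower()` but before the UTF-16 transcoding and `trim()`, so it is the lowercased pre-iconv copy, not the raw file. A comment on the new `if`, `# also scan the lowercased pre-iconv copy — presumably so a tag present in the raw bytes is still caught when transcoding changed them; confirm`, would record the intent; renaming it to `$preIconvChunk` at both sites is optional. The `$tags` array and the enclosing method begin and end outside the hunk.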
@@ -1452,6 +1452,8 @@ In the latter case you can also use a link, e.g. [[{{ns:Special}}:Export/{{Media
 'importnosources' => 'No transwiki import sources have been defined and direct history uploads are disabled.',
 'importnofile' => 'No import file was uploaded.',
 'importuploaderror' => 'Upload of import file failed; perhaps the file is bigger than the allowed upload size.',
+'import-token-mismatch' => 'Loss of session data. Please try again.',
+'import-invalid-interwiki' => 'Cannot import from the specified wiki.',
 # Keyboard access keys for power users
 'accesskey-search' => 'f', |