authorTim Starling <tstarling@users.mediawiki.org>2008-12-15 07:20:44 +0000
committerTim Starling <tstarling@users.mediawiki.org>2008-12-15 07:20:44 +0000
commitb68d777bda9bc51636930de9c2e3d5cd2a094b9f (patch)
treeb5d141a308f01006d09a72f5c2296d2e7f196003
parent090212a3cae792afc9f33f4c19d7eaf7bff3e886 (diff)
* Fixed a couple of missing lines in 1.121.6.11
* Added missing autoloader entry in 1.13 * Prepared the 1.6 branch for release, with a cut-down version of the security fixes * Rewrote the RELEASE-NOTES entry for all 3 branches
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/44600
-rw-r--r--RELEASE-NOTES40
-rw-r--r--includes/DefaultSettings.php4
-rw-r--r--includes/SpecialImport.php29
-rw-r--r--includes/SpecialUpload.php12
-rw-r--r--languages/Messages.php2
5 files changed, 71 insertions, 16 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d9b70850c01c..052fe9f2af83 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,7 +1,43 @@
= MediaWiki release notes =
-Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+For upgrade instructions please see the UPGRADE file in this directory.
+
+== MediaWiki 1.6.11 ==
+
+December 15, 2008
+
+This is a security update to the Spring 2006 quarterly release.
+
+David Remahl of Apple's Product Security team has identified a number of
+security issues in previous releases of MediaWiki. Subsequent analysis by the
+MediaWiki development team expanded the scope of these vulnerabilities. The
+issues with a significant impact are as follows:
+
+* An XSS vulnerability affecting Internet Explorer clients for all MediaWiki
+ installations with uploads enabled. [CVE-2008-5250]
+* An XSS vulnerability affecting clients with SVG scripting capability (such as
+ Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled.
+ [CVE-2008-5250]
+* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
+ installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
+
+XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
+authorised user's login session, and to act as that user on the wiki. The
+authorised user must visit a web page controlled by the attacker in order to
+activate the attack. Intranet wikis are vulnerable if the attacker can
+determine the intranet URL, even if the attacker cannot access it.
+
+CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
+but unlike an XSS vulnerability, the attacker can only act as the user in a
+specific and restricted way. The present CSRF vulnerability allows pages to be
+edited, with forged revision histories. Like an XSS vulnerability, the
+authorised user must visit the malicious web page to activate the attack.
+
+Rather than backport our SVG validation code to this ancient branch, we have
+instead disabled SVG uploads. To enable SVG uploads, please upgrade to MediaWiki
+1.13.3 or later.
+
+The other two issues have been fixed.
== MediaWiki 1.6.10 ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index b11feabc518a..d97fcc8acd51 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.6.10';
+$wgVersion = '1.6.11';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
@@ -1195,7 +1195,7 @@ $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
/** Files with these extensions will never be allowed as uploads. */
$wgFileBlacklist = array(
# HTML may contain cookie-stealing JavaScript and web bugs
- 'html', 'htm', 'js', 'jsb',
+ 'html', 'htm', 'js', 'jsb', 'svg',
# PHP scripts may execute arbitrary code on the server
'php', 'phtml', 'php3', 'php4', 'phps',
# Other types that may be interpreted by some servers
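Review bot: The new `'svg'` entry on the `+` line sits under the comment `# HTML may contain cookie-stealing JavaScript and web bugs`, which no longer describes the whole group, and the release notes in this same commit give the real reason (SVG uploads are disabled on this branch instead of backporting the SVG validation). Put that reason next to the value so an administrator who re-enables SVG in LocalSettings.php knows what they are giving up: `# HTML and SVG may contain cookie-stealing JavaScript and web bugs` followed by `# (SVG is blocked on this branch because it has no SVG script filtering)`. Whether the blacklist comparison is case-insensitive is decided elsewhere in the upload code and is not visible in this hunk, so it is worth checking that mixed-case extensions are normalised before this list is consulted.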
diff --git a/includes/SpecialImport.php b/includes/SpecialImport.php
index d918c4c9212b..b46b0f85a1f6 100644
--- a/includes/SpecialImport.php
+++ b/includes/SpecialImport.php
@@ -38,20 +38,26 @@ function wfSpecialImport( $page = '' ) {
###
if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit') {
- switch( $wgRequest->getVal( "source" ) ) {
- case "upload":
+ $sourceName = $wgRequest->getVal( "source" );
+ if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'editToken' ) ) ) {
+ $source = new WikiErrorMsg( 'import-token-mismatch' );
+ } elseif ( $sourceName == 'upload' ) {
if( $wgUser->isAllowed( 'importupload' ) ) {
$source = ImportStreamSource::newFromUpload( "xmlimport" );
} else {
return $wgOut->permissionRequired( 'importupload' );
}
- break;
- case "interwiki":
- $source = ImportStreamSource::newFromInterwiki(
- $wgRequest->getVal( "interwiki" ),
- $wgRequest->getText( "frompage" ) );
- break;
- default:
+ } elseif ( $sourceName == "interwiki" ) {
+ $interwiki = $wgRequest->getVal( 'interwiki' );
+ if ( !in_array( $interwiki, $wgImportSources ) ) {
+ $source = new WikiErrorMsg( "import-invalid-interwiki" );
+ } else {
+ $frompage = $wgRequest->getText( "frompage" );
+ $source = ImportStreamSource::newFromInterwiki(
+ $interwiki,
+ $frompage );
+ }
+ } else {
$source = new WikiError( "Unknown import source type" );
}
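Review bot: The new interwiki whitelist check at `if ( !in_array( $interwiki, $wgImportSources ) )` uses loose comparison; pass the strict flag so only an exact configured prefix is accepted: `if ( !in_array( $interwiki, $wgImportSources, true ) ) {`. The same applies to the `$sourceName == 'upload'` and `== "interwiki"` branches, where `===` avoids PHP's loose string rules at no cost. wfSpecialImport starts before this hunk, so I cannot see whether `$wgImportSources` is declared `global` there; the `foreach( $wgImportSources ... )` in the form-rendering hunk below suggests it is, but it is worth confirming, since a missing import would make this check reject every source. The token check itself is well placed, before any source-specific work and before the permission check, so a forged request fails closed.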
@@ -82,7 +88,9 @@ function wfSpecialImport( $page = '' ) {
<input type='hidden' name='source' value='upload' />
<input type='hidden' name='MAX_FILE_SIZE' value='2000000' />
<input type='file' name='xmlimport' value='' size='30' />
- <input type='submit' value='" . wfMsgHtml( "uploadbtn" ) . "'/>
+ <input type='hidden' name='editToken' value=\"" .
+ htmlspecialchars( $wgUser->editToken() ) . "\"/>
+ <input type='submit' value=\"" . wfMsgHtml( "uploadbtn" ) . "\"/>
</form>
</fieldset>
" );
@@ -99,6 +107,7 @@ function wfSpecialImport( $page = '' ) {
<form method='post' action=\"$action\">
<input type='hidden' name='action' value='submit' />
<input type='hidden' name='source' value='interwiki' />
+ <input type='hidden' name='editToken' value=\"" . htmlspecialchars( $wgUser->editToken() ) . "\"/>
<select name='interwiki'>
" );
foreach( $wgImportSources as $interwiki ) {
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index 1c486e605f5f..27741603a7ef 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -847,6 +847,7 @@ class UploadForm {
}
$chunk= strtolower( $chunk );
+ $originalChunk = $chunk;
if (!$chunk) return false;
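Review bot: `$originalChunk` on the added line is taken after `strtolower()`, so it is a lowercased copy rather than the raw chunk; the name suggests otherwise and nothing says why a second copy is kept. A short comment at the assignment would help the next reader, e.g. `# keep the pre-iconv bytes so the tag scan below also sees content that transcoding would alter or drop`. The enclosing method starts before this hunk, so its name and the origin of `$chunk` are not visible here.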
@@ -855,7 +856,8 @@ class UploadForm {
elseif (substr($chunk,0,2)=="\xff\xfe") $enc= "UTF-16LE";
else $enc= NULL;
- if ($enc) $chunk= iconv($enc,"ASCII//IGNORE",$chunk);
+ if ($enc) $chunk = iconv($enc,"ASCII//IGNORE",$chunk);
+
$chunk= trim($chunk);
@@ -890,13 +892,19 @@ class UploadForm {
'<pre',
'<script', #also in safari
'<table',
- '<title' #also in safari
+ '<title', #also in safari
+ '<a href',
+ '<plaintext',
+ '<scriptlet',
);
foreach( $tags as $tag ) {
if( false !== strpos( $chunk, $tag ) ) {
return true;
}
+ if( false !== strpos( $originalChunk, $tag ) ) {
+ return true;
+ }
}
/*
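Review bot: The second `strpos` test added inside the `foreach` duplicates the early-return body; fold it into one condition so the two scans cannot drift apart: `if( false !== strpos( $chunk, $tag ) || false !== strpos( $originalChunk, $tag ) ) {`. `$originalChunk` is assigned in the first hunk of this file and only differs from `$chunk` when the iconv branch between them rewrote the buffer; when no encoding was detected the two scans are identical, which is fine but worth a one-line comment above the loop. The enclosing method continues past this hunk.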
diff --git a/languages/Messages.php b/languages/Messages.php
index 9116ff80faee..1640e04bc40f 100644
--- a/languages/Messages.php
+++ b/languages/Messages.php
@@ -1452,6 +1452,8 @@ In the latter case you can also use a link, e.g. [[{{ns:Special}}:Export/{{Media
'importnosources' => 'No transwiki import sources have been defined and direct history uploads are disabled.',
'importnofile' => 'No import file was uploaded.',
'importuploaderror' => 'Upload of import file failed; perhaps the file is bigger than the allowed upload size.',
+'import-token-mismatch' => 'Loss of session data. Please try again.',
+'import-invalid-interwiki' => 'Cannot import from the specified wiki.',
# Keyboard access keys for power users
'accesskey-search' => 'f',