author | Tim Starling <tstarling@users.mediawiki.org> | 2010-05-28 07:09:28 +0000 |
---|---|---|
committer | Tim Starling <tstarling@users.mediawiki.org> | 2010-05-28 07:09:28 +0000 |
commit | ba381ac02db88a97b04787050ea79e62e7f2924a (patch) | |
tree | 3d4f7987d14444ca5f86d159dbe55fce153eff43 | |
parent | c28503640c7a4a4a6f3e3a3ae2cf92008f0fb46b (diff) |
MFT r66990 (CSS escape sequence normalisation), and updates for release of 1.16.0beta3.1.16.0beta3
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/66993
-rw-r--r-- | RELEASE-NOTES | 9 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/Sanitizer.php | 43 |
3 files changed, 31 insertions, 23 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 3b08953c0398..8dcc4a206a8b 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -2,6 +2,8 @@ == MediaWiki 1.16 beta 3 == +2010-05-28 + This is a pre-release beta of the MediaWiki 1.16 branch. === Summary of selected changes in 1.16 === @@ -40,9 +42,6 @@ set $wgCacheDirectory to a writable path on the local filesystem. Make sure you have the DBA extension for PHP installed, this will improve performance further. -* (bug 23371) Fixed holes in Special:Userlogin which could lead to abuse of -the system, and disclosure of information from private wikis. - == Changes since 1.16 beta 2 == * Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of @@ -72,6 +71,10 @@ the system, and disclosure of information from private wikis. * Fixed a bug in uploads for non-JavaScript clients. An empty string was used as the default destination filename, instead of the source filename as expected. +* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create + account" and "create by e-mail" features of [[Special:Userlogin]] +* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS + validation issue. === Changes since 1.16 beta 1 === diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 2e48255428b3..63441b937c2f 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) { } /** MediaWiki version number */ -$wgVersion = '1.16.0beta2'; +$wgVersion = '1.16.0beta3'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 45b2cf6c1345..f6a9773d8048 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php 
@@ -644,10 +644,6 @@ class Sanitizer { # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp if( $attribute == 'style' ) { $value = Sanitizer::checkCss( $value ); - if( $value === false ) { - # haxx0r - continue; - } } if ( $attribute === 'id' ) { @@ -744,10 +740,8 @@ class Sanitizer { $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); // Decode escape sequences and line continuation - // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately. - // IE 8 doesn't implement it at all, but there's no way to introduce url() into - // IE that doesn't hit Mozilla also. - static $decodeRegex; + // See the grammar in the CSS 2 spec, appendix D. + static $decodeRegex, $reencodeTable; if ( !$decodeRegex ) { $space = '[\\x20\\t\\r\\n\\f]'; $nl = '(?:\\n|\\r\\n|\\r|\\f)'; 
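Review bot: `static $decodeRegex, $reencodeTable;` introduces `$reencodeTable`, but nothing in this commit's hunks assigns or reads it — the re-encoding added to `cssDecodeCallback` in the following hunk hard-codes its character set — so it looks like a leftover from an earlier draft. Unless a hunk outside this view uses it, keep the declaration as `static $decodeRegex;` so the unused static does not suggest a lookup table that does not exist. The shortened comment `// See the grammar in the CSS 2 spec, appendix D.` is fine. The enclosing checkCss method starts before this hunk and continues into the next one.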
@@ -756,29 +750,40 @@ class Sanitizer { (?: ($nl) | # 1. Line continuation ([0-9A-Fa-f]{1,6})$space? | # 2. character number - (.) # 3. backslash cancelling special meaning + (.) | # 3. backslash cancelling special meaning + () | # 4. backslash at end of string )/xu"; } - $decoded = preg_replace_callback( $decodeRegex, + $value = preg_replace_callback( $decodeRegex, array( __CLASS__, 'cssDecodeCallback' ), $value ); - if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) { - // Not allowed - return false; - } else { - // Allowed, return CSS with comments stripped - return $value; + + // Reject problematic keywords and control characters + if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { + return '/* invalid control char */'; + } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) { + return '/* insecure input */'; } + return $value; } static function cssDecodeCallback( $matches ) { if ( $matches[1] !== '' ) { + // Line continuation return ''; } elseif ( $matches[2] !== '' ) { - return codepointToUtf8( hexdec( $matches[2] ) ); + $char = codepointToUtf8( hexdec( $matches[2] ) ); } elseif ( $matches[3] !== '' ) { - return $matches[3]; + $char = $matches[3]; + } else { + $char = '\\'; + } + if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) { + // These characters need to be escaped in strings + // Clean up the escape sequence to avoid parsing errors by clients + return '\\' . dechex( ord( $char ) ) . ' '; } else { - throw new MWException( __METHOD__.': invalid match' ); + // Decode unnecessary escape + return $char; } } |
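Review bot: `$value = preg_replace_callback( $decodeRegex, ... )` does not check for a PCRE failure: the pattern carries the `u` modifier, so a subject that is not valid UTF-8 makes the call return null, and null then passes both `preg_match` rejections and is returned as the sanitised style — the one path where this function no longer fails closed, while the caller in the first hunk has just stopped testing the return value. Adding `if ( $value === null ) { return '/* invalid control char */'; }` directly after the call (or a dedicated placeholder) keeps every failure path on the same fail-closed footing. In `cssDecodeCallback`, `$char = codepointToUtf8( hexdec( $matches[2] ) )` accepts up to six hex digits, i.e. values above U+10FFFF; whether codepointToUtf8 rejects or clamps those is not visible here and should be confirmed, since the re-encode test that follows only recognises single-byte results. As a point of style, the `$char == "\n" || $char == '"' ...` chain compares strings and should use `===`. checkCss begins before this hunk (the `$decodeRegex` literal opens outside it).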