author | Brion Vibber <brion@users.mediawiki.org> | 2005-06-03 14:52:04 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2005-06-03 14:52:04 +0000 |
commit | bf8a4af90edd5aa2188048bd97f35ec7b1146200 (patch) | |
tree | 9bd0054e5e7733d04e1fb24af4ce45cf3c0e6508 | |
parent | 3331907fed0b80c4c35dfdfde6ab6e61a30453a0 (diff) |
Bump to 1.3.131.3.13
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/9320
-rw-r--r-- | RELEASE-NOTES | 21 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/Parser.php | 16 |
3 files changed, 38 insertions, 1 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index b18e336e817c..7c2a8a7a1937 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,27 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== Version 1.3.13, 2005-06-03 == + +MediaWiki 1.3.13 is a security maintenance release. + +Incorrect handling of page template inclusions made it possible to +inject JavaScript code into HTML attributes, which could lead to +cross-site scripting attacks on a publicly editable wiki. + +Vulnerable releases and fix: +* 1.5 prerelease: fixed in 1.5alpha2 +* 1.4 stable series: fixed in 1.4.5 +* 1.3 legacy series: fixed in 1.3.13 +* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended + +The 1.3.x series is no longer maintained except for security fixes; +new users and those seeking general bug fixes should install 1.4.5. +Existing 1.3.x installations not willing or able to upgrade to the +current stable relase should update the installation to 1.3.13; only +includes/Parser.php has changed from 1.3.12. + + == Version 1.3.12, 2005-02-20 == MediaWiki 1.3.12 is a security maintenance release. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index f8ca20f702e2..d1ac2e9a9946 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -9,7 +9,7 @@ if( defined( "MEDIAWIKI" ) ) { # like $wgScriptPath, you must also localize everything that # depends on it. -$wgVersion = '1.3.12'; +$wgVersion = '1.3.13'; $wgSitename = 'MediaWiki'; # Please customize! $wgMetaNamespace = FALSE; # will be same as you set $wgSitename diff --git a/includes/Parser.php b/includes/Parser.php index 6eecd4f61b09..69b681c3e7af 100644 --- a/includes/Parser.php +++ b/includes/Parser.php 
@@ -43,6 +43,8 @@ define( "OT_MSG", 3 ); # may want to use in wikisyntax define( "STRIP_COMMENTS", "HTMLCommentStrip" ); +define( 'URL_PROTOCOLS', 'http|https|ftp|irc|gopher|news|mailto' ); + # prefix for escaping, used in two functions at least define( "UNIQ_PREFIX", "NaodW29"); @@ -627,6 +629,20 @@ cl_sortkey" ; { $t=''; } + + # Templates and links may be expanded in later parsing, + # creating invalid or dangerous output. Suppress this. + $t = strtr( $t, array( + '{' => '{', + '[' => '[', + "''" => '''', + 'ISBN' => 'ISBN', + 'RFC' => 'RFC', + 'PMID' => 'PMID', + ) ); + $t = preg_replace( + '/(' . URL_PROTOCOLS . '):/', + '\\1:', $t ); return trim ( $t ) ; } |
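Review bot: The protocol escape added at the end of the second hunk is a case-sensitive match, so an attribute value containing `HTTP:` or `Http:` is left unescaped; unless the later link-recognition pass is itself case-sensitive (not visible from this hunk), the pattern should carry the `i` modifier, `'/(' . URL_PROTOCOLS . '):/i'`. The same list is hard-coded into the new `URL_PROTOCOLS` constant in the first hunk rather than shared with whatever pattern the parser uses to recognise external links, so the two can drift apart when a protocol is added to one and not the other; a comment on the define such as `# Must stay in sync with the protocol list used when external links are parsed` would at least make the coupling visible. As rendered here the `strtr` replacement strings look identical to their keys (`'{' => '{'`), presumably entity references the page has decoded, so the actual encoding applied should be checked against the raw source. The enclosing function starts outside the hunk.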