authorTim Starling <tstarling@users.mediawiki.org>2011-05-05 05:33:13 +0000
committerTim Starling <tstarling@users.mediawiki.org>2011-05-05 05:33:13 +0000
commitca79ad027d3e9068df3f37cfb143935f96d21016 (patch)
tree985370243255f46b9c3d50b291f1aaba84c347cd
parent1f18d3d48b90f34bd2b6b9d2e35707640ce8c20b (diff)
* Fix for bug 28534: IE 6 content type detection again1.16.5
* Fix for bug 28639: user object instance cache pollution * Updates for release of 1.16.5
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/87484
-rw-r--r--RELEASE-NOTES13
-rw-r--r--images/.htaccess2
-rw-r--r--img_auth.php2
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/User.php28
-rw-r--r--includes/WebRequest.php2
6 files changed, 35 insertions, 14 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 1a863b9fa9b4..ecfb4e2d8759 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,10 +1,10 @@
= MediaWiki release notes =
-== MediaWiki 1.16.4 ==
+== MediaWiki 1.16.5 ==
-2011-04-14
+2011-05-05
-This is a security and maintenance release of the MediaWiki 1.16 branch.
+This is a security release of the MediaWiki 1.16 branch.
=== Summary of selected changes in 1.16 ===
@@ -44,6 +44,13 @@ set $wgCacheDirectory to a writable path on the local filesystem. Make sure
you have the DBA extension for PHP installed, this will improve performance
further.
+== Changes since 1.16.4
+
+* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third
+ attempt at fixing bug 28235.
+* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin
+ is enabled.
+
== Changes since 1.16.3 ==
* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
diff --git a/images/.htaccess b/images/.htaccess
index 2aea33e06270..1cc74f42b08e 100644
--- a/images/.htaccess
+++ b/images/.htaccess
@@ -1,6 +1,6 @@
# Protect against bug 28235
<IfModule rewrite_module>
RewriteEngine On
- RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
+ RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
RewriteRule . - [forbidden]
</IfModule>
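Review bot: This guard fails open, because the rule sits inside `<IfModule rewrite_module>`: on a server where mod_rewrite is not loaded the bug 28235 check is skipped silently, and nothing in the file says so. The header comment should state that dependency, e.g. `# Protect against bug 28235 (only effective when mod_rewrite is loaded; without it this file applies no query-string check)`. It should also note that the character class has to be kept in step with the patterns in img_auth.php and includes/WebRequest.php, since the same rule is now written in three places with different escaping (`\x22` here, `"` in PHP). `[nocase]` is redundant with the new pattern, which no longer contains any letters.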
diff --git a/img_auth.php b/img_auth.php
index 26ba9413c81a..0fe239bae856 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -39,7 +39,7 @@ if ( $wgImgAuthPublicTest
// Check for bug 28235: QUERY_STRING overriding the correct extension
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
}
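Review bot: The character class in the new pattern does not exclude a backslash, unlike the .htaccess rule it appears to mirror. Inside a single-quoted PHP string `\\/` collapses to `\/`, which PCRE reads as an escaped `/`. The PHP check therefore matches a superset of what the Apache rule matches, so it errs towards rejecting and this is an inconsistency rather than a gap. If the backslash is meant to be excluded, the literal would need to be `'/\.[^\\\\\/:*?"<>|%]+(#|\?|$)/i'`. The identical literal is added in the includes/WebRequest.php hunk, and in both places the `i` modifier no longer has any effect because the pattern contains no letters.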
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index e4864edb3ea4..54a96d442873 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
}
/** MediaWiki version number */
-$wgVersion = '1.16.4';
+$wgVersion = '1.16.5';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/User.php b/includes/User.php
index 51ffe70a5087..fb19ddf2e88f 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -897,24 +897,25 @@ class User {
}
$passwordCorrect = FALSE;
- $this->mId = $sId;
- if ( !$this->loadFromId() ) {
- # Not a valid ID, loadFromId has switched the object to anon for us
+ $proposedUser = User::newFromId( $sId );
+ if ( !$proposedUser->isLoggedIn() ) {
+ # Not a valid ID
+ $this->loadDefaults();
return false;
}
global $wgBlockDisablesLogin;
- if( $wgBlockDisablesLogin && $this->isBlocked() ) {
+ if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) {
# User blocked and we've disabled blocked user logins
$this->loadDefaults();
return false;
}
if ( isset( $_SESSION['wsToken'] ) ) {
- $passwordCorrect = $_SESSION['wsToken'] == $this->mToken;
+ $passwordCorrect = $proposedUser->getToken() === $_SESSION['wsToken'];
$from = 'session';
} else if ( isset( $_COOKIE["{$wgCookiePrefix}Token"] ) ) {
- $passwordCorrect = $this->mToken == $_COOKIE["{$wgCookiePrefix}Token"];
+ $passwordCorrect = $proposedUser->getToken() === $_COOKIE["{$wgCookiePrefix}Token"];
$from = 'cookie';
} else {
# No session or persistent login cookie
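Review bot: Both token checks compare the stored secret with `===`, which is not a constant-time comparison and is also true for two empty strings. If getToken() can ever return an empty value (not visible in this hunk), an empty session or cookie token would pass this step. Where the supported PHP versions provide hash_equals(), the session branch could read `$token = $proposedUser->getToken();` followed by `$passwordCorrect = $token !== '' && hash_equals( $token, (string)$_SESSION['wsToken'] );`, with the same form for the cookie branch. The enclosing method starts before this hunk and continues after it.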
@@ -922,7 +923,8 @@ class User {
return false;
}
- if ( ( $sName == $this->mName ) && $passwordCorrect ) {
+ if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) {
+ $this->loadFromUserObject( $proposedUser );
$_SESSION['wsToken'] = $this->mToken;
wfDebug( "Logged in from $from\n" );
return true;
@@ -935,6 +937,18 @@ class User {
}
/**
+ * Load the data for this user object from another user object.
+ */
+ protected function loadFromUserObject( $user ) {
+ $user->load();
+ $user->loadGroups();
+ $user->loadOptions();
+ foreach ( self::$mCacheVars as $var ) {
+ $this->$var = $user->$var;
+ }
+ }
+
+ /**
* Load user and user_group data from the database.
* $this::mId must be set, this is how the user is identified.
*
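Review bot: The docblock on loadFromUserObject() does not say that only the properties listed in `self::$mCacheVars` are copied. That list is declared outside this hunk, so any per-instance state missing from it would survive from the previous identity of `$this` (unverified from here). That is the same kind of cross-user residue this commit sets out to remove. The docblock should record the assumption and the parameter, e.g. `@param $user User Source object; only the fields in self::$mCacheVars are copied`. The signature can enforce the type with `protected function loadFromUserObject( User $user )`. A short why-comment on the three `load*()` calls, saying they force the source object to be fully populated before the copy, would also help the next reader.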
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index a1d02d9c81aa..877f7cf60c81 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -697,7 +697,7 @@ class WebRequest {
global $wgScriptExtension;
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
// Bug 28235
// Block only Internet Explorer, and requests with missing UA