author | Tim Starling <tstarling@users.mediawiki.org> | 2011-05-05 05:33:13 +0000 |
---|---|---|
committer | Tim Starling <tstarling@users.mediawiki.org> | 2011-05-05 05:33:13 +0000 |
commit | ca79ad027d3e9068df3f37cfb143935f96d21016 (patch) | |
tree | 985370243255f46b9c3d50b291f1aaba84c347cd | |
parent | 1f18d3d48b90f34bd2b6b9d2e35707640ce8c20b (diff) |
* Fix for bug 28534: IE 6 content type detection again (1.16.5)
* Fix for bug 28639: user object instance cache pollution
* Updates for release of 1.16.5
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/87484
-rw-r--r-- | RELEASE-NOTES | 13 | ||||
-rw-r--r-- | images/.htaccess | 2 | ||||
-rw-r--r-- | img_auth.php | 2 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/User.php | 28 | ||||
-rw-r--r-- | includes/WebRequest.php | 2 |
6 files changed, 35 insertions, 14 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 1a863b9fa9b4..ecfb4e2d8759 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,10 +1,10 @@ = MediaWiki release notes = -== MediaWiki 1.16.4 == +== MediaWiki 1.16.5 == -2011-04-14 +2011-05-05 -This is a security and maintenance release of the MediaWiki 1.16 branch. +This is a security release of the MediaWiki 1.16 branch. === Summary of selected changes in 1.16 === @@ -44,6 +44,13 @@ set $wgCacheDirectory to a writable path on the local filesystem. Make sure you have the DBA extension for PHP installed, this will improve performance further. +== Changes since 1.16.4 + +* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third + attempt at fixing bug 28235. +* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin + is enabled. + == Changes since 1.16.3 == * (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6 diff --git a/images/.htaccess b/images/.htaccess index 2aea33e06270..1cc74f42b08e 100644 --- a/images/.htaccess +++ b/images/.htaccess @@ -1,6 +1,6 @@ # Protect against bug 28235 <IfModule rewrite_module> RewriteEngine On - RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase] + RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase] RewriteRule . - [forbidden] </IfModule> diff --git a/img_auth.php b/img_auth.php index 26ba9413c81a..0fe239bae856 100644 --- a/img_auth.php +++ b/img_auth.php @@ -39,7 +39,7 @@ if ( $wgImgAuthPublicTest // Check for bug 28235: QUERY_STRING overriding the correct extension if ( isset( $_SERVER['QUERY_STRING'] ) - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); } diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index e4864edb3ea4..54a96d442873 100644 --- a/includes/DefaultSettings.php 
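Review bot: The comment above the rule still reads only `# Protect against bug 28235`, which no longer explains the pattern; the new class `[^\\/:*?\x22<>|%]+` is not self-evident to the next person who edits this file. I would add a line such as `# Reject any query string ending in a dot followed by characters other than \ / : * ? " < > | %`, with the author confirming the rationale for that exact set, since it is not stated on this page. The `[nocase]` flag is now redundant because the pattern contains no letters, and it could be dropped. The release notes call this the third attempt at the same bug, so a short list of query strings that must and must not be rejected, kept beside the rule or in a test, would help catch another regression.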
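Review bot: The PHP copy of the pattern in img_auth.php does not exclude the backslash the way the images/.htaccess rule does. Inside a single-quoted PHP string `\\/` reaches PCRE as `\/`, which is only an escaped slash, so the class is effectively `[^/:*?"<>|%]`. The two checks therefore disagree on query strings that contain a backslash; the PHP check rejects more, so it errs on the strict side, but the mismatch will confuse anyone comparing them. If the backslash is meant to be in the set, write `'/\.[^\\\\\/:*?"<>|%]+(#|\?|$)/i'`, or pick a different delimiter so the slash needs no escaping. The same literal appears in the includes/WebRequest.php hunk and needs the same change.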
+++ b/includes/DefaultSettings.php @@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) { } /** MediaWiki version number */ -$wgVersion = '1.16.4'; +$wgVersion = '1.16.5'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/User.php b/includes/User.php index 51ffe70a5087..fb19ddf2e88f 100644 --- a/includes/User.php +++ b/includes/User.php @@ -897,24 +897,25 @@ class User { } $passwordCorrect = FALSE; - $this->mId = $sId; - if ( !$this->loadFromId() ) { - # Not a valid ID, loadFromId has switched the object to anon for us + $proposedUser = User::newFromId( $sId ); + if ( !$proposedUser->isLoggedIn() ) { + # Not a valid ID + $this->loadDefaults(); return false; } global $wgBlockDisablesLogin; - if( $wgBlockDisablesLogin && $this->isBlocked() ) { + if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) { # User blocked and we've disabled blocked user logins $this->loadDefaults(); return false; } if ( isset( $_SESSION['wsToken'] ) ) { - $passwordCorrect = $_SESSION['wsToken'] == $this->mToken; + $passwordCorrect = $proposedUser->getToken() === $_SESSION['wsToken']; $from = 'session'; } else if ( isset( $_COOKIE["{$wgCookiePrefix}Token"] ) ) { - $passwordCorrect = $this->mToken == $_COOKIE["{$wgCookiePrefix}Token"]; + $passwordCorrect = $proposedUser->getToken() === $_COOKIE["{$wgCookiePrefix}Token"]; $from = 'cookie'; } else { # No session or persistent login cookie @@ -922,7 +923,8 @@ class User { return false; } - if ( ( $sName == $this->mName ) && $passwordCorrect ) { + if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) { + $this->loadFromUserObject( $proposedUser ); $_SESSION['wsToken'] = $this->mToken; wfDebug( "Logged in from $from\n" ); return true; 
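Review bot: The new strict comparison `$proposedUser->getToken() === $_SESSION['wsToken']` and its cookie counterpart still evaluate to true when both sides are the empty string, and nothing visible in this hunk rules out an account whose stored token is empty. `getToken()` is not shown here, so this may already be guaranteed elsewhere. If it is not, read the token once and require it to be non-empty, e.g. `$token = $proposedUser->getToken();` then `$passwordCorrect = $token !== '' && $token === $_SESSION['wsToken'];`, and likewise in the cookie branch. As secondary hardening, a comparison whose running time does not depend on where the strings first differ would suit a login token better than `===`. The enclosing method begins and ends outside this hunk.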
@@ -935,6 +937,18 @@ class User { } /** + * Load the data for this user object from another user object. + */ + protected function loadFromUserObject( $user ) { + $user->load(); + $user->loadGroups(); + $user->loadOptions(); + foreach ( self::$mCacheVars as $var ) { + $this->$var = $user->$var; + } + } + + /** * Load user and user_group data from the database. * $this::mId must be set, this is how the user is identified. * diff --git a/includes/WebRequest.php b/includes/WebRequest.php index a1d02d9c81aa..877f7cf60c81 100644 --- a/includes/WebRequest.php +++ b/includes/WebRequest.php @@ -697,7 +697,7 @@ class WebRequest { global $wgScriptExtension; if ( isset( $_SERVER['QUERY_STRING'] ) - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) { // Bug 28235 // Block only Internet Explorer, and requests with missing UA |
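Review bot: The docblock on the new `loadFromUserObject()` does not say what is and is not copied, which matters because this method now turns the validated `$proposedUser` into the session user. As written it copies only the properties named in `self::$mCacheVars`, after calling `load()`, `loadGroups()` and `loadOptions()` on the argument, which presumably populates the source object as a side effect. Any lazily computed state on `$this` that is not in that list (the list is not visible here) would keep its previous value. I would add `@param User $user` and one sentence covering both points, and declare the parameter as `User $user` so that a non-User argument fails at the call.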