author | Brion Vibber <brion@users.mediawiki.org> | 2008-01-24 00:23:03 +0000 |
committer | Brion Vibber <brion@users.mediawiki.org> | 2008-01-24 00:23:03 +0000 |
commit | e530d80f0eb4424e55f31744c26ad6c891b2b383 (patch) | |
tree | 524a83e5e109e82341e885d55b9e761d8f6f4bff | |
parent | 9e9d081f4b3d9cba64473d7a84dfa4ae60585357 (diff) |
Merge 30087 and bump to 1.11.11.11.1
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/30094
-rw-r--r-- | RELEASE-NOTES | 32 | ||||
-rw-r--r-- | api.php | 23 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 |
3 files changed, 54 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 155a2c27290b..5115778ea229 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -5,13 +5,41 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can. == MediaWiki 1.11.1 == -October ?, 2007 +January 23, 2008 -This is a bugfix release of the Fall 2007 snapshot release of MediaWiki. +This is a security and bugfix release of the Fall 2007 snapshot release of +MediaWiki. A potential XSS injection vector affecting api.php only for +Microsoft Internet Explorer users has been closed. + +Changes in this release: * (bug 11450) Fix creation of objectcache table on upgrade * (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name * Fix regression in LinkBatch.php breaking PHP 5.0 +* Security fix for API on MSIE + + +To work around the vulnerability without upgrading, you may disable the +API if you don't need it: + + $wgEnableAPI = false; + +Not vulnerable versions: +* 1.12 or later +* 1.11 >= 1.11.1 +* 1.10 >= 1.10.3 +* 1.9 >= 1.9.5 +* 1.8 any version (if $wgEnableAPI has been left off) + +Vulnerable versions: +* 1.11 <= 1.11.0rc1 +* 1.10 <= 1.10.2 +* 1.9 <= 1.9.4 +* 1.8 any version (if $wgEnableAPI has been switched on) + +MediaWiki 1.7 and below are not affected as they do not include +the API functionality, however the BotQuery extension is similarly +vulnerable unless updated to the latest SVN version. == MediaWiki 1.11.0 == 
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php'); wfProfileIn('api.php'); +// URL safety checks +// +// See RawPage.php for details; summary is that MSIE can override the +// Content-Type if it sees a recognized extension on the URL, such as +// might be appended via PATH_INFO after 'api.php'. +// +// Some data formats can end up containing unfiltered user-provided data +// which will end up triggering HTML detection and execution, hence +// XSS injection and all that entails. +// +// Ensure that all access is through the canonical entry point... +// +if( isset( $_SERVER['SCRIPT_URL'] ) ) { + $url = $_SERVER['SCRIPT_URL']; +} else { + $url = $_SERVER['PHP_SELF']; +} +if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { + wfHttpError( 403, 'Forbidden', + 'API must be accessed through the primary script entry point.' ); + return; +} + // Verify that the API has not been disabled if (!$wgEnableAPI) { echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 1ed8779affa6..5afb969d56eb 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.11.0'; +$wgVersion = '1.11.1'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; |
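Review bot: The canonical-entry-point check in the api.php hunk only rejects an appended PATH_INFO suffix indirectly, by hoping that `$_SERVER['PHP_SELF']` (used whenever SCRIPT_URL is absent) still carries it; whether PHP_SELF includes PATH_INFO depends on the SAPI and server configuration, so the very thing the comment above names as the vector should also be tested directly, e.g. `if ( isset( $_SERVER['PATH_INFO'] ) && $_SERVER['PATH_INFO'] !== '' ) { wfHttpError( 403, 'Forbidden', 'API must be accessed through the primary script entry point.' ); return; }` placed before the strcmp() comparison. While there, `if( strcmp( ... ) )` relies on the non-zero result being truthy; `if ( strcmp( ... ) !== 0 )` states the intent. The early `return` also appears to leave the `wfProfileIn('api.php')` call visible at the top of the hunk without a matching `wfProfileOut`, which is worth a `wfProfileOut('api.php');` before returning if the profiler expects balance (I cannot confirm that from this hunk). The remainder of api.php, including the `$wgEnableAPI` branch, continues outside the hunk.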