authorBrion Vibber <brion@users.mediawiki.org>2008-01-24 00:23:03 +0000
committerBrion Vibber <brion@users.mediawiki.org>2008-01-24 00:23:03 +0000
commite530d80f0eb4424e55f31744c26ad6c891b2b383 (patch)
tree524a83e5e109e82341e885d55b9e761d8f6f4bff
parent9e9d081f4b3d9cba64473d7a84dfa4ae60585357 (diff)
Merge 30087 and bump to 1.11.11.11.1
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/30094
-rw-r--r--RELEASE-NOTES32
-rw-r--r--api.php23
-rw-r--r--includes/DefaultSettings.php2
3 files changed, 54 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 155a2c27290b..5115778ea229 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -5,13 +5,41 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can.
== MediaWiki 1.11.1 ==
-October ?, 2007
+January 23, 2008
-This is a bugfix release of the Fall 2007 snapshot release of MediaWiki.
+This is a security and bugfix release of the Fall 2007 snapshot release of
+MediaWiki. A potential XSS injection vector affecting api.php only for
+Microsoft Internet Explorer users has been closed.
+
+Changes in this release:
* (bug 11450) Fix creation of objectcache table on upgrade
* (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name
* Fix regression in LinkBatch.php breaking PHP 5.0
+* Security fix for API on MSIE
+
+
+To work around the vulnerability without upgrading, you may disable the
+API if you don't need it:
+
+ $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.12 or later
+* 1.11 >= 1.11.1
+* 1.10 >= 1.10.3
+* 1.9 >= 1.9.5
+* 1.8 any version (if $wgEnableAPI has been left off)
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.2
+* 1.9 <= 1.9.4
+* 1.8 any version (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the API functionality, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
== MediaWiki 1.11.0 ==
diff --git a/api.php b/api.php
index fa85573df5b1..ce445ef4aa4b 100644
--- a/api.php
+++ b/api.php
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
wfProfileIn('api.php');
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
// Verify that the API has not been disabled
if (!$wgEnableAPI) {
echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
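Review bot: The guard `if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) )` relies on strcmp()'s non-zero result being truthy, which reads as the opposite of what it does; `if ( $url !== "$wgScriptPath/api$wgScriptExtension" ) {` states the fail-closed intent directly. The 403 path also leaves no trace, so a deployment where SCRIPT_URL or PHP_SELF legitimately differs from the configured path (presumably a rewrite or alias setup) cannot be told apart from blocked PATH_INFO requests; a `wfDebug( "api.php: rejected non-canonical request URL\n" );` before wfHttpError() would give operators something to look at. The early `return` comes after the `wfProfileIn('api.php')` at the top of the hunk, and whether a matching wfProfileOut is skipped on this path depends on code outside the hunk.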
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1ed8779affa6..5afb969d56eb 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.11.0';
+$wgVersion = '1.11.1';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';