authorSam Reed <reedy@users.mediawiki.org>2011-11-28 23:28:38 +0000
committerSam Reed <reedy@users.mediawiki.org>2011-11-28 23:28:38 +0000
commite7dfef21aa522bb328908c89552b7ac1f610a104 (patch)
tree99b6e33be7e270583c402bcce82359f92a017584
parent745c25d71b1c1e46c7852d64bd0ef8de1f73fcd9 (diff)
* (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine whether a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would1.17.1
allow page titles to be enumerated even when they are not guessable. * (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/104506
-rw-r--r--RELEASE-NOTES13
-rw-r--r--includes/AjaxDispatcher.php9
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/SkinTemplate.php21
-rw-r--r--includes/Wiki.php11
5 files changed, 48 insertions, 8 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b1cbe3cd1b06..d4eb8bf488bd 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -5,7 +5,18 @@ setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
== MediaWiki 1.17.1 ==
-This a maintenance release of the MediaWiki 1.17 branch.
+2011-11-24
+
+This a maintenance and security release of the MediaWiki 1.17 branch.
+
+=== Security changes ===
+* (bug 32276) Skins were generating output using the internal page title which
+ would allow anonymous users to determine wheter a page exists, potentially
+ leaking private data. In fact, the curid and oldid request parameters would
+ allow page titles to be enumerated even when they are not guessable.
+* (bug 32616) action=ajax requests were dispatched to the relevant internal
+ functions without any read permission checks being done. This could lead to
+ data leakage on private wikis.
=== Summary of selected changes in 1.17 ===
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index e36787fdf445..f7583188a747 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -74,7 +74,7 @@ class AjaxDispatcher {
* request.
*/
function performAction() {
- global $wgAjaxExportList, $wgOut;
+ global $wgAjaxExportList, $wgOut, $wgUser;
if ( empty( $this->mode ) ) {
return;
@@ -90,6 +90,13 @@ class AjaxDispatcher {
'Bad Request',
"unknown function " . (string) $this->func_name
);
+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
+ && !$wgUser->isAllowed( 'read' ) )
+ {
+ wfHttpError(
+ 403,
+ 'Forbidden',
+ 'You must log in to view pages.' );
} else {
wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
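Review bot: The new read check sits after the `$wgAjaxExportList` lookup, so on a private wiki an unauthenticated caller still learns which function names are exported (400 for an unknown name versus 403 for a known one); moving the permission branch ahead of the export-list branch would make the response independent of the name. The `if`/`elseif` chain these branches belong to starts before this hunk, so the exact position depends on that earlier branch. The first clause, `in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )`, reads like a fast path rather than a separate case — every user is in `*`, so when it is true `$wgUser->isAllowed( 'read' )` should be true as well — and a short comment such as `# fast path: if anonymous users may read, everybody may` would save the next reader from wondering whether it covers something else. Note also that this is a wiki-wide gate only: an exported function that reads a specific page still has to call `userCanRead()` on that title, since per-title exceptions such as `$wgWhitelistRead` are not considered here.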
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6dce44a3f675..0395633d8387 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -34,7 +34,7 @@ if ( !defined( 'MW_PHP4' ) ) {
/** @endcond */
/** MediaWiki version number */
-$wgVersion = '1.17.0';
+$wgVersion = '1.17.1';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index cfb67250fa01..023afdd88a5d 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -549,11 +549,22 @@ class SkinTemplate extends Skin {
/* set up the default links for the personal toolbar */
$personal_urls = array();
- $page = $wgRequest->getVal( 'returnto', $this->thisurl );
- $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
- $returnto = "returnto=$page";
- if( $this->thisquery != '' )
- $returnto .= "&returntoquery=$query";
+
+ # Due to bug 32276, if a user does not have read permissions,
+ # $wgOut->getTitle() will just give Special:Badtitle, which is
+ # not especially useful as a returnto parameter. Use the title
+ # from the request instead, if there was one.
+ $page = Title::newFromURL( $wgRequest->getVal( 'title', '' ) );
+ $page = $wgRequest->getVal( 'returnto', $page );
+ $returnto = '';
+ if( strval( $page ) !== '' ) {
+ $returnto = "returnto=$page";
+ $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
+ if( $query != '' ) {
+ $returnto .= "&returntoquery=$query";
+ }
+ }
+
if( $this->loggedin ) {
$personal_urls['userpage'] = array(
'text' => $this->username,
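Review bot: The value built on `$returnto = "returnto=$page";` is not URL-encoded: when `$page` comes from `Title::newFromURL()` it is stringified by `getVal()` (presumably via `Title::__toString()`, which would give the prefixed-text form with spaces), and when it comes from the request it is the decoded user-supplied value, so a `&` in either becomes an extra query parameter in the login/logout links. Normalizing to the URL form first, e.g. `$page = $page ? $page->getPrefixedDBkey() : '';` right after the `newFromURL()` call, and then building with `$returnto = 'returnto=' . wfUrlencode( $page );` keeps both sources safe; `returntoquery` two lines below has the same shape. The removed code defaulted to `$this->thisurl`, which judging by its name was already the URL form, so the title-derived part of this is behaviour the commit introduces, while the raw request value was already there. The enclosing method starts and ends outside this hunk.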
diff --git a/includes/Wiki.php b/includes/Wiki.php
index b2cb1eb06759..4c3af0f786cd 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -149,10 +149,21 @@ class MediaWiki {
* @return boolean true if successful
*/
function preliminaryChecks( &$title, &$output ) {
+ global $wgTitle;
// If the user is not logged in, the Namespace:title of the article must be in
// the Read array in order for the user to see it. (We have to check here to
// catch special pages etc. We check again in Article::view())
if( !is_null( $title ) && !$title->userCanRead() ) {
+ // Bug 32276: allowing the skin to generate output with $wgTitle
+ // set to the input title would allow anonymous users to
+ // determine whether a page exists, potentially leaking private data. In fact, the
+ // curid and oldid request parameters would allow page titles to be enumerated even
+ // when they are not guessable. So we reset the title to Special:Badtitle before the
+ // permissions error is displayed.
+ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
+ $output->setTitle( $badtitle );
+ $wgTitle = $badtitle;
+
$output->loginToUse();
$this->finalCleanup( $output );
$output->disable();
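Review bot: Only `$wgTitle` and the output's title are swapped for `Special:Badtitle`; the by-reference `$title` parameter of `preliminaryChecks( &$title, &$output )` still holds the requested title when the function returns, so anything the caller does with `$title` after the failed check (the rest of this function and its caller are outside the hunk) can still reflect the real page. If the caller does not depend on it, adding `$title = $badtitle;` beside the `$wgTitle = $badtitle;` line would make the redaction complete at this boundary; otherwise a comment saying why `$title` is deliberately left untouched would help the next reader. The change also addresses skin output only, and existence may still be observable through other parts of the response derived from the title (HTTP status, headers, JS config variables), so a regression test that compares the full response for an existing and a non-existing restricted title would confirm the leak is closed rather than moved. The function continues past the end of this hunk.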