authorBrion Vibber <brion@users.mediawiki.org>2005-06-03 14:51:08 +0000
committerBrion Vibber <brion@users.mediawiki.org>2005-06-03 14:51:08 +0000
commitf02d4fbade759ee5043afeb562aeeb9b3b4793b3 (patch)
tree97ff7d9b4ce4c1e10097010efc4dbd431a12d969
parentc3bed6d21e3da6a03daa9484c3b0dd05ffd33785 (diff)
Bump to 1.4.51.4.5
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/9318
-rw-r--r--RELEASE-NOTES22
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/Parser.php14
-rw-r--r--maintenance/parserTests.txt85
4 files changed, 120 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index c3dbda3c7cad..af1f33b60aa8 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -5,9 +5,26 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can.
== MediaWiki 1.4.5 ==
-(to be released)
+(released 2005-06-03)
-Various minor bug fixes, some backports.
+MediaWiki 1.4.5 is a security update and bugfix release.
+
+Incorrect handling of page template inclusions made it possible to
+inject JavaScript code into HTML attributes, which could lead to
+cross-site scripting attacks on a publicly editable wiki.
+
+Vulnerable releases and fix:
+* 1.5 prerelease: fixed in 1.5alpha2
+* 1.4 stable series: fixed in 1.4.5
+* 1.3 legacy series: fixed in 1.3.13
+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
+
+This release also includes a number of bug fixes (see changelog below)
+and merges some large-server load balancing patches from Wikipedia.
+
+An experimental rate limiter for page edits and moves can be enabled
+with global, per-IP, per-subnet, or per-user bases. See configuration
+options in includes/DefaultSettings.php
== MediaWiki 1.4.4 ==
@@ -611,6 +628,7 @@ pages for purposes of page relevancy ranking.
* (bug 2281) Fix regression with page moves taking the wrong talk pages
* Regression fix: watchlist day cutoff
* (bug 2173) Fatal error when removing an article with an empty title from the watchlist
+* (bug 2034) Armor HTML attributes against template inclusion and links munging
=== Caveats ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index e9008cd57902..3ba84a9cddcb 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -19,7 +19,7 @@ if( defined( 'MEDIAWIKI' ) ) {
* MediaWiki version number
* @global string $wgVersion
*/
-$wgVersion = '1.4.4';
+$wgVersion = '1.4.5';
/**
* Name of the site.
diff --git a/includes/Parser.php b/includes/Parser.php
index d95d87c70f1d..b1df477cdb7f 100644
--- a/includes/Parser.php
+++ b/includes/Parser.php
@@ -496,6 +496,20 @@ class Parser
{
$t='';
}
+
+ # Templates and links may be expanded in later parsing,
+ # creating invalid or dangerous output. Suppress this.
+ $t = strtr( $t, array(
+ '{' => '&#123;',
+ '[' => '&#91;',
+ "''" => '&#39;&#39;',
+ 'ISBN' => '&#73;SBN',
+ 'RFC' => '&#82;FC',
+ 'PMID' => '&#80;MID',
+ ) );
+ $t = preg_replace(
+ '/(' . URL_PROTOCOLS . '):/',
+ '\\1&#58;', $t );
return trim ( $t ) ;
}
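Review bot: The protocol pattern in the added `preg_replace` is case-sensitive and the `strtr` table is a fixed list of markup openers, so the armoring only holds while every later expansion pass matches exactly these spellings. If the later free-link pass (not visible in this hunk) matches schemes case-insensitively, an upper- or mixed-case scheme inside an attribute would keep its colon; adding the `i` flag, `'/(' . URL_PROTOCOLS . '):/i'`, is harmless because `&#58;` renders identically. The comment should also say that only the opening `{`/`[` and the first letter of each magic word are encoded because that is enough to defeat the later match, and that any newly added inline syntax has to be added to this table. The enclosing method starts outside the hunk, so how `$t` is built and whether entities are decoded again afterwards cannot be confirmed from here.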
diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index 232243bfff0e..e3078ab8dc83 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -1966,6 +1966,91 @@ Character reference normalization in link text (bug 1938)
!!end
+###
+### Safety
+###
+
+!! test
+Bug 2304: HTML attribute safety (template)
+!! input
+<div title="{{test}}"></div>
+!! result
+<div title="&#123;&#123;test}}"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (link)
+!! input
+<div title="[[Main Page]]"></div>
+!! result
+<div title="&#91;&#91;Main Page]]"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (italics)
+!! input
+<div title="''foobar''"></div>
+!! result
+<div title="&#39;&#39;foobar&#39;&#39;"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (bold)
+!! input
+<div title="'''foobar'''"></div>
+!! result
+<div title="&#39;&#39;'foobar&#39;&#39;'"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (ISBN)
+!! input
+<div title="ISBN 1234567890"></div>
+!! result
+<div title="&#73;SBN 1234567890"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (RFC)
+!! input
+<div title="RFC 1234"></div>
+!! result
+<div title="&#82;FC 1234"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (PMID)
+!! input
+<div title="PMID 1234567890"></div>
+!! result
+<div title="&#80;MID 1234567890"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (web link)
+!! input
+<div title="http://example.com/"></div>
+!! result
+<div title="http&#58;//example.com/"></div >
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (named web link)
+!! input
+<div title="[http://example.com/ link]"></div>
+!! result
+<div title="&#91;http&#58;//example.com/ link]"></div >
+
+!! end
+
TODO:
more images
more tables
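Review bot: The new cases are titled "Bug 2304" while the RELEASE-NOTES entry added in the same commit reads "(bug 2034)", so one of the two numbers is presumably a typo and should be reconciled so the fix can be traced. Coverage is also narrow for a security fix: every case uses `title` on a `div`, and only `http` is exercised out of `URL_PROTOCOLS`. A case for a second scheme from that constant and one for a different attribute would pin the regex branch and show the armoring is not specific to `title`.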