diff options
author | Brion Vibber <brion@users.mediawiki.org> | 2007-02-21 02:09:13 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2007-02-21 02:09:13 +0000 |
commit | f2dafdea2085c5b45590c5eb32b28408f129d9a0 (patch) | |
tree | 5e719d2ab862e55c42f096f96380a1482c060ec9 | |
parent | 276fb515a311fcaf37d4ad9e5e3a82e0d6693a0a (diff) |
== MediaWiki 1.6.10 ==1.9.3
February 20, 2007
This is a security and bug-fix update to the Spring 2006 quarterly release.
An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.
If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10
There is no known danger in the default configuration, with $wgUseAjax off.
* (bug 8819) Fix full path disclosure with skins dependencies
* Add 'charset' to Content-Type headers on various HTTP error responses
to forestall additional UTF-7-autodetect XSS issues. PHP sends only
'text/html' by default when the script didn't specify more details,
which some inconsiderate browsers consider a license to autodetect
the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/20009
-rw-r--r-- | RELEASE-NOTES | 33 | ||||
-rw-r--r-- | img_auth.php | 1 | ||||
-rw-r--r-- | includes/AjaxDispatcher.php | 12 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/EditPage.php | 2 | ||||
-rw-r--r-- | includes/GlobalFunctions.php | 2 | ||||
-rw-r--r-- | includes/Metadata.php | 2 | ||||
-rw-r--r-- | includes/OutputPage.php | 1 | ||||
-rw-r--r-- | includes/StreamFile.php | 2 | ||||
-rw-r--r-- | thumb.php | 2 | ||||
-rw-r--r-- | trackback.php | 2 |
11 files changed, 47 insertions, 14 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 22f2a3a7f1c0..472409da0479 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -5,11 +5,40 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can. == MediaWiki 1.9.3 == -? +February 20, 2007 + +This is a security and bug-fix update to the Winter 2007 quarterly release. +Minor compatibility fixes for IIS and PostgreSQL are included. + +An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 +charset autodetection was located in the AJAX support module, affecting MSIE +users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is +enabled. + +If you are using an extension based on the optional Ajax module, +either disable it or upgrade to a version containing the fix: + +* 1.9: fixed in 1.9.3 +* 1.8: fixed in 1.8.4 +* 1.7: fixed in 1.7.3 +* 1.6: fixed in 1.6.10 + +There is no known danger in the default configuration, with $wgUseAjax off. * (bug 8992) Fix a remaining raw use of REQUEST_URI in history * (bug 8984) Fix a database error in Special:Recentchangeslinked - when using the postgre database. + when using the PostgreSQL database. +* Add 'charset' to Content-Type headers on various HTTP error responses + to forestall additional UTF-7-autodetect XSS issues. PHP sends only + 'text/html' by default when the script didn't specify more details, + which some inconsiderate browsers consider a license to autodetect + the deadly, hard-to-escape UTF-7. + This fixes an issue with the Ajax interface error message on MSIE when + $wgUseAjax is enabled (not default configuration); this UTF-7 variant + on a previously fixed attack vector was discovered by Moshe BA from BugSec: + http://www.bugsec.com/articles.php?Security=24 +* Trackback responses now specify XML content type + == MediaWiki 1.9.2 == diff --git a/img_auth.php b/img_auth.php index 8794bc786979..e0a6459f740b 100644 --- a/img_auth.php +++ b/img_auth.php @@ -49,6 +49,7 @@ wfLogProfilingData(); function wfForbidden() { header( 'HTTP/1.0 403 Forbidden' ); + header( 'Content-Type: text/html; charset=utf-8' ); print "<html><body> <h1>Access denied</h1> diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php index 89062f8770dc..39ec19f883d0 100644 --- a/includes/AjaxDispatcher.php +++ b/includes/AjaxDispatcher.php @@ -54,15 +54,15 @@ class AjaxDispatcher { wfProfileIn( __METHOD__ ); if (! in_array( $this->func_name, $wgAjaxExportList ) ) { - header( 'Status: 400 Bad Request', true, 400 ); - print "unknown function " . htmlspecialchars( (string) $this->func_name ); + wfHttpError( 400, 'Bad Request', + "unknown function " . (string) $this->func_name ); } else { try { $result = call_user_func_array($this->func_name, $this->args); if ( $result === false || $result === NULL ) { - header( 'Status: 500 Internal Error', true, 500 ); - echo "{$this->func_name} returned no data"; + wfHttpError( 500, 'Internal Error', + "{$this->func_name} returned no data" ); } else { if ( is_string( $result ) ) { @@ -75,8 +75,8 @@ class AjaxDispatcher { } catch (Exception $e) { if (!headers_sent()) { - header( 'Status: 500 Internal Error', true, 500 ); - print $e->getMessage(); + wfHttpError( 500, 'Internal Error', + $e->getMessage() ); } else { print $e->getMessage(); } diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index df1b9d55136f..0692401d2319 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.9.2'; +$wgVersion = '1.9.3'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/EditPage.php b/includes/EditPage.php index c53389ccf4b3..7688a64aa926 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -1765,7 +1765,7 @@ END function livePreview() { global $wgOut; $wgOut->disable(); - header( 'Content-type: text/xml' ); + header( 'Content-type: text/xml; charset=utf-8' ); header( 'Cache-control: no-cache' ); # FIXME echo $this->getPreviewText( ); diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index da24e4a7e6fa..de07b321e0ac 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -1078,7 +1078,7 @@ function wfHttpError( $code, $label, $desc ) { header( "Status: $code $label" ); $wgOut->sendCacheControl(); - header( 'Content-type: text/html' ); + header( 'Content-type: text/html; charset=utf-8' ); print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">". "<html><head><title>" . htmlspecialchars( $label ) . diff --git a/includes/Metadata.php b/includes/Metadata.php index b48ced0de9a9..4e0d91b76239 100644 --- a/includes/Metadata.php +++ b/includes/Metadata.php @@ -81,7 +81,7 @@ function rdfSetup() { return false; } else { $wgOut->disable(); - header( "Content-type: {$rdftype}" ); + header( "Content-type: {$rdftype}; charset=utf-8" ); $wgOut->sendCacheControl(); return true; } diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 4ca9e88a4879..6d3cc0ac8649 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -561,6 +561,7 @@ class OutputPage { $this->sendCacheControl(); + $wgRequest->response()->header("Content-Type: text/html; charset=utf-8"); if( $wgDebugRedirects ) { $url = htmlspecialchars( $this->mRedirect ); print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n"; diff --git a/includes/StreamFile.php b/includes/StreamFile.php index 949422d6912e..dc653e57bf6e 100644 --- a/includes/StreamFile.php +++ b/includes/StreamFile.php @@ -7,7 +7,7 @@ function wfStreamFile( $fname ) { if ( !$stat ) { header( 'HTTP/1.0 404 Not Found' ); header( 'Cache-Control: no-cache' ); - header( 'Content-Type: text/html' ); + header( 'Content-Type: text/html; charset=utf-8' ); $encFile = htmlspecialchars( $fname ); $encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] ); echo "<html><body> diff --git a/thumb.php b/thumb.php index c325d07a7184..206019dfd1d8 100644 --- a/thumb.php +++ b/thumb.php @@ -74,7 +74,7 @@ if ( $thumb && $thumb->path ) { $badtitle = wfMsg( 'badtitle' ); $badtitletext = wfMsg( 'badtitletext' ); header( 'Cache-Control: no-cache' ); - header( 'Content-Type: text/html' ); + header( 'Content-Type: text/html; charset=utf-8' ); echo "<html><head> <title>$badtitle</title> <body> diff --git a/trackback.php b/trackback.php index 6d2d826b9b39..6e4ee9828eed 100644 --- a/trackback.php +++ b/trackback.php @@ -12,6 +12,7 @@ require_once('DatabaseFunctions.php'); * */ function XMLsuccess() { + header("Content-Type: application/xml; charset=utf-8"); echo " <?xml version=\"1.0\" encoding=\"utf-8\"?> <response> @@ -23,6 +24,7 @@ function XMLsuccess() { function XMLerror($err = "Invalid request.") { header("HTTP/1.0 400 Bad Request"); + header("Content-Type: application/xml; charset=utf-8"); echo " <?xml version=\"1.0\" encoding=\"utf-8\"?> <response> |