| Index: branches/REL1_17/phase3/includes/AjaxDispatcher.php |
| — | — | @@ -74,7 +74,7 @@ |
| 75 | 75 | * request. |
| 76 | 76 | */ |
| 77 | 77 | function performAction() { |
| 78 | | - global $wgAjaxExportList, $wgOut; |
| | 78 | + global $wgAjaxExportList, $wgOut, $wgUser; |
| 79 | 79 | |
| 80 | 80 | if ( empty( $this->mode ) ) { |
| 81 | 81 | return; |
| — | — | @@ -90,6 +90,13 @@ |
| 91 | 91 | 'Bad Request', |
| 92 | 92 | "unknown function " . (string) $this->func_name |
| 93 | 93 | ); |
| | 94 | + } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) |
| | 95 | + && !$wgUser->isAllowed( 'read' ) ) |
| | 96 | + { |
| | 97 | + wfHttpError( |
| | 98 | + 403, |
| | 99 | + 'Forbidden', |
| | 100 | + 'You must log in to view pages.' ); |
| 94 | 101 | } else { |
| 95 | 102 | wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" ); |
| 96 | 103 | |
| Index: branches/REL1_17/phase3/includes/Wiki.php |
| — | — | @@ -149,10 +149,21 @@ |
| 150 | 150 | * @return boolean true if successful |
| 151 | 151 | */ |
| 152 | 152 | function preliminaryChecks( &$title, &$output ) { |
| | 153 | + global $wgTitle; |
| 153 | 154 | // If the user is not logged in, the Namespace:title of the article must be in |
| 154 | 155 | // the Read array in order for the user to see it. (We have to check here to |
| 155 | 156 | // catch special pages etc. We check again in Article::view()) |
| 156 | 157 | if( !is_null( $title ) && !$title->userCanRead() ) { |
| | 158 | + // Bug 32276: allowing the skin to generate output with $wgTitle |
| | 159 | + // set to the input title would allow anonymous users to |
| | 160 | + // determine whether a page exists, potentially leaking private data. In fact, the |
| | 161 | + // curid and oldid request parameters would allow page titles to be enumerated even |
| | 162 | + // when they are not guessable. So we reset the title to Special:Badtitle before the |
| | 163 | + // permissions error is displayed. |
| | 164 | + $badtitle = SpecialPage::getTitleFor( 'Badtitle' ); |
| | 165 | + $output->setTitle( $badtitle ); |
| | 166 | + $wgTitle = $badtitle; |
| | 167 | + |
| 157 | 168 | $output->loginToUse(); |
| 158 | 169 | $this->finalCleanup( $output ); |
| 159 | 170 | $output->disable(); |
| Index: branches/REL1_17/phase3/includes/SkinTemplate.php |
| — | — | @@ -549,11 +549,22 @@ |
| 550 | 550 | |
| 551 | 551 | /* set up the default links for the personal toolbar */ |
| 552 | 552 | $personal_urls = array(); |
| 553 | | - $page = $wgRequest->getVal( 'returnto', $this->thisurl ); |
| 554 | | - $query = $wgRequest->getVal( 'returntoquery', $this->thisquery ); |
| 555 | | - $returnto = "returnto=$page"; |
| 556 | | - if( $this->thisquery != '' ) |
| 557 | | - $returnto .= "&returntoquery=$query"; |
| | 553 | + |
| | 554 | + # Due to bug 32276, if a user does not have read permissions, |
| | 555 | + # $wgOut->getTitle() will just give Special:Badtitle, which is |
| | 556 | + # not especially useful as a returnto parameter. Use the title |
| | 557 | + # from the request instead, if there was one. |
| | 558 | + $page = Title::newFromURL( $wgRequest->getVal( 'title', '' ) ); |
| | 559 | + $page = $wgRequest->getVal( 'returnto', $page ); |
| | 560 | + $returnto = ''; |
| | 561 | + if( strval( $page ) !== '' ) { |
| | 562 | + $returnto = "returnto=$page"; |
| | 563 | + $query = $wgRequest->getVal( 'returntoquery', $this->thisquery ); |
| | 564 | + if( $query != '' ) { |
| | 565 | + $returnto .= "&returntoquery=$query"; |
| | 566 | + } |
| | 567 | + } |
| | 568 | + |
| 558 | 569 | if( $this->loggedin ) { |
| 559 | 570 | $personal_urls['userpage'] = array( |
| 560 | 571 | 'text' => $this->username, |
| Index: branches/REL1_17/phase3/includes/DefaultSettings.php |
| — | — | @@ -34,7 +34,7 @@ |
| 35 | 35 | /** @endcond */ |
| 36 | 36 | |
| 37 | 37 | /** MediaWiki version number */ |
| 38 | | -$wgVersion = '1.17.0'; |
| | 38 | +$wgVersion = '1.17.1'; |
| 39 | 39 | |
| 40 | 40 | /** Name of the site. It must be changed in LocalSettings.php */ |
| 41 | 41 | $wgSitename = 'MediaWiki'; |
| Index: branches/REL1_17/phase3/RELEASE-NOTES |
| — | — | @@ -5,8 +5,19 @@ |
| 6 | 6 | |
| 7 | 7 | == MediaWiki 1.17.1 == |
| 8 | 8 | |
| 9 | | -This a maintenance release of the MediaWiki 1.17 branch. |
| | 9 | +2011-11-24 |
| 10 | 10 | |
| | 11 | +This a maintenance and security release of the MediaWiki 1.17 branch. |
| | 12 | + |
| | 13 | +=== Security changes === |
| | 14 | +* (bug 32276) Skins were generating output using the internal page title which |
| | 15 | + would allow anonymous users to determine wheter a page exists, potentially |
| | 16 | + leaking private data. In fact, the curid and oldid request parameters would |
| | 17 | + allow page titles to be enumerated even when they are not guessable. |
| | 18 | +* (bug 32616) action=ajax requests were dispatched to the relevant internal |
| | 19 | + functions without any read permission checks being done. This could lead to |
| | 20 | + data leakage on private wikis. |
| | 21 | + |
| 11 | 22 | === Summary of selected changes in 1.17 === |
| 12 | 23 | |
| 13 | 24 | Selected changes since MediaWiki 1.16 that may be of interest: |