| Index: branches/REL1_5/phase3/maintenance/parserTests.inc |
| — | — | @@ -303,6 +303,7 @@ |
| 304 | 304 | 'wgDefaultUserOptions' => array(), |
| 305 | 305 | 'wgNoFollowLinks' => true, |
| 306 | 306 | 'wgThumbnailScriptPath' => false, |
| | 307 | + 'wgUseTeX' => false, |
| 307 | 308 | ); |
| 308 | 309 | $this->savedGlobals = array(); |
| 309 | 310 | foreach( $settings as $var => $val ) { |
| Index: branches/REL1_5/phase3/maintenance/parserTests.txt |
| — | — | @@ -2598,6 +2598,45 @@ |
| 2599 | 2599 | !! end |
| 2600 | 2600 | |
| 2601 | 2601 | |
| | 2602 | +!! test |
| | 2603 | +Math section safety when disabled |
| | 2604 | +!! input |
| | 2605 | +<math><script>alert(document.cookies);</script></math> |
| | 2606 | +!! result |
| | 2607 | +<p><math><script>alert(document.cookies);</script></math> |
| | 2608 | +</p> |
| | 2609 | +!! end |
| | 2610 | + |
| | 2611 | + |
| | 2612 | +!! test |
| | 2613 | +Table attribute legitimate extension |
| | 2614 | +!! input |
| | 2615 | +{| |
| | 2616 | +!+ style="<nowiki>color:blue</nowiki>"| status |
| | 2617 | +|} |
| | 2618 | +!! result |
| | 2619 | +<table> |
| | 2620 | +<tr> |
| | 2621 | +<th style="color:blue"> status |
| | 2622 | +</th></tr></table> |
| | 2623 | + |
| | 2624 | +!!end |
| | 2625 | + |
| | 2626 | +!! test |
| | 2627 | +Table attribute safety |
| | 2628 | +!! input |
| | 2629 | +{| |
| | 2630 | +!+ style="<nowiki>border-width:expression(0+alert(document.cookie))</nowiki>"| status |
| | 2631 | +|} |
| | 2632 | +!! result |
| | 2633 | +<table> |
| | 2634 | +<tr> |
| | 2635 | +<th> status |
| | 2636 | +</th></tr></table> |
| | 2637 | + |
| | 2638 | +!! end |
| | 2639 | + |
| | 2640 | + |
| 2602 | 2641 | TODO: |
| 2603 | 2642 | more images |
| 2604 | 2643 | more tables |
| Index: branches/REL1_5/phase3/includes/Article.php |
| — | — | @@ -173,6 +173,7 @@ |
| 174 | 174 | $striparray=array(); |
| 175 | 175 | $parser=new Parser(); |
| 176 | 176 | $parser->mOutputType=OT_WIKI; |
| | 177 | + $parser->mOptions = new ParserOptions(); |
| 177 | 178 | $striptext=$parser->strip($text, $striparray, true); |
| 178 | 179 | |
| 179 | 180 | # now that we can be sure that no pseudo-sections are in the source, |
| — | — | @@ -1119,6 +1120,7 @@ |
| 1120 | 1121 | $striparray=array(); |
| 1121 | 1122 | $parser=new Parser(); |
| 1122 | 1123 | $parser->mOutputType=OT_WIKI; |
| | 1124 | + $parser->mOptions = new ParserOptions(); |
| 1123 | 1125 | $oldtext=$parser->strip($oldtext, $striparray, true); |
| 1124 | 1126 | |
| 1125 | 1127 | # now that we can be sure that no pseudo-sections are in the source, |
| Index: branches/REL1_5/phase3/includes/Parser.php |
| — | — | @@ -377,16 +377,14 @@ |
| 378 | 378 | } |
| 379 | 379 | |
| 380 | 380 | # math |
| 381 | | - $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix); |
| 382 | | - foreach( $math_content as $marker => $content ){ |
| 383 | | - if( $render ) { |
| 384 | | - if( $this->mOptions->getUseTeX() ) { |
| | 381 | + if( $this->mOptions->getUseTeX() ) { |
| | 382 | + $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix); |
| | 383 | + foreach( $math_content as $marker => $content ){ |
| | 384 | + if( $render ) { |
| 385 | 385 | $math_content[$marker] = renderMath( $content ); |
| 386 | 386 | } else { |
| 387 | | - $math_content[$marker] = '<math>'.$content.'<math>'; |
| | 387 | + $math_content[$marker] = '<math>'.$content.'</math>'; |
| 388 | 388 | } |
| 389 | | - } else { |
| 390 | | - $math_content[$marker] = '<math>'.$content.'</math>'; |
| 391 | 389 | } |
| 392 | 390 | } |
| 393 | 391 | |
| — | — | @@ -650,8 +648,11 @@ |
| 651 | 649 | $fc = substr ( $x , 0 , 1 ) ; |
| 652 | 650 | if ( preg_match( '/^(:*)\{\|(.*)$/', $x, $matches ) ) { |
| 653 | 651 | $indent_level = strlen( $matches[1] ); |
| | 652 | + |
| | 653 | + $attributes = $this->unstripForHTML( $matches[2] ); |
| | 654 | + |
| 654 | 655 | $t[$k] = str_repeat( '<dl><dd>', $indent_level ) . |
| 655 | | - '<table' . Sanitizer::fixTagAttributes ( $matches[2], 'table' ) . '>' ; |
| | 656 | + '<table' . Sanitizer::fixTagAttributes ( $attributes, 'table' ) . '>' ; |
| 656 | 657 | array_push ( $td , false ) ; |
| 657 | 658 | array_push ( $ltd , '' ) ; |
| 658 | 659 | array_push ( $tr , false ) ; |
| — | — | @@ -678,7 +679,8 @@ |
| 679 | 680 | array_push ( $tr , false ) ; |
| 680 | 681 | array_push ( $td , false ) ; |
| 681 | 682 | array_push ( $ltd , '' ) ; |
| 682 | | - array_push ( $ltr , Sanitizer::fixTagAttributes ( $x, 'tr' ) ) ; |
| | 683 | + $attributes = $this->unstripForHTML( $x ); |
| | 684 | + array_push ( $ltr , Sanitizer::fixTagAttributes ( $attributes, 'tr' ) ) ; |
| 683 | 685 | } |
| 684 | 686 | else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption |
| 685 | 687 | # $x is a table row |
| — | — | @@ -720,7 +722,10 @@ |
| 721 | 723 | } |
| 722 | 724 | if ( count ( $y ) == 1 ) |
| 723 | 725 | $y = "{$z}<{$l}>{$y[0]}" ; |
| 724 | | - else $y = $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($y[0], $l).">{$y[1]}" ; |
| | 726 | + else { |
| | 727 | + $attributes = $this->unstripForHTML( $y[0] ); |
| | 728 | + $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($attributes, $l).">{$y[1]}" ; |
| | 729 | + } |
| 725 | 730 | $t[$k] .= $y ; |
| 726 | 731 | array_push ( $td , true ) ; |
| 727 | 732 | } |
| — | — | @@ -3315,6 +3320,11 @@ |
| 3316 | 3321 | */ |
| 3317 | 3322 | function attributeStripCallback( &$text, $args ) { |
| 3318 | 3323 | $text = $this->replaceVariables( $text, $args ); |
| | 3324 | + $text = $this->unstripForHTML( $text ); |
| | 3325 | + return $text; |
| | 3326 | + } |
| | 3327 | + |
| | 3328 | + function unstripForHTML( $text ) { |
| 3319 | 3329 | $text = $this->unstrip( $text, $this->mStripState ); |
| 3320 | 3330 | $text = $this->unstripNoWiki( $text, $this->mStripState ); |
| 3321 | 3331 | return $text; |
| Index: branches/REL1_5/phase3/includes/DefaultSettings.php |
| — | — | @@ -28,7 +28,7 @@ |
| 29 | 29 | $wgConf = new SiteConfiguration; |
| 30 | 30 | |
| 31 | 31 | /** MediaWiki version number */ |
| 32 | | -$wgVersion = '1.5rc3'; |
| | 32 | +$wgVersion = '1.5rc4'; |
| 33 | 33 | |
| 34 | 34 | /** Name of the site. It must be changed in LocalSettings.php */ |
| 35 | 35 | $wgSitename = 'MediaWiki'; |
| Index: branches/REL1_5/phase3/RELEASE-NOTES |
| — | — | @@ -3,6 +3,25 @@ |
| 4 | 4 | Security reminder: MediaWiki does not require PHP's register_globals |
| 5 | 5 | setting since version 1.2.0. If you have it on, turn it *off* if you can. |
| 6 | 6 | |
| | 7 | +== MediaWiki 1.5 release candidate 4 == |
| | 8 | + |
| | 9 | +August 29, 2005 |
| | 10 | + |
| | 11 | +MediaWiki 1.5rc4 is a preview release of the new 1.5 release series. |
| | 12 | +It fixes compatibility with PHP 5.1, and corrects two cross-site scripting |
| | 13 | +security bugs: |
| | 14 | + |
| | 15 | +* <math> tags were handled incorrectly when TeX rendering support is off, |
| | 16 | + as in the default configuration. |
| | 17 | +* Extension or <nowiki> sections in Wiki table syntax could bypass HTML |
| | 18 | + style attribute restrictions for cross-site scripting attacks against |
| | 19 | + Microsoft Internet Explorer |
| | 20 | + |
| | 21 | +Wikis where the optional math support has been *enabled* are not vulnerable |
| | 22 | +to the first, but are vulnerable to the second. |
| | 23 | + |
| | 24 | + |
| | 25 | + |
| 7 | 26 | == MediaWiki 1.5 release candidate 3 == |
| 8 | 27 | |
| 9 | 28 | August 24, 2005 |
| — | — | @@ -724,6 +743,8 @@ |
| 725 | 744 | |
| 726 | 745 | * (bug 3280) Respect 'move' group permission on page moves |
| 727 | 746 | * (bug 2885) More PHP 5.1 fixes: skin, search, log, undelete |
| | 747 | +* Security fix for <math> |
| | 748 | +* Security fix for tables |
| 728 | 749 | |
| 729 | 750 | |
| 730 | 751 | === Caveats === |