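--- a/branches/REL1_4/phase3/maintenance/parserTests.txt
+++ b/branches/REL1_4/phase3/maintenance/parserTests.txt
@@ -2141,6 +2141,46 @@
 
 !! end
 
+
+!! test
+Math section safety when disabled
+!! input
+<math><script>alert(document.cookies);</script></math>
+!! result
+<p><math><script>alert(document.cookies);</script></math>
+</p>
+!! end
+
+
+!! test
+Table attribute legitimate extension
+!! input
+{|
+!+ style="<nowiki>color:blue</nowiki>"| status
+|}
+!! result
+<table >
+<tr >
+<th style="color:blue"> status
+</th></tr></table>
+
+!!end
+
+!! test
+Table attribute safety
+!! input
+{|
+!+ style="<nowiki>border-width:expression(0+alert(document.cookie))</nowiki>"| status
+|}
+!! result
+<table >
+<tr >
+<th > status
+</th></tr></table>
+
+!! end
+
+
 TODO:
 more images
 more tables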
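Review bot: The `!! result` block of "Math section safety when disabled" lists the `<math>` and `<script>` elements unescaped, so as written it appears to assert that raw script markup reaches the rendered output; if the harness compares the parser's HTML literally, the expectation should be the entity-escaped form `<p>&lt;math&gt;&lt;script&gt;alert(document.cookies);&lt;/script&gt;&lt;/math&gt;`, and if the harness normalises entities before comparing, that deserves a comment beside the test. The "Table attribute legitimate extension" case closes with `!!end` while every other block uses `!! end`; unless the reader is known to tolerate the missing space, `!! end` keeps the file consistent. The two probes also differ (`document.cookies` versus `document.cookie`), which looks accidental rather than intentional.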
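--- a/branches/REL1_4/phase3/maintenance/parserTests.php
+++ b/branches/REL1_4/phase3/maintenance/parserTests.php
@@ -299,6 +299,7 @@
 'wgMaxTocLevel' => 999,
 'wgCapitalLinks' => true,
 'wgNoFollowLinks' => true,
+ 'wgUseTeX' => false,
 );
 $this->savedGlobals = array();
 foreach( $settings as $var => $val ) {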
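Review bot: The new `'wgUseTeX' => false,` entry carries no comment saying why the harness pins TeX off, although the "Math section safety when disabled" fixture only exercises the intended path under that setting; a trailing `# math disabled: <math> must fall through to the generic tag sanitizer, not extractTags()` would record that dependency. With TeX fixed off, the `getUseTeX()` branch in Parser.php that calls `renderMath()` is presumably never run by the test suite, which seems acceptable for a backport but is worth stating. The enclosing method starts and ends outside the hunk.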
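--- a/branches/REL1_4/phase3/includes/Article.php
+++ b/branches/REL1_4/phase3/includes/Article.php
@@ -232,6 +232,7 @@
 $striparray=array();
 $parser=new Parser();
 $parser->mOutputType=OT_WIKI;
+ $parser->mOptions = new ParserOptions();
 $striptext=$parser->strip($text, $striparray, true);
 
 # now that we can be sure that no pseudo-sections are in the source,
@@ -940,6 +941,7 @@
 $striparray=array();
 $parser=new Parser();
 $parser->mOutputType=OT_WIKI;
+ $parser->mOptions = new ParserOptions();
 $oldtext=$parser->strip($oldtext, $striparray, true);
 
 # now that we can be sure that no pseudo-sections are in the source,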
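Review bot: `$parser->mOptions = new ParserOptions();` is added without a note explaining why a strip-only Parser now needs options: the math hunk in Parser.php dereferences `$this->mOptions->getUseTeX()` before it decides whether to extract `<math>`, so calling `strip()` on a parser whose options were never set would presumably fail on that call. A one-line comment such as `# strip() now consults mOptions->getUseTeX(); default options suffice here` at this site and at the second hunk (@@ -940) would keep a later reader from removing the line as dead setup. The four-line Parser setup is now duplicated verbatim in both places and could become a small private helper, though that is beyond the scope of a security backport. Both enclosing methods start and end outside the hunks.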
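--- a/branches/REL1_4/phase3/includes/Parser.php
+++ b/branches/REL1_4/phase3/includes/Parser.php
@@ -305,16 +305,14 @@
 }
 
 # math
- $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix);
- foreach( $math_content as $marker => $content ){
- if( $render ) {
- if( $this->mOptions->getUseTeX() ) {
+ if( $this->mOptions->getUseTeX() ) {
+ $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix);
+ foreach( $math_content as $marker => $content ){
+ if( $render ) {
 $math_content[$marker] = renderMath( $content );
 } else {
- $math_content[$marker] = '<math>'.$content.'<math>';
+ $math_content[$marker] = '<math>'.$content.'</math>';
 }
- } else {
- $math_content[$marker] = '<math>'.$content.'</math>';
 }
 }
 
@@ -666,8 +664,11 @@
 $fc = substr ( $x , 0 , 1 ) ;
 if ( preg_match( '/^(:*)\{\|(.*)$/', $x, $matches ) ) {
 $indent_level = strlen( $matches[1] );
+
+ $attributes = $this->unstripForHTML( $matches[2] );
+
 $t[$k] = str_repeat( '<dl><dd>', $indent_level ) .
- '<table ' . $this->fixTagAttributes ( $matches[2] ) . '>' ;
+ '<table ' . $this->fixTagAttributes ( $attributes ) . '>' ;
 array_push ( $td , false ) ;
 array_push ( $ltd , '' ) ;
 array_push ( $tr , false ) ;
@@ -694,7 +695,8 @@
 array_push ( $tr , false ) ;
 array_push ( $td , false ) ;
 array_push ( $ltd , '' ) ;
- array_push ( $ltr , $this->fixTagAttributes ( $x ) ) ;
+ $attributes = $this->unstripForHTML( $x );
+ array_push ( $ltr , $this->fixTagAttributes ( $attributes ) ) ;
 }
 else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption
 # $x is a table row
@@ -736,7 +738,10 @@
 }
 if ( count ( $y ) == 1 )
 $y = "{$z}<{$l}>{$y[0]}" ;
- else $y = $y = "{$z}<{$l} ".$this->fixTagAttributes($y[0]).">{$y[1]}" ;
+ else {
+ $attributes = $this->unstripForHTML( $y[0] );
+ $y = "{$z}<{$l} ".$this->fixTagAttributes($attributes).">{$y[1]}" ;
+ }
 $t[$k] .= $y ;
 array_push ( $td , true ) ;
 }
@@ -3260,6 +3265,11 @@
 */
 function attributeStripCallback( &$text, $args ) {
 $text = $this->replaceVariables( $text, $args );
+ $text = $this->unstripForHTML( $text );
+ return $text;
+ }
+
+ function unstripForHTML( $text ) {
 $text = $this->unstrip( $text, $this->mStripState );
 $text = $this->unstripNoWiki( $text, $this->mStripState );
 return $text;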
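Review bot: `unstripForHTML()` is introduced with no doc comment, yet its ordering requirement is the core of the fix: attribute text must have its general and `<nowiki>` strip markers resolved before `fixTagAttributes()` sees it, otherwise the sanitizer inspects a placeholder and the hidden content is substituted back into the attribute after sanitization. A docblock above the new method along the lines of `/** Resolve strip markers in $text so the result can be handed to an HTML attribute sanitizer; callers must sanitize the returned value, never the original. */` would record that, and the three table hunks (@@ -666, @@ -694, @@ -736) that follow the unstrip-then-fix pattern rely on it. In the first hunk, when `getUseTeX()` is false `<math>` is no longer handed to `extractTags()`, so its contents now take whatever path unknown tags take; a comment on the `if` line such as `# With TeX off, leave <math> to the generic tag handling` would make that intent explicit. The closing brace of `unstripForHTML()` lies outside the hunk.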
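--- a/branches/REL1_4/phase3/includes/DefaultSettings.php
+++ b/branches/REL1_4/phase3/includes/DefaultSettings.php
@@ -19,7 +19,7 @@
 * MediaWiki version number
 * @global string $wgVersion
 */
-$wgVersion = '1.4.8';
+$wgVersion = '1.4.9';
 
 /**
 * Name of the site.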
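--- a/branches/REL1_4/phase3/RELEASE-NOTES
+++ b/branches/REL1_4/phase3/RELEASE-NOTES
@@ -3,6 +3,23 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
+== MediaWiki 1.4.9 ==
+
+(released 2005-08-29)
+
+MediaWiki 1.4.9 is a security maintenance release. It corrects two cross-site
+scripting security bugs:
+
+* <math> tags were handled incorrectly when TeX rendering support is off,
+ as in the default configuration.
+* Extension or <nowiki> sections in Wiki table syntax could bypass HTML
+ style attribute restrictions for cross-site scripting attacks against
+ Microsoft Internet Explorer
+
+Wikis where the optional math support has been *enabled* are not vulnerable
+to the first, but are vulnerable to the second.
+
+
 == MediaWiki 1.4.8 ==
 
 (released 2005-08-23)
@@ -741,6 +758,12 @@
 * (bug 3244) Fix remote image loading hack, JavaScript injection on MSIE
 
 
+=== 1.4.9 changes ===
+
+* Security fix for <math>
+* Security fix for tables
+
+
 === Caveats ===
 
 Some output, particularly involving user-supplied inline HTML, may not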