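--- a/branches/REL1_9/phase3/includes/DefaultSettings.php
+++ b/branches/REL1_9/phase3/includes/DefaultSettings.php
@@ -32,7 +32,7 @@
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion = '1.9.4';
+$wgVersion = '1.9.5';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';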
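--- a/branches/REL1_9/phase3/api.php
+++ b/branches/REL1_9/phase3/api.php
@@ -27,6 +27,29 @@
 
 wfProfileIn('api.php');
 
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';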
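Review bot: The added guard validates only the request path (`SCRIPT_URL`, else `PHP_SELF`) against `"$wgScriptPath/api$wgScriptExtension"`, so it covers the PATH_INFO case named in the comment but never looks at the query string. If the content sniffing described in RawPage.php (not visible here) can also be influenced by other parts of the URL, the formats that echo user data still need output-side protection, and the comment should state the limit, e.g. `// NOTE: only the path is checked here; the query string is not validated.` The exact match also returns 403 to any deployment that reaches api.php through an alias or rewrite that differs from `$wgScriptPath`, which is worth a line in the release notes. Two smaller points: the early `return` leaves the `wfProfileIn('api.php')` above it without a matching `wfProfileOut('api.php')`, and `strcmp( ... )` used as a truth value reads more clearly as `if( "$wgScriptPath/api$wgScriptExtension" !== $url )`. The `if (!$wgEnableAPI)` block that follows continues outside the hunk.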
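--- a/branches/REL1_9/phase3/RELEASE-NOTES
+++ b/branches/REL1_9/phase3/RELEASE-NOTES
@@ -3,6 +3,38 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
+== MediaWiki 1.9.5 ==
+
+January 23, 2008
+
+This is a security update to the Winter 2007 quarterly release. A potential
+XSS injection vector affecting api.php only for Microsoft Internet Explorer
+users has been closed.
+
+
+To work around the vulnerability without upgrading, you may disable the
+API if you don't need it:
+
+ $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.12 or later
+* 1.11 >= 1.11.1
+* 1.10 >= 1.10.3
+* 1.9 >= 1.9.5
+* 1.8 any version (if $wgEnableAPI has been left off)
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.1
+* 1.9 <= 1.9.3
+* 1.8 any version (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the API functionality, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
 == MediaWiki 1.9.4 ==
 
 September 10, 2007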