r36279 MediaWiki - Code Review archive

Repository:MediaWiki
Revision: r36278 | r36279 | r36280 >
Date:09:32, 14 June 2008
Author:tstarling
Status:old
Tags:
Comment:
Ran a new vulnerability scanner on the extensions directory. Found the following:

* register_globals XSS vulnerabilities in: Call, ChangeAuthor, EditOwn, SignDocument, TemplateLink, WatchSubpages, WhoIsWatching, php/ext/MediaWiki
* register_globals arbitrary inclusion vulnerabilities in: CategoryIntersection, Makebot, PasswordReset, SemanticCalendar, SemanticForms, SemanticMediaWiki, SocialProfile, SpamRegex, StalePages, TodoTasks, WhiteList, Wikidata, regexBlock
* Plain (non-register_globals) XSS vulnerabilities in: geo, MetavidWiki, wikihiero
* Parser warnings in: SyntaxHighlight_vim, SpamDiffTool, TidyTab

Fixed all. Some fixes are lightly tested.
Modified paths:
  • /trunk/extensions/Call/Call.php (modified) (history)
  • /trunk/extensions/CategoryIntersection/CategoryIntersection.php (modified) (history)
  • /trunk/extensions/ChangeAuthor/ChangeAuthor.body.php (modified) (history)
  • /trunk/extensions/ChangeAuthor/ChangeAuthor.i18n.php (modified) (history)
  • /trunk/extensions/ChangeAuthor/ChangeAuthor.setup.php (modified) (history)
  • /trunk/extensions/EditOwn/EditOwn.php (modified) (history)
  • /trunk/extensions/Makebot/Makebot.class.php (modified) (history)
  • /trunk/extensions/MetavidWiki/skins/mv_embed/cortado_iframe.php (modified) (history)
  • /trunk/extensions/PasswordReset/PasswordReset_Disabledusers.php (modified) (history)
  • /trunk/extensions/SemanticCalendar/includes/SC_Settings.php (modified) (history)
  • /trunk/extensions/SemanticForms/includes/SF_AutocompleteAPI.php (modified) (history)
  • /trunk/extensions/SemanticForms/includes/SF_GlobalFunctions.php (modified) (history)
  • /trunk/extensions/SemanticForms/includes/SF_Settings.php (modified) (history)
  • /trunk/extensions/SemanticForms/specials/SF_CreateProperty.php (modified) (history)
  • /trunk/extensions/SemanticForms/specials/SF_CreateTemplate.php (modified) (history)
  • /trunk/extensions/SemanticForms/specials/SF_EditData.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/SMW_Factbox.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/SMW_QueryProcessor.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/jobs/SMW_DummyJob.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/storage/SMW_Query.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/storage/SMW_SQLStore.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/storage/SMW_SQLStore2.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/storage/SMW_Store.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/includes/storage/SMW_TestStore.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageAr.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageArz.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageDe.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageEn.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageEs.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageFr.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageHe.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageIt.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageKo.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageNl.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguagePl.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageRu.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageSk.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageZh_cn.php (modified) (history)
  • /trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageZh_tw.php (modified) (history)
  • /trunk/extensions/SignDocument/SignDocument.php (modified) (history)
  • /trunk/extensions/SocialProfile/SocialProfile.php (modified) (history)
  • /trunk/extensions/SpamDiffTool/SpamDiffTool.php (modified) (history)
  • /trunk/extensions/SpamRegex/SpamRegex.php (modified) (history)
  • /trunk/extensions/StalePages/StalePages_body.php (modified) (history)
  • /trunk/extensions/SyntaxHighlight_vim/SyntaxHook.php (modified) (history)
  • /trunk/extensions/TemplateLink/TemplateLink.setup.php (modified) (history)
  • /trunk/extensions/TidyTab/Tidy.php (modified) (history)
  • /trunk/extensions/TodoTasks/SpecialTaskList_body.php (modified) (history)
  • /trunk/extensions/WatchSubpages/WatchSubpages.php (modified) (history)
  • /trunk/extensions/WhiteList/SpecialWhitelistEdit_body.php (modified) (history)
  • /trunk/extensions/WhoIsWatching/SpecialWhoIsWatching.php (modified) (history)
  • /trunk/extensions/Wikidata/App.php (modified) (history)
  • /trunk/extensions/geo/geomaker.php (modified) (history)
  • /trunk/extensions/php/ext/MediaWiki/MediaWiki.php (modified) (history)
  • /trunk/extensions/regexBlock/regexBlock.php (modified) (history)
  • /trunk/extensions/wikihiero/index.php (modified) (history)
  • /trunk/extensions/wikihiero/wh_generate.php (modified) (history)
  • /trunk/extensions/wikihiero/wh_table.php (modified) (history)

Diff

Index: trunk/extensions/Wikidata/App.php
@@ -4,6 +4,12 @@
55 # CONFIGURATION VARIABLES TO LocalApp.php AND EDIT THEM
66 # THERE.
77
 8+/**
 9+ * Protect against register_globals vulnerabilities.
 10+ * This line must be present before any global variable is referenced.
 11+ */
 12+if (!defined('MEDIAWIKI')) die();
 13+
814 $wgDefaultGoPrefix='Expression:';
915 $wgHooks['BeforePageDisplay'][]='addWikidataHeader';
1016 $wgHooks['GetEditLinkTrail'][]='addWikidataEditLinkTrail'; #TODO merge with modifyTabs
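Review bot: the docblock on lines 9-10 misdescribes what the guard does, and since the same text is pasted into every other file in this commit it will be copied further. `if (!defined('MEDIAWIKI')) die();` does not touch register_globals; it stops the file from executing when it is requested directly, which is the only situation in which request-supplied globals such as `$IP` reach the interpolation and `require` sites further down. Reword it to "Abort if this file is accessed directly rather than included by MediaWiki" so the next maintainer understands why it must stay the first statement.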
Index: trunk/extensions/php/ext/MediaWiki/MediaWiki.php
@@ -1,4 +1,10 @@
22 <?
 3+
 4+if ( php_sapi_name() != 'cli' ) {
 5+ echo "This script must be run from the command line\n";
 6+ exit( 1 );
 7+}
 8+
39 if(!extension_loaded('MediaWiki')) {
410 dl('MediaWiki.' . PHP_SHLIB_SUFFIX);
511 }
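Review bot: the CLI check on lines 4-7 closes the web-request path to the `dl()` call, but line 2 still opens the file with the short tag `<?`; on a host with `short_open_tag` off the whole file is served as plain text and neither the check nor `dl()` runs as code. Change it to `<?php` while this file is being touched.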
Index: trunk/extensions/CategoryIntersection/CategoryIntersection.php
@@ -20,7 +20,7 @@
2121 if (!defined('MEDIAWIKI')) {
2222 echo <<<EOT
2323 To install my extension, put the following line in LocalSettings.php:
24 -require_once("$IP/extensions/CategoryIntersection/CategoryIntersection.php");
 24+require_once("\$IP/extensions/CategoryIntersection/CategoryIntersection.php");
2525 EOT;
2626 exit(1);
2727 }
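Review bot: correct one-character fix, but it deserves a comment so the backslash is not "tidied" away later: in a heredoc `$IP` is interpolated, and this block only runs when `MEDIAWIKI` is undefined, i.e. on direct web access, where under register_globals `$IP` is whatever the request supplied and was echoed unescaped. `\$IP` prints the literal text the install message intends. The identical fix is repeated in TemplateLink, WatchSubpages, ChangeAuthor, Call, WhoIsWatching, SignDocument and EditOwn below; the install-message boilerplate would be safer as one shared snippet than as a copy per extension.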
Index: trunk/extensions/TemplateLink/TemplateLink.setup.php
@@ -13,7 +13,7 @@
1414 if(!defined('MEDIAWIKI')){
1515 echo <<<EOT
1616 To install my extension, put the following line in LocalSettings.php:
17 -require_once( "$IP/extensions/TemplateLink/TemplateLink.setup.php" );
 17+require_once( "\$IP/extensions/TemplateLink/TemplateLink.setup.php" );
1818 EOT;
1919 exit( 1 );
2020 }
Index: trunk/extensions/SyntaxHighlight_vim/SyntaxHook.php
@@ -28,10 +28,10 @@
2929 private function setHook() {
3030 global $wgParser;
3131
32 - $wgParser->setHook( 'syntax', array( $this, 'syntaxHook' ) );
 32+ $wgParser->setHook( 'syntax', array( $this, 'hook' ) );
3333 }
3434
35 - public function syntaxHook( $in, array $argv ) {
 35+ public function hook( $in, array $argv ) {
3636 $in = ltrim( $in, "\n" );
3737 $syntax = new Syntax( $in );
3838
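Review bot: the rename `syntaxHook` -> `hook` on lines 32 and 35 is a public method rename with no stated reason; the commit message only says "parser warnings" for SyntaxHighlight_vim and does not say why the old name triggered one or how the new name avoids it. Any caller invoking `syntaxHook()` directly breaks. Record the reason in the commit or a comment, or keep `syntaxHook()` as a thin alias forwarding to `hook()`.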
Index: trunk/extensions/wikihiero/wh_generate.php
@@ -32,7 +32,7 @@
3333 $lang = "fr";
3434 }
3535 ?>
36 -<html lang=<?php echo $lang; ?>>
 36+<html lang=<?php echo htmlspecialchars( $lang ); ?>>
3737 <head>
3838 <title>WikiHiero - Table generator</title>
3939 <meta http-equiv="Content-type" content="text/html; charset=UTF-8">
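Review bot: the `lang` attribute on line 36 is still unquoted, so `htmlspecialchars()` alone does not close this: it leaves spaces untouched, and in an unquoted attribute a space ends the value and begins a new attribute. Quote it: `<html lang="<?php echo htmlspecialchars( $lang ); ?>">`. The `$lang = "fr"` fallback on line 33 indicates the value is taken from the request upstream, which is why this is worth finishing.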
Index: trunk/extensions/wikihiero/wh_table.php
@@ -61,9 +61,9 @@
6262 }
6363
6464 ?>
65 -<html lang=<?php echo $lang; ?>>
 65+<html lang=<?php echo htmlspecialchars($lang); ?>>
6666 <head>
67 - <title><?php echo "$table - ".WH_Text($table); ?> - WikiHiero</title>
 67+ <title><?php echo htmlspecialchars($table)." - ".WH_Text($table); ?> - WikiHiero</title>
6868 <meta http-equiv="Content-type" content="text/html; charset=UTF-8">
6969 <link rel="shortcut icon" href="https://www.mediawiki.org/favicon.ico">
7070 </head>
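Review bot: line 65 has the same unquoted `lang` attribute as wh_generate.php; quote the value. On line 67, `$table` is now escaped but `WH_Text($table)` is still echoed raw into `<title>`; that is only safe if `WH_Text()` returns fixed message text for known keys. Its definition is not in this diff, so if it can echo an unknown key back, wrap that call in `htmlspecialchars()` as well.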
@@ -71,7 +71,7 @@
7272
7373 <?php
7474
75 - echo "<b>$table</b> - ".WH_Text($table)."<br /><br />";
 75+ echo "<b>" . htmlspecialchars( $table ) . "</b> - ".WH_Text($table)."<br /><br />";
7676
7777 if($dh = opendir(WH_IMG_DIR)) {
7878 while(($file = readdir($dh)) !== false) {
@@ -79,15 +79,20 @@
8080 {
8181 $code = WH_GetCode($file);
8282 if(in_array($code, $wh_phonemes))
83 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code [".array_search($code, $wh_phonemes)."]\">\n";
 83+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file ) . "\" " .
 84+ "title=\"" . htmlspecialchars( $code ) . " [".
 85+ htmlspecialchars( array_search($code, $wh_phonemes) ) . "]\">\n";
8486 else
85 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code\">\n";
 87+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file ) . "\" title=\"" .
 88+ htmlspecialchars( $code ) . "\">\n";
8689 }
8790 else if($table == "Phoneme")
8891 {
8992 $code = WH_GetCode($file);
9093 if(in_array($code, $wh_phonemes))
91 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code [".array_search($code, $wh_phonemes)."]\">\n";
 94+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file ) . "\" " .
 95+ "title=\"" . htmlspecialchars( $code ) . " [".
 96+ htmlspecialchars( array_search($code, $wh_phonemes) )."]\">\n";
9297 }
9398 else if($table == "Aa")
9499 {
@@ -95,9 +100,12 @@
96101 if((substr($code, 0, 2) == $table) && ctype_digit($code[2]))
97102 {
98103 if(in_array($code, $wh_phonemes))
99 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code [".array_search($code, $wh_phonemes)."]\">\n";
 104+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file) . "\" title=\"" .
 105+ htmlspecialchars( $code ) . " [".
 106+ htmlspecialchars( array_search($code, $wh_phonemes) )."]\">\n";
100107 else
101 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code\">\n";
 108+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file ) . "\" title=\"" .
 109+ htmlspecialchars( $code ) . "\">\n";
102110 }
103111 }
104112 else
@@ -106,9 +114,12 @@
107115 if(($code[0] == $table) && ctype_digit($code[1]))
108116 {
109117 if(in_array($code, $wh_phonemes))
110 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code [".array_search($code, $wh_phonemes)."]\">\n";
 118+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file ) . "\" title=\"" .
 119+ htmlspecialchars( $code ) . "[".
 120+ htmlspecialchars( array_search($code, $wh_phonemes) )."]\">\n";
111121 else
112 - echo "<img src=\"".WH_IMG_DIR."$file\" title=\"$code\">\n";
 122+ echo "<img src=\"".htmlspecialchars( WH_IMG_DIR.$file ). "\" title=\"" .
 123+ htmlspecialchars( $code ) . "\">\n";
113124 }
114125 }
115126 }
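Review bot: line 119 has `"["` where the other three copies (lines 84, 95 and 105) have `" ["`, so this table renders `Code[n]` instead of `Code [n]`; a copy-paste slip from applying the escaping four times. The four near-identical `echo "<img ..."` blocks want a single helper taking `$file` and `$code` that does the `htmlspecialchars()` calls once, so the next fix is applied in one place rather than four.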
Index: trunk/extensions/wikihiero/index.php
@@ -24,9 +24,14 @@
2525 //
2626 //////////////////////////////////////////////////////////////////////////
2727
 28+$IP = getenv( 'MW_INSTALL_PATH' );
 29+if ( $IP === false ) {
 30+ $IP = dirname( __FILE__ ) .'/../..';
 31+}
 32+require( "$IP/includes/WebStart.php" );
 33+
2834 require('wh_language.php');
2935 require('wikihiero.php');
30 -
3136 #
3237 # Initialization from request
3338 #
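Review bot: pulling in `WebStart.php` (lines 28-32) turns this standalone script into one that runs inside MediaWiki's request setup, and the `Xml::encodeJsVar()` call in the next hunk depends on it; a comment stating that dependency would keep someone from removing the require to "simplify" the script. The `dirname( __FILE__ ) . '/../..'` fallback only holds while the extension lives at `extensions/wikihiero/`; elsewhere the `require` on line 32 is a fatal with an unhelpful message, so a `file_exists()` check with a readable error would fail more clearly.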
@@ -91,7 +96,9 @@
9297
9398 function WH_Table( $table ) {
9499 global $lang;
95 - echo "<a href=\"#\" onClick=\"MyWindow=window.open('wh_table.php?table=$table&lang=$lang','$table','toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width=400,height=300,left=20,top=20'); return false;\" title =\"".WH_Text($table)."\">$table</a>";
 100+ $url = "wh_table.php?table=" . urlencode( $table ) . '&lang=' . urlencode( $lang );
 101+ $encUrl = htmlspecialchars( Xml::encodeJsVar( $url ) );
 102+ echo "<a href=\"#\" onClick=\"MyWindow=window.open($encUrl,'$table','toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width=400,height=300,left=20,top=20'); return false;\" title =\"".WH_Text($table)."\">$table</a>";
96103 }
97104
98105 #
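Review bot: line 102 still interpolates `$table` three times without escaping: as the JS window name `'$table'` inside the `onClick` attribute, through `WH_Text($table)` in `title`, and as the link text. Only `$url` received the `urlencode` -> `encodeJsVar` -> `htmlspecialchars` treatment. If the caller always passes `$table` from a fixed list of table names (not visible here) this is fine; if it can originate from the request, the window name needs the same three-step encoding and the other two need `htmlspecialchars()`. A comment saying where `$table` comes from would settle it either way.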
@@ -160,9 +167,9 @@
161168 <option disabled value="2" <?php if($mode==2) echo "selected"; ?> title="<?php echo WH_Text("CSS"); ?>">HTML & CSS
162169 <option disabled value="3" <?php if($mode==3) echo "selected"; ?> title="<?php echo WH_Text("Image"); ?>">Image
163170 </select>
164 - <?php echo WH_Text("Scale"); ?><input type="range" name="scale" <?php if($mode==0) echo "disabled"; ?> title="<?php echo WH_Text("Size"); ?>" min="1" max="999" size="3" maxlength="3" value="<?php echo $scale; ?>">%
 171+ <?php echo WH_Text("Scale"); ?><input type="range" name="scale" <?php if($mode==0) echo "disabled"; ?> title="<?php echo WH_Text("Size"); ?>" min="1" max="999" size="3" maxlength="3" value="<?php echo htmlspecialchars( $scale ); ?>">%
165172 <?php echo WH_Text("Line"); ?><input type="checkbox" name="line" <?php if($line) echo "checked"; ?>>
166 - <input type="hidden" name="lang" value="<?php echo $lang; ?>">
 173+ <input type="hidden" name="lang" value="<?php echo htmlspecialchars( $lang ); ?>">
167174 </form>
168175
169176 </td><td valign="top">
Index: trunk/extensions/StalePages/StalePages_body.php
@@ -12,9 +12,6 @@
1313 * @author Tim Laqua <t.laqua@gmail.com>
1414 */
1515
16 -global $wgHooks, $IP;
17 -require_once "$IP/includes/QueryPage.php";
18 -
1916 class Stalepages extends SpecialPage
2017 {
2118 ///StalePages Class Constructor
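Review bot: removing `require_once "$IP/includes/QueryPage.php"` (lines 16-17) is the right fix for the arbitrary-inclusion finding: when this file is fetched directly, `$IP` is never set by MediaWiki and, under register_globals, is taken from the request, so the include path was request-controlled. The class now relies on MediaWiki's autoloader to provide `QueryPage`, which holds for the core versions that ship an AutoLoader; a one-line comment saying so would stop the include being re-added. The same removal appears in TodoTasks, Makebot, WhiteList, SMW_DummyJob and PasswordReset below.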
Index: trunk/extensions/TodoTasks/SpecialTaskList_body.php
@@ -279,8 +279,6 @@
280280 }
281281
282282
283 -require_once("$IP/includes/SpecialPage.php");
284 -
285283 class TaskList extends SpecialPage
286284 {
287285 function TaskList() {
Index: trunk/extensions/WatchSubpages/WatchSubpages.php
@@ -10,7 +10,7 @@
1111 if (!defined('MEDIAWIKI')) {
1212 echo <<<EOT
1313 To install my extension, put the following line in LocalSettings.php:
14 -require_once( "$IP/extensions/WatchSubpages/WatchSubpages.php" );
 14+require_once( "\$IP/extensions/WatchSubpages/WatchSubpages.php" );
1515 EOT;
1616 exit( 1 );
1717 }
Index: trunk/extensions/ChangeAuthor/ChangeAuthor.setup.php
@@ -18,7 +18,7 @@
1919 if (!defined('MEDIAWIKI')) {
2020 echo <<<EOT
2121 To install the ChangeAuthor extension, put the following line in LocalSettings.php:
22 -require_once( "$IP/extensions/ChangeAuthor/ChangeAuthor.setup.php" );
 22+require_once( "\$IP/extensions/ChangeAuthor/ChangeAuthor.setup.php" );
2323 EOT;
2424 exit(1);
2525 }
Index: trunk/extensions/ChangeAuthor/ChangeAuthor.body.php
@@ -18,7 +18,7 @@
1919 if (!defined('MEDIAWIKI')) {
2020 echo <<<EOT
2121 To install the ChangeAuthor extension, put the following line in LocalSettings.php:
22 -require_once( "$IP/extensions/ChangeAuthor/ChangeAuthor.setup.php" );
 22+require_once( "\$IP/extensions/ChangeAuthor/ChangeAuthor.setup.php" );
2323 EOT;
2424 exit(1);
2525 }
Index: trunk/extensions/ChangeAuthor/ChangeAuthor.i18n.php
@@ -18,7 +18,7 @@
1919 if (!defined('MEDIAWIKI')) {
2020 echo <<<EOT
2121 To install the ChangeAuthor extension, put the following line in LocalSettings.php:
22 -require_once( "$IP/extensions/ChangeAuthor/ChangeAuthor.setup.php" );
 22+require_once( "\$IP/extensions/ChangeAuthor/ChangeAuthor.setup.php" );
2323 EOT;
2424 exit(1);
2525 }
Index: trunk/extensions/Call/Call.php
@@ -8,7 +8,7 @@
99 if (!defined('MEDIAWIKI')) {
1010 echo <<<EOT
1111 To install Call as a special page, put the following line in LocalSettings.php:
12 -require_once( "$IP/extensions/Call/Call.php" );
 12+require_once( "\$IP/extensions/Call/Call.php" );
1313 EOT;
1414 exit( 1 );
1515 }
Index: trunk/extensions/Makebot/Makebot.class.php
@@ -1,9 +1,5 @@
22 <?php
33
4 -global $IP;
5 -require_once( "$IP/includes/LogPage.php" );
6 -require_once( "$IP/includes/SpecialLog.php" );
7 -
84 class MakeBot extends SpecialPage {
95
106 var $target = '';
Index: trunk/extensions/SemanticCalendar/includes/SC_Settings.php
@@ -1,5 +1,11 @@
22 <?php
 3+/**
 4+ * Protect against register_globals vulnerabilities.
 5+ * This line must be present before any global variable is referenced.
 6+ */
 7+if (!defined('MEDIAWIKI')) die();
38
 9+
410 ###
511 # This is the path to your installation of Semantic Calendar as
612 # seen from the web. Change it if required ($wgScriptPath is the
Index: trunk/extensions/PasswordReset/PasswordReset_Disabledusers.php
@@ -12,9 +12,6 @@
1313 * @author Tim Laqua <t.laqua@gmail.com>
1414 */
1515
16 -global $wgHooks, $IP;
17 -require_once "$IP/includes/QueryPage.php";
18 -
1916 class Disabledusers extends SpecialPage {
2017 ///StalePages Class Constructor
2118 public function __construct() {
Index: trunk/extensions/regexBlock/regexBlock.php
@@ -8,8 +8,14 @@
99 * @author Bartek Łapiński
1010 * @copyright Copyright © 2007, Wikia Inc.
1111 * @license http://www.gnu.org/copyleft/gpl.html GNU General Public License 2.0 or later
12 -*/
 12+ */
1313
 14+/**
 15+ * Protect against register_globals vulnerabilities.
 16+ * This line must be present before any global variable is referenced.
 17+ */
 18+if (!defined('MEDIAWIKI')) die();
 19+
1420 /* generic reasons */
1521
1622 global $wgContactLink;
@@ -67,4 +73,4 @@
6874 require_once ($IP.REGEXBLOCK_PATH."extensions/regexBlock/SpecialRegexBlockStats.php");
6975
7076 /* simplified regexes, this is shared with SpamRegex */
71 -require_once ($IP.REGEXBLOCK_PATH."extensions/SimplifiedRegex/SimplifiedRegex.php");
\ No newline at end of file
 77+require_once ($IP.REGEXBLOCK_PATH."extensions/SimplifiedRegex/SimplifiedRegex.php");
Index: trunk/extensions/SemanticMediaWiki/includes/SMW_QueryProcessor.php
@@ -6,6 +6,12 @@
77 * @author Markus Krötzsch
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 global $smwgIP;
1117 require_once($smwgIP . '/includes/storage/SMW_Store.php');
1218
Index: trunk/extensions/SemanticMediaWiki/includes/jobs/SMW_DummyJob.php
@@ -11,10 +11,6 @@
1212 *
1313 * @author Daniel M. Herzig
1414 */
15 -
16 -global $IP;
17 -require_once ($IP."/includes/JobQueue.php");
18 -
1915 class SMW_DummyJob extends Job {
2016
2117 //Constructor
@@ -33,4 +29,4 @@
3430
3531 return true;
3632 }
37 -}
\ No newline at end of file
 33+}
Index: trunk/extensions/SemanticMediaWiki/includes/SMW_Factbox.php
@@ -6,6 +6,12 @@
77 * @author Markus Krötzsch
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 global $smwgIP;
1117 include_once($smwgIP . '/includes/SMW_SemanticData.php');
1218
Index: trunk/extensions/SemanticMediaWiki/includes/storage/SMW_SQLStore2.php
@@ -5,6 +5,12 @@
66 * @author Markus Krötzsch
77 */
88
 9+/**
 10+ * Protect against register_globals vulnerabilities.
 11+ * This line must be present before any global variable is referenced.
 12+ */
 13+if (!defined('MEDIAWIKI')) die();
 14+
915 global $smwgIP;
1016 require_once( "$smwgIP/includes/storage/SMW_Store.php" );
1117 require_once( "$smwgIP/includes/SMW_DataValueFactory.php" );
Index: trunk/extensions/SemanticMediaWiki/includes/storage/SMW_Query.php
@@ -6,6 +6,12 @@
77 * @author Markus Krötzsch
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 global $smwgIP;
1117 require_once($smwgIP . '/includes/storage/SMW_Description.php');
1218
Index: trunk/extensions/SemanticMediaWiki/includes/storage/SMW_SQLStore.php
@@ -5,6 +5,12 @@
66 * @author Markus Krötzsch
77 */
88
 9+/**
 10+ * Protect against register_globals vulnerabilities.
 11+ * This line must be present before any global variable is referenced.
 12+ */
 13+if (!defined('MEDIAWIKI')) die();
 14+
915 global $smwgIP;
1016 require_once( "$smwgIP/includes/storage/SMW_Store.php" );
1117 require_once( "$smwgIP/includes/SMW_DataValueFactory.php" );
Index: trunk/extensions/SemanticMediaWiki/includes/storage/SMW_Store.php
@@ -5,6 +5,12 @@
66 * @author Markus Krötzsch
77 */
88
 9+/**
 10+ * Protect against register_globals vulnerabilities.
 11+ * This line must be present before any global variable is referenced.
 12+ */
 13+if (!defined('MEDIAWIKI')) die();
 14+
915 global $smwgIP;
1016 require_once($smwgIP . '/includes/SMW_SemanticData.php');
1117 require_once($smwgIP . '/includes/storage/SMW_Query.php');
Index: trunk/extensions/SemanticMediaWiki/includes/storage/SMW_TestStore.php
@@ -6,6 +6,12 @@
77 * @author Markus Krötzsch
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 global $smwgIP;
1117 require_once( "$smwgIP/includes/storage/SMW_Store.php" );
1218
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguagePl.php
@@ -22,6 +22,13 @@
2323 * on this site = w tym miejscu
2424 */
2525
 26+/**
 27+ * Protect against register_globals vulnerabilities.
 28+ * This line must be present before any global variable is referenced.
 29+ */
 30+if (!defined('MEDIAWIKI')) die();
 31+
 32+
2633 global $smwgIP;
2734 include_once($smwgIP . '/languages/SMW_Language.php');
2835
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageIt.php
@@ -3,6 +3,12 @@
44 * @author Davide Eynard, David Laniado
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageSk.php
@@ -3,6 +3,12 @@
44 * @author helix84
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageRu.php
@@ -4,6 +4,12 @@
55 * @author cnit@uniyar.ac.ru
66 */
77
 8+/**
 9+ * Protect against register_globals vulnerabilities.
 10+ * This line must be present before any global variable is referenced.
 11+ */
 12+if (!defined('MEDIAWIKI')) die();
 13+
814 global $smwgIP;
915 include_once($smwgIP . '/languages/SMW_Language.php');
1016
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageDe.php
@@ -11,6 +11,11 @@
1212 * "printout statement" --> Ausgabeanweisung
1313 */
1414
 15+/**
 16+ * Protect against register_globals vulnerabilities.
 17+ * This line must be present before any global variable is referenced.
 18+ */
 19+if (!defined('MEDIAWIKI')) die();
1520
1621 global $smwgIP;
1722 include_once($smwgIP . '/languages/SMW_Language.php');
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageZh_tw.php
@@ -3,6 +3,12 @@
44 * @author Markus Krötzsch 翻譯:張致信(Translation: Roc Michael Email:roc.no1@gmail.com) 2007-10-20
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageArz.php
@@ -3,6 +3,12 @@
44 * @author Meno25
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageHe.php
@@ -3,6 +3,12 @@
44 * @author Udi Oron אודי אורון
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageZh_cn.php
@@ -3,6 +3,12 @@
44 * @author Markus Krötzsch 翻译:张致信 本档系以电子字典译自繁体版,请自行修订(Translation: Roc Michael Email:roc.no1@gmail.com. This file is translated from Tradition Chinese by useing electronic dictionary. Please correct the file by yourself.) 2007-10-22
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageAr.php
@@ -4,6 +4,12 @@
55 * @author Meno25
66 */
77
 8+/**
 9+ * Protect against register_globals vulnerabilities.
 10+ * This line must be present before any global variable is referenced.
 11+ */
 12+if (!defined('MEDIAWIKI')) die();
 13+
814 global $smwgIP;
915 include_once($smwgIP . '/languages/SMW_Language.php');
1016
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageEn.php
@@ -3,6 +3,12 @@
44 * @author Markus Krötzsch
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageEs.php
@@ -3,6 +3,12 @@
44 * @author Javier Calzada Prado, Carmen Jorge García-Reyes, Universidad Carlos III de Madrid, Jesús Espino García
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageFr.php
@@ -3,6 +3,12 @@
44 * @author Pierre Matringe
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageNl.php
@@ -3,6 +3,12 @@
44 * @author Siebrand Mazeland
55 */
66
 7+/**
 8+ * Protect against register_globals vulnerabilities.
 9+ * This line must be present before any global variable is referenced.
 10+ */
 11+if (!defined('MEDIAWIKI')) die();
 12+
713 global $smwgIP;
814 include_once($smwgIP . '/languages/SMW_Language.php');
915
Index: trunk/extensions/SemanticMediaWiki/languages/SMW_LanguageKo.php
@@ -6,6 +6,12 @@
77 * @author Terry A. Hurlbut
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 global $smwgIP;
1117 include_once($smwgIP . '/languages/SMW_Language.php');
1218
Index: trunk/extensions/WhoIsWatching/SpecialWhoIsWatching.php
@@ -4,7 +4,7 @@
55 if (!defined('MEDIAWIKI')) {
66 echo <<<EOT
77 To install my extension, put the following line in LocalSettings.php:
8 -require_once( "$IP/extensions/WhoIsWatching/SpecialWhoIsWatching.php" );
 8+require_once( "\$IP/extensions/WhoIsWatching/SpecialWhoIsWatching.php" );
99 EOT;
1010 exit( 1 );
1111 }
Index: trunk/extensions/SocialProfile/SocialProfile.php
@@ -1,4 +1,9 @@
22 <?php
 3+/**
 4+ * Protect against register_globals vulnerabilities.
 5+ * This line must be present before any global variable is referenced.
 6+ */
 7+if (!defined('MEDIAWIKI')) die();
38
49 $dir = dirname(__FILE__) . '/';
510
Index: trunk/extensions/WhiteList/SpecialWhitelistEdit_body.php
@@ -44,8 +44,6 @@
4545 return wfMsg($key);
4646 }
4747
48 -require_once("$IP/includes/SpecialPage.php");
49 -
5048 class WhitelistEdit extends SpecialPage
5149 {
5250 function WhitelistEdit() {
Index: trunk/extensions/MetavidWiki/skins/mv_embed/cortado_iframe.php
@@ -6,13 +6,16 @@
77 */
88 //load the http GETS:
99
 10+// set the parent domain if provided
 11+// needed before error_out can be called
 12+$parent_domain = isset( $_GET['parent_domain'] ) ? wfEscapeJsString( $_GET['parent_domain'] ) : false;
1013
1114 $error='';
1215 if(!function_exists('filter_input')){
1316 error_out('you version of php lacks <b>filter_input()</b> function</br>');
1417 }
1518 //default to null media in not provided:
16 -$media_url = filter_input(INPUT_GET, 'media_url', FILTER_SANITIZE_URL);
 19+$media_url = isset( $_GET['media_url'] ) ? htmlspecialchars( $_GET['media_url'] ) : false;
1720 if( is_null($media_url) || $media_url===false || $media_url==''){
1821 error_out('not valid or missing media url');
1922 }
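Review bot: lines 19 and 32 apply `htmlspecialchars()` at input time, which binds `$media_url` and `$id` to HTML text/attribute context. If either is also emitted in a URL or handed to the applet as a parameter inside `output_page()` (not shown here), the entity-encoded value is wrong in that context; escaping at each output site, per context, is the robust form. Two leftovers: `htmlspecialchars()` never returns null and the `isset()` branch returns `false`, so the `is_null()` half of the check on line 20 is now dead, and the `function_exists('filter_input')` probe on lines 15-17 (with the typo "you version") survives even though these values no longer use `filter_input()`.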
@@ -25,7 +28,7 @@
2629
2730 //id (set to random if none provided)
2831 //$id = (isset($_GET['id']))?$_GET['id']:'vid_'.rand('10000000');
29 -$id= filter_input(INPUT_GET, 'id', FILTER_SANITIZE_STRING);
 32+$id = isset($_GET['id']) ? htmlspecialchars( $_GET['id'] ) : false;
3033 if( is_null($id) || $id===false){
3134 $id = 'vid_'.rand(0,10000000);
3235 }
@@ -48,18 +51,45 @@
4952 if(is_null($height) || $height===false)
5053 $height = 20;
5154 }
52 -//set the parent domain if provided:
53 -$parent_domain = filter_input(INPUT_GET, 'parent_domain', FILTER_SANITIZE_STRING);
5455
5556 //everything good output page:
5657 output_page();
5758
 59+/**
 60+ * JS escape function copied from MediaWiki's Xml::escapeJsString()
 61+ */
 62+function wfEscapeJsString( $string ) {
 63+ // See ECMA 262 section 7.8.4 for string literal format
 64+ $pairs = array(
 65+ "\\" => "\\\\",
 66+ "\"" => "\\\"",
 67+ '\'' => '\\\'',
 68+ "\n" => "\\n",
 69+ "\r" => "\\r",
 70+
 71+ # To avoid closing the element or CDATA section
 72+ "<" => "\\x3c",
 73+ ">" => "\\x3e",
 74+
 75+ # To avoid any complaints about bad entity refs
 76+ "&" => "\\x26",
 77+
 78+ # Work around https://bugzilla.mozilla.org/show_bug.cgi?id=274152
 79+ # Encode certain Unicode formatting chars so affected
 80+ # versions of Gecko don't misinterpret our strings;
 81+ # this is a common problem with Farsi text.
 82+ "\xe2\x80\x8c" => "\\u200c", // ZERO WIDTH NON-JOINER
 83+ "\xe2\x80\x8d" => "\\u200d", // ZERO WIDTH JOINER
 84+ );
 85+ return strtr( $string, $pairs );
 86+}
 87+
5888 function error_out($error=''){
5989 output_page($error);
6090 exit();
6191 }
6292 function output_page($error=''){
63 - global $id, $media_url, $audio, $video, $duration, $width, $height,$parent_domain;
 93+ global $id, $media_url, $audio, $video, $duration, $width, $height, $parent_domain;
6494 ?>
6595 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
6696 <html xmlns="http://www.w3.org/1999/xhtml">
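Review bot: `wfEscapeJsString()` (lines 62-86) carries MediaWiki's `wf` global-function prefix but is defined unconditionally in a standalone iframe script; if this file is ever included from within MediaWiki, or core later adds a function of that name, PHP fails with a redeclare error. Give it an extension-local name such as `mv_escapeJsString()`. Calling it on line 12, above the definition, is fine because PHP hoists unconditional function definitions. Moving the `$parent_domain` assignment to the top (removed lines 52-53) is needed since `error_out()` on line 16 can run before the old assignment was reached.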
@@ -68,7 +98,7 @@
6999 <title>cortado_embed</title>
70100 <?if($parent_domain){?>
71101 <script type="text/javascript">
72 - window.DOMAIN = '<?=$parent_domain?>';
 102+ window.DOMAIN = '<?=$parent_domain; ?>';
73103 </script>
74104 <?}?>
75105 <style type="text/css">
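Review bot: line 102 changes only the terminator, but the reason `'<?=$parent_domain; ?>'` is now safe lives in another hunk: the value was passed through `wfEscapeJsString()` at assignment on line 12, which rewrites `'`, `\`, `<` and `>` so the string literal and the `<script>` element cannot be terminated early. A comment here ("escaped with wfEscapeJsString() at assignment") keeps that invariant visible to whoever edits this template next. The `<?` and `<?=` short tags on lines 100-104 also depend on `short_open_tag`, the same portability concern as elsewhere in this commit.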
Index: trunk/extensions/SpamDiffTool/SpamDiffTool.php
@@ -183,7 +183,7 @@
184184 $ntext = $de->mNewtext;
185185 $ota = explode( "\n", $wgContLang->segmentForDiff( $otext ) );
186186 $nta = explode( "\n", $wgContLang->segmentForDiff( $ntext ) );
187 - $diffs =& new Diff( $ota, $nta );
 187+ $diffs = new Diff( $ota, $nta );
188188
189189 // iterate over the edits and get all of the changed text
190190 foreach ($diffs->edits as $edit) {
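Review bot: dropping the `=&` at line 187 is the right fix and changes no behaviour: PHP 5 objects are passed by handle, so assigning the result of `new` by reference was redundant and is what produces the "Assigning the return value of new by reference is deprecated" warning the commit message lists as a parser warning.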
Index: trunk/extensions/SignDocument/SignDocument.php
@@ -7,7 +7,7 @@
88 if (!defined('MEDIAWIKI')) {
99 echo <<<EOT
1010 To install my extension, put the following line in LocalSettings.php:
11 -require_once( "$IP/extensions/SignDocument/SignDocument.php.php" );
 11+require_once( "\$IP/extensions/SignDocument/SignDocument.php.php" );
1212 EOT;
1313 exit( 1 );
1414 }
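Review bot: escaping `$IP` at line 11 is correct. Inside a heredoc the variable was interpolated, so under register_globals the message echoed whatever `IP` the request supplied, unescaped; the installer hint should show the literal text `$IP`. Separately, the path in that line reads `SignDocument/SignDocument.php.php` while the file being edited is `SignDocument.php`; the doubled extension looks like a typo and should be corrected in the same line.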
Index: trunk/extensions/EditOwn/EditOwn.php
@@ -18,7 +18,7 @@
1919 if (!defined('MEDIAWIKI')) {
2020 echo <<<EOT
2121 To install the EditOwn extension, put the following line in LocalSettings.php:
22 -require_once( "$IP/extensions/EditOwn/EditOwn.php" );
 22+require_once( "\$IP/extensions/EditOwn/EditOwn.php" );
2323 EOT;
2424 exit(1);
2525 }
@@ -71,4 +71,4 @@
7272 return true;
7373 }
7474 return($result = $cache[$user->getName()][$title->getArticleId()] = false);
75 -}
\ No newline at end of file
 75+}
Index: trunk/extensions/geo/geomaker.php
@@ -12,7 +12,6 @@
1313 if ( $image == "" )
1414 {
1515 print "<html><head></head><body><form method=post>" ;
16 - print $_POST["image"] ;
1716 print "Image location (URL) <input type=text name='image'></input>" ;
1817 print "<input type=submit value='OK'/></form></html>" ;
1918 exit ( 0 ) ;
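Review bot: removing the raw `print $_POST["image"]` at old line 16 is the right call, since it reflected request input straight into the page. If the value was meant to be visible (for example to pre-fill the URL field after a failed submission), add it back through `htmlspecialchars()` inside the input's `value` attribute rather than as free-standing markup.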
@@ -71,12 +70,11 @@
7271
7372 $coords = implode ( ";" , $coords ) ;
7473
75 -print "
76 -<a href='" . make_link ( $coords ) . "&'><image src='{$image}' ismap/></a>
77 -" ;
 74+print "\n<a href=\"" . htmlspecialchars( make_link ( $coords ) ) . "&\">" .
 75+ "<img src=\"" . htmlspecialchars( $image ) . "\" ismap/></a>\n";
7876
79 -print "<br /><a href='" .make_link ( $c2 ) . "'>Remove last coordinates</a>" ;
80 -print " | <a href='" . make_link ( array() ) . "'>Reset</a>" ;
 77+print "<br /><a href=\"" .htmlspecialchars( make_link ( $c2 ) ) . "\">Remove last coordinates</a>" ;
 78+print " | <a href=\"" . htmlspecialchars( make_link ( array() ) ) . "\">Reset</a>" ;
8179
8280 # Conversion form
8381
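Review bot: the switch from single- to double-quoted attribute delimiters at lines 74-78 matters and should be kept: `htmlspecialchars()` without `ENT_QUOTES` does not encode `'`, so wrapping the escaped values in double quotes is what makes the escaping sufficient here. Two small points: the `&` appended after `make_link( $coords )` at line 74 yields a bare `&` in an XHTML attribute (use `&amp;`, or drop it if nothing is appended later), and `$image` is still an arbitrary URL placed in `src`; a scheme check (http/https) is cheap and worth adding alongside the escaping.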
@@ -108,19 +106,19 @@
109107 $coords = implode ( " " , $coords ) ;
110108
111109 # For output
112 - $p1 = $_POST['p1'] ;
113 - $p2 = $_POST['p2'] ;
114 - $np1 = $_POST['np1'] ;
115 - $np2 = $_POST['np2'] ;
 110+ $p1 = htmlspecialchars( $_POST['p1'] );
 111+ $p2 = htmlspecialchars( $_POST['p2'] );
 112+ $np1 = htmlspecialchars( $_POST['np1'] );
 113+ $np2 = htmlspecialchars( $_POST['np2'] );
116114 }
117115 else $p1 = $p2 = $np1 = $np2 = "" ;
118116
119117 print "<br />Coordinates so far:<br />\n" ;
120118 print "<form method=post><textarea style='width:100%' rows=5 cols=40 name='ctext'>\n" ;
121 -print str_replace ( ";" , " " , $coords ) ;
 119+print htmlspecialchars( str_replace ( ";" , " " , $coords ) );
122120 print "</textarea>\n" ;
123 -print "Conversion : Point <input type='text' name='p1'/ value='{$p1}'> matches coordinates <input type='text' name='np1' value='{$np1}'/><br />" ;
124 -print "and point <input type='text' name='p2' value='{$p2}'/> matches coordinates <input type='text' name='np2' value='{$np2}'/>" ;
 121+print "Conversion : Point <input type='text' name='p1'/ value=\"{$p1}\"> matches coordinates <input type='text' name='np1' value=\"{$np1}\"/><br />" ;
 122+print "and point <input type='text' name='p2' value=\"{$p2}\"/> matches coordinates <input type='text' name='np2' value=\"{$np2}\"/>" ;
125123 print " <input type='submit' name='convert' value='Convert'/>" ;
126124 print "</form>" ;
127125
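Review bot: lines 110-113 escape the POST values at the point they are read rather than where they are printed. That works only because the block is commented "For output"; if `$p1`..`$np2` are ever reused for the conversion itself, the entity-encoded values would be wrong. Escaping in the `print` statements at lines 121-122 instead keeps the raw values available and makes the output context obvious. Also, the `$_POST['p1']` reads have no `isset()` guard, and line 121 still carries the pre-existing malformed `name='p1'/ value=...` (stray `/` before the attribute), which is worth fixing while the line is being touched.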
Index: trunk/extensions/SpamRegex/SpamRegex.php
@@ -20,10 +20,16 @@
2121 }
2222 }
2323
 24+/**
 25+ * Protect against register_globals vulnerabilities.
 26+ * This line must be present before any global variable is referenced.
 27+ */
 28+if (!defined('MEDIAWIKI')) die();
 29+
2430 $dir = dirname(__FILE__) . '/';
2531 $wgExtensionMessagesFiles['Spamregex'] = $dir . 'SpamRegex.i18n.php';
2632
2733 require_once ($IP.SPAMREGEX_PATH."extensions/SpamRegex/SpecialSpamRegex.php");
2834 //will need more, maybe Core?
2935 require_once ($IP.SPAMREGEX_PATH."extensions/SpamRegex/SpamRegexCore.php");
30 -require_once ($IP.SPAMREGEX_PATH."extensions/SimplifiedRegex/SimplifiedRegex.php");
\ No newline at end of file
 36+require_once ($IP.SPAMREGEX_PATH."extensions/SimplifiedRegex/SimplifiedRegex.php");
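Review bot: the guard added at line 28 sits after the closing braces at lines 21-22, so some code runs before it. The comment says the check must precede any global reference; please confirm nothing above line 24 reads `$IP`, `SPAMREGEX_PATH` or other globals, otherwise move the guard to the very top of the file. The `require_once ($IP.SPAMREGEX_PATH."extensions/...")` lines are the inclusion sink, so the guard's position relative to them is what closes the bug.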
Index: trunk/extensions/TidyTab/Tidy.php
@@ -29,7 +29,7 @@
3030 wfLoadExtensionMessages( 'tidy' );
3131
3232 $wgHooks['SkinTemplateContentActions'][] = array( &$this, 'tidyHook' );
33 - $wgHooks['UnknownAction'][] = array( &$this, 'tidyAction' );
 33+ $wgHooks['UnknownAction'][] = array( &$this, 'action' );
3434 }
3535
3636 public function tidyHook( array &$content_actions ) {
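Review bot: the rename of the UnknownAction callback from `tidyAction` to `action` at line 33 is not explained in the commit message and makes the hook target less descriptive; a one-line reason in the commit (or keeping the descriptive name) would help the next reader. Note also that the callback is registered as `array( &$this, 'action' )` while the method is declared `static` in the hunk below; either registration form works in PHP, but they should agree.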
@@ -65,7 +65,7 @@
6666 );
6767 }
6868
69 - public static function tidyAction( $action, Article &$article ) {
 69+ public static function action( $action, Article &$article ) {
7070 global $wgUseTidy;
7171
7272 if ( $action === 'tidy' || $action === 'untidy' )
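Review bot: the method at line 69 is `public static` but is registered through `array( &$this, ... )` in the constructor hunk above. For a static handler register it as `array( __CLASS__, 'action' )` (or drop `static` if it is meant to be an instance method); mixing the two is confusing and hides which form the hook runner actually invokes.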
Index: trunk/extensions/SemanticForms/includes/SF_Settings.php
@@ -1,4 +1,9 @@
22 <?php
 3+/**
 4+ * Protect against register_globals vulnerabilities.
 5+ * This line must be present before any global variable is referenced.
 6+ */
 7+if (!defined('MEDIAWIKI')) die();
38
49 ###
510 # This is the path to your installation of Semantic Forms as
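Review bot: placing the guard immediately after `<?php` at lines 3-7 is the right position. A style point: `die()` with no message leaves an administrator who opens the file directly with a blank page; the other extensions touched in this commit print a short install hint before exiting, and doing the same here would be consistent.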
Index: trunk/extensions/SemanticForms/includes/SF_GlobalFunctions.php
@@ -7,6 +7,12 @@
88 * @author Louis Gerbarg
99 */
1010
 11+/**
 12+ * Protect against register_globals vulnerabilities.
 13+ * This line must be present before any global variable is referenced.
 14+ */
 15+if ( !defined( 'MEDIAWIKI' ) ) die();
 16+
1117 define('SF_VERSION','1.2.3');
1218
1319 // constants for special properties
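Review bot: the guard at line 15 is spaced as `if ( !defined( 'MEDIAWIKI' ) ) die();` while the same line in the other SemanticForms files in this commit is `if (!defined('MEDIAWIKI')) die();`; pick one form for the whole extension so a grep for the guard finds every copy.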
Index: trunk/extensions/SemanticForms/includes/SF_AutocompleteAPI.php
@@ -6,6 +6,12 @@
77 * @author Yaron Koren
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 require_once ("$IP/includes/api/ApiBase.php");
1117
1218 global $wgAPIModules;
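Review bot: the guard at line 14 now precedes `require_once ("$IP/includes/api/ApiBase.php")` at line 16, which was the inclusion sink: with register_globals on and the file requested directly, `$IP` came from the query string. Ordering is correct; nothing else in the hunk needs to change.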
Index: trunk/extensions/SemanticForms/specials/SF_CreateProperty.php
@@ -6,9 +6,14 @@
77 * @author Yaron Koren
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 include_once $sfgIP . "/includes/SF_TemplateField.inc";
1117
12 -if (!defined('MEDIAWIKI')) die();
1318
1419 global $IP;
1520 require_once( "$IP/includes/SpecialPage.php" );
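Review bot: moving the guard above `include_once $sfgIP . "/includes/SF_TemplateField.inc"` is the substantive fix here, since the old check at removed line 12 ran only after that include had already used `$sfgIP`. Removing the old line leaves two consecutive blank lines at 17-18; drop one.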
Index: trunk/extensions/SemanticForms/specials/SF_CreateTemplate.php
@@ -6,9 +6,14 @@
77 * @author Yaron Koren
88 */
99
 10+/**
 11+ * Protect against register_globals vulnerabilities.
 12+ * This line must be present before any global variable is referenced.
 13+ */
 14+if (!defined('MEDIAWIKI')) die();
 15+
1016 include_once $sfgIP . "/includes/SF_TemplateField.inc";
1117
12 -if (!defined('MEDIAWIKI')) die();
1318
1419 global $IP;
1520 require_once( "$IP/includes/SpecialPage.php" );
Index: trunk/extensions/SemanticForms/specials/SF_EditData.php
@@ -4,10 +4,16 @@
55 *
66 * @author Yaron Koren
77 */
8 -require_once( $sfgIP . "/includes/SF_FormPrinter.inc" );
98
 9+/**
 10+ * Protect against register_globals vulnerabilities.
 11+ * This line must be present before any global variable is referenced.
 12+ */
1013 if (!defined('MEDIAWIKI')) die();
1114
 15+require_once( $sfgIP . "/includes/SF_FormPrinter.inc" );
 16+
 17+
1218 global $IP;
1319 require_once( "$IP/includes/SpecialPage.php" );
1420
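Review bot: moving `require_once( $sfgIP . ... )` below the existing guard at line 13 is the correct ordering, for the same reason as in SF_CreateProperty. Lines 16-17 add two extra blank lines after the include, giving three in a row; keep one.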

Follow-up revisions

Revision: r36280
Commit summary: Backport of security fixes from r36279 to all extension branches, and fixed a...
Author: tstarling
Date: 09:40, 14 June 2008

Status & tagging log