Index: branches/REL1_13/phase3/includes/DefaultSettings.php |
— | — | @@ -1794,6 +1794,8 @@ |
1795 | 1795 | 'application/x-php', 'text/x-php', |
1796 | 1796 | # Other types that may be interpreted by some servers |
1797 | 1797 | 'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh', |
| 1798 | + # Client-side hazards on Internet Explorer |
| 1799 | + 'text/scriptlet', 'application/x-msdownload', |
1798 | 1800 | # Windows metafile, client-side vulnerability on some systems |
1799 | 1801 | 'application/x-msmetafile' |
1800 | 1802 | ); |
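Review bot: the comment on added line 1798, `# Client-side hazards on Internet Explorer`, is less specific than the neighbouring entries and should say what Internet Explorer does with each of the two types added on line 1799, in the style of the existing `# Windows metafile, client-side vulnerability on some systems`, so a later maintainer can judge whether the entry is still needed. It is also worth confirming that this list is consulted only after the type has been derived from the file extension, as the release note in the same commit describes ("use the MIME type detected from the file extension, not from the data"), since a blacklist entry only helps when the type checked against it is the one the client will actually apply.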
Index: branches/REL1_13/phase3/RELEASE-NOTES |
— | — | @@ -5,7 +5,7 @@ |
6 | 6 | |
7 | 7 | == MediaWiki 1.13.3 == |
8 | 8 | |
9 | | -November 18, 2008 |
| 9 | +December 15, 2008 |
10 | 10 | |
11 | 11 | This is a security and bugfix release of the Summer 2008 snapshot release of |
12 | 12 | MediaWiki. |
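Review bot: the release date on line 9 moves from `November 18, 2008` to `December 15, 2008` while the `== MediaWiki 1.13.3 ==` header and the summary sentence stay unchanged; confirm that the entries under `== Changes since 1.13.2 ==` cover everything committed in that interval, since the hunk below rewrites those entries rather than appending to them.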
— | — | @@ -23,15 +23,24 @@ |
24 | 24 | |
25 | 25 | == Changes since 1.13.2 == |
26 | 26 | |
27 | | -* Safer handling of non-MediaWiki exceptions -- now obeys our settings for formatting and path exposure. (Rem1) |
28 | | -* Less verbose errors from profileinfo.php when not configured (Rem8) |
29 | | -* Blacklist redirects via Special:Filepath, hard to use. (Rem7) |
30 | | -* Improved input validation on Special:Import form (Rem10, Rem11) |
31 | | -* Add a .htaccess to deleted images directory for additional protection against exposure of deleted files with known SHA-1 hashes on default installations. (Rem13) |
32 | | -* Improved scripting safety heuristics for IE content-type detection. (Rem14) |
33 | | -* Improved scripting safety heuristics on SVG uploads. (Rem2, Rem3, Rem5, Rem6) |
34 | | -* Improved the security of file streaming (Special:Undelete, img_auth.php and thumb.php): use the extension to determine the type, check it against the blacklist. (Rem12.2) |
35 | | -* Restrict img_auth.php to private wikis only. Require a session token before streaming out Special:Undelete. If uploads are hosted on a different domain, then these changes reduce the chance that an upload containing a script might steal cookies from the wiki. (Rem12.1) |
| 27 | +* Fixed XSS vulnerability in api.php. (Rem1) |
| 28 | +* Avoid fatal error in profileinfo.php when not configured. (Rem8) |
| 29 | +* Fixed CSRF vulnerability in Special:Import. (Rem10, Rem11) |
| 30 | +* Add a .htaccess to deleted images directory for additional protection against |
| 31 | + exposure of deleted files with known SHA-1 hashes on default installations. |
| 32 | + (Rem13) |
| 33 | +* Fixed XSS vulnerability for Internet Explorer clients, via file uploads which |
| 34 | + are interpreted by IE as HTML. (Rem14) |
| 35 | +* Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG |
| 36 | + uploads are enabled. Firefox 1.5+ is affected. (Rem2, Rem3, Rem5, Rem6) |
| 37 | +* Avoid streaming uploaded files to the user via index.php. This allows |
| 38 | + security-conscious users to serve uploaded files via a different domain, and |
| 39 | + thus client-side scripts executed from that domain cannot access the login |
| 40 | + cookies. Affects Special:Undelete, img_auth.php and thumb.php. (Rem12) |
| 41 | +* When streaming files via index.php, use the MIME type detected from the |
| 42 | + file extension, not from the data. This reduces the XSS attack surface. |
| 43 | +* Blacklist redirects via Special:Filepath. Such redirects exacerbate any |
| 44 | + XSS vulnerabilities involving uploads of files containing scripts. (Rem7) |
36 | 45 | |
37 | 46 | == Changes since 1.13.1 == |
38 | 47 | |
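Review bot: the new entry on lines 41-42, `* When streaming files via index.php, use the MIME type detected from the file extension, not from the data.`, is the only one without an issue reference, while the entry it replaces (line 34, old numbering) carried `(Rem12.2)`; suggest restoring `(Rem12.2)` so the fix stays traceable alongside the `(Rem12)` on line 40. Two operator-visible changes from the removed line 35, `Restrict img_auth.php to private wikis only` and `Require a session token before streaming out Special:Undelete`, no longer appear anywhere in the rewritten notes; administrators of public wikis who find img_auth.php refusing requests after upgrading need that sentence, so it should be kept in the `Affects Special:Undelete, img_auth.php and thumb.php` entry. Finally, the `(Rem1)` reference is reused for a different description (`Safer handling of non-MediaWiki exceptions` becomes `Fixed XSS vulnerability in api.php`); if the exception-handling and path-exposure change also shipped in 1.13.3, it now has no entry and should get its own line.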