r44600 MediaWiki - Code Review archive

Repository:MediaWiki
Date:07:20, 15 December 2008
Author:tstarling
Status:deferred
Tags:
Comment:
* Fixed a couple of missing lines in 1.12
* Added missing autoloader entry in 1.13
* Prepared the 1.6 branch for release, with a cut-down version of the security fixes
* Rewrote the RELEASE-NOTES entry for all 3 branches
Modified paths:
  • /branches/REL1_12 (modified) (history)
  • /branches/REL1_12/phase3/RELEASE-NOTES (modified) (history)
  • /branches/REL1_12/phase3/includes/DefaultSettings.php (modified) (history)
  • /branches/REL1_12/phase3/includes/SpecialUndelete.php (modified) (history)
  • /branches/REL1_12/phase3/languages/messages/MessagesEn.php (modified) (history)
  • /branches/REL1_13/phase3/RELEASE-NOTES (modified) (history)
  • /branches/REL1_13/phase3/includes/AutoLoader.php (modified) (history)
  • /branches/REL1_13/phase3/languages/messages/MessagesEn.php (modified) (history)
  • /branches/REL1_6/phase3/RELEASE-NOTES (modified) (history)
  • /branches/REL1_6/phase3/includes/DefaultSettings.php (modified) (history)
  • /branches/REL1_6/phase3/includes/SpecialImport.php (modified) (history)
  • /branches/REL1_6/phase3/includes/SpecialUpload.php (modified) (history)
  • /branches/REL1_6/phase3/languages/Messages.php (modified) (history)


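--- a/branches/REL1_6/phase3/includes/SpecialImport.php
+++ b/branches/REL1_6/phase3/includes/SpecialImport.php
@@ -38,20 +38,26 @@
 ###
 
 if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit') {
-switch( $wgRequest->getVal( "source" ) ) {
-case "upload":
+$sourceName = $wgRequest->getVal( "source" );
+if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'editToken' ) ) ) {
+$source = new WikiErrorMsg( 'import-token-mismatch' );
+} elseif ( $sourceName == 'upload' ) {
 if( $wgUser->isAllowed( 'importupload' ) ) {
 $source = ImportStreamSource::newFromUpload( "xmlimport" );
 } else {
 return $wgOut->permissionRequired( 'importupload' );
 }
-break;
-case "interwiki":
-$source = ImportStreamSource::newFromInterwiki(
-$wgRequest->getVal( "interwiki" ),
-$wgRequest->getText( "frompage" ) );
-break;
-default:
+} elseif ( $sourceName == "interwiki" ) {
+$interwiki = $wgRequest->getVal( 'interwiki' );
+if ( !in_array( $interwiki, $wgImportSources ) ) {
+$source = new WikiErrorMsg( "import-invalid-interwiki" );
+} else {
+$frompage = $wgRequest->getText( "frompage" );
+$source = ImportStreamSource::newFromInterwiki(
+$interwiki,
+$frompage );
+}
+} else {
 $source = new WikiError( "Unknown import source type" );
 }
 
@@ -82,7 +88,9 @@
 <input type='hidden' name='source' value='upload' />
 <input type='hidden' name='MAX_FILE_SIZE' value='2000000' />
 <input type='file' name='xmlimport' value='' size='30' />
-<input type='submit' value='" . wfMsgHtml( "uploadbtn" ) . "'/>
+<input type='hidden' name='editToken' value=\"" .
+htmlspecialchars( $wgUser->editToken() ) . "\"/>
+<input type='submit' value=\"" . wfMsgHtml( "uploadbtn" ) . "\"/>
 </form>
 </fieldset>
 " );
@@ -99,6 +107,7 @@
 <form method='post' action=\"$action\">
 <input type='hidden' name='action' value='submit' />
 <input type='hidden' name='source' value='interwiki' />
+<input type='hidden' name='editToken' value=\"" . htmlspecialchars( $wgUser->editToken() ) . "\"/>
 <select name='interwiki'>
 " );
 foreach( $wgImportSources as $interwiki ) {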
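Review bot: The interwiki whitelist check in the first hunk, `if ( !in_array( $interwiki, $wgImportSources ) ) {`, uses loose comparison, so the request value is matched against the configured source names under PHP's `==` rules (numeric-looking strings compare as numbers); pass the strict flag, `if ( !in_array( $interwiki, $wgImportSources, true ) ) {`. The same hunk reads `$wgImportSources` inside the request handler, but the function's `global` declaration is outside the hunk, so whether that variable is already imported there cannot be confirmed from the diff and is worth checking. Because the token comparison now runs before any source-specific branch, a POST with an unknown `source` and no token reports `import-token-mismatch` rather than the generic error; a one-line comment such as `# Token check first: every POST path below depends on it` would make that ordering deliberate. The enclosing function starts and ends outside the hunk.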
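--- a/branches/REL1_6/phase3/includes/SpecialUpload.php
+++ b/branches/REL1_6/phase3/includes/SpecialUpload.php
@@ -847,6 +847,7 @@
 }
 
 $chunk= strtolower( $chunk );
+$originalChunk = $chunk;
 
 if (!$chunk) return false;
 
@@ -855,8 +856,9 @@
 elseif (substr($chunk,0,2)=="\xff\xfe") $enc= "UTF-16LE";
 else $enc= NULL;
 
-if ($enc) $chunk= iconv($enc,"ASCII//IGNORE",$chunk);
+if ($enc) $chunk = iconv($enc,"ASCII//IGNORE",$chunk);
 
+
 $chunk= trim($chunk);
 
 #FIXME: convert from UTF-16 if necessarry!
@@ -890,13 +892,19 @@
 '<pre',
 '<script', #also in safari
 '<table',
-'<title' #also in safari
+'<title', #also in safari
+'<a href',
+'<plaintext',
+'<scriptlet',
 );
 
 foreach( $tags as $tag ) {
 if( false !== strpos( $chunk, $tag ) ) {
 return true;
 }
+if( false !== strpos( $originalChunk, $tag ) ) {
+return true;
+}
 }
 
 /*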
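Review bot: The second check added inside the tag loop in the third hunk duplicates the existing early return and can be folded into it, `if( false !== strpos( $chunk, $tag ) || false !== strpos( $originalChunk, $tag ) ) {`, leaving one `return true;` per iteration. `$originalChunk` in the first hunk is captured after `strtolower()` but before the `iconv()` transcoding and `trim()` in the second hunk, so the name overstates what it holds; a comment at the assignment, `# lowercased bytes before any UTF-16 transcoding, so the tag scan also sees the untranscoded form`, or a rename to `$untranscodedChunk`, would make the intent clear to the next reader. When `$enc` is null the two strings are identical and the second `strpos()` is redundant, which is harmless but worth the comment. The second hunk also adds a stray blank line after the `iconv()` call. The enclosing function starts and ends outside these hunks.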
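--- a/branches/REL1_6/phase3/includes/DefaultSettings.php
+++ b/branches/REL1_6/phase3/includes/DefaultSettings.php
@@ -32,7 +32,7 @@
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion = '1.6.10';
+$wgVersion = '1.6.11';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
@@ -1195,7 +1195,7 @@
 /** Files with these extensions will never be allowed as uploads. */
 $wgFileBlacklist = array(
 # HTML may contain cookie-stealing JavaScript and web bugs
-'html', 'htm', 'js', 'jsb',
+'html', 'htm', 'js', 'jsb', 'svg',
 # PHP scripts may execute arbitrary code on the server
 'php', 'phtml', 'php3', 'php4', 'phps',
 # Other types that may be interpreted by some servers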
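Review bot: The `'svg'` entry added to `$wgFileBlacklist` in the second hunk sits under the comment `# HTML may contain cookie-stealing JavaScript and web bugs`, which no longer explains the whole line, so a reader may take it for a leftover; add a line comment before it, `# SVG may contain scripts; SVG uploads are disabled on this branch (see RELEASE-NOTES 1.6.11)`. The blacklist only governs the extension check, and whether `$wgFileExtensions` on this branch still lists `svg` is outside the hunk; the two settings should be reconciled so they do not contradict each other in the shipped defaults.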
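--- a/branches/REL1_6/phase3/RELEASE-NOTES
+++ b/branches/REL1_6/phase3/RELEASE-NOTES
@@ -1,8 +1,44 @@
 = MediaWiki release notes =
 
-Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+For upgrade instructions please see the UPGRADE file in this directory.
 
+== MediaWiki 1.6.11 ==
+
+December 15, 2008
+
+This is a security update to the Spring 2006 quarterly release.
+
+David Remahl of Apple's Product Security team has identified a number of
+security issues in previous releases of MediaWiki. Subsequent analysis by the
+MediaWiki development team expanded the scope of these vulnerabilities. The
+issues with a significant impact are as follows:
+
+* An XSS vulnerability affecting Internet Explorer clients for all MediaWiki
+ installations with uploads enabled. [CVE-2008-5250]
+* An XSS vulnerability affecting clients with SVG scripting capability (such as
+ Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled.
+ [CVE-2008-5250]
+* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
+ installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
+
+XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
+authorised user's login session, and to act as that user on the wiki. The
+authorised user must visit a web page controlled by the attacker in order to
+activate the attack. Intranet wikis are vulnerable if the attacker can
+determine the intranet URL, even if the attacker cannot access it.
+
+CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
+but unlike an XSS vulnerability, the attacker can only act as the user in a
+specific and restricted way. The present CSRF vulnerability allows pages to be
+edited, with forged revision histories. Like an XSS vulnerability, the
+authorised user must visit the malicious web page to activate the attack.
+
+Rather than backport our SVG validation code to this ancient branch, we have
+instead disabled SVG uploads. To enable SVG uploads, please upgrade to MediaWiki
+1.13.3 or later.
+
+The other two issues have been fixed.
+
 == MediaWiki 1.6.10 ==
 
 February 20, 2007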
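--- a/branches/REL1_6/phase3/languages/Messages.php
+++ b/branches/REL1_6/phase3/languages/Messages.php
@@ -1452,6 +1452,8 @@
 'importnosources' => 'No transwiki import sources have been defined and direct history uploads are disabled.',
 'importnofile' => 'No import file was uploaded.',
 'importuploaderror' => 'Upload of import file failed; perhaps the file is bigger than the allowed upload size.',
+'import-token-mismatch' => 'Loss of session data. Please try again.',
+'import-invalid-interwiki' => 'Cannot import from the specified wiki.',
 
 # Keyboard access keys for power users
 'accesskey-search' => 'f',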
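--- a/branches/REL1_12/phase3/includes/SpecialUndelete.php
+++ b/branches/REL1_12/phase3/includes/SpecialUndelete.php
@@ -583,7 +583,7 @@
 }
 
 function execute() {
-global $wgOut;
+global $wgOut, $wgUser;
 if ( $this->mAllowed ) {
 $wgOut->setPagetitle( wfMsg( "undeletepage" ) );
 } else {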
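--- a/branches/REL1_12/phase3/includes/DefaultSettings.php
+++ b/branches/REL1_12/phase3/includes/DefaultSettings.php
@@ -31,7 +31,7 @@
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion = '1.12.1';
+$wgVersion = '1.12.2';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';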
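--- a/branches/REL1_12/phase3/languages/messages/MessagesEn.php
+++ b/branches/REL1_12/phase3/languages/messages/MessagesEn.php
@@ -1427,6 +1427,7 @@
 Please rename the file and try uploading it again.',
 'badfilename' => 'File name has been changed to "$1".',
 'filetype-badmime' => 'Files of the MIME type "$1" are not allowed to be uploaded.',
+'filetype-bad-ie-mime' => 'Cannot upload this file because Internet Explorer would detect it as "$1", which is a disallowed and potentially dangerous file type.',
 'filetype-unwanted-type' => "'''\".\$1\"''' is an unwanted file type. Preferred file types are \$2.",
 'filetype-banned-type' => "'''\".\$1\"''' is not a permitted file type. Permitted file types are \$2.",
 'filetype-missing' => 'The file has no extension (like ".jpg").',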
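--- a/branches/REL1_12/phase3/RELEASE-NOTES
+++ b/branches/REL1_12/phase3/RELEASE-NOTES
@@ -1,14 +1,12 @@
 = MediaWiki release notes =
 
-Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+For upgrade instructions please see the UPGRADE file in this directory.
 
 == MediaWiki 1.12.2 ==
 
 December 15, 2008
 
-This is a security and bugfix release of the quarterly branch of MediaWiki
-for Winter 2008.
+This is a security release of the quarterly branch of MediaWiki for Winter 2008.
 
 MediaWiki is now using a "continuous integration" development model with
 quarterly snapshot releases. The latest development code is always kept
@@ -23,27 +21,57 @@
 
 == Changes since 1.12.1 ==
 
-* Fixed output escaping for reporting of non-MediaWiki exceptions. Potential
- XSS if an extension throws one of these with user input.
-* Avoid fatal error in profileinfo.php when not configured. (Rem8)
-* Fixed CSRF vulnerability in Special:Import. Fixed input validation in
- transwiki import feature. (Rem10, Rem11)
+David Remahl of Apple's Product Security team has identified a number of
+security issues in previous releases of MediaWiki. Subsequent analysis by the
+MediaWiki development team expanded the scope of these vulnerabilities. The
+issues with a significant impact are as follows:
+
+* A local script injection vulnerability affecting Internet Explorer clients for
+ all MediaWiki installations with uploads enabled. [CVE-2008-5250]
+* A local script injection vulnerability affecting clients with SVG scripting
+ capability (such as Firefox 1.5+), for all MediaWiki installations with SVG
+ uploads enabled. [CVE-2008-5250]
+* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
+ installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
+
+A local script injection vulnerability allows an attacker with a wiki account
+to steal another user's login session, and to act as that user on the wiki. The
+attacker uploads a malicious script file, and tricks the victim into executing
+it.
+
+CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
+but unlike an XSS vulnerability, the attacker can only act as the user in a
+specific and restricted way. The present CSRF vulnerability allows pages to be
+edited, with forged revision histories. Like an XSS vulnerability, the
+authorised user must visit the malicious web page to activate the attack.
+
+These three vulnerabilities are all fixed in this release.
+
+David Remahl also reminded us of some security-related configuration issues:
+
+* By default, MediaWiki stores a backup of deleted images in the images/deleted
+ directory. If you do not want these images to be publically accessible, make
+ sure this directory is not accessible from the web. MediaWiki takes some steps
+ to avoid leaking these images, but these measures are not perfect.
+* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal
+ errors. This is the default on most shared web hosts.
+* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may
+ lead to path disclosure.
+
+Other changes in this release:
+
+* Avoid fatal error in profileinfo.php when not configured.
 * Add a .htaccess to deleted images directory for additional protection against
 exposure of deleted files with known SHA-1 hashes on default installations.
- (Rem13)
-* Fixed XSS vulnerability for Internet Explorer clients, via file uploads which
- are interpreted by IE as HTML. (Rem14)
-* Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
- uploads are enabled. Firefox 1.5+ is affected. (Rem2, Rem3, Rem5, Rem6)
 * Avoid streaming uploaded files to the user via index.php. This allows
 security-conscious users to serve uploaded files via a different domain, and
 thus client-side scripts executed from that domain cannot access the login
- cookies. Affects Special:Undelete, img_auth.php and thumb.php. (Rem12)
+ cookies. Affects Special:Undelete, img_auth.php and thumb.php.
 * When streaming files via index.php, use the MIME type detected from the
 file extension, not from the data. This reduces the XSS attack surface.
 * Blacklist redirects via Special:Filepath. Such redirects exacerbate any
- XSS vulnerabilities involving uploads of files containing scripts. (Rem7)
-* Internationalisation updates
+ XSS vulnerabilities involving uploads of files containing scripts.
+* Internationalisation updates.
 
 === Changes since 1.12.0 ===
 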
Property changes on: branches/REL1_12
___________________________________________________________________
Added: svn:mergeinfo
5179 Merged /branches/REL1_12:r44570
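--- a/branches/REL1_13/phase3/includes/AutoLoader.php
+++ b/branches/REL1_13/phase3/includes/AutoLoader.php
@@ -91,6 +91,7 @@
 'HTMLFileCache' => 'includes/HTMLFileCache.php',
 'Http' => 'includes/HttpFunctions.php',
 '_HWLDF_WordAccumulator' => 'includes/DifferenceEngine.php',
+'IEContentAnalyzer' => 'includes/IEContentAnalyzer.php',
 'ImageGallery' => 'includes/ImageGallery.php',
 'ImageHistoryList' => 'includes/ImagePage.php',
 'ImagePage' => 'includes/ImagePage.php',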
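--- a/branches/REL1_13/phase3/languages/messages/MessagesEn.php
+++ b/branches/REL1_13/phase3/languages/messages/MessagesEn.php
@@ -1647,6 +1647,7 @@
 Please rename the file and try uploading it again.',
 'badfilename' => 'File name has been changed to "$1".',
 'filetype-badmime' => 'Files of the MIME type "$1" are not allowed to be uploaded.',
+'filetype-bad-ie-mime' => 'Cannot upload this file because Internet Explorer would detect it as "$1", which is a disallowed and potentially dangerous file type.',
 'filetype-unwanted-type' => "'''\".\$1\"''' is an unwanted file type.
 Preferred {{PLURAL:\$3|file type is|file types are}} \$2.",
 'filetype-banned-type' => "'''\".\$1\"''' is not a permitted file type.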
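--- a/branches/REL1_13/phase3/RELEASE-NOTES
+++ b/branches/REL1_13/phase3/RELEASE-NOTES
@@ -1,14 +1,12 @@
 = MediaWiki release notes =
 
-Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+For upgrade instructions please see the UPGRADE file in this directory.
 
 == MediaWiki 1.13.3 ==
 
 December 15, 2008
 
-This is a security and bugfix release of the Summer 2008 snapshot release of
-MediaWiki.
+This is a security release of the Summer 2008 snapshot release of MediaWiki.
 
 MediaWiki is now using a "continuous integration" development model with
 quarterly snapshot releases. The latest development code is always kept
@@ -23,24 +21,66 @@
 
 == Changes since 1.13.2 ==
 
-* Fixed XSS vulnerability in api.php. (Rem1)
-* Avoid fatal error in profileinfo.php when not configured. (Rem8)
-* Fixed CSRF vulnerability in Special:Import. (Rem10, Rem11)
+David Remahl of Apple's Product Security team has identified a number of
+security issues in previous releases of MediaWiki. Subsequent analysis by the
+MediaWiki development team expanded the scope of these vulnerabilities. The
+issues with a significant impact are as follows:
+
+* An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and
+ 1.13.2. [CVE-2008-5249]
+* A local script injection vulnerability affecting Internet Explorer clients for
+ all MediaWiki installations with uploads enabled. [CVE-2008-5250]
+* A local script injection vulnerability affecting clients with SVG scripting
+ capability (such as Firefox 1.5+), for all MediaWiki installations with SVG
+ uploads enabled. [CVE-2008-5250]
+* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
+ installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
+
+XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
+authorised user's login session, and to act as that user on the wiki. The
+authorised user must visit a web page controlled by the attacker in order to
+activate the attack. Intranet wikis are vulnerable if the attacker can
+determine the intranet URL.
+
+A local script injection vulnerability is like an XSS vulnerability, except
+that the attacker must have an account on the local wiki, and there is no
+external site involved. The attacker uploads a script to the wiki, which another
+user is tricked into executing, with the effect that the attacker
+is able to act as the privileged user.
+
+CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
+but unlike an XSS vulnerability, the attacker can only act as the user in a
+specific and restricted way. The present CSRF vulnerability allows pages to be
+edited, with forged revision histories. Like an XSS vulnerability, the
+authorised user must visit the malicious web page to activate the attack.
+
+These four vulnerabilities are all fixed in this release.
+
+David Remahl also reminded us of some security-related configuration issues:
+
+* By default, MediaWiki stores a backup of deleted images in the images/deleted
+ directory. If you do not want these images to be publically accessible, make
+ sure this directory is not accessible from the web. MediaWiki takes some steps
+ to avoid leaking these images, but these measures are not perfect.
+* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal
+ errors. This is the default on most shared web hosts.
+* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may
+ lead to path disclosure.
+
+Other changes in this release:
+
+* Avoid fatal error in profileinfo.php when not configured.
 * Add a .htaccess to deleted images directory for additional protection against
 exposure of deleted files with known SHA-1 hashes on default installations.
- (Rem13)
-* Fixed XSS vulnerability for Internet Explorer clients, via file uploads which
- are interpreted by IE as HTML. (Rem14)
-* Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
- uploads are enabled. Firefox 1.5+ is affected. (Rem2, Rem3, Rem5, Rem6)
 * Avoid streaming uploaded files to the user via index.php. This allows
 security-conscious users to serve uploaded files via a different domain, and
 thus client-side scripts executed from that domain cannot access the login
- cookies. Affects Special:Undelete, img_auth.php and thumb.php. (Rem12)
+ cookies. Affects Special:Undelete, img_auth.php and thumb.php.
 * When streaming files via index.php, use the MIME type detected from the
 file extension, not from the data. This reduces the XSS attack surface.
 * Blacklist redirects via Special:Filepath. Such redirects exacerbate any
- XSS vulnerabilities involving uploads of files containing scripts. (Rem7)
+ XSS vulnerabilities involving uploads of files containing scripts.
+* Internationalisation updates.
 
 == Changes since 1.13.1 ==
 
@@ -52,7 +92,7 @@
 * Localisation updates
 * Security: Fixed XSS vulnerability in useskin parameter.
 
-== Changes since 1.13.0
+== Changes since 1.13.0 ==
 
 * (bug 15460) Fixed intermittent deadlock errors and poor concurrent
 performance for installations without memcached.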

Follow-up revisions

RevisionCommit summaryAuthorDate
r44603Update messages.inc for r44599 and r44600siebrand08:37, 15 December 2008
