| Index: branches/REL1_16/phase3/includes/Sanitizer.php |
| — | — | @@ -644,10 +644,6 @@ |
| 645 | 645 | # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp |
| 646 | 646 | if( $attribute == 'style' ) { |
| 647 | 647 | $value = Sanitizer::checkCss( $value ); |
| 648 | | - if( $value === false ) { |
| 649 | | - # haxx0r |
| 650 | | - continue; |
| 651 | | - } |
| 652 | 648 | } |
| 653 | 649 | |
| 654 | 650 | if ( $attribute === 'id' ) { |
| — | — | @@ -744,10 +740,8 @@ |
| 745 | 741 | $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); |
| 746 | 742 | |
| 747 | 743 | // Decode escape sequences and line continuation |
| 748 | | - // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately. |
| 749 | | - // IE 8 doesn't implement it at all, but there's no way to introduce url() into |
| 750 | | - // IE that doesn't hit Mozilla also. |
| 751 | | - static $decodeRegex; |
| | 744 | + // See the grammar in the CSS 2 spec, appendix D. |
| | 745 | + static $decodeRegex, $reencodeTable; |
| 752 | 746 | if ( !$decodeRegex ) { |
| 753 | 747 | $space = '[\\x20\\t\\r\\n\\f]'; |
| 754 | 748 | $nl = '(?:\\n|\\r\\n|\\r|\\f)'; |
| — | — | @@ -756,30 +750,41 @@ |
| 757 | 751 | (?: |
| 758 | 752 | ($nl) | # 1. Line continuation |
| 759 | 753 | ([0-9A-Fa-f]{1,6})$space? | # 2. character number |
| 760 | | - (.) # 3. backslash cancelling special meaning |
| | 754 | + (.) | # 3. backslash cancelling special meaning |
| | 755 | + () | # 4. backslash at end of string |
| 761 | 756 | )/xu"; |
| 762 | 757 | } |
| 763 | | - $decoded = preg_replace_callback( $decodeRegex, |
| | 758 | + $value = preg_replace_callback( $decodeRegex, |
| 764 | 759 | array( __CLASS__, 'cssDecodeCallback' ), $value ); |
| 765 | | - if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) { |
| 766 | | - // Not allowed |
| 767 | | - return false; |
| 768 | | - } else { |
| 769 | | - // Allowed, return CSS with comments stripped |
| 770 | | - return $value; |
| | 760 | + |
| | 761 | + // Reject problematic keywords and control characters |
| | 762 | + if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { |
| | 763 | + return '/* invalid control char */'; |
| | 764 | + } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) { |
| | 765 | + return '/* insecure input */'; |
| 771 | 766 | } |
| | 767 | + return $value; |
| 772 | 768 | } |
| 773 | 769 | |
| 774 | 770 | static function cssDecodeCallback( $matches ) { |
| 775 | 771 | if ( $matches[1] !== '' ) { |
| | 772 | + // Line continuation |
| 776 | 773 | return ''; |
| 777 | 774 | } elseif ( $matches[2] !== '' ) { |
| 778 | | - return codepointToUtf8( hexdec( $matches[2] ) ); |
| | 775 | + $char = codepointToUtf8( hexdec( $matches[2] ) ); |
| 779 | 776 | } elseif ( $matches[3] !== '' ) { |
| 780 | | - return $matches[3]; |
| | 777 | + $char = $matches[3]; |
| 781 | 778 | } else { |
| 782 | | - throw new MWException( __METHOD__.': invalid match' ); |
| | 779 | + $char = '\\'; |
| 783 | 780 | } |
| | 781 | + if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) { |
| | 782 | + // These characters need to be escaped in strings |
| | 783 | + // Clean up the escape sequence to avoid parsing errors by clients |
| | 784 | + return '\\' . dechex( ord( $char ) ) . ' '; |
| | 785 | + } else { |
| | 786 | + // Decode unnecessary escape |
| | 787 | + return $char; |
| | 788 | + } |
| 784 | 789 | } |
| 785 | 790 | |
| 786 | 791 | /** |
| Property changes on: branches/REL1_16/phase3/includes/Sanitizer.php |
| ___________________________________________________________________ |
| Name: svn:mergeinfo |
| 787 | 792 | + /branches/REL1_15/phase3/includes/Sanitizer.php:51646 |
| /branches/sqlite/includes/Sanitizer.php:58211-58321 |
| /branches/wmf-deployment/includes/Sanitizer.php:53381 |
| /trunk/phase3/includes/Sanitizer.php:63549,63764,63897-63901,64876,64881,64948,66990 |
| Index: branches/REL1_16/phase3/includes/DefaultSettings.php |
| — | — | @@ -33,7 +33,7 @@ |
| 34 | 34 | } |
| 35 | 35 | |
| 36 | 36 | /** MediaWiki version number */ |
| 37 | | -$wgVersion = '1.16.0beta2'; |
| | 37 | +$wgVersion = '1.16.0beta3'; |
| 38 | 38 | |
| 39 | 39 | /** Name of the site. It must be changed in LocalSettings.php */ |
| 40 | 40 | $wgSitename = 'MediaWiki'; |
| Index: branches/REL1_16/phase3/RELEASE-NOTES |
| — | — | @@ -2,6 +2,8 @@ |
| 3 | 3 | |
| 4 | 4 | == MediaWiki 1.16 beta 3 == |
| 5 | 5 | |
| | 6 | +2010-05-28 |
| | 7 | + |
| 6 | 8 | This is a pre-release beta of the MediaWiki 1.16 branch. |
| 7 | 9 | |
| 8 | 10 | === Summary of selected changes in 1.16 === |
| — | — | @@ -40,9 +42,6 @@ |
| 41 | 43 | you have the DBA extension for PHP installed, this will improve performance |
| 42 | 44 | further. |
| 43 | 45 | |
| 44 | | -* (bug 23371) Fixed holes in Special:Userlogin which could lead to abuse of |
| 45 | | -the system, and disclosure of information from private wikis. |
| 46 | | - |
| 47 | 46 | == Changes since 1.16 beta 2 == |
| 48 | 47 | |
| 49 | 48 | * Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of |
| — | — | @@ -72,6 +71,10 @@ |
| 73 | 72 | * Fixed a bug in uploads for non-JavaScript clients. An empty string was used |
| 74 | 73 | as the default destination filename, instead of the source filename as |
| 75 | 74 | expected. |
| | 75 | +* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create |
| | 76 | + account" and "create by e-mail" features of [[Special:Userlogin]] |
| | 77 | +* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS |
| | 78 | + validation issue. |
| 76 | 79 | |
| 77 | 80 | === Changes since 1.16 beta 1 === |
| 78 | 81 | |