r79562 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r79562 (previous: r79561, next: r79563)
Date: 06:15, 4 January 2011
Author: tstarling
Status: ok
Tags:
Comment:
MFT r79561, bug 26561: fix clickjacking vulnerabilities.
Modified paths:
  • /branches/REL1_16/phase3 (modified) (history)
  • /branches/REL1_16/phase3/CREDITS (modified) (history)
  • /branches/REL1_16/phase3/RELEASE-NOTES (modified) (history)
  • /branches/REL1_16/phase3/config/Installer.php (modified) (history)
  • /branches/REL1_16/phase3/includes (modified) (history)
  • /branches/REL1_16/phase3/includes/Article.php (modified) (history)
  • /branches/REL1_16/phase3/includes/ChangesList.php (modified) (history)
  • /branches/REL1_16/phase3/includes/ConfEditor.php (modified) (history)
  • /branches/REL1_16/phase3/includes/DefaultSettings.php (modified) (history)
  • /branches/REL1_16/phase3/includes/HTMLForm.php (modified) (history)
  • /branches/REL1_16/phase3/includes/HistoryPage.php (modified) (history)
  • /branches/REL1_16/phase3/includes/ImagePage.php (modified) (history)
  • /branches/REL1_16/phase3/includes/LocalisationCache.php (modified) (history)
  • /branches/REL1_16/phase3/includes/OutputHandler.php (modified) (history)
  • /branches/REL1_16/phase3/includes/OutputPage.php (modified) (history)
  • /branches/REL1_16/phase3/includes/Sanitizer.php (modified) (history)
  • /branches/REL1_16/phase3/includes/Skin.php (modified) (history)
  • /branches/REL1_16/phase3/includes/UserMailer.php (modified) (history)
  • /branches/REL1_16/phase3/includes/WebRequest.php (modified) (history)
  • /branches/REL1_16/phase3/includes/api (modified) (history)
  • /branches/REL1_16/phase3/includes/api/ApiBase.php (modified) (history)
  • /branches/REL1_16/phase3/includes/api/ApiQueryAllUsers.php (modified) (history)
  • /branches/REL1_16/phase3/includes/diff (modified) (history)
  • /branches/REL1_16/phase3/includes/diff/DifferenceInterface.php (modified) (history)
  • /branches/REL1_16/phase3/includes/json/Services_JSON.php (modified) (history)
  • /branches/REL1_16/phase3/includes/media (modified) (history)
  • /branches/REL1_16/phase3/includes/media/Bitmap.php (modified) (history)
  • /branches/REL1_16/phase3/includes/search/SearchSqlite.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialAllpages.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialCategories.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialContributions.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialLinkSearch.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialSearch.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialSpecialpages.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialUpload.php (modified) (history)
  • /branches/REL1_16/phase3/includes/specials/SpecialVersion.php (modified) (history)
  • /branches/REL1_16/phase3/includes/upload (modified) (history)
  • /branches/REL1_16/phase3/languages/classes/LanguageSe.php (modified) (history)
  • /branches/REL1_16/phase3/languages/messages/MessagesEn.php (modified) (history)
  • /branches/REL1_16/phase3/maintenance (modified) (history)
  • /branches/REL1_16/phase3/maintenance/Maintenance.php (modified) (history)
  • /branches/REL1_16/phase3/maintenance/cleanupTable.inc (modified) (history)
  • /branches/REL1_16/phase3/maintenance/deleteSelfExternals.php (modified) (history)
  • /branches/REL1_16/phase3/maintenance/moveBatch.php (modified) (history)
  • /branches/REL1_16/phase3/profileinfo.php (modified) (history)
  • /branches/REL1_16/phase3/skins/common (modified) (history)
  • /branches/REL1_16/phase3/skins/common/jquery.js (modified) (history)
  • /branches/REL1_16/phase3/skins/common/jquery.min.js (modified) (history)
  • /branches/REL1_16/phase3/skins/vector (modified) (history)

Diff

Property changes on: branches/REL1_16/phase3/maintenance/deleteSelfExternals.php
___________________________________________________________________
Modified: svn:mergeinfo
11 Merged /trunk/phase3/maintenance/deleteSelfExternals.php:r79561
Property changes on: branches/REL1_16/phase3/maintenance/moveBatch.php
___________________________________________________________________
Modified: svn:mergeinfo
22 Merged /trunk/phase3/maintenance/moveBatch.php:r79561
Property changes on: branches/REL1_16/phase3/maintenance/cleanupTable.inc
___________________________________________________________________
Modified: svn:mergeinfo
33 Merged /trunk/phase3/maintenance/cleanupTable.inc:r79561
Property changes on: branches/REL1_16/phase3/maintenance/Maintenance.php
___________________________________________________________________
Modified: svn:mergeinfo
44 Merged /trunk/phase3/maintenance/Maintenance.php:r79561
Property changes on: branches/REL1_16/phase3/maintenance
___________________________________________________________________
Modified: svn:mergeinfo
55 Merged /trunk/phase3/maintenance:r79561
Property changes on: branches/REL1_16/phase3/skins/common/jquery.js
___________________________________________________________________
Modified: svn:mergeinfo
66 Merged /trunk/phase3/skins/common/jquery.js:r79561
Property changes on: branches/REL1_16/phase3/skins/common/jquery.min.js
___________________________________________________________________
Modified: svn:mergeinfo
77 Merged /trunk/phase3/skins/common/jquery.min.js:r79561
Property changes on: branches/REL1_16/phase3/skins/common
___________________________________________________________________
Modified: svn:mergeinfo
88 Merged /trunk/phase3/skins/common:r79561
Property changes on: branches/REL1_16/phase3/skins/vector
___________________________________________________________________
Modified: svn:mergeinfo
99 Merged /trunk/phase3/skins/vector:r79561
Property changes on: branches/REL1_16/phase3/CREDITS
___________________________________________________________________
Modified: svn:mergeinfo
1010 Merged /trunk/phase3/CREDITS:r79561
Property changes on: branches/REL1_16/phase3/includes/upload
___________________________________________________________________
Modified: svn:mergeinfo
1111 Merged /trunk/phase3/includes/upload:r79561
Property changes on: branches/REL1_16/phase3/includes/search/SearchSqlite.php
___________________________________________________________________
Modified: svn:mergeinfo
1212 Merged /trunk/phase3/includes/search/SearchSqlite.php:r79561
Index: branches/REL1_16/phase3/includes/diff/DifferenceInterface.php
@@ -112,6 +112,8 @@
113113 global $wgUser, $wgOut, $wgUseExternalEditor, $wgUseRCPatrol;
114114 wfProfileIn( __METHOD__ );
115115
 116+ # Allow frames except in certain special cases
 117+ $wgOut->allowClickjacking();
116118
117119 # If external diffs are enabled both globally and for the user,
118120 # we'll use the application/x-external-editor interface to call
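Review bot: `$wgOut->allowClickjacking()` at the top of this method makes the whole diff view framable unless a later code path re-enables protection, and the comment "except in certain special cases" does not say which cases those are; name them (the rollback link added further down is one) so the next person editing this method knows to call `preventClickjacking()` when they add a write control. The `$wgUseRCPatrol` global on the first context line suggests patrol controls may also be rendered from this method; confirm whether those need the same treatment.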
@@ -199,6 +201,7 @@
200202 // Check if page is editable
201203 $editable = $this->mNewRev->getTitle()->userCan( 'edit' );
202204 if ( $editable && $this->mNewRev->isCurrent() && $wgUser->isAllowed( 'rollback' ) ) {
 205+ $wgOut->preventClickjacking();
203206 $rollback = '   ' . $sk->generateRollback( $this->mNewRev );
204207 } else {
205208 $rollback = '';
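Review bot: the `preventClickjacking()` call repeats the condition that decides whether `generateRollback()` output is rendered, and this patch adds the same pairing beside the rollback link in HistoryPage.php and SpecialContributions.php; a future caller of `generateRollback()` that forgets the flag ships a rollback link without X-Frame-Options. Consider setting the flag inside the helper that emits the link so the check and the rendering cannot drift apart.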
Property changes on: branches/REL1_16/phase3/includes/diff
___________________________________________________________________
Modified: svn:mergeinfo
206209 Merged /trunk/phase3/includes/diff:r79561
Property changes on: branches/REL1_16/phase3/includes/json/Services_JSON.php
___________________________________________________________________
Modified: svn:mergeinfo
207210 Merged /trunk/phase3/includes/json/Services_JSON.php:r79561
Index: branches/REL1_16/phase3/includes/Article.php
@@ -792,6 +792,9 @@
793793 return;
794794 }
795795
 796+ # Allow frames by default
 797+ $wgOut->allowClickjacking();
 798+
796799 # Should the parser cache be used?
797800 $useParserCache = $this->useParserCache( $oldid );
798801 wfDebug( 'Article::view using parser cache: ' . ( $useParserCache ? 'yes' : 'no' ) . "\n" );
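Review bot: the comment "Allow frames by default" reads as if it described the global default, but the default OutputPage now ships with (`$mPreventClickjacking = true`) is to deny; what this hunk does is opt ordinary article views out. Reword to something like "Article views contain no CSRF-protected forms, so allow framing", and say that anything rendered later in view() that does carry a write control must call `$wgOut->preventClickjacking()` itself (the trackback section in the next hunk does).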
@@ -1452,6 +1455,8 @@
14531456 );
14541457 if ( !$dbr->numRows( $tbs ) ) return;
14551458
 1459+ $wgOut->preventClickjacking();
 1460+
14561461 $tbtext = "";
14571462 while ( $o = $dbr->fetchObject( $tbs ) ) {
14581463 $rmvtxt = "";
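Review bot: `$wgOut->preventClickjacking()` fires whenever the page has any trackbacks, but `$rmvtxt = "";` on the last context line suggests the removal link is only emitted for some users; moving the flag next to the code that actually builds the removal link would keep read-only trackback lists framable, consistent with the allow-by-default policy chosen for views in the previous hunk. Harmless as written, just broader than necessary.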
Property changes on: branches/REL1_16/phase3/includes/Article.php
___________________________________________________________________
Modified: svn:mergeinfo
14591464 Merged /trunk/phase3/includes/Article.php:r79561
Property changes on: branches/REL1_16/phase3/includes/OutputHandler.php
___________________________________________________________________
Modified: svn:mergeinfo
14601465 Merged /trunk/phase3/includes/OutputHandler.php:r79561
Property changes on: branches/REL1_16/phase3/includes/LocalisationCache.php
___________________________________________________________________
Modified: svn:mergeinfo
14611466 Merged /trunk/phase3/includes/LocalisationCache.php:r79561
Index: branches/REL1_16/phase3/includes/ImagePage.php
@@ -600,6 +600,7 @@
601601 $this->loadFile();
602602 $pager = new ImageHistoryPseudoPager( $this );
603603 $wgOut->addHTML( $pager->getBody() );
 604+ $wgOut->preventClickjacking( $pager->getPreventClickjacking() );
604605
605606 $this->img->resetHistory(); // free db resources
606607
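Review bot: `$wgOut->preventClickjacking( $pager->getPreventClickjacking() )` passes the pager's flag straight through, so when the pager flagged nothing this call sets the page to allow framing and overrides any earlier `preventClickjacking()` from another part of the page (ImagePage builds on Article, and Article::view() has its own trackback case in this patch). Prefer the one-way form `if ( $pager->getPreventClickjacking() ) { $wgOut->preventClickjacking(); }` so each contributor can only tighten the policy. The same pass-through appears in HistoryPage.php and SpecialContributions.php.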
@@ -803,6 +804,7 @@
804805 class ImageHistoryList {
805806
806807 protected $imagePage, $img, $skin, $title, $repo, $showThumb;
 808+ protected $preventClickjacking = false;
807809
808810 public function __construct( $imagePage ) {
809811 global $wgUser, $wgShowArchiveThumbnails;
@@ -929,6 +931,7 @@
930932 # Don't link to unviewable files
931933 $row .= '<span class="history-deleted">' . $wgLang->timeAndDate( $timestamp, true ) . '</span>';
932934 } elseif( $file->isDeleted(File::DELETED_FILE) ) {
 935+ $this->preventClickjacking();
933936 $revdel = SpecialPage::getTitleFor( 'Revisiondelete' );
934937 # Make a link to review the image
935938 $url = $this->skin->link(
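Review bot: the control that triggers `preventClickjacking()` here is a link to Special:Revisiondelete, which renders its own form and sends its own X-Frame-Options; a plain link cannot be clickjacked into a state change on this page, so the flag may be stricter than needed. Deny is the safe direction, so this is not wrong, but the rule used elsewhere in the patch is "a write operation is possible from the generated HTML", and a comment explaining why this link qualifies would help.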
@@ -1015,9 +1018,19 @@
10161019 return wfMsgHtml( 'filehist-nothumb' );
10171020 }
10181021 }
 1022+
 1023+ protected function preventClickjacking( $enable = true ) {
 1024+ $this->preventClickjacking = $enable;
 1025+ }
 1026+
 1027+ public function getPreventClickjacking() {
 1028+ return $this->preventClickjacking;
 1029+ }
10191030 }
10201031
10211032 class ImageHistoryPseudoPager extends ReverseChronologicalPager {
 1033+ protected $preventClickjacking = false;
 1034+
10221035 function __construct( $imagePage ) {
10231036 parent::__construct();
10241037 $this->mImagePage = $imagePage;
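Review bot: `preventClickjacking( $enable = true )` lets a caller pass `false` and turn protection back off, which the equivalent method added to ContribsPager later in this patch does not allow (it takes no argument and only sets `true`). The one-way shape is the safer one for a flag whose sole purpose is to tighten a security header; consider dropping the parameter here, in ImageHistoryPseudoPager and in HistoryPager. The same getter/setter pair is now copied into four classes; the shared pager base class (ReverseChronologicalPager is the parent of two of them) would be a natural single home.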
@@ -1058,6 +1071,10 @@
10591072 $s .= $list->imageHistoryLine( !$file->isOld(), $file );
10601073 }
10611074 $s .= $list->endImageHistoryList($navLink);
 1075+
 1076+ if ( $list->getPreventClickjacking() ) {
 1077+ $this->preventClickjacking();
 1078+ }
10621079 }
10631080 return $s;
10641081 }
@@ -1140,4 +1157,13 @@
11411158 }
11421159 $this->mQueryDone = true;
11431160 }
 1161+
 1162+ protected function preventClickjacking( $enable = true ) {
 1163+ $this->preventClickjacking = $enable;
 1164+ }
 1165+
 1166+ public function getPreventClickjacking() {
 1167+ return $this->preventClickjacking;
 1168+ }
 1169+
11441170 }
Property changes on: branches/REL1_16/phase3/includes/UserMailer.php
___________________________________________________________________
Modified: svn:mergeinfo
11451171 Merged /trunk/phase3/includes/UserMailer.php:r79561
Index: branches/REL1_16/phase3/includes/HTMLForm.php
@@ -311,6 +311,9 @@
312312 $this->displayErrors( $submitResult );
313313 }
314314
 315+ # For good measure (it is the default)
 316+ $wgOut->preventClickjacking();
 317+
315318 $html = ''
316319 . $this->mHeader
317320 . $this->getBody()
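Review bot: the comment "For good measure (it is the default)" is misleading: the default only holds on pages that never called `allowClickjacking()`, and Article::view() in this patch does exactly that, so for an HTMLForm displayed on a view page this call is what actually enables the header. Reword to say the call is required for forms rendered on article views. Also confirm `$wgOut` is declared `global` in this method; the hunk context does not show it.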
Index: branches/REL1_16/phase3/includes/OutputPage.php
@@ -37,6 +37,7 @@
3838 var $mPageTitleActionText = '';
3939 var $mParseWarnings = array();
4040 var $mSquidMaxage = 0;
 41+ var $mPreventClickjacking = true;
4142 var $mRevisionId = null;
4243 protected $mTitle = null;
4344
@@ -1348,6 +1349,41 @@
13491350 }
13501351
13511352 /**
 1353+ * Set a flag which will cause an X-Frame-Options header appropriate for
 1354+ * edit pages to be sent. The header value is controlled by
 1355+ * $wgEditPageFrameOptions.
 1356+ *
 1357+ * This is the default for special pages. If you display a CSRF-protected
 1358+ * form on an ordinary view page, then you need to call this function.
 1359+ */
 1360+ public function preventClickjacking( $enable = true ) {
 1361+ $this->mPreventClickjacking = $enable;
 1362+ }
 1363+
 1364+ /**
 1365+ * Turn off frame-breaking. Alias for $this->preventClickjacking(false).
 1366+ * This can be called from pages which do not contain any CSRF-protected
 1367+ * HTML form.
 1368+ */
 1369+ public function allowClickjacking() {
 1370+ $this->mPreventClickjacking = false;
 1371+ }
 1372+
 1373+ /**
 1374+ * Get the X-Frame-Options header value (without the name part), or false
 1375+ * if there isn't one. This is used by Skin to determine whether to enable
 1376+ * JavaScript frame-breaking, for clients that don't support X-Frame-Options.
 1377+ */
 1378+ public function getFrameOptions() {
 1379+ global $wgBreakFrames, $wgEditPageFrameOptions;
 1380+ if ( $wgBreakFrames ) {
 1381+ return 'DENY';
 1382+ } elseif ( $this->mPreventClickjacking && $wgEditPageFrameOptions ) {
 1383+ return $wgEditPageFrameOptions;
 1384+ }
 1385+ }
 1386+
 1387+ /**
13521388 * Send cache control HTTP headers
13531389 */
13541390 public function sendCacheControl() {
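Review bot: `getFrameOptions()` has no `return` on the fall-through path, so it yields `null` rather than the `false` the docblock promises; add an explicit `return false;` after the elseif. The value of `$wgEditPageFrameOptions` is also passed into the header unvalidated, so a typo in LocalSettings.php (say `'SAME-ORIGIN'`) produces a header browsers ignore and the page silently becomes framable; checking the value against `'DENY'` and `'SAMEORIGIN'` and falling back to `'DENY'` would fail closed. Minor: the `preventClickjacking()` docblock says "This is the default for special pages"; it is the default for all output, which Article::view() then opts out of.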
@@ -1561,6 +1597,13 @@
15621598 $wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
15631599 $wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
15641600
 1601+ // Prevent framing, if requested
 1602+ $frameOptions = $this->getFrameOptions();
 1603+ if ( $frameOptions ) {
 1604+ $wgRequest->response()->header( "X-Frame-Options: $frameOptions" );
 1605+ }
 1606+
 1607+
15651608 if ($this->mArticleBodyOnly) {
15661609 $this->out($this->mBodytext);
15671610 } else {
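Review bot: lines 1606 and 1607 add two consecutive blank lines; drop one. More substantively, the header is emitted only on this `output()` path, right after Content-type; any response that does not go through `output()` will not carry X-Frame-Options, so it is worth checking the other exits from OutputPage (the installer hunk later in this patch sets the header by hand for one such case).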
Property changes on: branches/REL1_16/phase3/includes/OutputPage.php
___________________________________________________________________
Modified: svn:mergeinfo
15681611 Merged /trunk/phase3/includes/OutputPage.php:r79561
Index: branches/REL1_16/phase3/includes/HistoryPage.php
@@ -166,6 +166,7 @@
167167 $pager->getBody() .
168168 $pager->getNavigationBar()
169169 );
 170+ $wgOut->preventClickjacking( $pager->getPreventClickjacking() );
170171
171172 wfProfileOut( __METHOD__ );
172173 }
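Review bot: action=history does not run Article::view(), so before this line the page sits at OutputPage's deny default; passing `$pager->getPreventClickjacking()` (false for a user with no rollback or revision-deletion rights) flips the history page to allow framing. That matches the "allow except in special cases" policy, but it is a policy decision hidden in a boolean pass-through; an explicit `$wgOut->allowClickjacking()` with a comment, followed by a one-way `if ( $pager->getPreventClickjacking() ) { $wgOut->preventClickjacking(); }`, would make the intent visible.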
@@ -301,6 +302,7 @@
302303 class HistoryPager extends ReverseChronologicalPager {
303304 public $lastRow = false, $counter, $historyPage, $title, $buttons, $conds;
304305 protected $oldIdChecked;
 306+ protected $preventClickjacking = false;
305307
306308 function __construct( $historyPage, $year='', $month='', $tagFilter = '', $conds = array() ) {
307309 parent::__construct();
@@ -382,6 +384,7 @@
383385
384386 $this->buttons = '<div>';
385387 if( $wgUser->isAllowed('deleterevision') ) {
 388+ $this->preventClickjacking();
386389 $float = $wgContLang->alignEnd();
387390 # Note bug #20966, <button> is non-standard in IE<8
388391 $this->buttons .= Xml::element( 'button',
@@ -488,6 +491,7 @@
489492 $del = '';
490493 // User can delete revisions...
491494 if( $wgUser->isAllowed( 'deleterevision' ) ) {
 495+ $this->preventClickjacking();
492496 // If revision was hidden from sysops, disable the checkbox
493497 if( !$rev->userCan( Revision::DELETED_RESTRICTED ) ) {
494498 $del = Xml::check( 'deleterevisions', false, array( 'disabled' => 'disabled' ) );
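Review bot: this `$this->preventClickjacking()` is guarded by the same `$wgUser->isAllowed( 'deleterevision' )` test as the call added beside the revision-deletion button in the previous hunk, and runs once per history row, so it is redundant with that earlier call. Harmless, but if the intent is that each control flags itself, a comment saying so will stop someone from removing the apparent duplicate later.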
@@ -534,6 +538,7 @@
535539 # Rollback and undo links
536540 if( !is_null( $next ) && is_object( $next ) ) {
537541 if( $latest && $this->title->userCan( 'rollback' ) && $this->title->userCan( 'edit' ) ) {
 542+ $this->preventClickjacking();
538543 $tools[] = '<span class="mw-rollback-link">'.
539544 $this->getSkin()->buildRollbackLink( $rev ).'</span>';
540545 }
@@ -721,6 +726,20 @@
722727 return '';
723728 }
724729 }
 730+
 731+ /**
 732+ * This is called if a write operation is possible from the generated HTML
 733+ */
 734+ function preventClickjacking( $enable = true ) {
 735+ $this->preventClickjacking = $enable;
 736+ }
 737+
 738+ /**
 739+ * Get the "prevent clickjacking" flag
 740+ */
 741+ function getPreventClickjacking() {
 742+ return $this->preventClickjacking;
 743+ }
725744 }
726745
727746 /**
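Review bot: `function preventClickjacking(...)` and `function getPreventClickjacking()` are declared without visibility keywords, while the equivalent methods added to ImageHistoryList, ImageHistoryPseudoPager and ContribsPager in this patch are `protected`/`public`; make them consistent (`protected` setter, `public` getter). The docblock "This is called if a write operation is possible from the generated HTML" is the clearest statement of the rule anywhere in the patch and would be worth repeating on OutputPage::preventClickjacking().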
Property changes on: branches/REL1_16/phase3/includes/HistoryPage.php
___________________________________________________________________
Modified: svn:mergeinfo
728747 Merged /trunk/phase3/includes/HistoryPage.php:r79561
Property changes on: branches/REL1_16/phase3/includes/Sanitizer.php
___________________________________________________________________
Modified: svn:mergeinfo
729748 Merged /trunk/phase3/includes/Sanitizer.php:r79561
Property changes on: branches/REL1_16/phase3/includes/api/ApiBase.php
___________________________________________________________________
Modified: svn:mergeinfo
730749 Merged /trunk/phase3/includes/api/ApiBase.php:r79561
Property changes on: branches/REL1_16/phase3/includes/api/ApiQueryAllUsers.php
___________________________________________________________________
Modified: svn:mergeinfo
731750 Merged /trunk/phase3/includes/api/ApiQueryAllUsers.php:r79561
Property changes on: branches/REL1_16/phase3/includes/api
___________________________________________________________________
Modified: svn:mergeinfo
732751 Merged /trunk/phase3/includes/api:r79561
Property changes on: branches/REL1_16/phase3/includes/WebRequest.php
___________________________________________________________________
Modified: svn:mergeinfo
733752 Merged /trunk/phase3/includes/WebRequest.php:r79561
Property changes on: branches/REL1_16/phase3/includes/media/Bitmap.php
___________________________________________________________________
Modified: svn:mergeinfo
734753 Merged /trunk/phase3/includes/media/Bitmap.php:r79561
Property changes on: branches/REL1_16/phase3/includes/media
___________________________________________________________________
Modified: svn:mergeinfo
735754 Merged /trunk/phase3/includes/media:r79561
Property changes on: branches/REL1_16/phase3/includes/ChangesList.php
___________________________________________________________________
Modified: svn:mergeinfo
736755 Merged /trunk/phase3/includes/ChangesList.php:r79561
Property changes on: branches/REL1_16/phase3/includes/ConfEditor.php
___________________________________________________________________
Modified: svn:mergeinfo
737756 Merged /trunk/phase3/includes/ConfEditor.php:r79561
Index: branches/REL1_16/phase3/includes/DefaultSettings.php
@@ -3986,12 +3986,33 @@
39873987 $wgParserTestRemote = false;
39883988
39893989 /**
3990 - * Break out of framesets. This can be used to prevent external sites from
3991 - * framing your site with ads.
 3990+ * Break out of framesets. This can be used to prevent clickjacking attacks,
 3991+ * or to prevent external sites from framing your site with ads.
39923992 */
39933993 $wgBreakFrames = false;
39943994
39953995 /**
 3996+ * The X-Frame-Options header to send on pages sensitive to clickjacking
 3997+ * attacks, such as edit pages. This prevents those pages from being displayed
 3998+ * in a frame or iframe. The options are:
 3999+ *
 4000+ * - 'DENY': Do not allow framing. This is recommended for most wikis.
 4001+ *
 4002+ * - 'SAMEORIGIN': Allow framing by pages on the same domain. This can be used
 4003+ * to allow framing within a trusted domain. This is insecure if there
 4004+ * is a page on the same domain which allows framing of arbitrary URLs.
 4005+ *
 4006+ * - false: Allow all framing. This opens up the wiki to XSS attacks and thus
 4007+ * full compromise of local user accounts. Private wikis behind a
 4008+ * corporate firewall are especially vulnerable. This is not
 4009+ * recommended.
 4010+ *
 4011+ * For extra safety, set $wgBreakFrames = true, to prevent framing on all pages,
 4012+ * not just edit pages.
 4013+ */
 4014+$wgEditPageFrameOptions = 'DENY';
 4015+
 4016+/**
39964017 * Set this to an array of special page names to prevent
39974018 * maintenance/updateSpecialPages.php from updating those pages.
39984019 */
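Review bot: the `false` option says allowing framing "opens up the wiki to XSS attacks"; clickjacking does not inject script, it tricks a logged-in user into submitting the wiki's own forms, so the header should name the attack correctly, e.g. "opens up the wiki to clickjacking attacks, which can let an attacker perform actions as any logged-in user who visits a malicious page", keeping the account-compromise consequence as written. The SAMEORIGIN caveat about a same-domain page that frames arbitrary URLs is accurate and worth keeping.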
Index: branches/REL1_16/phase3/includes/specials/SpecialAllpages.php
@@ -40,6 +40,7 @@
4141
4242 $this->setHeaders();
4343 $this->outputHeader();
 44+ $wgOut->allowClickjacking();
4445
4546 # GET values
4647 $from = $wgRequest->getVal( 'from', null );
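Review bot: this is the right direction for the opt-out: only read-only listing pages (Allpages here, and Categories, Specialpages, Version, Search and LinkSearch in the following hunks) call `allowClickjacking()`, and every other special page keeps the deny default. A one-line comment at each call site stating that the page renders no CSRF-protected form would tell a later edit that adds one to remove the call.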
Index: branches/REL1_16/phase3/includes/specials/SpecialCategories.php
@@ -12,6 +12,7 @@
1313 } else {
1414 $from = $par;
1515 }
 16+ $wgOut->allowClickjacking();
1617 $cap = new CategoryPager( $from );
1718 $cap->doQuery();
1819 $wgOut->addHTML(
Index: branches/REL1_16/phase3/includes/specials/SpecialSpecialpages.php
@@ -13,6 +13,7 @@
1414 $wgMessageCache->loadAllMessages();
1515
1616 $wgOut->setRobotPolicy( 'noindex,nofollow' ); # Is this really needed?
 17+ $wgOut->allowClickjacking();
1718 $sk = $wgUser->getSkin();
1819
1920 $pages = SpecialPage::getUsablePages();
Index: branches/REL1_16/phase3/includes/specials/SpecialContributions.php
@@ -107,6 +107,7 @@
108108 '<p>' . $pager->getNavigationBar() . '</p>'
109109 );
110110 }
 111+ $wgOut->preventClickjacking( $pager->getPreventClickjacking() );
111112
112113
113114 # Show the appropriate "footer" message - WHOIS tools, etc.
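Review bot: Special:Contributions is a special page and so starts at the deny default; `$wgOut->preventClickjacking( $pager->getPreventClickjacking() )` sets it to allow whenever the pager rendered no rollback link, which makes this the one special page in the patch that becomes framable implicitly rather than through an explicit `allowClickjacking()` call. If that is intended, say so in a comment; if not, use the one-way `if ( $pager->getPreventClickjacking() ) { $wgOut->preventClickjacking(); }` form.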
@@ -428,6 +429,7 @@
429430 public $mDefaultDirection = true;
430431 var $messages, $target;
431432 var $namespace = '', $mDb;
 433+ var $preventClickjacking = false;
432434
433435 function __construct( $target, $namespace = false, $year = false, $month = false, $tagFilter = false ) {
434436 parent::__construct();
@@ -565,6 +567,7 @@
566568 if( !$row->page_is_new && $page->quickUserCan( 'rollback' )
567569 && $page->quickUserCan( 'edit' ) )
568570 {
 571+ $this->preventClickjacking();
569572 $topmarktext .= ' '.$sk->generateRollback( $rev );
570573 }
571574 }
@@ -671,4 +674,11 @@
672675 return $this->mDb;
673676 }
674677
 678+ protected function preventClickjacking() {
 679+ $this->preventClickjacking = true;
 680+ }
 681+
 682+ public function getPreventClickjacking() {
 683+ return $this->preventClickjacking;
 684+ }
675685 }
Property changes on: branches/REL1_16/phase3/includes/specials/SpecialUpload.php
___________________________________________________________________
Modified: svn:mergeinfo
676686 Merged /trunk/phase3/includes/specials/SpecialUpload.php:r79561
Index: branches/REL1_16/phase3/includes/specials/SpecialVersion.php
@@ -32,6 +32,7 @@
3333
3434 $this->setHeaders();
3535 $this->outputHeader();
 36+ $wgOut->allowClickjacking();
3637
3738 $wgOut->addHTML( Xml::openElement( 'div',
3839 array( 'dir' => $wgContLang->getDir() ) ) );
Index: branches/REL1_16/phase3/includes/specials/SpecialSearch.php
@@ -364,6 +364,7 @@
365365 $wgOut->setRobotPolicy( 'noindex,nofollow' );
366366 // add javascript specific to special:search
367367 $wgOut->addScriptFile( 'search.js' );
 368+ $wgOut->allowClickjacking();
368369 }
369370
370371 /**
Index: branches/REL1_16/phase3/includes/specials/SpecialLinkSearch.php
@@ -44,8 +44,10 @@
4545 $protocol = '';
4646 }
4747
 48+ $wgOut->allowClickjacking();
 49+
4850 $self = Title::makeTitle( NS_SPECIAL, 'Linksearch' );
49 -
 51+
5052 $wgOut->addWikiMsg( 'linksearch-text', '<nowiki>' . $wgLang->commaList( $wgUrlProtocols ) . '</nowiki>' );
5153 $s = Xml::openElement( 'form', array( 'id' => 'mw-linksearch-form', 'method' => 'get', 'action' => $GLOBALS['wgScript'] ) ) .
5254 Xml::hidden( 'title', $self->getPrefixedDbKey() ) .
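Review bot: the `49 -`/`51+` pair replaces a blank line with a blank line (presumably trailing whitespace), which is noise in a security backport; fine to leave, but worth stripping from the trunk commit. The `allowClickjacking()` call itself is appropriate: the form built below is `'method' => 'get'` and carries no state change.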
Property changes on: branches/REL1_16/phase3/includes/specials
___________________________________________________________________
Modified: svn:mergeinfo
5355 Merged /trunk/phase3/includes/specials:r79561
Index: branches/REL1_16/phase3/includes/Skin.php
@@ -413,7 +413,7 @@
414414 'wgUserGroups' => $wgUser->isAnon() ? null : $wgUser->getEffectiveGroups(),
415415 'wgUserLanguage' => $wgLang->getCode(),
416416 'wgContentLanguage' => $wgContLang->getCode(),
417 - 'wgBreakFrames' => $wgBreakFrames,
 417+ 'wgBreakFrames' => $wgOut->getFrameOptions() == 'DENY',
418418 'wgCurRevisionId' => isset( $wgArticle ) ? $wgArticle->getLatest() : 0,
419419 'wgVersion' => $wgVersion,
420420 'wgEnableAPI' => $wgEnableAPI,
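Review bot: the removed line read `$wgBreakFrames`, the new one reads `$wgOut`; the hunk does not show this method's `global` declaration, so confirm `$wgOut` is in scope (the surrounding lines use `$wgUser`, `$wgLang`, `$wgContLang` and `$wgArticle`, which suggests a global list that may need updating). Also note the JavaScript frame-breaker is now enabled only when the header value is exactly `'DENY'`; wikis configured with `$wgEditPageFrameOptions = 'SAMEORIGIN'` get no script fallback for browsers that do not honour X-Frame-Options, which the DefaultSettings docblock could mention.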
Property changes on: branches/REL1_16/phase3/includes
___________________________________________________________________
Modified: svn:mergeinfo
421421 Merged /trunk/phase3/includes:r79561
Property changes on: branches/REL1_16/phase3/profileinfo.php
___________________________________________________________________
Modified: svn:mergeinfo
422422 Merged /trunk/phase3/profileinfo.php:r79561
Index: branches/REL1_16/phase3/config/Installer.php
@@ -25,6 +25,7 @@
2626
2727 error_reporting( E_ALL | E_STRICT );
2828 header( "Content-type: text/html; charset=utf-8" );
 29+header( 'X-Frame-Options: DENY' );
2930 @ini_set( "display_errors", true );
3031
3132 # In case of errors, let output be clean.
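Review bot: hard-coding `header( 'X-Frame-Options: DENY' )` here is correct, since the installer runs before DefaultSettings.php and LocalSettings.php are loaded and `$wgEditPageFrameOptions` is not available; a short comment saying so would pre-empt someone later "fixing" it to read the setting.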
Property changes on: branches/REL1_16/phase3/languages/messages/MessagesEn.php
___________________________________________________________________
Modified: svn:mergeinfo
3233 Merged /trunk/phase3/languages/messages/MessagesEn.php:r79561
Property changes on: branches/REL1_16/phase3/languages/classes/LanguageSe.php
___________________________________________________________________
Modified: svn:mergeinfo
3334 Merged /trunk/phase3/languages/classes/LanguageSe.php:r79561
Index: branches/REL1_16/phase3/RELEASE-NOTES
@@ -57,6 +57,9 @@
5858 active or exec() and similar functions are disabled.
5959 * (bug 19593) Specifying --server in now works for all maintenance scripts.
6060 * Fixed $wgLicenseTerms register globals.
 61+* (bug 26561) Fixed clickjacking vulnerabilities by introducing support for
 62+ X-Frame-Options. The header value can be configured using $wgBreakFrames and
 63+ $wgEditPageFrameOptions.
6164
6265 == Changes since 1.16 beta 3 ==
6366
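Review bot: the note describes the configuration but not the behavioural change that matters to extension authors: ordinary article views are now served without X-Frame-Options, so an extension that renders a CSRF-protected form on a view page must call `$wgOut->preventClickjacking()` itself. Adding that sentence here (it is already in the OutputPage docblock) will save support questions.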
Property changes on: branches/REL1_16/phase3
___________________________________________________________________
Modified: svn:mergeinfo
6467 Merged /trunk/phase3:r79561

Follow-up revisions

Revision | Commit summary | Author | Date
r79563 | Merge r79562 from REL1_16: bug 26561, clickjacking defences. | tstarling | 06:26, 4 January 2011
r79566 | (bug 26561) Simplified clickjacking patch. | tstarling | 07:06, 4 January 2011

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r79561 | Fix for bug 26561: clickjacking attacks. See the bug report for full document... | tstarling | 06:12, 4 January 2011
