r86030 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r86029‎ \| r86030 \| r86031 >
Date:	07:14, 14 April 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	* MFT r86027: fix IE6 XSS again * Updates for release of 1.16.4
Modified paths:	/branches/REL1_16/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_16/phase3/images/.htaccess (modified) (history) /branches/REL1_16/phase3/img_auth.php (modified) (history) /branches/REL1_16/phase3/includes/DefaultSettings.php (modified) (history) /branches/REL1_16/phase3/includes/WebRequest.php (modified) (history)

Diff [purge]

Index: branches/REL1_16/phase3/images/.htaccess
—	—	@@ -1,6 +1,6 @@
2	2	# Protect against bug 28235
3	3	<IfModule rewrite_module>
4	4	RewriteEngine On
5		~~- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]~~
	5	+ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#\|\?\|$) [nocase]
6	6	RewriteRule . - [forbidden]
7	7	</IfModule>
Index: branches/REL1_16/phase3/includes/WebRequest.php
—	—	@@ -697,7 +697,7 @@
698	698	global $wgScriptExtension;
699	699
700	700	if ( isset( $_SERVER['QUERY_STRING'] )
701		~~- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )~~
	701	+ && preg_match( '/\.[a-z0-9]{1,4}(#\|\?\|$)/i', $_SERVER['QUERY_STRING'] ) )
702	702	{
703	703	// Bug 28235
704	704	// Block only Internet Explorer, and requests with missing UA
Index: branches/REL1_16/phase3/includes/DefaultSettings.php
—	—	@@ -33,7 +33,7 @@
34	34	}
35	35
36	36	/** MediaWiki version number */
37		~~-$wgVersion = '1.16.3';~~
	37	+$wgVersion = '1.16.4';
38	38
39	39	/** Name of the site. It must be changed in LocalSettings.php */
40	40	$wgSitename = 'MediaWiki';
Index: branches/REL1_16/phase3/img_auth.php
—	—	@@ -39,7 +39,7 @@
40	40
41	41	// Check for bug 28235: QUERY_STRING overriding the correct extension
42	42	if ( isset( $_SERVER['QUERY_STRING'] )
43		~~- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )~~
	43	+ && preg_match( '/\.[a-z0-9]{1,4}(#\|\?\|$)/i', $_SERVER['QUERY_STRING'] ) )
44	44	{
45	45	wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
46	46	}
Index: branches/REL1_16/phase3/RELEASE-NOTES
—	—	@@ -1,8 +1,8 @@
2	2	= MediaWiki release notes =
3	3
4		~~-== MediaWiki 1.16.3 ==~~
	4	+== MediaWiki 1.16.4 ==
5	5
6		~~-2011-04-12~~
	6	+2011-04-14
7	7
8	8	This is a security and maintenance release of the MediaWiki 1.16 branch.
9	9
—	—	@@ -44,6 +44,12 @@
45	45	you have the DBA extension for PHP installed, this will improve performance
46	46	further.
47	47
	48	+== Changes since 1.16.3 ==
	49	+
	50	+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
	51	+ clients) was not actually sufficient to fix that bug. This release contains
	52	+ a second attempt, hopefully we have fixed it this time.
	53	+
48	54	== Changes since 1.16.2 ==
49	55
50	56	* (bug 28449) Fixed permissions checks in Special:Import which allowed users

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r86027	(bug 28507) Fix for r85844: that revision was not actually sufficient to fix ...	tstarling	07:10, 14 April 2011

Status & tagging log

22:33, 15 April 2011 Reedy (talk | contribs) changed the status of r86030 [removed: new added: ok]