| Index: branches/REL1_16/phase3/images/.htaccess |
| — | — | @@ -1,6 +1,6 @@ |
| 2 | 2 | # Protect against bug 28235 |
| 3 | 3 | <IfModule rewrite_module> |
| 4 | 4 | RewriteEngine On |
| 5 | | - RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase] |
| | 5 | + RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase] |
| 6 | 6 | RewriteRule . - [forbidden] |
| 7 | 7 | </IfModule> |
| Index: branches/REL1_16/phase3/includes/User.php |
| — | — | @@ -897,24 +897,25 @@ |
| 898 | 898 | } |
| 899 | 899 | |
| 900 | 900 | $passwordCorrect = FALSE; |
| 901 | | - $this->mId = $sId; |
| 902 | | - if ( !$this->loadFromId() ) { |
| 903 | | - # Not a valid ID, loadFromId has switched the object to anon for us |
| | 901 | + $proposedUser = User::newFromId( $sId ); |
| | 902 | + if ( !$proposedUser->isLoggedIn() ) { |
| | 903 | + # Not a valid ID |
| | 904 | + $this->loadDefaults(); |
| 904 | 905 | return false; |
| 905 | 906 | } |
| 906 | 907 | |
| 907 | 908 | global $wgBlockDisablesLogin; |
| 908 | | - if( $wgBlockDisablesLogin && $this->isBlocked() ) { |
| | 909 | + if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) { |
| 909 | 910 | # User blocked and we've disabled blocked user logins |
| 910 | 911 | $this->loadDefaults(); |
| 911 | 912 | return false; |
| 912 | 913 | } |
| 913 | 914 | |
| 914 | 915 | if ( isset( $_SESSION['wsToken'] ) ) { |
| 915 | | - $passwordCorrect = $_SESSION['wsToken'] == $this->mToken; |
| | 916 | + $passwordCorrect = $proposedUser->getToken() === $_SESSION['wsToken']; |
| 916 | 917 | $from = 'session'; |
| 917 | 918 | } else if ( isset( $_COOKIE["{$wgCookiePrefix}Token"] ) ) { |
| 918 | | - $passwordCorrect = $this->mToken == $_COOKIE["{$wgCookiePrefix}Token"]; |
| | 919 | + $passwordCorrect = $proposedUser->getToken() === $_COOKIE["{$wgCookiePrefix}Token"]; |
| 919 | 920 | $from = 'cookie'; |
| 920 | 921 | } else { |
| 921 | 922 | # No session or persistent login cookie |
| — | — | @@ -922,7 +923,8 @@ |
| 923 | 924 | return false; |
| 924 | 925 | } |
| 925 | 926 | |
| 926 | | - if ( ( $sName == $this->mName ) && $passwordCorrect ) { |
| | 927 | + if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) { |
| | 928 | + $this->loadFromUserObject( $proposedUser ); |
| 927 | 929 | $_SESSION['wsToken'] = $this->mToken; |
| 928 | 930 | wfDebug( "Logged in from $from\n" ); |
| 929 | 931 | return true; |
| — | — | @@ -935,6 +937,18 @@ |
| 936 | 938 | } |
| 937 | 939 | |
| 938 | 940 | /** |
| | 941 | + * Load the data for this user object from another user object. |
| | 942 | + */ |
| | 943 | + protected function loadFromUserObject( $user ) { |
| | 944 | + $user->load(); |
| | 945 | + $user->loadGroups(); |
| | 946 | + $user->loadOptions(); |
| | 947 | + foreach ( self::$mCacheVars as $var ) { |
| | 948 | + $this->$var = $user->$var; |
| | 949 | + } |
| | 950 | + } |
| | 951 | + |
| | 952 | + /** |
| 939 | 953 | * Load user and user_group data from the database. |
| 940 | 954 | * $this::mId must be set, this is how the user is identified. |
| 941 | 955 | * |
| Index: branches/REL1_16/phase3/includes/WebRequest.php |
| — | — | @@ -697,7 +697,7 @@ |
| 698 | 698 | global $wgScriptExtension; |
| 699 | 699 | |
| 700 | 700 | if ( isset( $_SERVER['QUERY_STRING'] ) |
| 701 | | - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| | 701 | + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| 702 | 702 | { |
| 703 | 703 | // Bug 28235 |
| 704 | 704 | // Block only Internet Explorer, and requests with missing UA |
| Index: branches/REL1_16/phase3/includes/DefaultSettings.php |
| — | — | @@ -33,7 +33,7 @@ |
| 34 | 34 | } |
| 35 | 35 | |
| 36 | 36 | /** MediaWiki version number */ |
| 37 | | -$wgVersion = '1.16.4'; |
| | 37 | +$wgVersion = '1.16.5'; |
| 38 | 38 | |
| 39 | 39 | /** Name of the site. It must be changed in LocalSettings.php */ |
| 40 | 40 | $wgSitename = 'MediaWiki'; |
| Index: branches/REL1_16/phase3/img_auth.php |
| — | — | @@ -39,7 +39,7 @@ |
| 40 | 40 | |
| 41 | 41 | // Check for bug 28235: QUERY_STRING overriding the correct extension |
| 42 | 42 | if ( isset( $_SERVER['QUERY_STRING'] ) |
| 43 | | - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| | 43 | + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| 44 | 44 | { |
| 45 | 45 | wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); |
| 46 | 46 | } |
| Index: branches/REL1_16/phase3/RELEASE-NOTES |
| — | — | @@ -1,10 +1,10 @@ |
| 2 | 2 | = MediaWiki release notes = |
| 3 | 3 | |
| 4 | | -== MediaWiki 1.16.4 == |
| | 4 | +== MediaWiki 1.16.5 == |
| 5 | 5 | |
| 6 | | -2011-04-14 |
| | 6 | +2011-05-05 |
| 7 | 7 | |
| 8 | | -This is a security and maintenance release of the MediaWiki 1.16 branch. |
| | 8 | +This is a security release of the MediaWiki 1.16 branch. |
| 9 | 9 | |
| 10 | 10 | === Summary of selected changes in 1.16 === |
| 11 | 11 | |
| — | — | @@ -44,6 +44,13 @@ |
| 45 | 45 | you have the DBA extension for PHP installed, this will improve performance |
| 46 | 46 | further. |
| 47 | 47 | |
| | 48 | +== Changes since 1.16.4 |
| | 49 | + |
| | 50 | +* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third |
| | 51 | + attempt at fixing bug 28235. |
| | 52 | +* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin |
| | 53 | + is enabled. |
| | 54 | + |
| 48 | 55 | == Changes since 1.16.3 == |
| 49 | 56 | |
| 50 | 57 | * (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6 |