r9316 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r9315‎ \| r9316 \| r9317 >
Date:	14:50, 3 June 2005
Author:	vibber
Status:	old
Tags:
Comment:	Bump to 1.5alpha2
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/DefaultSettings.php (modified) (history) /trunk/phase3/includes/Sanitizer.php (modified) (history) /trunk/phase3/maintenance/parserTests.txt (modified) (history)

Diff [purge]

Index: trunk/phase3/maintenance/parserTests.txt
—	—	@@ -2345,6 +2345,93 @@
2346	2346	</p>
2347	2347	!! end
2348	2348
	2349	+
	2350	+###
	2351	+### Safety
	2352	+###
	2353	+
	2354	+!! test
	2355	+Bug 2304: HTML attribute safety (template)
	2356	+!! input
	2357	+<div title="{{test}}"></div>
	2358	+!! result
	2359	+<div title="{{test}}"></div>
	2360	+
	2361	+!! end
	2362	+
	2363	+!! test
	2364	+Bug 2304: HTML attribute safety (link)
	2365	+!! input
	2366	+<div title="[[Main Page]]"></div>
	2367	+!! result
	2368	+<div title="[[Main Page]]"></div>
	2369	+
	2370	+!! end
	2371	+
	2372	+!! test
	2373	+Bug 2304: HTML attribute safety (italics)
	2374	+!! input
	2375	+<div title="''foobar''"></div>
	2376	+!! result
	2377	+<div title="''foobar''"></div>
	2378	+
	2379	+!! end
	2380	+
	2381	+!! test
	2382	+Bug 2304: HTML attribute safety (bold)
	2383	+!! input
	2384	+<div title="'''foobar'''"></div>
	2385	+!! result
	2386	+<div title="'''foobar'''"></div>
	2387	+
	2388	+!! end
	2389	+
	2390	+!! test
	2391	+Bug 2304: HTML attribute safety (ISBN)
	2392	+!! input
	2393	+<div title="ISBN 1234567890"></div>
	2394	+!! result
	2395	+<div title="ISBN 1234567890"></div>
	2396	+
	2397	+!! end
	2398	+
	2399	+!! test
	2400	+Bug 2304: HTML attribute safety (RFC)
	2401	+!! input
	2402	+<div title="RFC 1234"></div>
	2403	+!! result
	2404	+<div title="RFC 1234"></div>
	2405	+
	2406	+!! end
	2407	+
	2408	+!! test
	2409	+Bug 2304: HTML attribute safety (PMID)
	2410	+!! input
	2411	+<div title="PMID 1234567890"></div>
	2412	+!! result
	2413	+<div title="PMID 1234567890"></div>
	2414	+
	2415	+!! end
	2416	+
	2417	+!! test
	2418	+Bug 2304: HTML attribute safety (web link)
	2419	+!! input
	2420	+<div title="http://example.com/"></div>
	2421	+!! result
	2422	+<div title="http://example.com/"></div>
	2423	+
	2424	+!! end
	2425	+
	2426	+!! test
	2427	+Bug 2304: HTML attribute safety (named web link)
	2428	+!! input
	2429	+<div title="[http://example.com/ link]"></div>
	2430	+!! result
	2431	+<div title="[http://example.com/ link]"></div>
	2432	+
	2433	+!! end
	2434	+
	2435	+
2349	2436	TODO:
2350	2437	more images
2351	2438	more tables
Index: trunk/phase3/includes/Sanitizer.php
—	—	@@ -539,6 +539,20 @@
540	540	continue;
541	541	}
542	542
	543	+ # Templates and links may be expanded in later parsing,
	544	+ # creating invalid or dangerous output. Suppress this.
	545	+ $value = strtr( $value, array(
	546	+ '{' => '{',
	547	+ '[' => '[',
	548	+ "''" => '''',
	549	+ 'ISBN' => 'ISBN',
	550	+ 'RFC' => 'RFC',
	551	+ 'PMID' => 'PMID',
	552	+ ) );
	553	+ $value = preg_replace(
	554	+ '/(' . URL_PROTOCOLS . '):/',
	555	+ '\\1:', $value );
	556	+
543	557	if( !isset( $attribs[$attribute] ) ) {
544	558	$attribs[$attribute] = "$attribute=\"$value\"";
545	559	}
Index: trunk/phase3/includes/DefaultSettings.php
—	—	@@ -18,7 +18,7 @@
19	19	}
20	20
21	21	/** MediaWiki version number */
22		~~-$wgVersion = '1.5alpha1';~~
	22	+$wgVersion = '1.5alpha2';
23	23
24	24	/** Name of the site. It must be changed in LocalSettings.php */
25	25	$wgSitename = 'MediaWiki';
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -4,6 +4,24 @@
5	5	setting since version 1.2.0. If you have it on, turn it off if you can.
6	6
7	7
	8	+== MediaWiki 1.5 alpha 2 ==
	9	+
	10	+June 3, 2005
	11	+
	12	+MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
	13	+and a security update.
	14	+
	15	+Incorrect handling of page template inclusions made it possible to
	16	+inject JavaScript code into HTML attributes, which could lead to
	17	+cross-site scripting attacks on a publicly editable wiki.
	18	+
	19	+Vulnerable releases and fix:
	20	+* 1.5 prerelease: fixed in 1.5alpha2
	21	+* 1.4 stable series: fixed in 1.4.5
	22	+* 1.3 legacy series: fixed in 1.3.13
	23	+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
	24	+
	25	+
8	26	== MediaWiki 1.5 alpha 1 ==
9	27
10	28	May 3, 2005
—	—	@@ -242,6 +260,7 @@
243	261	* (bug 684) Accept an attribute parameter array on parser hook tags
244	262	* (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external
245	263	LDAP authentication plugin
	264	+* (bug 2034) Armor HTML attributes against template inclusion and links munging
246	265
247	266
248	267	=== Caveats ===

Status & tagging log

01:56, 13 October 2010 😂 (talk | contribs) changed the status of r9316 [removed: new added: old]