author | Brion Vibber <brion@users.mediawiki.org> | 2005-06-03 14:50:34 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2005-06-03 14:50:34 +0000 |
commit | 6a2ec5877b26cb417921fef66c5b6aa6db4b954d (patch) | |
tree | cf201d5a80ca4677053cdcdca40c66d9b7dd3b29 | |
parent | cfa06c17aede70ef8d6744bf80672ca36f6c977c (diff) | |
download | mediawikicore-1.5.0alpha2.tar.gz mediawikicore-1.5.0alpha2.zip |
Bump to 1.5alpha2 (1.5.0alpha2)
Notes:
http://mediawiki.org/wiki/Special:Code/MediaWiki/9316
-rw-r--r-- | RELEASE-NOTES | 19 |
-rw-r--r-- | includes/DefaultSettings.php | 2 |
-rw-r--r-- | includes/Sanitizer.php | 14 |
-rw-r--r-- | maintenance/parserTests.txt | 87 |
4 files changed, 121 insertions, 1 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 765d76910724..d818a3201a65 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -4,6 +4,24 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.5 alpha 2 == + +June 3, 2005 + +MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges, +and a security update. + +Incorrect handling of page template inclusions made it possible to +inject JavaScript code into HTML attributes, which could lead to +cross-site scripting attacks on a publicly editable wiki. + +Vulnerable releases and fix: +* 1.5 prerelease: fixed in 1.5alpha2 +* 1.4 stable series: fixed in 1.4.5 +* 1.3 legacy series: fixed in 1.3.13 +* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended + + == MediaWiki 1.5 alpha 1 == May 3, 2005 @@ -242,6 +260,7 @@ Various bugfixes, small features, and a few experimental things: * (bug 684) Accept an attribute parameter array on parser hook tags * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external LDAP authentication plugin +* (bug 2034) Armor HTML attributes against template inclusion and links munging === Caveats === diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index bba8c6dc3811..ffb26c194be9 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -18,7 +18,7 @@ if( !defined( 'MEDIAWIKI' ) ) { } /** MediaWiki version number */ -$wgVersion = '1.5alpha1'; +$wgVersion = '1.5alpha2'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 40016d93b2d1..9f05ed87cd86 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php 
@@ -539,6 +539,20 @@ class Sanitizer { continue; } + # Templates and links may be expanded in later parsing, + # creating invalid or dangerous output. Suppress this. + $value = strtr( $value, array( + '{' => '{', + '[' => '[', + "''" => '''', + 'ISBN' => 'ISBN', + 'RFC' => 'RFC', + 'PMID' => 'PMID', + ) ); + $value = preg_replace( + '/(' . URL_PROTOCOLS . '):/', + '\\1:', $value ); + if( !isset( $attribs[$attribute] ) ) { $attribs[$attribute] = "$attribute=\"$value\""; } diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt index 6255dc659ce6..94b965b9bccc 100644 --- a/maintenance/parserTests.txt +++ b/maintenance/parserTests.txt 
@@ -2345,6 +2345,93 @@ Bug 2095: link with pipe and three closing brackets </p> !! end + +### +### Safety +### + +!! test +Bug 2304: HTML attribute safety (template) +!! input +<div title="{{test}}"></div> +!! result +<div title="{{test}}"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (link) +!! input +<div title="[[Main Page]]"></div> +!! result +<div title="[[Main Page]]"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (italics) +!! input +<div title="''foobar''"></div> +!! result +<div title="''foobar''"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (bold) +!! input +<div title="'''foobar'''"></div> +!! result +<div title="'''foobar'''"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (ISBN) +!! input +<div title="ISBN 1234567890"></div> +!! result +<div title="ISBN 1234567890"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (RFC) +!! input +<div title="RFC 1234"></div> +!! result +<div title="RFC 1234"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (PMID) +!! input +<div title="PMID 1234567890"></div> +!! result +<div title="PMID 1234567890"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (web link) +!! input +<div title="http://example.com/"></div> +!! result +<div title="http://example.com/"></div> + +!! end + +!! test +Bug 2304: HTML attribute safety (named web link) +!! input +<div title="[http://example.com/ link]"></div> +!! result +<div title="[http://example.com/ link]"></div> + +!! end + + TODO: more images more tables |
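Review bot: the bug number in the RELEASE-NOTES changelog entry added at @@ -242,6 +260,7 @@ ("(bug 2034) Armor HTML attributes against template inclusion and links munging") does not match the "Bug 2304" that every new case in maintenance/parserTests.txt uses, so one of the two looks transposed. Make the entry and the tests cite the same report, otherwise anyone tracing the security fix from the release notes lands on the wrong bug.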
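Review bot: in the includes/Sanitizer.php hunk at @@ -539,6 +539,20 @@, the pattern '/(' . URL_PROTOCOLS . '):/' carries no i modifier, so it matches a protocol only in the exact case listed in URL_PROTOCOLS. If the later link parsing recognises protocols case-insensitively, a value written as "HTTP:" would pass through unarmoured; either add the modifier or add a comment stating that the parser's own matching is case-sensitive as well. The strtr() table is also a hand-maintained copy of the parser's triggers ('{', '[', "''", 'ISBN', 'RFC', 'PMID'), and nothing ties it to the code that defines them. The new comment should name the parser code this list has to stay in sync with, since a trigger added there later will not be suppressed here.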
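Review bot: all nine cases added under "### Safety" in maintenance/parserTests.txt exercise only the title attribute of a div, and the two web link cases use only lowercase http://. The Sanitizer.php change applies to every attribute value and to every entry in URL_PROTOCOLS, so add at least one case on a different attribute and element, one for a second protocol from URL_PROTOCOLS, and one with a mixed-case protocol, so that a regression in the replacement table or the protocol pattern is caught by the suite rather than only the title path.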