summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuke Shumaker <lukeshu@sbcglobal.net>2014-07-26 21:10:52 -0400
committerLuke Shumaker <lukeshu@sbcglobal.net>2014-07-26 21:10:52 -0400
commitbe4fcbd51a4b134c7c9e3945f86295e33bbb45b6 (patch)
treee1bc6098e720429b75bd69e4566c39c7fb29aafe
parent68da4046dd3cbe1c3cccf4daa4a862594a01e80e (diff)
parentf80b2307028ed4d9231a0bd46496b241dcf4aa5c (diff)
Merge branch 'archwiki'
-rw-r--r--RELEASE-NOTES-1.2210
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/MimeMagic.php18
-rw-r--r--includes/upload/UploadBase.php15
4 files changed, 37 insertions, 8 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 56a7e3d3..be1d96a7 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,16 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.8 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.7 ===
+
+* (bug 65839) SECURITY: Prevent external resources in SVG files.
+* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
+ like only extracting the tail of the file partially or not at all.
+
== MediaWiki 1.22.7 ==
This is a security and maintenance release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 850c2cfb..4eb979ac 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.22.7';
+$wgVersion = '1.22.8';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/MimeMagic.php b/includes/MimeMagic.php
index 8220e92f..9180218b 100644
--- a/includes/MimeMagic.php
+++ b/includes/MimeMagic.php
@@ -570,20 +570,30 @@ class MimeMagic {
* @param string $file
* @param mixed $ext
* @return bool|string
+ * @throws MWException
*/
private function doGuessMimeType( $file, $ext ) { // TODO: remove $ext param
// Read a chunk of the file
wfSuppressWarnings();
- // @todo FIXME: Shouldn't this be rb?
- $f = fopen( $file, 'rt' );
+ $f = fopen( $file, 'rb' );
wfRestoreWarnings();
if ( !$f ) {
return 'unknown/unknown';
}
+
+ $fsize = filesize( $file );
+ if ( $fsize === false ) {
+ return 'unknown/unknown';
+ }
+
$head = fread( $f, 1024 );
- fseek( $f, -65558, SEEK_END );
- $tail = fread( $f, 65558 ); // 65558 = maximum size of a zip EOCDR
+ $tailLength = min( 65558, $fsize ); // 65558 = maximum size of a zip EOCDR
+ if ( fseek( $f, -1 * $tailLength, SEEK_END ) === -1 ) {
+ throw new MWException(
+ "Seeking $tailLength bytes from EOF failed in " . __METHOD__ );
+ }
+ $tail = fread( $f, $tailLength );
fclose( $f );
wfDebug( __METHOD__ . ": analyzing head and tail of $file for magic numbers.\n" );
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index c0c37b3f..40b3b19a 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -1283,11 +1283,20 @@ abstract class UploadBase {
return true;
}
- # href with javascript target
- if ( $stripped == 'href' && strpos( strtolower( $value ), 'javascript:' ) !== false ) {
- wfDebug( __METHOD__ . ": Found script in href attribute '$attrib'='$value' in uploaded file.\n" );
+ # href with non-local target (don't allow http://, javascript:, etc)
+ if ( $stripped == 'href'
+ && strpos( $value, 'data:' ) !== 0
+ && strpos( $value, '#' ) !== 0
+ ) {
+ if ( !( $strippedElement === 'a'
+ && preg_match( '!^https?://!im', $value ) )
+ ) {
+ wfDebug( __METHOD__ . ": Found href attribute <$strippedElement "
+ . "'$attrib'='$value' in uploaded file.\n" );
+
return true;
}
+ }
# href with embedded svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) {