-rw-r--r-- | RELEASE-NOTES-1.20 | 8 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/Import.php | 7 | ||||
-rw-r--r-- | includes/media/SVGMetadataExtractor.php | 11 | ||||
-rw-r--r-- | includes/parser/Parser.php | 5 |
5 files changed, 30 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20
index a7197ec1..d03ca1fa 100644
--- a/RELEASE-NOTES-1.20
+++ b/RELEASE-NOTES-1.20
@@ -3,6 +3,14 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
+== MediaWiki 1.20.4 ==
+
+This is a security release of the MediaWiki 1.20 branch.
+
+=== Changes since 1.20.3 ===
+* (bug 47251) SECURITY: Disable external entities in Import
+* (bug 46859) SECURITY: Disable external entities in XMLReader
+* (bug 46084) SECURITY: Sanitize $limitReport before outputting
 == MediaWiki 1.20.3 ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 426c11ad..ed566b3b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -59,7 +59,7 @@ if( !defined( 'MEDIAWIKI' ) ) {
 $wgConf = new SiteConfiguration;
 /** MediaWiki version number */
-$wgVersion = '1.20.3';
+$wgVersion = '1.20.4';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/Import.php b/includes/Import.php
index 11f37952..c32c6793 100644
--- a/includes/Import.php
+++ b/includes/Import.php
@@ -432,9 +432,15 @@ class WikiImporter {
 * @return bool
 */
 public function doImport() {
+
+ // Calls to reader->read need to be wrapped in calls to
+ // libxml_disable_entity_loader() to avoid local file
+ // inclusion attacks (bug 46932).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->read();
 if ( $this->reader->name != 'mediawiki' ) {
+ libxml_disable_entity_loader( $oldDisable );
 throw new MWException( "Expected <mediawiki> tag, got ". $this->reader->name );
 }
@@ -473,6 +479,7 @@ class WikiImporter {
 }
 }
+ libxml_disable_entity_loader( $oldDisable );
 return true;
 }
diff --git a/includes/media/SVGMetadataExtractor.php b/includes/media/SVGMetadataExtractor.php
index 851fe428..e0740385 100644
--- a/includes/media/SVGMetadataExtractor.php
+++ b/includes/media/SVGMetadataExtractor.php
@@ -77,7 +77,12 @@ class SVGReader {
 // Expand entities, since Adobe Illustrator uses them for xmlns
 // attributes (bug 31719). Note that libxml2 has some protection
 // against large recursive entity expansions so this is not as
- // insecure as it might appear to be.
+ // insecure as it might appear to be. However, it is still extremely
+ // insecure. It's necessary to wrap any read() calls with
+ // libxml_disable_entity_loader() to avoid arbitrary local file
+ // inclusion, or even arbitrary code execution if the expect
+ // extension is installed (bug 46859).
+ $oldDisable = libxml_disable_entity_loader( true );
 $this->reader->setParserProperty( XMLReader::SUBST_ENTITIES, true );
 $this->metadata['width'] = self::DEFAULT_WIDTH;
@@ -99,9 +104,11 @@ class SVGReader {
 // Note, if this happens, the width/height will be taken to be 0x0.
 // Should we consider it the default 512x512 instead?
 wfRestoreWarnings();
+ libxml_disable_entity_loader( $oldDisable );
 throw $e;
 }
 wfRestoreWarnings();
+ libxml_disable_entity_loader( $oldDisable );
 }
 /**
@@ -115,7 +122,7 @@ class SVGReader {
 * Read the SVG
 * @return bool
 */
- public function read() {
+ protected function read() {
 $keepReading = $this->reader->read();
 /* Skip until first element */
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 2a24bee7..10765de2 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -490,6 +490,11 @@ class Parser {
 "Highest expansion depth: {$this->mHighestExpansionDepth}/{$this->mOptions->getMaxPPExpandDepth()}\n". $PFreport;
 wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+ // Sanitize for comment. Note '‐' in the replacement is U+2010,
+ // which looks much like the problematic '-'.
+ $limitReport = str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport );
+
 $text .= "\n<!-- \n$limitReport-->\n";
 }
 $this->mOutput->setText( $text ); |
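Review bot: The entity-loader state is restored only on the explicit `throw new MWException` in this hunk and on the normal `return true` in the second Import.php hunk, so if anything between the two hunks throws, `libxml_disable_entity_loader( true )` stays in effect for the rest of the request. That is fail-closed for the importer, but it leaves a process-wide libxml setting changed for any later XML consumer in the same request. The two SVGMetadataExtractor.php hunks at -77 and -99 have the same shape: the restore sits in what looks like a catch block and after it, but not on any other exit from the try body. Without `finally` (not available if the branch still supports PHP 5.3), a catch-all that restores and rethrows covers every exception path: `catch ( Exception $e ) { libxml_disable_entity_loader( $oldDisable ); throw $e; }`. doImport() starts in this hunk and ends in the next one; the SVGReader constructor's boundaries are outside its hunks.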
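Review bot: Changing `read()` from public to protected is what prevents an outside caller from running the reader without the `libxml_disable_entity_loader()` window set up in the constructor, but the docblock (`* Read the SVG`, `* @return bool`) does not record that, so a later change back to public would reopen the issue silently. Add a docblock line such as `* Must only be called from the constructor while the libxml entity loader is disabled (bug 46859).` If an external caller of read() exists, the safer alternative is to perform the disable/restore pair inside read() itself rather than relying on visibility.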
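Review bot: As rendered on this page the second replacement pair in `str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport )` maps `&` to itself, so only hyphens are actually rewritten; if the committed line reads `'&amp;'` and this is an artefact of HTML rendering, nothing is wrong, but it is worth confirming against the source. The hyphen substitution does what the comment says: with every `-` replaced by U+2010 before interpolation, no `-->` can be assembled inside the `<!-- ... -->` wrapper built on the next line. Because `$limitReport` is passed by reference to the `ParserLimitReport` hook just above, the sanitisation also covers hook-supplied text; a comment making that ordering explicit would help, e.g. `// Must stay after the hook: extensions may append arbitrary text to $limitReport.` The enclosing function continues outside the hunk.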