-rw-r--r-- | RELEASE-NOTES-1.22 | 8 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/OutputPage.php | 73 |
3 files changed, 54 insertions, 29 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 34ced35a..34292e1f 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,14 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.12 == + +This is a security release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.11 === +* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module + allowance. + == MediaWiki 1.22.11 == This is a security release of the MediaWiki 1.22 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 1ec2ea35..84374c42 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration; * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.22.11'; +$wgVersion = '1.22.12'; /** * Name of the site. It must be changed in LocalSettings.php diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 6bfba78b..363f2b62 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -151,12 +151,12 @@ class OutputPage extends ContextSource { var $mFeedLinksAppendQuery = null; - # What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page? - # @see ResourceLoaderModule::$origin - # ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden; - protected $mAllowedModules = array( - ResourceLoaderModule::TYPE_COMBINED => ResourceLoaderModule::ORIGIN_ALL, - ); + /** + * @var int + * The level of 'untrustworthiness' allowed for modules loaded on this page. + * @see ResourceLoaderModule::$origin + */ + protected $mAllowedModuleOrigin = ResourceLoaderModule::ORIGIN_ALL; /** * @EasterEgg I just love the name for this self documenting variable. 
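Review bot: The new docblock on $mAllowedModuleOrigin puts the `@var int` tag above the description, whereas the method docblocks elsewhere in this diff (disallowUserJs, getAllowedModules) lead with the description and list tags after it. Suggest reordering the three lines to `* The level of 'untrustworthiness' allowed for modules loaded on this page.`, `* @var int`, `* @see ResourceLoaderModule::$origin` so the property reads like the rest of the class. The class body continues outside the hunk.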
@@ -1271,14 +1271,13 @@ class OutputPage extends ContextSource {
 }
 
 /**
- * Do not allow scripts which can be modified by wiki users to load on this page;
- * only allow scripts bundled with, or generated by, the software.
+ * Restrict the page to loading modules bundled the software.
+ *
+ * Disallows the queue to contain any modules which can be modified by wiki
+ * users to load on this page.
 */
 public function disallowUserJs() {
- $this->reduceAllowedModules(
- ResourceLoaderModule::TYPE_SCRIPTS,
- ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL
- );
+ $this->reduceAllowedModuleOrigin( ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL );
 }
 
 /**
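Review bot: The rewritten summary line `* Restrict the page to loading modules bundled the software.` is missing a word and should read `* Restrict the page to loading modules bundled with the software.`. The second paragraph is also awkward, since it is the modules rather than the queue that load on the page; `* Disallows modules which can be modified by wiki users from being added to the queue for this page.` says the same thing more plainly. The body of disallowUserJs() is entirely within the hunk.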
@@ -1293,37 +1292,55 @@ class OutputPage extends ContextSource {
 }
 
 /**
- * Show what level of JavaScript / CSS untrustworthiness is allowed on this page
+ * Get the level of JavaScript / CSS untrustworthiness allowed on this page.
+ *
 * @see ResourceLoaderModule::$origin
- * @param string $type ResourceLoaderModule TYPE_ constant
+ * @param string $type Unused: Module origin allowance used to be fragmented by
+ * ResourceLoaderModule TYPE_ constants.
 * @return Int ResourceLoaderModule ORIGIN_ class constant
 */
- public function getAllowedModules( $type ) {
- if ( $type == ResourceLoaderModule::TYPE_COMBINED ) {
- return min( array_values( $this->mAllowedModules ) );
- } else {
- return isset( $this->mAllowedModules[$type] )
- ? $this->mAllowedModules[$type]
- : ResourceLoaderModule::ORIGIN_ALL;
- }
+ public function getAllowedModules( $type = null ) {
+ return $this->mAllowedModuleOrigin;
 }
 
 /**
 * Set the highest level of CSS/JS untrustworthiness allowed
+ *
+ * @deprecated since 1.24 Raising level of allowed untrusted content is no longer supported.
+ * Use reduceAllowedModuleOrigin() instead.
+ *
 * @param $type String ResourceLoaderModule TYPE_ constant
- * @param $level Int ResourceLoaderModule class constant
+ * @param int $level ResourceLoaderModule ORIGIN_ constant
 */
 public function setAllowedModules( $type, $level ) {
- $this->mAllowedModules[$type] = $level;
+ wfDeprecated( __METHOD__, '1.24' );
+ $this->reduceAllowedModuleOrigin( $level );
 }
 
 /**
- * As for setAllowedModules(), but don't inadvertently make the page more accessible
- * @param $type String
- * @param $level Int ResourceLoaderModule class constant
+ * Limit the highest level of CSS/JS untrustworthiness allowed.
+ *
+ * @deprecated since 1.24 Module allowance is no longer fragmented by content type.
+ * Use reduceAllowedModuleOrigin() instead.
+ *
+ * @param string $type ResourceLoaderModule TYPE_ constant
+ * @param int $level ResourceLoaderModule ORIGIN_ class constant
 */
 public function reduceAllowedModules( $type, $level ) {
- $this->mAllowedModules[$type] = min( $this->getAllowedModules( $type ), $level );
+ wfDeprecated( __METHOD__, '1.24' );
+ $this->reduceAllowedModuleOrigin( $level );
+ }
+
+ /**
+ * Limit the highest level of CSS/JS untrustworthiness allowed.
+ *
+ * If passed the same or a higher level than the current level of untrustworthiness set, the
+ * level will remain unchanged.
+ *
+ * @param int $level ResourceLoaderModule class constant
+ */
+ public function reduceAllowedModuleOrigin( $level ) {
+ $this->mAllowedModuleOrigin = min( $this->mAllowedModuleOrigin, $level );
 }
 
 /**
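Review bot: reduceAllowedModuleOrigin() stores whatever `$level` it is given, and the deprecated wrappers setAllowedModules() and reduceAllowedModules() forward their `$level` argument to it unchecked, so a null or non-integer value from an old caller lands in $mAllowedModuleOrigin and is handed back by getAllowedModules(), contradicting the `@var int` declared on the property; because `min()` compares loosely, the stored ceiling may then be a value that is not an ORIGIN_ constant at all. A guard at the top of reduceAllowedModuleOrigin(), `if ( !is_int( $level ) ) { throw new InvalidArgumentException( 'Expected a ResourceLoaderModule ORIGIN_ constant' ); }`, keeps the ceiling well-typed and makes a bad call fail loudly instead of silently altering what the page may load. Separately, the unchanged summary `* Set the highest level of CSS/JS untrustworthiness allowed` on setAllowedModules() is now misleading, since the body can only lower the level; `* Lower the highest level of CSS/JS untrustworthiness allowed (raising it is no longer possible).` matches the new behaviour.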