diff options
-rw-r--r-- | RELEASE-NOTES-1.22 | 14 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/api/ApiMain.php | 2 | ||||
-rw-r--r-- | includes/api/ApiQueryLogEvents.php | 8 | ||||
-rw-r--r-- | languages/messages/MessagesEn.php | 4 | ||||
-rw-r--r-- | thumb.php | 10 |
6 files changed, 27 insertions, 13 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 20c19471..9d10f222 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,20 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.15 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.14 === + +* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which + could lead to xss. Permission to edit MediaWiki namespace is required to + exploit this. +* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in + $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as + part of its name. +* (bug T74222) The original patch for T74222 was reverted as unnecessary. + == MediaWiki 1.22.14 == This is a security and maintenance release of the MediaWiki 1.22 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 6feac36b..78568107 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration; * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.22.14'; +$wgVersion = '1.22.15'; /** * Name of the site. It must be changed in LocalSettings.php diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index c11f16cb..ea2fcc78 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -510,7 +510,7 @@ class ApiMain extends ApiBase { array( '.*?', '.' ), $wildcard ); - return "/https?:\/\/$wildcard/"; + return "/^https?:\/\/$wildcard$/"; } protected function sendCacheHeaders() { diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php index 0e8c5e61..ecd117e4 100644 --- a/includes/api/ApiQueryLogEvents.php +++ b/includes/api/ApiQueryLogEvents.php @@ -36,7 +36,7 @@ class ApiQueryLogEvents extends ApiQueryBase { } private $fld_ids = false, $fld_title = false, $fld_type = false, - $fld_action = false, $fld_user = false, $fld_userid = false, + $fld_user = false, $fld_userid = false, $fld_timestamp = false, $fld_comment = false, $fld_parsedcomment = false, $fld_details = false, $fld_tags = false; @@ -49,7 +49,6 @@ class ApiQueryLogEvents extends ApiQueryBase { $this->fld_ids = isset( $prop['ids'] ); $this->fld_title = isset( $prop['title'] ); $this->fld_type = isset( $prop['type'] ); - $this->fld_action = isset( $prop['action'] ); $this->fld_user = isset( $prop['user'] ); $this->fld_userid = isset( $prop['userid'] ); $this->fld_timestamp = isset( $prop['timestamp'] ); @@ -157,7 +156,7 @@ class ApiQueryLogEvents extends ApiQueryBase { $this->addOption( 'USE INDEX', $index ); // Paranoia: avoid brute force searches (bug 17342) - if ( !is_null( $title ) || !is_null( $params['action'] ) ) { + if ( !is_null( $title ) ) { $this->addWhere( $db->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0' ); } if ( !is_null( $user ) ) { @@ -300,7 +299,7 @@ class ApiQueryLogEvents extends ApiQueryBase { $title = Title::makeTitle( $row->log_namespace, $row->log_title ); } - if ( $this->fld_title || $this->fld_ids || $this->fld_type ) { + if ( $this->fld_title || $this->fld_ids ) { if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) { $vals['actionhidden'] = ''; } else { @@ -318,6 +317,7 @@ class ApiQueryLogEvents extends ApiQueryBase { if ( $this->fld_type ) { $vals['type'] = $row->log_type; + $vals['action'] = $row->log_action; } if ( $this->fld_details && $row->log_params !== '' ) { diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 147ffcd5..65371ad7 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php @@ -1657,7 +1657,7 @@ Try [[Special:Search|searching on the wiki]] for relevant new pages.', # Revision deletion 'rev-deleted-comment' => '(edit summary removed)', 'rev-deleted-user' => '(username removed)', -'rev-deleted-event' => '(log action removed)', +'rev-deleted-event' => '(log details removed)', 'rev-deleted-user-contribs' => '[username or IP address removed - edit hidden from contributions]', 'rev-deleted-text-permission' => "This page revision has been '''deleted'''. Details can be found in the [{{fullurl:{{#Special:Log}}/delete|page={{FULLPAGENAMEE}}}} deletion log].", @@ -1709,7 +1709,7 @@ Other administrators on {{SITENAME}} will still be able to access the hidden con 'revdelete-legend' => 'Set visibility restrictions', 'revdelete-hide-text' => 'Revision text', 'revdelete-hide-image' => 'Hide file content', -'revdelete-hide-name' => 'Hide action and target', +'revdelete-hide-name' => 'Hide target and parameters', 'revdelete-hide-comment' => 'Edit summary', 'revdelete-hide-user' => "Editor's username/IP address", 'revdelete-hide-restricted' => 'Suppress data from administrators as well as others', @@ -131,12 +131,12 @@ function wfStreamThumb( array $params ) { // Format is <timestamp>!<name> $bits = explode( '!', $fileName, 2 ); if ( count( $bits ) != 2 ) { - wfThumbError( 404, wfMessage( 'badtitletext' )->text() ); + wfThumbError( 404, wfMessage( 'badtitletext' )->parse() ); return; } $title = Title::makeTitleSafe( NS_FILE, $bits[1] ); if ( !$title ) { - wfThumbError( 404, wfMessage( 'badtitletext' )->text() ); + wfThumbError( 404, wfMessage( 'badtitletext' )->parse() ); return; } $img = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName( $title, $fileName ); @@ -146,7 +146,7 @@ function wfStreamThumb( array $params ) { // Check the source file title if ( !$img ) { - wfThumbError( 404, wfMessage( 'badtitletext' )->text() ); + wfThumbError( 404, wfMessage( 'badtitletext' )->parse() ); return; } @@ -306,7 +306,7 @@ function wfStreamThumb( array $params ) { $user = RequestContext::getMain()->getUser(); if ( $user->pingLimiter( 'renderfile' ) ) { - wfThumbError( 500, wfMessage( 'actionthrottledtext' ) ); + wfThumbError( 500, wfMessage( 'actionthrottledtext' )->parse() ); return; } @@ -452,7 +452,7 @@ function wfExtractThumbParams( $file, $params ) { * Output a thumbnail generation error message * * @param $status integer - * @param $msg string + * @param string $msg HTML * @return void */ function wfThumbError( $status, $msg ) { |