-rw-r--r--RELEASE-NOTES-1.2214
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/api/ApiMain.php2
-rw-r--r--includes/api/ApiQueryLogEvents.php8
-rw-r--r--languages/messages/MessagesEn.php4
-rw-r--r--thumb.php10
6 files changed, 27 insertions, 13 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 20c19471..9d10f222 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,20 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.15 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.14 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
== MediaWiki 1.22.14 ==
This is a security and maintenance release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 6feac36b..78568107 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.22.14';
+$wgVersion = '1.22.15';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index c11f16cb..ea2fcc78 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -510,7 +510,7 @@ class ApiMain extends ApiBase {
array( '.*?', '.' ),
$wildcard
);
- return "/https?:\/\/$wildcard/";
+ return "/^https?:\/\/$wildcard$/";
}
protected function sendCacheHeaders() {
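Review bot: In the new return line the trailing `$` still matches just before a final newline, because PCRE's `$` is not a strict end-of-subject anchor unless the `D` modifier is set; `return "/^https?:\/\/$wildcard$/D";` (or `\z` in place of `$`) closes that gap. An Origin value should not normally carry a newline, so this is hardening rather than a known bypass. The pattern as returned here has no `i` flag, so a one-line comment stating that origins are expected in lower case would help the next reader. The enclosing method starts above the hunk, so how `$wildcard` is quoted before the `str_replace` is only partly visible.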
diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php
index 0e8c5e61..ecd117e4 100644
--- a/includes/api/ApiQueryLogEvents.php
+++ b/includes/api/ApiQueryLogEvents.php
@@ -36,7 +36,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
}
private $fld_ids = false, $fld_title = false, $fld_type = false,
- $fld_action = false, $fld_user = false, $fld_userid = false,
+ $fld_user = false, $fld_userid = false,
$fld_timestamp = false, $fld_comment = false, $fld_parsedcomment = false,
$fld_details = false, $fld_tags = false;
@@ -49,7 +49,6 @@ class ApiQueryLogEvents extends ApiQueryBase {
$this->fld_ids = isset( $prop['ids'] );
$this->fld_title = isset( $prop['title'] );
$this->fld_type = isset( $prop['type'] );
- $this->fld_action = isset( $prop['action'] );
$this->fld_user = isset( $prop['user'] );
$this->fld_userid = isset( $prop['userid'] );
$this->fld_timestamp = isset( $prop['timestamp'] );
@@ -157,7 +156,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
$this->addOption( 'USE INDEX', $index );
// Paranoia: avoid brute force searches (bug 17342)
- if ( !is_null( $title ) || !is_null( $params['action'] ) ) {
+ if ( !is_null( $title ) ) {
$this->addWhere( $db->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0' );
}
if ( !is_null( $user ) ) {
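Review bot: The guard under the "Paranoia" comment now ignores `$params['action']`, and nothing in the hunk records why filtering by action is safe on rows whose `LogPage::DELETED_ACTION` bit is set. Together with the later hunk that emits `$vals['action'] = $row->log_action;` whenever `fld_type` is requested, the code now appears to treat the log action as public and the bit as hiding only target and parameters, which matches the reworded `revdelete-hide-name` message. I would state that here, e.g. `// DELETED_ACTION hides target and parameters only; log_type/log_action stay public, so an action filter leaks nothing`, and repeat a short form next to the `$vals['action']` line. A regression test that a row with the bit set still returns `type` and `action` alongside `actionhidden` would pin the intended boundary.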
@@ -300,7 +299,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
$title = Title::makeTitle( $row->log_namespace, $row->log_title );
}
- if ( $this->fld_title || $this->fld_ids || $this->fld_type ) {
+ if ( $this->fld_title || $this->fld_ids ) {
if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) {
$vals['actionhidden'] = '';
} else {
@@ -318,6 +317,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
if ( $this->fld_type ) {
$vals['type'] = $row->log_type;
+ $vals['action'] = $row->log_action;
}
if ( $this->fld_details && $row->log_params !== '' ) {
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 147ffcd5..65371ad7 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -1657,7 +1657,7 @@ Try [[Special:Search|searching on the wiki]] for relevant new pages.',
# Revision deletion
'rev-deleted-comment' => '(edit summary removed)',
'rev-deleted-user' => '(username removed)',
-'rev-deleted-event' => '(log action removed)',
+'rev-deleted-event' => '(log details removed)',
'rev-deleted-user-contribs' => '[username or IP address removed - edit hidden from contributions]',
'rev-deleted-text-permission' => "This page revision has been '''deleted'''.
Details can be found in the [{{fullurl:{{#Special:Log}}/delete|page={{FULLPAGENAMEE}}}} deletion log].",
@@ -1709,7 +1709,7 @@ Other administrators on {{SITENAME}} will still be able to access the hidden con
'revdelete-legend' => 'Set visibility restrictions',
'revdelete-hide-text' => 'Revision text',
'revdelete-hide-image' => 'Hide file content',
-'revdelete-hide-name' => 'Hide action and target',
+'revdelete-hide-name' => 'Hide target and parameters',
'revdelete-hide-comment' => 'Edit summary',
'revdelete-hide-user' => "Editor's username/IP address",
'revdelete-hide-restricted' => 'Suppress data from administrators as well as others',
diff --git a/thumb.php b/thumb.php
index 913adc18..dc3093c0 100644
--- a/thumb.php
+++ b/thumb.php
@@ -131,12 +131,12 @@ function wfStreamThumb( array $params ) {
// Format is <timestamp>!<name>
$bits = explode( '!', $fileName, 2 );
if ( count( $bits ) != 2 ) {
- wfThumbError( 404, wfMessage( 'badtitletext' )->text() );
+ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
return;
}
$title = Title::makeTitleSafe( NS_FILE, $bits[1] );
if ( !$title ) {
- wfThumbError( 404, wfMessage( 'badtitletext' )->text() );
+ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
return;
}
$img = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName( $title, $fileName );
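Review bot: With `->parse()` at these two calls (and at the `!$img` and `pingLimiter` calls in the next two hunks), `wfThumbError` becomes an HTML sink and escaping is now each caller's job, so any call site outside these hunks that passes a plain string built from request data would need `htmlspecialchars()` first. No such call site is visible here, so this is something to confirm across the file rather than a known defect. A short comment at the first call, e.g. `// wfThumbError() expects HTML: use ->parse() or escape`, would keep later additions from reintroducing raw text. `wfStreamThumb` begins and ends outside the hunk.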
@@ -146,7 +146,7 @@ function wfStreamThumb( array $params ) {
// Check the source file title
if ( !$img ) {
- wfThumbError( 404, wfMessage( 'badtitletext' )->text() );
+ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
return;
}
@@ -306,7 +306,7 @@ function wfStreamThumb( array $params ) {
$user = RequestContext::getMain()->getUser();
if ( $user->pingLimiter( 'renderfile' ) ) {
- wfThumbError( 500, wfMessage( 'actionthrottledtext' ) );
+ wfThumbError( 500, wfMessage( 'actionthrottledtext' )->parse() );
return;
}
@@ -452,7 +452,7 @@ function wfExtractThumbParams( $file, $params ) {
* Output a thumbnail generation error message
*
* @param $status integer
- * @param $msg string
+ * @param string $msg HTML
* @return void
*/
function wfThumbError( $status, $msg ) {
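Review bot: The bare word `HTML` in the new `@param string $msg HTML` line undersells what is now a security contract; `@param string $msg Error text as HTML; callers must pass escaped or parsed output` tells the next caller what is expected of them. The neighbouring `@param $status integer` still uses the old tag order and could become `@param int $status` (presumably the HTTP status, given the 404 and 500 arguments above) for consistency. The function body lies below the hunk, so how `$msg` is emitted is not visible here.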