From 749e7fb2bae7bbda855de3c9e319435b9f698ff7 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Mon, 3 Mar 2008 09:36:49 +0100
Subject: MediaWiki 1.11.2 released (security)

---
 includes/DefaultSettings.php | 2 +-
 includes/api/ApiFormatJson.php | 2 +-
 includes/api/ApiMain.php | 8 ++++++++
 includes/api/ApiQueryBase.php | 4 ++++
 4 files changed, 14 insertions(+), 2 deletions(-)
(limited to 'includes')

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 5afb969d..ad682b72 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
 $wgConf = new SiteConfiguration;
 /** MediaWiki version number */
-$wgVersion = '1.11.1';
+$wgVersion = '1.11.2';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index ed9bd938..59f3b492 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -74,7 +74,7 @@ class ApiFormatJson extends ApiFormatBase {
 protected function getParamDescription() {
 return array (
- 'callback' => 'If specified, wraps the output into a given function call',
+ 'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
 );
 }
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 31870449..00b3f63f 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
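Review bot: The new description string `For safety, all user-specific data will be restricted.` in `getParamDescription` is what action=help shows API consumers, and "restricted" does not tell them what actually happens to their request. The other hunks of this commit appear to serve a callback request as an anonymous user and to omit tokens, so the help text should state that concretely, e.g. `'If specified, wraps the output into a given function call. For safety, the request is then treated as anonymous (no user credentials are used and no tokens are returned).'`. The enclosing `getParamDescription` method is fully inside the hunk.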
@@ -98,6 +98,14 @@ class ApiMain extends ApiBase {
 // If the current user cannot read,
 // Remove all modules other than login
 global $wgUser;
+
+ if( $request->getVal( 'callback' ) !== null ) {
+ // JSON callback allows cross-site reads.
+ // For safety, strip user credentials.
+ wfDebug( "API: stripping user credentials for JSON callback\n" );
+ $wgUser = new User();
+ }
+
 if (!$wgUser->isAllowed('read')) {
 self::$Modules = array(
 'login' => self::$Modules['login'],
diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php
index 28adb415..c810cfa7 100644
--- a/includes/api/ApiQueryBase.php
+++ b/includes/api/ApiQueryBase.php
@@ -215,6 +215,10 @@ abstract class ApiQueryBase extends ApiBase {
 }
 public function getTokenFlag($tokenArr, $action) {
+ if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+ // Don't do any session-specific data.
+ return false;
+ }
 if (in_array($action, $tokenArr)) {
 global $wgUser;
 if ($wgUser->isAllowed($action))
-- 
cgit v1.2.3-54-g00ecf
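Review bot: The strip at `$wgUser = new User();` only rebinds the global, so anything that captured the session user before this point in the constructor (the hunk starts mid-constructor, and `$request` is presumably the constructor's request argument) would keep the authenticated user; it is worth confirming nothing between session setup and this check has taken its own reference. The fix also relies on `new User()` producing a default anonymous object that will not later lazy-load from the session cookie on first access — if the User class in this version does that, the strip is a no-op, so that assumption deserves stating. The two added comments restate the code rather than the threat; something like `// A JSONP response is a <script> any origin can embed, so the browser's ambient cookies would let a third-party page read this user's data: serve callback requests as anonymous.` would carry the reasoning. Recording the decision once in a flag on the main module at this point would also let the token check elsewhere reuse it instead of re-reading the raw parameter.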
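Review bot: The guard added at the top of `getTokenFlag` re-reads the raw `callback` request value through `$this->getMain()->getRequest()->getVal('callback')` instead of reusing the decision the main module already makes on the same parameter, so the two checks can drift if the parameter name or its handling changes in only one place; a single predicate set once by the main module when it strips credentials, and exposed through a getter consulted here, would keep them in step. The comment `// Don't do any session-specific data.` says what but not why; `// JSONP output is readable by any origin, so never include per-session tokens in it.` would. The body of `getTokenFlag` continues past the end of the hunk, and the `}` at the top of the hunk closes a method that starts outside it.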