From: Brion Vibber Date: Wed, 21 Feb 2007 01:05:50 +0000 (+0000) Subject: clarify note; Apache 2 sends charset for files, but PHP sends its own X-Git-Tag: 1.31.0-rc.0~53995 X-Git-Url: http://git.cyclocoop.org/%22.%24info%5B?a=commitdiff_plain;h=ecc073ba35aea5e43cd110af80e5d586dc771d8a;p=lhc%2Fweb%2Fwiklou.git clarify note; Apache 2 sends charset for files, but PHP sends its own text/html with no charset, overriding it. Never mind. :) --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 7b60643f66..4dd78556ef 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -208,9 +208,10 @@ lighter making things easier to read. dump-based installations, avoiding PHP warnings when NUMBEROFARTICLES and such are used. * Add 'charset' to Content-Type headers on various HTTP error responses - to forestall additional UTF-7-autodetect XSS issues. Probably not an - issue on Apache 2.0+, but most servers send only 'text/html' by default - when the script didn't specify more details. + to forestall additional UTF-7-autodetect XSS issues. PHP sends only + 'text/html' by default when the script didn't specify more details, + which some inconsiderate browsers consider a license to autodetect + the deadly, hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message on MSIE when $wgUseAjax is enabled (not default configuration); this UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA from BugSec:
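Review bot: The rewritten bullet in RELEASE-NOTES drops the Apache caveat without stating the reason given in the commit message, namely that Apache 2 sends a charset for files but PHP sends its own 'text/html' with no charset, overriding it. An administrator who relies on the web server's default charset could still read the new text and assume PHP output is covered. Suggest adding a clause to the added lines such as "the web server's default charset does not apply, because PHP sends its own Content-Type". Two smaller points on the same added lines: "some inconsiderate browsers" is vague where the unchanged context two lines later already names MSIE, so naming the affected browser would make the note more useful; and "the deadly, hard-to-escape UTF-7" reads as commentary rather than a release note, so a plain statement that the browser may autodetect UTF-7 when no charset is declared would be enough. The bullet also still says "various HTTP error responses" without listing which responses now carry the charset, which makes it hard to check custom error pages against the fix.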