Security fix: Previously it was possible to include unprotected and even content...

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e77c500..40ba59a 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -293,6 +293,8 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * Don't show non-functional toolbar buttons on Opera 7 anymore
 * (bug 9151) Fix relative subpage links with section fragments
 * (bug 10560) Adding a space between category letter heading and "continues"
+* Security fix: Disable retrieving pages as raw js/css that should not contain
+  such content.
 
 == API changes since 1.10 ==
 

diff --git a/includes/RawPage.php b/includes/RawPage.php
index 9df94e5..4b27823 100644 (file)
--- a/includes/RawPage.php
+++ b/includes/RawPage.php
@@ -145,7 +145,14 @@ class RawPage {
        }
 
        function getRawText() {
-               global $wgUser, $wgOut, $wgRequest;
+               global $wgUser, $wgOut, $wgRequest, $wgJsMimeType;
+
+               /* Disable retrieving content pages as raw js/css */
+               $dangerousTypes = array( $wgJsMimeType, 'text/css' );
+               if ( in_array( $this->mContentType, $dangerousTypes ) && 
+                               !($this->mTitle->isCssOrJsPage() || $this->mTitle->isCssJsSubpage() ) )
+                       return '/* EMPTY */';
+       
                if($this->mGen) {
                        $sk = $wgUser->getSkin();
                        $sk->initPage($wgOut);