From: Tim Starling
Date: Thu, 5 May 2011 05:29:50 +0000 (+0000)
Subject: * Fix for bug 28534: IE 6 content type detection again
X-Git-Tag: 1.31.0-rc.0~30396
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/password.php?a=commitdiff_plain;h=1db9197660fdaab639f8576d76aa9f91cae3b524;p=lhc%2Fweb%2Fwiklou.git
* Fix for bug 28534: IE 6 content type detection again
* Fix for bug 28639: user object instance cache pollution
* Release notes formatting tweak.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 46dc3ba96a..4946115605 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,7 +1,7 @@
= MediaWiki release notes =
Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
== MediaWiki 1.18 ==
diff --git a/images/.htaccess b/images/.htaccess
index 2aea33e062..1cc74f42b0 100644
--- a/images/.htaccess
+++ b/images/.htaccess
@@ -1,6 +1,6 @@
# Protect against bug 28235
RewriteEngine On
- RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
+ RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
RewriteRule . - [forbidden]
diff --git a/img_auth.php b/img_auth.php
index 7b7bbda2e4..b059be31bf 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -40,7 +40,7 @@ if ( $wgImgAuthPublicTest
// Check for bug 28235: QUERY_STRING overriding the correct extension
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
}
diff --git a/includes/User.php b/includes/User.php
index 308b6e3b39..9ff846dbaa 100644
--- a/includes/User.php
+++ b/includes/User.php
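Review bot: The PHP pattern on the new `+ && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', ... )` line does not exclude backslash the way the .htaccess version does: inside a single-quoted PHP string `\\` collapses to `\`, so PCRE receives `[^\/:*?"<>|%]`, where `\/` is merely an escaped slash, whereas the mod_rewrite pattern `[^\\/:*?\x22<>|%]` excludes both `\` and `/`. The two checks therefore disagree on a query string such as `?f=a.b\c` (rejected by img_auth.php, passed by the rewrite rule); whichever behaviour is intended, they should agree, e.g. `'/\.[^\\\\\/:*?"<>|%]+(#|\?|$)/i'` on the PHP side. Separately, the class excludes `%` but nothing matches a percent-encoded dot (`%2E`), so if IE decodes the URL before deriving the extension that is a gap worth confirming against the behaviour bug 28534 describes. The `if` block ends inside the hunk, but the enclosing `$wgImgAuthPublicTest` condition starts outside it.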
@@ -937,24 +937,25 @@ class User {
return false;
}
- $this->mId = $sId;
- if ( !$this->loadFromId() ) {
- # Not a valid ID, loadFromId has switched the object to anon for us
+ $proposedUser = User::newFromId( $sId );
+ if ( !$proposedUser->isLoggedIn() ) {
+ # Not a valid ID
+ $this->loadDefaults();
return false;
}
global $wgBlockDisablesLogin;
- if( $wgBlockDisablesLogin && $this->isBlocked() ) {
+ if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) {
# User blocked and we've disabled blocked user logins
$this->loadDefaults();
return false;
}
if ( $wgRequest->getSessionData( 'wsToken' ) !== null ) {
- $passwordCorrect = $this->mToken == $wgRequest->getSessionData( 'wsToken' );
+ $passwordCorrect = $proposedUser->getToken() === $wgRequest->getSessionData( 'wsToken' );
$from = 'session';
} else if ( $wgRequest->getCookie( 'Token' ) !== null ) {
- $passwordCorrect = $this->mToken == $wgRequest->getCookie( 'Token' );
+ $passwordCorrect = $proposedUser->getToken() === $wgRequest->getCookie( 'Token' );
$from = 'cookie';
} else {
# No session or persistent login cookie
@@ -962,7 +963,8 @@ class User {
return false;
}
- if ( ( $sName == $this->mName ) && $passwordCorrect ) {
+ if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) {
+ $this->loadFromUserObject( $proposedUser );
$wgRequest->setSessionData( 'wsToken', $this->mToken );
wfDebug( "User: logged in from $from\n" );
return true;
@@ -1063,6 +1065,18 @@ class User {
}
}
+ /**
+ * Load the data for this user object from another user object.
+ */
+ protected function loadFromUserObject( $user ) {
+ $user->load();
+ $user->loadGroups();
+ $user->loadOptions();
+ foreach ( self::$mCacheVars as $var ) {
+ $this->$var = $user->$var;
+ }
+ }
/**
* Load the groups from the database if they aren't already loaded.
* @private
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 41077d30de..f7010953ec 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
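Review bot: The new `$passwordCorrect = $proposedUser->getToken() === ...` lines still accept an empty credential: an empty `Token` cookie or `wsToken` session value passes the `!== null` guard, so if `getToken()` can return `''` for an account whose `user_token` was never populated (legacy or imported rows), `'' === ''` authenticates that account. `getToken()` is outside the hunk, so confirm; if it does not mint a token on demand, reject empty values before comparing, e.g. `$token = $wgRequest->getCookie( 'Token' ); $passwordCorrect = $token !== '' && $proposedUser->getToken() === $token;` with the same shape for the session branch. The `===` is an improvement over `==` but is not a constant-time comparison; that is probably acceptable for the PHP versions of this era, which lack `hash_equals()`, and is worth a one-line comment. The enclosing `loadFromSession` starts before this hunk and ends after it.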
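Review bot: `loadFromUserObject( $user )` takes an untyped parameter and its docblock has no `@param`, yet it blindly copies `$user->$var` for every name in `self::$mCacheVars`, so passing anything that is not a `User` would silently fill `$this` with nulls. Declare it `protected function loadFromUserObject( User $user ) {` and add `@param $user User` to the docblock. It also calls `loadGroups()` and `loadOptions()` on the source first, which only pays off if the group and option properties are themselves listed in `$mCacheVars`; that list is outside the hunk, so confirm, and note that any cached value that is an object is shared between the two instances after the copy, which is the kind of cross-object state the commit message says it is trying to avoid.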
@@ -786,7 +786,7 @@ class WebRequest {
global $wgScriptExtension;
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
// Bug 28235
// Block only Internet Explorer, and requests with missing UA