From 6a2ec5877b26cb417921fef66c5b6aa6db4b954d Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 3 Jun 2005 14:50:34 +0000
Subject: [PATCH] Bump to 1.5alpha2
---
 RELEASE-NOTES | 19 ++++++++
 includes/DefaultSettings.php | 2 +-
 includes/Sanitizer.php | 14 ++++++
 maintenance/parserTests.txt | 87 ++++++++++++++++++++++++++++++++++++
 4 files changed, 121 insertions(+), 1 deletion(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 765d769107..d818a3201a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -4,6 +4,24 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.5 alpha 2 ==
+
+June 3, 2005
+
+MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
+and a security update.
+
+Incorrect handling of page template inclusions made it possible to
+inject JavaScript code into HTML attributes, which could lead to
+cross-site scripting attacks on a publicly editable wiki.
+
+Vulnerable releases and fix:
+* 1.5 prerelease: fixed in 1.5alpha2
+* 1.4 stable series: fixed in 1.4.5
+* 1.3 legacy series: fixed in 1.3.13
+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
+
+
 == MediaWiki 1.5 alpha 1 ==
 May 3, 2005
@@ -242,6 +260,7 @@ Various bugfixes, small features, and a few experimental things: * (bug 684) Accept an attribute parameter array on parser hook tags * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external LDAP authentication plugin
+* (bug 2034) Armor HTML attributes against template inclusion and links munging
 === Caveats ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index bba8c6dc38..ffb26c194b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -18,7 +18,7 @@ if( !defined( 'MEDIAWIKI' ) ) {
 }
 /** MediaWiki version number */
-$wgVersion = '1.5alpha1';
+$wgVersion = '1.5alpha2';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 40016d93b2..9f05ed87cd 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -539,6 +539,20 @@ class Sanitizer {
 continue;
 }
+ # Templates and links may be expanded in later parsing,
+ # creating invalid or dangerous output. Suppress this.
+ $value = strtr( $value, array(
+ '{' => '{',
+ '[' => '[',
+ "''" => '''',
+ 'ISBN' => 'ISBN',
+ 'RFC' => 'RFC',
+ 'PMID' => 'PMID',
+ ) );
+ $value = preg_replace(
+ '/(' . URL_PROTOCOLS . '):/',
+ '\\1:', $value );
+
 if( !isset( $attribs[$attribute] ) ) {
 $attribs[$attribute] = "$attribute=\"$value\"";
 }
diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index 6255dc659c..94b965b9bc 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -2345,6 +2345,93 @@ Bug 2095: link with pipe and three closing brackets
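Review bot: As rendered on this page the strtr() map and the preg_replace replacement are identity mappings (`'{' => '{'`, `'\\1:'`), which would armor nothing; most likely the numeric character references the real replacement strings must contain (`&#123;`, `&#91;`, `&#39;&#39;`, `&#58;` and so on) were decoded when the page was extracted, so a reader of this diff should verify that the right-hand sides are character references and not the literal characters. The pattern built from URL_PROTOCOLS carries no `i` modifier, so an attribute value containing `HTTP:` passes through unarmored; that is only a gap if the later link-munging pass matches protocols case-insensitively, which is not visible in this hunk. The armoring also silently depends on no subsequent parser pass decoding character references inside attribute values before template and link expansion, which deserves a comment next to the strtr() call, e.g. `# NOTE: relies on attribute values not being entity-decoded again before template/link expansion; decoding would undo this`. The enclosing method starts and ends outside this hunk.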

!! end
+
+###
+### Safety
+###
+
+!! test
+Bug 2304: HTML attribute safety (template)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (link)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (italics)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (bold)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (ISBN)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (RFC)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (PMID)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (web link)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (named web link)
+!! input
+
+!! result
+
+
+!! end
+
+
 TODO: more images more tables
-- 2.20.1
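Review bot: The test names throughout this section say `Bug 2304` while the RELEASE-NOTES entry in the same commit credits `(bug 2034)`; one of the two numbers is a transposition and the test names and changelog should cite the same report. The wikitext inputs and expected HTML of these nine cases did not survive extraction on this page, so the coverage cannot be confirmed from what is shown here. Since the Sanitizer change's protocol regex is case-sensitive, an attribute containing a case-variant link such as `HTTP://` would be a worthwhile additional case, as would a value mixing `{{` and `[[` to exercise several strtr keys in one attribute.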