From ecc073ba35aea5e43cd110af80e5d586dc771d8a Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Wed, 21 Feb 2007 01:05:50 +0000 Subject: [PATCH] clarify note; Apache 2 sends charset for files, but PHP sends its own text/html with no charset, overriding it. Never mind. :) --- RELEASE-NOTES | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 7b60643f66..4dd78556ef 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -208,9 +208,10 @@ lighter making things easier to read. dump-based installations, avoiding PHP warnings when NUMBEROFARTICLES and such are used. * Add 'charset' to Content-Type headers on various HTTP error responses - to forestall additional UTF-7-autodetect XSS issues. Probably not an - issue on Apache 2.0+, but most servers send only 'text/html' by default - when the script didn't specify more details. + to forestall additional UTF-7-autodetect XSS issues. PHP sends only + 'text/html' by default when the script didn't specify more details, + which some inconsiderate browsers consider a license to autodetect + the deadly, hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message on MSIE when $wgUseAjax is enabled (not default configuration); this UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA from BugSec: -- 2.20.1