From 6a2ec5877b26cb417921fef66c5b6aa6db4b954d Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 3 Jun 2005 14:50:34 +0000
Subject: [PATCH] Bump to 1.5alpha2
---
RELEASE-NOTES | 19 ++++++++
includes/DefaultSettings.php | 2 +-
includes/Sanitizer.php | 14 ++++++
maintenance/parserTests.txt | 87 ++++++++++++++++++++++++++++++++++++
4 files changed, 121 insertions(+), 1 deletion(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 765d769107..d818a3201a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -4,6 +4,24 @@ Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.5 alpha 2 ==
+
+June 3, 2005
+
+MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
+and a security update.
+
+Incorrect handling of page template inclusions made it possible to
+inject JavaScript code into HTML attributes, which could lead to
+cross-site scripting attacks on a publicly editable wiki.
+
+Vulnerable releases and fix:
+* 1.5 prerelease: fixed in 1.5alpha2
+* 1.4 stable series: fixed in 1.4.5
+* 1.3 legacy series: fixed in 1.3.13
+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
+
+
== MediaWiki 1.5 alpha 1 ==
May 3, 2005
@@ -242,6 +260,7 @@ Various bugfixes, small features, and a few experimental things:
* (bug 684) Accept an attribute parameter array on parser hook tags
* (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external
LDAP authentication plugin
+* (bug 2034) Armor HTML attributes against template inclusion and links munging
=== Caveats ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index bba8c6dc38..ffb26c194b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -18,7 +18,7 @@ if( !defined( 'MEDIAWIKI' ) ) {
}
/** MediaWiki version number */
-$wgVersion = '1.5alpha1';
+$wgVersion = '1.5alpha2';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 40016d93b2..9f05ed87cd 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -539,6 +539,20 @@ class Sanitizer {
continue;
}
+ # Templates and links may be expanded in later parsing,
+ # creating invalid or dangerous output. Suppress this.
+ $value = strtr( $value, array(
+ '{' => '{',
+ '[' => '[',
+ "''" => '''',
+ 'ISBN' => 'ISBN',
+ 'RFC' => 'RFC',
+ 'PMID' => 'PMID',
+ ) );
+ $value = preg_replace(
+ '/(' . URL_PROTOCOLS . '):/',
+ '\\1:', $value );
+
if( !isset( $attribs[$attribute] ) ) {
$attribs[$attribute] = "$attribute=\"$value\"";
}
diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index 6255dc659c..94b965b9bc 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -2345,6 +2345,93 @@ Bug 2095: link with pipe and three closing brackets
!! end
+
+###
+### Safety
+###
+
+!! test
+Bug 2304: HTML attribute safety (template)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (link)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (italics)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (bold)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (ISBN)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (RFC)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (PMID)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (web link)
+!! input
+
+!! result
+
+
+!! end
+
+!! test
+Bug 2304: HTML attribute safety (named web link)
+!! input
+
+!! result
+
+
+!! end
+
+
TODO:
more images
more tables
--
2.20.1