Index: includes/SpecialRecentchangeslinked.php
===================================================================
--- includes/SpecialRecentchangeslinked.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/SpecialRecentchangeslinked.php (.../REL1_9_3/phase3) (revision 20016)
@@ -73,7 +73,7 @@
$GROUPBY = "
GROUP BY rc_cur_id,rc_namespace,rc_title,
rc_user,rc_comment,rc_user_text,rc_timestamp,rc_minor,
- rc_new, rc_id, rc_this_oldid, rc_last_oldid, rc_bot, rc_patrolled, rc_type
+ rc_new, rc_id, rc_this_oldid, rc_last_oldid, rc_bot, rc_patrolled, rc_type, rc_old_len, rc_new_len
" . ($uid ? ",wl_user" : "") . "
ORDER BY rc_timestamp DESC
LIMIT {$limit}";
Index: includes/GlobalFunctions.php
===================================================================
--- includes/GlobalFunctions.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/GlobalFunctions.php (.../REL1_9_3/phase3) (revision 20016)
@@ -1078,7 +1078,7 @@
header( "Status: $code $label" );
$wgOut->sendCacheControl();
- header( 'Content-type: text/html' );
+ header( 'Content-type: text/html; charset=utf-8' );
print "".
"
" .
htmlspecialchars( $label ) .
Index: includes/AjaxDispatcher.php
===================================================================
--- includes/AjaxDispatcher.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/AjaxDispatcher.php (.../REL1_9_3/phase3) (revision 20016)
@@ -54,15 +54,15 @@
wfProfileIn( __METHOD__ );
if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
- header( 'Status: 400 Bad Request', true, 400 );
- print "unknown function " . htmlspecialchars( (string) $this->func_name );
+ wfHttpError( 400, 'Bad Request',
+ "unknown function " . (string) $this->func_name );
} else {
try {
$result = call_user_func_array($this->func_name, $this->args);
if ( $result === false || $result === NULL ) {
- header( 'Status: 500 Internal Error', true, 500 );
- echo "{$this->func_name} returned no data";
+ wfHttpError( 500, 'Internal Error',
+ "{$this->func_name} returned no data" );
}
else {
if ( is_string( $result ) ) {
@@ -75,8 +75,8 @@
} catch (Exception $e) {
if (!headers_sent()) {
- header( 'Status: 500 Internal Error', true, 500 );
- print $e->getMessage();
+ wfHttpError( 500, 'Internal Error',
+ $e->getMessage() );
} else {
print $e->getMessage();
}
Index: includes/EditPage.php
===================================================================
--- includes/EditPage.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/EditPage.php (.../REL1_9_3/phase3) (revision 20016)
@@ -1765,7 +1765,7 @@
function livePreview() {
global $wgOut;
$wgOut->disable();
- header( 'Content-type: text/xml' );
+ header( 'Content-type: text/xml; charset=utf-8' );
header( 'Cache-control: no-cache' );
# FIXME
echo $this->getPreviewText( );
Index: includes/OutputPage.php
===================================================================
--- includes/OutputPage.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/OutputPage.php (.../REL1_9_3/phase3) (revision 20016)
@@ -561,6 +561,7 @@
$this->sendCacheControl();
+ $wgRequest->response()->header("Content-Type: text/html; charset=utf-8");
if( $wgDebugRedirects ) {
$url = htmlspecialchars( $this->mRedirect );
print "\n\nRedirect\n\n\n";
Index: includes/Wiki.php
===================================================================
--- includes/Wiki.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/Wiki.php (.../REL1_9_3/phase3) (revision 20016)
@@ -422,7 +422,8 @@
}
break;
case 'history':
- if( $_SERVER['REQUEST_URI'] == $title->getInternalURL( 'action=history' ) ) {
+ global $wgRequest;
+ if( $wgRequest->getFullRequestURL() == $title->getInternalURL( 'action=history' ) ) {
$output->setSquidMaxage( $this->getVal( 'SquidMaxage' ) );
}
$history = new PageHistory( $article );
Index: includes/StreamFile.php
===================================================================
--- includes/StreamFile.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/StreamFile.php (.../REL1_9_3/phase3) (revision 20016)
@@ -7,7 +7,7 @@
if ( !$stat ) {
header( 'HTTP/1.0 404 Not Found' );
header( 'Cache-Control: no-cache' );
- header( 'Content-Type: text/html' );
+ header( 'Content-Type: text/html; charset=utf-8' );
$encFile = htmlspecialchars( $fname );
$encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] );
echo "
Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/DefaultSettings.php (.../REL1_9_3/phase3) (revision 20016)
@@ -32,7 +32,7 @@
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.9.2';
+$wgVersion = '1.9.3';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
Index: includes/Metadata.php
===================================================================
--- includes/Metadata.php (.../REL1_9_2/phase3) (revision 20016)
+++ includes/Metadata.php (.../REL1_9_3/phase3) (revision 20016)
@@ -81,7 +81,7 @@
return false;
} else {
$wgOut->disable();
- header( "Content-type: {$rdftype}" );
+ header( "Content-type: {$rdftype}; charset=utf-8" );
$wgOut->sendCacheControl();
return true;
}
Index: trackback.php
===================================================================
--- trackback.php (.../REL1_9_2/phase3) (revision 20016)
+++ trackback.php (.../REL1_9_3/phase3) (revision 20016)
@@ -12,6 +12,7 @@
*
*/
function XMLsuccess() {
+ header("Content-Type: application/xml; charset=utf-8");
echo "
@@ -23,6 +24,7 @@
function XMLerror($err = "Invalid request.") {
header("HTTP/1.0 400 Bad Request");
+ header("Content-Type: application/xml; charset=utf-8");
echo "
Index: img_auth.php
===================================================================
--- img_auth.php (.../REL1_9_2/phase3) (revision 20016)
+++ img_auth.php (.../REL1_9_3/phase3) (revision 20016)
@@ -49,6 +49,7 @@
function wfForbidden() {
header( 'HTTP/1.0 403 Forbidden' );
+ header( 'Content-Type: text/html; charset=utf-8' );
print
"
Access denied
Index: thumb.php
===================================================================
--- thumb.php (.../REL1_9_2/phase3) (revision 20016)
+++ thumb.php (.../REL1_9_3/phase3) (revision 20016)
@@ -74,7 +74,7 @@
$badtitle = wfMsg( 'badtitle' );
$badtitletext = wfMsg( 'badtitletext' );
header( 'Cache-Control: no-cache' );
- header( 'Content-Type: text/html' );
+ header( 'Content-Type: text/html; charset=utf-8' );
echo "
$badtitle
Index: RELEASE-NOTES
===================================================================
--- RELEASE-NOTES (.../REL1_9_2/phase3) (revision 20016)
+++ RELEASE-NOTES (.../REL1_9_3/phase3) (revision 20016)
@@ -3,6 +3,43 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.9.3 ==
+
+February 20, 2007
+
+This is a security and bug-fix update to the Winter 2007 quarterly release.
+Minor compatibility fixes for IIS and PostgreSQL are included.
+
+An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
+charset autodetection was located in the AJAX support module, affecting MSIE
+users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
+enabled.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.3
+* 1.8: fixed in 1.8.4
+* 1.7: fixed in 1.7.3
+* 1.6: fixed in 1.6.10
+
+There is no known danger in the default configuration, with $wgUseAjax off.
+
+* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
+* (bug 8984) Fix a database error in Special:Recentchangeslinked
+ when using the PostgreSQL database.
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. PHP sends only
+ 'text/html' by default when the script didn't specify more details,
+ which some inconsiderate browsers consider a license to autodetect
+ the deadly, hard-to-escape UTF-7.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
+
+
== MediaWiki 1.9.2 ==
February 4, 2007