(MAIN-4265) Apply MediaWiki 1.19.24 security release to core

Author: Grunny

RELEASE-NOTES-1.19

@@ -3,6 +3,20 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.19.24 ==
+
+This is a security and maintenance release of the MediaWiki 1.19 branch.
+
+== Changes since 1.19.23 ==
+
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+  to prevent various DoS attacks.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+  prevent XSS and protect viewer's privacy.
+
 == MediaWiki 1.19.23 ==
 
 This is a security and maintenance release of the MediaWiki 1.19 branch.

includes/DefaultSettings.php

@@ -33,7 +33,7 @@
 /** @endcond */
 
 /** MediaWiki version number */
-$wgVersion = '1.19.23';
+$wgVersion = '1.19.24';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';

includes/EditPage.php

@@ -2083,14 +2083,19 @@ protected function showHeader() {
 				if ( $this->isWrongCaseCssJsPage ) {
 					$wgOut->wrapWikiMsg( "<div class='error' id='mw-userinvalidcssjstitle'>\n$1\n</div>", array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() ) );
 				}
+				if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
 				if ( $this->formtype !== 'preview' ) {
-					if ( $this->isCssSubpage )
+						if ( $this->isCssSubpage ) {
 						$wgOut->wrapWikiMsg( "<div id='mw-usercssyoucanpreview'>\n$1\n</div>", array( 'usercssyoucanpreview' ) );
-					if ( $this->isJsSubpage )
+						}
+
+						if ( $this->isJsSubpage ) {
 						$wgOut->wrapWikiMsg( "<div id='mw-userjsyoucanpreview'>\n$1\n</div>", array( 'userjsyoucanpreview' ) );
 				}
 			}
 		}
+			}
+		}
 
 		if ( $this->mTitle->getNamespace() != NS_MEDIAWIKI && $this->mTitle->isProtected( 'edit' ) ) {
 			# Is the title semi-protected?

includes/Html.php

@@ -450,7 +450,7 @@ public static function expandAttributes( $attribs ) {
 				'class', // html4, html5
 				'accesskey', // as of html5, multiple space-separated values allowed
 				// html4-spec doesn't document rel= as space-separated
-				// but has been used like that and is now documented as such 
+				// but has been used like that and is now documented as such
 				// in the html5-spec.
 				'rel',
 			);
@@ -463,7 +463,7 @@ public static function expandAttributes( $attribs ) {
 				// values. Implode/explode to get those into the main array as well.
 				if ( is_array( $value ) ) {
 					// If input wasn't an array, we can skip this step
-					
+
 					$newValue = array();
 					foreach ( $value as $k => $v ) {
 						if ( is_string( $v ) ) {
@@ -523,10 +523,34 @@ public static function expandAttributes( $attribs ) {
 					$ret .= " $key=\"$key\"";
 				}
 			} else {
-				// Note: It's important to encode < and >, even if its not
-				// required in this context, due to how language converter
-				// works.
-				$ret .= " $key=$quote" . Sanitizer::encodeAttribute( $value ) . $quote;
+				# Apparently we need to entity-encode \n, \r, \t, although the
+				# spec doesn't mention that.  Since we're doing strtr() anyway,
+				# we may as well not call htmlspecialchars().
+				# @todo FIXME: Verify that we actually need to
+				# escape \n\r\t here, and explain why, exactly.
+				#
+				# We could call Sanitizer::encodeAttribute() for this, but we
+				# don't because we're stubborn and like our marginal savings on
+				# byte size from not having to encode unnecessary quotes.
+				# The only difference between this transform and the one by
+				# Sanitizer::encodeAttribute() is '<' is only encoded here if
+				# $wgWellFormedXml is set, and ' is not encoded.
+				$map = array(
+					'&' => '&amp;',
+					'"' => '&quot;',
+					'>' => '&gt;',
+					"\n" => '&#10;',
+					"\r" => '&#13;',
+					"\t" => '&#9;'
+				);
+				if ( $wgWellFormedXml ) {
+					# This is allowed per spec: <http://www.w3.org/TR/xml/#NT-AttValue>
+					# But reportedly it breaks some XML tools?
+					# @todo FIXME: Is this really true?
+					$map['<'] = '&lt;';
+				}
+
+				$ret .= " $key=$quote" . strtr( $value, $map ) . $quote;
 			}
 		}
 		return $ret;

includes/OutputPage.php

@@ -3115,6 +3115,10 @@ public function userCanPreview() {
 		if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
 			return false;
 		}
+		if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+			// Don't execute another user's CSS or JS on preview (T85855)
+			return false;
+		}
 
 		return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
 	}