MediaWiki 1.16.4

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index cf3f3a77efa59c985239f667e869f6e631aa6253..1a863b9fa9b4ecd56fc5dcd93f5b042a7f3d844b 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,8 +1,8 @@
 = MediaWiki release notes =
 
-== MediaWiki 1.16.3 ==
+== MediaWiki 1.16.4 ==
 
-2011-04-12
+2011-04-14
 
 This is a security and maintenance release of the MediaWiki 1.16 branch.
 
@@ -44,6 +44,12 @@ set $wgCacheDirectory to a writable path on the local filesystem. Make sure
 you have the DBA extension for PHP installed, this will improve performance 
 further.
 
+== Changes since 1.16.3 ==
+
+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6 
+  clients) was not actually sufficient to fix that bug. This release contains 
+  a second attempt, hopefully we have fixed it this time.
+
 == Changes since 1.16.2 ==
 
 * (bug 28449) Fixed permissions checks in Special:Import which allowed users 

diff --git a/images/.htaccess b/images/.htaccess
index e84a09522ad9865d3a9b75c25680f15b483c54be..2aea33e06270cc903d8cab1611d0a480d4610073 100644 (file)
--- a/images/.htaccess
+++ b/images/.htaccess
@@ -1,6 +1,6 @@
 # Protect against bug 28235
 <IfModule rewrite_module>
        RewriteEngine On
-       RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
+       RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
        RewriteRule . - [forbidden]
 </IfModule>

diff --git a/img_auth.php b/img_auth.php
index 534d1fd2ec01fbc60b3d657f9c3efb595ef86a02..26ba9413c81ae23a8e5afaa16e4a7e29a2e88128 100644 (file)
--- a/img_auth.php
+++ b/img_auth.php
@@ -39,7 +39,7 @@ if ( $wgImgAuthPublicTest
 
 // Check for bug 28235: QUERY_STRING overriding the correct extension
 if ( isset( $_SERVER['QUERY_STRING'] )
-       && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+       && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
 {
        wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
 }

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 7993d95cbe6ac53a48099ddcea046dfe8758ba9c..e4864edb3ea421cf7cfddc0966a783d9d8cee01a 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -33,7 +33,7 @@ if ( !defined( 'MW_PHP4' ) ) {
 }
 
 /** MediaWiki version number */
-$wgVersion = '1.16.3';
+$wgVersion = '1.16.4';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';

diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 8a0ef48bf51fb9cf7ca1843f7914cd2214e0e18a..a1d02d9c81aa24e4aa4766f3af129049c5482cc7 100644 (file)
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -697,7 +697,7 @@ class WebRequest {
                global $wgScriptExtension;
 
                if ( isset( $_SERVER['QUERY_STRING'] ) 
-                       && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+                       && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
                {
                        // Bug 28235
                        // Block only Internet Explorer, and requests with missing UA 

diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc
index 25bc8fd052f2d2c76fd2116d8eada05138a0e923..4c907a161c4a96a9575e756f390b5badf99993cf 100644 (file)
--- a/maintenance/language/messages.inc
+++ b/maintenance/language/messages.inc
@@ -1272,6 +1272,7 @@ $wgMessageStructure = array(
                'img-auth-streaming',
                'img-auth-public',
                'img-auth-noread',
+               'img-auth-bad-query-string',
        ),
 
        'http-errors' => array(