Index: img_auth.php =================================================================== --- img_auth.php (.../REL1_7_2/phase3) (revision 20016) +++ img_auth.php (.../REL1_7_3/phase3) (revision 20016) @@ -50,6 +50,7 @@ function wfForbidden() { header( 'HTTP/1.0 403 Forbidden' ); + header( 'Content-Type: text/html; charset=utf-8' ); print "
Although this PHP script ({$_SERVER['SCRIPT_NAME']}) exists, the file requested for output
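Review bot: in wfForbidden() the message body interpolates {$_SERVER['SCRIPT_NAME']} straight into HTML with no escaping. The added charset header closes the UTF-7 autodetection path, but the output is still only safe as long as that value never contains markup. Pass it through htmlspecialchars() before printing so the page does not rely on the header alone.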
Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php (.../REL1_7_2/phase3) (revision 20016)
+++ includes/DefaultSettings.php (.../REL1_7_3/phase3) (revision 20016)
@@ -32,7 +32,7 @@
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.7.2';
+$wgVersion = '1.7.3';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
Index: includes/Metadata.php
===================================================================
--- includes/Metadata.php (.../REL1_7_2/phase3) (revision 20016)
+++ includes/Metadata.php (.../REL1_7_3/phase3) (revision 20016)
@@ -80,7 +80,7 @@
return false;
} else {
$wgOut->disable();
- header( "Content-type: {$rdftype}" );
+ header( "Content-type: {$rdftype}; charset=utf-8" );
$wgOut->sendCacheControl();
return true;
}
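Review bot: on the changed header() line, "; charset=utf-8" is appended to whatever $rdftype holds, and the hunk does not show where that variable is set. Confirm it is always one of a fixed set of bare media types. If it could already carry parameters, or be derived from the request, the resulting header would be malformed or caller-influenced. Minor style point: this line spells the header name "Content-type" while the other files in this patch use "Content-Type". This is harmless on the wire but worth making consistent.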
Index: RELEASE-NOTES
===================================================================
--- RELEASE-NOTES (.../REL1_7_2/phase3) (revision 20016)
+++ RELEASE-NOTES (.../REL1_7_3/phase3) (revision 20016)
@@ -3,7 +3,39 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.7.3 ==
+February 20, 2007
+
+This is a security and bug-fix update to the Summer 2006 quarterly release.
+
+An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
+charset autodetection was located in the AJAX support module, affecting MSIE
+users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
+enabled.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.3
+* 1.8: fixed in 1.8.4
+* 1.7: fixed in 1.7.3
+* 1.6: fixed in 1.6.10
+
+There is no known danger in the default configuration, with $wgUseAjax off.
+
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. PHP sends only
+ 'text/html' by default when the script didn't specify more details,
+ which some inconsiderate browsers consider a license to autodetect
+ the deadly, hard-to-escape UTF-7.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
+
+
== MediaWiki 1.7.2 ==
January 9, 2007
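Review bot: the first changelog bullet says charset was added on "various HTTP error responses", but the patch also changes the ordinary RDF output in includes/Metadata.php, which is not an error response and is not mentioned anywhere in the notes. Name the affected entry points (img_auth.php, includes/Metadata.php, trackback.php) so administrators carrying local modifications know which files to re-check.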
Index: trackback.php
===================================================================
--- trackback.php (.../REL1_7_2/phase3) (revision 20016)
+++ trackback.php (.../REL1_7_3/phase3) (revision 20016)
@@ -26,6 +26,7 @@
*
*/
function XMLsuccess() {
+ header("Content-Type: application/xml; charset=utf-8");
echo "
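Review bot: only XMLsuccess() is shown receiving the new header, while the release note speaks of "Trackback responses" in general. Any other function in trackback.php that emits XML needs the same header() call before its first echo, which should be confirmed against the full file. Style point: header("...") here omits the inner spacing used by header( '...' ) in img_auth.php and includes/Metadata.php.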