Index: includes/api/ApiFormatBase.php
===================================================================
--- includes/api/ApiFormatBase.php	(.../REL1_11_0RC1/phase3)	(revision 25750)
+++ includes/api/ApiFormatBase.php	(.../REL1_11_0/phase3)	(revision 25750)
@@ -158,8 +158,11 @@
 	* This method also replaces any '<' with &lt;
 	*/
 	protected function formatHTML($text) {
-		// encode all tags as safe blue strings
-		$text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
+		// Escape everything first for full coverage
+		$text = htmlspecialchars($text);
+		
+		// encode all comments or tags as safe blue strings
+		$text = preg_replace('/\&lt;(!--.*?--|.*?)\&gt;/', '<span style="color:blue;">&lt;\1&gt;</span>', $text);
 		// identify URLs
 		$protos = "http|https|ftp|gopher";
 		$text = ereg_replace("($protos)://[^ \\'\"()<\n]+", '<a href="\\0">\\0</a>', $text);
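Review bot: The URL linkifier on the last line now runs on entity-encoded text, so the `"` stop character in its class never fires; a URL inside a quoted attribute (`url=&quot;http://…&quot;&gt;`) is matched through `&quot;&gt;` up to the `<` of the closing span, producing a wrong href (the entities stay inside the attribute, so this is a broken link rather than a breakout). A negative lookahead on the entity sequences, written in preg form to match the new line above, keeps the link bounded: `$text = preg_replace("/($protos):\\/\\/(?:(?!&quot;|&gt;)[^ \\\\'\"()<\n])+/", '<a href="$0">$0</a>', $text);`. The docblock context line above still says only '<' is replaced; it should now say that all HTML special characters are escaped with htmlspecialchars before the tag highlighting and link rewriting run. Since htmlspecialchars is called without ENT_QUOTES, single quotes pass through unescaped, which is harmless in text context but worth noting there too.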
Index: includes/Title.php
===================================================================
--- includes/Title.php	(.../REL1_11_0RC1/phase3)	(revision 25750)
+++ includes/Title.php	(.../REL1_11_0/phase3)	(revision 25750)
@@ -1922,7 +1922,8 @@
 		// there are numerous ways to present the same IP. Having sp:contribs scan 
 		// them all is silly and having some show the edits and others not is 
 		// inconsistent. Same for talk/userpages. Keep them normalized instead.
-		$dbkey = $this->mNamespace == NS_USER ? IP::sanitizeIP( $dbkey ) : $dbkey;
+		$dbkey = ($this->mNamespace == NS_USER || $this->mNamespace == NS_USER_TALK) ? 
+			IP::sanitizeIP( $dbkey ) : $dbkey;
 		// Any remaining initial :s are illegal.
 		if ( $dbkey !== '' && ':' == $dbkey{0} ) {
 			return false;
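Review bot: The new condition compares the namespace with loose `==` and splits the ternary across two lines with trailing whitespace after `?`; a strict membership test is shorter and reads as the list it is: `$dbkey = in_array( $this->mNamespace, array( NS_USER, NS_USER_TALK ), true ) ? IP::sanitizeIP( $dbkey ) : $dbkey;`. The enclosing method starts and ends outside the hunk.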
Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php	(.../REL1_11_0RC1/phase3)	(revision 25750)
+++ includes/DefaultSettings.php	(.../REL1_11_0/phase3)	(revision 25750)
@@ -31,7 +31,7 @@
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion			= '1.11.0rc1';
+$wgVersion			= '1.11.0';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';
Index: RELEASE-NOTES
===================================================================
--- RELEASE-NOTES	(.../REL1_11_0RC1/phase3)	(revision 25750)
+++ RELEASE-NOTES	(.../REL1_11_0/phase3)	(revision 25750)
@@ -3,10 +3,12 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
-== MediaWiki 1.11.0rc1 ==
+== MediaWiki 1.11.0 ==
 
-This is a release candidate of the Fall 2007 snapshot release of MediaWiki.
+September 10, 2007
 
+This is the Fall 2007 snapshot release of MediaWiki.
+
 MediaWiki is now using a "continuous integration" development model with
 quarterly snapshot releases. The latest development code is always kept
 "ready to run", and in fact runs our own sites on Wikipedia.
@@ -18,6 +20,36 @@
 Those wishing to use the latest code instead of a branch release can obtain
 it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 
+== Changes since 1.11.0rc1 ==
+
+A possible HTML/XSS injection vector in the API pretty-printing mode has
+been found and fixed.
+
+The vulnerability may be worked around in an unfixed version by simply
+disabling the API interface if it is not in use, by adding this to
+LocalSettings.php:
+
+  $wgEnableAPI = false;
+
+(This is the default setting in 1.8.x.)
+
+Not vulnerable versions:
+* 1.11 >= 1.11.0
+* 1.10 >= 1.10.2
+* 1.9 >= 1.9.4
+* 1.8 >= 1.8.5
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.1
+* 1.9 <= 1.9.3
+* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the faulty function, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
 == Configuration changes since 1.10 ==
 
 * $wgThumbUpright - Adjust width of upright images when parameter 'upright' is
