Our patch for the Internet Explorer 6 XSS issue (bug 28235) released two days ago in 1.16.3 was insufficient to fix that bug. The original reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we are doing another release, which contains a second attempt at fixing the issue.
Apologies to everyone for the inconvenience. Big thanks go to Masato Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan Kattouw who helped me test the patch this time around, so that we can hopefully avoid a repeat.
It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for Internet Explorer clients, version 6 and earlier. Also, if you used the Apache configuration I suggested in the previous release announcement, you should update it to:
RewriteEngine On
RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
We missed the fact that there can be more than one question mark in a URL. In certain circumstances, IE 6 will use a file extension immediately before a question mark character, regardless of how many question marks precede it. For example, with the URL:
http://example.com/a?b?c.html?d?e
IE 6 will see the file extension as ".html".
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz
Patch to previous version (1.16.3): http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
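As an added illustration (not part of Tim's announcement or of MediaWiki itself), here is a small Python model of the updated RewriteCond together with a simplified, assumed model of the IE 6 extension lookup the announcement describes. The sample URLs other than the one from the announcement are constructed, and the IE 6 regex is an approximation of the described behaviour, not IE's real parser.

```python
import re

# Python model of the updated RewriteCond from the 1.16.4 announcement:
#   RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
# Apache's %{QUERY_STRING} is everything after the first '?', so the same
# pattern is applied to that substring here; [nocase] becomes re.IGNORECASE.
QUERY_EXTENSION = re.compile(r"\.[a-z0-9]{1,4}(#|\?|$)", re.IGNORECASE)

# Simplified model (an assumption based on the announcement's description, not
# IE's actual parser) of how IE 6 picks the "file extension": the first
# dot-plus-short-suffix that sits immediately before a '?', a '#', or the end
# of the URL, no matter how many '?' characters came before it.
IE6_EXTENSION = re.compile(r"\.([a-z0-9]{1,4})(?=[?#]|$)", re.IGNORECASE)


def query_string(url):
    """Return what Apache would expose as %{QUERY_STRING} for this URL."""
    return url.split("?", 1)[1] if "?" in url else ""


def rewrite_rule_blocks(url):
    """True if the updated RewriteCond matches, i.e. the request gets a 403."""
    return QUERY_EXTENSION.search(query_string(url)) is not None


def ie6_apparent_extension(url):
    """Extension IE 6 would infer under the simplified model, or None."""
    m = IE6_EXTENSION.search(url)
    return m.group(1).lower() if m else None


def classify(urls):
    """Pair each URL with (extension IE 6 sees, whether the rule blocks it)."""
    return [(u, ie6_apparent_extension(u), rewrite_rule_blocks(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs; only the first one is taken from the announcement.
    samples = [
        "http://example.com/a?b?c.html?d?e",
        "http://example.com/images/Logo.png",
        "http://example.com/index.php?title=Main_Page",
        "http://example.com/index.php?title=X&rev=1.0",
    ]
    for url, ext, blocked in classify(samples):
        print(f"{url:45s} IE6 sees: {ext!s:5s} blocked: {blocked}")
```

Running it shows the announcement's URL being blocked because `.html?` occurs inside the query string, while a plain image request with no query string passes. Note the last sample: because the pattern accepts any one-to-four character alphanumeric suffix at the end of the query string, a harmless value such as `rev=1.0` is also refused, so the rule should only be applied to the images directory, where such query strings are not expected, rather than to the whole wiki.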
On 14.04.2011 09:47, Tim Starling wrote:
We missed the fact that there can be more than one question mark in a URL. In certain circumstances, IE 6 will use a file extension immediately before a question mark character, regardless of how many question marks precede it. For example, with the URL:
http://example.com/a?b?c.html?d?e
IE 6 will see the file extension as ".html".
Wow, seriously? IE6 should be taken out the back and shot...
-- daniel
On 14-04-11 10:02 Daniel Kinzler daniel@brightbyte.de wrote:
Wow, seriously? IE6 should be taken out the back and shot...
You're in luck. These days, even Microsoft agrees with you:
So when will we be able to drop IE6 support in MediaWiki completely? What metrics/thresholds can we use?
I would suggest to set a percentage of worldwide usage as reported by some "trusted" statistics report, or possibly a percentage of Wikimedia pageviews. 3% or 4%?
Any thoughts?
Siebrand
*For reading*, we aim to support any browser with 0.1%[1] use or more.
This has both culled things out, like IE 5.5, and surfaced things like NetFront (Sony Playstation Browser).
*For security*, if it's possible to protect the site or our users, and we have money in the bank, we should be doing what it takes to protect them.
*For everything else*, we support various browsers based on a variety of factors:
* Whether the browser can ever support the feature at all
* Level of difficulty getting the feature to work in the browser
* Level of resources dedicated to the project
We normally knock out the most commonly-used and easy-to-get-working browsers first, and then sort out details on other browsers in order of use. There's no base percentage here, just hopes and dreams.
- Trevor
[1] http://stats.wikimedia.org/wikimedia/squids/SquidReportClients.htm
On Apr 14, 2011, at 2:10 AM, Siebrand Mazeland wrote:
On 14-04-11 10:02 Daniel Kinzler daniel@brightbyte.de wrote:
Wow, seriously? IE6 should be taken out the back and shot...
You're in luck. These days, even Microsoft agrees with you:
So when will we be able to drop IE6 support in MediaWiki completely? What metrics/thresholds can we use?
I would suggest to set a percentage of worldwide usage as reported by some "trusted" statistics report, or possibly a percentage of Wikimedia pageviews. 3% or 4%?
Any thoughts?
Siebrand
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Hi Tim,
On 04/14/2011 09:47 AM, Tim Starling wrote:
Also, if you used the Apache configuration I suggested in the previous release announcement, you should update it to:
RewriteEngine On
RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
I'm confused - where should this configuration be applied? To the images subdirectory?
Best, Kilian
On 14/04/11 18:20, Kilian wrote:
Hi Tim,
On 04/14/2011 09:47 AM, Tim Starling wrote:
Also, if you used the Apache configuration I suggested in the previous release announcement, you should update it to:
RewriteEngine On
RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
I'm confused - where should this configuration be applied? To the images subdirectory?
Yes, or wherever you keep your images if it isn't there.
-- Tim Starling
mediawiki-l@lists.wikimedia.org