Brion Vibber wrote:
If it's Ajax-related, are there any potential issues with users running Flex?
Jeff
Brion Vibber wrote:
Edward Z. Yang wrote:
See
http://ha.ckers.org/blog/20070220/mediawiki-192-utf-7-xss/ for
details. I'm sure we get these all the time, but since RSnake picked it
up it probably will get a bit more publicity than normal. Has it been
fixed on the trunk yet?
Haven't heard of it before now, so I'll take a look.
Fixed on trunk in r20007.
As with the previous (non-UTF7-autodetection-based) bug mentioned, this
only affects wikis with $wgUseAjax enabled, which is off by default.
I went through and added preemptive charset headers in various other
places (mostly custom HTTP error output) though I didn't notice anything
that looked exploitable.
Will backport to release branches and put out bugfix releases shortly.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
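The thread above describes a UTF-7 XSS in MediaWiki's Ajax output and the fix of sending explicit charset headers. The following is an added illustration, not MediaWiki code and not from the ha.ckers.org post: it builds the classic UTF-7 payload in which every angle bracket is hidden in a +...- shift sequence, shows that output escaping keyed on `<`, `>`, `&` and quotes passes it untouched, and then models the browser side. The `render()` function and its `sniffed="utf-7"` default are an assumption standing in for a legacy browser that autodetects the charset when the response declares none; the header dictionaries are constructed sample responses. The bundled `declared_charset()` check is the kind of test you would run against a server's responses to confirm the fix is in place.

```python
# Added example (not MediaWiki or RSnake's code): why a response with no
# declared charset can be read as UTF-7, and the header check behind the fix.
import base64
import html
import re
from typing import Optional

# RFC 2152 "Set D": characters a UTF-7 encoder may always emit literally.
_DIRECT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'(),-./:?"
)


def utf7_encode_strict(text: str) -> str:
    """Encode text as UTF-7, base64-encoding everything outside Set D.

    Python's own utf-7 codec emits '<' and '>' literally (RFC 2152 permits
    that), so this stricter encoder is used to build the payload form in
    which the angle brackets only exist inside +...- shift sequences.
    """
    out = []
    run = []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
            run.clear()

    for ch in text:
        if ch in _DIRECT:
            flush()
            out.append(ch)
        elif ch == "+":
            flush()
            out.append("+-")  # a literal '+' is written as "+-" in UTF-7
        else:
            run.append(ch)
    flush()
    return "".join(out)


def declared_charset(headers: dict) -> Optional[str]:
    """Return the charset named in Content-Type, or None if none is declared."""
    ctype = headers.get("Content-Type", "")
    m = re.search(r'charset\s*=\s*"?([\w.-]+)', ctype, re.IGNORECASE)
    return m.group(1).lower() if m else None


def render(body: bytes, headers: dict, sniffed: str = "utf-7") -> str:
    """Assumed browser model: a declared charset always wins; without one the
    browser autodetects, and `sniffed` stands in for whatever it guesses."""
    return body.decode(declared_charset(headers) or sniffed)


def demo() -> dict:
    payload = utf7_encode_strict("<script>alert(1)</script>")
    # The encoded form contains no '<', '>', '&' or quotes, so escaping that
    # only looks for those characters returns it unchanged.
    escaped = html.escape(payload)
    assert escaped == payload

    body = escaped.encode("ascii")
    vulnerable = {"Content-Type": "text/html"}            # constructed: no charset
    fixed = {"Content-Type": "text/html; charset=utf-8"}  # constructed: the fix

    return {
        "payload": payload,
        "seen_without_charset": render(body, vulnerable),
        "seen_with_charset": render(body, fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the charset declared, the same bytes decode as the inert ASCII string `+ADw-script+AD4-alert(1)+ADw-/script+AD4-`; without it, a browser that guesses UTF-7 sees a live `<script>` element. That is why the fix is a header on every text response rather than a change to the escaping code.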
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/wikitech-l