From 2d5ac3c276413fe42ebda673019c7fcdf4b2c878 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Wed, 21 Feb 2007 01:02:47 +0000
Subject: [PATCH] * Add 'charset' to Content-Type headers on various HTTP error
 responses   to forestall additional UTF-7-autodetect XSS issues. Probably not
 an   issue on Apache 2.0+, but most servers send only 'text/html' by default 
  when the script didn't specify more details.     This fixes an issue with
 the Ajax interface error message on MSIE when   $wgUseAjax is enabled (not
 default configuration); this UTF-7 variant   on a previously fixed attack
 vector was discovered by Moshe BA from BugSec:  
 http://www.bugsec.com/articles.php?Security=24

* Trackback responses now specify XML content type
---
 RELEASE-NOTES                |  9 +++++++++
 img_auth.php                 |  1 +
 includes/AjaxDispatcher.php  | 12 ++++++------
 includes/EditPage.php        |  2 +-
 includes/GlobalFunctions.php |  2 +-
 includes/Metadata.php        |  2 +-
 includes/OutputPage.php      |  1 +
 includes/StreamFile.php      |  2 +-
 thumb.php                    |  2 +-
 trackback.php                |  2 ++
 10 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 02af192b65..7b60643f66 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -207,6 +207,15 @@ lighter making things easier to read.
 * Lazy-initialize site_stats row on load when empty. Somewhat kinder to
   dump-based installations, avoiding PHP warnings when NUMBEROFARTICLES
   and such are used.
+* Add 'charset' to Content-Type headers on various HTTP error responses
+  to forestall additional UTF-7-autodetect XSS issues. Probably not an
+  issue on Apache 2.0+, but most servers send only 'text/html' by default
+  when the script didn't specify more details.
+    This fixes an issue with the Ajax interface error message on MSIE when
+  $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+  on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+  http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
 
 
 == Languages updated ==
diff --git a/img_auth.php b/img_auth.php
index 99ca37dbcc..11684b375e 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -50,6 +50,7 @@ wfLogProfilingData();
 
 function wfForbidden() {
 	header( 'HTTP/1.0 403 Forbidden' );
+	header( 'Content-Type: text/html; charset=utf-8' );
 	print
 "<html><body>
 <h1>Access denied</h1>
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 0034ecf4e3..4a84ea2261 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -54,15 +54,15 @@ class AjaxDispatcher {
 		wfProfileIn( __METHOD__ );
 
 		if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
-			header( 'Status: 400 Bad Request', true, 400 );
-			print "unknown function " . htmlspecialchars( (string) $this->func_name );
+			wfHttpError( 400, 'Bad Request',
+				"unknown function " . (string) $this->func_name );
 		} else {
 			try {
 				$result = call_user_func_array($this->func_name, $this->args);
 
 				if ( $result === false || $result === NULL ) {
-					header( 'Status: 500 Internal Error', true, 500 );
-					echo "{$this->func_name} returned no data";
+					wfHttpError( 500, 'Internal Error',
+						"{$this->func_name} returned no data" );
 				}
 				else {
 					if ( is_string( $result ) ) {
@@ -75,8 +75,8 @@ class AjaxDispatcher {
 
 			} catch (Exception $e) {
 				if (!headers_sent()) {
-					header( 'Status: 500 Internal Error', true, 500 );
-					print $e->getMessage();
+					wfHttpError( 500, 'Internal Error',
+						$e->getMessage() );
 				} else {
 					print $e->getMessage();
 				}
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 505e800d90..f10d1ea037 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1834,7 +1834,7 @@ END
 	function livePreview() {
 		global $wgOut;
 		$wgOut->disable();
-		header( 'Content-type: text/xml' );
+		header( 'Content-type: text/xml; charset=utf-8' );
 		header( 'Cache-control: no-cache' );
 
 		$s =
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 619a3731f3..171a29b93b 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -1085,7 +1085,7 @@ function wfHttpError( $code, $label, $desc ) {
 	header( "Status: $code $label" );
 	$wgOut->sendCacheControl();
 
-	header( 'Content-type: text/html' );
+	header( 'Content-type: text/html; charset=utf-8' );
 	print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">".
 		"<html><head><title>" .
 		htmlspecialchars( $label ) .
diff --git a/includes/Metadata.php b/includes/Metadata.php
index dee3457590..98a92ecd30 100644
--- a/includes/Metadata.php
+++ b/includes/Metadata.php
@@ -80,7 +80,7 @@ function rdfSetup() {
 		return false;
 	} else {
 		$wgOut->disable();
-		header( "Content-type: {$rdftype}" );
+		header( "Content-type: {$rdftype}; charset=utf-8" );
 		$wgOut->sendCacheControl();
 		return true;
 	}
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 7501c65f10..fd64c9ecc0 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -577,6 +577,7 @@ class OutputPage {
 
 			$this->sendCacheControl();
 
+			$wgRequest->response()->header("Content-Type: text/html; charset=utf-8");
 			if( $wgDebugRedirects ) {
 				$url = htmlspecialchars( $this->mRedirect );
 				print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n";
diff --git a/includes/StreamFile.php b/includes/StreamFile.php
index 949422d691..dc653e57bf 100644
--- a/includes/StreamFile.php
+++ b/includes/StreamFile.php
@@ -7,7 +7,7 @@ function wfStreamFile( $fname ) {
 	if ( !$stat ) {
 		header( 'HTTP/1.0 404 Not Found' );
 		header( 'Cache-Control: no-cache' );
-		header( 'Content-Type: text/html' );
+		header( 'Content-Type: text/html; charset=utf-8' );
 		$encFile = htmlspecialchars( $fname );
 		$encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] );
 		echo "<html><body>
diff --git a/thumb.php b/thumb.php
index 7c188b47f1..42bc5497a5 100644
--- a/thumb.php
+++ b/thumb.php
@@ -75,7 +75,7 @@ if ( $thumb && $thumb->path ) {
 	$badtitle = wfMsg( 'badtitle' );
 	$badtitletext = wfMsg( 'badtitletext' );
 	header( 'Cache-Control: no-cache' );
-	header( 'Content-Type: text/html' );
+	header( 'Content-Type: text/html; charset=utf-8' );
 	echo "<html><head>
 	<title>$badtitle</title>
 	<body>
diff --git a/trackback.php b/trackback.php
index ea3f90fe46..ba8aa0783f 100644
--- a/trackback.php
+++ b/trackback.php
@@ -10,6 +10,7 @@ require_once( './includes/DatabaseFunctions.php' );
  *
  */
 function XMLsuccess() {
+	header("Content-Type: application/xml; charset=utf-8");
 	echo "
 <?xml version=\"1.0\" encoding=\"utf-8\"?>
 <response>
@@ -21,6 +22,7 @@ function XMLsuccess() {
 
 function XMLerror($err = "Invalid request.") {
 	header("HTTP/1.0 400 Bad Request");
+	header("Content-Type: application/xml; charset=utf-8");
 	echo "
 <?xml version=\"1.0\" encoding=\"utf-8\"?>
 <response>
-- 
2.20.1