dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 6479ad2) | patch
* Add 'charset' to Content-Type headers on various HTTP error responses
authorBrion Vibber <brion@users.mediawiki.org>
Wed, 21 Feb 2007 01:02:47 +0000 (01:02 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Wed, 21 Feb 2007 01:02:47 +0000 (01:02 +0000)
commit2d5ac3c276413fe42ebda673019c7fcdf4b2c878
treed18a4ddf3b7d6911cb3dfc4cb16d686e45b67dcctree | snapshot
parent6479ad2cda6af326fd58390b8a0ca7a43b5460fecommit | diff
* Add 'charset' to Content-Type headers on various HTTP error responses
  to forestall additional UTF-7-autodetect XSS issues. Probably not an
  issue on Apache 2.0+, but most servers send only 'text/html' by default
  when the script didn't specify more details.
    This fixes an issue with the Ajax interface error message on MSIE when
  $wgUseAjax is enabled (not default configuration); this UTF-7 variant
  on a previously fixed attack vector was discovered by Moshe BA from BugSec:
  http://www.bugsec.com/articles.php?Security=24

* Trackback responses now specify XML content type
RELEASE-NOTES diff | blob | history
img_auth.php diff | blob | history
includes/AjaxDispatcher.php diff | blob | history
includes/EditPage.php diff | blob | history
includes/GlobalFunctions.php diff | blob | history
includes/Metadata.php diff | blob | history
includes/OutputPage.php diff | blob | history
includes/StreamFile.php diff | blob | history
thumb.php diff | blob | history
trackback.php diff | blob | history
Wiklou, le Wiki du Wiklou