* Add 'charset' to Content-Type headers on various HTTP error responses
authorBrion Vibber <brion@users.mediawiki.org>
Wed, 21 Feb 2007 01:02:47 +0000 (01:02 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Wed, 21 Feb 2007 01:02:47 +0000 (01:02 +0000)
  to forestall additional UTF-7-autodetect XSS issues. Probably not an
  issue on Apache 2.0+, but most servers send only 'text/html' by default
  when the script didn't specify more details.
    This fixes an issue with the Ajax interface error message on MSIE when
  $wgUseAjax is enabled (not default configuration); this UTF-7 variant
  on a previously fixed attack vector was discovered by Moshe BA from BugSec:
  http://www.bugsec.com/articles.php?Security=24

* Trackback responses now specify XML content type

RELEASE-NOTES
img_auth.php
includes/AjaxDispatcher.php
includes/EditPage.php
includes/GlobalFunctions.php
includes/Metadata.php
includes/OutputPage.php
includes/StreamFile.php
thumb.php
trackback.php

index 02af192..7b60643 100644 (file)
@@ -207,6 +207,15 @@ lighter making things easier to read.
 * Lazy-initialize site_stats row on load when empty. Somewhat kinder to
   dump-based installations, avoiding PHP warnings when NUMBEROFARTICLES
   and such are used.
+* Add 'charset' to Content-Type headers on various HTTP error responses
+  to forestall additional UTF-7-autodetect XSS issues. Probably not an
+  issue on Apache 2.0+, but most servers send only 'text/html' by default
+  when the script didn't specify more details.
+    This fixes an issue with the Ajax interface error message on MSIE when
+  $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+  on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+  http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
 
 
 == Languages updated ==
index 99ca37d..11684b3 100644 (file)
@@ -50,6 +50,7 @@ wfLogProfilingData();
 
 function wfForbidden() {
        header( 'HTTP/1.0 403 Forbidden' );
+       header( 'Content-Type: text/html; charset=utf-8' );
        print
 "<html><body>
 <h1>Access denied</h1>
index 0034ecf..4a84ea2 100644 (file)
@@ -54,15 +54,15 @@ class AjaxDispatcher {
                wfProfileIn( __METHOD__ );
 
                if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
-                       header( 'Status: 400 Bad Request', true, 400 );
-                       print "unknown function " . htmlspecialchars( (string) $this->func_name );
+                       wfHttpError( 400, 'Bad Request',
+                               "unknown function " . (string) $this->func_name );
                } else {
                        try {
                                $result = call_user_func_array($this->func_name, $this->args);
 
                                if ( $result === false || $result === NULL ) {
-                                       header( 'Status: 500 Internal Error', true, 500 );
-                                       echo "{$this->func_name} returned no data";
+                                       wfHttpError( 500, 'Internal Error',
+                                               "{$this->func_name} returned no data" );
                                }
                                else {
                                        if ( is_string( $result ) ) {
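Review bot: The removed print ran `$this->func_name` through htmlspecialchars() before emitting it, while the new call passes the raw `(string) $this->func_name` as `$desc` to wfHttpError(); the function name comes straight from the request, so this is only safe if wfHttpError() escapes `$desc` itself. The GlobalFunctions hunk in this commit shows `htmlspecialchars( $label )` for the title, but the line that prints `$desc` is outside that hunk — confirm it is escaped there, and if it is not, restore the escaping at this call site as `"unknown function " . htmlspecialchars( (string) $this->func_name )`. The same dependency applies to the two 500 paths that now hand `"{$this->func_name} returned no data"` and `$e->getMessage()` to wfHttpError() (this hunk and the one at @@ -75,8 +75,8 @@), since exception messages can embed request-derived text. The unchanged `in_array( $this->func_name, $wgAjaxExportList )` guard is a loose comparison; passing `true` as the third argument would make the allow-list check strict. The enclosing method begins before this hunk and continues past it.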
@@ -75,8 +75,8 @@ class AjaxDispatcher {
 
                        } catch (Exception $e) {
                                if (!headers_sent()) {
-                                       header( 'Status: 500 Internal Error', true, 500 );
-                                       print $e->getMessage();
+                                       wfHttpError( 500, 'Internal Error',
+                                               $e->getMessage() );
                                } else {
                                        print $e->getMessage();
                                }
index 505e800..f10d1ea 100644 (file)
@@ -1834,7 +1834,7 @@ END
        function livePreview() {
                global $wgOut;
                $wgOut->disable();
-               header( 'Content-type: text/xml' );
+               header( 'Content-type: text/xml; charset=utf-8' );
                header( 'Cache-control: no-cache' );
 
                $s =
index 619a373..171a29b 100644 (file)
@@ -1085,7 +1085,7 @@ function wfHttpError( $code, $label, $desc ) {
        header( "Status: $code $label" );
        $wgOut->sendCacheControl();
 
-       header( 'Content-type: text/html' );
+       header( 'Content-type: text/html; charset=utf-8' );
        print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">".
                "<html><head><title>" .
                htmlspecialchars( $label ) .
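Review bot: Now that the Ajax dispatcher routes its 400 and 500 responses through this function, the bare `header( "Status: $code $label" );` a few lines above the change deserves a look: the dispatcher lines this commit removes passed the code explicitly (`header( 'Status: 400 Bad Request', true, 400 )`), and whether a `Status:` header on its own sets the response code appears to depend on the SAPI in use. Passing the code through keeps that independent of the server setup: `header( "Status: $code $label", true, $code );`. Because `$label` is written into a response header unescaped, callers should keep passing literal labels as they do in this commit — a short docblock line such as `@param string $label HTTP reason phrase; must be a literal, it is sent in a header` would make that contract explicit. The body of wfHttpError continues past the hunk, so the line that emits `$desc` is not visible here.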
index dee3457..98a92ec 100644 (file)
@@ -80,7 +80,7 @@ function rdfSetup() {
                return false;
        } else {
                $wgOut->disable();
-               header( "Content-type: {$rdftype}" );
+               header( "Content-type: {$rdftype}; charset=utf-8" );
                $wgOut->sendCacheControl();
                return true;
        }
index 7501c65..fd64c9e 100644 (file)
@@ -577,6 +577,7 @@ class OutputPage {
 
                        $this->sendCacheControl();
 
+                       $wgRequest->response()->header("Content-Type: text/html; charset=utf-8");
                        if( $wgDebugRedirects ) {
                                $url = htmlspecialchars( $this->mRedirect );
                                print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n";
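Review bot: The added line goes through `$wgRequest->response()->header(...)` whereas every other file in this commit calls `header()` directly; if the response wrapper is the preferred path in OutputPage that is fine, but the enclosing method starts before the hunk, so make sure `$wgRequest` is actually imported into its scope (`global $wgRequest;`), otherwise this line fails on a null object before the redirect is sent. A one-line comment would also help the next reader, since a Content-Type on a redirect looks odd at first glance: `// The redirect carries an HTML body (debug page or short notice); pin the charset so the client cannot sniff it.`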
index 949422d..dc653e5 100644 (file)
@@ -7,7 +7,7 @@ function wfStreamFile( $fname ) {
        if ( !$stat ) {
                header( 'HTTP/1.0 404 Not Found' );
                header( 'Cache-Control: no-cache' );
-               header( 'Content-Type: text/html' );
+               header( 'Content-Type: text/html; charset=utf-8' );
                $encFile = htmlspecialchars( $fname );
                $encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] );
                echo "<html><body>
index 7c188b4..42bc549 100644 (file)
--- a/thumb.php
+++ b/thumb.php
@@ -75,7 +75,7 @@ if ( $thumb && $thumb->path ) {
        $badtitle = wfMsg( 'badtitle' );
        $badtitletext = wfMsg( 'badtitletext' );
        header( 'Cache-Control: no-cache' );
-       header( 'Content-Type: text/html' );
+       header( 'Content-Type: text/html; charset=utf-8' );
        echo "<html><head>
        <title>$badtitle</title>
        <body>
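Review bot: The charset header stops the client from guessing the encoding of this error page, but the body that follows still interpolates `$badtitle` from wfMsg() into `<title>$badtitle</title>` without htmlspecialchars(), and `$badtitletext` is presumably echoed the same way further down, outside the hunk. If those messages can be edited through the wiki's message interface, that gap remains with or without the charset; `$badtitle = htmlspecialchars( wfMsg( 'badtitle' ) );` (and the same for `$badtitletext`) closes it, and if the messages are meant to carry markup a comment saying so would save the next reviewer the question. Minor: the `<head>` opened here is never closed before `<body>` in the visible lines.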
index ea3f90f..ba8aa07 100644 (file)
@@ -10,6 +10,7 @@ require_once( './includes/DatabaseFunctions.php' );
  *
  */
 function XMLsuccess() {
+       header("Content-Type: application/xml; charset=utf-8");
        echo "
 <?xml version=\"1.0\" encoding=\"utf-8\"?>
 <response>
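Review bot: Declaring the response as `application/xml` makes the leading newline in the echoed body a problem: the string literal starts with a line break before `<?xml version="1.0" encoding="utf-8"?>`, so the XML declaration is not at the very start of the document, which XML 1.0 treats as a well-formedness error that strict parsers reject. Joining the two lines so the body begins `echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>` fixes it here; XMLerror() at @@ -21,6 +22,7 @@ has the same shape. The `charset=utf-8` parameter matches the `encoding="utf-8"` in the prolog, which is what a client should see for application/xml; in XMLerror() also confirm that `$err` is escaped for XML before it is echoed, as its output line is outside the hunk.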
@@ -21,6 +22,7 @@ function XMLsuccess() {
 
 function XMLerror($err = "Invalid request.") {
        header("HTTP/1.0 400 Bad Request");
+       header("Content-Type: application/xml; charset=utf-8");
        echo "
 <?xml version=\"1.0\" encoding=\"utf-8\"?>
 <response>