Fix potential html injection when the database server isn't available (bug 26164).

Wikis which set $wgServer in their LocalSettings or are in a virtual
host would never be vulnerable.
For sites which show the wiki in the default host, it will depend on how
forgiving is their webserver and php stack for that garbled input, although
some kind of foolable proxy —moreover wrongly caching errors (or the default
output buffering is disabled and something incorrectly sent a previous text)—
would also need to be present in order to make that useful for a
potential attacker.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 83bbf7b..084cad1 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -441,6 +441,7 @@ LocalSettings.php. The specific bugs are listed below in the general notes.
 * (bug 25451) Improved datetime representation in 32 bit php >= 5.2.
 * Show "skin does not exist error" only when the skin is inputted in the wrong
   case.
+* (bug 26164) Potential html injection when the database server isn't available
 
 === API changes in 1.17 ===
 * (bug 22738) Allow filtering by action type on query=logevent.

diff --git a/includes/Exception.php b/includes/Exception.php
index ac336bf..ff5d4b1 100644 (file)
--- a/includes/Exception.php
+++ b/includes/Exception.php
@@ -236,13 +236,15 @@ class MWException extends Exception {
                        header( 'Pragma: nocache' );
                }
 
-               $title = $this->getPageTitle();
+               $logo = htmlspecialchars( $wgLogo, ENT_QUOTES );
+               $title = htmlspecialchars( $this->getPageTitle() );
+
                return "<html>
                <head>
                <title>$title</title>
                </head>
                <body>
-               <h1><img src='$wgLogo' style='float:left;margin-right:1em' alt=''/>$title</h1>
+               <h1><img src='$logo' style='float:left;margin-right:1em' alt=''/>$title</h1>
                ";
        }
 

diff --git a/includes/db/Database.php b/includes/db/Database.php
index 26d4d2b..174b8f2 100644 (file)
--- a/includes/db/Database.php
+++ b/includes/db/Database.php
@@ -2805,7 +2805,7 @@ class DBConnectionError extends DBError {
        }
 
        function searchForm() {
-               global $wgSitename, $wgServer, $wgLang, $wgInputEncoding;
+               global $wgSitename, $wgServer, $wgLang;
 
                $usegoogle = "You can try searching via Google in the meantime.";
                $outofdate = "Note that their indexes of our content may be out of date.";
@@ -2819,20 +2819,23 @@ class DBConnectionError extends DBError {
 
                $search = htmlspecialchars( @$_REQUEST['search'] );
 
+               $server = htmlspecialchars( $wgServer );
+               $sitename = htmlspecialchars( $wgSitename );
+
                $trygoogle = <<<EOT
 <div style="margin: 1.5em">$usegoogle<br />
 <small>$outofdate</small></div>
 <!-- SiteSearch Google -->
 <form method="get" action="http://www.google.com/search" id="googlesearch">
-       <input type="hidden" name="domains" value="$wgServer" />
+       <input type="hidden" name="domains" value="$server" />
        <input type="hidden" name="num" value="50" />
-       <input type="hidden" name="ie" value="$wgInputEncoding" />
-       <input type="hidden" name="oe" value="$wgInputEncoding" />
+       <input type="hidden" name="ie" value="UTF-8" />
+       <input type="hidden" name="oe" value="UTF-8" />
 
        <input type="text" name="q" size="31" maxlength="255" value="$search" />
        <input type="submit" name="btnG" value="$googlesearch" />
   <div>
-       <input type="radio" name="sitesearch" id="gwiki" value="$wgServer" checked="checked" /><label for="gwiki">$wgSitename</label>
+       <input type="radio" name="sitesearch" id="gwiki" value="$server" checked="checked" /><label for="gwiki">$sitename</label>
        <input type="radio" name="sitesearch" id="gWWW" value="" /><label for="gWWW">WWW</label>
   </div>
 </form>