* Lazy-initialize site_stats row on load when empty. Somewhat kinder to
dump-based installations, avoiding PHP warnings when NUMBEROFARTICLES
and such are used.
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. Probably not an
+ issue on Apache 2.0+, but most servers send only 'text/html' by default
+ when the script didn't specify more details.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
== Languages updated ==
function wfForbidden() {
header( 'HTTP/1.0 403 Forbidden' );
+ header( 'Content-Type: text/html; charset=utf-8' );
print
"<html><body>
<h1>Access denied</h1>
wfProfileIn( __METHOD__ );
if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
- header( 'Status: 400 Bad Request', true, 400 );
- print "unknown function " . htmlspecialchars( (string) $this->func_name );
+ wfHttpError( 400, 'Bad Request',
+ "unknown function " . (string) $this->func_name );
} else {
try {
$result = call_user_func_array($this->func_name, $this->args);
if ( $result === false || $result === NULL ) {
- header( 'Status: 500 Internal Error', true, 500 );
- echo "{$this->func_name} returned no data";
+ wfHttpError( 500, 'Internal Error',
+ "{$this->func_name} returned no data" );
}
else {
if ( is_string( $result ) ) {
} catch (Exception $e) {
if (!headers_sent()) {
- header( 'Status: 500 Internal Error', true, 500 );
- print $e->getMessage();
+ wfHttpError( 500, 'Internal Error',
+ $e->getMessage() );
} else {
print $e->getMessage();
}
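Review bot: The 400 branch drops the `htmlspecialchars()` that the removed line applied to `$this->func_name` and passes the raw value to `wfHttpError()`, which is only safe if `wfHttpError()` escapes its description argument itself. The `wfHttpError` hunk further down shows `$label` going through `htmlspecialchars()`, but the line that emits the description is outside that hunk, so this should be confirmed, or the call made self-contained as `"unknown function " . htmlspecialchars( (string) $this->func_name )`. The two 500 branches that now pass `$e->getMessage()` and `$this->func_name` rely on the same escaping, and the final `else` still prints the exception message unescaped once headers are sent, which this commit leaves unchanged. The enclosing method starts before and ends after these lines.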
function livePreview() {
global $wgOut;
$wgOut->disable();
- header( 'Content-type: text/xml' );
+ header( 'Content-type: text/xml; charset=utf-8' );
header( 'Cache-control: no-cache' );
$s =
header( "Status: $code $label" );
$wgOut->sendCacheControl();
- header( 'Content-type: text/html' );
+ header( 'Content-type: text/html; charset=utf-8' );
print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">".
"<html><head><title>" .
htmlspecialchars( $label ) .
return false;
} else {
$wgOut->disable();
- header( "Content-type: {$rdftype}" );
+ header( "Content-type: {$rdftype}; charset=utf-8" );
$wgOut->sendCacheControl();
return true;
}
$this->sendCacheControl();
+ $wgRequest->response()->header("Content-Type: text/html; charset=utf-8");
if( $wgDebugRedirects ) {
$url = htmlspecialchars( $this->mRedirect );
print "<html>\n<head>\n<title>Redirect</title>\n</head>\n<body>\n";
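Review bot: The new line sets the header through `$wgRequest->response()->header()` while every other hunk in this commit calls `header()` directly; if the response wrapper is the preferred path the other sites should follow it, otherwise this one should match them. The hunk also does not show `$wgRequest` being declared `global` in the enclosing method, which starts before these lines, so confirm it is in scope on the redirect path. A short comment such as `// declare the charset so the debug-redirect HTML below is not left to browser autodetection` would make the reason for emitting a Content-Type on a redirect explicit.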
if ( !$stat ) {
header( 'HTTP/1.0 404 Not Found' );
header( 'Cache-Control: no-cache' );
- header( 'Content-Type: text/html' );
+ header( 'Content-Type: text/html; charset=utf-8' );
$encFile = htmlspecialchars( $fname );
$encScript = htmlspecialchars( $_SERVER['SCRIPT_NAME'] );
echo "<html><body>
$badtitle = wfMsg( 'badtitle' );
$badtitletext = wfMsg( 'badtitletext' );
header( 'Cache-Control: no-cache' );
- header( 'Content-Type: text/html' );
+ header( 'Content-Type: text/html; charset=utf-8' );
echo "<html><head>
<title>$badtitle</title>
<body>
*
*/
function XMLsuccess() {
+ header("Content-Type: application/xml; charset=utf-8");
echo "
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<response>
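Review bot: The `echo` that follows the new header opens its string at the end of the `echo "` line, so a line break is sent before `<?xml version=\"1.0\" encoding=\"utf-8\"?>`; an XML declaration that is not at the very start of the document is not well-formed, which matters more now that the response is labelled `application/xml`. If that leading newline is really emitted as it appears here, moving the declaration onto the `echo` line, `echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>` , resolves it. The same applies to the `XMLerror` hunk below. The `charset=utf-8` parameter and the `encoding="utf-8"` declaration agree, which is the right pairing.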
function XMLerror($err = "Invalid request.") {
header("HTTP/1.0 400 Bad Request");
+ header("Content-Type: application/xml; charset=utf-8");
echo "
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<response>