[Pkg-mediawiki-commits] r239 - mediawiki/squeeze/debian/patches

Jonathan Wiltshire jmw at alioth.debian.org
Sun Feb 6 15:08:52 UTC 2011


Author: jmw
Date: 2011-02-06 15:08:44 +0000 (Sun, 06 Feb 2011)
New Revision: 239

Added:
   mediawiki/squeeze/debian/patches/CVE-2011-0003.patch
Log:
Actually commit the patch for CVE-2011-0003


Added: mediawiki/squeeze/debian/patches/CVE-2011-0003.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-0003.patch	                        (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-0003.patch	2011-02-06 15:08:44 UTC (rev 239)
@@ -0,0 +1,28 @@
+Description: prevent ClickJacking by breaking out of iframes
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
+Author: Tim Starling
+Last-Update: 2011-01-04
+
+--- mediawiki-1.15.5.orig/config/index.php
++++ mediawiki-1.15.5/config/index.php
+@@ -21,6 +21,7 @@
+ 
+ error_reporting( E_ALL );
+ header( "Content-type: text/html; charset=utf-8" );
++header( 'X-Frame-Options: DENY' );
+ @ini_set( "display_errors", true );
+ 
+ # In case of errors, let output be clean.
+--- mediawiki-1.15.5.orig/includes/OutputPage.php
++++ mediawiki-1.15.5/includes/OutputPage.php
+@@ -957,6 +957,9 @@
+ 		$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
+ 		$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+ 
++		# To prevent clickjacking, do not allow this page to be inside a frame.
++		$wgRequest->response()->header( 'X-Frame-Options: DENY' );
++
+ 		if ($this->mArticleBodyOnly) {
+ 			$this->out($this->mBodytext);
+ 		} else {
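Review bot: in the includes/OutputPage.php hunk, `X-Frame-Options: DENY` is sent unconditionally next to the Content-type and Content-language headers, so every response emitted through this path refuses framing, including framing by the wiki's own origin and the `mArticleBodyOnly` output in the branch that follows. A site that embeds the wiki in a frame will stop rendering after this update with no way to opt out, so consider gating the header on a site setting, or at least stating the behaviour change in the Description field of the patch header. The patch touches only config/index.php and OutputPage.php, so it is also worth confirming that no other entry point emits HTML without passing through this code. The config/index.php addition needs no condition, since the header sits with the installer's other unconditional headers.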



