- SECURITY fixes for SA42810

MediaWiki "Clickjacking" Security Bypass Vulnerability

Patches from upstream svn

ok stephan@ (MAINTAINER)

www/mediawiki/Makefile

@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.23 2010/11/22 08:36:49 espie Exp $
+# $OpenBSD: Makefile,v 1.24 2011/01/05 11:51:57 jasper Exp $
 
 COMMENT =	web-based collaborative editing environment
 
 DISTNAME =	mediawiki-1.15.5
+REVISION =	0
 CATEGORIES =	www
 
 HOMEPAGE =	http://www.mediawiki.org/

www/mediawiki/patches/patch-config_index_php

@@ -0,0 +1,18 @@
+$OpenBSD: patch-config_index_php,v 1.1 2011/01/05 11:51:57 jasper Exp $
+
+Security fix for SA42810
+MediaWiki "Clickjacking" Security Bypass Vulnerability
+
+Patch from upstream svn:
+http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+
+--- config/index.php.orig	Wed Jan  5 11:03:02 2011
++++ config/index.php	Wed Jan  5 11:03:19 2011
+@@ -21,6 +21,7 @@
+ 
+ error_reporting( E_ALL );
+ header( "Content-type: text/html; charset=utf-8" );
++header( 'X-Frame-Options: DENY' );
+ @ini_set( "display_errors", true );
+ 
+ # In case of errors, let output be clean.

www/mediawiki/patches/patch-includes_OutputPage_php

@@ -0,0 +1,20 @@
+$OpenBSD: patch-includes_OutputPage_php,v 1.1 2011/01/05 11:51:57 jasper Exp $
+
+Security fix for SA42810
+MediaWiki "Clickjacking" Security Bypass Vulnerability
+
+Patch from upstream svn:
+http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+
+--- includes/OutputPage.php.orig	Wed Jan  5 11:02:13 2011
++++ includes/OutputPage.php	Wed Jan  5 11:02:39 2011
+@@ -957,6 +957,9 @@ class OutputPage {
+ 		$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
+ 		$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+ 
++		# To prevent clickjacking, do not allow this page to be inside a frame.
++		$wgRequest->response()->header( 'X-Frame-Options: DENY' );
++
+ 		if ($this->mArticleBodyOnly) {
+ 			$this->out($this->mBodytext);
+ 		} else {