diff --git a/www/mediawiki/Makefile b/www/mediawiki/Makefile
index f39e2ff9148..30cae4b08b8 100644
--- a/www/mediawiki/Makefile
+++ b/www/mediawiki/Makefile
@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.23 2010/11/22 08:36:49 espie Exp $
+# $OpenBSD: Makefile,v 1.24 2011/01/05 11:51:57 jasper Exp $
 COMMENT = web-based collaborative editing environment
 DISTNAME = mediawiki-1.15.5
+REVISION = 0
 CATEGORIES = www
 HOMEPAGE = http://www.mediawiki.org/
diff --git a/www/mediawiki/patches/patch-config_index_php b/www/mediawiki/patches/patch-config_index_php
new file mode 100644
index 00000000000..74b08d3a821
--- /dev/null
+++ b/www/mediawiki/patches/patch-config_index_php
@@ -0,0 +1,18 @@
+$OpenBSD: patch-config_index_php,v 1.1 2011/01/05 11:51:57 jasper Exp $
+
+Security fix for SA42810
+MediaWiki "Clickjacking" Security Bypass Vulnerability
+
+Patch from upstream svn:
+http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+
+--- config/index.php.orig Wed Jan 5 11:03:02 2011
++++ config/index.php Wed Jan 5 11:03:19 2011
+@@ -21,6 +21,7 @@
+
+ error_reporting( E_ALL );
+ header( "Content-type: text/html; charset=utf-8" );
++header( 'X-Frame-Options: DENY' );
+ @ini_set( "display_errors", true );
+
+ # In case of errors, let output be clean.
diff --git a/www/mediawiki/patches/patch-includes_OutputPage_php b/www/mediawiki/patches/patch-includes_OutputPage_php
new file mode 100644
index 00000000000..4f02f75a271
--- /dev/null
+++ b/www/mediawiki/patches/patch-includes_OutputPage_php
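Review bot: The `header( 'X-Frame-Options: DENY' );` line added to config/index.php has no explanatory comment, while the same fix in includes/OutputPage.php is annotated. I would add `# To prevent clickjacking, do not allow the installer to be displayed inside a frame.` directly above it, so a later port update does not drop the line as unexplained. The rest of the installer script lies outside this hunk.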
@@ -0,0 +1,20 @@
+$OpenBSD: patch-includes_OutputPage_php,v 1.1 2011/01/05 11:51:57 jasper Exp $
+
+Security fix for SA42810
+MediaWiki "Clickjacking" Security Bypass Vulnerability
+
+Patch from upstream svn:
+http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566
+
+--- includes/OutputPage.php.orig Wed Jan 5 11:02:13 2011
++++ includes/OutputPage.php Wed Jan 5 11:02:39 2011
+@@ -957,6 +957,9 @@ class OutputPage {
+ $wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
+ $wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
+
++ # To prevent clickjacking, do not allow this page to be inside a frame.
++ $wgRequest->response()->header( 'X-Frame-Options: DENY' );
++
+ if ($this->mArticleBodyOnly) {
+ $this->out($this->mBodytext);
+ } else {
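Review bot: The `X-Frame-Options: DENY` header added to includes/OutputPage.php is sent unconditionally on this output path, and the comment above it records neither that trade-off nor the header's limits. DENY also blocks same-site framing, and the header only helps users whose browser implements it, so it is one layer of protection rather than a complete fix. I would extend the comment, e.g. `# Sent unconditionally; DENY also blocks same-site frames, and browsers without X-Frame-Options support ignore it.` The enclosing OutputPage method starts and ends outside the hunk.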