* Fixed a couple of missing lines in 1.12
* Added missing autoloader entry in 1.13
* Prepared the 1.6 branch for release, with a cut-down version of the security fixes
* Rewrote the RELEASE-NOTES entry for all 3 branches
* Added missing autoloader entry in 1.13
* Prepared the 1.6 branch for release, with a cut-down version of the security fixes
* Rewrote the RELEASE-NOTES entry for all 3 branches
== MediaWiki 1.6.10 ==
February 20, 2007
This is a security and bug-fix update to the Spring 2006 quarterly release.
An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.
If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10
There is no known danger in the default configuration, with $wgUseAjax off.
* (bug 8819) Fix full path disclosure with skins dependencies
* Add 'charset' to Content-Type headers on various HTTP error responses
to forestall additional UTF-7-autodetect XSS issues. PHP sends only
'text/html' by default when the script didn't specify more details,
which some inconsiderate browsers consider a license to autodetect
the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
February 20, 2007
This is a security and bug-fix update to the Spring 2006 quarterly release.
An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.
If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10
There is no known danger in the default configuration, with $wgUseAjax off.
* (bug 8819) Fix full path disclosure with skins dependencies
* Add 'charset' to Content-Type headers on various HTTP error responses
to forestall additional UTF-7-autodetect XSS issues. PHP sends only
'text/html' by default when the script didn't specify more details,
which some inconsiderate browsers consider a license to autodetect
the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
Fix #8819: Full path disclosure in skin dependencies files.
Backport from trunk@19681
Backport from trunk@19681
xss ajax fix
removed broken require_once
Use absolute path in require_once, errors reported in some configurations due to odd include_path.
* (bug 6730) Clearer usage of message 'titlematch' in
German translation (de)
German translation (de)
* (bug 6680) Added localisation for Dutch bookstore list (nl)
RELEASE-NOTES for bug 6621
(bug 6621) Backported German translation for 'eauthentsent'
(bug 6601) change minor edit letter for German translation (de)
bump notes
bump to 1.6.8, going to make a bugfix release
XSS
Make us seem at least semi-literate
Typo.
Fix 6415: typo in parser.php, patch by Ben White
Remove line breaks after Sanitizer::decodeCharReferences()
commandLine.inc no longer changes the current directory
Backported redirect validation fixes from HEAD
Show an arrow in the right direction also in Broken Redirects special page, not only in the Double Redirects. Backport from trunk, as it's trivial.
* Updates from Rotem Liss
Remove weird bogus error-generating file
* Updates to (he)
And one more little backport, fixing broken extra junk on heading lines
Another backport; needed to fix behavior with updated Cite and Inputbox extensions
Another security backport from HEAD, forgotten...
* Increase robustness of parser placeholders; fixes some glitches when
adjacent to identifier-ish constructs such as URLs.
* Increase robustness of parser placeholders; fixes some glitches when
adjacent to identifier-ish constructs such as URLs.
Backport fixes and bump to 1.6.7
* Fix oddity with open tag parameters getting stuck on </li>
* (bug 5384) Fix <!-- comments --> in <ref> extension
* Nesting of different tag extensions and comments should now work more
consistently and more safely. A cleaner, one-pass tag strip lets the
'outer' tag either take source (<nowiki>-style) or pass it down to
further parsing (<ref>-style). There should no longer be surprise
expansion of foreign extensions inside HTML output, or differences
in behavior based on the order tags are loaded.
* (bug 885) Pre-save transform no longer silently appends close tags
* Pre-save transform no longer changes the case of close tags
* Edit security precautions in raw HTML mode, etc
* Fix oddity with open tag parameters getting stuck on </li>
* (bug 5384) Fix <!-- comments --> in <ref> extension
* Nesting of different tag extensions and comments should now work more
consistently and more safely. A cleaner, one-pass tag strip lets the
'outer' tag either take source (<nowiki>-style) or pass it down to
further parsing (<ref>-style). There should no longer be surprise
expansion of foreign extensions inside HTML output, or differences
in behavior based on the order tags are loaded.
* (bug 885) Pre-save transform no longer silently appends close tags
* Pre-save transform no longer changes the case of close tags
* Edit security precautions in raw HTML mode, etc
* (bug 5957) Update for Hebrew language (he)
(bug 6138) Minor grammar tweak in "loginreqlink"
Backport from trunk:
Bug 6017: Update bookstore list for German language
Bug 6017: Update bookstore list for German language
* (bug 6051) Improvement to German localisation (de)
Backport further fixes from trunk for the recent parser security changes (r14353)
Clarify that this only affects 1.6 and higher. 1.5 and 1.4 not affected.
Backport security fixes from trunk (r14349, r14350), bump to 1.6.6.
* (bug 6055) Fix for HTML/JS injection bug in variable handler (found by Nick Jenkins)
* Reordered wiki table handling and __TOC__ extraction in the parser to better
handle some overlapping tag cases.
* Only the first __TOC__ is now turned into a TOC.
* (bug 361) URL in URL, they were almost fixed. Now they are.
* (bug 6055) Fix for HTML/JS injection bug in variable handler (found by Nick Jenkins)
* Reordered wiki table handling and __TOC__ extraction in the parser to better
handle some overlapping tag cases.
* Only the first __TOC__ is now turned into a TOC.
* (bug 361) URL in URL, they were almost fixed. Now they are.
* Update
Backport from trunk r14309:
Fix #6018: Special:Userrights -> wrong message when no user was specified
Patch by Jimmy Collins <jimmy.collins@web.de>
Fix #6018: Special:Userrights -> wrong message when no user was specified
Patch by Jimmy Collins <jimmy.collins@web.de>
Backport from trunk r14306:
Fix #6015: dd spacing in the boxes "edit is minor" and "watch this"
Patch by Rotem Liss <mail@rotemliss.com>
Fix #6015: dd spacing in the boxes "edit is minor" and "watch this"
Patch by Rotem Liss <mail@rotemliss.com>
Backport from trunk r14304:
Fix #6025: SpecialImport.php -> wrong message when no file was selected
Patch by Jimmy Collins <jimmy.collins@web.de>
Fix #6025: SpecialImport.php -> wrong message when no file was selected
Patch by Jimmy Collins <jimmy.collins@web.de>
* Updates #5957
* (bug 5957) Update for German localisation (de)
*Updates
* (bug 5957) Update for Hebrew language (he)
oops, bad merge.
Backport from trunk@14143:
Fix #5586: <gallery> treats text as links
Fix #5586: <gallery> treats text as links
* (bug 5857) Update for German localisation (de)
* (bug 5507) Logouttext uses now wiki markup
** When everything is not enough
** When everything is not enough
Correct "revertpage" message in English
adjust notes: * Rolled back the buggy patch for bug 5497
Parser test cases for bug 5497
Bump to 1.6.5
Revert bogus patch for 5497, which breaks parsing and didn't come with a test case
Revert 14035: new feature in release branch, and doesn't even compile
Add 'EmailConfirmed' hook
bump to 1.6.4
Fix bug #5796: error if mysql < 4.0.14
"Fix" #5796: we require MySQL 4.0.14
(bug 5789) Treat "loginreqpagetext" as wikitext
(bug 5723) Don't count pages linked to from the MediaWiki namespace as "wanted"
More Hebrew updates
Updated initStats maintenance script
Hebrew updates
16 years agoRewrite reassignEdits script to be more efficient; support optional updates to recent...
Rewrite reassignEdits script to be more efficient; support optional updates to recent changes table; add reporting and silent modes
Add snippet to release notes
16 years agoRewrite reassignEdits script to be more efficient; support optional updates to recent...
Rewrite reassignEdits script to be more efficient; support optional updates to recent changes table; add reporting and silent modes
Whoops, capitalisation matters. Capitalise all instances of mReturnTo like so, so it works, and so it's consistent.
(bug ????) Hebrew updates
* (bug 5761) Project talk namespace broken in Xal, Os, Udm and Cv
More Hebrew updates
Fix bug in wfMsgExt under PHP 5.1.2
* Parser can now know that it is parsing an interface message
* (bug 4737) MediaWiki:Viewcount supports {{PLURAL}} now
* (bug 4737) MediaWiki:Viewcount supports {{PLURAL}} now
Use the returnto parameter on successfull login
(bug 93) <nowiki> tags and tildes in templates
(bug 5741) Introduce {{NUMBEROFUSERS}} magic word
(bug 5751) Updates to Portuguese localisation files
Bug 5359: fix skin names
revert 13909 : wrong language file
Bug 5359: fix skin names
Fix bug #5679: timestamps not rendering in bn:, hi: or fa: numerals
Removed some messages that are (afaik) not used anymore
Remove unneeded extra whitespace at top of Special:Categories
Remove unneeded extra whitespace at top of Special:Categories
BACKPORT from trunk@13902:
Fix #4825: note in DefaultSettings.php about 'profiling' table creation
Fix #4825: note in DefaultSettings.php about 'profiling' table creation
Fix #4825: note in DefaultSettings.php about 'profiling' table creation
minor changes that raise a tidy warning
BACKPORT from trunk@13892:
Fix #5315: "Expires: -1" HTTP header not strictly RFC valid
Fix #5315: "Expires: -1" HTTP header not strictly RFC valid
Fix #5315: "Expires: -1" HTTP header not strictly RFC valid
BACKPORT from trunk@13890
Fix #5005 XHTML <gallery> output.
Patch by Jitse Niesen <j.niesen@latrobe.edu.au>
Fix #5005 XHTML <gallery> output.
Patch by Jitse Niesen <j.niesen@latrobe.edu.au>
Fix #5005: XHTML <gallery> output.
Patch by: Jitse Niesen <j.niesen@latrobe.edu.au>
Patch by: Jitse Niesen <j.niesen@latrobe.edu.au>
Updates and polishing
Do some html-escaping
Revert, breaks some unknown aspect of template-table interaction
*histlegend is now wikitext
*don't do double escaping
*don't do double escaping
Don't parse the return value of a function-style extension by default.
16 years agoImprovements to update scripts; print out the version, check for superuser credential...
Improvements to update scripts; print out the version, check for superuser credentials before attempting a connection, and produce a friendlier error if the connection fails
16 years agoImprovements to update scripts; print out the version, check for superuser credential...
Improvements to update scripts; print out the version, check for superuser credentials before attempting a connection, and produce a friendlier error if the connection fails
oops! the messages are old ones that need deletion (eg deprecated)
option --showdupes replaced by --showold
option --showdupes replaced by --showold
updated script so it can output duplicates per languages
duplicate messages