-rw-r--r--RELEASE-NOTES32
-rw-r--r--includes/AjaxDispatcher.php2
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/StubObject.php2
-rw-r--r--install-utils.inc10
-rw-r--r--maintenance/update.php2
6 files changed, 47 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 993f4568..82eb053b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,34 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.8.3 ==
+
+January 9, 2007
+
+MediaWiki 1.8.3 fixes several issues in the Fall 2006 snapshot release:
+* (bug 7831) Regression in AutoAuthenticate hook
+* Run PHP install version checks on update.php so command-line updaters see
+ new version requirements
+* Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive
+ as of MW 1.8 than it used to be. Install or upgrade now aborts with a
+ warning and a request to upgrade.
+* XSS fix in AJAX module
+
+An XSS injection vulnerability was located in the AJAX support module,
+affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax
+is enabled.
+
+There is no danger in the default configuration, with $wgUseAjax off.
+
+If you are using an extension based on the optional AJAX module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.0rc2
+* 1.8: fixed in 1.8.3
+* 1.7: fixed in 1.7.2
+* 1.6: fixed in 1.6.9
+
+
== MediaWiki 1.8.2 ==
October 13, 2006
@@ -366,6 +394,10 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
MediaWiki 1.8 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.
+PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing:
+http://bugs.php.net/bug.php?id=34879
+Upgrade affected systems to PHP 5.1 or higher.
+
MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 618c2736..c2744980 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -55,7 +55,7 @@ class AjaxDispatcher {
if (! in_array( $this->func_name, $wgAjaxExportList ) ) {
header( 'Status: 400 Bad Request', true, 400 );
- echo "unknown function {$this->func_name}";
+ print "unknown function " . htmlspecialchars( (string) $this->func_name );
} else {
try {
$result = call_user_func_array($this->func_name, $this->args);
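Review bot: The new `print` line relies on the default htmlspecialchars() flags and charset, and no Content-Type is set in the visible lines, so the fix only holds if the 400 response is served the way those defaults assume. Making this explicit would harden it: send `header( 'Content-Type: text/plain; charset=utf-8' );` before the print and keep the escaping as a second layer. Separately, the allowlist test in the context line above gates call_user_func_array() with a loose comparison; `in_array( $this->func_name, $wgAjaxExportList, true )` would rule out type-juggling matches if a non-string value ever ends up in the export list. The enclosing method starts and ends outside the hunk, so a header set earlier cannot be ruled out.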
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 767e551b..ee1ed3a0 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.8.2';
+$wgVersion = '1.8.3';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/StubObject.php b/includes/StubObject.php
index ed3b117a..63945f27 100644
--- a/includes/StubObject.php
+++ b/includes/StubObject.php
@@ -121,7 +121,7 @@ class StubUser extends StubObject {
$user->setLoaded( true );
} else {
$user = User::loadFromSession();
- wfRunHooks('AutoAuthenticate',array($user));
+ wfRunHooks('AutoAuthenticate',array(&$user));
}
return $user;
}
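Review bot: The `&` added on the wfRunHooks line has no comment, and a one-character fix in the session-authentication path is easy to lose in a later cleanup. The return value of wfRunHooks() is not used here, so the reference is the only way an AutoAuthenticate handler can influence the `$user` that is returned; handlers are presumably expected to replace or modify it. I would add `// Pass $user by reference so AutoAuthenticate handlers can change the returned user (bug 7831)` directly above the call. The enclosing method begins outside the hunk.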
diff --git a/install-utils.inc b/install-utils.inc
index 0ba6eca6..6f8637c3 100644
--- a/install-utils.inc
+++ b/install-utils.inc
@@ -14,6 +14,16 @@ function install_version_checks() {
echo "PHP 5.0.0 or higher is required. ABORTING.\n";
die( -1 );
}
+
+ // Test for PHP bug which breaks PHP 5.0.x on 64-bit...
+ // As of 1.8 this breaks lots of common operations instead
+ // of just some rare ones like export.
+ $borked = str_replace( 'a', 'b', array( -1 => -1 ) );
+ if( !isset( $borked[-1] ) ) {
+ echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" .
+ "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n";
+ die( -1 );
+ }
global $wgCommandLineMode;
$wgCommandLineMode = true;
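Review bot: The comment above the probe says what the PHP bug breaks but not what the probe observes, so a reader cannot tell why `isset( $borked[-1] )` is the right test. Something like `// A healthy PHP keeps the negative key when str_replace() processes the array; affected builds lose it` would make the check self-explanatory. It is also worth noting in the function's doc comment that it terminates the process with `die( -1 )` and sets `$wgCommandLineMode`, since the commit gives it a new caller (update.php). The function body starts before and continues past the hunk.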
diff --git a/maintenance/update.php b/maintenance/update.php
index d2dcbf92..402818ce 100644
--- a/maintenance/update.php
+++ b/maintenance/update.php
@@ -18,6 +18,8 @@ $dbclass = 'Database' . ucfirst( $wgDBtype ) ;
echo( "MediaWiki {$wgVersion} Updater\n\n" );
+install_version_checks();
+
# Do a pre-emptive check to ensure we've got credentials supplied
# We can't, at this stage, check them, but we can detect their absence,
# which seems to cause most of the problems people whinge about
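Review bot: The `install_version_checks();` call is placed after the banner and after `$dbclass` has been computed from `$wgDBtype`, so the configuration has already been loaded under the interpreter the check is meant to reject. If the file that defines the function is included earlier (not visible in this hunk), moving the call to directly after that include would abort before any setup code runs with broken array handling. Note also that the function sets `$wgCommandLineMode = true` as a side effect, which is harmless for this script but worth a short comment at the call site.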