-rw-r--r-- | FAQ | 2 | ||||
-rw-r--r-- | INSTALL | 4 | ||||
-rw-r--r-- | README | 14 | ||||
-rw-r--r-- | RELEASE-NOTES | 44 | ||||
-rw-r--r-- | api.php | 23 | ||||
-rw-r--r-- | config/index.php | 2 | ||||
-rw-r--r-- | includes/AutoLoader.php | 1 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/LinkBatch.php | 4 | ||||
-rw-r--r-- | languages/Language.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesDa.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesDe.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesEn.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesHy.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesNl.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesSv.php | 2 | ||||
-rw-r--r-- | maintenance/archives/patch-objectcache.sql | 6 |
17 files changed, 91 insertions, 25 deletions
@@ -2,4 +2,4 @@ The original MediaWiki FAQ can be found at http://meta.wikimedia.org/wiki/MediaWiki_FAQ. A newer version is available at -http://www.mediawiki.org/wiki/Help:FAQ. +http://www.mediawiki.org/wiki/Manual:FAQ. @@ -27,7 +27,7 @@ Additional documentation is available online, which may include more detailed notes on particular operating systems and workarounds for difficult hosting environments: -http://meta.wikimedia.org/wiki/Help:Installation +http://www.mediawiki.org/wiki/Manual:Installation ********************** WARNING ************************** @@ -52,7 +52,7 @@ something nice, like "wiki", since it'll be in your URL. | *different* directory from the virtual path where page | | names will appear. | | | - | See: http://meta.wikimedia.org/wiki/Rewrite_rules | + | See: http://www.mediawiki.org/wiki/Manual:Short_URL | +-----------------------------------------------------------+ To run the install script, you'll need to temporarily make @@ -1,4 +1,4 @@ -2006-04-05 +2007-09-15 For system requirements, installation and upgrade details, see the files RELEASE-NOTES, INSTALL, and UPGRADE. @@ -61,7 +61,7 @@ users under the GPL for use of the whole code or other sections thereof. Many thanks to the Wikimedia regulars for testing and suggestions. -The official website for mediawiki is located at: +The official website for MediaWiki is located at: http://www.mediawiki.org/ 
@@ -81,23 +81,23 @@ Documentation and discussion on new features may be found at: Extensions are listed at: - http://meta.wikimedia.org/wiki/Category:MediaWiki_extensions + http://www.mediawiki.org/wiki/Category:Extensions If you are setting up your own wiki based on this software, it is highly recommended that you subscribe to mediawiki-announce: - http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce + http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce The mailing list is very low volume, and is intended primarily for announcements of new versions, bug fixes, and security issues. A higher volume support mailing list can be found at: - http://mail.wikimedia.org/mailman/listinfo/mediawiki-l + http://lists.wikimedia.org/mailman/listinfo/mediawiki-l Developer discussion takes place at: - http://mail.wikimedia.org/mailman/listinfo/wikitech-l + http://lists.wikimedia.org/mailman/listinfo/wikitech-l There is also a development and support channel #mediawiki on -irc.freenode.net, and an unoffical support forum at www.mwusers.com. +irc.freenode.net, and an unoffical support forum at www.mwusers.com.
\ No newline at end of file
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 94fec251..5115778e 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,45 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.11.1 ==
+
+January 23, 2008
+
+This is a security and bugfix release of the Fall 2007 snapshot release of
+MediaWiki. A potential XSS injection vector affecting api.php only for
+Microsoft Internet Explorer users has been closed.
+
+Changes in this release:
+
+* (bug 11450) Fix creation of objectcache table on upgrade
+* (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name
+* Fix regression in LinkBatch.php breaking PHP 5.0
+* Security fix for API on MSIE
+
+
+To work around the vulnerability without upgrading, you may disable the
+API if you don't need it:
+
+ $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.12 or later
+* 1.11 >= 1.11.1
+* 1.10 >= 1.10.3
+* 1.9 >= 1.9.5
+* 1.8 any version (if $wgEnableAPI has been left off)
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.2
+* 1.9 <= 1.9.4
+* 1.8 any version (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the API functionality, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
 == MediaWiki 1.11.0 ==
 September 10, 2007
@@ -532,6 +571,7 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API
 * (bug 10890) Timestamp support for categorymembers query
 * (bug 10980) Add exclude redirects on backlinks
 * IPv6 titles in User namespace are normalized (run cleanupTitles.php to fix any old stray pages)
+* Sysops now have the same limits on the number of items they can request in a query as bots.
 == Maintenance script changes since 1.10 ==
@@ -643,6 +683,10 @@ updates. If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.
+If upgrading from before 1.11, and you are using a wiki as a commons repository,
+make sure that it is updated as well. Otherwise, errors may arise due to
+database schema changes.
+
 If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
 wfProfileIn('api.php');
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
diff --git a/config/index.php b/config/index.php
index 274a1531..0d08123e 100644
--- a/config/index.php
+++ b/config/index.php
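Review bot: The `return;` added inside the 403 branch leaves the `wfProfileIn('api.php')` on the context line above it unbalanced, so rejected requests never emit the matching profiler exit; add `wfProfileOut('api.php');` immediately before `return;`. The guard is fail-closed by exact string equality, so any deployment where the externally visible path differs from `$wgScriptPath/api$wgScriptExtension` (a reverse-proxy prefix, an Alias, mod_rewrite populating SCRIPT_URL with the rewritten path, a case-insensitive filesystem serving API.PHP) will 403 every API call rather than only those carrying an extension, which deserves a comment such as `// NOTE: any mismatch is rejected; $wgScriptPath must equal the path the browser actually requests`. Conversely the check only catches the attack where the SAPI folds PATH_INFO into PHP_SELF; where it does not (presumably some CGI configurations), api.php/x.html would still pass, so consider also refusing when `$_SERVER['PATH_INFO']` is non-empty. Note that this guard now runs before the `$wgEnableAPI` check that follows, so sites with the API disabled answer malformed paths with a 403 instead of the explanatory message — fine, but worth stating in the comment block.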
@@ -271,7 +271,7 @@ class ConfigData {
 <ul>
 <li>
 <b>Don't forget security updates!</b> Keep an eye on the
- <a href="http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce">low-traffic
+ <a href="http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce">low-traffic
 release announcements mailing list</a>.
 </li>
 </ul>
diff --git a/includes/AutoLoader.php b/includes/AutoLoader.php
index 25c728cd..5e1b8156 100644
--- a/includes/AutoLoader.php
+++ b/includes/AutoLoader.php
@@ -96,7 +96,6 @@ function __autoload($className) {
 'HTMLCacheUpdate' => 'includes/HTMLCacheUpdate.php',
 'Http' => 'includes/HttpFunctions.php',
 'IP' => 'includes/IP.php',
- 'ThumbnailImage' => 'includes/Image.php',
 'ImageGallery' => 'includes/ImageGallery.php',
 'ImagePage' => 'includes/ImagePage.php',
 'ImageHistoryList' => 'includes/ImagePage.php',
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1ed8779a..5afb969d 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
 $wgConf = new SiteConfiguration;
 /** MediaWiki version number */
-$wgVersion = '1.11.0';
+$wgVersion = '1.11.1';
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
diff --git a/includes/LinkBatch.php b/includes/LinkBatch.php
index 8ab3393e..20bcd3d4 100644
--- a/includes/LinkBatch.php
+++ b/includes/LinkBatch.php
@@ -158,9 +158,9 @@ class LinkBatch {
 }
 if (count($dbkeys)==1) {
 // avoid multiple-reference syntax if simple equality can be used
-
+ $singleKey = array_keys($dbkeys);
 $sql .= "({$prefix}_namespace=$ns AND {$prefix}_title=".
- $db->addQuotes(current(array_keys($dbkeys))).
+ $db->addQuotes($singleKey[0]).
 ")";
 } else {
 $sql .= "({$prefix}_namespace=$ns AND {$prefix}_title IN (";
diff --git a/languages/Language.php b/languages/Language.php
index 3f9d98fb..9bf1abab 100644
--- a/languages/Language.php
+++ b/languages/Language.php
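Review bot: The reason for the new `$singleKey` temporary in the LinkBatch hunk is not recorded, so the next cleanup pass is likely to fold it back into the one-liner `current(array_keys($dbkeys))` that this commit removes; `current()` takes its argument by reference, and passing a function result directly is a fatal "Only variables can be passed by reference" on PHP 5.0, which is the regression the release notes list for this file. Add a why-comment above the assignment: `// keep array_keys() in a variable: current() takes a reference, which is fatal on PHP 5.0`. Indexing `$singleKey[0]` is safe here only because the enclosing `count($dbkeys)==1` guard guarantees exactly one key, which the comment could mention as well. The method containing this hunk begins and ends outside it.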
@@ -1179,7 +1179,7 @@ class Language { $this->load(); if ( !isset( $this->mExtendedSpecialPageAliases ) ) { $this->mExtendedSpecialPageAliases = $this->specialPageAliases; - wfRunHooks( 'LangugeGetSpecialPageAliases', + wfRunHooks( 'LanguageGetSpecialPageAliases', array( &$this->mExtendedSpecialPageAliases, $this->getCode() ) ); } return $this->mExtendedSpecialPageAliases; diff --git a/languages/messages/MessagesDa.php b/languages/messages/MessagesDa.php index e3e1e084..d54a7a32 100644 --- a/languages/messages/MessagesDa.php +++ b/languages/messages/MessagesDa.php @@ -55,7 +55,7 @@ $linkTrail = '/^([a-zæøå]+)(.*)$/sDu'; * listed alias will be used as the default. Aliases from the fallback * localisation (usually English) will be included by default. * - * This array may be altered at runtime using the LangugeGetSpecialPageAliases + * This array may be altered at runtime using the LanguageGetSpecialPageAliases * hook. */ $specialPageAliases = array( diff --git a/languages/messages/MessagesDe.php b/languages/messages/MessagesDe.php index df795c8b..1e85acaf 100644 --- a/languages/messages/MessagesDe.php +++ b/languages/messages/MessagesDe.php @@ -57,7 +57,7 @@ $linkTrail = '/^([äöüßa-z]+)(.*)$/sDu'; * listed alias will be used as the default. Aliases from the fallback * localisation (usually English) will be included by default. * - * This array may be altered at runtime using the LangugeGetSpecialPageAliases + * This array may be altered at runtime using the LanguageGetSpecialPageAliases * hook. */ $specialPageAliases = array( diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 3a8c3949..b3795c85 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php 
@@ -347,7 +347,7 @@ $magicWords = array( * listed alias will be used as the default. Aliases from the fallback * localisation (usually English) will be included by default. * - * This array may be altered at runtime using the LangugeGetSpecialPageAliases + * This array may be altered at runtime using the LanguageGetSpecialPageAliases * hook. */ $specialPageAliases = array( diff --git a/languages/messages/MessagesHy.php b/languages/messages/MessagesHy.php index 1f409e7d..2e9135e3 100644 --- a/languages/messages/MessagesHy.php +++ b/languages/messages/MessagesHy.php @@ -264,7 +264,7 @@ $magicWords = array( * listed alias will be used as the default. Aliases from the fallback * localisation (usually English) will be included by default. * - * This array may be altered at runtime using the LangugeGetSpecialPageAliases + * This array may be altered at runtime using the LanguageGetSpecialPageAliases * hook. */ $specialPageAliases = array( diff --git a/languages/messages/MessagesNl.php b/languages/messages/MessagesNl.php index b9f6b121..5603b4c8 100644 --- a/languages/messages/MessagesNl.php +++ b/languages/messages/MessagesNl.php @@ -213,7 +213,7 @@ $magicWords = array( * listed alias will be used as the default. Aliases from the fallback * localisation (usually English) will be included by default. * - * This array may be altered at runtime using the LangugeGetSpecialPageAliases + * This array may be altered at runtime using the LanguageGetSpecialPageAliases * hook. */ $specialPageAliases = array( diff --git a/languages/messages/MessagesSv.php b/languages/messages/MessagesSv.php index 92968f22..cad8b48a 100644 --- a/languages/messages/MessagesSv.php +++ b/languages/messages/MessagesSv.php 
@@ -42,7 +42,7 @@ $namespaceAliases = array(
 * listed alias will be used as the default. Aliases from the fallback
 * localisation (usually English) will be included by default.
 *
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
 * hook.
 */
 $specialPageAliases = array(
diff --git a/maintenance/archives/patch-objectcache.sql b/maintenance/archives/patch-objectcache.sql
index 223a11c9..5edf305b 100644
--- a/maintenance/archives/patch-objectcache.sql
+++ b/maintenance/archives/patch-objectcache.sql
@@ -1,9 +1,9 @@
 -- For a few generic cache operations if not using Memcached
 CREATE TABLE /*$wgDBprefix*/objectcache (
- keyname varbinary(255) binary not null default '',
+ keyname varbinary(255) NOT NULL default '',
 value mediumblob,
 exptime datetime,
- unique key (keyname),
- key (exptime)
+ UNIQUE KEY (keyname),
+ KEY (exptime)
 ) /*$wgDBTableOptions*/; |
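Review bot: The patch file does not say why the `binary` attribute was dropped from `keyname`, so nothing stops a later sync from the main schema file reintroducing it; the release notes tie this hunk to bug 11450 (objectcache table creation failing on upgrade), and that should be recorded next to the column, e.g. `-- keyname: varbinary is already byte-compared; the former BINARY attribute broke table creation on upgrade (bug 11450)`. Presumably the canonical objectcache definition in maintenance/tables.sql is meant to match this archive patch column for column — confirm it does, so fresh installs and upgraded wikis end up with identical tables. The key definitions are unnamed (`UNIQUE KEY (keyname)`, `KEY (exptime)`), which leaves MySQL to auto-generate index names; that is consistent with the old text, but a later migration that needs to drop or alter them will have nothing stable to reference.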