diff options
| -rw-r--r-- | RELEASE-NOTES | 32 | ||||
| -rw-r--r-- | includes/AjaxDispatcher.php | 2 | ||||
| -rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
| -rw-r--r-- | includes/StubObject.php | 2 | ||||
| -rw-r--r-- | install-utils.inc | 10 | ||||
| -rw-r--r-- | maintenance/update.php | 2 |
6 files changed, 47 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 993f4568..82eb053b 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,34 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.8.3 == + +January 9, 2007 + +MediaWiki 1.8.3 fixes several issues in the Fall 2006 snapshot release: +* (bug 7831) Regression in AutoAuthenticate hook +* Run PHP install version checks on update.php so command-line updaters see + new version requirements +* Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive + as of MW 1.8 than it used to be. Install or upgrade now aborts with a + warning and a request to upgrade. +* XSS fix in AJAX module + +An XSS injection vulnerability was located in the AJAX support module, +affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax +is enabled. + +There is no danger in the default configuration, with $wgUseAjax off. + +If you are using an extension based on the optional AJAX module, +either disable it or upgrade to a version containing the fix: + +* 1.9: fixed in 1.9.0rc2 +* 1.8: fixed in 1.8.3 +* 1.7: fixed in 1.7.2 +* 1.6: fixed in 1.6.9 + + == MediaWiki 1.8.2 == October 13, 2006 @@ -366,6 +394,10 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN MediaWiki 1.8 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported. +PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing: +http://bugs.php.net/bug.php?id=34879 +Upgrade affected systems to PHP 5.1 or higher. + MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases. diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php index 618c2736..c2744980 100644 --- a/includes/AjaxDispatcher.php +++ b/includes/AjaxDispatcher.php @@ -55,7 +55,7 @@ class AjaxDispatcher { if (! in_array( $this->func_name, $wgAjaxExportList ) ) { header( 'Status: 400 Bad Request', true, 400 ); - echo "unknown function {$this->func_name}"; + print "unknown function " . htmlspecialchars( (string) $this->func_name ); } else { try { $result = call_user_func_array($this->func_name, $this->args); diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 767e551b..ee1ed3a0 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -32,7 +32,7 @@ require_once( 'includes/SiteConfiguration.php' ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.8.2'; +$wgVersion = '1.8.3'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff --git a/includes/StubObject.php b/includes/StubObject.php index ed3b117a..63945f27 100644 --- a/includes/StubObject.php +++ b/includes/StubObject.php @@ -121,7 +121,7 @@ class StubUser extends StubObject { $user->setLoaded( true ); } else { $user = User::loadFromSession(); - wfRunHooks('AutoAuthenticate',array($user)); + wfRunHooks('AutoAuthenticate',array(&$user)); } return $user; } diff --git a/install-utils.inc b/install-utils.inc index 0ba6eca6..6f8637c3 100644 --- a/install-utils.inc +++ b/install-utils.inc @@ -14,6 +14,16 @@ function install_version_checks() { echo "PHP 5.0.0 or higher is required. ABORTING.\n"; die( -1 ); } + + // Test for PHP bug which breaks PHP 5.0.x on 64-bit... + // As of 1.8 this breaks lots of common operations instead + // of just some rare ones like export. + $borked = str_replace( 'a', 'b', array( -1 => -1 ) ); + if( !isset( $borked[-1] ) ) { + echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" . + "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n"; + die( -1 ); + } global $wgCommandLineMode; $wgCommandLineMode = true; diff --git a/maintenance/update.php b/maintenance/update.php index d2dcbf92..402818ce 100644 --- a/maintenance/update.php +++ b/maintenance/update.php @@ -18,6 +18,8 @@ $dbclass = 'Database' . ucfirst( $wgDBtype ) ; echo( "MediaWiki {$wgVersion} Updater\n\n" ); +install_version_checks(); + # Do a pre-emptive check to ensure we've got credentials supplied # We can't, at this stage, check them, but we can detect their absence, # which seems to cause most of the problems people whinge about |