-rw-r--r--  FAQ                                    |  2
-rw-r--r--  INSTALL                                |  4
-rw-r--r--  README                                 | 14
-rw-r--r--  RELEASE-NOTES                          | 44
-rw-r--r--  api.php                                | 23
-rw-r--r--  config/index.php                       |  2
-rw-r--r--  includes/AutoLoader.php                |  1
-rw-r--r--  includes/DefaultSettings.php           |  2
-rw-r--r--  includes/LinkBatch.php                 |  4
-rw-r--r--  languages/Language.php                 |  2
-rw-r--r--  languages/messages/MessagesDa.php      |  2
-rw-r--r--  languages/messages/MessagesDe.php      |  2
-rw-r--r--  languages/messages/MessagesEn.php      |  2
-rw-r--r--  languages/messages/MessagesHy.php      |  2
-rw-r--r--  languages/messages/MessagesNl.php      |  2
-rw-r--r--  languages/messages/MessagesSv.php      |  2
-rw-r--r--  maintenance/archives/patch-objectcache.sql |  6
17 files changed, 91 insertions, 25 deletions
diff --git a/FAQ b/FAQ
index a4b54cf3..ea1d6243 100644
--- a/FAQ
+++ b/FAQ
@@ -2,4 +2,4 @@ The original MediaWiki FAQ can be found at
http://meta.wikimedia.org/wiki/MediaWiki_FAQ.
A newer version is available at
-http://www.mediawiki.org/wiki/Help:FAQ.
+http://www.mediawiki.org/wiki/Manual:FAQ.
diff --git a/INSTALL b/INSTALL
index 4c69dcf9..1bbdc201 100644
--- a/INSTALL
+++ b/INSTALL
@@ -27,7 +27,7 @@ Additional documentation is available online, which may include more
detailed notes on particular operating systems and workarounds for
difficult hosting environments:
-http://meta.wikimedia.org/wiki/Help:Installation
+http://www.mediawiki.org/wiki/Manual:Installation
********************** WARNING **************************
@@ -52,7 +52,7 @@ something nice, like "wiki", since it'll be in your URL.
| *different* directory from the virtual path where page |
| names will appear. |
| |
- | See: http://meta.wikimedia.org/wiki/Rewrite_rules |
+ | See: http://www.mediawiki.org/wiki/Manual:Short_URL |
+-----------------------------------------------------------+
To run the install script, you'll need to temporarily make
diff --git a/README b/README
index 427b5479..e3a387ef 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-2006-04-05
+2007-09-15
For system requirements, installation and upgrade details, see the files RELEASE-NOTES,
INSTALL, and UPGRADE.
@@ -61,7 +61,7 @@ users under the GPL for use of the whole code or other sections thereof.
Many thanks to the Wikimedia regulars for testing and suggestions.
-The official website for mediawiki is located at:
+The official website for MediaWiki is located at:
http://www.mediawiki.org/
@@ -81,23 +81,23 @@ Documentation and discussion on new features may be found at:
Extensions are listed at:
- http://meta.wikimedia.org/wiki/Category:MediaWiki_extensions
+ http://www.mediawiki.org/wiki/Category:Extensions
If you are setting up your own wiki based on this software, it is highly
recommended that you subscribe to mediawiki-announce:
- http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce
+ http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
The mailing list is very low volume, and is intended primarily for
announcements of new versions, bug fixes, and security issues.
A higher volume support mailing list can be found at:
- http://mail.wikimedia.org/mailman/listinfo/mediawiki-l
+ http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Developer discussion takes place at:
- http://mail.wikimedia.org/mailman/listinfo/wikitech-l
+ http://lists.wikimedia.org/mailman/listinfo/wikitech-l
There is also a development and support channel #mediawiki on
-irc.freenode.net, and an unoffical support forum at www.mwusers.com.
+irc.freenode.net, and an unoffical support forum at www.mwusers.com. \ No newline at end of file
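Review bot: the rewritten last line keeps the misspelling "unoffical" (should be "unofficial") and, per the "\ No newline at end of file" marker, drops the file's trailing newline; since the line is being touched anyway, fix the spelling and restore the newline so the file ends cleanly.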
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 94fec251..5115778e 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,45 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.11.1 ==
+
+January 23, 2008
+
+This is a security and bugfix release of the Fall 2007 snapshot release of
+MediaWiki. A potential XSS injection vector affecting api.php only for
+Microsoft Internet Explorer users has been closed.
+
+Changes in this release:
+
+* (bug 11450) Fix creation of objectcache table on upgrade
+* (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name
+* Fix regression in LinkBatch.php breaking PHP 5.0
+* Security fix for API on MSIE
+
+
+To work around the vulnerability without upgrading, you may disable the
+API if you don't need it:
+
+ $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.12 or later
+* 1.11 >= 1.11.1
+* 1.10 >= 1.10.3
+* 1.9 >= 1.9.5
+* 1.8 any version (if $wgEnableAPI has been left off)
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.2
+* 1.9 <= 1.9.4
+* 1.8 any version (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the API functionality, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
== MediaWiki 1.11.0 ==
September 10, 2007
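Review bot: the version ranges under "Not vulnerable versions" and "Vulnerable versions" leave a gap: the 1.11 branch is listed as safe at ">= 1.11.1" and vulnerable at "<= 1.11.0rc1", so 1.11.0 itself (the version this commit bumps from, per the DefaultSettings.php change) falls in neither list; the vulnerable line should read "1.11 <= 1.11.0". The workaround line `$wgEnableAPI = false;` should also say that it goes in LocalSettings.php, and the double blank lines before "To work around" and before "== MediaWiki 1.11.0 ==" can be collapsed to single blanks to match the rest of the file.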
@@ -532,6 +571,7 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API
* (bug 10890) Timestamp support for categorymembers query
* (bug 10980) Add exclude redirects on backlinks
* IPv6 titles in User namespace are normalized (run cleanupTitles.php to fix any old stray pages)
+* Sysops now have the same limits on the number of items they can request in a query as bots.
== Maintenance script changes since 1.10 ==
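Review bot: the new "Sysops now have the same limits..." line is appended to the 1.11.0 API changes section, while the section this commit introduces is 1.11.1; if the sysop query-limit change is new in 1.11.1 it belongs under "Changes in this release" above, otherwise the commit message should say this is a retroactive correction to the 1.11.0 notes so readers are not left guessing which release it landed in.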
@@ -643,6 +683,10 @@ updates.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
+If upgrading from before 1.11, and you are using a wiki as a commons repository,
+make sure that it is updated as well. Otherwise, errors may arise due to
+database schema changes.
+
If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!
diff --git a/api.php b/api.php
index fa85573d..ce445ef4 100644
--- a/api.php
+++ b/api.php
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
wfProfileIn('api.php');
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
// Verify that the API has not been disabled
if (!$wgEnableAPI) {
echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
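Review bot: the early `return` after `wfHttpError( 403, ... )` leaves the `wfProfileIn('api.php')` call immediately above the new block without a matching `wfProfileOut`, so profiling will be unbalanced on every rejected request; either move the URL check above `wfProfileIn` or add `wfProfileOut('api.php');` before the `return`. Separately, the check compares the request path against `"$wgScriptPath/api$wgScriptExtension"`, so any installation whose configured `$wgScriptPath` or `$wgScriptExtension` does not match the path the web server actually reports (aliases, rewrites, non-Apache SAPIs where `SCRIPT_URL` is unset and `PHP_SELF` is used) will now answer 403 to every API call; that failure mode deserves a line in RELEASE-NOTES so administrators know which settings to verify after upgrading.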
diff --git a/config/index.php b/config/index.php
index 274a1531..0d08123e 100644
--- a/config/index.php
+++ b/config/index.php
@@ -271,7 +271,7 @@ class ConfigData {
<ul>
<li>
<b>Don't forget security updates!</b> Keep an eye on the
- <a href="http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce">low-traffic
+ <a href="http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce">low-traffic
release announcements mailing list</a>.
</li>
</ul>
diff --git a/includes/AutoLoader.php b/includes/AutoLoader.php
index 25c728cd..5e1b8156 100644
--- a/includes/AutoLoader.php
+++ b/includes/AutoLoader.php
@@ -96,7 +96,6 @@ function __autoload($className) {
'HTMLCacheUpdate' => 'includes/HTMLCacheUpdate.php',
'Http' => 'includes/HttpFunctions.php',
'IP' => 'includes/IP.php',
- 'ThumbnailImage' => 'includes/Image.php',
'ImageGallery' => 'includes/ImageGallery.php',
'ImagePage' => 'includes/ImagePage.php',
'ImageHistoryList' => 'includes/ImagePage.php',
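Review bot: the removal of the `'ThumbnailImage' => 'includes/Image.php'` mapping has no replacement in this diff and no RELEASE-NOTES entry; if a second mapping for the same `'ThumbnailImage'` key exists later in this array (making this one a dead duplicate that PHP would have overridden anyway), say so in the commit message, otherwise any code that still instantiates ThumbnailImage will fail to autoload after this change.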
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1ed8779a..5afb969d 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" );
$wgConf = new SiteConfiguration;
/** MediaWiki version number */
-$wgVersion = '1.11.0';
+$wgVersion = '1.11.1';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
diff --git a/includes/LinkBatch.php b/includes/LinkBatch.php
index 8ab3393e..20bcd3d4 100644
--- a/includes/LinkBatch.php
+++ b/includes/LinkBatch.php
@@ -158,9 +158,9 @@ class LinkBatch {
}
if (count($dbkeys)==1) { // avoid multiple-reference syntax if simple equality can be used
-
+ $singleKey = array_keys($dbkeys);
$sql .= "({$prefix}_namespace=$ns AND {$prefix}_title=".
- $db->addQuotes(current(array_keys($dbkeys))).
+ $db->addQuotes($singleKey[0]).
")";
} else {
$sql .= "({$prefix}_namespace=$ns AND {$prefix}_title IN (";
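Review bot: the new `$singleKey` temporary exists only to avoid passing the result of `array_keys()` straight into `current()`, which RELEASE-NOTES describes as a PHP 5.0 regression, but nothing in the code says so; a one-line comment such as "// temporary needed for PHP 5.0 compatibility" next to `$singleKey = array_keys($dbkeys);` would stop a later cleanup from folding it back into the original one-liner.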
diff --git a/languages/Language.php b/languages/Language.php
index 3f9d98fb..9bf1abab 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -1179,7 +1179,7 @@ class Language {
$this->load();
if ( !isset( $this->mExtendedSpecialPageAliases ) ) {
$this->mExtendedSpecialPageAliases = $this->specialPageAliases;
- wfRunHooks( 'LangugeGetSpecialPageAliases',
+ wfRunHooks( 'LanguageGetSpecialPageAliases',
array( &$this->mExtendedSpecialPageAliases, $this->getCode() ) );
}
return $this->mExtendedSpecialPageAliases;
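Review bot: correcting the hook name from 'LangugeGetSpecialPageAliases' to 'LanguageGetSpecialPageAliases' is the right fix, but it silently breaks any extension that registered a handler under the old misspelled key, since those handlers will simply never be invoked again; the RELEASE-NOTES entry "(bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name" should spell out that extension authors must update their `$wgHooks` key accordingly.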
diff --git a/languages/messages/MessagesDa.php b/languages/messages/MessagesDa.php
index e3e1e084..d54a7a32 100644
--- a/languages/messages/MessagesDa.php
+++ b/languages/messages/MessagesDa.php
@@ -55,7 +55,7 @@ $linkTrail = '/^([a-zæøå]+)(.*)$/sDu';
* listed alias will be used as the default. Aliases from the fallback
* localisation (usually English) will be included by default.
*
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
* hook.
*/
$specialPageAliases = array(
diff --git a/languages/messages/MessagesDe.php b/languages/messages/MessagesDe.php
index df795c8b..1e85acaf 100644
--- a/languages/messages/MessagesDe.php
+++ b/languages/messages/MessagesDe.php
@@ -57,7 +57,7 @@ $linkTrail = '/^([äöüßa-z]+)(.*)$/sDu';
* listed alias will be used as the default. Aliases from the fallback
* localisation (usually English) will be included by default.
*
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
* hook.
*/
$specialPageAliases = array(
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 3a8c3949..b3795c85 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -347,7 +347,7 @@ $magicWords = array(
* listed alias will be used as the default. Aliases from the fallback
* localisation (usually English) will be included by default.
*
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
* hook.
*/
$specialPageAliases = array(
diff --git a/languages/messages/MessagesHy.php b/languages/messages/MessagesHy.php
index 1f409e7d..2e9135e3 100644
--- a/languages/messages/MessagesHy.php
+++ b/languages/messages/MessagesHy.php
@@ -264,7 +264,7 @@ $magicWords = array(
* listed alias will be used as the default. Aliases from the fallback
* localisation (usually English) will be included by default.
*
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
* hook.
*/
$specialPageAliases = array(
diff --git a/languages/messages/MessagesNl.php b/languages/messages/MessagesNl.php
index b9f6b121..5603b4c8 100644
--- a/languages/messages/MessagesNl.php
+++ b/languages/messages/MessagesNl.php
@@ -213,7 +213,7 @@ $magicWords = array(
* listed alias will be used as the default. Aliases from the fallback
* localisation (usually English) will be included by default.
*
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
* hook.
*/
$specialPageAliases = array(
diff --git a/languages/messages/MessagesSv.php b/languages/messages/MessagesSv.php
index 92968f22..cad8b48a 100644
--- a/languages/messages/MessagesSv.php
+++ b/languages/messages/MessagesSv.php
@@ -42,7 +42,7 @@ $namespaceAliases = array(
* listed alias will be used as the default. Aliases from the fallback
* localisation (usually English) will be included by default.
*
- * This array may be altered at runtime using the LangugeGetSpecialPageAliases
+ * This array may be altered at runtime using the LanguageGetSpecialPageAliases
* hook.
*/
$specialPageAliases = array(
diff --git a/maintenance/archives/patch-objectcache.sql b/maintenance/archives/patch-objectcache.sql
index 223a11c9..5edf305b 100644
--- a/maintenance/archives/patch-objectcache.sql
+++ b/maintenance/archives/patch-objectcache.sql
@@ -1,9 +1,9 @@
-- For a few generic cache operations if not using Memcached
CREATE TABLE /*$wgDBprefix*/objectcache (
- keyname varbinary(255) binary not null default '',
+ keyname varbinary(255) NOT NULL default '',
value mediumblob,
exptime datetime,
- unique key (keyname),
- key (exptime)
+ UNIQUE KEY (keyname),
+ KEY (exptime)
) /*$wgDBTableOptions*/;