From 888eab1a076a287bddd84fdf9dd9c57154c91e3f Mon Sep 17 00:00:00 2001 
From: Pierre Schmitz
Date: Thu, 27 Nov 2014 06:08:05 +0100
Subject: Update to MediaWiki 1.22.14
---
RELEASE-NOTES-1.22 | 27 +
extensions/ConfirmEdit/Asirra.class.php | 55 -
extensions/ConfirmEdit/Asirra.i18n.php | 549 ---------
extensions/ConfirmEdit/Asirra.php | 42 -
extensions/ConfirmEdit/README | 4 -
.../resources/ext.confirmEdit.asirra.js | 54 -
.../PdfHandler/CreatePdfThumbnailsJob.class.php | 126 ---
extensions/PdfHandler/PdfHandler.i18n.php | 1186 --------------------
extensions/PdfHandler/PdfHandler.image.php | 309 -----
extensions/PdfHandler/PdfHandler.php | 64 --
extensions/PdfHandler/PdfHandler_body.php | 362 ------
extensions/SimpleAntiSpam/SimpleAntiSpam.php | 5 +
extensions/Vector/README | 9 +
extensions/Vector/Vector.php | 6 +
includes/DefaultSettings.php | 23 +-
includes/EditPage.php | 18 +
includes/OutputHandler.php | 6 +-
includes/OutputPage.php | 78 +-
includes/User.php | 1 +
includes/api/ApiBase.php | 1 +
includes/api/ApiEditPage.php | 3 +
includes/api/ApiFormatJson.php | 10 +
includes/api/ApiFormatPhp.php | 19 +-
includes/api/ApiQueryLogEvents.php | 10 +-
includes/upload/UploadBase.php | 4 +-
languages/messages/MessagesEn.php | 2 +
languages/messages/MessagesQqq.php | 2 +
27 files changed, 181 insertions(+), 2794 deletions(-)
delete mode 100644 extensions/ConfirmEdit/Asirra.class.php
delete mode 100644 extensions/ConfirmEdit/Asirra.i18n.php
delete mode 100644 extensions/ConfirmEdit/Asirra.php
delete mode 100644 extensions/ConfirmEdit/resources/ext.confirmEdit.asirra.js
delete mode 100644 extensions/PdfHandler/CreatePdfThumbnailsJob.class.php
delete mode 100644 extensions/PdfHandler/PdfHandler.i18n.php
delete mode 100644 extensions/PdfHandler/PdfHandler.image.php
delete mode 100644 extensions/PdfHandler/PdfHandler.php
delete mode 100644 extensions/PdfHandler/PdfHandler_body.php
create mode 100644 extensions/SimpleAntiSpam/SimpleAntiSpam.php
create mode 100644 extensions/Vector/README
create mode 100644 extensions/Vector/Vector.php
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 9602c710..20c19471 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,11 +3,37 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.14 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.13 === + +* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code + into API clients that used format=php to process pages that underwent flash + policy mangling. This was fixed along with improving how the mangling was done + for format=json, and allowing sites to disable the mangling using + $wgMangleFlashPolicy. +* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update + the content model for a page could allow an unprivileged attacker to edit + another user's common.js under certain circumstances. The user right + "editcontentmodel" was added, and is needed to change a revision's content + model. +* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with + DELETED_ACTION. NOTICE: this may be reverted in a future release pending a + public RFC about the desired functionality. This issue was reported by user + Bawolff. +* (bug 71621) Make allowing site-wide styles on restricted special pages a + config option. +* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that + might be a flash policy directive configurable. + == MediaWiki 1.22.13 == This is a maintenance release of the MediaWiki 1.22 branch. === Changes since 1.22.12 === + * (Bug 67440) Allow classes to be registered properly from installer == MediaWiki 1.22.12 == @@ -15,6 +41,7 @@ This is a maintenance release of the MediaWiki 1.22 branch. This is a security release of the MediaWiki 1.22 branch. === Changes since 1.22.11 === + * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance. 
diff --git a/extensions/ConfirmEdit/Asirra.class.php b/extensions/ConfirmEdit/Asirra.class.php deleted file mode 100644 index ae1178a1..00000000 --- a/extensions/ConfirmEdit/Asirra.class.php +++ /dev/null @@ -1,55 +0,0 @@ -asirra_localpath = "$wgExtensionAssetsPath/ConfirmEdit"; - } - - function getForm() { - global $wgOut; - - $wgOut->addModules( 'ext.confirmEdit.asirra' ); - $js = Html::linkedScript( $this->asirra_clientscript ); - - $message = Xml::encodeJsVar( wfMessage( 'asirra-createaccount-fail' )->plain() ); - $js .= Html::inlineScript( <<parse() . ''; - return $js; - } - - function getMessage( $action ) { - $name = 'asirra-' . $action; - $text = wfMessage( $name )->text(); - # Obtain a more tailored message, if possible, otherwise, fall - # back to the default for edits - return wfMessage( $name, $text )->isDisabled() ? wfMessage( 'asirra-edit' )->text() : $text; - } - - function passCaptcha() { - global $wgRequest; - - $ticket = $wgRequest->getVal( 'Asirra_Ticket' ); - $api = 'http://challenge.asirra.com/cgi/Asirra?'; - $params = array( - 'action' => 'ValidateTicket', - 'ticket' => $ticket, - ); - - $response = Http::get( $api . wfArrayToCgi( $params ) ); - $xml = simplexml_load_string( $response ); - $result = $xml->xpath( '/AsirraValidation/Result' ); - return strval( $result[0] ) === 'Pass'; - } -} diff --git a/extensions/ConfirmEdit/Asirra.i18n.php b/extensions/ConfirmEdit/Asirra.i18n.php deleted file mode 100644 index 23190c29..00000000 --- a/extensions/ConfirmEdit/Asirra.i18n.php +++ /dev/null 
@@ -1,549 +0,0 @@ - 'Asirra module for ConfirmEdit', - 'asirra-edit' => 'To protect the wiki against automated edit spam, we kindly ask you to select just the cat photos in the box below:', - 'asirra-addurl' => 'Your edit includes new external links. To protect the wiki against automated edit spam, we kindly ask you to select just the cat photos in the box below:', - 'asirra-badlogin' => 'To protect the wiki against automated password cracking, we kindly ask you to select just the cat photos in the box below:', - 'asirra-createaccount' => 'To protect the wiki against automated account creation, we kindly ask you to select just the cat photos in the box below:', - 'asirra-createaccount-fail' => "Please correctly identify the cats.", - 'asirra-create' => 'To protect the wiki against automated page creation, we kindly ask you to select just the cat photos in the box below:', - 'asirra-nojs' => '\'\'\'Please enable JavaScript and resubmit the page.\'\'\'', - 'asirra-failed' => 'Please identify all cat images', -); - -/** Message documentation (Message documentation) - * @author 2nd-player - * @author Beta16 - * @author Raymond - * @author Shirayuki - */ -$messages['qqq'] = array( - 'asirra-desc' => '{{desc|name=Asirra|url=http://www.mediawiki.org/wiki/Extension:Asirra}}', - 'asirra-edit' => '{{Related|ConfirmEdit-edit}}', - 'asirra-addurl' => '{{Related|ConfirmEdit-addurl}}', - 'asirra-badlogin' => '{{Related|ConfirmEdit-badlogin}}', - 'asirra-createaccount' => '{{Related|ConfirmEdit-createaccount}}', - 'asirra-createaccount-fail' => 'Used as failure message in JavaScript code. -{{Related|ConfirmEdit-createaccount-fail}}', - 'asirra-create' => '{{Related|ConfirmEdit-create}}', - 'asirra-nojs' => 'Used in HTML