From 888eab1a076a287bddd84fdf9dd9c57154c91e3f Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Thu, 27 Nov 2014 06:08:05 +0100
Subject: Update to MediaWiki 1.22.14
---
 includes/DefaultSettings.php | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
(limited to 'includes/DefaultSettings.php')
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index df3d57b9..6feac36b 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
  * MediaWiki version number
  * @since 1.2
  */
-$wgVersion = '1.22.13';
+$wgVersion = '1.22.14';
 /**
  * Name of the site. It must be changed in LocalSettings.php
@@ -3322,6 +3322,27 @@ $wgResourceLoaderLESSImportPaths = array(
 "$IP/resources/mediawiki.less/",
 );
+/**
+ * Whether to allow site-wide CSS (MediaWiki:Common.css and friends) on
+ * restricted pages like Special:UserLogin or Special:Preferences where
+ * JavaScript is disabled for security reasons. As it is possible to
+ * execute JavaScript through CSS, setting this to true opens up a
+ * potential security hole. Some sites may "skin" their wiki by using
+ * site-wide CSS, causing restricted pages to look unstyled and different
+ * from the rest of the site.
+ *
+ * @since 1.25
+ */
+$wgAllowSiteCSSOnRestrictedPages = false;
+
+/**
+ * When OutputHandler is used, mangle any output that contains
+ * . Without this, an attacker can send their own
+ * cross-domain policy unless it is prevented by the crossdomain.xml file at
+ * the domain root.
+ */
+$wgMangleFlashPolicy = true;
+
 /** @} */ # End of resource loader settings }
 /*************************************************************************//**
--
cgit v1.2.2
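Review bot: The `@since 1.25` tag on `$wgAllowSiteCSSOnRestrictedPages` in the second hunk (-3322,6 +3322,27) does not match the branch it lands on, since the first hunk sets `$wgVersion` to '1.22.14'; an administrator reading the docblock on 1.22 could conclude the setting is not available there. If this is a backport, as it appears to be, the tag could say so, e.g. `@since 1.25 (also available from 1.22.14)`, and `$wgMangleFlashPolicy` should get a `@since` line of its own, as it currently has none. Both docblocks describe the risk but not when changing the default is acceptable; a sentence such as `Only enable this if editing of site-wide CSS is limited to fully trusted users.` on the first, and a note on the second that it should stay true unless a restrictive crossdomain.xml is served at the domain root, would make the safe configuration explicit. The resource loader settings section that contains these additions begins and ends outside the hunk.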