r70067 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r70066‎ \| r70067 \| r70068 >
Date:	06:11, 28 July 2010
Author:	tstarling
Status:	ok
Tags:
Comment:	Fixed register_globals arbitrary inclusion vulnerability. Was fixed in trunk in r68544. Does not affect Apache installations with AllowOverride since there is a .htaccess file protecting the maintenance directory.
Modified paths:	/branches/REL1_16/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_16/phase3/maintenance/tests/MediaWikiParserTest.php (modified) (history)

Diff [purge]

Index: branches/REL1_16/phase3/maintenance/tests/MediaWikiParserTest.php
—	—	@@ -1,5 +1,9 @@
2	2	<?php
3	3
	4	+if ( !defined( 'MEDIAWIKI' ) ) {
	5	+ exit;
	6	+}
	7	+
4	8	global $IP;
5	9	define( "NO_COMMAND_LINE", 1 );
6	10	define( "PARSER_TESTS", "$IP/maintenance/parserTests.txt" );
Index: branches/REL1_16/phase3/RELEASE-NOTES
—	—	@@ -64,9 +64,12 @@
65	65	* (bug xxxxx) Fixed Cache-Control headers sent from API modules, to protect
66	66	user privacy in the case where an attacker can access the wiki through the
67	67	same HTTP proxy as a logged-in user.
68		~~-* Fixed XSS in profileinfo.php for users with $wgEnableProfileInfo = true;~~
	68	+* Fixed an XSS vulnerability in profileinfo.php for installations with
	69	+ $wgEnableProfileInfo = true (false by default)
69	70	* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being
70	71	false. Fixed a minor header parsing issue when $wgUseXVO = true.
	72	+* Fixed a register_globals arbitrary inclusion vulnerability in
	73	+ MediaWikiParserTest.php, introduced in 1.16 beta 1.
71	74
72	75	== Changes since 1.16 beta 2 ==
73	76

Revision	Commit summary	Author	Date
r68544	* Removed require/require_once from maintenance scripts where possible, repla...	tstarling	02:55, 25 June 2010

12:06, 28 July 2010 MaxSem (talk | contribs) changed the status of r70067 [removed: new added: ok]