Index: branches/REL1_17/phase3/HISTORY |
— | — | @@ -2,6 +2,135 @@ |
3 | 3 | |
4 | 4 | == MediaWiki 1.16 == |
5 | 5 | |
| 6 | +== Changes since 1.16.4 == |
| 7 | + |
| 8 | +* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third |
| 9 | + attempt at fixing bug 28235. |
| 10 | +* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin |
| 11 | + is enabled. |
| 12 | + |
| 13 | +== Changes since 1.16.3 == |
| 14 | + |
| 15 | +* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6 |
| 16 | + clients) was not actually sufficient to fix that bug. This release contains |
| 17 | + a second attempt, hopefully we have fixed it this time. |
| 18 | + |
| 19 | +== Changes since 1.16.2 == |
| 20 | + |
| 21 | +* (bug 28449) Fixed permissions checks in Special:Import which allowed users |
| 22 | + without the 'import' permission to import pages from the configured import |
| 23 | + sources. |
| 24 | +* (bug 28235) Fixed XSS affecting IE 6 and earlier clients only, due to those |
| 25 | + browsers looking for a file extension in the query string of the URL, and |
| 26 | + ignoring the Content-Type header if one is found. |
| 27 | +* (bug 28450) Fixed a CSS validation issue involving escaped comments, which |
| 28 | + led to XSS for Internet Explorer clients and privacy loss for other clients. |
| 29 | + |
| 30 | +== Changes since 1.16.1 == |
| 31 | + |
| 32 | +* (bug 26642) Fixed incorrect translated namespace due to a regression in the |
| 33 | + language converter. |
| 34 | +* The interface translations were updated. |
| 35 | +* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. |
| 36 | +* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability. |
| 37 | + Affects Windows servers only. A malicious file with extension ".php" must |
| 38 | + exist on the server for the exploit to be effective. |
| 39 | + |
| 40 | +== Changes since 1.16.0 == |
| 41 | + |
| 42 | +* (bug 24981) Allow extensions to access SpecialUpload variables again |
| 43 | +* (bug 24724) list=allusers was out by 1 (shows total users - 1) |
| 44 | +* (bug 24166) Fixed API error when using rvprop=tags |
| 45 | +* For wikis using French as a content language, Special:Téléchargement works |
| 46 | + again as an alias for Special:Upload. |
| 47 | +* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0) |
| 48 | +* (bug 25248) Fixed paraminfo errors in certain API modules. |
| 49 | +* The installer now has improved handling for situations where safe_mode is |
| 50 | + active or exec() and similar functions are disabled. |
| 51 | +* (bug 19593) Specifying --server in now works for all maintenance scripts. |
| 52 | +* Fixed $wgLicenseTerms register globals. |
| 53 | +* (bug 26561) Fixed clickjacking vulnerabilities by introducing support for |
| 54 | + X-Frame-Options. The header value can be configured using $wgBreakFrames and |
| 55 | + $wgEditPageFrameOptions. |
| 56 | + |
| 57 | +== Changes since 1.16 beta 3 == |
| 58 | + |
| 59 | +* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in |
| 60 | + 1.16 beta 1, but is currently poorly supported by browsers. |
| 61 | +* (bug 23175) Re-added window.ta variable for backwards compatibility. |
| 62 | +* (bug 23264) Fixed breakage of various command line scripts due to extra line |
| 63 | + endings being inserted by Maintenance::output(). |
| 64 | +* Fixed HTTP client functionality with safe_mode=On. |
| 65 | +* Fixed parser tests broken in 1.16 beta 3. |
| 66 | +* For Oracle DB backend: fixed parser tests and table prefix feature. |
| 67 | +* (bug 23767) Fixed PHP warning when REQUEST_URI is blank (IIS issue). |
| 68 | +* Fixed plural function for Northern Sami (se) |
| 69 | +* (bug 23597) Fixed conflicts between ID attributes in the Vector skin and |
| 70 | + parser-generated heading IDs. Renamed head, panel, head-base and page-base. |
| 71 | +* Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet. |
| 72 | +* (bug 23465) Don't ignore the predefined destination filename on |
| 73 | + Special:Upload after following a red link to a file. |
| 74 | +* In SQLite full-text search feature: fixed "move page" feature, was non- |
| 75 | + functional. |
| 76 | +* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect |
| 77 | + user privacy in the case where an attacker can access the wiki through the |
| 78 | + same HTTP proxy as a logged-in user. |
| 79 | +* Fixed an XSS vulnerability in profileinfo.php for installations with |
| 80 | + $wgEnableProfileInfo = true (false by default) |
| 81 | +* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being |
| 82 | + false. Fixed a minor header parsing issue when $wgUseXVO = true. |
| 83 | +* Fixed a register_globals arbitrary inclusion vulnerability in |
| 84 | + MediaWikiParserTest.php, introduced in 1.16 beta 1. |
| 85 | + |
| 86 | +== Changes since 1.16 beta 2 == |
| 87 | + |
| 88 | +* Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of |
| 89 | + invalid usernames. |
| 90 | +* Fixed sorting in [[Special:Allmessages]] |
| 91 | +* (bug 23113) Fixed title in the show/hide links on diff pages |
| 92 | +* (bug 23117) Fixed API rollback, was returning "badtoken" for valid requests |
| 93 | +* (bug 23127) Re-added missing $1 parameter to the uploadtext message |
| 94 | +* Fixed a bug in the Vector skin where personal tools display behind the logo |
| 95 | +* (bug 23139) Fixed a bug in edit conflict resolution, where both textboxes |
| 96 | + showed the same text. |
| 97 | +* (bug 23115, bug 23124) Fixed various problems with <title> and <h1> elements |
| 98 | + in page views and previews when the language converter is enabled. |
| 99 | +* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image |
| 100 | + scaling, which was introduced in 1.16 beta 1. |
| 101 | +* Improved error checking on installer. |
| 102 | +* (bug 22970) Fixed a JavaScript error in the upload destination conflict |
| 103 | + check. |
| 104 | +* (bug 23167) Check the watch checkbox by default if the watchcreations |
| 105 | + preference is set. |
| 106 | +* (bug 23171) Improve IE6 version check to avoid false positives. |
| 107 | +* (bug 23176) Fixed upload warning override feature "upload new version", |
| 108 | + broken in 1.16 beta 1. |
| 109 | +* Fixed regression in unwatch links sent out in notification emails. When the |
| 110 | + mailing job was deferred via the job queue, the title was incorrect. |
| 111 | +* (bug 23534) Fixed SQL query error in API list=allusers. |
| 112 | +* Fixed a bug in uploads for non-JavaScript clients. An empty string was used |
| 113 | + as the default destination filename, instead of the source filename as |
| 114 | + expected. |
| 115 | +* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create |
| 116 | + account" and "create by e-mail" features of [[Special:Userlogin]] |
| 117 | +* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS |
| 118 | + validation issue. |
| 119 | +* Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick |
| 120 | + expanded wildcard characters "?" and "*" in image filenames, potentially |
| 121 | + causing large numbers of images to be scaled in response to a single request. |
| 122 | + The fix for this involves breaking the scaling of such image filenames until |
| 123 | + ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details. |
| 124 | +* (bug 23608) Fixed invalid HTML in diff pages. |
| 125 | + |
| 126 | +=== Changes since 1.16 beta 1 === |
| 127 | + |
| 128 | +* Fixed errors in maintenance/patchSql.php |
| 129 | +* (bug 19627) Fix regression from r57867 where HTMLForm would output |
| 130 | + <element classes="foo bar"> rather than <element class="foo bar"> |
| 131 | +* Fixed broken "-r" option to maintenance/lag.php |
| 132 | +* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to |
| 133 | + be submitted along with the user name and password. |
| 134 | + |
6 | 135 | === Configuration changes in 1.16 === |
7 | 136 | |
8 | 137 | * (bug 18222) $wgMinimalPasswordLength default is now 1 |
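Review bot: the heading `=== Changes since 1.16 beta 1 ===` added near the end of this hunk is one level deeper than its siblings (`== Changes since 1.16 beta 2 ==`, `== Changes since 1.16 beta 3 ==`), so it nests under the beta 2 section instead of standing beside it; use two `=` like the others. Also, in the "Changes since 1.16.0" block, "Specifying --server in now works for all maintenance scripts." should read "Specifying --server now works for all maintenance scripts." Since these entries are the record of security fixes, it would help readers tracking advisories if each security entry carried its CVE identifier where one has been assigned: only the bug 27093 entry (CVE-2011-0047) does so, while the XSS (bug 28235, 28507, 28534, 28450, 23687), CSRF (bug 23371, 23076), privilege escalation (bug 28639) and Special:Import (bug 28449) entries cite only bug numbers.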
Index: branches/REL1_17/phase3/includes/DefaultSettings.php |
— | — | @@ -34,7 +34,7 @@ |
35 | 35 | /** @endcond */ |
36 | 36 | |
37 | 37 | /** MediaWiki version number */ |
38 | | -$wgVersion = '1.17alpha'; |
| 38 | +$wgVersion = '1.17.0beta1'; |
39 | 39 | |
40 | 40 | /** Name of the site. It must be changed in LocalSettings.php */ |
41 | 41 | $wgSitename = 'MediaWiki'; |
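Review bot: the bump to `$wgVersion = '1.17.0beta1'` matches the RELEASE-NOTES heading "MediaWiki 1.17 beta 1" in the same change, and PHP's version_compare() orders a "beta" suffix before the bare release, so extension checks of the form version_compare($wgVersion, '1.17.0', '>=') will correctly treat this build as pre-1.17.0. Worth confirming that nothing in the tree compares $wgVersion with a numeric cast (e.g. (float)$wgVersion), which would read this string as 1.17 and lose the beta status.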
Index: branches/REL1_17/phase3/RELEASE-NOTES |
— | — | @@ -5,7 +5,7 @@ |
6 | 6 | |
7 | 7 | == MediaWiki 1.17 beta 1 == |
8 | 8 | |
9 | | -2011-05-04 |
| 9 | +2011-05-05 |
10 | 10 | |
11 | 11 | This is a beta release of the MediaWiki 1.17 branch. Please test it and let us |
12 | 12 | know what you think of it. Beta releases are not recommended for use in |
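Review bot: only the date moves here (2011-05-04 to 2011-05-05); make sure the tag and announcement use the same date. Since the HISTORY hunk in this change imports the 1.16.1 through 1.16.4 entries, including the bug 28534 XSS fix and the bug 28639 privilege escalation fix, confirm that the 1.17 beta 1 notes also state whether those fixes are included in this beta, because readers of RELEASE-NOTES will not see HISTORY.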