http://www.mediawiki.org/wiki/Special:Code/MediaWiki/70067

Revision: 70067
Author:   tstarling
Date:     2010-07-28 06:11:54 +0000 (Wed, 28 Jul 2010)

Log Message:
-----------
Fixed register_globals arbitrary inclusion vulnerability. Was fixed in trunk in 
r68544. Does not affect Apache installations with AllowOverride since there is 
a .htaccess file protecting the maintenance directory.

Modified Paths:
--------------
    branches/REL1_16/phase3/RELEASE-NOTES
    branches/REL1_16/phase3/maintenance/tests/MediaWikiParserTest.php

Modified: branches/REL1_16/phase3/RELEASE-NOTES
===================================================================
--- branches/REL1_16/phase3/RELEASE-NOTES       2010-07-28 05:52:32 UTC (rev 
70066)
+++ branches/REL1_16/phase3/RELEASE-NOTES       2010-07-28 06:11:54 UTC (rev 
70067)
@@ -64,9 +64,12 @@
 * (bug xxxxx) Fixed Cache-Control headers sent from API modules, to protect
   user privacy in the case where an attacker can access the wiki through the
   same HTTP proxy as a logged-in user.
-* Fixed XSS in profileinfo.php for users with $wgEnableProfileInfo = true;
+* Fixed an XSS vulnerability in profileinfo.php for installations with 
+  $wgEnableProfileInfo = true (false by default)
 * Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being
   false. Fixed a minor header parsing issue when $wgUseXVO = true.
+* Fixed a register_globals arbitrary inclusion vulnerability in 
+  MediaWikiParserTest.php, introduced in 1.16 beta 1.
 
 == Changes since 1.16 beta 2 ==
 
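Review bot: The new register_globals entry (the last two added lines of this hunk) does not say which installations are exposed. The commit message states that Apache installations with AllowOverride are not affected because a .htaccess file protects the maintenance directory; repeating that in the entry, together with the fact that the issue only applies when register_globals is on, would let administrators judge how urgently they need the update. Minor style point: the reworded XSS entry ends at "(false by default)" without a full stop, while the other entries in the list end with one.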

Modified: branches/REL1_16/phase3/maintenance/tests/MediaWikiParserTest.php
===================================================================
--- branches/REL1_16/phase3/maintenance/tests/MediaWikiParserTest.php   
2010-07-28 05:52:32 UTC (rev 70066)
+++ branches/REL1_16/phase3/maintenance/tests/MediaWikiParserTest.php   
2010-07-28 06:11:54 UTC (rev 70067)
@@ -1,5 +1,9 @@
 <?php
 
+if ( !defined( 'MEDIAWIKI' ) ) {
+       exit;
+}
+
 global $IP;
 define( "NO_COMMAND_LINE", 1 );
 define( "PARSER_TESTS", "$IP/maintenance/parserTests.txt" );
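Review bot: The guard added at the top of MediaWikiParserTest.php exits silently and carries no comment saying what it protects. A short comment noting that the file uses $IP at file scope (global $IP; and the PARSER_TESTS define just below) and must therefore only be loaded after the entry point has defined MEDIAWIKI would keep the check from being removed or moved below those lines later. Consider also exiting with a non-zero status or a one-line message, so that someone who runs the file directly can see why nothing happened.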



_______________________________________________
MediaWiki-CVS mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
