I would like to announce the release of MediaWiki 1.16.1, which is a security and maintenance release.
Wikipedia user PleaseStand pointed out that MediaWiki has no protection against "clickjacking". With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki.
Our fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users need to use a browser which supports X-Frame-Options. For information about supported browsers, see:
https://developer.mozilla.org/en/the_x-frame-options_response_header
For more information about this vulnerability and the related patch, see:
https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
Other changes in MediaWiki 1.16.1:
* (bug 24981) Allow extensions to access SpecialUpload variables again
* (bug 24724) list=allusers was out by 1 (shows total users - 1)
* (bug 24166) Fixed API error when using rvprop=tags
* For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload.
* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
* (bug 25248) Fixed paraminfo errors in certain API modules.
* The installer now has improved handling for situations where safe_mode is active or exec() and similar functions are disabled.
* (bug 19593) Specifying --server now works for all maintenance scripts.
* Fixed $wgLicenseTerms register globals.
Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NOT...
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz
Patch to previous version (1.16.0), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
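An added example, not part of the original announcement or of MediaWiki's code: after upgrading, an administrator can audit captured response headers to confirm that pages other than normal page views carry a framing-restricting X-Frame-Options header. The host name, the sample responses, the view/sensitive classification rule and the `frameable_special` allowlist are assumptions made for illustration; the announcement does not name the exempt special pages or the header value sent.

```python
from urllib.parse import urlsplit, parse_qs

# X-Frame-Options values that stop cross-origin framing in supporting browsers.
RESTRICTING = {"DENY", "SAMEORIGIN"}

def page_kind(url, frameable_special=()):
    """Classify a URL as a plain 'view' or a 'sensitive' page.
    Assumption: a normal page view has no action (or action=view) and is not
    a Special: page, unless the operator lists that special page as frameable."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    title = query.get("title", [parts.path.rsplit("/", 1)[-1]])[0]
    action = query.get("action", ["view"])[0]
    if title.startswith("Special:"):
        return "view" if title in frameable_special else "sensitive"
    return "view" if action == "view" else "sensitive"

def frame_protected(headers):
    """True if the response carries a framing-restricting X-Frame-Options."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":  # header names are case-insensitive
            return value.strip().upper() in RESTRICTING
    return False

def audit(responses, frameable_special=()):
    """Return (url, verdict) pairs for captured (url, headers) responses."""
    results = []
    for url, headers in responses:
        if frame_protected(headers):
            verdict = "protected"
        elif page_kind(url, frameable_special) == "view":
            verdict = "frameable by design"
        else:
            verdict = "MISSING"  # sensitive page that any site could frame
        results.append((url, verdict))
    return results

# Constructed sample responses (hypothetical host, not captured from a real wiki).
SAMPLE = [
    ("http://wiki.example/index.php?title=Main_Page", {"Content-Type": "text/html"}),
    ("http://wiki.example/index.php?title=Main_Page&action=edit", {"x-frame-options": "DENY"}),
    ("http://wiki.example/index.php?title=Special:Preferences", {"Content-Type": "text/html"}),
    ("http://wiki.example/index.php?title=Main_Page&action=history", {"X-Frame-Options": " sameorigin "}),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE):
        print(f"{verdict:20} {url}")
```

A "MISSING" verdict on an edit, preferences or other state-changing page means that page can still be framed by an external site, whatever browser the visitor uses.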
Hi all,
On Tue, 04 Jan 2011, Tim Starling wrote:
> I would like to announce the release of MediaWiki 1.16.1, which is a security and maintenance release.
It appears to have broken my skin (sigh). And I'm just beginning to figure out CSS.
Where the content was centered under 1.16.0, the right margin now seems to be extended most of the way to the right. From what I can see, I now have an extra 128 pixels in the content area.
What do I need to be looking at? The wiki is at http://www.parts-unknown.org/mediawiki/
Thanks!
On Mon, 03 Jan 2011, David Benfell wrote:
> Hi all,
> On Tue, 04 Jan 2011, Tim Starling wrote:
>> I would like to announce the release of MediaWiki 1.16.1, which is a security and maintenance release.
> It appears to have broken my skin (sigh). And I'm just beginning to figure out CSS.
No, that's not it. The problem appears on one page at: http://www.parts-unknown.org/mediawiki/index.php?title=EarthWiki:About
For some reason, which I've never figured out, the text immediately following the Extensions heading appears in a dashed box. Apparently, line breaks no longer occur automatically. So now the right margin is extended to accommodate this text.
[grumble... grumble... grumble...]
So here's the deal:
1) I don't want this dashed box in the first place. Is there a way to tell mediawiki not to do this here?
2) How do I get line breaks back?
Thanks!
On Tue, 04 Jan 2011, David Benfell wrote:
> - I don't want this dashed box in the first place. Is there a way
> to tell mediawiki not to do this here?
Okay, I found the space at the beginning of the line. Apparently mediawiki understands that as a <pre> tag. Curious, but okay.
> - How do I get line breaks back?
And I take it that <pre> intentionally does not insert line breaks (this would make sense).
So arguably, the newer version of mediawiki is actually handling this correctly, whereas, for some reason the older (1.16.0) did not. But I'll leave that argument to others. :-)
David Benfell wrote:
> On Tue, 04 Jan 2011, David Benfell wrote:
>> - I don't want this dashed box in the first place. Is there a way
>> to tell mediawiki not to do this here?
> Okay, I found the space at the beginning of the line. Apparently mediawiki understands that as a <pre> tag. Curious, but okay.
>> - How do I get line breaks back?
> And I take it that <pre> intentionally does not insert line breaks (this would make sense).
> So arguably, the newer version of mediawiki is actually handling this correctly, whereas, for some reason the older (1.16.0) did not. But I'll leave that argument to others. :-)
I see the same behavior in 1.16.0
On Tue, 04 Jan 2011, Platonides wrote:
>> So arguably, the newer version of mediawiki is actually handling this correctly, whereas, for some reason the older (1.16.0) did not. But I'll leave that argument to others. :-)
> I see the same behavior in 1.16.0
Must be something weird in the skin, then. It'll be a while before I'm up to figuring out what it is.
Thanks!