-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
MediaWiki 1.4beta6 is a security and bug fix release for the 1.4 beta series.
In previous 1.4beta and 1.3.x releases an attacker could craft a URL which, when visited by a particular logged-in user, would execute arbitrary JavaScript code on the user's browser in the wiki's site context. This attack has been blocked, and as an extra precaution the user CSS and JavaScript subpage support is now disabled by default. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
Additional protections have been added against off-site form submissions hijacking user credentials. Authors of bot tools may need to update their code to include additional fields.
1.3.x users not using the 1.4 beta should upgrade to 1.3.10.
Note that 1.4 beta releases prior to beta 5 include an input validation error which could lead to execution of arbitrary PHP code on the server. Users of older betas should upgrade immediately to the current version.
Beta 6 also introduces the use of rel="nofollow" attributes on external links in wiki pages to reduce the effectiveness of wiki spam. This will cause participating search engines to ignore external URL links from wiki pages for purposes of page relevancy ranking.
The current implementation adds this attribute to _all_ external URL links in wiki text (but not internal [[wiki links]] or interwiki links). To disable the attribute for _all_ external links, add this line to your LocalSettings.php:
~ $wgNoFollowLinks = false
For background information on nofollow see:
~ http://www.google.com/googleblog/2005/01/preventing-comment-spam.html
=== Changes since beta 5 ===
* (bug 1335) implement 'tooltip-watch' in Language.php * Fix linktrail for nn: language * (bug 1214) Fix prev/next links in Special:Log * (bug 1354) Fix linktrail for fo: language * (bug 512) Reload generated CSS on preference change * (bug 63) Fix displaying as if logged in after logout * Set default MediaWiki:Sitenotice to '-', avoiding extra database hits * Skip message cache initialization on raw page view (quick hack) * Fix notice errors in wfDebugDieBacktrace() in XML callbacks * Suppress notice error on bogus timestamp input (returns epoch as before) * Remove unnecessary initialization and double-caching of parser variables * Call-tree output mode for profiling * (bug 730) configurable $wgRCMaxAge; don't try to update purged RC entries * Add $wgNoFollowLinks option to add rel="nofollow" on external links ~ (on by default) * (bug 1130) Show actual title when moving page instead of encoded one. * (bug 925) Fix headings containing <math> * (bug 1131) Fix headings containing interwiki links * (bug 1380) Update Nynorsk language file * (bug 1232) Fix sorting of cached Special:Wantedpages in miser mode * (bug 1217) Image within an image caption broke rendering * (bug 1384) Make patrol signs have the same width for page moves as for edits * (bug 1364) fix "clean up whitespace" in Title:SecureAndSplit * (bug 1389) i18n for proxyblocker message * Add fur/Furlan/Friulian to language names list * Add TitleMoveComplete hook on page renames * Allow simple comments for each translation rules in MW:Zhconversiontable * (bug 1402) Make link color of tab subject page link on talk page indicate whether article exists * (bug 1368) Fix SQL error on stopword/short word search w/ MySQL 3.x * Translated Hebrew namespace names * (bug 1429) Stop double-escaping of block comments; fix formatting * (bug 829) Fix URL-escaping on block success * (bug 1228) Fix double-escaping on & sequences in [enclosed] URLs * (bug 1435) Fixed many CSS errors * (bug 1457) Fix XHTML validation on category column list * (bug 1458) Don't save if edit form submission is incomplete * Logged-in edits and preview of user CSS/JS are now locked to a session token. * Per-user CSS and JavaScript subpage customizations now disabled by default. ~ They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss. * Removed .ogg from the default uploads whitelist as an extra precaution. ~ If your web server is configured to serve Ogg files with the correct ~ Content-Type header, you can re-add it in LocalSettings.php: ~ $wgFileExtensions[] = 'ogg';
Release notes: http://sourceforge.net/project/shownotes.php?release_id=302312
Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.4beta6.tar.gz?download
Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)