[Mediawiki-l] MediaWiki 1.4beta6 released (SECURITY)

Brion Vibber brion.vibber at gmail.com
Fri Feb 4 07:49:35 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MediaWiki 1.4beta6 is a security and bug fix release for the 1.4 beta
series.

In previous 1.4beta and 1.3.x releases an attacker could craft a URL
which, when visited by a particular logged-in user, would execute
arbitrary JavaScript code on the user's browser in the wiki's site
context. This attack has been blocked, and as an extra precaution the
user CSS and JavaScript subpage support is now disabled by default.
Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs
in LocalSettings.php.

Additional protections have been added against off-site form submissions
hijacking user credentials. Authors of bot tools may need to update
their code to include additional fields.

1.3.x users not using the 1.4 beta should upgrade to 1.3.10.

Note that 1.4 beta releases prior to beta 5 include an input validation
error which could lead to execution of arbitrary PHP code on the server.
Users of older betas should upgrade immediately to the current version.


Beta 6 also introduces the use of rel="nofollow" attributes on external
links in wiki pages to reduce the effectiveness of wiki spam. This will
cause participating search engines to ignore external URL links from
wiki pages for purposes of page relevancy ranking.

The current implementation adds this attribute to _all_ external URL
links in wiki text (but not internal [[wiki links]] or interwiki links).
To disable the attribute for _all_ external links, add this line to your
LocalSettings.php:

  $wgNoFollowLinks = false;

For background information on nofollow see:

  http://www.google.com/googleblog/2005/01/preventing-comment-spam.html


=== Changes since beta 5 ===

* (bug 1335) implement 'tooltip-watch' in Language.php
* Fix linktrail for nn: language
* (bug 1214) Fix prev/next links in Special:Log
* (bug 1354) Fix linktrail for fo: language
* (bug 512) Reload generated CSS on preference change
* (bug 63) Fix displaying as if logged in after logout
* Set default MediaWiki:Sitenotice to '-', avoiding extra database hits
* Skip message cache initialization on raw page view (quick hack)
* Fix notice errors in wfDebugDieBacktrace() in XML callbacks
* Suppress notice error on bogus timestamp input (returns epoch as before)
* Remove unnecessary initialization and double-caching of parser variables
* Call-tree output mode for profiling
* (bug 730) configurable $wgRCMaxAge; don't try to update purged RC entries
* Add $wgNoFollowLinks option to add rel="nofollow" on external links
  (on by default)
* (bug 1130) Show actual title when moving page instead of encoded one.
* (bug 925) Fix headings containing <math>
* (bug 1131) Fix headings containing interwiki links
* (bug 1380) Update Nynorsk language file
* (bug 1232) Fix sorting of cached Special:Wantedpages in miser mode
* (bug 1217) Image within an image caption broke rendering
* (bug 1384) Make patrol signs have the same width for page moves as for
  edits
* (bug 1364) fix "clean up whitespace" in Title:SecureAndSplit
* (bug 1389) i18n for proxyblocker message
* Add fur/Furlan/Friulian to language names list
* Add TitleMoveComplete hook on page renames
* Allow simple comments for each translation rule in MW:Zhconversiontable
* (bug 1402) Make link color of tab subject page link on talk page
  indicate whether article exists
* (bug 1368) Fix SQL error on stopword/short word search w/ MySQL 3.x
* Translated Hebrew namespace names
* (bug 1429) Stop double-escaping of block comments; fix formatting
* (bug 829) Fix URL-escaping on block success
* (bug 1228) Fix double-escaping on &amp; sequences in [enclosed] URLs
* (bug 1435) Fixed many CSS errors
* (bug 1457) Fix XHTML validation on category column list
* (bug 1458) Don't save if edit form submission is incomplete
* Logged-in edits and preview of user CSS/JS are now locked to a session
  token.
* Per-user CSS and JavaScript subpage customizations now disabled by
  default.
  They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.
* Removed .ogg from the default uploads whitelist as an extra precaution.
  If your web server is configured to serve Ogg files with the correct
  Content-Type header, you can re-add it in LocalSettings.php:
    $wgFileExtensions[] = 'ogg';


Release notes:
http://sourceforge.net/project/shownotes.php?release_id=302312

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.4beta6.tar.gz?download

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCAyhRwRnhpk1wk44RAnIUAKDdqRHUZeEM8g9+qazg+9yxtLpMogCgxNGb
0cawqMHSyQSVbc7CFav4hMg=
=qmq7
-----END PGP SIGNATURE-----
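
Added example, not part of the original announcement and not MediaWiki's own code: a PHP illustration of locking a form submission to a session token, the kind of check the announcement describes for logged-in edits and the reason bot tools must now send an extra field. The function names and the edit_token field are hypothetical, and plain arrays stand in for $_SESSION and $_POST.

```php
<?php
// Added illustration; every name here is hypothetical, not MediaWiki's.

/** Return the per-session secret, creating it on first use. */
function sessionSecret(array &$session): string {
    if (!isset($session['edit_secret'])) {
        $session['edit_secret'] = bin2hex(random_bytes(16));
    }
    return $session['edit_secret'];
}

/** Token placed in a hidden form field; bound to the session and the action. */
function editToken(array &$session, string $action): string {
    return hash_hmac('sha256', $action, sessionSecret($session));
}

/** Accept a submission only if it carries the token for this session and action. */
function tokenMatches(array &$session, string $action, array $post): bool {
    $sent = $post['edit_token'] ?? '';
    // hash_equals() compares in constant time; reject non-string input first.
    return is_string($sent)
        && hash_equals(editToken($session, $action), $sent);
}

// Constructed demo data.
$user = [];  // the logged-in user's session
$form = ['text' => 'legit edit', 'edit_token' => editToken($user, 'edit')];

// Off-site form: the browser attaches the user's cookies, but the
// submitting page never saw the token, so the field is missing.
$offsite = ['text' => 'unwanted edit'];

// A token minted in a different session does not verify for this one.
$other = [];
$foreign = ['text' => 'unwanted edit', 'edit_token' => editToken($other, 'edit')];

var_dump(tokenMatches($user, 'edit', $form));     // same session, same action
var_dump(tokenMatches($user, 'edit', $offsite));  // token field absent
var_dump(tokenMatches($user, 'edit', $foreign));  // token from another session
var_dump(tokenMatches($user, 'preview', $form));  // token reused for another action
```

A bot that edits through the web form has to fetch the form first, read the token out of it, and send it back with the submission in the same session.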


