
Tags: bliu2000/core

Tags

1.19.2

Release 1.19.2

1.18.5

Release 1.18.5

1.18.4

(bug 36938) Correctly escape uselang attribute to prevent xss

Fixes xss in uselang parameter by quoting attribute with double quotes
and adding htmlspecialchars escaping.

Change-Id: I009c40f869d6c0d82345c417839fc72210d2dbfd

1.17.5

(bug 36938) Fix escaping uselang parameter

Quote uselang with double quotes, and add htmlspecialchar escaping
to prevent xss. Update code comments in Language.php to make the
return of getCode more clear.

Change-Id: I6612795e85e0fb0b3a1d10e4352cb649d36abc3f
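The two commits above (1.18.4 and 1.17.5) apply the same fix for bug 36938: the uselang value was emitted into an HTML attribute without quotes, so a space in the value ended the attribute and started a new one, and htmlspecialchars() alone would not have helped because it does not touch spaces. The following is an added example written for this page, not MediaWiki's own Language.php or OutputPage code; $uselang stands in for the request's uselang parameter and the function names are hypothetical. It shows the unquoted-attribute pattern beside the quoted-and-escaped one, plus a stricter allow-list that a practitioner would add for a value that is supposed to be a language code.

```php
<?php
// Added example, not MediaWiki code. $uselang stands in for the request's
// uselang parameter; the function names are hypothetical.

// Vulnerable pattern: unquoted attribute, value inserted as-is. A space in the
// value terminates the attribute, so no entity escaping can save this form.
function langAttrVulnerable(string $uselang): string {
    return "<html lang=$uselang>";
}

// Fixed pattern from the commit message: double-quoted attribute plus
// htmlspecialchars(). ENT_QUOTES also covers single quotes for good measure.
function langAttrSafe(string $uselang): string {
    return '<html lang="' . htmlspecialchars($uselang, ENT_QUOTES, 'UTF-8') . '">';
}

// Stricter: a language code only ever matches a narrow shape, so reject
// anything else up front and fall back to a known-good code. (Pattern and
// fallback are this example's assumptions, not MediaWiki's validation.)
function langAttrValidated(string $uselang, string $fallback = 'en'): string {
    if (!preg_match('/^[a-z]{2,3}(-[a-z0-9]{2,8})*$/i', $uselang)) {
        $uselang = $fallback;
    }
    return '<html lang="' . htmlspecialchars($uselang, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: a normal code, a space-based breakout that works against
// the unquoted form, and a quote-based breakout that the escaping neutralises.
$inputs = [
    'en',
    'en onmouseover=alert(1)',
    'en" onmouseover="alert(1)',
];

foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . langAttrVulnerable($in) . "\n";
    echo "safe:       " . langAttrSafe($in) . "\n";
    echo "validated:  " . langAttrValidated($in) . "\n\n";
}
```

Run with `php example.php`. For the second input the vulnerable line renders a real onmouseover attribute, while the safe line keeps the whole value inside one quoted lang attribute; for the third input the double quote becomes &quot; so the attribute cannot be closed early. Quoting and escaping are a pair: quoting decides where the attribute ends, escaping makes sure the value cannot contain the terminator.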

1.19.1

Merge "Bump $wgVersion and add release-notes for 1.19.1" into REL1_19

1.19.0

Bump version and update release notes for 1.19.0 release

Change-Id: I5f6283950e0e4cbc32fe858ecbf18275c3f8df1e

1.19.0rc1

Fixup lead paragraph for 1.19.0rc1 release

Change-Id: I4697827b1aa07fd527b83aea9f58aac10b83e2f0

1.18.3

Bump 1.18.3

Add a few bits to the RELEASE-NOTES

Change-Id: I8808d26253dd39cc104c9d98cc60f5ee6da358d6

1.17.4

Bump 1.17.4

Add a few bits to the RELEASE-NOTES

Change-Id: Iaf07d38712b342160442150db2b4334a1dfce04d

1.19.0beta2

* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token parameter present

* (bug 35317) CSRF in Special:Upload
Revert r56793, which removed the CSRF check for Special:Upload for normal file
uploads. Cross-site posting of file uploads without user interaction has been
possible since at least as early as Chrome 8 (late 2010) and Firefox 6 (mid
2011).

Commonist has used api.php since version 0.4.0 (April 2010), and the API
already requires an edit token, so Commonist 0.4.0+ is not affected by this
change.

* (bug 34907) Fix for CSRF vulnerability due to mw.user.tokens. Patch by Roan
Kattouw and Tim Starling.
* Filter out private modules early in ResourceLoader::makeResponse() and just
pretend they weren't specified. This means these modules cannot be loaded
through load.php . This filtering must not happen in makeModuleResponse(),
because that would break inlining.
* Force inlining of private modules in OutputPage::makeResourceLoaderLink(),
disregarding $wgResourceLoaderInlinePrivateModules
* Remove $wgResourceLoaderInlinePrivateModules
* Remove special treatment of private modules ($private) in
ResourceLoader::makeResponse() and sendResponseHeaders(), because we're not
allowing private modules to be loaded through here any more
* Remove identity checks in ResourceLoaderUserOptionsModule and
ResourceLoaderUserCSSPrefsModule, they didn't make a lot of sense before but
they're certainly useless now.
* Factored out error comment construction in ResourceLoader.php and stripped
comment terminations from exception messages. I didn't find an XSS
vulnerability but it looked scary.

Change-Id: I0a4d7d2cc19ab3af018604037be150bda5187434
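Three of the 1.19.0beta2 items above are token failures of one shape: ApiBlock/ApiUnblock proceeding when no token parameter was present (bug 34212), Special:Upload skipping its CSRF check on the assumption that browsers could not forge a multipart file upload (bug 35317), and the mw.user.tokens leak (bug 34907). The example below is added for this page and is not MediaWiki's token implementation (it does not reproduce the real token format, parameter names beyond wpEditToken, or session handling); the session and request are plain arrays so it runs from the CLI. It shows a session-bound token and a verifier in which a missing token fails closed, then exercises a legitimate submit, a cross-site POST without a token, and a cross-site POST with a guessed token.

```php
<?php
// Added example, not MediaWiki's own token code. Session state and the POST
// body are modelled as arrays; the token scheme is this example's assumption.

// Derive the token from a per-session secret. The salt (here the action name)
// keeps a token for one action from being replayed against another.
function getToken(array &$session, string $salt = ''): string {
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $salt, $session['csrf_secret']);
}

// Verify. A null/absent token is a failure, never "no check requested":
// this is the behaviour bug 34212 was missing in ApiBlock/ApiUnblock.
function matchToken(array $session, ?string $submitted, string $salt = ''): bool {
    if ($submitted === null || $submitted === '' || empty($session['csrf_secret'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $salt, $session['csrf_secret']);
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// A stand-in for the Special:Upload handler: the check runs for every
// upload, regardless of what the browser can or cannot send cross-site.
function handleUpload(array &$session, array $post): string {
    if (!matchToken($session, $post['wpEditToken'] ?? null, 'upload')) {
        return 'rejected: missing or invalid token';
    }
    return 'accepted: ' . ($post['wpDestFile'] ?? '(no name)');
}

// Constructed scenarios.
$session = [];                                // victim's logged-in session
$good    = getToken($session, 'upload');      // token the real form carries

$requests = [
    'same-site form'              => ['wpDestFile' => 'Photo.jpg', 'wpEditToken' => $good],
    'cross-site POST, no token'   => ['wpDestFile' => 'Evil.jpg'],
    'cross-site POST, guessed'    => ['wpDestFile' => 'Evil.jpg', 'wpEditToken' => str_repeat('0', 64)],
    'token for another action'    => ['wpDestFile' => 'Evil.jpg', 'wpEditToken' => getToken($session, 'block')],
];

foreach ($requests as $label => $post) {
    printf("%-28s %s\n", $label . ':', handleUpload($session, $post));
}
```

Only the first request is accepted. The attacker's page can make the browser send the upload with the victim's cookies, but it cannot read the token out of the victim's session, which is why the token must be both required and unguessable; the ResourceLoader changes in the same release exist because a token that is fetchable by URL through load.php is readable cross-site via a script tag, which is the property the inlining of private modules restores.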