author | Brion Vibber <brion@users.mediawiki.org> | 2005-09-21 19:16:58 +0000 |
---|---|---|
committer | Brion Vibber <brion@users.mediawiki.org> | 2005-09-21 19:16:58 +0000 |
commit | c7ab1c9b59e4f8a4338d1e083299945ece0f81e5 (patch) | |
tree | 722648548741827f9bd73b7d3e03a23076ed49e7 | |
parent | 646b3837531c2c40c2fbec658c710d1be27935a8 (diff) |
Bump to 1.3.16; fix for data corruption on save with bogus url & section specifier1.3.16
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/11097
-rw-r--r-- | RELEASE-NOTES | 29 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/EditPage.php | 3 |
3 files changed, 32 insertions, 2 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index eeebb5624800..d5c816248c60 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,35 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.3.16 ==
+
+(released 2005-09-21)
+
+MediaWiki 1.3.16 is a security maintenance release. A bug in edit submission
+handling could cause corruption of the previous revision in the database if
+an abnormal URL was used, such as those used by some spambots.
+
+Affected releases:
+* 1.4.x <= 1.4.9; fixed in 1.4.10
+* 1.3.x <= 1.3.15; fixed in 1.3.16
+
+1.5 release candidates are not affected by this problem.
+
+All publicly editable wikis are strongly recommended to upgrade immediately.
+1.3 releases can be manually patched by changing this bit in EditPage.php:
+
+ if( $this->tokenOk( $request ) ) {
+ $this->save = $request->wasPosted() && !$this->preview;
+ } else {
+
+to:
+
+ if( $this->tokenOk( $request ) ) {
+ $this->save = $request->getVal( 'action' ) == 'submit' &&
+ $request->wasPosted() && !$this->preview;
+ } else {
+
+
 == MediaWiki 1.3.15, 2005-08-29 == MediaWiki 1.3.15 is a security maintenance release. It corrects across-site
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 02c318c4422d..adb9c79a67c1 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -9,7 +9,7 @@ if( defined( "MEDIAWIKI" ) ) { # like $wgScriptPath, you must also localize everything that # depends on it.
-$wgVersion = '1.3.15';
+$wgVersion = '1.3.16';
 $wgSitename = 'MediaWiki'; # Please customize! $wgMetaNamespace = FALSE; # will be same as you set $wgSitename
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 9c3536f49cfa..ebfb427e1cda 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -74,7 +74,8 @@ class EditPage { $this->preview = $request->getCheck( 'wpPreview' ); if( $this->tokenOk( $request ) ) {
- $this->save = $request->wasPosted() && !$this->preview;
+ $this->save = $request->getVal( 'action' ) == 'submit' &&
+ $request->wasPosted() && !$this->preview;
 } else { # Page might be a hack attempt posted from # an external site. Preview instead of saving. |
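Review bot: The new `action` test on `$this->save` carries no comment explaining why a posted request with a valid token must also arrive as `action=submit`, so a later cleanup could drop it and reintroduce the corruption described in this commit's release notes. I would add above the assignment `# Save only for action=submit: a POST via any other URL (e.g. with a bogus section specifier) must not reach the save path.` and compare strictly so only the exact string matches: `$this->save = $request->getVal( 'action' ) === 'submit' &&`. This check only sets the flag; the write path is outside the hunk, so it is worth confirming that the save code itself rejects a request whose section does not match the stored revision rather than relying on this guard alone. The enclosing method starts and ends outside the hunk.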