MediaWiki 1.4.8 vendor drop Added: vendor/mediawiki/ Added: vendor/mediawiki/current/ Added: vendor/mediawiki/current/.cvsignore Added: vendor/mediawiki/current/AdminSettings.sample Added: vendor/mediawiki/current/COPYING Added: vendor/mediawiki/current/FAQ Added: vendor/mediawiki/current/HISTORY Added: vendor/mediawiki/current/INSTALL Added: vendor/mediawiki/current/README Added: vendor/mediawiki/current/RELEASE-NOTES Added: vendor/mediawiki/current/UPGRADE Added: vendor/mediawiki/current/Version.php Added: vendor/mediawiki/current/config/ Added: vendor/mediawiki/current/config/index.php Added: vendor/mediawiki/current/docs/ Added: vendor/mediawiki/current/docs/deferred.doc Added: vendor/mediawiki/current/docs/design.doc Added: vendor/mediawiki/current/docs/globals.doc Added: vendor/mediawiki/current/docs/hooks.doc Added: vendor/mediawiki/current/docs/html/ Added: vendor/mediawiki/current/docs/html/.cvsignore Added: vendor/mediawiki/current/docs/html/README Added: vendor/mediawiki/current/docs/language.doc Added: vendor/mediawiki/current/docs/linkcache.doc Added: vendor/mediawiki/current/docs/memcached.doc Added: vendor/mediawiki/current/docs/php-memcached/ Added: vendor/mediawiki/current/docs/php-memcached/ChangeLog Added: vendor/mediawiki/current/docs/php-memcached/Documentation Added: vendor/mediawiki/current/docs/schema.doc Added: vendor/mediawiki/current/docs/skin.doc Added: vendor/mediawiki/current/docs/title.doc Added: vendor/mediawiki/current/docs/user.doc Added: vendor/mediawiki/current/extensions/ Added: vendor/mediawiki/current/extensions/README Added: vendor/mediawiki/current/images/ Added: vendor/mediawiki/current/images/.cvsignore Added: vendor/mediawiki/current/images/README Added: vendor/mediawiki/current/img_auth.php Added: vendor/mediawiki/current/includes/ Added: vendor/mediawiki/current/includes/.htaccess Added: vendor/mediawiki/current/includes/Article.php Added: vendor/mediawiki/current/includes/AuthPlugin.php Added: vendor/mediawiki/current/includes/Block.php Added: vendor/mediawiki/current/includes/BlockCache.php Added: vendor/mediawiki/current/includes/CacheManager.php Added: vendor/mediawiki/current/includes/CategoryPage.php Added: vendor/mediawiki/current/includes/ChangesList.php Added: vendor/mediawiki/current/includes/Credits.php Added: vendor/mediawiki/current/includes/Database.php Added: vendor/mediawiki/current/includes/DatabaseFunctions.php Added: vendor/mediawiki/current/includes/DatabasePostgreSQL.php Added: vendor/mediawiki/current/includes/DateFormatter.php Added: vendor/mediawiki/current/includes/DefaultSettings.php Added: vendor/mediawiki/current/includes/Defines.php Added: vendor/mediawiki/current/includes/DifferenceEngine.php Added: vendor/mediawiki/current/includes/EditPage.php Added: vendor/mediawiki/current/includes/ExternalStore.php Added: vendor/mediawiki/current/includes/ExternalStoreDB.php Added: vendor/mediawiki/current/includes/ExternalStoreHttp.php Added: vendor/mediawiki/current/includes/Feed.php Added: vendor/mediawiki/current/includes/FulltextStoplist.php Added: vendor/mediawiki/current/includes/GlobalFunctions.php Added: vendor/mediawiki/current/includes/Group.php Added: vendor/mediawiki/current/includes/HTMLForm.php Added: vendor/mediawiki/current/includes/HistoryBlob.php Added: vendor/mediawiki/current/includes/Hooks.php Added: vendor/mediawiki/current/includes/Image.php Added: vendor/mediawiki/current/includes/ImageGallery.php Added: vendor/mediawiki/current/includes/ImagePage.php Added: vendor/mediawiki/current/includes/Interwiki.php Added: vendor/mediawiki/current/includes/LinkCache.php Added: vendor/mediawiki/current/includes/LinksUpdate.php Added: vendor/mediawiki/current/includes/LoadBalancer.php Added: vendor/mediawiki/current/includes/LogPage.php Added: vendor/mediawiki/current/includes/MagicWord.php Added: vendor/mediawiki/current/includes/Math.php Added: vendor/mediawiki/current/includes/MemcachedSessions.php Added: vendor/mediawiki/current/includes/MessageCache.php Added: vendor/mediawiki/current/includes/MessageCacheHints.php Added: vendor/mediawiki/current/includes/Metadata.php Added: vendor/mediawiki/current/includes/Namespace.php Added: vendor/mediawiki/current/includes/ObjectCache.php Added: vendor/mediawiki/current/includes/OutputPage.php Added: vendor/mediawiki/current/includes/PageHistory.php Added: vendor/mediawiki/current/includes/Parser.php Added: vendor/mediawiki/current/includes/ParserCache.php Added: vendor/mediawiki/current/includes/ParserXML.php Added: vendor/mediawiki/current/includes/Profiling.php Added: vendor/mediawiki/current/includes/ProxyTools.php Added: vendor/mediawiki/current/includes/QueryPage.php Added: vendor/mediawiki/current/includes/RawPage.php Added: vendor/mediawiki/current/includes/RecentChange.php Added: vendor/mediawiki/current/includes/SearchEngine.php Added: vendor/mediawiki/current/includes/SearchMySQL3.php Added: vendor/mediawiki/current/includes/SearchMySQL4.php Added: vendor/mediawiki/current/includes/SearchTsearch2.php Added: vendor/mediawiki/current/includes/SearchUpdate.php Added: vendor/mediawiki/current/includes/Setup.php Added: vendor/mediawiki/current/includes/SiteConfiguration.php Added: vendor/mediawiki/current/includes/SiteStatsUpdate.php [truncated at 100 lines; 485 more skipped] _____ Added: vendor/mediawiki/current/.cvsignore --- vendor/mediawiki/current/.cvsignore 2005-12-06 19:11:08 UTC (rev 19933) +++ vendor/mediawiki/current/.cvsignore 2005-12-06 19:30:16 UTC (rev 19934) @@ -0,0 +1,8 @@ +LocalSettings.php +AdminSettings.php +*~ +bin +.classpath +.project +project.index +.metadata* Property changes on: vendor/mediawiki/current/.cvsignore ___________________________________________________________________ Name: svn:eol-style + native _____ Added: vendor/mediawiki/current/AdminSettings.sample --- vendor/mediawiki/current/AdminSettings.sample 2005-12-06 19:11:08 UTC (rev 19933) +++ vendor/mediawiki/current/AdminSettings.sample 2005-12-06 19:30:16 UTC (rev 19934) @@ -0,0 +1,26 @@ +<?php +/** + * This file should be copied to AdminSettings.php, and modified + * to reflect local settings. It is required for the maintenance + * scripts which run on the command line, as an extra security + * measure to allow using a separate user account with higher + * privileges to do maintenance work. + * + * Developers: Do not check AdminSettings.php into CVS! + * + * @package MediaWiki + */ + +/* + * This data is used by all database maintenance scripts + * (see directory maintenance/). The SQL user MUST BE + * MANUALLY CREATED or set to an existing user with + * necessary permissions. + * + * This is not to be confused with sysop accounts for the + * wiki. + */ +$wgDBadminuser = 'wikiadmin'; +$wgDBadminpassword = 'adminpass'; + +?> Property changes on: vendor/mediawiki/current/AdminSettings.sample ___________________________________________________________________ Name: svn:eol-style + native _____ Added: vendor/mediawiki/current/COPYING --- vendor/mediawiki/current/COPYING 2005-12-06 19:11:08 UTC (rev 19933) +++ vendor/mediawiki/current/COPYING 2005-12-06 19:30:16 UTC (rev 19934) @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. Property changes on: vendor/mediawiki/current/COPYING ___________________________________________________________________ Name: svn:eol-style + native _____ Added: vendor/mediawiki/current/FAQ --- vendor/mediawiki/current/FAQ 2005-12-06 19:11:08 UTC (rev 19933) +++ vendor/mediawiki/current/FAQ 2005-12-06 19:30:16 UTC (rev 19934) @@ -0,0 +1 @@ +The FAQ is at: http://meta.wikimedia.org/wiki/MediaWiki_FAQ Property changes on: vendor/mediawiki/current/FAQ ___________________________________________________________________ Name: svn:eol-style + native _____ Added: vendor/mediawiki/current/HISTORY --- vendor/mediawiki/current/HISTORY 2005-12-06 19:11:08 UTC (rev 19933) +++ vendor/mediawiki/current/HISTORY 2005-12-06 19:30:16 UTC (rev 19934) @@ -0,0 +1,652 @@ +Change notes from older releases. For current info see RELEASE-NOTES. + +Security reminder: MediaWiki does not require PHP's register_globals +setting since version 1.2.0. If you have it on, turn it *off* if you can. + +== Version 1.3.11, 2005-02-20 == + +MediaWiki 1.3.11 is a security release. + +A security audit found and fixed a number of problems. Users of MediaWiki +1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases +should upgrade to 1.4rc1. + + +=== Cross-site scripting vulnerability === + +XSS injection points can be used to hijack session and authentication +cookies as well as more serious attacks. + +* Media: links output raw text into an attribute value, potentially + abusable for JavaScript injection. This has been corrected. +* Additional checks added to file upload to protect against MSIE and + Safari MIME-type autodetection bugs. + +As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled +by default as a general precaution. Sites which want this ability may set +$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php. + + +=== Cross-site request forgery === + +An attacker could use JavaScript-submitted forms to perform various +restricted actions by tricking an authenticated user into visiting +a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has +been expanded in this release to other forms and functions. + +Authors of bot tools may need to update their code to include the +additional fields. + + +=== Directory traversal === + +An unchecked parameter in image deletion could allow an authenticated +administrator to delete arbitary files in directories writable by the +web server, and confirm existence of files not deletable. + + +== Version 1.3.10, 2005-02-03 == + +MediaWiki 1.3.10 is a security release. + +An attacker could craft a URL which, when visited by a particular +logged-in user, would execute arbitrary JavaScript code on the user's +browser in the wiki's site context. This attack has been blocked, and as +an extra precaution the user CSS and JavaScript subpage support is now +disabled by default. Sites which want this ability may set $wgAllowUserCss +and $wgAllowUserJs in LocalSettings.php. + +Additional protections have been added against off-site form submissions +hijacking user credentials. Authors of bot tools may need to update their +code to include additional fields. + +All wikis running 1.3.x are strongly urged to upgrade to 1.3.10. + +Changes from 1.3.9: +* Logged-in edits and preview of user CSS/JS are now locked to a session token. +* Per-user CSS and JavaScript subpage customizations now disabled by default. + They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss. +* Removed .ogg from the default uploads whitelist as an extra precaution. + If your web server is configured to serve Ogg files with the correct + Content-Type header, you can re-add it in LocalSettings.php: + $wgFileExtensions[] = 'ogg'; + + + +== Version 1.3.9, 2004-12-12 == + +MediaWiki 1.3.9 is a security and bug fix release. + +A flaw in upload handling has been found which may allow upload and +execution of arbitrary scripts with the permissions of the web server. +Only wikis that have enabled uploads and have a vulnerable Apache +configuration will be affected, but to be safe all wikis should upgrade. + +Wikis with uploads available should either disable uploads or upgrade to +1.3.9 immediately; if other files are customized and require merging +changes, includes/SpecialUpload.php may be replaced individually to add +the fix. + +(It is also recommended to configure your web server to disable script +execution in the 'images' subdirectory where uploads are placed, which +prevents most attacks even if the wiki fails.) + +Changes from 1.3.8: +* Backported "Templates used in this page"-feature of EditPage +* Allow "MySkin" as a default skin. +* (bug 938) Parse namespaces correctly on self-interwiki links +* (bug 1010) fix broken Commons image link on Classic & Cologne Blue +* (bug 1004) Norsk language names for interwiki links changed, + Nauruan language name changed +* Enhance upload extension blacklist to protect against vulnerable + Apache configurations + + +== Version 1.3.8, 2004-11-15 == + +MediaWiki 1.3.8 is a bugfix release. Those running wikis with uploads +enabled are strongly recommended to upgrade as this fixes several problems +with overwriting previously-uploaded files. + +Changes from 1.3.7: +* (bug 506) fix array_key_exists() warning for IIS servers using + ISAPI mode +* (bug 718) fix bad charset in (file) cached pages +* use local numerals in category page (for Hindi et al) +* alias month abbreviations to month names in Hindi +* add localized numerals for Gujarati and Kannada +* fix Category and project namespaces for Hindi +* Don't output bogus timestamp on Special:Recentchanges if no entries +* Correct template include path which broke some but not all Windows installs +* Fix edit form submission problem with some PHP versions +* Disallow unreachable titles with %XX hex codes +* Allow page [[0]] to be renamed +* (bug 774) when saving with section=new, return to the anchor as with + existing numbered section edits +* Experimental shared upload overlay area (disabled by default) +* (bug 806) Removed some "Wikipedia" hardcoding in German localization +* User option localization fix for some extensions +* (bug 809) now try to load the mysql php extension if it isn't loaded +* (bug 848) fix error message in Special:Newpages RSS and Atom feeds +* (bug 26) fix cache headers on anon talk page notification +* (bug 874) added 'cgi' to wgFileBlacklist +* (bug 862) localize date and time format for Finnish +* (bug 548) Don't overwrite images until the user confirms it + + +== Version 1.3.7, 2004-10-18 == +Changes from 1.3.6: +* Fix protected-page related security issue. + + +== Version 1.3.6, 2004-10-14 == + +Changes from 1.3.5: +* (bug 296) Variables in user interface messages are no longer substituted + at install time, so changes to the site name etc should be easier to make +* (bug 149) Special:Recentchanges "changes from" link preserves limit +* (bug 433) tooltip for "Undelete" tab now labeled correctly +* (bug 439) unclickable "Move" tab no longer displays on protected pages +* (bug 484) graceful deletion of images where the actual file is missing +* (bug 686) fixed [[plural]]s in Catalan localization +* Fixed potential HTML/JavaScript injection attack in the UnicodeConverter + extension. (This extension is not enabled by default.) +* Fixed potential HTML/JavaScript injection attack via raw page views to + a maliciously crafted wiki page. +* (bug 187, bug 669) Fixed centered thumbnails, using <div> instead of + <span>. +* catch MySQL error 2000 during installation. +* (bug 704) Removed misleading LocalSettings.sample +* Fix cross site scripting bugs in SpecialIpblocklist, SpecialEmailuser +* Fix SQL injection and cross site scripting bugs in SpecialMaintenance +* Fix cross site scripting bugs and possible filename validation vulnerability + in ImagePage. +* and more of that sort + + +== Version 1.3.5, 2004-09-30 == + +Changes from 1.3.4: +* Clean up input validation in 'raw' page output mode which was a potential + cross-site scripting opportunity. + + +== Version 1.3.4, 2004-09-28 == + +************************** SECURITY NOTE! ****************************** + +As of 1.3.4, MediaWiki performs some screening of newly uploaded files for +validity. (Some) corrupt image files, and HTML files mistakenly or +maliciously masquerading as images, should now be rejected. + +These checks protect against Internet Explorer security holes relating +to type autodetection which are a potential cross-site scripting attack +vector, and also rejects at least one known version of the "JPEG virus" +which might attack unpatched clients. + +If you already have invalid files uploaded this will not protect against +them. If you have expanded the filetype whitelist or disabled the strict +type checking, other dangerous file types may still get through. You should +always be careful when allowing uploads! + + +Changes from 1.3.3: +* Fixed lots of template-related bugs, esp. for cases where template + variables are used for links, images, etc. +* Fixed transformation of page messages when viewing Special:Allmessages +* Handle "ISBN ISBN 1234" correctly +* Fixed warning on Category pages +* Fixed some bad error messages on login page +* Fixed history entry for initial main page on install +* Removed problematic { and } from legal title characters +* Strip leading blank from output in preformated text. +* Fixed problem when moving pages to titles with '#' in +* Optional $wgRawHtml for raw <html> sections. Use only on limited- + participation 'trusted' wikis, as it does not protect against cross-site + scripting attacks. For security, this option can only be enabled if in + $wgWhitelistEdit mode. +* Fixed problem where pages which were created as a redirect following + a move never showed on Special:Randompage. +* Fixed line spacing on printed table of contents +* Allow links to pages with names of the form [[RFC 1234]] +* Fixed broken edit links being shown for sections from included templates +* Verify that uploaded image files are of the claimed type. + + +== Version 1.3.3, 2004-09-09 == + +Changes from 1.3.2: +* Fix for long numeric page titles +* Fix Go search for "0", numeric almost-self-links +* Avoid caching of pages with "You have new messages" headers +* Fix for upgrades as non-root users from 1.2 command-line installs. +* Fix for $wgDebugDumpSql debug mode. +* $wgExtraNamespaces setting for configuring additional namespaces + (see note in DefaultSettings.php) +* 'recache' on query pages now disabled when miser mode is on; special case the + global settings in your LocalSettings.php to do automatic updates. +* Don't block UTF-8 titles containing byte 0xA0 (bug added in 1.3.2) +* Watch/unwatch tabs now shown on edit pages in MonoBook. +* Fix default skin in Irish localization (ga) +* Add Traditional Chinese localization (zh-tw) +* Changed default sortkey of subcategories. Don't include "Category:"-prefix + any longer +* More helpful info on spam catcher. +* Allow larger offsets for queries such as Special:Listusers +* Semicolon (;) added to French non-break space rules +* Possible fix for some install errors with path names permission problems. +* Removed [[Project:All system messages]], which has been superceded by + the much faster [[Special:Allmessages]]. This speeds up installation + considerably. + +== Version 1.3.2, 2004-08-30 == + +Changes from 1.3.1: +* Fix namespaced page creation links when no go match +* When cookies are disabled, don't show login screen twice +* Install should no longer die when PHP is pre-configured to compress output +* Fixed bug that caused long Japanese pages to time out with Tidy active +* When session.handler is set incorrectly, try automatic override to 'files' +* Watch/Unwatch links back to the affected page instead of Main Page +* Upload link no longer displayed on Monobook if uploading is disabled +* Special:Allmessages faster, shows correct original text, works in safe mode + + +== Version 1.3.1, 2004-08-14 == + +Changes from 1.3.0: +* Watchlist parameters now work with register_globals off +* Fixed parsing of ''italics'' and '''bold''' mark-up (again) +* Special:Allpages display is more sensible on smaller wikis +* Fixed XHTML parsing error in classic skins +* Moved pages update watchlist correctly +* Fixed rebuildall.php on case-sensitive Unix filesystems +* Disabled file cache compression by default due to incompatibility + with output buffer compression (ob_gzhandler) +* New magic word PAGENAMEE (URL-escaped version of PAGENAME) +* Installation avoids blank username; better message on missing XML module +* $wgWhitelistAccount no longer breaks all logins. + +== Version 1.3.0, 2004-08-11 == + +Look & layout: +* New default layout 'MonoBook' (available on PHP4 only currently) +* Print stylesheet now built-in to every page +* More or less correct XHTML 1.0 (served as text/html by default) + +Wiki features: +* Image captions can now include links and other basic formatting +* Image bounding box can be specified instead of width, e.g. as + 100x100px, making the image not wider than 100px and not higher + than 100px, keeping aspect ratio. +* Templates have been expanded with parameters, and separated from + the MediaWiki: localization scheme. +* Categories more or less work +* added a special page for listing users with sysop rights. + +Editing: +* Automatic merging of edit conflicts that don't directly interfere +* Edit summaries can now include basic formatting and links + +Metadata and output: +* Linked Creative Commons copyright metadata (optional) +* RSS 2.0 & Atom 0.3 feeds for Recent Changes, New Pages + +Optional modules: +* WikiHiero hieroglyphic module can be added (separate download) +* Timeline module can be added (separate download). + Requires ploticus. +* TeX now has an experimental MathML output mode (incomplete!) + +Installation and upgrading: +* The old install.php and update.php have been removed. In-place + installation introduced in 1.2 is now the standard installation + and upgrade method, see INSTALL and UPGRADE for directions. + +Database: +* The links table has been changed to use a cur_id for l_from. + The link tables must be converted on upgrade, which may entail + some downtime. + +Code and compatibility: +* Should now run clean with error reporting set to E_ALL. +* register_globals hack from 1.2 has been replaced with safer code +* Bundled PHPTAL 0.7.0 from http://phptal.sourceforge.net/ + (with some patches) +* Most image-related code moved to Image.php +* More fixes for PHP 4.1.2 (thanks to Asheesh Laroia) +* URL encoding fix for anchors +* All languages now available in UTF-8 mode +* Various other fixes + +=== Caveats === + +Some output, particularly involving user-supplied inline HTML, may not +produce 100% valid or well-formed XHTML output. Testers are welcome to +set $wgMimeType = "application/xhtml+xml"; to test for remaining problem +cases, but this is not recommended on live sites. (This must be set for +MathML to display properly in Mozilla.) + +The new 'MonoBook' skin is not compatible with PHP 5 due to bugs in the +underlying PHPTAL library. It will be automatically disabled when running +on PHP5; the older look and feel will be used instead. + + +== Version 1.2.6, 2004-05-24 == +* Spam blocker ($wgSpamRegex - refuses to save edits that match) +* Updated documentation about $wgWhitelistRead +* Ensure that searchindex table is created as MyISAM +* Interwiki cache timeout (memcached) +* Fix uploads on Windows with magic_quotes_gpc +* Some config fixes for Windows (slashes etc) +* Local interwiki URL redirects +* Fixed obscure deletion problem in squid mode on corrupt entries +* Language files updated to remove more hard-coded "Wikipedia" strings + +== Version 1.2.5, 2004-05-01 == +* Fixed install problem with blank root password +* Fixed Special:Emailuser/Username links +* Fixed main-page edit links on fuzzy search results +* Fixed wikipedia-interwiki.sql +* Fixed install with apache2filter (ugly URLs) +* IP in 'go' search brings up contributions +* Switch from broken & to ? on top-level wiki URL hack + +== Version 1.2.4, 2004-04-13 == + +* Fixed edit toolbar in Mozilla +* Diff links in Contributions for 'top' edits +* Fixed Nostalgia skin drop-down for register_globals off +* Backported optional open proxy blocker +* Backported $wgWhitelistRead +* $wgCapitalLinks option to force full case sensitivity in titles +* Cleaned up error handling when can't talk to database +* Disabled unsafe command-line installer (remove the "die()" call to use) + +== Version 1.2.3, 2004-04-02 == + +* Fixed an in-place install bug with non-root MySQL user +* Fixed history diff checkboxes bug on titles with ampersands +* Fixed printable link bug on special pages with parameters +* Fixed bug that broke IP blocking w/o memcached +* Turns off E_NOTICE warnings if PHP settings have them on + (you can grope in and turn this off if you like to debug) + +== Version 1.2.2, 2004-03-28 == + +* Fixed an upgrade bug introduced in 1.2.1. +* Disabled $wgUseCategoryMagic, which feature is incomplete broken + +== Version 1.2.1, 2004-03-27 == + +Installation, compatibility, security fixlets: +* Detect use of PHP as CGI and disable index.php/Title URLs +* Try to auto-create math tmp & output directories if not present +* Disable Asksql in default install ($wgAllowSysopQueries) +* Better handling of get_magic_quotes_gpc (apostrophe problems) +* French localisation no longer hard-codes "Wikipedia" name + +== Version 1.2.0 == + +New features in 1.2: +* Image resizing/thumbnail generation +* Stricter upload file extension blacklist and whitelist options +* More flexible blocking system; time period may be set +* Handier sysop account management. An account marked "bureaucrat" + may assign sysop access to other accounts via Special:Makesysop. + (The exact details of this may change in the future) +* Support for a squid cache with explicit purging of cached anon pages +* Optional compression of old revision text (requires zlib support) +* Fuzzy title search (experimental, requires memcached) +* Page rendering cache (experimental) +* Editing toolbar to demonstrate wiki syntax to newbies + (off by default in user preferences) +* Support for authenticated SMTP outgoing e-mail (experimental) +* It's now possible to assign sysop accounts from within the wiki. + An account with this ability must be labeled with the "bureaucrat" + privilege, such as the 'Developer' account created by the install. + +Fixes and tweaks: +* Now works with register_globals off! +* Works with short tags disabled. +* Should work out of the box on MySQL 3.2.x again. On 4.x set + $wgEnablePersistentLC = true; to turn on the link cache table + for a slight rendering speed boost. +* rebuildMessages.php can now selectively update new messages, or + overwrite everything. +* Various bug fixes. +* Other stuff we forgot. +* Documentation more out of date than ever before! + +=== Behavior changes === + +* wiki.phtml and redirect.phtml are now renamed to index.php and redirect.php + The old names are provided too for compatibility, but make sure they don't + conflict if you've been putting other files in your wiki. +* Uploaded filenames are more strictly checked than before. See bits in + DefaultSettings.php to tweak this behavior to your needs. +* Database messages are now enabled by default, so the interface messages can + be tweaked through the wiki with a sysop account. Disable this if you + don't want the performance hit. + +=== Database changes === + +An index was added to recentchanges table to speed up Newpages +(patch-rc-newindex.sql for manual updaters). + +Expiration date field has been added to ipblocks table +(patch-ipb_expiry.sql for manual updaters). + + +== Version 1.1.0, 2003-12-08 == + +This is the new production release. Any following 1.1.x releases are expected +to contain only bug fixes; developments of new features will go towards a 1.2.0 +release. + +New features in 1.1: +* New wiki table syntax: + http://meta.wikipedia.org/wiki/MediaWiki_User%27s_Guide:_Using_tables +* User-editable interface messages: + http://meta.wikipedia.org/wiki/MediaWiki_namespace +* XML-wrapped page source export with optional history: + http://meta.wikipedia.org/wiki/XML_import_and_export + (There is not yet an import function!) +* "Magic words" + +Fixes and tweaks: +* linkscc table caches link data for rendering; faster rebuildlinks.php +* Numerous bugs in Cologne Blue skin fixed +* Login gives warning about missing cookies +* Block log, protection log added; deletion log now includes undeletions +* Deletion & upload logs now escape comment text properly +* Problems with <nowiki> segments in section titles etc mitigated +* Contributions offset and minor edit bugs fixed +* Whatlinkshere now sorted alphabetically +* Various exciting new profiling options. +* Debug log is off by default. +* Various small bugs fixed. + +Internal changes: +* wfQuery has had a second parameter inserted, DB_READ or DB_WRITE. This value + is not actually used so far. +* Partial code for categories and Smarty template-based skins is in the tree + but disabled. +* Parts of Article.php have been moved to EditPage.php and ImagePage.php. + +New translations: +* fi - Finnish +* ia - Interlingua +* no - Norwegian +* sk - Slovak +* ta - Tamil + +=== Database changes === + +"linkscc" table added. If upgrading manually (rather than with update.php), +run maintenance/archives/patch-linkscc.sql to create the table. + +Older releases were dated snapshots from the old 'stable' branch: + +== mediawiki-20031118 == + +* Image deletion fixed. +* Deletion of image old revisions now restricted to sysops + (this is an irreversible action and not well logged) +* Fixed maintenance scripts broken by last release's security fix +* Many errors in rebuildlinks script fixed. + +== mediawiki-20031117 == + +* SECURITY FIX: stricter checking of include path +* Fixed user contributions next/prev bug +* Login cookies now have the database name prefixed to allow wikis + to coexist in the same domain. This will invalidate any old saved + password cookies. +* Update cache timestamp when talk pages are created +* Saving the login form in Mozilla no longer blanks password in prefs. +* Check existence of source page before performing a move. +* Detect invalid titles in Special:Allpages +* Q-encode headers on outgoing inter-user e-mail +* Updates to some translations. +* Added table of contents border/bg to Cologne Blue, Nostalgia skins +* Protected pages no longer appear unprotected when visited via redirect +* Swapped old Wikipedia logo for the MediaWiki sunflower logo +* install.php, update.php print warning on old PHP versions, + added compatibility functions that might or might not help + +No database changes since 20031107; upgrading should be clean. + + +== mediawiki-20031107 == + +* Fixed various bugs! +* Some speed improvements from tweaks to the table indexes +* Limited support for memcached (see below) +* New translations (see below) +* Interwiki link data now kept in database for flexibility +* Friendlier read-only source view if asked to edit a page when + the db is locked or the page is protected. +* Normal IP blocks auto-expire after 24 hours +* Optional support for blocking usernames +* Uploads disabled by default (see below) + + +=== Security note === + +Uploads are now disabled by default. If you've set up a secure configuration +you can reenable uploads by putting: + + $wgDisableUploads = false; + +into LocalSettings.php. + +Earlier versions of MediaWiki included a bug that potentially allows logged- +in users to delete arbitrary files in directories writable by the web server +user by manually feeding false form data; this is now fixed. + +As a reminder, disable PHP script execution in the upload directory! +You may also wish to serve HTML pages as plaintext to prevent cookie- +stealing JavaScript attacks. Example Apache config fragment: + + <Directory "/Library/MediaWiki/web/upload"> + # Ignore .htaccess files + AllowOverride None + + # Serve HTML as plaintext + AddType text/plain .html .htm .shtml + + # Don't run arbitrary PHP code. + php_admin_flag engine off + + # If you've other scripting languages, disable them too. + </Directory> + + +=== Database updates === + +If you're using update.php, the necessary database changes should +be made automatically. + +To manually upgrade your database from the 2003-08-29 release, run the +following SQL scripts from the maintenance subdirectory: + + archives/patch-ipblocks.sql + archives/patch-interwiki.sql + archives/patch-indexes.sql + interwiki.sql + +To copy in the Wikipedia language-prefix interwikis as well, add: + + wikipedia-interwiki.sql + + +=== Translations === [truncated at 1000 lines; 149963 more skipped]