Merge "Warn on session access in profileinfo.php and opensearch_desc.php"

author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>

Thu, 5 May 2016 16:09:56 +0000 (16:09 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Thu, 5 May 2016 16:09:56 +0000 (16:09 +0000)
author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Thu, 5 May 2016 16:09:56 +0000 (16:09 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Thu, 5 May 2016 16:09:56 +0000 (16:09 +0000)
diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28

index 1bb8c32..c950921 100644 (file)
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -6,7 +6,9 @@ MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in
  production.
  
  === Configuration changes in 1.28 ===
-
+* The load.php entry point now enforces the existing policy of not allowing
+  access to session data, which includes the session user and the session
+  user's language. If such access is attempted, an exception will be thrown.
  
  === New features in 1.28 ===
author	jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
	Thu, 5 May 2016 16:09:56 +0000 (16:09 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Thu, 5 May 2016 16:09:56 +0000 (16:09 +0000)