* Disable $wgAllowExternalImages by default.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e704979..da5a5c7 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -18,6 +18,12 @@ will be made on the development trunk and appear in the next quarterly release.
 Those wishing to use the latest code instead of a branch release can obtain
 it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 
+== Configuration changes ==
+
+Some default configuration options have changed:
+* $wgAllowExternalImages now defaults to off for increased security.
+
+
 == Changes since 1.6 ==
 
 * (bug 5458) Fix double-URL encoding in block log link in contribs and contribs
@@ -479,6 +485,8 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * Introduce $wgContentNamespaces which allows for articles to exist in namespaces other
   than the main namespace, and still be counted as valid content in the site statistics.
 * (bug 5932) Introduce {{PAGESINNAMESPACE}} magic word
+* Disable $wgAllowExternalImages by default.
+
 
 == Compatibility ==
 

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 782af96..334085f 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1079,7 +1079,7 @@ $wgCookieSecure = ($wgProto == 'https');
 $wgDisableCookieCheck = false;
 
 /**  Whether to allow inline image pointing to other websites */
-$wgAllowExternalImages = true;
+$wgAllowExternalImages = false;
 
 /** If the above is false, you can specify an exception here. Image URLs
   * that start with this string are then rendered, while all others are not.