X-Git-Url: http://git.cyclocoop.org/%7B%7B%20url_for%28%27admin_vote_del%27%2C%20idvote=vote.voteid%29%20%7D%7D?a=blobdiff_plain;f=RELEASE-NOTES-1.29;h=b835eb54704e87ed7a1a063fd73c75578afdb5fb;hb=17e7bc02357e42a78cf5fdcbf9e550dda4631ac6;hp=6dbc749cb575ce57755d425f4f3028a9187b91e9;hpb=eca93b7c40944f1ac44d42f8ffa4afccc2ca235a;p=lhc%2Fweb%2Fwiklou.git diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29 index 6dbc749cb5..b835eb5470 100644 --- a/RELEASE-NOTES-1.29 +++ b/RELEASE-NOTES-1.29 @@ -35,6 +35,8 @@ production. * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs. * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be added to $wgExtraLanguageCodes instead. +* (T161453) LocalisationCache will no longer use the temporary directory in it's + fallback chain when trying to work out where to write the cache. === New features in 1.29 === * (T5233) A cookie can now be set when a user is autoblocked, to track that user @@ -70,6 +72,7 @@ production. * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14. * Updated monolog from v1.18.2 to 1.22.1. * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0. +* Updated OOjs from v1.1.10 to v2.0.0. ==== New external libraries ==== * Added wikimedia/timestamp v1.0.0. 
@@ -85,6 +88,21 @@ production. * (T157035) "new mw.Uri()" was ignoring options when using default URI. * Special:Allpages can no longer be filtered by redirect in miser mode. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. +* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep + their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. +* (T156184) SECURITY: Escape content model/format url parameter in message. +* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD + declaration. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory + in it's fallback chain when trying to work out where to write the cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion + syntax's link parameter. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, @@ -145,6 +163,8 @@ production. various methods now take a module path rather than a module name. * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes from the message key, and maps some message keys for backwards compatibility. +* API parameters may now be marked as "sensitive" to keep their values out of + the logs. === Languages updated in 1.29 === 
@@ -283,8 +303,8 @@ changes to languages because of Phabricator reports. rather than tags. The old class name, "selflink", was deprecated and will be removed in a future release. (T160480) * (T156184) $wgRawHtml will no longer apply to internationalization messages. -* Browser support for non-ES5 JavaScript browsers, including Android 2, Opera 12, - and Internet Explorer 9, was lowered from Grade A to Grade C. +* Browser support for non-ES5 JavaScript browsers, including Android 2, + Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C. == Compatibility ==
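Review bot: In the @@ -35,6 +35,8 @@ hunk, "it's fallback chain" should be "its fallback chain" (possessive, no apostrophe). The same sentence is repeated verbatim, with the same typo, in the SECURITY list further down; fix both, or shorten this configuration-change entry to a one-line pointer to the T161453 SECURITY entry so the wording is maintained in one place.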
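Review bot: In the @@ -70,6 +72,7 @@ hunk, the OOjs update from v1.1.10 to v2.0.0 is a major-version bump, unlike the minor bumps listed around it, yet the entry says nothing about what changed incompatibly. Extension authors reading the release notes need to know whether deprecated OOjs APIs were removed; point them at the OOjs upgrade notes here, or add a matching entry under the compatibility section.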
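Review bot: In the @@ -85,6 +88,21 @@ hunk the SECURITY entries are inconsistent about whether they describe the flaw or the fix: "Special:UserLogin and Special:Search allow redirect to interwiki links", "XSS in SearchHighlighter::highlightText() ..." and "SVG filter evasion ..." read as if the vulnerability is still present, while "now requires a CSRF token" and "will no longer use" describe the fix. Reword the first group as fixes ("no longer allow redirects to interwiki links", "Fixed XSS in SearchHighlighter::highlightText() ...", "Fixed SVG filter evasion via ..."). Smaller points: "it's fallback chain" should be "its"; "url parameter" should be "URL parameter"; and "inside file inclusion syntax's link parameter" is awkward, suggest "in the link= parameter of file inclusion syntax". Also reconsider the T125177 entry: marking API parameters as "sensitive" is a hardening feature rather than a fixed vulnerability, so if it stays under SECURITY it should say what was being exposed in the logs before.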
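Review bot: In the @@ -145,6 +163,8 @@ hunk the new Action API entry repeats the T125177 SECURITY entry word for word but drops the task number; add "(T125177)" so the two entries cross-reference each other, and state how a parameter is marked sensitive (which ApiBase flag API module authors set), since this section is aimed at people implementing modules, not just at people reading about the capability.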
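Review bot: In the @@ -283,8 +303,8 @@ hunk, "Opera <12.10" is the only item in the list written with an operator rather than words; "Opera before 12.10" reads more naturally in release-note prose and avoids any doubt about whether 12.10 itself is included.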