SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

[lhc/web/wiklou.git] / RELEASE-NOTES-1.29

diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 94bdcf7..eece3de 100644 (file)
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -92,6 +92,8 @@ production.
   $wgAdvancedSearchHighlighting is true.
 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
   their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+  token.
 
 === Action API changes in 1.29 ===
 * Submitting sensitive authentication request parameters to action=login,