This opens up a hole for administrators to load images from external resources,
potentially leaking user's private information to external servers (IP address,
User-Agent, etc.).
Change-Id: Ie780637b292493e664e4d54671a5bb81046106f4
* $wgPopularPasswordFile — The location of the default popular passwords file
has been moved to be in line with other non-PHP files used by libraries and
classes.
+* $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
+ potential privacy leaks by administrators. You can check
+ "MediaWiki:External image whitelist" on your wiki to see whether the feature
+ was ever used, and whether it needs to be re-enabled.
==== Removed configuration ====
* $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
*
* Set this to true to enable the on-wiki whitelist (MediaWiki:External image whitelist)
* Or false to disable it
+ *
+ * @since 1.14
*/
-$wgEnableImageWhitelist = true;
+$wgEnableImageWhitelist = false;
/**
* A different approach to the above: simply allow the "<img>" tag to be used.