= MediaWiki release notes =
-== MediaWiki 1.16.3 ==
+== MediaWiki 1.16.4 ==
-2011-04-12
+2011-04-14
This is a security and maintenance release of the MediaWiki 1.16 branch.
you have the DBA extension for PHP installed, this will improve performance
further.
+== Changes since 1.16.3 ==
+
+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
+ clients) was not actually sufficient to fix that bug. This release contains
+ a second attempt, hopefully we have fixed it this time.
+
== Changes since 1.16.2 ==
* (bug 28449) Fixed permissions checks in Special:Import which allowed users
# Protect against bug 28235
<IfModule rewrite_module>
RewriteEngine On
- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
+ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
</IfModule>
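Review bot: The condition on L21 is matched against `%{QUERY_STRING}` as the client sent it, without percent-decoding, so the new `(#|\?|$)` alternation only recognises literal delimiters. Whether IE 6 also acts on encoded forms is not settled by anything in this hunk, so it should be confirmed against a written list of accepted and rejected query strings before the rule is relied on. The comment `# Protect against bug 28235` does not say what is refused; I would expand it to `# Bug 28235: refuse query strings with an extension-like suffix (".xxx" followed by #, ? or end of string), which IE 6 may take as the file extension`. The same pattern is hand-copied into two PHP checks in this commit, and the comment should name them so the three stay in step.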
// Check for bug 28235: QUERY_STRING overriding the correct extension
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
}
}
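Review bot: The regex literal on L27 is duplicated verbatim on L40 and again, in Apache syntax, in the rewrite rule on L21, so every later correction has to be made three times by hand. The release notes in this commit already say the previous attempt was insufficient, so I would move the test into one shared function that both PHP call sites use and leave a comment in the .htaccess pointing to it. A small table-driven test of query strings that must be rejected and must pass would pin the behaviour; none is visible in this commit. The comment `// Check for bug 28235: QUERY_STRING overriding the correct extension` could also state the rule itself, e.g. `// Reject if the query string contains ".ext" followed by "#", "?" or end of string`. The enclosing function starts outside the hunk.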
/** MediaWiki version number */
-$wgVersion = '1.16.3';
+$wgVersion = '1.16.4';
/** Name of the site. It must be changed in LocalSettings.php */
$wgSitename = 'MediaWiki';
global $wgScriptExtension;
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
// Bug 28235
// Block only Internet Explorer, and requests with missing UA
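Review bot: According to the comment on L43, this copy of the check is enforced only for Internet Explorer and for requests without a User-Agent, whereas the img_auth check on L25-L30 and the rewrite rule are unconditional; that difference deserves a sentence of explanation in the comment. Because the decision depends on the User-Agent, it is worth confirming that responses on this path are either uncacheable or vary on that header, so that a shared cache cannot hand an IE 6 client a response generated for another browser. The lines that would show this are outside the hunk, so this is a question to verify rather than a confirmed defect.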
'img-auth-streaming',
'img-auth-public',
'img-auth-noread',
+ 'img-auth-bad-query-string',
),
'http-errors' => array(