MediaWiki 1.22.3
27 February 2014
MediaWiki version 1.22.3 is now available (security release).
Upgrading to MediaWiki 1.22.3
MediaWiki 1.22.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.22.3 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.22.3
Security:
- (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace.
- (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
- (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
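
The timing issue behind bug 61346, as an added example that is not MediaWiki's own code: an early-exit comparison does work proportional to the matching prefix of a guess, while a constant-time comparison does the same work for every guess of the right length. The function names and the sample token are assumptions made for the illustration, and the step counter stands in for elapsed time.

```php
<?php
// Added illustration, not MediaWiki's code; function names are hypothetical.

// Early-exit comparison. Returns [equal, steps]; steps counts the bytes
// inspected and grows with the length of the matching prefix.
function earlyExitEquals(string $known, string $given): array {
    $n = strlen($known);
    if ($n !== strlen($given)) {
        return [false, 0];
    }
    for ($i = 0; $i < $n; $i++) {
        if ($known[$i] !== $given[$i]) {
            return [false, $i + 1]; // stops at the first mismatching byte
        }
    }
    return [true, $n];
}

// Constant-time comparison. Every byte is inspected and the differences are
// OR-ed together, so the work does not depend on where a mismatch occurs.
function constantTimeEquals(string $known, string $given): array {
    $n = strlen($known);
    if ($n !== strlen($given)) {
        return [false, 0]; // token length is not treated as secret here
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return [$diff === 0, $n];
}

// Constructed sample token and candidate values (not real session data).
$token = 'a3f9c1d27b6e4f08';
$candidates = ['0000000000000000', 'a3f9000000000000', 'a3f9c1d27b6e4f00', $token];
foreach ($candidates as $candidate) {
    [, $earlySteps] = earlyExitEquals($token, $candidate);
    [$equal, $constSteps] = constantTimeEquals($token, $candidate);
    printf("%s  early-exit: %2d steps  constant-time: %2d steps  equal: %s\n",
        $candidate, $earlySteps, $constSteps, var_export($equal, true));
}
```

On PHP 5.6 and later the built-in `hash_equals()` performs this kind of comparison and is preferable to a hand-written loop.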
Bug Fixes:
- (bug 53710) Add sequence support for upsert in DatabaseOracle in the same way as in selectInsert
- (bug 60231, 58719) Various fixes to job running code in Wiki.php: Make it async on Windows. Fixed possible "invalid filename" errors on Windows. Redirect output to dev/null to avoid hanging PHP.
- (bug 60083) Correct sequence name for fresh Postgres installation. Spotted by gebhkla
- (bug 60531) Avoid variable naming conflicts in DatabasePostgres::selectSQLText. Spotted by gebhkla
- (bug 60094) Fix rebuildall.php fatal error with PostgreSQL. The fix for 47055 introduced a fatal error when running rebuildall.php. This is a workaround suggested by gebhkla on Bugzilla. It just checks to make sure $options is actually an array before calling array_search on it.
- (bug 43817c12) Add error handling if descriptionmsg isn't defined for extension.
- (bug 60543) Special:PrefixIndex omits stripprefix=1 for "Next page" link.