MediaWiki 1.26.1
18 December 2015
MediaWiki version 1.26.1 is now available (security release).
Upgrading to MediaWiki 1.26.1
MediaWiki 1.26.1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.26.1 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.26.1
This release fixes six security issues in core, in addition to other bug fixes.
Security fixes
- (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
- (bug T119309) SECURITY: Use hash_compare() for edit token comparison
- (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
- (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
- (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
- (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki
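Because the $wgArticlePath change (T117899) makes a previously accepted setting throw an error, it is worth checking LocalSettings.php before upgrading. The following pre-upgrade check is an added example, not code from MediaWiki or Installatron: the function name, the result labels, the sample file contents and the acceptance of "https://" alongside "http://" are assumptions, and the accept/reject rule is taken only from the release note above.

```python
import re

# Uncommented assignments of the form: $wgArticlePath = <rhs>;
ASSIGN_RE = re.compile(r'^\s*\$wgArticlePath\s*=\s*(.+?);\s*(?://.*|#.*)?$', re.M)
# A single plain PHP string literal (no concatenation, no embedded quotes).
LITERAL_RE = re.compile(r'''^(?P<q>['"])(?P<body>[^'"]*)(?P=q)$''')
# Rule from the release note: absolute URL or a path beginning with a slash.
OK_PREFIX_RE = re.compile(r'^(https?://|/)')

# Constructed sample LocalSettings.php fragment (not from a real wiki).
SAMPLE = """<?php
$wgSitename = "Example";
# $wgArticlePath = "/wiki/$1";
$wgArticlePath = "wiki/$1"; // relative, no leading slash
"""


def classify_article_path(local_settings: str) -> str:
    """Classify the last $wgArticlePath assignment in the given file text.

    Returns 'unset', 'ok', 'rejected' (will throw on 1.26.1 per the release
    note) or 'review' (value is computed, so it cannot be judged statically).
    """
    assignments = ASSIGN_RE.findall(local_settings)
    if not assignments:
        return "unset"
    rhs = assignments[-1].strip()  # PHP keeps the last assignment
    literal = LITERAL_RE.match(rhs)
    if literal is None:
        return "review"  # concatenation, function call, etc.
    body = literal.group("body")
    # Double-quoted PHP strings interpolate variables such as $wgScript.
    # "$1" is not a variable: PHP variable names cannot start with a digit.
    if literal.group("q") == '"' and re.search(r'\$\{?[A-Za-z_]', body):
        return "review"
    return "ok" if OK_PREFIX_RE.match(body) else "rejected"


if __name__ == "__main__":
    print("sample LocalSettings.php:", classify_article_path(SAMPLE))
```

A 'review' result means the value is built from other variables and has to be checked by evaluating the configuration, not by reading the file.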
Bugfixes
- Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
- Fixed stray literal \n in Special:Search.
- Fix issue that breaks HHVM Repo Authoritative mode.
- (bug T120267) Work around APCu memory corruption bug