MediaWiki 1.26.4
23 August 2016
MediaWiki version 1.26.4 is now available (security release).
Upgrading to MediaWiki 1.26.4
MediaWiki 1.26.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.26.4 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron
What's New in MediaWiki 1.26.4
- BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
- (T124163) Fixed fatal error in DifferenceEngine under HHVM.
- (T139565) SECURITY: API: Generate head items in the context of the given title
- (T137264) SECURITY: XSS in unclosed internal links
- (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
- (T133147) SECURITY: Require login to preview user CSS pages
- (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
- (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
- (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
- (T115333) SECURITY: Check read permission when loading page content in ApiParse
- Remove support for $wgWellFormedXml = false, all output is now well formed