Mailing List Archive

MediaWiki 1.3.0beta6 released

This should be the final beta release of MediaWiki 1.3.0; the final
final version will be released in a few days after some more bug fixing
and polishing up of documentation and installation.

Beta 6 includes a security fix: earlier 1.3.0 beta releases may be
vulnerable to a PHP inclusion attack if you have allow_url_fopen and
register_globals on (this is the default configuration in PHP 4.1.x, but
register_globals is off by default in 4.2.x and later).

Note that while MediaWiki through 1.1 required register_globals to be
on, 1.2 and 1.3 *do not*. If you have register_globals on, you should
turn it off unless you are absolutely sure you require it for some other
package. See http://php.net/register_globals for general information.

Release notes:
https://sourceforge.net/project/shownotes.php?release_id=258701

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.0beta6.tar.gz?download

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
https://sourceforge.net/tracker/?group_id=34373&atid=411192

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

-- brion vibber (brion @ pobox.com)
Re: MediaWiki 1.3.0beta6 released
>Beta 6 includes a security fix: earlier 1.3.0 beta releases may be
>vulnerable to a PHP inclusion attack if you have allow_url_fopen and
>register_globals on (this is the default configuration in PHP 4.1.x, but
>register_globals is off by default in 4.2.x and later).

Incidentally, a side note about this. From what I've read, you cannot
set allow_url_fopen by using ini_set - it's an admin value only. I
think I saw an attempt to turn this off in one of the source files.
Is this "just in case" sorta stuff?

--
Morbus Iff ( insert pithy quote here )
Technical: http://www.oreillynet.com/pub/au/779
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
Re: MediaWiki 1.3.0beta6 released
Morbus Iff wrote:
> Incidentally, a side note about this. From what I've read, you cannot
> set allow_url_fopen by using ini_set - it's an admin value only. I
> think I saw an attempt to turn this off in one of the source files.
> Is this "just in case" sorta stuff?

An empirical test on 4.3.2 shows that you can indeed turn
allow_url_fopen on and off via ini_set(), despite what the documentation
says.

They may have changed it and the documentation is incomplete, or it
might be an old bug.

-- brion vibber (brion @ pobox.com)
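
[Added example, not part of the thread and not MediaWiki code.] A small audit for the condition the announcement names (register_globals and allow_url_fopen both on) and for the ini_set() calls discussed in the replies above. The function names and sample inputs are constructed for illustration; the defaults encoded are the ones stated in the announcement.

```python
import re

def ini_bool(value):
    """Interpret a php.ini boolean: on/yes/true, or any non-zero integer."""
    v = value.strip().strip('"\'').lower()
    if v in ("on", "yes", "true"):
        return True
    return v.lstrip("-").isdigit() and int(v) != 0

def effective_flags(ini_text, php_version):
    """Effective register_globals / allow_url_fopen for php.ini text.

    Defaults follow the announcement: register_globals is on by default in
    PHP 4.1.x and off in 4.2.x and later; allow_url_fopen defaults to on.
    """
    major, minor = (int(p) for p in php_version.split(".")[:2])
    flags = {"register_globals": (major, minor) < (4, 2),
             "allow_url_fopen": True}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()           # strip ; comments
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) in flags:                 # names are case-sensitive
            flags[m.group(1)] = ini_bool(m.group(2))  # last assignment wins
    return flags

def exposed(ini_text, php_version):
    """True when both settings named in the announcement are on."""
    f = effective_flags(ini_text, php_version)
    return f["register_globals"] and f["allow_url_fopen"]

INI_SET = re.compile(
    r"ini_set\s*\(\s*['\"](register_globals|allow_url_fopen)['\"]\s*,\s*([^)]*?)\s*\)")

def runtime_overrides(php_source):
    """List (directive, argument) for ini_set() calls that touch either flag."""
    return [(m.group(1), m.group(2)) for m in INI_SET.finditer(php_source)]

# Constructed samples, not taken from any real installation.
SAMPLE_INI = """\
; constructed php.ini fragment
register_globals = On   ; legacy package needed this
allow_url_fopen = 1
"""
SAMPLE_SRC = "<?php\nini_set( 'allow_url_fopen', 0 );\n"

if __name__ == "__main__":
    print(effective_flags(SAMPLE_INI, "4.3.2"), exposed(SAMPLE_INI, "4.3.2"))
    print(exposed("", "4.1.2"), exposed("", "4.3.2"))   # defaults only
    print(runtime_overrides(SAMPLE_SRC))
```

This reads php.ini text only; values set per directory through the web server (for example Apache php_flag / php_admin_flag lines) are outside what it checks, so confirm the result against phpinfo() on the running server.
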
Re: MediaWiki 1.3.0beta6 released
Hi,

great work.

Will the final version include the "Wikipedia Portal" menu item by
default? I think the MediaWiki release shouldn't contain any
Wikipedia-specific strings.

By the way: what is the recommended way of customizing the menu on the
left?

And: are there any public tools available to convert a 1.2 iso-8859-1
system to a 1.3 utf-8 installation?

Greetings
Tim

On 07.08.2004, at 01:07, Brion Vibber wrote:

> This should be the final beta release of MediaWiki 1.3.0; the final
> final version will be released in a few days after some more bug fixing
> and polishing up of documentation and installation.
>
> Beta 6 includes a security fix: earlier 1.3.0 beta releases may be
> vulnerable to a PHP inclusion attack if you have allow_url_fopen and
> register_globals on (this is the default configuration in PHP 4.1.x, but
> register_globals is off by default in 4.2.x and later).
>
> Note that while MediaWiki through 1.1 required register_globals to be
> on, 1.2 and 1.3 *do not*. If you have register_globals on, you should
> turn it off unless you are absolutely sure you require it for some other
> package. See http://php.net/register_globals for general information.
>
> Release notes:
> https://sourceforge.net/project/shownotes.php?release_id=258701
>
> Download:
> http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.0beta6.tar.gz?download
>
> Wiki admin help mailing list:
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>
> Bug report system:
> https://sourceforge.net/tracker/?group_id=34373&atid=411192
>
> Play "stump the developers" live on IRC:
> #mediawiki on irc.freenode.net
>
> -- brion vibber (brion @ pobox.com)

------
Tim Pritlove, Discordian Evangelist, Chaos Computer Club
<mailto:tim@ccc.de> <http://tim.geekheim.de/>
<aim:timpritlove> <jabber:tim@jabber.berlin.ccc.de>
Project Blinkenlights <http://www.blinkenlights.de/>
------
The Fifth Commandment:
A Discordian is Prohibited of Believing What he reads.
Re: MediaWiki 1.3.0beta6 released
Tim Pritlove wrote:
> Will the final version include the "Wikipedia Portal" menu item by
> default? I think the MediaWiki release shouldn't contain any
> Wikipedia-specific strings.

I'm not aware of any such item. There is a "Community Portal" link,
which can be renamed by editing MediaWiki:Portal and MediaWiki:Portal-url

> By the way: what is the recommended way of customizing the menu on the
> left?

There currently is none, sorry. You have to hack up the template or the
code.

> And: are there any public tools available to convert a 1.2 iso-8859-1
> system to a 1.3 utf-8 installation?

There is a tool of some sort but I'm not sure where it is offhand...

-- brion vibber (brion @ pobox.com)