User talk:Terra: Difference between revisions

From Heroes 3 wiki
== Permission requests ==
I'd like to request permission to edit and update the [[Main Page|main page]]. <br>
--[[User:imahero|imahero]] 23:24, 11 September 2016 (CEST)
== [[Proposals]] ==

: Wiki has now been updated to latest version, sorry about the delay.
:--Terrasque
::If you could update to the latest version again, that would be great! :) <br>
::--[[User:imahero|imahero]] 13:24, 11 September 2016 (CEST)
:::I see that the wiki is currently using 1.23.5 LTS, so it should only be necessary to update to 1.23.15 LTS to get all the most recent <span class="plainlinks">[https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_23/RELEASE-NOTES-1.23 security updates]</span> without having to worry too much about breaking anything on the site. It'll be a different story in May 2017 when 1.23.x reaches end of life. At that point we'll want to update to the <span class="plainlinks">[https://www.mediawiki.org/wiki/Version_lifecycle#Versions_and_their_end-of-life latest LTS release]</span>. <br>
:::--[[User:imahero|imahero]] 09:36, 15 September 2016 (CEST)
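The check imahero describes above (read the running version, stay on the 1.23 patch line until the branch goes end of life, then move to the latest LTS) as an added example; this is not code from this wiki or from MediaWiki. It parses the `generator` field that `api.php?action=query&meta=siteinfo&siprop=general` returns, using a constructed sample response instead of a live request. The 1.23.15 patch level and the May 2017 end-of-life date are taken from the thread; the exact EOL day and the branch table are assumptions.

```python
"""Decide what kind of MediaWiki update a site needs from its siteinfo.

Added example, not code from the wiki or from MediaWiki. Parses the
'generator' string the siteinfo API returns and compares it with the
branch's latest patch release and its end-of-life date.
"""
import json
import re
from datetime import date

# Constructed sample of a siteinfo API response (not a real capture).
SAMPLE_SITEINFO = json.dumps({
    "query": {"general": {"generator": "MediaWiki 1.23.5",
                          "sitename": "Heroes 3 wiki"}}
})

# Assumed branch table: latest patch release in the 1.23 LTS line and the
# day the branch goes end of life (the thread only says "May 2017").
BRANCHES = {
    (1, 23): {"latest": (1, 23, 15), "eol": date(2017, 5, 31)},
}


def parse_version(generator: str) -> tuple:
    """'MediaWiki 1.23.5' -> (1, 23, 5); rejects anything else."""
    m = re.fullmatch(r"MediaWiki (\d+)\.(\d+)\.(\d+)", generator.strip())
    if not m:
        raise ValueError(f"unrecognised generator string: {generator!r}")
    return tuple(int(x) for x in m.groups())


def version_from_siteinfo(raw_json: str) -> tuple:
    """Extract the running version from a siteinfo API response body."""
    return parse_version(json.loads(raw_json)["query"]["general"]["generator"])


def recommend(version: tuple, today: date, branches=BRANCHES) -> str:
    """Patch within the branch while it is supported; otherwise move to a new LTS."""
    info = branches.get(version[:2])
    if info is None:
        return "unknown branch: upgrade to the latest LTS"
    if today > info["eol"]:
        return "branch EOL: upgrade to the latest LTS"
    if version < info["latest"]:
        return "patch update to %d.%d.%d" % info["latest"]
    return "up to date"


def recommend_for_site(raw_json: str, today_iso: str) -> str:
    """Convenience wrapper: siteinfo body plus an ISO date -> recommendation."""
    return recommend(version_from_siteinfo(raw_json), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(version_from_siteinfo(SAMPLE_SITEINFO),
          recommend_for_site(SAMPLE_SITEINFO, "2016-09-15"))
```

Against a live site the `SAMPLE_SITEINFO` string would be replaced by the body fetched from `api.php`; the branch table has to be refreshed by hand from the MediaWiki release lifecycle page, since nothing in the API says when a branch stops receiving security fixes.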
== List of security issues currently affecting the site, possibly putting all users at risk ==
* Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* Remove support for $wgWellFormedXml = false, all output is now well formed
* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primitives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in (many?) parser tags
* (T126685) Globally throttle password attempts
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as <nowiki>"http://my.wiki.com/wiki/$1"</nowiki> are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions
* (bug 67644) Make AutoLoaderTest handle namespaces
* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.
* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
* (T88310) SECURITY: Always expand xml entities when checking SVGs.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix.
* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy.
* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model.
* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a config option.
* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.
* (Bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header
* (Bug 67440) Allow classes to be registered properly from installer
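Two items in the list above, "(T127114) Login throttle can be tricked using non-canonicalized usernames" and "(T126685) Globally throttle password attempts", describe the same class of bug: a per-account throttle keyed on the raw string the client sent gives `admin`, ` admin`, `Admin` and `admin_` separate attempt budgets. The following is an added example written for this page, not MediaWiki's throttle code. The canonicalisation it uses (trim, collapse whitespace and underscores to single spaces, upper-case the first letter) is an assumption that approximates MediaWiki's username normalisation; the attempt limits and window are made up.

```python
"""Per-account login throttle keyed on the canonical username.

Added example, not MediaWiki's code. `simulate` shows how many failed
attempts against one account get through when the attacker cycles through
different spellings of the same name, with and without canonicalisation.
"""
import re
import time
from collections import defaultdict


def canonical_username(raw: str) -> str:
    """Assumed normalisation: collapse whitespace/underscores, trim, ucfirst."""
    name = re.sub(r"[\s_]+", " ", raw).strip()
    if not name:
        raise ValueError("empty username")
    return name[0].upper() + name[1:]


class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=300,
                 canonicalise=True, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.canonicalise = canonicalise  # False reproduces the T127114 weakness
        self.clock = clock
        self._attempts = defaultdict(list)  # key -> timestamps of failures

    def _key(self, username: str) -> str:
        return canonical_username(username) if self.canonicalise else username

    def _prune(self, key: str, now: float) -> None:
        self._attempts[key] = [t for t in self._attempts[key]
                               if now - t < self.window]

    def allowed(self, username: str) -> bool:
        key = self._key(username)
        self._prune(key, self.clock())
        return len(self._attempts[key]) < self.max_attempts

    def record_failure(self, username: str) -> None:
        key = self._key(username)
        now = self.clock()
        self._prune(key, now)
        self._attempts[key].append(now)

    def record_success(self, username: str) -> None:
        self._attempts.pop(self._key(username), None)


def simulate(variants, canonicalise, max_attempts=5) -> int:
    """Count failed attempts the throttle lets through while the attacker
    rotates through `variants` (all spellings of one account)."""
    throttle = LoginThrottle(max_attempts=max_attempts,
                             canonicalise=canonicalise,
                             clock=lambda: 0.0)  # frozen clock: nothing expires
    passed = 0
    for i in range(len(variants) * max_attempts):
        name = variants[i % len(variants)]
        if throttle.allowed(name):
            passed += 1
            throttle.record_failure(name)
    return passed


if __name__ == "__main__":
    spellings = ["admin", " admin", "Admin", "admin_"]
    print("raw key:      ", simulate(spellings, canonicalise=False))
    print("canonical key:", simulate(spellings, canonicalise=True))
```

The per-account counter alone still lets an attacker spread attempts across many accounts; the global throttle T126685 refers to would add a second counter keyed on the source address with the same prune/limit logic.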
Revision as of 00:17, 29 September 2016

== Proposals ==

This is my proposed update to the main page: Conservative Main Page.
--imahero 23:45, 16 September 2016 (CEST)


== Images ==

Hi there, I started adding some images, hope it is no problem with some low resolution screenshots from the game. Was thinking of getting images for most articles. Take care, Kdanv 12:55, 9 April 2009 (UTC)


== Still around? ==

Hey Terra! Are you still monitoring this site / watching your talk page? I'm wondering if you were the person who asked about me at my Wikipedia Talk page... Memetics 09:43, 11 November 2012 (UTC)

:Yep, still around. And no, wasn't me that poked your WP page.
:I still have my RSS reader monitoring changes to the wiki, so I get notified when something happens :)
:Terrasque 12:49, 11 November 2012 (UTC)
::Well, that's good to know. :-) (Guess I'll be careful not to do anything crazy. ;-) Memetics 14:15, 11 November 2012 (UTC)
::At some point, I'd like to upload a spreadsheet with a bunch of test data I gathered years ago, if I'm allowed to. It has a ton of information on various RMG treasure values and the resulting treasures produced, and a bunch of other stuff. Is it possible to add such a file somewhere on the wiki, or would that be something that would have to be hosted off-site and linked to? Memetics 10:11, 12 November 2012 (UTC)
:::Sorry for the late reply. There should be no problem hosting it on this site :) Terrasque 19:14, 15 November 2012 (UTC)


== Current wiki version ==

Hello, Terra. If you have the possibility to update this wiki to the current version, it would be nice. It has been outdated for 4 years already: Special:Version.

ParserFunctions do not work here, that's why I ask --HaxLi 20:16, 19 March 2014 (CET)

Wiki has now been updated to latest version, sorry about the delay.
--Terrasque