What's true for Special:ExpandTemplates is true for Special:TemplateSandbox, too:
- Mentioned In
- rMEXTfd3f6c69e52a: Updated mediawiki/extensions Project: mediawiki/extensions/TemplateSandbox…
rMEXT3e5f7ef5a736: Updated mediawiki/extensions Project: mediawiki/extensions/TemplateSandbox…
rETSA7484d5da2386: Require post with edit token if $wgRawHtml is set
rETSAc0143ccbcc18: Require post with edit token if $wgRawHtml is set
rETSAba3e93d5a018: Require post with edit token if $wgRawHtml is set
rETSA2fc676fcffb0: Require post with edit token if $wgRawHtml is set
Had trouble with committing to the right branch and decided that time from disclosure to publication of _any_ fix should be kept as minimal as possible. Thanks for the REL1_23 backport.
This makes absolutely no sense. So no fix is preferable to a delayed fix??? This basically screwed over 1.23/1.22 users who, after the bug was publicly disclosed still had no patch, with absolutely no indication that 1.23/1.22 patches were not ready. So I'm in the middle of upgrading my wikis and then realize that hey, there's no patch!
If you're trying to reduce the time from disclosure to publication, there are many other things you could be doing (prepping patches beforehand, not putting them in git until after the release, not waiting hours for jenkins to -1 patches, etc.) but aren't, so *not* releasing a security fix is completely ridiculous.