From 13e2a9dc59fbd61cd2a4ba9c963d7029a8766c6a Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 18 Oct 2017 05:28:43 +0000
Subject: [PATCH 1/2] SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled.
Most browsers percent escape < and > so its probably not exploitable
(curl is an exception here), but nonetheless its not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
 RELEASE-NOTES-1.28 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index b916d23768..870f9c33ab 100644
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -17,6 +17,8 @@ This is not a release yet!
 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
 * (T174255) Declare uploadCount property in importDump.php.
 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+  sends non-standard url escaping.
 
 == MediaWiki 1.28.1 ==
 
-- 
2.14.1