From dffdbc54acc5b38f0f38c097c322a9b8833e2848 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 18 Oct 2017 05:28:43 +0000
Subject: [PATCH] SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled.
Most browsers percent escape < and > so it's probably not exploitable
(curl is an exception here), but nonetheless it's not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
 RELEASE-NOTES-1.29 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 35e69697d7..914990598d 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -10,6 +10,8 @@ This not a release yet!
 * Fixed case of SpecialRecentChanges class usage.
 * (T174255) Declare uploadCount property in importDump.php.
 * (T163646) Pass a string not an int to mysql_real_escape_string().
+* (T178451) SECURITY Potential XSS when $wgShowExceptionDetails = false and browser
+  sends non-standard url escaping.
 
 == MediaWiki 1.29.1 ==
 
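Review bot: the escaping that the subject line announces is not in this patch. The diffstat lists only RELEASE-NOTES-1.29 with 2 insertions, so the added T178451 entry documents a fix whose code cannot be reviewed here. Either carry the change to the error-output path in the same commit or reference the commit that contains it. The entry could also name the affected output (the internal error message that includes the request URL, per the commit message), so that an administrator reading the release notes can tell what was escaped and under which setting.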
-- 
2.14.1

