* Fix for bug 28534: IE 6 content type detection again

* Fix for bug 28639: user object instance cache pollution
* Release notes formatting tweak.

RELEASE-NOTES

@@ -1,7 +1,7 @@
 = MediaWiki release notes =
 
 Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
 
 == MediaWiki 1.18 ==
 

images/.htaccess

@@ -1,6 +1,6 @@
 # Protect against bug 28235
 <IfModule rewrite_module>
 	RewriteEngine On
-	RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
+	RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
 	RewriteRule . - [forbidden]
 </IfModule>

img_auth.php

@@ -40,7 +40,7 @@ if ( $wgImgAuthPublicTest
 
 // Check for bug 28235: QUERY_STRING overriding the correct extension
 if ( isset( $_SERVER['QUERY_STRING'] )
-	&& preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+	&& preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
 {
 	wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
 }	

includes/User.php

@@ -937,24 +937,25 @@ class User {
 			return false;
 		}
 
-		$this->mId = $sId;
-		if ( !$this->loadFromId() ) {
-			# Not a valid ID, loadFromId has switched the object to anon for us
+		$proposedUser = User::newFromId( $sId );
+		if ( !$proposedUser->isLoggedIn() ) {
+			# Not a valid ID
+			$this->loadDefaults();
 			return false;
 		}
 
 		global $wgBlockDisablesLogin;
-		if( $wgBlockDisablesLogin && $this->isBlocked() ) {
+		if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) {
 			# User blocked and we've disabled blocked user logins
 			$this->loadDefaults();
 			return false;
 		}
 
 		if ( $wgRequest->getSessionData( 'wsToken' ) !== null ) {
-			$passwordCorrect = $this->mToken == $wgRequest->getSessionData( 'wsToken' );
+			$passwordCorrect = $proposedUser->getToken() === $wgRequest->getSessionData( 'wsToken' );
 			$from = 'session';
 		} else if ( $wgRequest->getCookie( 'Token' ) !== null ) {
-			$passwordCorrect = $this->mToken == $wgRequest->getCookie( 'Token' );
+			$passwordCorrect = $proposedUser->getToken() === $wgRequest->getCookie( 'Token' );
 			$from = 'cookie';
 		} else {
 			# No session or persistent login cookie
@@ -962,7 +963,8 @@ class User {
 			return false;
 		}
 
-		if ( ( $sName == $this->mName ) && $passwordCorrect ) {
+		if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) {
+			$this->loadFromUserObject( $proposedUser );
 			$wgRequest->setSessionData( 'wsToken', $this->mToken );
 			wfDebug( "User: logged in from $from\n" );
 			return true;
@@ -1063,6 +1065,18 @@ class User {
 		}
 	}
 
+	/**
+	 * Load the data for this user object from another user object. 
+	 */
+	protected function loadFromUserObject( $user ) {
+		$user->load();
+		$user->loadGroups();
+		$user->loadOptions();
+		foreach ( self::$mCacheVars as $var ) {
+			$this->$var = $user->$var;
+		}
+	}
+
 	/**
 	 * Load the groups from the database if they aren't already loaded.
 	 * @private

includes/WebRequest.php

@@ -786,7 +786,7 @@ class WebRequest {
 		global $wgScriptExtension;
 
 		if ( isset( $_SERVER['QUERY_STRING'] ) 
-			&& preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+			&& preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
 		{
 			// Bug 28235
 			// Block only Internet Explorer, and requests with missing UA