Index: includes/api/ApiFormatJson.php
===================================================================
--- includes/api/ApiFormatJson.php	(.../REL1_11_1/phase3)	(revision 31488)
+++ includes/api/ApiFormatJson.php	(.../REL1_11_2/phase3)	(revision 31488)
@@ -74,7 +74,7 @@
 
 	protected function getParamDescription() {
 		return array (
-			'callback' => 'If specified, wraps the output into a given function call',
+			'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
 		);
 	}
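Review bot: The new description on the `'callback'` line promises that "all user-specific data will be restricted", which is broader than what the rest of this release does (credentials are dropped and edit tokens are withheld); a client reading the help text should be told the concrete effect so they do not expect other user-dependent output to be filtered. Suggest `'callback' => 'If specified, wraps the output into a given function call. For safety, the request is processed as an anonymous user and no tokens are returned.'`. The enclosing getParamDescription() is fully visible in this hunk.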
 
Index: includes/api/ApiMain.php
===================================================================
--- includes/api/ApiMain.php	(.../REL1_11_1/phase3)	(revision 31488)
+++ includes/api/ApiMain.php	(.../REL1_11_2/phase3)	(revision 31488)
@@ -98,6 +98,14 @@
 			// If the current user cannot read, 
 			// Remove all modules other than login
 			global $wgUser;
+			
+			if( $request->getVal( 'callback' ) !== null ) {
+				// JSON callback allows cross-site reads.
+				// For safety, strip user credentials.
+				wfDebug( "API: stripping user credentials for JSON callback\n" );
+				$wgUser = new User();
+			}
+			
 			if (!$wgUser->isAllowed('read')) {
 				self::$Modules = array(
 					'login' => self::$Modules['login'],
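Review bot: The added guard triggers on the mere presence of a `callback` parameter, not on `format=json` being selected, so credentials are also dropped for requests whose formatter ignores the callback; that is the fail-safe direction, but it is not explained, so add `// Keyed on the parameter, not on format=json: any callback-capable output is cross-site readable` above the `if`. Replacing `$wgUser` with a fresh `User()` only affects code that reads the global after this point; anything already derived from the logged-in user earlier in request setup (user language, preferences, other globals) would not be reset by that line, so it is worth verifying that no API output depends on such state. A fresh anonymous User may still be allowed actions such as 'edit' depending on the wiki's configuration, which is why the separate token guard in ApiQueryBase is still needed and should be mentioned here. The enclosing method starts before the hunk.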
Index: includes/api/ApiQueryBase.php
===================================================================
--- includes/api/ApiQueryBase.php	(.../REL1_11_1/phase3)	(revision 31488)
+++ includes/api/ApiQueryBase.php	(.../REL1_11_2/phase3)	(revision 31488)
@@ -215,6 +215,10 @@
 	}
 
 	public function getTokenFlag($tokenArr, $action) {
+		if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+			// Don't do any session-specific data.
+			return false;
+		}
 		if (in_array($action, $tokenArr)) {
 			global $wgUser;
 			if ($wgUser->isAllowed($action))
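Review bot: The `callback` test on the first added line duplicates the detection in ApiMain with no shared helper, so the two can drift if one is later tightened (for example to `format=json` only) and the other is not. A single predicate on the main module, such as an `isCallbackRequest()` method that both sites call, would keep them in step; here that would read `if ($this->getMain()->isCallbackRequest()) { return false; }`. The comment `// Don't do any session-specific data.` should state the reason rather than the rule: `// JSONP output is readable cross-site: never report tokens, even for anonymous users.` The remainder of getTokenFlag() continues past the end of the hunk.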
Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php	(.../REL1_11_1/phase3)	(revision 31488)
+++ includes/DefaultSettings.php	(.../REL1_11_2/phase3)	(revision 31488)
@@ -31,7 +31,7 @@
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion			= '1.11.1';
+$wgVersion			= '1.11.2';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';
Index: RELEASE-NOTES
===================================================================
--- RELEASE-NOTES	(.../REL1_11_1/phase3)	(revision 31488)
+++ RELEASE-NOTES	(.../REL1_11_2/phase3)	(revision 31488)
@@ -3,6 +3,24 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
+== MediaWiki 1.11.2 ==
+
+March 2, 2008
+
+This is a security release of the Fall 2007 snapshot release of MediaWiki.
+Possible cross-site information leaks using the callback parameter for
+JSON-formatted results in the API are prevented by dropping user credentials.
+
+MediaWiki release versions prior to 1.11 are not vulnerable, as they do
+not include the callback feature which allows client-side JavaScript on
+other sites to reach API data.
+
+Changes in this release:
+
+* User credentials are dropped for API JSON requests using a callback
+* Edit tokens are not reported for API JSON requests using a callback
+
+
 == MediaWiki 1.11.1 ==
 
 January 23, 2008
