Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php	(.../REL1_10_2/phase3)	(revision 30098)
+++ includes/DefaultSettings.php	(.../REL1_10_3/phase3)	(revision 30098)
@@ -31,7 +31,7 @@
 $wgConf = new SiteConfiguration;
 
 /** MediaWiki version number */
-$wgVersion			= '1.10.2';
+$wgVersion			= '1.10.3';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';
Index: api.php
===================================================================
--- api.php	(.../REL1_10_2/phase3)	(revision 30098)
+++ api.php	(.../REL1_10_3/phase3)	(revision 30098)
@@ -27,6 +27,29 @@
 
 wfProfileIn('api.php');
 
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+	$url = $_SERVER['SCRIPT_URL'];
+} else {
+	$url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+	wfHttpError( 403, 'Forbidden',
+		'API must be accessed through the primary script entry point.' );
+	return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 	echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
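Review bot: the `return;` that ends the new URL check in api.php exits after `wfProfileIn('api.php')` has already been called a few lines above, with no matching `wfProfileOut('api.php')`, so the profiling section is left open on the 403 path; call `wfProfileOut('api.php')` before returning. The exact `strcmp` against `"$wgScriptPath/api$wgScriptExtension"` also means any installation where `$wgScriptPath` does not match the path the web server reports in `SCRIPT_URL` or `PHP_SELF` (aliases, reverse proxies, some CGI setups) will receive a 403 for every API request after upgrading; the comment block should state that any path differing from the canonical entry point, including a PATH_INFO suffix, is intentionally rejected, so operators can tell a misconfigured `$wgScriptPath` from a blocked request.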
Index: RELEASE-NOTES
===================================================================
--- RELEASE-NOTES	(.../REL1_10_2/phase3)	(revision 30098)
+++ RELEASE-NOTES	(.../REL1_10_3/phase3)	(revision 30098)
@@ -3,6 +3,38 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
+== MediaWiki 1.10.3 ==
+
+January 23, 2008
+
+This is a security update to the Winter 2007 quarterly release. A potential
+XSS injection vector affecting api.php only for Microsoft Internet Explorer
+users has been closed.
+
+
+To work around the vulnerability without upgrading, you may disable the
+API if you don't need it:
+
+  $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.12 or later
+* 1.11 >= 1.11.1
+* 1.10 >= 1.10.3
+* 1.9 >= 1.9.5
+* 1.8 any version (if $wgEnableAPI has been left off)
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.2
+* 1.9 <= 1.9.4
+* 1.8 any version (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the API functionality, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
 == MediaWiki 1.10.2 ==
 
 September 10, 2007
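Review bot: the 1.10.3 release note should mention the visible behaviour change that api.php now returns 403 "Forbidden" when reached through any path other than `$wgScriptPath/api$wgScriptExtension`, since operators with a non-matching `$wgScriptPath` or a PATH_INFO-style URL will see the API stop working after this update and need to know it is the new check rather than a breakage. Also, the doubled blank lines after "users has been closed." and after the BotQuery paragraph do not match the single-blank-line spacing used by the rest of RELEASE-NOTES.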
