Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
-** NOTE TO COMMITTERS: Before 1.5.0 release, rearrange these nicely
-** and move 1.4 stuff to HISTORY.
-== MediaWiki 1.5 ==
+== MediaWiki 1.5 alpha 2 ==
+
+June 3, 2005
+
+MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
+and a security update.
+
+Incorrect handling of page template inclusions made it possible to
+inject JavaScript code into HTML attributes, which could lead to
+cross-site scripting attacks on a publicly editable wiki.
+
+Vulnerable releases and fix:
+* 1.5 prerelease: fixed in 1.5alpha2
+* 1.4 stable series: fixed in 1.4.5
+* 1.3 legacy series: fixed in 1.3.13
+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
+
+
+== MediaWiki 1.5 alpha 1 ==
+
+May 3, 2005
+
+This is a testing preview release, being put out mainly to aid testers in
+finding installation bugs and other major problems. It is strongly recommended
+NOT to run a live production web site on this alpha release.
+
+** WARNING: USE OF THIS ALPHA RELEASE MAY INFEST YOUR HOUSE WITH **
+** TERMITES, ROT YOUR TEETH, GROW HAIR ON YOUR PALMS, AND PASTE **
+** INNUENDO INTO YOUR C.V. RIGHT BEFORE A JOB INTERVIEW! **
+** DON'T SAY WE DIDN'T WARN YOU, MAN. WE TOTALLY DID RIGHT HERE. **
+
+
+=== Big changes ===
+
+Schema:
+ The core table schema has changed significantly. This should make better
+ use of the database's cache and disk I/O, and make significantly speed up
+ rename and delete operations on pages with very long edit histories.
+
+ Unfortunately this does mean upgrading a wiki of size from 1.4 will require
+ some downtime for the schema restructuring, but future storage backend
+ changes should be able to integrate into the new system more easily.
+
+Permalinks:
+ The current revision of a page now has a permanent 'oldid' number assigned
+ immediately, and the id numbers are now preserved across deletion/undeletion.
+ A permanent reference to the current revision of a page is now just a matter
+ of going to the 'history' tab and copying the first link in the list.
+
+Page move log:
+ Renames of pages are now recorded in Special:Log and the page history.
+ A handy revert link is available from the log for sysops.
+
+Editing diff:
+ Ever lost track of what you'd done so far during an edit? A 'Show diff'
+ button on the edit page now makes it easy to remember.
+
+Uploads:
+ It's now possible to specify the final filename of an upload distinct
+ from the original filename on your disk.
+
+ An image link for a missing file will now take you straight to the upload page.
+
+ More metadata is pre-extracted from uploaded images, which will ease pressure
+ on disk or NFS volumes used to store images. EXIF metadata is displayed on
+ the image description page if PHP is configured with the necessary module.
+
+User accounts:
+ There are some changes to the user permissions system, with assignable
+ groups. This is still somewhat in flux; do not rely on the present system
+ that you see in this alpha to still be there.
+
+E-mail:
+ User-to-user e-mail can now be restricted to require a mail-back confirmation
+ first to reduce potential for abuse with false addresses.
+
+ Updates to user talk pages and watchlist entries can optionally send e-mail
+ notifications.
+
+External hooks:
+ A somewhat experimental interface for hooking in an external editor
+ application is included. This may not be on by default in final release,
+ depending on support.
+
+And...
+ A bunch of stuff we forgot to mention.
+
+
+=== What's gone? ===
+
+Latin-1:
+ Wikis must now be encoded in Unicode UTF-8; this has been the default for
+ some time, but some languages could optionally be installed in Latin-1 mode.
+ This is no longer supported.
+
+MySQL 3.x:
+ Some optimization hacks for MySQL 3.x have been removed as part of the schema
+ clean-up (specifically, the inverse_timestamp fields). MediaWiki 1.5 should
+ still run, but wikis of significant size should very seriously consider
+ upgrading to a more modern release. MySQL 3.x support will probably be
+ entirely dropped in the next major release later this year.
+
+Special:Maintenance
+ These tools were, ironically enough, not really maintained. This special
+ page has been removed; insofar as some of its pieces were useful and haven't
+ already been supplanted by other special pages they should be rewritten in
+ an efficient and safe manner in the future.
+
+
+=== What's still waiting? ===
+
+These things should be fixed by the time 1.5.0 final is released:
+
+Upgrade:
+ Wikis in Latin-1 encoding are no longer supported; only Unicode UTF-8.
+ A new option $wgLegacyEncoding is provided to allow on-the-fly recoding of
+ old page text entries, but other metadata fields (titles, comments etc) need
+ to be pre-converted. The upgrade process does not yet fully automate this.
+
+ In general the upgrade from 1.4 to 1.5 schema has not been tested for all
+ cases, and there may be problems.
+
+Backups:
+ The text entries of deleted pages are no longer removed from the main
+ text table on deletion. If you provide public backup dumps of your databases,
+ you will probably want to use the new XML-format dump generator... but
+ this hasn't been finished yet.
+
+PostgreSQL:
+ The table definitions for PostgreSQL install are out of date, and patches
+ to support PostgreSQL from the main installer are still pending.
+
+MySQL 4.1+:
+ Proper charset encoding / collation configuration for installs on MySQL 4.1
+ and higher still needs to be fiddled with. Some bits may fail on the UTF-8
+ setting due to some long field keys.
+
+Authentication plugin fixes:
+ The AuthPlugin interface needs some improvements to work better with LDAP,
+ HTTP basic auth, and other such environments. Some patches are pending.
+
+
+=== Smaller changes ===
+
+Various bugfixes, small features, and a few experimental things:
-New exciting things! Need further work and testing...
-* user groups/permissions scheme
-* e-mail change notifications
* 'live preview' reduces preview reload burden on supported browsers
+* support for external editors for files and wiki pages:
+ http://meta.wikimedia.org/wiki/Help:External_editors
* Schema reworking: http://meta.wikimedia.org/wiki/Proposed_Database_Schema_Changes/October_2004
+* New WikiSyntax: -- turns into — or – depending on context
+* (bug 15) Allow editors to view diff of their change before actually submitting an edit
+* (bug 190) Hide your own edits on the watchlist
+* (bug 510): Special:Randompage now works for other namespaces than NS_MAIN.
+* (bug 1015) support for the full wikisyntax in <gallery> captions.
+* (bug 1105) A "Destination filename" (save as) added to Special:Upload Upload.
+* (bug 1352) Images on description pages now get thumbnailed regardless of whether the thumbnail is larger than the original.
+* (bug 1662) A new magicword, {{CURRENTMONTHABBREV}} returns the abbreviation of the current month
+* (bug 1668) 'Date format' supported for other languages than English, see:
+ http://mail.wikipedia.org/pipermail/wikitech-l/2005-March/028364.html
+* (bug 1739) A new magicword, {{REVISIONID}} give you the article or diff database
+ revision id, useful for proper citation.
+* (bug 1998) Updated the Russian translation.
+* (bug 2064) Configurable JavaScript mimetype with $wgJsMimeType
+* (bug 2084) Fixed a regular expression in includes/Title.php that was accepting invalid syntax like #REDIRECT [[foo] in redirects
+* It's now possible to invert the namespace selection at Special:Allpages and Special:Contributions
+* No longer using sorbs.net to check for open proxies by default.
+* What was $wgDisableUploads is now $wgEnableUploads, and should be set to true if one wishes to enable uploads.
+* Supplying a reason for a block is no longer mandatory
+* Language conversion support for category pages
+* $wgStyleSheetDirectory is no longer an alias for $wgStyleDirectory;
+* Special:Movepage can now take paramaters like Special:Movepage/Page_to_move
+ (used to just be able to take paramaters via a GET request like index.php?title=Special:Movepage&target=Page_to_move)
+* (bug 2151) The delete summary now includes editor name, if only one has edited the article.
+* (bug 2105) Fixed from argument to the PHP mail() function. A missing space could prevent sending mail with some versions of sendmail.
+* (bug 2228) Updated the Slovak translation
* ...and more!
-Need to merge:
-* stuff
-
-
-== Version Enotif+Eauthent EN+EA v2.00/CVS, 14.12.2004 ==
-written by Thomas Gries, Berlin and Markus Arndt, Munich
-
-Executive summary for the impatient reader:
-
-Enotif adds e-mail notification to MediaWiki and sends e-mails
-to watching users when a watch-listed page or user_talk page is changed
-http://bugzilla.wikipedia.org/show_bug.cgi?id=454
-Visit the complete documentation on http://meta.wikipedia.org/Enotif
-
-Eauthent is a mechanism to use a temporary one-time password cycle
-to check whether the email address a user has entered is a valid one.
-http://bugzilla.wikipedia.org/show_bug.cgi?id=866
-Visit the complete documentation on http://meta.wikipedia.org/Eauthent
-
-The current patch has only been checked for (see DefaultSettings.php):
-
-- php mail()
- ( = not using PEAR:Mail() module --- I do not know anyone who uses that)
- $wgSMTP = false;
-- MySQL database
- ( = not using PostgreSQL --- I do not know anyone who uses that)
- $wgDBtype = "mysql";
- $wgSearchType = "MyISAM";
-
-- STILL TODO:
- NEW (newpageletter) and CORR (minoreditletter) markers needs
- corresponding "spacers"
-
-- table user_newtalk dropped; changes on usertalk pages and their
- notifications are now fully handled via existing table watchlist
- The user interface and behavious is unchanged to previous version.
-- updaters.inc for compatibility with older mediawiki tables:
- the conversion script converts existing user_newtalk entries
- watchlist table entries
- (user_newtalk) id ==> (watchlist) NS_USER_TALK:namefromId(id) timestamp=1
-- minor bug fixes:
- updated marker now correctly shown on watchlist page
- watching users number display with enhanced RC view + RCUseModStyle
-- wfUrlencode() instead of rawurlencode() in enotif mails
-- duplicate enotif code moved from UserTalkUpdate.php and
- merged into UserMailer.php and using usermailer() solely
-- fixed an enotif mail text error for user names with spaces
-- fixed missing part for suppressing watching user number
-
-v1.36:
-magic watchlist shows and counts now only the content page, notwithstanding
-the content and talk page are stored separately in watchlist.
-* bug fixed: rawurlencode for pagetitles in enotif mails
-* bug fixed: link to userpages of anonymous user are correct now
-
-* Enotif v1.34
- bugs fixed regarding missing $oldid parameter
-
-* v1.33
-* Details:
- Implements almost all enotif options as user preferences.
- These are only shown on the user preference page, if they are globally
- enabled by the corresponding admin option in DefaultSettings.php.
- Added admin feature to let enotifs appear to come from the page editor.
- This facilitates automatic mail sorting and anti-spam filtering; feature was
- originally proposed by Nick Triantos, thank you !
- Page editor's email address is however only shown, if this user enabled
- the option "reveal my email address" in user preferences. Otherwise,
- the enotifs appear to come from WikiAdmin as usual (tricky to program,
- but simply trust the algorithm. or look into UserMailer.php and
- UserTalkPage.php).
-
-* Changes from previous enotif versions
-* v1.31 is an improved version with many security and also cosmetic changes
- applied after two first reviews by Brion Vibber. v1.31 is basically the same as
- the older Enotif v1.30 and v1.22 versions.
-
- Added UseMod style for recent changes view so that only the most recent
- change of any page is listed. The (diff) and (hist) still allow to retrieve the
- older versions at users' discretion, but the RC view is much cleaner for
- trusted environments such as medium-size companies or family wikis.
-
-* Enotif v1.30 redesign after review by Brion Vibber 25.10.2003
-
-* v1.22 "updated (since my last visit)" also shown for users without stored
- email address in preferences, so that they can see, what watched pages
- have changed.
-* show "updated (since my last visit)" markers in RC, history and watchlist
-* Systemvariables to suppress updated marker in all views
-* show number of watching users in RC and on bottom of articles in
- classic skin and in monobook skin
-* Systemvariables in DefaultSettings.php to enable or disable features
-* v1.21 now suppresses displaying the marker "updated (since my last visit)"
- in recent changes view for the older (already visited) versions of watched
- pages - i.e. page versions before the enotif was sent do not bear that
- marker any longer.
-* enotif mails come with a link to the diff view between current and last
- visited version of the watching user.
-*database structure is changed automatically when installing via the
- recommended way (starting index.php and re-using the old database name).
- run php /maintenance/update.php
- OR see /maintenance/archives/patch-email-notification.sql and apply the
- command
- ALTER TABLE watchlist
- ADD (wl_notificationtimestamp varchar(14) binary NOT NULL default '0');
- manually to your database, which does not harm the non notification versions
-
-*adding a page x to the watchlist does automatically add a watch
- for the accompanying talk_page talk:x and vice versa;
-
-== MediaWiki 1.4 BETA ==
-
-[Not everything is 100% working in beta yet, the installer needs fixes still.]
-
-Major changes from 1.3.x:
-* Support for table prefixes for better sharing with other web apps
-* (?) PostgreSQL support
-* Optional article validation voting features
-* 'Recentchanges Patrol' to mark new edits that haven't yet been viewed
-* Support for faster C++ diff module (WikiDiff extension)
-* More scary link caching modes
-* Old manually maintained log pages replaced with searchable Special:Log
-* Skins system more modular: templates and CSS are now in /skins/
-* New user preference for limitting the image size for images on image description
- pages
-* Error pages no more offer edit / talk / watch links (bug #502)
-* Allow user to preview article on first edit (bug #530)
-* New dark background skin named Amethyst (thanks Sorwena and Sorkhiri)
-* [[RFC 1234]] will now make an internal link (bug #479)
-* PhpTal skins shown bogus 'What links here' etc on special pages (bug #511)
-* Experimental code to manage user and group rights (Special:Userlevels)
-* UI language switching
-* Adding filter and username exact search match for Special:Listusers (bug #770)
-* Special:Listadmins outdated, use Special:Listusers instead (bug #857)
-* Traditional/Simplified Chinese conversion
-* New tag "<gallery>" to generate a table of image thumbnails
-* Installer die if it can not write LocalSettings.php (bug #733)
-* Various special pages no more show the rss/atom feed links (bug #705)
-* Support for external authentication plug-ins
-* (bug 114) use category backlinks in Special:Recentchangeslinked
-* ... and more!
+
+=== Changes since 1.5alpha1 ===
+
+* (bug 73) Category sort key is set to file name when adding category to
+ file description from upload page (previously it would be set to
+ "Special:Upload", causing problems with category paging)
+* (bug 419) The contents of the navigation toolbar are now editable through
+ the MediaWiki namespace on the MediaWiki:navbar page.
+* (bug 498) The Views heading in MonoBook.php is now localizable
+* (bug 898) The wiki can now do advanced sanity check on uploaded files
+ including virus checks using external programs.
+* (bug 1692) Fix margin on unwatch tab
+* (bug 1906) Generalize project namespace for Latin localization, update namespaces
+* (bug 1975) The name for Limburgish (li) changed from "Lèmburgs" to "Limburgs
+* (bug 2019) Wrapped the output of Special:Version in <div dir='ltr'> in order
+ to preserve the correct flow of text on RTL wikis.
+* (bug 2067) Fixed crash on empty quoted HTML attribute
+* (bug 2075) Corrected namespace definitions in Tamil localization
+* (bug 2079) Removed links to Special:Maintenance from movepagetext message
+* (bug 2094) Multiple use of a template produced wrong results in some cases
+* (bug 2095) Triple-closing-bracket thing partly fixed
+* (bug 2110) "noarticletext" should not display on Image page for "sharedupload" media
+* (bug 2150) Fix tab indexes on edit form
+* (bug 2152) Add missing bgcolor to attribute whitelist for <td> and <th>
+* (bug 2176) Section edit 'show changes' button works correctly now
+* (bug 2178) Use temp dir from environment in parser tests
+* (bug 2217) Negative ISO years were incorrectly converted to BC notation
+* (bug 2234) allow special chars in database passwords during install
+* Deprecated the {{msg:template}} syntax for referring to templates, {{msg: is
+ now the wikisyntax representation of wfMsgForContent()
+* Fix for reading incorrectly re-gzipped HistoryBlob entries
+* HistoryBlobStub: the last-used HistoryBlob is kept open to speed up
+ multiple-revision pulls
+* Add $wgLegacySchemaConversion update-time option to reduce amount of
+ copying during the schema upgrade: creates HistoryBlobCurStub reference
+ records in text instead of copying all the cur_text fields. Requires
+ that the cur table be left in place until/unless such fields are migrated
+ into the main text store.
+* Special:Export now includes page, revision, and user id numbers by
+ default (previously this was disabled for no particular reason)
+* dumpBackup.php can dump the full database to Export XML, with current
+ revisions only or complete histories.
+* The group table was renamed to groups because "group" is a reserved word in
+ SQL which caused some inconveniances.
+* New fileicons for c, cpp, deb, dvi, exe, h, html, iso, java, mid, mov, o,
+ ogg, pdf, ps, rm, rpm, tar, tex, ttf and txt files based on the KDE
+ crystalsvg theme.
+* Fixed a bug in Special:Newimages that made it impossible to search for '0'
+* Added language variant support for Icelandic, now supports "Íslenzka"
+* The #p-nav id in MonoBook is now #p-navigation
+* Putting $4 in msg:userstatstext will now give the percentage of
+ admnistrators out of normal users.
+* links and brokenlinks tables merged to pagelinks; this will reduce pain
+ dealing with moves and deletes of widely-linked pages.
+* Add validate table and val_ip column through the updater.
+* Simple rate limiter for edits and page moves; set $wgRateLimits
+ (somewhat experimental; currently needs memcached)
+* (bug 2262) Hide math preferences when TeX is not enabled
+* (bug 2267) Don't generate thumbnail at the same size as the source image.
+* Fix rebuildtextindex.inc for new schema
+* Remove linkscc table code, no longer used.
+* (bug 2271) Use faster text-only link replacement in image alt text
+ instead of rerunning expensive link lookup and HTML generation.
+* Only build the HTML attribute whitelist tree once.
+* Replace wfMungeToUtf8 and do_html_entity_decode with a single function
+ that does both numeric and named chars: Sanitizer::decodeCharReferences
+* Removed some obsolete UTF-8 converter functions
+* Fix function comment in debug dump of SQL statements
+* (bug 2275) Update search index more or less right on page move
+* (bug 2053) Move comment whitespace trimming from edit page to save;
+ leaves the whitespace from the section comment there on preview.
+* (bug 2274) Respect stub threshold in category page list
+* (bug 2173) Fatal error when removing an article with an empty title from the watchlist
+* Removed -f parameter from mail() usage, likely to cause failures and bounces.
+* (bug 2130) Fixed interwiki links with fragments
+* (bug 684) Accept an attribute parameter array on parser hook tags
+* (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external
+ LDAP authentication plugin
+* (bug 2034) Armor HTML attributes against template inclusion and links munging
+
+=== Changes since 1.5alpha2 ===
+
+* (bug 2319) Fix parse hook tag matching
+* (bug 2329) Fix title formatting in several special pages
+* (bug 2223) Add unique index on user_name field to prevent duplicate accounts
+* (bug 1976) fix shared user database with a table prefix set
+* (bug 2334) Accept null for attribs in wfElement without PHP warning
+* (bug 2309) Allow templates and template parameters in HTML attribute zone,
+ with proper validation checks. (regression from fix for 2304)
+* Disallow close tags and enforce empty tags for <hr> and <br>
+
=== Caveats ===
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)
-The new 'MonoBook' skin is not compatible with PHP 5 due to bugs in the
-underlying PHPTAL library. It will be automatically disabled when running
-on PHP5; the older look and feel will be used instead.
-
-For notes on 1.3.x and older releases, see HISTORY.
+For notes on 1.4.x and older releases, see HISTORY.
=== Online documentation ===
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
+A low-traffic announcements-only list is also available:
+ http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
+
+It's highly recommended that you sign up for one of these lists if you're
+going to run a public MediaWiki, so you can be notified of security fixes.
+
=== IRC help ===
dépôts / lhc / web / wiklou.git / blobdiff