Restrict shell commands by default

[lhc/web/wiklou.git] / RELEASE-NOTES-1.31

== MediaWiki 1.31 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.31 is an alpha-quality branch and is not recommended for use in
production.

=== Configuration changes in 1.31 ===
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
  a future version. The API is now considered to be stable, secure and
  essential.
* $wgUsejQueryThree was removed, as it is now the default. This was documented as a
  temporary variable during the migration period, deprecated since 1.29.
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
  possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does
  not have the right to mark things patrolled.
* Wikis that contain imported revisions or CentralAuth global blocks should run
  maintenance/cleanupUsersWithNoId.php.
* $wgResourceLoaderMinifierStatementsOnOwnLine and $wgResourceLoaderMinifierMaxLineLength
  were removed (deprecated since 1.27).
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that are not
  using the latest version of the Referrer Policy specification.
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a first step of
  migration to human-readable section IDs that will later result in 'html5' being the
  default mode.
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
  as upstream is inactive and has no plans to move to PHP 7.
* The old CategorizedRecentChanges feature, including its related configuration
  option $wgAllowCategorizedRecentChanges, has been removed.
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported for
  performance reasons, and installations with this setting will now work as if it
  was configured with 'any'.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input, rather than
  being off by default. If you wish to disable HTML tidying entirely, set $wgTidyConfig
  to null; if you wish to use the old, deprecated Tidy external binary, both
  set $wgTidyConfig to null and also set $wgUseTidy to true.
* $wgLogAutopatrol now defaults to false instead of true.
* $wgValidateAllHtml was removed and will be ignored.

=== New features in 1.31 ===
* (T76554) User sub-pages named ….json are now protected in the same way that ….js
  and ….css pages are, so that configuration options can safely be placed there.
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support
  joins with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
  Html class now provides helper methods for messageBox, successBox, errorBox and
  warningBox generation.
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
  a format like "iw>Example".
* (T20209) Linker (used on history pages, log pages, and so on) will display
  usernames formed like "iw>Example" as interwiki links, as if by wikitext like
  [[iw:User:Example|iw>Example]].
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
  users during an import.
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
  the ParserOutput::getText() post-cache transformations.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
  initial page text for file uploads.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
  hash value in the table of basic information.
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
  ParserOutput::getText() post-cache transformation. This may be disabled by
  passing 'deduplicateStyles' => false to that method.
* The identity of the logged-in or IP "actor" for logged actions is being moved
  into a new actor table, with the rows in tables such as revision and logging
  referring to the actor ID instead of storing the user ID and name/IP in
  every row.
  * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
    can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
    soon as any necessary extensions are updated.
  * Most code accessing rows for logged actions from the database should use
    the relevant getQueryInfo() methods to get the information needed to build
    the SQL query. The ActorMigration class may also be used to get feature-flagged
    information needed to access actor-related fields during the migration
    period.
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
  section without having to roll back the whole transaction.
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
  and non-MySQL ::replace() and ::upsert() no longer roll back the whole
  transaction on failure.
* (T189785) Added a monthly heartbeat ping to the pingback feature.
* The CLI installer (maintenance/install.php) learned to detect and include
  extensions. Pass --with-extensions to enable that feature.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
  "1" for manually patrolled and "2" for autopatrolled actions.
* Extensions can now set their type to "editor" if they provide an editor
  or enhance the editing experience.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces" property
  in extension.json. See
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
  for more details and an example.

=== External library changes in 1.31 ===

==== Upgraded external libraries ====
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/spdx-licenses from 1.1.4 to
  1.3.0 (development dependency).
* Updated nikic/php-parser from 2.1.0 to 3.1.3
  (development dependency).
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.5.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* …

==== New external libraries ====
* Added wikimedia/object-factory 1.0.0
* …

==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
  text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
  'mediawiki.viewport' module instead.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
  Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly instead.

=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor

=== Action API changes in 1.31 ===
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
  removed. It has never made a difference in the output, the name was always
  returned regardless.

=== Action API internal changes in 1.31 ===
* ApiBase::getProfileDBTime was removed (deprecated since 1.25)
* ApiBase::getModuleProfileName was removed (deprecated since 1.25)
* ApiBase::getProfileTime was removed (deprecated since 1.25)

=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK namespaces.
* (T182305) New language support: Nyungar (nys).
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
* (T186635) New language support: Guianan Creole (gcr).
* (T186647) New language support: Kumyk [къумукъ] (kum).
* (T187750) New language support: Spanish formal address (es-formal).
* (T187824) New language support: Hungarian formal address (hu-formal).

=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob() (deprecated in 1.27) was removed.
* The OutputPage class constructor now requires a context parameter,
  (instantiating without context was deprecated in 1.18)
* The mw.page JavaScript singleton (deprecated in 1.30) was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), Article::onArticleCreate(),
  Article::onArticleDelete(), and Article::onArticleEdit() methods, deprecated
  in 1.24, were removed.
* Installer::locateExecutable() and Installer::locateExecutableInDefaultPaths()
  were removed, use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
  DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
  no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
  'byText' or ->setBlocker(). Callers should either ensure the blocker exists
  locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were deprecated in
  1.27, have been removed.
  * WatchedItem::getTitle()
  * WatchedItem::fromUserTitle()
  * WatchedItem::addWatch()
  * WatchedItem::removeWatch()
  * WatchedItem::isWatched()
  * WatchedItem::duplicateEntries()
  * WatchedItem::IGNORE_USER_RIGHTS
  * WatchedItem::CHECK_USER_RIGHTS
  * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
  The corresponding configuration variable ($wgResourceLoaderMinifierStatementsOnOwnLine)
  has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
  The corresponding configuration variable ($wgResourceLoaderMinifierMaxLineLength)
  has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class was removed (deprecated in 1.27). The namespaced
  HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
  The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
  default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have been removed:
  * PreparedEdit->newText
  * PreparedEdit->oldText
  * PreparedEdit->pst
* ParserOutput objects generated using a non-default value for
  ParserOptions::setWrapOutputClass() can no longer be added to the parser cache.
* The following deprecated methods from the OutputPage class have been removed:
  * OutputPage::addExtensionStyle(); deprecated in 1.27
  * OutputPage::getExtStyle(); deprecated in 1.27
  * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
  * OutputPage::setSquidMaxage(); deprecated in 1.27
  * OutputPage::readOnlyPage(); deprecated in 1.25
  * OutputPage::rateLimited(); deprecated in 1.25
  * Additionally, the protected OutputPage::$mExtStyles array, only accessed through
    the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30, were removed:
  * $isCssJsSubpage — use ::isUserConfigPage()
  * $isCssSubpage — use ::isUserCssConfigPage()
  * $isJsSubpage — use ::isUserJsConfigPage()
  * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
  * ::getSummaryInput() – use ::getSummaryInputWidget()
  * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
  * ::getCheckboxes() – use ::getCheckboxesWidget() or ::getCheckboxesDefinition()
  * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or ::getCheckboxesDefinition()
* The method ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on the response
  object, and were deprecated in 1.27, have been removed:
  * ::setCookie()
  * ::clearCookie()
  * ::setExtendedLoginCookie()
  Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27, have been removed:
  * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
  * ::getPasswordFactory() – create a PasswordFactory directly
  * ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
  use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
  can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
  Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when DBO_TRX
  is set results in an exception. Calling Database::commit() explicitly for an implicit
  transaction also results in an exception. Previously these were logged as errors.
  The startAtomic() and endAtomic() methods, or AtomicSectionUpdate should be used
  instead.
* The global function wfOutputHandler() was removed, use the its replacement
  MediaWiki\OutputHandler::handle() instead. The global function was only sometimes defined.
  Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags, deprecated
  in 1.28, have been removed.  Use ::listSoftwareActivatedTags() and
  ::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You
  can use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed.
  Use ResourceLoaderModule::getLessVars() to expose local variables instead
  of global ones.
* As part of work to modernise user-generated content clean-up, a config option and some
  methods related to HTML validity were removed without deprecation. The public methods
  MWTidy::checkErrors() and its callee TidyDriverBase::validate() are removed, as are
  MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument(). The
  $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies RESTRICT_DEFAULT
  Firejail restriction by default.

=== Deprecations in 1.31 ===
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
  RevisionRecord and its subclasses.
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* The global function wfCountDown is now deprecated in favor of Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
  have been deprecated in favor of similar methods that also return the tables
  to select from and the join conditions for those tables.
  * Block::selectFields() → Block::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
  * LocalFile::selectFields() → LocalFile::getQueryInfo()
  * LocalFile::getCacheFields() with a prefix no longer works
  * LocalFile::getLazyCacheFields() with a prefix no longer works
  * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
  * Revision::selectFields() → Revision::getQueryInfo()
  * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
  * User::selectFields() → User::getQueryInfo()
  * WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
  should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
  override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
  Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated, use RevisionRecordInserted instead.
  RevisionInsertComplete is still called, but the second and third parameter will always be null.
  Hard deprecation is scheduled for 1.32.
* The following methods that get and set ParserOutput state are deprecated.
  Callers should use the new stateless $options parameter to
  ParserOutput::getText() instead.
  * ParserOptions::getEditSection()
  * ParserOptions::setEditSection()
  * ParserOutput::getEditSectionTokens()
  * ParserOutput::setEditSectionTokens()
  * ParserOutput::getTOCEnabled()
  * ParserOutput::setTOCEnabled()
  * OutputPage::enableSectionEditLinks()
  * OutputPage::sectionEditLinksEnabled()
  * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
  Setting template variables by reference allowed violating the principle of data being
  immutable once added to the skin template. In practice, this method was not being
  used for that. Rather, setRef() existed as memory optimisation for PHP 4.
* QuickTemplate::setTranslator() was deprecated in favour of Skin::msg() parameters.
* MediaWikiI18N::set() was deprecated in favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
  'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced \Wikimedia\ObjectFactory
  from the wikimedia/object-factory library should be used instead.
* CommentStore::newKey is deprecated. Get an instance from MediaWikiServices instead.
* The following CommentStore methods have had their signatures changed to introduce a $key parameter,
  usage of the methods on instances retrieved from CommentStore::newKey will remain unchanged but deprecated:
  * CommentStore::getFields
  * CommentStore::getJoin
  * CommentStore::getComment
  * CommentStore::getCommentLegacy
  * CommentStore::insert
  * CommentStore::insertWithTemplate
* The following methods in Title have been renamed, and the old ones are deprecated:
  * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
  * Title::isCssOrJsPage – use ::isSiteConfigPage
  * Title::isCssJsSubpage – use ::isUserConfigPage
  * Title::isCssSubpage – use ::isUserCssConfigPage
  * Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
  * Parser::serializeHalfParsedText()
  * Parser::unserializeHalfParsedText()
  * Parser::isValidHalfParsedText()
  * StripState::getSubState()
  * StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
  deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
  used instead.
* The function wfShellWikiCmd() has been deprecated, use
  MediaWiki\Shell::makeScriptCommand().

=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was removed. Opera 15+ continues at Grade A.
* Introducing multi-content-revision capability into the storage layer. For details,
  see <https://www.mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext. Links
  written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
  wikitext table captions, wikitext table headings, wikitext table cells. HTML
  headings, HTML list items, HTML table captions, HTML table headings, HTML table cells
  will not have this trimming behavior.

== Compatibility ==
MediaWiki 1.31 requires PHP 5.5.9 or later. Although HHVM 3.18.5 or later is supported,
it is generally advised to use PHP 5.5.9 or later for long term support.

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.0.3 or later
* PostgreSQL 9.2 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==
1.31 has several database changes since 1.30, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.

For notes on 1.30.x and older releases, see HISTORY.

== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

       https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.