= MediaWiki release notes = Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. == MediaWiki 1.5 alpha 2 == June 3, 2005 MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges, and a security update. Incorrect handling of page template inclusions made it possible to inject JavaScript code into HTML attributes, which could lead to cross-site scripting attacks on a publicly editable wiki. Vulnerable releases and fix: * 1.5 prerelease: fixed in 1.5alpha2 * 1.4 stable series: fixed in 1.4.5 * 1.3 legacy series: fixed in 1.3.13 * 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended == MediaWiki 1.5 alpha 1 == May 3, 2005 This is a testing preview release, being put out mainly to aid testers in finding installation bugs and other major problems. It is strongly recommended NOT to run a live production web site on this alpha release. ** WARNING: USE OF THIS ALPHA RELEASE MAY INFEST YOUR HOUSE WITH ** ** TERMITES, ROT YOUR TEETH, GROW HAIR ON YOUR PALMS, AND PASTE ** ** INNUENDO INTO YOUR C.V. RIGHT BEFORE A JOB INTERVIEW! ** ** DON'T SAY WE DIDN'T WARN YOU, MAN. WE TOTALLY DID RIGHT HERE. ** === Big changes === Schema: The core table schema has changed significantly. This should make better use of the database's cache and disk I/O, and make significantly speed up rename and delete operations on pages with very long edit histories. Unfortunately this does mean upgrading a wiki of size from 1.4 will require some downtime for the schema restructuring, but future storage backend changes should be able to integrate into the new system more easily. Permalinks: The current revision of a page now has a permanent 'oldid' number assigned immediately, and the id numbers are now preserved across deletion/undeletion. A permanent reference to the current revision of a page is now just a matter of going to the 'history' tab and copying the first link in the list. Page move log: Renames of pages are now recorded in Special:Log and the page history. A handy revert link is available from the log for sysops. Editing diff: Ever lost track of what you'd done so far during an edit? A 'Show diff' button on the edit page now makes it easy to remember. Uploads: It's now possible to specify the final filename of an upload distinct from the original filename on your disk. An image link for a missing file will now take you straight to the upload page. More metadata is pre-extracted from uploaded images, which will ease pressure on disk or NFS volumes used to store images. EXIF metadata is displayed on the image description page if PHP is configured with the necessary module. User accounts: There are some changes to the user permissions system, with assignable groups. This is still somewhat in flux; do not rely on the present system that you see in this alpha to still be there. E-mail: User-to-user e-mail can now be restricted to require a mail-back confirmation first to reduce potential for abuse with false addresses. Updates to user talk pages and watchlist entries can optionally send e-mail notifications. External hooks: A somewhat experimental interface for hooking in an external editor application is included. This may not be on by default in final release, depending on support. And... A bunch of stuff we forgot to mention. === What's gone? === Latin-1: Wikis must now be encoded in Unicode UTF-8; this has been the default for some time, but some languages could optionally be installed in Latin-1 mode. This is no longer supported. MySQL 3.x: Some optimization hacks for MySQL 3.x have been removed as part of the schema clean-up (specifically, the inverse_timestamp fields). MediaWiki 1.5 should still run, but wikis of significant size should very seriously consider upgrading to a more modern release. MySQL 3.x support will probably be entirely dropped in the next major release later this year. Special:Maintenance These tools were, ironically enough, not really maintained. This special page has been removed; insofar as some of its pieces were useful and haven't already been supplanted by other special pages they should be rewritten in an efficient and safe manner in the future. === What's still waiting? === These things should be fixed by the time 1.5.0 final is released: Upgrade: Wikis in Latin-1 encoding are no longer supported; only Unicode UTF-8. A new option $wgLegacyEncoding is provided to allow on-the-fly recoding of old page text entries, but other metadata fields (titles, comments etc) need to be pre-converted. The upgrade process does not yet fully automate this. In general the upgrade from 1.4 to 1.5 schema has not been tested for all cases, and there may be problems. Backups: The text entries of deleted pages are no longer removed from the main text table on deletion. If you provide public backup dumps of your databases, you will probably want to use the new XML-format dump generator... but this hasn't been finished yet. PostgreSQL: The table definitions for PostgreSQL install are out of date, and patches to support PostgreSQL from the main installer are still pending. MySQL 4.1+: Proper charset encoding / collation configuration for installs on MySQL 4.1 and higher still needs to be fiddled with. Some bits may fail on the UTF-8 setting due to some long field keys. Authentication plugin fixes: The AuthPlugin interface needs some improvements to work better with LDAP, HTTP basic auth, and other such environments. Some patches are pending. === Smaller changes === Various bugfixes, small features, and a few experimental things: * 'live preview' reduces preview reload burden on supported browsers * support for external editors for files and wiki pages: http://meta.wikimedia.org/wiki/Help:External_editors * Schema reworking: http://meta.wikimedia.org/wiki/Proposed_Database_Schema_Changes/October_2004 * (bug 15) Allow editors to view diff of their change before actually submitting an edit * (bug 190) Hide your own edits on the watchlist * (bug 510): Special:Randompage now works for other namespaces than NS_MAIN. * (bug 1015) support for the full wikisyntax in captions. * (bug 1105) A "Destination filename" (save as) added to Special:Upload Upload. * (bug 1352) Images on description pages now get thumbnailed regardless of whether the thumbnail is larger than the original. * (bug 1662) A new magicword, {{CURRENTMONTHABBREV}} returns the abbreviation of the current month * (bug 1668) 'Date format' supported for other languages than English, see: http://mail.wikipedia.org/pipermail/wikitech-l/2005-March/028364.html * (bug 1739) A new magicword, {{REVISIONID}} give you the article or diff database revision id, useful for proper citation. * (bug 1998) Updated the Russian translation. * (bug 2064) Configurable JavaScript mimetype with $wgJsMimeType * (bug 2084) Fixed a regular expression in includes/Title.php that was accepting invalid syntax like #REDIRECT [[foo] in redirects * It's now possible to invert the namespace selection at Special:Allpages and Special:Contributions * No longer using sorbs.net to check for open proxies by default. * What was $wgDisableUploads is now $wgEnableUploads, and should be set to true if one wishes to enable uploads. * Supplying a reason for a block is no longer mandatory * Language conversion support for category pages * $wgStyleSheetDirectory is no longer an alias for $wgStyleDirectory; * Special:Movepage can now take paramaters like Special:Movepage/Page_to_move (used to just be able to take paramaters via a GET request like index.php?title=Special:Movepage&target=Page_to_move) * (bug 2151) The delete summary now includes editor name, if only one has edited the article. * (bug 2105) Fixed from argument to the PHP mail() function. A missing space could prevent sending mail with some versions of sendmail. * (bug 2228) Updated the Slovak translation * ...and more! === Changes since 1.5alpha1 === * (bug 73) Category sort key is set to file name when adding category to file description from upload page (previously it would be set to "Special:Upload", causing problems with category paging) * (bug 419) The contents of the navigation toolbar are now editable through the MediaWiki namespace on the MediaWiki:navbar page. * (bug 498) The Views heading in MonoBook.php is now localizable * (bug 898) The wiki can now do advanced sanity check on uploaded files including virus checks using external programs. * (bug 1692) Fix margin on unwatch tab * (bug 1906) Generalize project namespace for Latin localization, update namespaces * (bug 1975) The name for Limburgish (li) changed from "Lèmburgs" to "Limburgs * (bug 2019) Wrapped the output of Special:Version in
in order to preserve the correct flow of text on RTL wikis. * (bug 2067) Fixed crash on empty quoted HTML attribute * (bug 2075) Corrected namespace definitions in Tamil localization * (bug 2079) Removed links to Special:Maintenance from movepagetext message * (bug 2094) Multiple use of a template produced wrong results in some cases * (bug 2095) Triple-closing-bracket thing partly fixed * (bug 2110) "noarticletext" should not display on Image page for "sharedupload" media * (bug 2150) Fix tab indexes on edit form * (bug 2152) Add missing bgcolor to attribute whitelist for and * (bug 2176) Section edit 'show changes' button works correctly now * (bug 2178) Use temp dir from environment in parser tests * (bug 2217) Negative ISO years were incorrectly converted to BC notation * (bug 2234) allow special chars in database passwords during install * Deprecated the {{msg:template}} syntax for referring to templates, {{msg: is now the wikisyntax representation of wfMsgForContent() * Fix for reading incorrectly re-gzipped HistoryBlob entries * HistoryBlobStub: the last-used HistoryBlob is kept open to speed up multiple-revision pulls * Add $wgLegacySchemaConversion update-time option to reduce amount of copying during the schema upgrade: creates HistoryBlobCurStub reference records in text instead of copying all the cur_text fields. Requires that the cur table be left in place until/unless such fields are migrated into the main text store. * Special:Export now includes page, revision, and user id numbers by default (previously this was disabled for no particular reason) * dumpBackup.php can dump the full database to Export XML, with current revisions only or complete histories. * The group table was renamed to groups because "group" is a reserved word in SQL which caused some inconveniances. * New fileicons for c, cpp, deb, dvi, exe, h, html, iso, java, mid, mov, o, ogg, pdf, ps, rm, rpm, tar, tex, ttf and txt files based on the KDE crystalsvg theme. * Fixed a bug in Special:Newimages that made it impossible to search for '0' * Added language variant support for Icelandic, now supports "Íslenzka" * The #p-nav id in MonoBook is now #p-navigation * Putting $4 in msg:userstatstext will now give the percentage of admnistrators out of normal users. * links and brokenlinks tables merged to pagelinks; this will reduce pain dealing with moves and deletes of widely-linked pages. * Add validate table and val_ip column through the updater. * Simple rate limiter for edits and page moves; set $wgRateLimits (somewhat experimental; currently needs memcached) * (bug 2262) Hide math preferences when TeX is not enabled * (bug 2267) Don't generate thumbnail at the same size as the source image. * Fix rebuildtextindex.inc for new schema * Remove linkscc table code, no longer used. * (bug 2271) Use faster text-only link replacement in image alt text instead of rerunning expensive link lookup and HTML generation. * Only build the HTML attribute whitelist tree once. * Replace wfMungeToUtf8 and do_html_entity_decode with a single function that does both numeric and named chars: Sanitizer::decodeCharReferences * Removed some obsolete UTF-8 converter functions * Fix function comment in debug dump of SQL statements * (bug 2275) Update search index more or less right on page move * (bug 2053) Move comment whitespace trimming from edit page to save; leaves the whitespace from the section comment there on preview. * (bug 2274) Respect stub threshold in category page list * (bug 2173) Fatal error when removing an article with an empty title from the watchlist * Removed -f parameter from mail() usage, likely to cause failures and bounces. * (bug 2130) Fixed interwiki links with fragments * (bug 684) Accept an attribute parameter array on parser hook tags * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external LDAP authentication plugin * (bug 2034) Armor HTML attributes against template inclusion and links munging === Changes since 1.5alpha2 === * (bug 2319) Fix parse hook tag matching * (bug 2329) Fix title formatting in several special pages * (bug 2223) Add unique index on user_name field to prevent duplicate accounts * (bug 1976) fix shared user database with a table prefix set * (bug 2334) Accept null for attribs in wfElement without PHP warning * (bug 2309) Allow templates and template parameters in HTML attribute zone, with proper validation checks. (regression from fix for 2304) * Disallow close tags and enforce empty tags for
and
* Changed user_groups format quite a bit. * (bug 2368) Avoid fatally breaking PHP 4.1.2 in a debug line * (bug 2367) Insert correct redirect link record on page move * (bug 2372) Fix rendering of empty-title inline interwiki links * (bug 2384) Fix typo in regex for IP address checking * (bug 650) Prominently link MySQL 4.1 help page in installer if a possible version conflict is detected * (bug 2394) Undo incompatible breakage to {{msg:}} compatiblity includes * (bug 1322) Use a shorter cl_sortkey field to avoid breaking on MySQL 4.1 when the default charset is set to utf8 * (bug 2400) don't send confirmation mail on account creation if $wgEmailAuthentication is false. * (bug 2172) Fix problem with nowiki beeing replaced by marker strings when a template with a gallery was used. * Guard Special:Userrights against form submission forgery * (bug 2408) page_is_new was inverted (whoops!) * Added wfMsgHtml() function for escaping messages and leaving params intact * Fix ordering of Special:Listusers; fix groups list so it shows all groups when searching for a specific group and can't be split across pages * (bug 1702) Display a handy upload link instead of a useless blank link for [[media:]] links to nonexistent files. * (bug 873) Fix usage of createaccount permission; replaces $wgWhitelistAccount * (bug 1805) Initialise $wgContLang before $wgUser * (bug 2277) Added Friulian language file * (bug 2457) The "Special page" href now links to the current special page rather than to "". * (bug 1120) Updated the Czech translation * A new magic word, {{SCRIPTPATH}}, returns $wgScriptPath * A new magic word, {{SERVERNAME}}, returns $wgServerName * Special:Imagelist displays titles with " " instead of "_" * Less gratuitous munging of content sample in delete summary * badaccess/badaccesstext to supercede sysop*, developer* messages * Changed $wgGroupPermissions to more cut-n-paste-friendly format * 'developer' group deprecated by default * Special:Upload now uses 'upload' permission instead of hardcoding login check * Add 'importupload' permission to disable direct uploads to Special:Import * (bug 2459) Correct escaping in Special:Log prev/next links * (bug 2462 etc) Taking out the experimental dash conversion; it broke too many things for the current parser to handle cleanly * (bug 2467) Added a Turkish language file * Fixed a bug in Special:Contributions that caused the namespace selection to be forgotten between submits * Special:Watchlist/edit now has namespace subheadings * (bug 1714) the "Save page" button now has right margin to seperate it from "Show preview" and "Show changes" * Special:Statistics now supports action=raw, useful for bots designed to harwest e.g. article counts from multiple wikis. * The copyright confirmation box at Special:Upload is now turned off by default and can be turned back on by setting $wgCopyrightAffirmation to a true value. * Restored prior text for password reminder button and e-mail, replacing the factually inaccurate text that was there. * (bug 2178) Fix temp dir check again * (bug 2488) Format 'deletedtext' message as wikitext * (bug 750) Keep line endings consistent in LocalSettings.php * (bug 1577) Add 'printable version' tab in MonoBook for people who don't realize you can just hit print to get a nicely formatted printable page. * Trim whitespace from option values to weather line-ending corruption problems * Fixed a typo in the Romanian language file (NS_MESIA => NS_MEDIA) * (bug 2504) Updated the Finnish translation * (bug 2506) Updated the Nynorsk translation === Caveats === Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.) For notes on 1.4.x and older releases, see HISTORY. === Online documentation === Documentation for both end-users and site administrators is currently being built up on Meta-Wikipedia, and is covered under the GNU Free Documentation License: http://meta.wikipedia.org/wiki/Help:Contents === Mailing list === A MediaWiki-l mailing list has been set up distinct from the Wikipedia wikitech-l list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. === IRC help === There's usually someone online in #mediawiki on irc.freenode.net