X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=HISTORY;h=4c5e344b3a3b86b1dbfd42f020da63a28ad48985;hp=020ac667ea2454d397b8bb407dd3a3b6abf45ea9;hb=d60849c5de08db4cf027325f17f1a3705e106b5d;hpb=94aa1240f033c4d5851b4f5e6ada8e8d571862cc diff --git a/HISTORY b/HISTORY index 020ac667ea..4c5e344b3a 100644 --- a/HISTORY +++ b/HISTORY @@ -1,7 +1,535 @@ -Change notes from older releases. For current info see RELEASE-NOTES-1.33. +Change notes from older releases. For current info see RELEASE-NOTES-1.34. + += MediaWiki 1.33 = + +=== Upgrading notes for 1.33 === +1.33 has several database changes since 1.32, and will not work without schema +updates. Note that due to changes to some very large tables like the revision +table, the schema update may take quite long (minutes on a medium sized site, +many hours on a large site). + +Don't forget to always back up your database before upgrading! + +See the file UPGRADE for more detailed upgrade instructions, including +important information when upgrading from versions prior to 1.11. + +Some specific notes for MediaWiki 1.33 upgrades are below: + +* Some external link searches will not work correctly until update.php (or + refreshExternallinksIndex.php) is run. These include searches for links using + IP addresses, internationalized domain names, and possibly mailto links. +* If you ran migrateActors.php using an older version of MediaWiki and want to + run your wiki with $wgActorTableSchemaMigrationStage SCHEMA_COMPAT_READ_OLD, + note that log_search rows needed to find revision deletions by target user + were incorrectly deleted. See T215464 for details. +* If revision deletions were performed when the wiki was configured with + $wgActorTableSchemaMigrationStage SCHEMA_COMPAT_WRITE_BOTH and without + migrateActors.php having been run, the log_search table may contain rows with + empty values for "target_author_actor" which will prevent log searches for + revision deletions by target user from finding those log entries. These rows + may be corrected by (re-)running migrateActors.php. + +For notes on 1.32.x and older releases, see HISTORY. + +== MediaWiki 1.33.0 == + +=== Changes since MediaWiki 1.33.0-rc.0 === +* (T225558) Update installer link to PHP intl. +* (T225901) Only attempt to deduplicate if there is data in archive and revision + tables. +* (T225564) Fetch tag ID before calling undefineTag(). +* (T225496) Detect APC for MainCacheType in CLI installer. +* Call unpack() with correct parameters in MimeAnalyzer.php for PHP 7.0 support. +* (T212613) Style change tags correctly on Special:Newpages. +* (T202211) Fix SQLite patch-(page|template)links-fix-pk.sql column order. + +== MediaWiki 1.33.0-rc.0 == + +=== Configuration changes for system administrators in 1.33 === +==== New configuration ==== +* $wgEnablePartialBlocks – This enables the Partial Blocks feature, which gives + accounts with block permissions the ability to block users, IPs, and IP ranges + from editing specific pages, while allowing them to edit the rest of the wiki. + It is a temporary setting for gradual enablement, current default to `false`, + and will be set to `true` and then removed once initial development completes. + +==== Changed configuration ==== +* $wgChangeTagsSchemaMigrationStage (T193868) — This temporary setting, added in + MediaWiki 1.32, now defaults to MIGRATION_NEW instead of MIGRATION_WRITE_BOTH. +* $wgPasswordPolicy – There is a new password policy to check that the account's + password is not in the large blacklist. This is enabled by default for the + built-in user groups bureaucrat, sysop, interface-admin, and bot. To configure + this for other user groups, set the `PasswordNotInLargeBlacklist` flag `true`. +* $wgPasswordDefault – There is a new password type configuration using Argon2 + password hashing (which requires PHP 7.2 and above). It's designed to resist + timing attacks, and (on systems with PHP 7.3+) GPU hacking; if you configure + argon2 to be used, by default, it will automatically choose the best available + algorithm depending on which version of PHP you have available. To use this, + you can set `$wgPasswordDefault = 'argon2';`. +* $wgActorTableSchemaMigrationStage now defaults to reading the new schema. + update.php will back-populate the new database fields due to the changed + setting, which may take some time on large wikis. You can avoid downtime by + following a process like that described in T188327. + +==== Removed configuration ==== +* $wgTagStatisticsNewTable (T199334) — This temporary setting, added in + MediaWiki 1.32, has now been removed. When loading Special:Tags, MediaWiki + will now always use the `change_tag_def` instead of the `change_tag` table. +* $wgUseTidy, $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and + $wgDebugTidy – These options, all deprecated since 1.26, have now all been + removed, as MediaWiki now always tidies user output. The $wgTidyConfig setting + remains only for experimental features and debugging, and should not be used. +* $wgEnableParserCache – This setting has been deprecated since 1.26, has now + been removed. If you still desire to disable the parser cache, instead you can + set `$wgParserCacheType = CACHE_NONE;`. +* $wgCommentTableSchemaMigrationStage – This temporary migration setting has now + been removed. Code finding it unset should treat it as being MIGRATION_NEW. +* $wgAuth – This old setting, deprecated in 1.27, has been removed as part of + the removal of AuthPlugin. +* $wgSitesCacheFile – This configuration was introduced in 1.25 with the intent + to allow sites to configure a file in which to cache the SiteStore database + table, but it was never used. SiteStore already caches its information by + default using BagOStuff (e.g. Memcached or APC). +* $wgClockSkewFudge – This setting was used by User.php to let sites adjust by + how much MediaWiki would fudge when trying to minimize the chances of a + user.user_touched database update to the "current" timestamp being before the + value already there (e.g. due to clock skew between different servers). This + is no longer a problem, because the code now ensures the timestamp is always + higher than the previous one. The writes are guarded with CAS logic (check + and set), which prevents updates that would overlap. +* $wgDBmysql5 (T196185) - This experimental setting, deprecated in 1.31, has + been removed. + +=== New user-facing features in 1.33 === +* (T96041) __EXPECTUNUSEDCATEGORY__ on a category page causes the category + to be hidden on Special:UnusedCategories. +* (T210814) SVGs are now by default displayed in wiki language on image + pages. +* Special:CreateAccount now warns the user if their chosen username has to be + normalized. +* (T205040) Multilingual images are now be displayed in the current parse + language where available. +* Special:ActiveUsers will no longer filter out users who became inactive since + the last time the active users query cache was updated. +* (T215675) RecentChange and ManualLogEntry implement new Taggable interface. +* (T215675) Added a hook, ManualLogEntryBeforePublish, to allow extensions + to modify (example: add tags) log entries. + +=== New developer features in 1.33 === +* The AuthManagerLoginAuthenticateAudit hook has a new parameter for + additional information about the authentication event. +* TextContent::getText() was introduced as a replacement for + Content::getNativeData() for text-based content models. +* (T214706) LinksUpdate::getAddedExternalLinks() and + LinksUpdate::getRemovedExternalLinks() were introduced. +* (T213893) Added 'MaintenanceUpdateAddParams' hook +* (T219655) The MarkPatrolled hook has a new parameter for the tags + associated with this entry in the patrol log. +* (T212472) Extensions can now specify platform abilities they require to work, + limited to shell access for now. + + +=== External library changes in 1.33 === +==== New external libraries ==== +* Added wikimedia/password-blacklist 0.1.4. +* Added guzzlehttp/guzzle 6.3.3. + +==== Changed external libraries ==== +* Updated OOUI from v0.29.2 to v0.31.3. +* Updated OOjs Router from pre-release to v0.2.0. +* Updated moment from v2.19.3 to v2.24.0. +* Updated wikimedia/xmp-reader from 0.6.0 to 0.6.2. +* Updated wikimedia/scoped-callback from 2.0.0 to 3.0.0. +* Updated jquery-client from 2.0.1 to 2.0.2. +* Updated pear/net_smtp from 1.8.0 to 1.8.1. +* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0. +* Updated wikimedia/php-session-serializer from 1.0.6 to 1.0.7. + +==== Removed external libraries ==== +* (T219403) jquery.ui.spinner, deprecated since 1.31, was removed. + + +=== Developer library changes in 1.33 === +==== New developer libraries ==== +* Added jakub-onderka/php-console-highlighter 0.3.2 explicitly (dev-only). +* Added mediawiki/mediawiki-phan-config 0.5.0 (dev-only). + +==== Changed developer libraries ==== +* Updated wikimedia/ip-set from 1.3.0 to 2.0.1. + * The deprecated IPSet\IPSet alias was removed, Wikimedia\IPSet must be + used instead. +* Updated psy/psysh from 0.9.6 to 0.9.9 (dev-only). +* Updated nikic/php-parser from 3.1.3 to 3.1.5 (dev-only). +* Updated mediawiki/mediawiki-codesniffer from 22.0.0 to 25.0.0 (dev-only). +* Updated qunitjs from 2.6.2 to 2.9.1. + +==== Removed developer libraries ==== +* The jetbrains/phpstorm-stubs repository was removed in favour of the minimal + stubs we need, which are kept in the new `.phan/internal_stubs` directory + (dev-only). + + +=== Bug fixes in 1.33 === +* (T164211) Special:UserRights could sometimes fail with a + "conflict detected" error when there weren't any conflicts. +* (T216029) Chrome redirects to Special:BadTitle after editing a section with + a non-Latin name on a page with non-Latin characters in title. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). + +=== Action API changes in 1.33 === +* (T198913) Added 'ApiOptions' hook. +* The JSON formatversion=2 is no longer experimental. +* Internal API errors (those with code beginning "internal_api_error") will + include the exception class name in a data field named "errorclass". + * Class names are not guaranteed to remain stable, and in particular database + exceptions will now include the "Wikimedia\Rdbms\" prefix in the class name. + * The code including an exception class name is deprecated. In the future, + all internal errors will use code "internal_api_error". +* (T212356) When using action=delete on pages with many revisions, the module + may return a boolean-true 'scheduled' and no 'logid'. This signifies that the + deletion will be processed via the job queue. +* action=setnotificationtimestamp will now update the watchlist asynchronously + if entirewatchlist is set, so updates may not be visible immediately +* Block info will be added to "blocked" errors from more modules. +* (T216245) Autoblocks will now be spread by action=edit and action=move. +* action=query&meta=userinfo has a new uiprop, 'latestcontrib', that returns + the date of user's latest contribution. +* (T25227) action=logout now requires to be posted and have a csrf token. + +=== Action API internal changes in 1.33 === +* A number of deprecated methods for API documentation, intended for overriding + by extensions, are no longer called by MediaWiki, and will emit deprecation + notices if your extension attempts to use them: + * ApiBase::getDescription() (deprecated in 1.25) + * ApiBase::getParamDescription() (deprecated in 1.25) + * ApiBase::getExamples() (deprecated in 1.25) + * ApiBase::getDescriptionMessage() (deprecated in 1.30) + Additionally, the 'APIGetDescription' and 'APIGetParamDescription' hooks have + been removed, as their only use was to let extensions override values returned + by getDescription() and getParamDescription(), respectively. +* API error codes may only contain ASCII letters, numbers, underscore, and + hyphen. Methods such as ApiBase::dieWithError() and + ApiMessageTrait::setApiCode() will throw an InvalidArgumentException if + passed a bad code. +* ApiBase::checkTitleUserPermissions() now takes an options array as its third + parameter. Passing a User object or null is deprecated. +* The api-feature-usage log channel now has log context. The text message is + deprecated and will be removed in the future. + +=== Languages updated in 1.33 === +MediaWiki supports over 350 languages. Many localisations are updated regularly. +Below only new and removed languages are listed, as well as changes to languages +because of Phabricator reports. + +* (T203908) Added language support for Eastern Pwo (kjp). +* (T213717) Fixed a translation error on Goan Konkani (gom-deva) translations + for NS_TEMPLATE. +* (T212221) Added $digitTransformTable for Santali (sat). +* (T216479) Added language support for Saisiyat (xsy). +* (T219728) Added support for new Japanese era name "Reiwa" + +=== Breaking changes in 1.33 === +* The parameteter $lang in DifferenceEngine::setTextLanguage must be of type + Language. Other types are deprecated since 1.32. +* Skin::doEditSectionLink requires type Language for the parameter $lang. + The parameters $tooltip and $lang are mandatory. Omitting the parameters is + deprecated since 1.32. +* Language::truncate(), deprecated in 1.31, has been removed. +* UtfNormal, deprecated in 1.25, was removed. Use UtfNormal\Validator directly + instead. +* (T197179) In OOUI HTMLForm fields, the parameters 'notice', 'notice-messages', + and 'notice-message', which were deprecated in 1.32, were removed. Instead, + use 'help', 'help-message', and 'help-messages'. +* (T197179) HTMLFormField::getNotices(), deprecated in 1.32, was removed. +* The "Parsoid v1" compatibility mappings in ParsoidVirtualRESTService and + RestbaseVirtualRESTService, deprecated since 1.26, have been removed. + Use the RESTBase v1 or Parsoid v3 API instead. +* ParserOptions defaults 'tidy' to true now, since the untidy modes of the + parser are being deprecated and ParserOptions::getCanonicalOverrides() + has always been true at any rate. +* Support for disabling tidy and external tidy implementations has been removed. + This was deprecated in 1.32. The pure PHP Remex tidy implementation is now + used and no configuration is necessary. +* A number of deprecated methods for API documentation, intended for overriding + by extensions, are no longer called by MediaWiki, and will emit deprecation + notices if your extension attempts to use them: + * ApiBase::getDescription() (deprecated in 1.25) + * ApiBase::getParamDescription() (deprecated in 1.25) + * ApiBase::getExamples() (deprecated in 1.25) + * ApiBase::getDescriptionMessage() (deprecated in 1.30) + Additionally, the 'APIGetDescription' and 'APIGetParamDescription' hooks have + been removed, as their only use was to let extensions override values returned + by getDescription() and getParamDescription(), respectively. +* The authentication hooks 'AbortAutoAccount' 'AbortNewAccount', 'AbortLogin', + 'LoginUserMigrated', 'UserCreateForm', and 'UserLoginForm', all deprecated by + the creation of AuthManager in 1.27, have been removed. This also means that + the FakeAuthTemplate and LoginForm classes are removed, that FakeAuthTemplate + is no longer passed into LoginSignupSpecialPage->getFieldDefinitions(), and + that LoginSignupSpecialPage->getBCFieldDefinitions() is removed. +* The 'jquery.localize' module, deprecated in 1.32, has been removed. Instead, + use 'jquery.i18n'. +* The hooks LanguageGetSpecialPageAliases and LanguageGetMagic, deprecated since + 1.16, have now been removed. Instead, use $specialPageAliases or $magicWords + respectively in a $wgExtensionMessagesFiles file. +* The following methods of the Preferences class, deprecated in 1.31, have been + removed: + * getSaveBlacklist() + * loadPreferenceValues() + * getOptionFromUser() + * profilePreferences() + * skinPreferences() + * filesPreferences() + * datetimePreferences() + * renderingPreferences() + * editingPreferences() + * rcPreferences() + * watchlistPreferences() + * searchPreferences() + * miscPreferences() + * generateSkinOptions() + * getDateOptions() + * getImageSizes() + * getThumbSizes() + * validateSignature() + * cleanSignature() + * getTimezoneOptions() + * filterIntval() + * filterTimezoneInput() + * getTimeZoneList() +* mw.util.jsMessage(), deprecated in 1.20, was removed. Use mw.notify instead. +* (T61113) User::EDIT_TOKEN_SUFFIX was removed. It was deprecated since 1.27. +* The 'mediawiki.api' module aliases, deprecated in 1.32, have been removed. + Specifically: mediawiki.api.category, mediawiki.api.edit, + mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse, + mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch, + mediawiki.api.messages, and mediawiki.api.rollback. +* The 'jquery.byteLimit' module alias for 'jquery.lengthLimit', + deprecated in 1.31, was removed. +* Revision::fetchRevision(), deprecated in 1.28, was removed. +* Class SquidUpdate, deprecated in 1.27, was removed. +* Title->getSquidURLs(), deprecated in 1.27, was removed. Instead, use + Title->getCdnUrls(). +* Title::escapeFragmentForURL(), deprecated in 1.30, was removed. Use + Sanitizer::escapeIdForLink() or escapeIdForExternalInterwiki() instead. +* Title->canTalk(), deprecated in 1.30, was removed. Instead, use + Title->canHaveTalkPage(). +* Title's methods for site and user page related to CSS and JS, deprecated in + 1.31, were removed: + * Title->isCssOrJsPage() — Use Title->isSiteConfigPage() + * Title->isCssJsSubpage() – Use Title->isUserConfigPage() + * Title->getSkinFromCssJsSubpage() – Use Title->getSkinFromConfigSubpage() + * Title->isCssSubpage() – Use Title->isUserCssConfigPage() + * Title->isJsSubpage() – Use Title->isUserJsConfigPage() +* SiteSQLStore, deprecated in 1.27 and whose only method, ::newInstance(), + would return the global SiteStore instance, has been removed. You can get to + this via MediaWiki\MediaWikiServices::getInstance()->getSiteStore() directly. +* Linker::formatSize, deprecated in 1.28, has been removed (with DummyLinker's). + Instead, use Language->formatSize() with the relevant Language object. +* Linker::formatTemplates, deprecated in 1.28, has been removed (along with the + version in DummyLinker). You can use TemplatesOnThisPageFormatter directly. +* EventRelayerGroup::singleton(), deprecated in 1.27, has been removed. You can + use MediaWikiServices::getInstance()->getEventRelayerGroup() directly. +* LinkCache->addLink(), deprecated in 1.27, has been removed. It is thought to + be unused, and is distinct from OutputPage->addLink(), which remains. +* JsonContent->getJsonData(), deprecated in 1.25, has been removed. Instead, use + JsonContent->getData(). +* MWExceptionHandler::getLogId(), deprecated in 1.27, has been removed, as the + exception ID is the same as the request ID, from WebRequest::getRequestId(). +* SearchEngine::getNearMatchResultSet(), deprecated in 1.27, has been removed. + You can use SearchEngine::getNearMatcher() instead. +* EmailNotification::updateWatchlistTimestamp, deprecated in 1.27, has been + removed. Instead, use WatchedItemStore::updateNotificationTimestamp directly. +* User::getGroupName() and ::getGroupMember(), both deprecated in 1.29, have + been removed. Instead, please use UserGroupMembership::getGroupName() and + UserGroupMembership::getGroupMemberName(). +* Backwards compatibility for setting wgSessionsInObjectCache to false or using + wgSessionHandler, both of which were deprecated in 1.27 with the introduction + of SessionManager, has been removed. +* SessionManager::autoCreateUser, deprecated in 1.27, has been removed. Use + MediaWiki\Auth\AuthManager::autoCreateUser instead. +* The mw.libs.jpegmeta property, deprecated in 1.31, was removed. + Use require( 'mediawiki.libs.jpegmeta' ) instead. +* The mw.user.stickyRandomId() method, deprecated in 1.32, was removed. + Use mw.user.getPageviewToken() instead. +* Removed deprecated class property WikiRevision::$importer. +* ResourceLoaderFileModule::readStyleFiles() now requires its $context + parameter. +* The ChangeList::insertArticleLink() method, that was deprecated in 1.27, has + been removed. +* MessageBlobStore::__construct() now requires its $rl parameter. +* Second parameter to Sanitizer::escapeIdReferenceList() (deprecated in 1.31) + has been removed. +* The 'jquery.xmldom' module has been removed. +* The 'jquery.mockjax' module has been removed. +* The 'jquery.hidpi' module, deprecated in 1.32, has been removed. +* AuthPlugin and related code, deprecated in 1.27, has been removed. Extensions + should instead use AuthManager. The following no longer exist: + * The AuthPlugin class itself and the related AuthPluginUser class and i18n + * The AuthPluginSetup and AuthPluginAutoCreate hooks + * The transitional wrapper classes AuthPluginPrimaryAuthenticationProvider, + AuthManagerAuthPlugin, and AuthManagerAuthPluginUser. + * The $wgAuth configuration setting and its use in Setup.php and unit tests +* (T217772) The 'wgAvailableSkins' mw.config key in JavaScript, was removed. +* Language::markNoConversion, deprecated in 1.32, has been removed. Use + LanguageConverter::markNoConversion instead. +* BagOStuff::modifySimpleRelayEvent() method has been removed. +* ParserOutput::getLegacyOptions, deprecated in 1.30, has been removed. + Use ParserOutput::allCacheVaryingOptions instead. +* CdnCacheUpdate::newSimplePurge, deprecated in 1.27, has been removed. + Use CdnCacheUpdate::newFromTitles() instead. +* Handling of multiple arguments by the Block constructor, deprecated in 1.26, + has been removed. +* The translation of main page in Sardinian (sc) was changed from "Pàgina Base" + to "Pàgina printzipale". Existing wikis using this content language need to + move the main page or change the name through MediaWiki:Mainpage page. +* wfSplitWikiID(), deprecated in 1.32, has been removed. +* MessageBlobStore::getBlob(), deprecated in 1.27, has been removed. + Use ::getBlobs() instead. +* The .background-size() LESS mixin, deprecated in 1.27, has been removed. +* ReadOnlyMode::clearCache() and ConfiguredReadOnlyMode::clearCache() have been + removed. Use MediaWikiTestCase::overrideMwServices() instead. +* Support for the 'aggregator' option of JobQueue (and thus $wgJobTypeConf) was + removed. The JobQueueAggregator interface and JobQueueAggregatorRedis class + have also been removed. They were experimentally developed for use by the + Wikimedia Foundation, but were never used, with no known use cases. (Note that + this does not affect JobQueueRedis which is still supported.) + +=== Deprecations in 1.33 === +* The configuration option $wgUseESI has been deprecated, and is expected + to be removed in a future release. +* The configuration option $wgSquidPurgeUseHostHeader has been deprecated, + and is expected to be removed in a future release. +* The configuration options $wgFixArabicUnicode and $wgFixMalayalamUnicode, + introduced in MW 1.17, have been deprecated. These fixes will always be + applied for Arabic and Malayalam in the future. Please enable these on + your local wiki (if you have them explicitly set to false) and run + maintenance/cleanupTitles.php to fix any existing page titles. +* The LegacyHookPreAuthenticationProvider class, deprecated since its creation + in 1.27 as part of the AuthManager re-write, now emits deprecation warnings. + This will help identify the issue if you added it to $wgAuthManagerConfig. +* wfSplitWikiId() is now deprecated. Cache key generation should have the wiki + domain ID as a key component and use makeGlobalKey(). +* (T202094) Title::getUserCaseDBKey() is deprecated; instead, please use + Title::getDBKey(), which doesn't vary case. +* User::getPasswordValidity() is now deprecated. User::checkPasswordValidity() + returns the same information in a more useful format. +* For Linker::generateTOC() and Linker::tocList(), passing strings or booleans + as the $lang parameter was deprecated. The same applies to DummyLinker. +* The PasswordPolicy 'PasswordCannotBePopular' has been deprecated. To + follow best practices, it is reccommended to use 'PasswordNotInLargeBlacklist' + instead which blacklists 100,000 commonly used passwords. +* (T208862) Action::requiresUnblock() is now called from + Title::getUserPermissionsErrors() and Title::userCan(). Previously, the method + was only called in Action::checkCanExecute(). Actions should ensure that their + requiresUnblock() returns the proper result (the default is `true`). +* (T211608) The MediaWiki\Services namespace has been renamed to + Wikimedia\Services. The old name is still supported, but deprecated. +* (T155582) Content::getNativeData has been deprecated. Please use model- + specific getters, such as TextContent::getText(). +* The class WebInstallerOutput is now marked as @private. +* (T209699) The jquery.async module has been deprecated. JavaScript code that + needs asynchronous behaviour should use Promises. +* Password::equals() is deprecated, use verify(). +* BaseTemplate::msgWiki() and QuickTemplate::msgWiki() will be removed. Use + other means to fetch a properly escaped message string or Message object. +* (T126091) The 'ResourceLoaderTestModules' hook, which lets you declare QUnit + testing code for your JavaScript modules, is deprecated. Instead, you can now + use the new extension registration key 'QUnitTestModule'. +* (T213426) The jquery.throttle-debounce module has been deprecated. JavaScript + code that needs this behaviour should use OO.ui.debounce/throttle. +* The mw.language.specialCharacters property from the + 'mediawiki.language.specialCharacters' module has been deprecated. + Use require( 'mediawiki.language.specialCharacters' ) instead. +* ChangeTags::purgeTagUsageCache() has been deprecated, and is expected to be + removed in a future release. +* Passing a User object or null as the third parameter to + ApiBase::checkTitleUserPermissions() has been deprecated. Pass an array + [ 'user' => $user ] instead. +* (T211578) Block::prevents is deprecated. Use Block::isEmailBlocked, + Block::isCreateAccountBlocked and Block::isUsertalkEditAllowed to get and set + block properties; use Block::appliesToRight and Block::appliesToUsertalk to + check block behaviour. +* The api-feature-usage log channel now has log context. The text message is + deprecated and will be removed in the future. +* The FileBasedSiteLookup class has been deprecated. For a cacheable SiteLookup + implementation, use CachingSiteStore instead. +* Language::viewPrevNext function is deprecated, use + SpecialPage::buildPrevNextNavigation instead +* ManualLogEntry::setTags() is deprecated, use ManualLogEntry::addTags() + instead. The setTags() method was overriding the tags, addTags() doesn't + override, only adds new tags. +* Block::isValid is deprecated, since it is no longer needed in core. +* Calling Maintenance::hasArg() as well as Maintenance::getArg() with no + parameter has been deprecated. Please pass the argument number 0. +* ResourceLoaderContext::expandModuleNames has been deprecated. + Use ResourceLoader::expandModuleNames instead. + +=== Other changes in 1.33 === +* (T201747) Html::openElement() warns if given an element name with a space + in it. +* The implementation of buildStringCast() in Wikimedia\Rdbms\Database has + changed to explicitly cast. Subclasses relying on the base-class + implementation should check whether they need to override it now. +* BagOStuff::add is now abstract and must explicitly be defined in subclasses. +* LinksDeletionUpdate is now a subclass of LinksUpdate. As a consequence, + the following hooks will now be triggered upon page deletion in addition + to page updates: LinksUpdateConstructed, LinksUpdate, LinksUpdateComplete. + LinksUpdateAfterInsert is not triggered since deletions do not cause + insertions into links tables. +* Category::newFromID( $id )->getID() will now return $id without any + validation, to avoid a mostly unnecessary DB query. +* On Special:Version, the name for an extension can no longer be arbitrary + html when no link is specified. + = MediaWiki 1.32 = +== MediaWiki 1.32.3 == + +This is a maintenance release of the MediaWiki 1.32 branch. + +=== Changes since MediaWiki 1.32.2 === +* (T225558) Update installer link to PHP intl. +* (T225496) Detect APC for MainCacheType in CLI installer. +* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies. +* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order. + +== MediaWiki 1.32.2 == + +This is a security and maintenance release of the MediaWiki 1.32 branch. + +=== Changes since MediaWiki 1.32.1 === +* (T204423) Backport support for hyphenated DB names in JobQueueGroup. +* (T216968) Return pageid as int in both list=iwbacklinks and + list=langbacklinks. +* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL. +* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags. +* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when + $wgBlockDisablesLogin is true. +* (T216029) Chrome redirects to Special:BadTitle after editing a section with + a non-Latin name on a page with non-Latin characters in title. +* Unbreak language related maintenance scripts that use StaticArrayWriter. +* (T219728) Added support for new Japanese era name "Reiwa". +* (T25227) SECURITY: action=logout now requires to be posted and have a csrf + token. +* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0. +* (T221045) Remove orphaned code from ConfigRepository. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). +* (T224374) Fix message parameters so that the message that says SQLite is + out of date makes sense. +* (T200471) Prevent LBFactorySimple breaking ExternalStorage, when trying to + connect to external server with local database name. +* (T197279) SECURITY: Fix reauth in Special:ChangeEmail. +* (T208881) SECURITY: blacklist CSS var(). +* (T209794) SECURITY: rate-limit and prevent blocked users from changing email. +* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. +* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. +* (T222036, T222038) SECURITY: Add permission check for user is permitted to + view the log type. +* (T221739) SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358. + == MediaWiki 1.32.1 == === Changes since MediaWiki 1.32.0 === @@ -716,6 +1244,117 @@ because of Phabricator reports. = MediaWiki 1.31 = +== MediaWiki 1.31.3 == + +This is a maintenance release of the MediaWiki 1.31 branch. + +=== Changes since MediaWiki 1.31.2 === +* (T225558) Update installer link to PHP intl. +* (T225496) Detect APC for MainCacheType in CLI installer. +* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies. +* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order. + +== MediaWiki 1.31.2 == + +This is a security and maintenance release of the MediaWiki 1.31 branch. + +Required PHP version has been increased from 7.0.0 to 7.0.13. + +=== Changes since MediaWiki 1.31.1 === +* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query + all titles when asked for none. +* (T205967) Fix syntax error typo in postgres database upgrade file. +* (T200254) Add pear/Net_SMTP 1.7.3 to composer dependencies. +* (T206765) Load installer i18n when running update.php. +* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested + libraries. + [Also in the bundled composer /vendor directory.] +* Various PHP 7.2 and 7.3 compatibility fixes: + * (T200595, T206974) Fix PHP 7.3 warnings of using "continue" in some + scenarios instead of "break". + * (T206976, T206977) Also in the bundled LocalisationUpdate and + ParserFunctions extensions. + * (T206979) Fix PHP 7.3 warnings of using "compact()" when some variables may + not be set. + * (T215632) FormatMetadata and UploadStash regexes fixed to be PHP + 7.3-compatible. + * Fix PHP warnings "preg_replace(): [...] invalid range in character class. + * Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable. + * Suppress "Headers already sent" in PHP 7.2 too. + * (T206476) Output only to stderr in unit tests. + * (T207112) Add session_write_close() calls to SessionManager tests. + * oyejorge/less.php replaced with our fork wikimedia/less.php + * (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0. + * (T213489) Avoid session double-start in Setup.php. + * (T206975) Switch to our fork of less.php. +* (T207540) Include IP address in "Login for $1 succeeded" log entry. +* (T201781) Database: Allow selectFieldValues() to accept SQL fragments. +* (T205765) installer: Don't link to the obsolete "Extension Matrix" page. +* (T206013) Update ImportableUploadRevisionImporter for interwiki usernames. +* (T207541) Pass an email address, not a MailAddress, to mail(). +* (T207603) SECURITY: User JS may no longer be loaded with mime type + text/javascript if there is no account associated with the username. +* (T112937, T113042) SECURITY: Do not allow loading pages raw with a + text/javascript MIME + type if non-admins can edit the page. +* (T17491) / elements can be phrasing or flow. +* (T200827) RemexCompatMunger: Don't call endTag() in case B/b +* (T207088) Upgrade wikimedia/remex-html to 2.0.1. + [Also in the bundled composer /vendor directory.] +* (T194052) Updated wikimedia/base-convert from 1.0.1 to 2.0.0. + [Also in the bundled composer /vendor directory.] +* (T199494) Fix notices in maintenance/removeUnusuedAccounts.php. +* Require ext-fileinfo in composer.json, per PHPVersionCheck. +* (T176390) Bundled LocalisationUpdate extension: Handle exceptions from + GitHubFetcher. +* (T208255) Completion search should not change the search query. +* (T209870) Fix SQL syntax error in MS-SQL initialisation file for new wikis. +* (T185049) LogFormatter: Fail softer when trying to link an invalid titles. +* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php + if --lang is used with the command-line installer (install.php). +* (T211061) ImageListPager: Actor migration for buildQueryConds(). +* (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself. +* Fix addition of ug_expiry column to user_groups table on MSSQL. +* (T204767) Add join conditions to ActiveUsersPager. +* (T210621) User: Bypass repeatable-read when creating an actor_id. +* (T204531) rdbms: reduce LoadBalancer replication log spam. +* (T195525) Fix db error outage page. +* (T208871) The hard-coded Google search form on the database error page was + removed. +* (T176097) Fix flaky MessageBlobStoreTest assertion failures. +* (T209423) Update required PHP version to 7.0.13. +* (T209885) Prevent populateSearchIndex.php from breaking once actor migration + has been started. +* (T216968) Return pageid as int in both list=iwbacklinks and + list=langbacklinks. +* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL. +* (T204423) Backport support for hyphenated DB names in JobQueueGroup. +* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags. +* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when + $wgBlockDisablesLogin is true. +* (T216029) Chrome redirects to Special:BadTitle after editing a section with + a non-Latin name on a page with non-Latin characters in title. +* (T219728) Added support for new Japanese era name "Reiwa". +* (T25227) SECURITY: action=logout now requires to be posted and have a csrf + token. +* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). +* (T224374) Fix message parameters so that the message that says SQLite is out + of date makes sense. +* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when + reauthenticating. +* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if + getLoginSecurityLevel() returns non-false. +* (T197279) SECURITY: Fix reauth in Special:ChangeEmail. +* (T208881) SECURITY: blacklist CSS var(). +* (T209794) SECURITY: rate-limit and prevent blocked users from changing email. +* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. +* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. +* (T222036, T222038) SECURITY: Add permission check for user is permitted to + view the log type. +* (T221739) SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358. + == MediaWiki 1.31.1 == This is a security and maintenance release of the MediaWiki 1.31 branch. @@ -750,7 +1389,8 @@ This is a security and maintenance release of the MediaWiki 1.31 branch. * (T196185) Don't allow setting $wgDBmysql5 in the installer. * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+ -* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. +* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete + hook. * (T196672) The mtime of extension.json files is now able to be zero * (T180403) Validate $length in padleft/padright parser functions. * (T143790) Make $wgEmailConfirmToEdit only affect edit actions. @@ -774,7 +1414,8 @@ This is a security and maintenance release of the MediaWiki 1.31 branch. apply patch-drop-ar_text.sql manually, you'll have to apply a default value to the ar_text and ar_flags columns of the archive table or make those columns nullable before upgrading to MediaWiki 1.31. - maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL. + maintenance/archives/patch-nullable-ar_text.sql shows how to do this for + MySQL. === Configuration changes in 1.31 === * $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in @@ -1096,7 +1737,8 @@ changes to languages because of Phabricator reports. * Passing a ParserOptions object to OutputPage::parserOptions() is deprecated. * The RevisionInsertComplete hook is now deprecated; use instead the hook RevisionRecordInserted. RevisionInsertComplete is still called, but the second - and third parameter will always be null. Hard deprecation is scheduled for 1.32. + and third parameter will always be null. Hard deprecation is scheduled for + 1.32. * The following methods that get and set ParserOutput state are deprecated. Callers should use the new stateless $options parameter to ParserOutput::getText() instead. @@ -1228,6 +1870,51 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.30 = +== MediaWiki 1.30.2 == + +This is a security and maintenance release of the MediaWiki 1.30 branch. + +=== Changes since MediaWiki 1.30.1 === +* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query + all titles when asked for none. +* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested + libraries. +* (T207540) Include IP address in "Login for $1 succeeded" log entry. +* (T205765) Don't link to the obsolete "Extension Matrix" page in installer. +* (T207603) SECURITY: User JS may no longer be loaded with mime type + text/javascript if there is no account associated with the username. +* (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME + type if non-admins can edit the page. +* (T207541) Pass email address to mail(). +* Fix addition of ug_expiry column to user_groups table on MSSQL. +* (T204531) rdbms: reduce LoadBalancer replication log spam. +* (T213489) Avoid session double-start in Setup.php. +* (T195525) Fix db error outage page. +* (T208871) The hard-coded Google search form on the database error page was + removed. +* (T216968) Return pageid as int in both list=iwbacklinks and + list=langbacklinks. +* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when + $wgBlockDisablesLogin is true. +* (T25227) SECURITY: action=logout now requires to be posted and have a csrf + token. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). +* (T224374) Fix message parameters so that the message that says SQLite is out + of date makes sense. +* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when + reauthenticating. +* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if + getLoginSecurityLevel() returns non-false. +* (T197279) SECURITY: Fix reauth in Special:ChangeEmail. +* (T208881) SECURITY: blacklist CSS var(). +* (T209794) SECURITY: rate-limit and prevent blocked users from changing email. +* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. +* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. +* (T222036, T222038) SECURITY: Add permission check for user is permitted to + view the log type. +* (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358. + == MediaWiki 1.30.1 == This is a security and maintenance release of the MediaWiki 1.30 branch. @@ -1237,20 +1924,23 @@ This is a security and maintenance release of the MediaWiki 1.30 branch. 'newbie'. * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock. -* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array. +* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative + array. * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency). * (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature. * (T190503) Let built-in web server (maintenance/dev) handle .php requests. * (T167507) selenium: Run Chrome headlessly. * selenium: Pass -no-sandbox to Chrome under Docker. -* (T179190) selenium: Move logic for running tests from package.json to selenium.sh +* (T179190) selenium: Move logic for running tests from package.json to + selenium.sh * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds(). * Add default edit rate limit of 90 edits/minute for all users. * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`. * oojs/oojs-ui updated to remove an unnecessary dependancy. * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. -* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. +* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete + hook. * (T196672) The mtime of extension.json files is now able to be zero * (T180403) Validate $length in padleft/padright parser functions. * (T143790) Make $wgEmailConfirmToEdit only affect edit actions. @@ -1298,19 +1988,19 @@ section). * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size of IP ranges that can be queried at Special:Contributions. * (T45547) $wgUsePigLatinVariant added (off by default). -* (T152540) MediaWiki now supports a section ID escaping style that allows to display - non-Latin characters verbatim on many modern browsers. This is controlled by the - new configuration setting, $wgFragmentMode. -* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version, - use $wgFragmentMode to migrate off it to a modern alternative. +* (T152540) MediaWiki now supports a section ID escaping style that allows to + display non-Latin characters verbatim on many modern browsers. This is + controlled by the new configuration setting, $wgFragmentMode. +* $wgExperimentalHtmlIds is now deprecated and will be removed in a future + version, use $wgFragmentMode to migrate off it to a modern alternative. * $wgExternalInterwikiFragmentMode was introduced to control how fragments in sinterwikis going outside of current wiki farm are encoded. -* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'. - This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki - auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly - requested through the configuration parameter $wgDBservers. -* $wgOOUIEditPage was removed, as it is now the default. This was documented as a - temporary variable during the migration period. +* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of + 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. + MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if + explicitly requested through the configuration parameter $wgDBservers. +* $wgOOUIEditPage was removed, as it is now the default. This was documented as + a temporary variable during the migration period. === New features in 1.30 === * (T37247) Output from Parser::parse() will now be wrapped in a div with @@ -1343,9 +2033,9 @@ section). * (T138166) Added ability for users to prohibit other users from sending them emails with Special:Emailuser. Can be enabled by setting $wgEnableUserEmailBlacklist to true. -* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect. - Instead, users using browsers that do not support Unicode will be unable to edit - and should upgrade to a modern browser instead. +* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no + effect. Instead, users using browsers that do not support Unicode will be + unable to edit and should upgrade to a modern browser instead. === External library changes in 1.30 === @@ -1436,9 +2126,10 @@ changes to languages because of Phabricator reports. * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for manipulating Special:Log and Special:NewPages lines. * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData, - PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding - hooks have an additional parameter, for manipulating HTML data attributes of - RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the + PageHistoryLineEnding, ContributionsLineEnding and + DeletedContributionsLineEnding hooks have an additional parameter, for + manipulating HTML data attributes of RC/history lines. + EnhancedChangesListModifyBlockLineData can do that via the $data['attribs'] subarray. * (T130632) The OutputPage::enableTOC() method was removed. * WikiPage::getParserOutput() will now throw an exception if passed @@ -1449,10 +2140,10 @@ changes to languages because of Phabricator reports. * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange(). * DeprecatedGlobal no longer supports passing in a direct value, it requires a callable factory function or a class name. -* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton() - are all deprecated. The main ParserCache instance should be obtained from - MediaWikiServices instead. Access to the underlying BagOStuff is possible - through the new ParserCache::getCacheStorage() method. +* The $parserMemc global, wfGetParserCacheStorage(), and + ParserCache::singleton() are all deprecated. The main ParserCache instance + should be obtained from MediaWikiServices instead. Access to the underlying + BagOStuff is possible through the new ParserCache::getCacheStorage() method. * .mw-ui-constructive CSS class (deprecated in 1.27) was removed. * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(), escapeIdForLink() or escapeIdForExternalInterwiki() instead. @@ -1463,9 +2154,9 @@ changes to languages because of Phabricator reports. * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or escapeIdForLink(). * MagicWord::replaceMultiple() (deprecated in 1.25) was removed. -* WikiImporter now requires the second parameter to be an instance of the Config, - class. Prior to that, the Config parameter was optional (a behavior deprecated in - 1.25). +* WikiImporter now requires the second parameter to be an instance of the + Config, class. Prior to that, the Config parameter was optional (a behavior + deprecated in 1.25). * Removed 'jquery.mwExtension' module. (deprecated since 1.26) * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette any more. @@ -1475,55 +2166,60 @@ changes to languages because of Phabricator reports. should be used instead. * RunningStat class (deprecated in 1.27) was removed. The namespaced RunningStat\RunningStat should be used instead. -* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed. +* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were + removed. The MemcachedClient class should be used instead. * EditPage underwent some refactoring and deprecations: * EditPage::isOouiEnabled() is deprecated and will always return true. - * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please - use ::getSummaryInputWidget() instead. + * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. + Please use ::getSummaryInputWidget() instead. * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please use ::getCheckboxesWidget() instead. - * Creating an EditPage instance without calling EditPage::setContextTitle() should - be avoided and will be deprecated in a future release. - * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops. - * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The - corresponding methods from Title should be used instead. + * Creating an EditPage instance without calling EditPage::setContextTitle() + should be avoided and will be deprecated in a future release. + * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and + no-ops. + * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are + deprecated. The corresponding methods from Title should be used instead. * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement. - * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters - ::getArticle() and ::getTitle() should be used instead. - * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut, - and $wgLang is no longer supported and won't work. The IContextSource returned from - EditPage::getContext() must be modified instead. + * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The + getters ::getArticle() and ::getTitle() should be used instead. + * Trying to control or fake EditPage context by overriding $wgUser, + $wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The + IContextSource returned from EditPage::getContext() must be modified + instead. * Parser::getRandomString() (deprecated in 1.26) was removed. * Parser::uniqPrefix() (deprecated in 1.26) was removed. * Parser::extractTagsAndParams() now only accepts three arguments. The fourth, $uniq_prefix was deprecated in 1.26 and has now been removed. -* (T172514) The following tables have had their UNIQUE indexes turned into proper - PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks, - langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats, - templatelinks, text, transcache, user_former_groups, user_properties. +* (T172514) The following tables have had their UNIQUE indexes turned into + proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, + iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks, + query_cache, site_stats, templatelinks, text, transcache, user_former_groups, + user_properties. * IDatabase::nextSequenceValue() is no longer needed by any database backends (formerly it was needed by PostgreSQL and Oracle), and is now deprecated. -* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a - PRIMARY KEY. +* (T146591) The lc_lang_key index on the l10n_cache table has been changed into + a PRIMARY KEY. * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id, page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and user_properties.up_user have all been made unsigned on MySQL. * DB_SLAVE is deprecated. DB_REPLICA should be used instead. * wfUsePHP() is deprecated. * wfFixSessionID() was removed. -* wfShellExec() and related functions are deprecated, use Shell::command(). This also - slightly changes the behavior of how execution time limits are calculated when only - some of defaults are overridden per-call. When in doubt, always override both wall - clock and CPU time. -* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending - user object. Using the method without the second argument is deprecated. +* wfShellExec() and related functions are deprecated, use Shell::command(). This + also slightly changes the behavior of how execution time limits are calculated + when only some of defaults are overridden per-call. When in doubt, always + override both wall clock and CPU time. +* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the + sending user object. Using the method without the second argument is + deprecated. * (T67297) Browsers that don't support Unicode will have their edits rejected. -* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future - release. For notifying the user of an event, the Notifications ("Echo") system - should be used instead. -* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser - sends non-standard url escaping. +* (T178450) The module 'jquery.badge' is deprecated and will be removed in a + future release. For notifying the user of an event, the Notifications ("Echo") + system should be used instead. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and + browser sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. = MediaWiki 1.29 = @@ -1538,7 +2234,7 @@ This is a security and maintenance release of the MediaWiki 1.29 branch. * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock. * (T180551) Fix LanguageSrTest for language converter -* (T180552) Fix langauge converter parser test with self-close tags +* (T180552) Fix language converter parser test with self-close tags * (T180537) Remove $wgAuth usage from wrapOldPasswords.php * (T180485) InputBox: Have inputbox langconvert certain attributes * (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3. @@ -1576,7 +2272,8 @@ This is a security and maintenance release of the MediaWiki 1.29 branch. This is a security and maintenance release of the MediaWiki 1.29 branch. === Changes since 1.29.1 === -* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting. +* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to + nesting. * (T175439) Unbreak Postgres Updater when setting defaults for a column. * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * Fixed login button label to accept RawMessage. @@ -1585,19 +2282,20 @@ This is a security and maintenance release of the MediaWiki 1.29 branch. * (T163646) Pass a string not an int to mysql_real_escape_string(). * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2. * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36. -* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser - sends non-standard url escaping. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and + browser sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. * (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. * (T125163) SECURITY: Make anchor for headlines escape > and <. * (T180237) SECURITY: Protect vendor folder with .htaccess. -* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in + update.php. * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. * (T119158) SECURITY: Handle -{}- syntax in attributes safely. -* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all - branches in the previous security release. +* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly + fixed in all branches in the previous security release. == MediaWiki 1.29.1 == @@ -1636,7 +2334,8 @@ packages. * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. * (T158474) "Unknown user" has been added to $wgReservedUsernames. -* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs. +* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single + IPs. * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be added to $wgExtraLanguageCodes instead. * (T161453) LocalisationCache will no longer use the temporary directory in it's @@ -1695,30 +2394,32 @@ packages. ==== Removed and replaced external libraries ==== === Bug fixes in 1.29 === -* (T62604) Core parser functions returning a number now format the number according - to the page content language, not wiki content language. -* (T27187) Search suggestions based on jquery.suggestions will now correctly only - highlight prefix matches in the results. +* (T62604) Core parser functions returning a number now format the number + according to the page content language, not wiki content language. +* (T27187) Search suggestions based on jquery.suggestions will now correctly + only highlight prefix matches in the results. * (T157035) "new mw.Uri()" was ignoring options when using default URI. * Special:Allpages can no longer be filtered by redirect in miser mode. -* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. -* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect - to interwiki links. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is + installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow + redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. -* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF - token. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a + CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. -* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory - in it's fallback chain when trying to work out where to write the cache. -* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion - syntax's link parameter. -* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against - it. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary + directory in it's fallback chain when trying to work out where to write the + cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file + inclusion syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected + against it. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, @@ -1733,8 +2434,8 @@ packages. parameter prefixes (e.g. all query submodules) will no longer be prefixed. * ApiPageSet-using modules will report the 'invalidreason' using the specified 'errorformat'. -* action=emailuser may return a "Warnings" status, and now returns 'warnings' and - 'errors' subelements (as applicable) instead of 'message'. +* action=emailuser may return a "Warnings" status, and now returns 'warnings' + and 'errors' subelements (as applicable) instead of 'message'. * action=imagerotate returns an 'errors' subelement rather than 'errormessage'. * action=move now reports errors when moving the talk page as an array under key 'talkmove-errors', rather than using 'talkmove-error-code' and @@ -1804,8 +2505,8 @@ changes to languages because of Phabricator reports. ==== No fallback for Ukrainian ==== * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian - language will now use the default fallback language: English. When a translation - to Ukrainian is not available, an English string will be shown. + language will now use the default fallback language: English. When a + translation to Ukrainian is not available, an English string will be shown. === Other changes in 1.29 === * Database::getSearchEngine() (deprecated in 1.28) was removed. Use @@ -1820,8 +2521,8 @@ changes to languages because of Phabricator reports. were removed. * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21) were removed. -* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom - instead. +* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use + ArticleContentViewCustom instead. * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed. * Class RevisiondeleteAction (deprecated in 1.25) was removed. * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed. @@ -1832,13 +2533,16 @@ changes to languages because of Phabricator reports. * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed. * Class FSRepo (deprecated in 1.19) was removed. * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use - \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead. + \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() + instead. * Class ImageGallery (deprecated in 1.22) was removed. Use ImageGalleryBase::factory instead. -* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead. +* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class + instead. * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now emit warnings). Create a subclass of Action and add it to $wgActions instead. -* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated. +* WikiRevision::getText() (deprecated since 1.21) is no longer marked + deprecated. * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed. @@ -1846,9 +2550,10 @@ changes to languages because of Phabricator reports. * RedisConnectionPool::handleException (deprecated since 1.23) was removed. * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete and outdated lists of errors/warnings returned by the API, are now deprecated. -* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" - URLs to continue to work, set up redirects. In Apache, this can be done by enabling - mod_rewrite and adding the following rules to your configuration: +* wiki.phtml entry point was removed. Refer to index.php instead. If you want + "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can + be done by enabling mod_rewrite and adding the following rules to your + configuration: RewriteEngine On RewriteBase / @@ -1876,8 +2581,8 @@ changes to languages because of Phabricator reports. * Article::doEditContent() was marked as deprecated, to be removed in 1.30 or later. * ContentHandler::runLegacyHooks() was removed. -* refreshLinks.php now can be limited to a particular category with --category=... - or a tracking category with --tracking-category=... +* refreshLinks.php now can be limited to a particular category with + --category=... or a tracking category with --tracking-category=... * User-like objects that are passed to SpecialUserRights and its subclasses are now required to have a getGroupMemberships() method. See UserRightsProxy for an example. @@ -1951,28 +2656,34 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. === Changes since 1.28.2 == * (T168856) Allow SVGs created by Dia to be uploaded. * (T157545) Add missing doUpdates() call to refreshLinks.php. -* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown. -* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle. +* (T165714) (T100085) Better handling of jobs execution in post-connection + shutdown. +* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of + Database->onTransactionIdle. * (T154425) Make DeferredUpdates detect LBFactory transaction rounds. -* (T149454) Restore erroneously removed realTableName call from DatabasePostgres. +* (T149454) Restore erroneously removed realTableName call from + DatabasePostgres. * (T167798) Fix phrase search and highlighting for phrase queries. * (T151136) Provide credits information to callbacks in extension registration. -* (T160462) Allow namespaces defined in extension.json to be overwritten locally. +* (T160462) Allow namespaces defined in extension.json to be overwritten + locally. * (T168337) Fix ErrorPageError to work from non-UI contexts. * (T143788) Backports for PHP 7.0 and 7.1 support. * (T175439) Unbreak Postgres Updater when setting defaults for a column. * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * (T174255) Declare uploadCount property in importDump.php. -* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. -* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser - sends non-standard url escaping. +* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to + v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and + browser sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. * (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. * (T125163) SECURITY: Make anchor for headlines escape > and <. * (T180237) SECURITY: Protect vendor folder with .htaccess. -* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in + update.php. * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. * (T119158) SECURITY: Handle -{}- syntax in attributes safely. @@ -1991,8 +2702,8 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. -* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has - more than one database server setup. +* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki + has more than one database server setup. * (T152717) Better escaping for PHP mail() command, * (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored. @@ -2000,25 +2711,28 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * (T158766) Avoid SQL error on MSSQL when using selectRowCount(). * (T145635) Fix too long index error when installing with MSSQL. * (T156184) $wgRawHtml will no longer apply to internationalization messages. -* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. -* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs. -* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect - to interwiki links. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is + installed. +* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 + installs. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow + redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. -* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF - token. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a + CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. -* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory - in it's fallback chain when trying to work out where to write the cache. -* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion - syntax's link parameter. -* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against - it. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary + directory in it's fallback chain when trying to work out where to write the + cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file + inclusion syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected + against it. == MediaWiki 1.28 == @@ -2045,7 +2759,8 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * (T149759) manifest_version: 2 was removed. === Configuration changes in 1.28 === -* $wgSend404Code now affects status code of action=history if the page is not there. +* $wgSend404Code now affects status code of action=history if the page is not + there. * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported. @@ -2069,16 +2784,19 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes". -* The 'editcontentmodel' permission is now granted to all logged-in users ('user'). +* The 'editcontentmodel' permission is now granted to all logged-in users + ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at . -* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled. -* Magic links are now disabled by default, and can be re-enabled by modifying the value - of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, - a tracking category will be added to help identify usage and make it easier to migrate - away from. If you depend upon magic link functionality, it is requested that you comment - on and - explain your use case(s). +* $wgRevisionCacheExpiry is now set to one week by default instead of being + disabled. +* Magic links are now disabled by default, and can be re-enabled by modifying + the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are + manually enabled, a tracking category will be added to help identify usage and + make it easier to migrate away from. If you depend upon magic link + functionality, it is requested that you comment on + + and explain your use case(s). * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting. @@ -2093,21 +2811,24 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. and the file description page, but does not run for uploads to stash. * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed. -* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation - to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations, - a 'numeric' collation is also available. If migrating from another - collation, you will need to run the updateCollation.php maintenance script. -* Two new codes have been added to #time parser function: "xit" for days in current - month, and "xiz" for days passed in the year, both in Iranian calendar. +* (T8948) Numeric sorting in categories is now supported by setting + $wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you + can't use UCA collations, a 'numeric' collation is also available. If + migrating from another collation, you will need to run the updateCollation.php + maintenance script. +* Two new codes have been added to #time parser function: "xit" for days in + current month, and "xiz" for days passed in the year, both in Iranian + calendar. * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki. -* After a client performs an action which alters a database that has replica databases, - MediaWiki will wait for the replica databases to synchronize with the master database - while it renders the HTML output. However, if the output is a redirect to another wiki - on the wiki farm with a different domain, MediaWiki will instead alter the redirect - URL to include a ?cpPosTime parameter that triggers the database synchronization when - the URL is followed by the client. The same-domain case uses a new cpPosTime cookie. +* After a client performs an action which alters a database that has replica + databases, MediaWiki will wait for the replica databases to synchronize with + the master database while it renders the HTML output. However, if the output + is a redirect to another wiki on the wiki farm with a different domain, + MediaWiki will instead alter the redirect URL to include a ?cpPosTime + parameter that triggers the database synchronization when the URL is followed + by the client. The same-domain case uses a new cpPosTime cookie. * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. @@ -2124,7 +2845,8 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * Added wikimedia/wait-condition-loop v1.0.1 === Bug fixes in 1.28 === -* (T146496) action=history pages should return 404 HTTP error code if the page does not exist +* (T146496) action=history pages should return 404 HTTP error code if the page + does not exist * (T137264) SECURITY: XSS in unclosed internal links * (T133147) SECURITY: Escape '<' and ']]>' in inline