X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=RELEASE-NOTES-1.34;h=ed23b62e94bb1a9f6684d526585bcf8c489573db;hp=0d6f1e11bd7fabb95d7e0761fe2c6a7c66f63999;hb=18c2d20c54f9851af639cb24603493ca197baaa8;hpb=5155abe0e6ab6589d4104a221df0a0b2c5142c16 diff --git a/RELEASE-NOTES-1.34 b/RELEASE-NOTES-1.34 index 0d6f1e11bd..ed23b62e94 100644 --- a/RELEASE-NOTES-1.34 +++ b/RELEASE-NOTES-1.34 @@ -1,11 +1,118 @@ = MediaWiki 1.34 = -== MediaWiki 1.34.0-PRERELEASE == - -THIS IS NOT A RELEASE YET - -MediaWiki 1.34 is an alpha-quality development branch, and is not recommended -for use in production. +== MediaWiki 1.34.2 == + +This is a security and maintenance release of the MediaWiki 1.34 branch. + +=== Changes since MediaWiki 1.34.1 === +* (T247017) PasswordReset performance improvements. +* The MultiHttpClient code will fallover to non-curl if curl_multi* is blocked. +* (T250568) Work around change in SimpleXMLElement behavior introduced in PHP + 7.3.17. +* (T251789) Let $wgResourceLoaderMaxQueryLength=-1 fallback to default. +* Remove some rotten and out of date documentation. +* (T252311) Improvements to some older SQLite update patches. +* (T240307) Minor fixes to extension.schema.v2.json and + extension.schema.v1.json. +* (T238043) cleanupUsersWithNoId.php: Handle missing fields. +* (T199474) Set rc_patrolled to 2 for autopatrolled changes in + rebuildrecentchanges.php. +* (T229461) Update the change_tag table in rebuildrecentchanges.php. +* (T249730) Password Reset Updates. +* (T234450) Per-user concurrency in SpecialContributions can now be limited by + setting $wgPoolCounterConf['SpecialContributions'] appropriately. +* (T248947) SECURITY: img_auth.php may leak private extension images into the + public cache. + +== MediaWiki 1.34.1 == + +This is a security and maintenance release of the MediaWiki 1.34 branch. + +=== Changes since MediaWiki 1.34.0 === +* (T211450) User: better error message when getActorId fails. +* (T241340) Don't redefine MW_ENTRY_POINT in thumb.php if already defined. +* (T236444) User: Allow newSystemUser() to create over anonymous actors. +* (T238483) Fix NewPagesPager "hide registered users" option. +* (T245072) mediawiki.language: Rename languageData back to languageNames. +* Use proper SemVer comparison in CheckComposerLockUpToDate. +* (T212738) Add the MW_VERSION constant, global $wgVersion is soft deprecated. +* (T246127) Fix error when initialising updateCollation.php. +* Update comment about PHP versions supported by The PHP Group. +* (T247215) Fix output of RecountCategories::doWork(). +* Add check for page existence to view.php maintenance script. +* (T245149) Fix fetching login token from action=query&meta=tokens on private + wikis. +* (T236509) SECURITY: Fix HTML escaping in UserGroupMembership::getLink(). +* (T232932) SECURITY: User content can redirect the logout button to different + URL. +* (T246602) SECURITY: jquery.makeCollapsible allows applying event handler to + any CSS selector. + +== MediaWiki 1.34.0 == + +=== Changes since MediaWiki 1.34.0-rc.1 === +* $wgDiffEngine (T237049) – This configuration can be used to specify which + difference engine to use. MediaWiki continues to default to automatically + choosing the first of $wgExternalDiffEngine, wikidiff2, or php that is + usable. +* (T231866) SqlBlobStore no longer needs Language object. +* (T236735) WikiExporter: Remove unnecessary check for SCHEMA_COMPAT_WRITE_OLD + flag. +* (T231673) Set MCR migration stage to SCHEMA_COMPAT_NEW. +* (T229601) Make sure DBLoadBalancerFactory service is not disabled. +* (T232866) Fix support for HTTP/2 in MultiHttpClient. +* (T231866) LocalisationCache: Don't instantiate ResourceLoader. +* (T227461) Stop calling deprecated Redis delete functions. +* (T239561) Mark options as requiring parameters in addSite.php. +* (T232866) Mimic CURLOPT_POST in GuzzleHttpRequest. +* (T239734) Replace deprecated lSize with lLen in Redis code. +* (T192134) SECURITY: Do not allow user scripts on Special:PasswordReset. +* (T239428) ApiEditPage: Test for bad redirect targets. +* (T233342) rdbms: Log debug message traces as 'exception.trace' instead of + 'trace'. +* (T226751) media: Log and fail gracefully on invalid EXIF coordinates. +* (T240924) NewPagesPager: Fix namespace query conditions. +* (T212067) Tests for an old PHP bug in parse_url. + +== MediaWiki 1.34.0-rc.1 == + +=== Changes since MediaWiki 1.34.0-rc.0 === +* (T231742) rdbms: Restore debug toolbar "Queries" feature. +* (T231366) The ProfilerOutputDb class, 'profiling' table, and profileinfo.php + entry point had been deprecated. +* (T234361) localisation: Add debug message for backend of MessageCache. +* (T234361) session: Add debug message for the used store class. +* (T235559) Fix example Kask configuration in RESTBagOStuff class comment. +* (T235137) Don't apply styling for Special:Contributions on other pages. +* Upgrade mediawiki-codesniffer from 26.0.0 to 28.0.0 (dev-only). +* (T219604) The "jquery.ui.*" and "jquery.effects.*" modules are now + deprecated as aliases for the "jquery.ui" module. +* (T235392) Deprecate setting Parser::mTitle to null. +* Supporting commits for T235392 were also backported to prevent divergence + from master (MediaWiki 1.35). +* (T234581) The 'jquery.tabIndex' module is deprecated. +* Fix docs for GetUserBlock hooks. +* Parser: Hard deprecate getConverterLanguage. +* (T236810) A number of public methods of Parser were exposed only for + historical reasons and have been deprecated: doMagicLinks, + doDoubleUnderscore, doHeadings, doAllQuotes, replaceExternalLinks, + replaceInternalLinks, replaceInternalLinks2, getVariableValue, + initialiseVariables, formatHeadings, testPst, testPreprocess, testSrvus, + areSubpagesAllowed, maybeDoSubpageLink, splitWhitespace, createAssocArgs, + armorLinks, makeKnownLinkHolder, getImageParams, parseLinkParameter, + stripAltText, replaceLinkHolders, replaceLinkHoldersText, armorLinks, + makeKnownLinkHolder, getImageParams, parseLinkParameter, stripAltText. +* (T30798) $wgServer must now always be set in LocalSettings.php. This is most + likely the case already for any wiki installed after 1.18. The autodetection + system was informally deprecated since 1.18 and vulnerable to cache poisoning + attacks. Older wikis may need to update their LocalSettings.php file. +* (T232169) Hard deprecate $wgSysopEmailBans. +* (T236628) Fix for ArticleRevisionViewCustom hook in DifferenceEngine.php. +* (T181658) Do not insert page titles into querycache.qc_value. +* ParamValidator has been flagged as unstable. +* Hard deprecate Parser::disableCache(). + +== MediaWiki 1.34.0-rc.0 == == Upgrading notes for 1.34 == 1.34 has several database changes since 1.33, and will not work without schema @@ -20,7 +127,8 @@ important information when upgrading from versions prior to 1.11. Some specific notes for MediaWiki 1.34 upgrades are below: -* … +* MediaWiki now requires PHP 7.2.9 or above. +* MediaWiki no longer supports HHVM. For notes on 1.33.x and older releases, see HISTORY. @@ -47,6 +155,10 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; redirects in their userspace unless the target of the redirect is also in their userspace. By default, this right is given to everyone. * (T226733) Add rate limiter to Special:ConfirmEmail. +* $wgDiffEngine (T237049) – This configuration can be used to specify which + difference engine to use. MediaWiki continues to default to automatically + choosing the first of $wgExternalDiffEngine, wikidiff2, or php that is + usable. ==== Changed configuration ==== * $wgUseCdn, $wgCdnServers, $wgCdnServersNoPurge, and $wgCdnMaxAge – These four @@ -60,9 +172,16 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; containing some HTML markup in metadata. As a result, the $wgAllowTitlesInSVG setting is no longer applied and is now always true. Note that MSIE 7 may still be able to misinterpret certain malformed PNG files as HTML. +* (T30798) $wgServer must now always be set in LocalSettings.php. This is most + likely the case already for any wiki installed after 1.18. The autodetection + system was informally deprecated since 1.18 and vulnerable to cache poisoning + attacks. Older wikis may need to update their LocalSettings.php file. * Introduced $wgVerifyMimeTypeIE to allow disabling the MSIE 6/7 file type detection heuristic on upload, which is more conservative than the checks that were changed above. +* $wgExternalDiffEngine — Setting this to a string value of 'wikidiff', + 'wikidiff2', or 'wikidiff3' will no longer work. This legacy behaviour was + deprecated in MediaWiki 1.27, 1.32, and 1.27, respectively. * $wgSkipSkin — Setting this instead of $wgSkipSkins, deprecated in 1.23, is now hard-deprecated. * $wgLocalInterwiki — Setting this instead of $wgLocalInterwikis, deprecated in @@ -74,7 +193,6 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; an array with IP addresses as the values, or a string path to a file containing one IP address per line. * $wgCookieSetOnAutoblock and $wgCookieSetOnIpBlock are now enabled by default. -* … ==== Removed configuration ==== * $wgWikiDiff2MovedParagraphDetectionCutoff — If you still want a custom change @@ -132,16 +250,13 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; === External library changes in 1.34 === -==== New external libraries ==== -* … - ==== Changed external libraries ==== * Updated Mustache from 1.0.0 to v3.0.1. * Updated OOUI from v0.31.3 to v0.34.0. * Updated OOjs from v2.2.2 to v3.0.0. * Updated composer/semver from 1.4.2 to 1.5.0. * Updated composer/spdx-licenses from 1.4.0 to 1.5.1 (dev-only). -* Updated mediawiki/codesniffer from 25.0.0 to 26.0.0 (dev-only). +* Updated mediawiki/codesniffer from 25.0.0 to 28.0.0 (dev-only). * Updated cssjanus/cssjanus from 1.2.1 to 1.3.0. * Updated wikimedia/at-ease from 1.2.0 to 2.0.0. * Updated wikimedia/remex-html from 2.0.1 to 2.1.0. @@ -151,11 +266,9 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; * Updated wikimedia/xmp-reader from 0.6.2 to 0.6.3. * Updated mediawiki/mediawiki-phan-config from 0.6.0 to 0.6.1 (dev-only). * Updated wikimedia/avro from 1.8.0 to 1.9.0 (dev-only). -* … ==== Removed external libraries ==== * The jquery.async module, deprecated in 1.33, was removed. -* … === Bug fixes in 1.34 === * (T222529) If a log entry or page revision is recorded in the database with an @@ -178,7 +291,7 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; 'mime', 'mediadtype', 'bitdepth'. Clients that process these fields should first check if 'filemissing' is set. Fields that are supported even if the file is missing include: - 'canonicaltitle', ''archivename' (deleted files only), 'descriptionurl', + 'canonicaltitle', 'archivename' (deleted files only), 'descriptionurl', 'descriptionshorturl'. * The 'blockexpiry' result property in list=users and list=allusers will now be returned in the same format used by the rest of the API: ISO 8601 for @@ -455,6 +568,8 @@ because of Phabricator reports. * User::setNewpassword(), deprecated in 1.27 has been removed. * The ObjectCache::getMainWANInstance and ObjectCache::getMainStashInstance functions, deprecated since 1.28, have been removed. +* Language::$dataCache has been removed (without prior deprecation, for + practical reasons). Use MediaWikiServices instead to get a LocalisationCache. === Deprecations in 1.34 === * The MWNamespace class is deprecated. Use NamespaceInfo. @@ -513,6 +628,8 @@ because of Phabricator reports. * The Profiler::setTemplated and Profiler::getTemplated methods have been deprecated. Use Profiler::setAllowOutput and Profiler::getAllowOutput instead. +* The ProfilerOutputDb class, 'profiling' table, and profileinfo.php entry + point had been deprecated (T231366). * The Preprocessor_DOM implementation has been deprecated. It will be removed in a future release. Use the Preprocessor_Hash implementation instead. @@ -564,6 +681,10 @@ because of Phabricator reports. * IDatabase::bufferResults() has been deprecated. Use query batching instead. * MessageCache::singleton() is deprecated. Use MediaWikiServices::getMessageCache(). +* ObjectCache::getWANInstance() is deprecated. Use + MediaWikiServices::getMainWANObjectCache() instead. +* ObjectCache::newWANCacheFromParams() is deprecated. Use + MediaWikiServices::getMainWANObjectCache() instead. * Constructing MovePage directly is deprecated. Use MovePageFactory. * TempFSFile::factory() has been deprecated. Use TempFSFileFactory instead. * wfIsBadImage() is deprecated. Use the BadFileLookup service instead. @@ -576,6 +697,7 @@ because of Phabricator reports. * Specifying a SpecialPage object for the list of special pages (either through the SpecialPage_initList hook or by adding to $wgSpecialPages) is now deprecated. +* The 'jquery.tabIndex' module is deprecated. * WebInstaller::getInfoBox(), getWarningBox() and getErrorBox() are deprecated. Use Html::errorBox() or Html::warningBox() instead. * Use of ActorMigration with 'ar_user', 'img_user', 'oi_user', 'fa_user', @@ -598,14 +720,42 @@ because of Phabricator reports. $wgGroupPermissions['sysop']['blockemail'] = true; * ApiQueryBase::showHiddenUsersAddBlockInfo() is deprecated. Use ApiQueryBlockInfoTrait instead. +* PasswordReset is now a service, its direct instantiation is deprecated. +* RESTBagOStuff users should specify either "JSON" or "PHP" serialization type. +* The global function wfIsHHVM() is deprecated and will now always return false + regardless of the runtime environment. This is part of the continuing work to + remove HHVM support from MediaWiki, which started in MediaWiki 1.31. +* Language::getLocalisationCache() is deprecated. Use MediaWikiServices + instead. +* The following Language methods are deprecated: isSupportedLanguage, + isValidCode, isValidBuiltInCode, isKnownLanguageTag, fetchLanguageNames, + fetchLanguageName, getFileName, getMessagesFileName, getJsonMessagesFileName. + Use the new LanguageNameUtils class instead. (Note that fetchLanguageName(s) + are called getLanguageName(s) in the new class.) +* Using the Parser without initializing its $mTitle property to non-null has + been deprecated. In a future release Parser::getTitle() will throw a + TypeError if $mTitle is uninitialized. +* A number of public methods of Parser were exposed only for historical + reasons and have been deprecated: doMagicLinks, doDoubleUnderscore, + doHeadings, doAllQuotes, replaceExternalLinks, replaceInternalLinks, + replaceInternalLinks2, getVariableValue, initialiseVariables, formatHeadings, + testPst, testPreprocess, testSrvus, areSubpagesAllowed, maybeDoSubpageLink, + splitWhitespace, createAssocArgs, armorLinks, makeKnownLinkHolder, + getImageParams, parseLinkParameter, stripAltText, replaceLinkHolders, + replaceLinkHoldersText, armorLinks, makeKnownLinkHolder, getImageParams, + parseLinkParameter, stripAltText. === Other changes in 1.34 === -* … +* Added option to specify "Various authors" as author in extension credits using + "..." as the only author name. If the "author" array contains more than one + entry and "..." is one of the entries in the array, "..." will be parsed as + "others" (version-poweredby-others i18n message) like previously. +* (T232563) Browser support ("Grade C") for Internet Explorer 6 and 7 + was discontinued. Basic content and security features may no longer + work correctly in these browsers. == Compatibility == -MediaWiki 1.34 requires PHP 7.2.0 or later. Although HHVM 3.18.5 or later is -supported, it is generally advised to use PHP 7.2.0 or later for long term -support. It also requires the following PHP extensions: +MediaWiki 1.34 requires PHP 7.2.9 or later, and the following PHP extensions: * ctype * dom