= MediaWiki release notes = Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. == MediaWiki 1.14 == THIS IS NOT A RELEASE YET MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia. Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature developments will be made on the development trunk and appear in the next quarterly release. Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN === Configuration changes in 1.14 === * $wgExemptFromUserRobotsControl is an array of namespaces to be exempt from the effect of the new __INDEX__/__NOINDEX__ magic words. (Default: null, ex- empt all content namespaces.) * $wgForwardSearchUrl has been removed entirely. Documented setting since 1.4 has been $wgSearchForwardUrl. * (bug 15080) $wgOverrideSiteFeed has been added. Setting either $wgSiteFeed['rss'] or 'atom' to a URL will override the default Recent Changes feed that appears on all pages. * $wgSQLiteDataDirMode has been introduced as the default directory mode for SQLite data directories on creation. Note this setting is separate from $wgDirectoryMode, which applies to all normal directories created by MediaWiki. * $wgGroupsAddToSelf and $wgGroupsRemoveFromSelf now work more like $wgAddGroups and $wgRemoveGroups, where the user must belong to a specified group in order to add or remove those groups from themselves. Backwards compatibility is maintained. * $wgRestrictDisplayTitle controls if the use of the {{DISPLAYTITLE}} magic word is restricted to titles equivalent to the actual page title. This is true per default, but can be set to false to allow any title. * $wgSpamRegex may now be an array of multiple regular expressions. * $wgAjaxSearch has been removed; use $wgEnableMWSuggest instead. * Editing the MediaWiki namespace is now unconditionally restricted to people with the editinterface right, configuring this in $wgNamespaceProtection is not required. * $wgAllowExternalImagesFrom may now be an array of multiple strings. * Introduced $wgEnableImageWhitelist to toggle the on-wiki external image whitelist on or off. * Added $wgRenderHashAppend to append some string to the parser cache and the sitenotice cache keys. === Migrated extensions === The following extensions are migrated into MediaWiki 1.14: * Special:DeletedContributions to show deleted user contributions (was extension DeletedContributions) * Special:Log/newusers recording new users (was extension Newuserlog) * Special:LinkSearch to search for external links (was extension LinkSearch) * RenderHash * NoMoveUserPages * Special:Nuke to mass delete all pages created by a user === New features in 1.14 === * New URL syntaxes for Special:ListUsers - 'Special:ListUsers/USER' and 'Special:ListUsers/GROUP/USER', in addition to the older syntax 'Special:ListUsers/GROUP' where GROUP is a valid group name. * Configurable per-namespace and per-page notices for the edit form, respectively MediaWiki:Editnotice-# where # is the namespace number, and MediaWiki:Editnotice-#-PAGENAME where # is the page's namespace number and PAGENAME is the page name minus the namespace prefix. * (bug 8068) New __INDEX__ and __NOINDEX__ magic words allow user control of search engine indexing on a per-article basis. * Handheld stylesheet options * Added 'DoEditSectionLink' hook as a cleaner unified version of the old 'EditSectionLink' and 'EditSectionLinkForOther' hooks. Note that the 'EditSectionLinkForOther' hook has been removed, but 'EditSectionLink' is run in all cases instead, so extensions using the old hooks should still work if they ran roughly the same code for both hooks (as is almost certain). * Signature (~~~~) "cleaning", i.e. template removal, can be disabled with $wgCleanSignatures=false * Extensions can use the SkinBuildSidebar hook to modify the content of the sidebar and add custom portlets to it * Added 'MakeGlobalVariablesScript' hook for extensions to be able to add vari- ables into into the output of Skin::makeVariablesScript * (bug 13846) Added $wgAddGroups and $wgRemoveGroups display on Special:ListGroupRights * (bug 14377) Add a date selector to history pages * (bug 15007) New 'pagetitle-view-mainpage' message allows the HTML of the main page to be customized * Added $wgDisableTitleConversion to disabling the conversion for all pages on the wiki * Added 'noconvertlink' toggle that can be set per user preferences, also added 'convertlink=no|yes' on GET requests whether have the link titles being converted or not * (bug 14921) Special:Contributions/: add user name to <title> Patch by Emufarmers * Unescape more "safe" characters when producing URLs, for added prettiness * Introduced a new hook 'SkinAfterContent' that allows extensions to add text after the page content and article metadata. Updated all skins and skin templates to work with that hook. * (bug 14929) removeUnusedAccounts.php now supports 'ignore-touched' and 'ignore-groups'. Patch by Louperivois * (bug 15127) Work around minor display glitch in Opera. * By default, reject file uploads that look like ZIP files, to avoid the so-called GIFAR vulnerability. * (bug 15141) Give ability to only list protected pages with the cascading option enabled on Special:ProtectedPages * (bug 15157) Special:Watchlist has the same options as Special:Watchlist: Show/Hide logged in users, Show/Hide anonymous, Invert namespace selection * Added hook 'UserrightsChangeableGroups' to allow modification of what groups may be added or removed via the Special:UserRights interface. * HTML entities like   now work (are not escaped) in edit summaries. * (bug 13815) In the comment for page moves, use the colon-separator message instead of a hardcoded colon. * Allow <gallery> to accept image names without an Image: prefix * Add tooltips to rollback and undo links * BMP images are now displayed as PNG * (bug 13471) Added NUMBERINGROUP magic word * (bug 11884) Now support Flash EXIF attribute * Show thumbnails in the file history list, patch by User:Agbad * Added support of piped wikilinks using double-width brackets * Added an on-wiki external image whitelist. Items in this whitelist are treated as regular expression fragments to match for when possibly displaying an external image inline. * (bugs 15405, 15436) Sort more currency types correctly in sortable tables * (bug 15422) Sort more different types of numbers in sortable tables * (bug 2889) MediaWiki:Print.css applies to the printable version * Category counts (e.g. from {{PAGESINCATEGORY:}}) should be more accurate for small categories * After logging in, automatically redirect to wherever you logged in from * (bug 5619) Break messages used in Special:Statistics down further * (bug 11029) Add link to Special:Listusers?group=sysop etc at Special:Statistics * (bug 15514) Setting $wgRightsText without $wgRightsUrl now produces a plaintext copyright notice. Patch by Juliano F. Ravasi. * (bug 15551) Deletion log excerpt is now shown whenever a user vists a deleted page, even if they are unable to edit it. * Added Wantedfiles special pages, allowing users to find image links with no image. * (bug 12650) It is now possible to set different expiration times for different restriction types on the protection form. * (bug 8440) Allow preventing blocked users from editing their talk pages * Improved upload file type detection for OpenDocument formats * Added the ability to set the target attribute on external links with $wgExternalLinkTarget * api.php now sends "Retry-After" and "X-Database-Lag" HTTP headers if the maxlag check fails, just like index.php does * Configurable per-namespace and per-page header, respectively MediaWiki:Pageheader-# where # is the namespace number, and MediaWiki:Pagenumber-#-PAGENAME where # is the page's namespace number and PAGENAME is the page name minus the namespace prefix. Can be disabled with the new magic word __NOHEADER__ === Bug fixes in 1.14 === * (bug 14907) DatabasePostgres::fieldType now defined. * (bug 14659) Passing the default limit param to Special:Recentchanges no more falls back to the user option * (bug 14954) Fix regression in Modern and Simple skins * Recursion loop check added to Categoryfinder class * Fixed few performance troubles of large job queue processing * Not setting various parameters in Foreign Repos now fails more gracefully * (bug 2333) Redirects are properly rendered when previewing an edit. * (bug 14972) Use localized alias of Special:Search on all search forms * (bug 11035) Special:Search should have descriptive <title> * Special pages are now not subject to special handling for "self-links" * (bug 15053) Syntactically incorrect redirects with another link in them no longer redirect to the second link * (bug 15049) Fix for CheckUser extension's log search: usernames containing a "-" were incorrectly turned into bogus IP range searches. Patch by Max Semenik. * (bug 15055) Talk page notifications no longer attempt to send mail when user's e-mail address is invalid or unconfirmed * (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in 5 minutes. * (bug 15016) 'Templates used on this page' list in view source should be wrapped in a div with class "templatesUsed" * (bug 14868) Setting $wgFeedDiffCutoff to 0 now disables generation of the diff entirely, not just the display of it. * (bug 6387) Introduced new setting $wgCategoryPrefixedDefaultSortkey which allows having the unprefixed page title as the default category sortkey * (bug 15079) Add class="ns-talk" / "ns-subject" to <body>. Also added ns-special to special pages. * (bug 15052) Skins should add their name as a class in <body> * (bug 14165, bug 14294) Wikimedia specific configuration in convertGrammar() for several languages was removed. The settings have been put in extension WikimediaMessages. Patch for Czech by Danny B. * (bug 15101) Displaying only bots edits in Special:Recentchanges now works again * (bug 13770) Fixed incorrect detection of PHP's DOM module * (bug 14790) Export of category pages when using Category: prefix now actually gives results * Avoid recursive crazy expansions in section edit comments for pages which contain '/*' in the title * Fix excessive memory usage when parsing pages with lots of links * $wgSpamRegex now matches the edit summary and page move descriptions in addition to body text. * Navigation links to images available from a shared repository (like Commons) from their local talk pages no longer appear as redlinks * Action=purge on ForeignApiFiles now works (purges their thumbnails and description pages). * (bug 15303) Title conversion for templates wasn't working in some cases. * (bug 15264) Underscores in Special:Search/Foo_bar parameters were taken literally; now converting them to spaces per expectation. * (bug 15342) "Invert" checkbox now works correctly when selecting main namespace in Special:Watchlist * (bug 15172) 'Go' button of Special:Recentchanges now on the same line as the last input element (like Special:Watchlist too) * (bug 15351) Fix fatal error for invalid section fragments in autocomments * Fixed intermittent deadlock errors involving objectcache table queries. Use a separate database connection for the objectcache table to avoid long-lasting locks on that table. * Respect file restrictions in the file history list * (bug 15399) Odd/even classes on sortable tables' rows could be slow for large tables, and have been disabled by default. * (bug 15482) Special:Recentchangeslinked has no longer two submit buttons * (bug 15292) New message notification for unregistred users now works again * (bug 14398) mwsuggest.js: Let width of container be configurable * (bug 15543) Only include user touched timestamp to generated CSS * (bug 15497) Removed encoding attribute from <?xml ?> tag * (bug 12284) Special:Preferences now sets a returnto parameter on the link to Special:Userlogin. Patch by Marooned. * Fixed the HTTP accept language string detection length in LanguageConverter.php, instead of the fixed length language codes. * Special:Recentchangeslinked no longer shows outgoing links for nonexistent pages even if there are broken link records with source article id 0 in the database * (bug 15598) Special:Newpages default limit uses user preference for recentchanges limit instead of hardcoded 50. * (bug 15617) $wgFeedClassesOutputPage::getHeadLinks() respects $wgFeedClasses, instead of hardcoding rss and atom. Patch by Juliano F. Ravasi. * (bug 14638) Special:Blockip now provides a link to the block log if the user has been blocked more than 10 times. Patch by Matt Johnston. * (bug 12678) Skins don't show Upload link if the user isn't allowed to upload. * Fixed incorrect usage of DB_LAST in Special:Export. Deprecated DB_LAST. * (bug 15642) Blocked sysops can no longer block other users * Http::request() now respects $wgHTTPtimeout when not using cURL * (bug 15158) Userinvalidcssjstitle not shown on preview * (bug 15196) Free external links should be numbered in a localised manner * (bug 15388) Title of Special:PrefixIndex * Links with no title but a curid parameter now use the curid to pick a page === API changes in 1.14 === * Registration time of users registered before the DB field was created is now shown as empty instead of the current time. * API search now falls back to fulltext search by default when using Lucene or other engine which doesn't support a separate title search function. This means you can use API search on Wikipedia without explicitly adding &srwhat=text to the query. * Added iiprop=bitdepth to imageinfo and aiprop=bitdepth to allimages * (bug 14713) API-specific permissions (such as 'writeapi' and 'apihighlimits' are now listed on action=help * (bug 15044) Added requestid parameter to api.php to facilitate distinguishing between requests * (bug 15048) Added limit field for multivalue parameters to action=paraminfo output. * When the limit on multivalue parameters is exceeded, a warning is issued * list=search doesn't list missing pages any more * (bug 15178) Added clshow to prop=categories to allow filtering for hidden/ non-hidden categories * (bug 15228) Combining revids= and redirects now throws a warning instead of an error, and still resolves redirects generated by the generator. * list={backlinks,embeddedin,imageusage} now return arrays with keys 0, 1, 2, etc. (AKA lists) instead of arrays with pageIDs as keys (AKA hash tables) for consistency with other list modules. * Added action=watch * (bug 15275) apprefix and related parameters ignore spaces at the end * action=edit no longer throws unknown error 228 when trying to create an empty section with section=new * Database replication lag doesn't cause all action=edit requests to return the nochange flag any more * (bug 15392) ApiFormatBase::formatHTML now uses $wgUrlProtocols. * (bug 15444) action=edit returns "Unknown error: ``AS_END''" where it should return just "Unknown error" * (bug 15448) YAML output returns empty values instead of 0 * (bug 15445) Added action=patrol * (bug 15466) Added action=purge * (bug 15486) action=block ignores autoblock parameter * (bug 15492) added rcprop=loginfo to list=recentchanges * (bug 15527) action=rollback can now revert anonymous editors * (bug 15535) prop=info&inprop=protection doesn't list pre-1.10 protections if the page is also protected otherwise (1.10+ style or cascading) * list=random now has rnredirect parameter, to get random redirects. * Added APIAfterExecute, APIQueryAfterExecute and APIQueryGeneratorAfterExecute hooks which allow for extending core modules in a cleaner way * action=protect checks for invalid protection types and levels * (bug 15673) Added indentation to format=wddxfm output and improved built-in WDDX formatter to resemble PHP's more * (bug 15706) Empty values for apprtype and apprlevel are now silently ignored rather than causing an exception * Added uiprop=preferencestoken to meta=userinfo * (bug 15609) Add inprop=url and inprop=readable to prop=info * Add ApiDisabled and ApiQueryDisabled classes so individual modules can be disabled in LocalSettings.php * (bug 15653) Add prop=duplicatefiles * (bug 15768) Add list=watchlistraw * (bug 15647) action=edit with basetimestamp fails if the page has been deleted and undeleted since the last edit * (bug 15785) Allow for different expiry times for different protections in action=protect * Added allowsduplicates attribute to action=paraminfo output === Languages updated in 1.14 === MediaWiki supports over 300 languages. Many localisations are updated regularly. Below only new and removed languages are listed. * Bakhtiari (bqi) (new) * Fiji Hindi (Devanagari script) (hif-deva) (new) * Krio (kri) (new) * Lezghian (lez) (new) * Laz (lzz) (new) * Niuean (niu) (new) * Oromo (om) (new) * Plautdietsch (pdt) (new) * Tarantino (roa-tara) (new) * Serbo-Croatian (sh) (new) * Tulu (tcy) (new) == Compatibility == MediaWiki 1.14 requires PHP 5 (5.2 recommended). PHP 4 is no longer supported. PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing: http://bugs.php.net/bug.php?id=34879 Upgrade affected systems to PHP 5.1 or higher. MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases. == Upgrading == 1.14 has several database changes since 1.13, and will not work without schema updates. If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes. If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data. If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions. === Caveats === Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.) For notes on 1.13.x and older releases, see HISTORY. === Online documentation === Documentation for both end-users and site administrators is currently being built up on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain) : http://www.mediawiki.org/wiki/Documentation === Mailing list === A MediaWiki-l mailing list has been set up distinct from the Wikipedia wikitech-l list: http://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. === IRC help === There's usually someone online in #mediawiki on irc.freenode.net