Change notes from older releases. For current info see RELEASE-NOTES-1.27.
-== MediaWiki 1.25 ==
+= MediaWiki 1.26 =
+
+== MediaWiki 1.26.2 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.1 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
+
+== MediaWiki 1.26.1 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.0 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
+* Fixed stray literal \n in Special:Search.
+* Fix issue that breaks HHVM Repo Authorative mode.
+* (T120267) Work around APCu memory corruption bug
+
+== MediaWiki 1.26.0 ==
+
+=== Configuration changes in 1.26 ===
+* $wgPasswordResetRoutes['email'] = true by default.
+* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
+ instead if you want to disable the parser cache.
+* New-style continuation is now the default for API action=continue. Clients may
+ use the 'rawcontinue' parameter to receive raw query-continue data, but the
+ new style is encouraged as it's harder to implement incorrectly.
+* Deprecated API formats dump and wddx have been completely removed.
+* (T7645) The "Signature" button on the edit toolbar is now hidden by default
+ in non-talk namespaces. A new configuration variable,
+ $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
+ the "Signature" button on the edit toolbar will be displayed.
+* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
+ feature that was never enabled by default.
+* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
+ This experimental feature was never enabled by default and is obsolete as of
+ MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
+* $wgMasterWaitTimeout was removed (deprecated in 1.24).
+* Fields in ParserOptions are now private. Use the accessors instead.
+* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
+ in extension.json) have been removed, after being deprecated in 1.24.
+* $wgAlwaysUseTidy has been removed.
+* ResetSessionID hook has been removed. Nothing seems to use it.
+* Certain AuthPlugin methods are deprecated in favor of new hooks:
+** AuthPlugin::initUser() is replaced by LocalUserCreated.
+** AuthPlugin::updateUser() is replaced by UserLoggedIn.
+** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
+** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
+** AuthPluginUser::isHidden() is replaced by UserIsHidden.
+** AuthPluginUser::isLocked() is replaced by UserIsLocked.
+* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
+* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
+ the passed User object.
+* $wgBlockAllowsUTEdit is now set to true by default. This allows
+ blocked users to edit their talk pages unless explicitly disabled
+ when they are being blocked.
+
+=== New features in 1.26 ===
+* (T51506) Now action=info gives estimates of actual watchers for a page.
+ See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
+ to learn how to configure if needed.
+* Change tags can now be hidden in the interface by disabling the associated
+ "tag-<id>" interface message.
+* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
+ are not affected.
+* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
+* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
+ search results are rendered. The initial use case is to append a "give us
+ feedback" link beneath the search results.
+* Added a new hook, 'RejectParserCacheValue', which allows extensions to
+ reject an otherwise-successful parser cache lookup. The intent is to allow
+ extensions to manage the eviction of archaic HTML output from the cache.
+* (T68699) The expiration of the UserID and Token login cookies
+ ($wgExtendedLoginCookieExpiration) can be configured independently of the
+ expiration of all other cookies ($wgCookieExpiration).
+* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
+ if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
+ of WebP images still disabled by default. Add $wgFileExtensions[] =
+ 'webp'; to LocalSettings.php to enable uploading of WebP images.
+* Added new hooks 'EnhancedChangesListModifyLineData' &
+ 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
+ lines in enhanced recentchanges and watchlist.
+* Caches that need purging ability now use the WANObjectCache interface.
+ This corresponds to a new $wgMainWANCache setting, which defaults to using
+ the $wgMainCacheType settings.
+* Callers needing fast light-weight data stores use $wgMainStash to select
+ the store type from $wgObjectCaches. The default is the local database.
+* Interface message overrides in the MediaWiki namespace will now be cached in
+ memcached and APC (if available), rather than memcached and local files.
+* Added a new hook, 'RandomPageQuery', to allow modification of the query used
+ by Special:Random to select random pages.
+* $wgTransactionalTimeLimit was added, which controls the request time limit
+ for potentially slow POST requests that need to be as atomic as possible.
+* ResourceLoader now loads all scripts asynchronously. The top-queue and
+ startup modules are no longer synchronously loaded.
+* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
+ page. During the deprecation period, the styles will only be loaded on pages
+ which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
+ only be loaded if explicitly required.
+* If search returns zero results and current search engine has a "did you mean"
+ suggestion, results for suggestion will be shown. Can be disabled by setting
+ $wgSearchRunSuggestedQuery to false.
+* Added several JavaScript libraries for uploading files to MediaWiki
+ from the client-side. See documentation for mw.Upload and its
+ subclasses for more information.
+* Added OOUI dialogs and layout for file upload interfaces. See
+ documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
+ subclasses for more information.
+
+=== extension.json changes in 1.26 ===
+* (T99344) The extension.json schema is now versioned. All extensions
+ and skins should set a "manifest_version" property corresponding to
+ the schema version they were written for. The only supported version
+ currently is "1".
+* (T102523) The error message if a non-array attribute is set was improved.
+* (T107646) Configuration settings can now specify how they should be merged,
+ which is necessary for arrays using integer keys.
+* (T110389) Adding namespaces through extension.json now actually works
+* $wgNamespaceProtection can now be set in extension.json.
+* $wgCapitalLinkOverrides can now be set in extension.json.
+* (T97186) Extensions using a custom prefix for their configuration settings
+ can now set a "_prefix" key to override the default of "wg".
+* (T99084) Extensions can now specify what MediaWiki core versions they
+ depend upon.
+* (T105236) The extension.json schema now validates custom classes in
+ the "ResourceModules" property properly.
+
+=== External library changes in 1.26 ===
+==== Upgraded external libraries ====
+* Updated es5-shim from v4.0.0 to v4.1.5.
+* Updated json2 from revision 2014-02-04 to 2015-05-03.
+* Updated Sinon.JS from 1.10.3 to 1.15.4.
+* Updated jQuery Client from v1.0.0 to v2.0.0.
+* Updated QUnit from v1.17.1 to v1.18.0.
+* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
+* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
+* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
+* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
+* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
+* Updated zordius/lightncandy from v0.18 to v0.21.
+
+==== New external libraries ====
+* Added composer/semver v1.0.0.
+* Added mediawiki/at-ease v1.1.0.
+* Added wikimedia/assert v0.2.2.
+* Added wikimedia/ip-set v1.0.1.
+* Added wikimedia/wrappedstring v2.0.0.
+
+==== Removed and replaced external libraries ====
+* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
+
+=== Bug fixes in 1.26 ===
+* (T53283) load.php sometimes sends 304 response without full headers
+* (T65198) Talk page tabs now have a "rel=discussion" attribute
+* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
+* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
+ value if set to an empty string.
+
+=== Action API changes in 1.26 ===
+* New-style continuation is now the default for action=continue. Clients may
+ use the 'rawcontinue' parameter to receive raw query-continue data, but the
+ new style is encouraged as it's harder to implement incorrectly.
+* Deprecated API formats dump and wddx have been completely removed.
+* API action=query&list=tags: The displayname can now be boolean false if the
+ tag is meant to be hidden from user interfaces.
+* action=import no longer allows both the namespace= and rootpage= parameters
+ to be set. If they are both set, the value of rootpage= will be ignored.
+* prop=revision output in enum mode is now sorted by timestamp rather than
+ revision ID. This usually won't make any difference.
+* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
+ with formatversion=2.
+* Various other output from meta=siteinfo will now always be arrays instead of
+ sometimes being numerically-indexed objects with formatversion=2.
+* When errors about users being blocked are returned, they now include
+ information about the relevant block.
+* (T99926) list=random has higher limits, in line with other API modules.
+* list=random's rnredirect parameter is deprecated in favor of a new
+ rnfilterredir parameter that also allows for listing both redirects and
+ non-redirects.
+* list=random now supports continuation.
+* API responses to GET requests may now include ETag and Last-Modified headers,
+ and will honor corresponding If-None-Match and If-Modified-Since on such
+ requests.
+
+=== Action API internal changes in 1.26 ===
+* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
+ into the value when the value is an assoc.
+* API action modules may now provide values for the RFC 7232 ETag and
+ Last-Modified headers. The API will check these against If-None-Match and
+ If-Modified-Since request headers on GET requests and avoid executing the
+ module when appropriate.
+
+=== Languages updated in 1.26 ===
+
+MediaWiki supports over 350 languages. Many localisations are updated
+regularly. Below only new and removed languages are listed, as well as
+changes to languages because of Phabricator reports.
+
+* Languages added:
+** ase (American sign language), thanks to translator Icemandeaf
+** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
+ मेश सिंह बोहरा, and राम प्रसाद जोशी
+** luz (لئری دوٙمینی / Southern Luri)
+** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
+ Ilja.mos, and Mashoi7
+
+=== Other changes in 1.26 ===
+* ChangeTags::tagDescription() will return false if the interface message
+ for the tag is disabled.
+* Added PageHistoryPager::doBatchLookups hook.
+* Added $wikiId parameter to FormatAutocomments hook.
+* Added ParserCacheSaveComplete to ParserCache
+* supportsDirectEditing and supportsDirectApiEditing methods added to
+ ContentHandler, to provide a way for ApiEditPage and EditPage to check
+ if direct editing of content is allowed. These methods return false,
+ by default for the ContentHandler base class and true for TextContentHandler
+ and it's derivative classes (everything in core). For Content types that
+ do not support direct editing, an alternative mechanism should be provided
+ for editing, such as action overrides or specific api modules.
+* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
+ one function. The callback can't be called directly any more. The callback
+ function is replaced with confirmCloseWindow.release().
+* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
+ ResourceLoaderModule::getDependencies(). Extension classes that override that
+ method should be updated. If they aren't updated, PHP Strict standards
+ warnings will appear when E_STRICT error reporting is enabled. Note: in the
+ near future, this parameter will probably become non-optional.
+* Removed maintenance script deleteImageMemcached.php.
+* MWFunction::newObj() was removed (deprecated in 1.25).
+ ObjectFactory::getObjectFromSpec() should be used instead.
+* The parser will no longer randomize the string it uses to mark the place of
+ items that were stripped during parsing. It will use a fixed string instead.
+ This causes the parser to re-use the regular expressions it uses to search
+ and replace markers rather than generate novel expressions on each parse.
+ Re-using regular expressions will improve performance on HHVM and the
+ forthcoming PHP 7. The interfaces changes accompanying this change are:
+ - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
+ - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
+ $prefix argument for StripState::_construct() are deprecated and their
+ value is ignored.
+* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
+ mediawiki/at-ease, and are now deprecated. Callers should use
+ MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
+* The Block class constructor now takes an associative array of parameters
+ instead of many optional positional arguments. Calling the constructor the old
+ way will issue a deprecation warning.
+* The jquery.mwExtension module was deprecated.
+* $wgSpecialPageGroups was removed (deprecated in 1.21).
+* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
+* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
+* DatabaseBase::ignoreErrors() is now protected.
+* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
+ a lengthy deprecation period.
+* The ScopedPHPTimeout class was removed.
+* Removed maintenance script fixSlaveDesync.php.
+* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
+ are deprecated. Applications using those can work via the OAuth
+ extension instead. New tokens types should not be added.
+* DatabaseBase::errorCount() was removed (unused).
+* $wgDeferredUpdateList was removed.
+* DeferredUpdates::addHTMLCacheUpdate() was removed.
+
+= MediaWiki 1.25 =
+
+== MediaWiki 1.25.5 ==
+
+This is a maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.4 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
+
+== MediaWiki 1.25.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.3 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
+* (T114606) mw.notify was not correctly fixed to the page if
+ initialized while not at the top of the page.
+* Fix issue that breaks HHVM Repo Authorative mode.
+
+== MediaWiki 1.25.3 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.2 ===
+
+* (T98975) Fix having multiple callbacks for a single hook.
+* (T107632) maintenance/refreshLinks.php did not always remove all links
+ pointing to nonexistent pages.
+* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
+ value if set to an empty string.
+* (T62174) Provide fallbacks for use of mb_convert_encoding() in
+ HtmlFormatter. It was causing an error when accessing the api help page
+ if the mbstring PHP extension was not installed.
+* (T105896) Confirmation emails would sometimes contain invalid codes.
+* (T105597) Fixed edit stash inclusion queries.
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
+ first
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
+
+== MediaWiki 1.25.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.1 ===
+
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+* (T100767) Setting a configuration setting for skin or extension to
+ false in LocalSettings.php was not working.
+* (T100635) API action=opensearch json output no longer breaks when
+ $wgDebugToolbar is enabled.
+* (T102522) Using an extension.json or skin.json file which has
+ a "manifest_version" property for 1.26 compatability will no longer
+ trigger warnings.
+* (T86156) Running updateSearchIndex.php will not throw an error as
+ page_restrictions has been added to the locked table list.
+* Special:Version would throw notices if using SVN due to an incorrectly
+ named variable. Add an additional check that an index is defined.
+
+== MediaWiki 1.25.1 ==
+
+This is a bug fix release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25 ===
+* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
+
+== MediaWiki 1.25.0 ==
=== Configuration changes in 1.25 ===
* $wgPageShowWatchingUsers was removed.
loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
warnings through mw.log.warn when accessed.
+= MediaWiki 1.24 =
-== Compatibility ==
+== MediaWiki 1.24.6 ==
-MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for
-HHVM 3.3.0.
+This is a maintenance release of the MediaWiki 1.24 branch.
-MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
-support for them is somewhat less mature. There is experimental support for
-Oracle and Microsoft SQL Server.
+=== Changes since 1.24.5 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
-The supported versions are:
+== MediaWiki 1.24.5 ==
-* MySQL 5.0.3 or later
-* PostgreSQL 8.3 or later
-* SQLite 3.3.7 or later
-* Oracle 9.0.1 or later
-* Microsoft SQL Server 2005 (9.00.1399)
+This is a security and maintenance release of the MediaWiki 1.23 branch.
-== Upgrading ==
+=== Changes since 1.24.4 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
-1.25 has several database changes since 1.24, and will not work without schema
-updates. Note that due to changes to some very large tables like the revision
-table, the schema update may take quite long (minutes on a medium sized site,
-many hours on a large site).
+== MediaWiki 1.24.4 ==
-If upgrading from before 1.11, and you are using a wiki as a commons
-repository, make sure that it is updated as well. Otherwise, errors may arise
-due to database schema changes.
+This is a security and maintenance release of the MediaWiki 1.24 branch.
-If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
-new database fields are filled with data.
+=== Changes since 1.24.3 ===
-If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
-1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
-with MediaWiki 1.21.
+* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
+* (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
+ update.php to fix.
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
+ first
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
-Don't forget to always back up your database before upgrading!
+== MediaWiki 1.24.3 ==
-See the file UPGRADE for more detailed upgrade instructions.
+This is a security and maintenance release of the MediaWiki 1.24 branch.
-For notes on 1.24.x and older releases, see HISTORY.
+=== Changes since 1.24.2 ===
-== MediaWiki 1.24 ==
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* Update jQuery from v1.11.2 to v1.11.3.
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+
+== MediaWiki 1.24.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.1 ===
+
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+ to prevent various DoS attacks.
+* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
+ likelihood of DoS.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
+ using PBKDF2.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+ prevent XSS and protect viewer's privacy.
+* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
+ loading these special pages when $wgAutoloadAttemptLowercase is false.
+* (bug T70087) Fix Special:ActiveUsers page for installations using
+ PostgreSQL.
+* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
+ and running update.php to fix.
+
+== MediaWiki 1.24.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.0 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+* Fixed a couple of entries in RELEASE-NOTES-1.24.
+* (bug T76168) OutputPage: Add accessors for some protected properties.
+* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
+
+== MediaWiki 1.24.0 ==
=== Configuration changes in 1.24 ===
* MediaWiki will no longer run if register_globals is enabled. It has been
* skins/common/images/icons/fileicon.png
* skins/common/images/ksh/button_S_italic.png
+= MediaWiki 1.23 =
+
+== MediaWiki 1.23.13 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.12 ===
+* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
+
+== MediaWiki 1.23.12 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.11 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+
+== MediaWiki 1.23.11 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.10 ===
+
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
+
+== MediaWiki 1.23.10 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.9 ===
+
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* (bug 67644) Make AutoLoaderTest handle namespaces
+* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+
+== MediaWiki 1.23.9 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.8 ===
+
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+ to prevent various DoS attacks.
+* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
+ likelihood of DoS.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+ prevent XSS and protect viewer's privacy.
+* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
+ update.php to fix.
+* (bug T70087) Fix Special:ActiveUsers page for installations using
+ PostgreSQL.
+
+== MediaWiki 1.23.8 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.7 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
+== MediaWiki 1.23.7 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.6 ===
+
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
+ HTML, it is not safe to preview wikitext coming from an untrusted source such
+ as a cross-site request. Thus add an edit token to the form, and when raw HTML
+ is allowed, ensure the token is provided before showing the preview. This
+ check is not performed on wikis that both allow raw HTML and anonymous
+ editing, since there are easier ways to exploit that scenario.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
+
+== MediaWiki 1.23.6 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.5 ===
+* (Bug 72274) Job queue not running (HTTP 411) due to missing
+ Content-Length: header
+* (Bug 67440) Allow classes to be registered properly from installer
+
+== MediaWiki 1.23.5 ==
+
+This is a security release of the MediaWiki 1.23 branch.
-== MediaWiki 1.23 ==
+=== Changes since 1.23.4 ===
+* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
+ allowance.
+
+== MediaWiki 1.23.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.3 ===
+
+* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
+ elements; normalize style elements and attributes before filtering; add
+ checks for attributes that contain css; add unit tests for html5sec and
+ reported bugs.
+* (bug 65998) Make MySQLi work with non-standard socket.
+* (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
+ settings.
+
+== MediaWiki 1.23.3 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.2 ===
+
+* (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
+* (bug 64970) Fix support for blobs on DatabaseOracle::update.
+* (bug 66574) Display MediaWiki:Loginprompt on the login page.
+* (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
+* (bug 60629) Handle invalid language code gracefully in
+ Language::fetchLanguageNames.
+* (bug 62017) Restore the number of rows shown on Special:Watchlist.
+* Check for boolean false result from database query in SqlBagOStuff.
+
+== MediaWiki 1.23.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.1 ===
+
+* (bug 68187) SECURITY: Prepend jsonp callback with comment.
+* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
+ for loading a new page in Javascript,instead of relying on the URL in the link
+ that has been clicked.
+* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
+ ParserOutput.
+* (bug 68313) Preferences: Turn stubthreshold back into a combo box.
+* (bug 65214) Fix initSiteStats.php maintenance script.
+* (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
+
+== MediaWiki 1.23.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.0 ===
+
+* (bug 65839) SECURITY: Prevent external resources in SVG files.
+* (bug 67025) Special:Watchlist: Don't try to render empty row.
+* (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
+* (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
+* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
+ like only extracting the tail of the file partially or not at all.
+* (bug 66182) Removed -x flag on some php files.
+
+== MediaWiki 1.23.0 ==
=== Configuration changes in 1.23 ===
* (bug 13250) Restored method for clearing a watchlist in web UI
==== Removed globals ====
* $wgBetterDirectionality (deprecated in 1.18)
-== MediaWiki 1.22 ==
+= MediaWiki 1.22 =
+
+== MediaWiki 1.22.15 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.14 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
+== MediaWiki 1.22.14 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+=== Changes since 1.22.13 ===
+
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
== MediaWiki 1.22.13 ==
This is a maintenance release of the MediaWiki 1.22 branch.
* (bug 47055) Changed FOR UPDATE handling in Postgresql
* (bug 57026) Avoid extra parsing in prepareContentForEdit()
+== MediaWiki 1.22.0 ==
+
=== Configuration changes in 1.22 ===
* $wgRedirectScript was removed. It was unused.
* Removed $wgLocalMessageCacheSerialized, it is now always true.
file repositories, and related ForeignAPIRepo methods getInfo and getApiUrl.
* The new query module list=allfileusages to enumerate file usages was added.
-=== Languages updated in 1.22===
+=== Languages updated in 1.22 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
* mediawiki.util: mw.util.wikiGetlink has been renamed to getUrl. (The old name
still works, but is deprecated.)
-== MediaWiki 1.21 ==
+= MediaWiki 1.21 =
== MediaWiki 1.21.11 ==
This is a security and maintenance release of the MediaWiki 1.21 branch.
* A problem with the Oracle SQL table creation was fixed.
* (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.
+== MediaWiki 1.21.0 ==
+
=== Configuration changes in 1.21 ===
* (bug 29374) $wgVectorUseSimpleSearch is now enabled by default.
* Deprecated $wgAllowRealName is removed. Use $wgHiddenPrefs[] = 'realname'
* BREAKING CHANGE: (bug 38244) Removed the mediawiki.api.titleblacklist module
and moved it to the TitleBlacklist extension.
-== MediaWiki 1.20 ==
+= MediaWiki 1.20 =
== MediaWiki 1.20.8 ==
This is a security release of the MediaWiki 1.20 branch.
== MediaWiki 1.20.3 ==
This is a security and maintenance release of the MediaWiki 1.20 branch.
-== MediaWiki 1.20.2 ==
+=== Changes since MediaWiki 1.20.2 ===
* New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.)
* (bug 44010) Context is passed to UserGetLanguageObject.
* The recursion guard on RequestContext::getLanguage() was weakened.
== MediaWiki 1.20.2 ==
This is a maintenance release of the MediaWiki 1.20 branch
-== MediaWiki 1.20.1 ==
+=== Changes since MediaWiki 1.20.1 ===
* (bug 42638) Fix API action=options&reset=1 & unit tests.
* (bug 42370) Fixed backport of 60cc060 to use mDoneWrites — caused * (bug 42592) User rights, preferences and other things are not saving in 1.20.1.
== MediaWiki 1.20.1 ==
This is a security release of the MediaWiki 1.20 branch
-Changes since 1.20
+=== Changes since 1.20.0 ===
* (bug 42202) Validate options to prevent html injection
* (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
* (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
* (bug 40632) Remove CleanupPresentationalAttributes feature
* [Database] Fixed case where trx idle callbacks might be lost.
-
-
-== MediaWiki 1.20 ==
+== MediaWiki 1.20.0 ==
=== PHP 5.3 now required ===
Since 1.20, the lowest supported version of PHP is now 5.3.2. Please
== MediaWiki 1.19.21 ==
This is a maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.20===
+=== Changes since 1.19.20 ===
* (bug 67440) Allow classes to be registered properly from installer.
* (bug 47281) Fixed a dumpBackup.php error with --uploads --include-filesoptions: Unable to find the wrapper "mwstore". * System administrators are encouraged to upgrade to this release or 1.22+ and produce a full data dump. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Backing_up_a_wiki
* (bug 63049) Removed anonymous functions from ApiFormatBase, added in1.19.13 as part of the fix for bug 61362, for PHP 5.2 compatibility.
== MediaWiki 1.19.20 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.19===
+=== Changes since 1.19.19 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
== MediaWiki 1.19.19 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.18===
+=== Changes since 1.19.18 ===
* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
== MediaWiki 1.19.18 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.17===
+=== Changes since 1.19.17 ===
* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
== MediaWiki 1.19.17 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.16===
+=== Changes since 1.19.16 ===
* (bug 65839) SECURITY: Prevent external resources in SVG files.
* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
== MediaWiki 1.19.16 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.15===
+=== Changes since 1.19.15 ===
* (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
== MediaWiki 1.19.15 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.14===
+=== Changes since 1.19.14 ===
Fixed resetting passwords.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
== MediaWiki 1.19.14 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.13===
+=== Changes since 1.19.13 ===
* (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
* (bug 62467) Set a title for the context during import on the cli.
== MediaWiki 1.19.13 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.12===
+=== Changes since 1.19.12 ===
* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
* Use the correct branch of the extensions' git repositories.
== MediaWiki 1.19.12 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.11===
+=== Changes since 1.19.11 ===
* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. * User will get an error including the namespace name if they use a non- whitelisted namespace.
* (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
== MediaWiki 1.19.11 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.10===
+=== Changes since 1.19.10 ===
* (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats
== MediaWiki 1.19.10 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.9===
+=== Changes since 1.19.9 ===
* (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
* (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
* (bug 58472) SECURITY: Disallow -o-link in styles
== MediaWiki 1.19.9 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.8===
+=== Changes since 1.19.8 ===
* (bug 53032) SECURITY: Don't cache when a call could autocreate
* (bug 55332) SECURITY: Improve css javascript detection
* (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.7===
+=== Changes since 1.19.7 ===
* SECURITY: Sanitize ResourceLoader exception messages
* SECURITY: Token-getting functions will fail when using jsonp callbacks.
* SECURITY: Fix extension detection with 2 .'s
This is a security release of the MediaWiki 1.19 branch
-=== Changes since 1.19.6===
+=== Changes since 1.19.6 ===
* (bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.
== MediaWiki 1.19.6 ==
This is a security and maintenance release of the MediaWiki 1.19 branch
-=== Changes since 1.19.5===
+=== Changes since 1.19.5 ===
* (bug 47304) SECURITY: Check SVG xml encoding against whitelist
* (bug 46590) Added AbortChangePassword hook to allow extensions to abort password changes from Special:ChangePassword
* Localisation updates from http://translatewiki.net.
This is a security and maintenance release of the MediaWiki 1.19 branch
-=== Changes since 1.19.4===
+=== Changes since 1.19.4 ===
* (bug 47251) SECURITY: Disable external entities in Import
* (bug 46859) SECURITY: Disable external entities in XMLReader
* (bug 46084) SECURITY: Sanitize $limitReport before outputting
This is a security release of the MediaWiki 1.19 branch
-=== Changes since 1.19.3===
+=== Changes since 1.19.3 ===
* New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
* (bug 44010) Context is passed to UserGetLanguageObject.
* The recursion guard on RequestContext::getLanguage() was weakened.
This is a security release of the MediaWiki 1.19 branch
-=== Changes since 1.19.2===
+=== Changes since 1.19.2 ===
* (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
* (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
* Increase permitted runtime for testParserTest (only used for continuous integration).