X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=HISTORY;h=72ff437a88cc91c73e58783c0eb466829deaff18;hb=93de72d9ae938e93bf89a7c45a29e9bb736d7b3c;hp=2dc94ba85069aa60581ad39fcc0afbeef16ddf89;hpb=7bf08b18758e314e725f9bf3855164595d257eb2;p=lhc%2Fweb%2Fwiklou.git diff --git a/HISTORY b/HISTORY index 2dc94ba850..72ff437a88 100644 --- a/HISTORY +++ b/HISTORY @@ -1,7 +1,726 @@ -Change notes from older releases. For current info see RELEASE-NOTES-1.32. +Change notes from older releases. For current info see RELEASE-NOTES-1.33. + += MediaWiki 1.32 = + +== MediaWiki 1.32.0 == + +=== Changes since MediaWiki 1.32.0-rc.2 === +* (T188327) Fix slow queries in migrateActors.php. +* (T102320) Fix $magicWords for the Sanskrit language. + +=== Changes since MediaWiki 1.32.0-rc.1 === +* Fix addition of ug_expiry column to user_groups table on MSSQL. +* (T210307) Fix the cache timestamp for forced updates. +* (T210621) User: Bypass repeatable-read when creating an actor_id. +* (T197535) Extensions can now specify PHP versions and PHP extensions they + depend on. +* Updated wikimedia/ip-set from v1.2.0 to v1.3.0. +* (T212356) When using action=delete on pages with many revisions, the module + may return a boolean-true 'scheduled' and no 'logid'. This signifies that the + deletion will be processed via the job queue. +* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and + recentchanges.rc_cur_time from the PostgreSQL schema. + +=== Changes since MediaWiki 1.32.0-rc.0 === +* (T209885) Prevent populateSearchIndex.php from breaking once actor migration + has been started. +* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php + if --lang is used with the command-line installer (install.php). + +=== Configuration changes in 1.32 === + +==== New configuration ==== +* $wgJpegQuality – The quality of JPEG thumbnails is now configurable through + this setting. The default is 80, which matches the quality of JPEG thumbnails + previously generated by ImageMagick. The quality of JPEG thumbnails generated + by GD was previously 95, but now uses the $wgJpegQuality setting as well. +* $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP + user is blocked. Doing so means that a blocked user, even after moving to a + new IP address, will still be blocked. +* $wgRawHtmlMessages – This new configuration setting is added for listing + messages which are displayed as raw HTML. +* $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a + "Content Security Policy" for your wiki. This adds a defense-in-depth feature + to stop an attacker who has found a bug in the parser allowing them to insert + malicious attributes. Disabled by default. (T135963) +* $wgGroupPermissions – A new user group, 'interface-admin', is added for + controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No + other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs' + by default. +* $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for + granting the above rights. +* $wgDBDefaultGroup – A default database group for use by maintenance scripts. +* $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you + enable client-side profiling of JavaScript modules; it is off by default. +* (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration + setting allows sysadmins to gradually migrate the database table schema for + how change tags are stored. +* (T199334) $wgTagStatisticsNewTable — This temporary configuration setting + allows sysadmins to enable the caching of Special:Tags via the new + change_tag_def table. + +==== Changed configuration ==== +* $wgUseAjax – This setting, deprecated in 1.31, is now ignored. +* $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has + been increased from 3 to 7 days. (T194414) +* $wgGroupPermissions – The right to edit sitewide Javascript + (e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface' + and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having + 'editinterface' is still necessary to edit such pages. +* $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the + old and the new schema, but reading the new schema, so Multi-Content Revisions + (MCR) are now functional per default. The new default value of the setting is + SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW. +* $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or + MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH | + SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW + for intermediate stages of migration. +* $wgDBTableOptions – The default table options now use the binary charset. The + default was already overridden in the installer-generated LocalSettings.php, + and so is always set to binary after the installer UI option was removed. The + default value is only used when the installer installs an extension. +* $wgPopularPasswordFile — The location of the default popular passwords file + has been moved to be in line with other non-PHP files used by libraries and + classes. +* $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for + potential privacy leaks by administrators. You can check + "MediaWiki:External image whitelist" on your wiki to see whether the feature + was ever used, and whether it needs to be re-enabled. + +==== Removed configuration ==== +* $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31, + have been removed. (T115414) +* $wgSiteSupportPage – This setting, unused since 1.5, was removed. +* $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed. +* $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed. + The 'html5-legacy' value for $wgFragmentMode is no longer accepted. +* $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and + most extensions, is no longer set. Instead, you can modify the system + message `emailsender`. +* $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers + were removed. RemexHtml, which is the default, should be used instead. +* (T181318) The $wgStyleVersion setting and its appendage to various script and + style URLs in OutputPage, deprecated in 1.31, was removed. +* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed + from ResourceLoader. Instead, use `@import` statements in LESS to import + files directly from nearby directories within the same project. +* (T140804) The wgResourceLoaderLESSVars configuration option, deprecated + since 1.30, was removed. Instead, to expose variables from PHP to LESS, use + the ResourceLoaderModule::getLessVars() method. +* $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18, + was removed. +* Two temporary variables for deploying the feature of filters on change lists, + $wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and + $wgStructuredChangeFiltersOnWatchlist in 1.31, were removed. + +=== New features in 1.32 === +* (T112474) Generalized the ResourceLoader mechanism for overriding modules + using a particular page during edit previews. +* (T12331) You can now log page creation events by setting $wgPageCreationLog + to true. +* Added 'ApiParseMakeOutputPage' hook. +* (T174313) Added checkbox on Special:ListUsers to display only users in + temporary user groups. +* (T152462) A cookie can now be set when an IP user is blocked to track that + user if they move to a new IP address. This is disabled by default. +* (T194950) Added 'ApiMaxLagInfo' hook. +* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when + reauthenticating. +* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if + getLoginSecurityLevel() returns non-false. +* The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser, + &$query and &$widthOption, allowing extensions even finer control over the + resulting HTML code. +* Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine + if the [mark as patrolled] link should be shown at the footer of patrollable + pages. +* The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook + is now passed by reference, allowing extensions to modify or even unset it. +* Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to + modify the return value of OutputPage#getHeadLinksArray in order to add, + remove or otherwise alter the elements to be output in the page . +* (T28934) The 'HistoryPageToolLinks' hook allows extensions to append + additional links to the subtitle of a history page. +* The 'GetLinkColours' hook now receives an additional $title parameter, + the Title object of the page being parsed, on which the links will be shown. +* (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to + render diffs between two Content objects, and DifferenceEngine::setRevisions() + to render diffs between two custom (potentially multi-content) revisions. + Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots. +* Added a temporary action=mcrundo to the web UI, as the normal undo logic + can't yet handle MCR and deadlines are forcing is to put off fixing that. + This action should be considered deprecated and should not be used directly. +* Extensions overriding ContentHandler::getUndoContent() will need to be + updated for the changed method signature. +* Added a new hook, 'UserGetRightsRemove', which can be used to remove rights + from user. Unlike the 'UserGetRights' it will ensure that removed rights + will not be reinserted. +* (T197535) Extensions can now specify PHP versions and PHP extensions they + depend on. + +=== External library changes in 1.32 === + +==== New external libraries ==== +* Added pear/Net_SMTP v1.8.0. +* Added wikimedia/xmp-reader v0.6.0. + +* Added cache/integration-tests v0.16.0 (dev-only). +* Added giorgiosironi/eris v0.10.0 (dev-only). +* Added seld/jsonlint v1.7.1 (dev-only). + +* Added EasyDeflate (unversioned). + +==== Changed external libraries ==== +* Updated OOUI from v0.26.3 to v0.29.2. +* Updated wikimedia/base-convert from v1.0.1 to v2.0.0. +* Updated wikimedia/remex-html from v1.0.3 to v2.0.1. +* Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0. +** ScopedCallback objects can no longer be serialized. +* Updated wikimedia/timestamp from v1.0.0 to v2.2.0. +* Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1. +* oyejorge/less.php replaced with our fork wikimedia/less.php +* Updated wikimedia/ip-set from v1.2.0 to v1.3.0. + +* Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only). +* Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only). +* Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only). + +* Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre. +* Updated jquery from v3.2.1 to v3.3.1. +* Updated jquery.client from v2.0.0 to v2.0.1. +* Updated jquery.i18n from v1.0.4 to v1.0.5. +* Updated mustache.js from v0.8.2-d9aa703 to v1.0.0. +* Updated OOjs from v2.2.0 to v2.2.2. +* Updated qunitjs from v2.4.0 to v2.6.2. +* Updated sinonjs from v1.17.3 to v1.17.7. + +==== Removed external libraries ==== +* pear/mail_mime-decode was removed. + +=== Bug fixes in 1.32 === +* SpecialPage::execute() will now only call checkLoginSecurityLevel() if + getLoginSecurityLevel() returns non-false. +* (T43720, T46197) Improved page display title handling for category pages +* (T65080) Fixed resetting options of some types via API action=options. + +=== Action API changes in 1.32 === +* Added templated parameters. + * A module can define a templated parameter like "{fruit}-quantity", where + the actual parameters recognized correspond to the values of a multi-valued + parameter. Then clients can make requests like + "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5". + * action=paraminfo will return templated parameter definitions separately + from normal parameters. All parameter definitions now include an "index" + key to allow clients to maintain parameter ordering when merging normal and + templated parameters. +* It is now an error to submit too many values for a multi-valued parameter. + This has generated a warning since MediaWiki 1.14. +* Assertion failures from the 'assert' and 'assertuser' parameters will no + longer use the action module's custom response format, for the few modules + that use custom formatters that handle errors. +* (T198935) User list preferences such as `email-blacklist` and similar + extension preferences are no longer represented as arrays when returned by + action=query&meta=userinfo&uiprop=options. +* 'missingparam' errors will now use the prefixed parameter name in the code + and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather + than "nofoo" and "The 'foo' parameter must be set". +* action=query&prop=revisions now takes a 'rvslots' parameter to indicate the + multi-content revision slots for which content should be returned. It also + has a new rvprop, 'roles', to indicate which roles have slots. A deprecation + warning will be issued if rvprop=content or rvprop=contentmodel are used + without rvslots. +* The rvcontentformat parameter to action=query&prop=revisions has been + deprecated. Clients should be prepared to deal with the default format for + relevant models. +* Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse, + rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated + rvprop=parsetree is forbidden with the new 'rvslots' parameter. +* action=query&prop=deletedrevisions, action=query&list=allrevisions, and + action=query&list=alldeletedrevisions are changed similarly to + &prop=revisions (see the three previous items). +* (T174032) action=compare now supports multi-content revisions. + * It has a 'slots' parameter to select diffing of individual slots. The + default behavior is to return one combined diff. + * The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat', + 'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters + are deprecated. Specify the new 'fromslots' and 'toslots' to identify which + slots have text supplied and the corresponding templated parameters for + each slot. + * The behavior of 'fromsection' and 'tosection' of extracting one section's + content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}' + instead expand the given text as if for a section edit. This effectively + declines T183823 in favor of T185723. +* (T198214) The 'disabletidy' parameter to action=parse has been + deprecated; untidy output will not be supported by future wikitext + parsers. +* Added intestactionsdetail to action=query&prop=info to allow retrieving the + reasons an action is not allowed. +* Deprecated action=query&prop=info inprop=readable in favor of + intestactions=read. +* (T212356) When using action=delete on pages with many revisions, the module + may return a boolean-true 'scheduled' and no 'logid'. This signifies that the + deletion will be processed via the job queue. + +=== Action API internal changes in 1.32 === +* Added 'ApiParseMakeOutputPage' hook. +* Parameter names may no longer contain '{' or '}', as these are now used for + templated parameters. +* (T194950) Added 'ApiMaxLagInfo' hook. +* The following methods now take a RevisionRecord rather than a Revision. No + external callers are known. + * ApiFeedContributions::feedItemAuthor() + * ApiFeedContributions::feedItemDesc() + * ApiQueryRevisionsBase::extractRevisionInfo() +* The following deprecated methods have been removed: + * ApiBase::profileIn() (deprecated in 1.25) + * ApiBase::profileOut() (deprecated in 1.25) + * ApiBase::safeProfileOut() (deprecated in 1.25) + * ApiBase::profileDBIn() (deprecated in 1.25) + * ApiBase::profileDBOut() (deprecated in 1.25) + * ApiBase::dieUsage() (deprecated in 1.29) + * ApiBase::dieUsageMsg() (deprecated in 1.29) + * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29) + * ApiBase::getErrorFromStatus() (deprecated in 1.29) + * ApiBase::parseMsg() (deprecated in 1.29) + * ApiBase::setWarning() (deprecated in 1.29) + * ApiPageSet::getInvalidTitles() (deprecated in 1.26) + * ApiQueryLogEvents::addLogParams() (deprecated in 1.25) + * ApiUsageException::getCodeString() (deprecated in 1.29) + * ApiUsageException::getMessageArray() (deprecated in 1.29) +* Class UsageException, deprecated in 1.29, has been removed. +* ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you + can now easily test $formatter->getFormat() === 'bc', and then call + $formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter. + +=== Languages updated in 1.32 === +MediaWiki supports over 350 languages. Many localisations are updated regularly. +Below only new and removed languages are listed, as well as changes to languages +because of Phabricator reports. + +* (T193566) Added language support for Ambonese Malay (abs). +* (T194047) Added language support for Shawiya, Latin script (shy-latn). +* (T195940) Added language support for Batak Mandailing (btm). +* (T137491) Added language support for Standard Moroccan Amazigh (zgh). +* (T198132) Added language support for Manipuri (mni). +* (T201276) Added language support for Western Armenian (hyw). +* (T201583) Added language support for Mon (mnw). + +=== Breaking changes in 1.32 === +* $wgRequestTime, deprecated in 1.25, was removed. Use + $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead. +* The MediaWikiI18N class, deprecated in 1.31, was removed. +* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use + Skin::msg() instead. +* wfInitShellLocale(), deprecated in 1.30, was removed. +* wfShellExecDisabled(), deprecated in 1.30, was removed. +* The type string for the parameter $lang of DateFormatter::getInstance, + deprecated in 1.31, was removed. +* The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use + MediaWiki\Session\Token::SUFFIX instead. +* EditPage::isOouiEnabled() deprecated in 1.30, was removed. +* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl() + instead. +* (T61113) The following methods and constants from the Revision class, which + were deprecated in 1.25, have now been removed: + * Revision::getRawUser() + * Revision::getRawUserText() + * Revision::getRawComment() +* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use + mw.msg() or mw.message() instead. +* mw.util.escapeId(), deprecated in 1.30, was removed. Use + mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead. +* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use + jquery.accessKeyLabel instead. +* The SqlDataUpdate class, deprecated in 1.28, has been removed. +* The Html5Internal and Html5Depurate tidy driver classes were removed, along + with the Balancer tidy implementation. Both implementations were experimental, + and were replaced by RemexHtml. +* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both + removed. Use JobQueueGroup::singleton()->push() instead. +* The jquery.footHovzer module, for mediawiki.debug, was removed. +* The es5-shim module, empty and deprecated since 1.29, was removed. +* the dom-level2-shim module, empty and deprecated since 1.29, was removed. +* the json module, empty and deprecated since 1.29, was removed. +* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was + removed. Use mediawiki.widgets.visibleLengthLimit instead. +* The jquery.farbtastic module, unused since 1.18, was removed. +* The 'jquery.expandableField' module, unused since 1.22, was removed. +* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide + any HTMLForm object rather than PreferencesForm. +* The non namespaced TimestampException class, deprecated in 1.29, was removed. + Use Wikimedia\Timestamp\TimestampException instead. +* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence, + utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed. + The UtfNormal\Utils class from the utfnormal library should be used instead. +* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants + from the UtfNormal\Constants class from the utfnormal library should be used +* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(), + only needed for PHP5 compatibility, have been removed. It now uses the boolean + values `true` and `false` respectively. +* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30, + were removed. Use the ParserCache class instead. +* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback + instead. +* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(), + deprecated since 1.26, was removed. Use getDefinitionSummary() instead. +* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump" + and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump" + is no longer loaded by default. The Vector and MonoBook skins have made a + minor change to implement the toggle feature with CSS instead. To restore + prior functionality, either explicitly load "jquery.mw-jump" in your skin + or refer to T195256 for details on how to make the same change. +* Hook 'EditPageBeforeEditChecks' was removed; + use 'EditPageGetCheckboxesDefinition' instead. +* Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since + 1.28, were removed. LinkRenderer::getLinkClasses() should be used instead. +* Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has + been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode() + instead. +* mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of + CapsuleMultiselectWidget. The following methods may no longer be used: + * setItemsFromData: Use setValue instead + * getItemsData: Use getItems instead and get the data property +* Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were + removed. Use addLink() instead. +* Another two OutputPage methods, setPageTitleActionText() and + getPageTitleActionText(), were removed. They did nothing since 1.15 (almost + ten years). Use setHTMLTitle() directly. +* The return value of OutputPage::adaptCdnTTL() has been removed. The + value returned was misleading and probably not what any caller would + have wanted. +* All MagicWord static member variables have been removed. Use appropriate + hooks or MagicWordFactory methods instead. +* MagicWord::clearCache() has been removed. Instead, create a new + MagicWordFactory, such as by calling + resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices. +* mw.util.init() has been removed. This function is not needed anymore and was + a no-op function since 1.30. +* SpecialPageFactory::resetList() is a no-op. Call overrideMwServices() + instead. +* MediaWiki no longer supports a StartProfiler.php file. Instead, you can set + $wgProfiler and $wgEnableProfileInfo. +* The mw.loader.addSource() is now considered a private method, and no longer + supports the `id, url` signature. Use the `Object` parameter instead. +* The backwards-compatibility code in HTMLForm to add a drop-down control to an + option that is not set to be a drop-down if the "mw-chosen" class is present, + is now removed. +* Several collations were removed. They were workarounds for bugs in the ICU + library and they are no longer needed (as of ICU 57.1): + * 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead + * 'xx-uca-et' (CollationEt) - use 'uca-et' instead + * 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead +* LanguageCode::bcp47() now always returns a valid BCP 47 code. This means + that some MediaWiki-specific language codes, such as `simple`, are mapped + into valid BCP 47 codes (eg `en-simple`). +* The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated + in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'. + The ChangesListSpecialPage code for these legacy hooks, and their use in + SpecialRecentchanges.php and SpecialWatchlist, was also removed: + * ChangesListSpecialPage->getCustomFilters() + * ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters() + * ChangesListSpecialPage::customFilters +* The global function wfUseMW, deprecated since 1.26, has now been removed. Use + the "requires" property of static extension registration instead. +* $wgSpecialPages no longer accepts array syntax, deprecated since 1.18. +* The MailAddress constructor can no longer be called with a User object, + behaviour which has been deprecated since 1.24. +* LBFactory, deprecated since 1.28, has been removed. Instead, use + Wikimedia\Rdbms\LBFactory. +* The MimeMagic class, deprecated since 1.28 has been removed. Get a + MimeAnalyzer instance from MediaWikiServices instead. +* The '--tidy' option to maintenance/parse.php has been removed. Tidying + the output is now the default. Use '--no-tidy' to bypass the tidy + phase. +* The global function wfErrorLog, deprecated since 1.25, has now been removed. + Use MWLoggerLegacyLogger::emit or UDPTransport. +* The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in + 1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or + ChangesListSpecialPageQuery. +* The global function wfUsePHP, deprecated since 1.30, has now been removed. To + assert a newer version of PHP than MediaWiki does, use extension registration. +* The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been + removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead. +* DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed. +* File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed. +* The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use + the hook 'SkinEditSectionLinks' instead. +* The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed. +* The global function wfRunHooks, deprecated since 1.25, has now been removed. + Use Hooks::run(). +* The hook 'UnknownAction', deprecated since 1.19, has now been removed. +* The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use + the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead. +* The following deprecated API methods have been removed: + * ApiBase::profileIn() (deprecated in 1.25) + * ApiBase::profileOut() (deprecated in 1.25) + * ApiBase::safeProfileOut() (deprecated in 1.25) + * ApiBase::profileDBIn() (deprecated in 1.25) + * ApiBase::profileDBOut() (deprecated in 1.25) + * ApiBase::dieUsage() (deprecated in 1.29) + * ApiBase::dieUsageMsg() (deprecated in 1.29) + * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29) + * ApiBase::getErrorFromStatus() (deprecated in 1.29) + * ApiBase::parseMsg() (deprecated in 1.29) + * ApiBase::setWarning() (deprecated in 1.29) + * ApiPageSet::getInvalidTitles() (deprecated in 1.26) + * ApiQueryLogEvents::addLogParams() (deprecated in 1.25) + * ApiUsageException::getCodeString() (deprecated in 1.29) + * ApiUsageException::getMessageArray() (deprecated in 1.29) +* Class UsageException, deprecated in 1.29, has been removed. +* MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The + old "bulletin board style toolbar", known as "the 2006 wikitext editor", has + been removed, and instead sysadmins will be required to choose one (or more) + of the several extensions available for this purpose if they need the + functionality. The MediaWiki "tarball" releases have included the replacement + extension for this, the WikiEditor extension aka "the 2010 wikitext editor", + for many years now. As part of this, several parts of MediaWiki have been + removed or simplified: + * The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer + available; if an extension adds a toolbar via the EditPageBeforeEditToolbar + hook, it will be shown; extensions should provide a specific user preference + to disable themselves as needed. + * The public methods Language::getImageFile() and ::getImageFiles(), and the + related specification of $imageFiles within individual languages' code file, + as well as the referenced static media assets, all of which were only used + inside MediaWiki itself for providing the icons for the old toolbar, have + been removed without explicit deprecation. + * The internal ResourceLoader module "mediawiki.toolbar", which is unused + except by MediaWiki itself and back-compatibility code, has been removed. + * The internal ResourceLoaderEditToolbarModule class has been removed. + +=== Deprecations in 1.32 === +* HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit + button is already marked as progressive. +* Skin::setupSkinUserCss() is deprecated. Adding of modules to load + has been centralised to Skin::getDefaultModules(), which is now capable + of queueing style modules as well. +* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are + deprecated. Use addModules() instead. +* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle} + in extending classes is deprecated. Extend related doSearch* methods + instead. +* The following 'mediawiki.api' plugin modules were merged into mediawiki.api + and deprecated: mediawiki.api.category, mediawiki.api.edit, + mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse, + mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch, + mediawiki.api.messages, and mediawiki.api.rollback. +* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known + to use it. +* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken + with the 'unwatch' action parameter instead. +* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP + constant INTL_ICU_VERSION directly in all versions that MediaWiki supports. +* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead. +* The ApiQueryContributions class has been renamed to ApiQueryUserContribs. +* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor + of the namespaced classes provided by the wikimedia/xmp-reader library. +* SearchResultSet::{next,rewind} are deprecated. Calling code should + use foreach on the SearchResultSet, or the extractResults method. Extending + code should override extractResults. +* Instantiating SearchResultSet directly is deprecated. SearchEngine + implementations must subclass SearchResultSet for their purposes. +* SearchResult::setExtensionData argument has been changed from accepting an + array to accepting a Closure that returns the array when called. +* Class CryptRand, everything in MWCryptRand except generateHex() and function + MediaWikiServices::getCryptRand() are deprecated, use random_bytes() to + generate cryptographically secure random byte sequences. +* Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage() + instead. +* Language::markNoConversion() is deprecated. It confused readers because + it had unexpected behavior (only marking text if it looked like a URL) + and was only used in a single place in the code. Use + LanguageConverter::markNoConversion() instead. +* (T197492) Language::truncate() was soft deprecated in 1.31 and is + hard deprecated in this release. It has been split into two similar + methods, Language::truncateForVisual() and Language::truncateForDatabase(), + which measure length in characters and bytes, respectively. Use + Language::truncateForVisual() when possible to provide equity to users + of multibyte scripts. +* (T176526) EditPage::getContextTitle() falling back to $wgTitle when the + context title is unset is now deprecated; anything creating an EditPage + instance should set the context title via ::setContextTitle(). +* The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated. +* ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules() + are deprecated. These concepts are obsolete and have no replacement. +* String type for $lang of DifferenceEngine::setTextLanguage is deprecated. +* The following methods of OutputPage are now deprecated in favour + of using showFatalError directly: OutputPage::showFileDeleteError() + OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError() + OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError(). +* The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer + classes are now deprecated. Use a Closure instead. +* (T194263) ContentHandler::makeParserOptions() is deprecated. Use + WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead. +* (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in + MediaWiki 1.26, is now hard-deprecated. All known clients were converted to + the Parsoid v3 API in May 2015. +* $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use + $formDescriptor instead. +* SearchEngine::transformSearchTerm( $term ) should no longer be called prior + to running searchText. This method was mainly implemented to support the + 'prefix' URI param in SpecialSearch, but there are no reasons to expose this + logic as it should be handled internally by SearchEngine implementations + supporting this feature. SearchEngine implementations should no longer + override this methods. +* SearchEngine::replacePrefixes( $query ) should no longer be called prior + to running searchText/searchTitle. +* (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the + 'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'. +* Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated. + use array_filter() directly. +* The $wgShowSQLErrors global is deprecated and nonfunctional. + Set $wgShowExceptionDetails and/or $wgShowHostnames instead. +* The $wgShowDBErrorBacktrace global is deprecated and nonfunctional. + Set $wgShowExceptionDetails instead. +* Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev, + mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded, + mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() / + getOldRevision() / getNewRevision() for the first four (note that the + revision ones return a RevisionRecord, not a Revision), do your own lookup + for page/content. +* The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2 + just enable the PHP extension, and it will be autodetected. +* (T194731) DifferenceEngine properties mOldContent and mNewContent and methods + setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff() + are deprecated. To interact with a single slot, use a SlotDiffRenderer (and + subclass it to customize diff rendering); to diff custom (e.g. unsaved) + content, use setRevisions(). Subclassing DifferenceEngine should only be done + to customize page-level diff properties (such as the navigation header). +* The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated. +* All MagicWord static methods are now deprecated. Use the MagicWordFactory + methods instead. +* PasswordFactory::init is deprecated. To get a password factory with the + standard configuration, use MediaWikiServices::getPasswordFactory. +* $wgContLang is deprecated, use MediaWikiServices::getContentLanguage() + instead. +* $wgParser is deprecated, use MediaWikiServices::getParser() instead. +* wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance() + instead. +* wfGetCache() is deprecated, use ObjectCache::getInstance() instead. +* All SpecialPageFactory static methods are deprecated. Instead, call the + methods on a SpecialPageFactory instance, which may be obtained from + MediaWikiServices. +* mw.user.stickyRandomId was renamed to the more explicit + mw.user.getPageviewToken to better capture its function. +* Passing Revision objects to ContentHandler::getUndoContent() is deprecated, + Content object should be passed instead. +* (T197179) Parameters 'notice', 'notice-messages', 'notice-message', + previously used by OOUI HTMLForm fields, are now deprecated. Use + 'help', 'help-message', 'help-messages' instead. +* (T197179) HTMLFormField::getNotices() is now deprecated. +* The jquery.localize module is now deprecated. Use jquery.i18n instead. +* The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates, + or overriding ContentHandler::getSecondaryDataUpdates (T194038). +* The WikiPageDeletionUpdates hook was deprecated in favor of + PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates + (T194038). +* Content::getSecondaryDataUpdates has been deprecated in favor of + ContentHandler::getSecondaryDataUpdates() for overriding by extensions + (T194038). + Application logic should call WikiPage::doSecondaryDataUpdates() (T194037). +* Content::getDeletionUpdates has been deprecated in favor of + ContentHandler::getDeletionUpdates() for overriding by extensions (T194038). + Application logic should call WikiPage::doSecondaryDataUpdates() (T194037). +* (T198214) Old Tidy-related configuration settings, which were soft-deprecated + in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy, + $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use + $wgTidyConfig instead. +* All Tidy configurations other than Remex have been hard deprecated; + future parsers will not emit compatible output for these configurations. + In particular, running MediaWiki with tidy disabled has been deprecated. +* (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(), + and OutputPage::addWikiTextTitle() have been deprecated, since they + can result in untidy output. In addition OutputPage::addWikiTextTidy() + and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new + methods consistent. Use OutputPage::addWikiTextAsInterface() or + OutputPage::addWikiTextAsContent() instead, which ensures the output is + tidy and clarifies whether content-language specific postprocessing should + be done on the text. +* OutputPage::parse() and OutputPage::parseInline() have been deprecated + due to untidy output and inconsistent handling of wrapper divs and + interface/content language defaults. Use OutputPage::parseAsContent(), + OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface() + as appropriate. +* QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated + as they promote bad practises. I18n messages should always be properly + escaped. +* Skin::getDynamicStylesheetQuery() has been deprecated. It always + returns action=raw&ctype=text/css which callers should use directly. +* Class LegacyFormatter is deprecated. +* Use of CommentStore::insertWithTempTable() with 'img_description' is + deprecated. Use CommentStore::insert() instead. +* Language::setCode is deprecated as public function. Use Language::factory + to create a new Language object with a different language code. +* Several classes have been moved from the MediaWiki\Storage\ namespace to the + MediaWiki\Revision\ namespace. The old class names are aliased for + compatibility, but are deprecated. Classes are IncompleteRevisionException, + MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException, + RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord, + RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and + SuppressedDataException. +* When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow' + option, it is now deprecated to give its contents (the 'default' option) + as a string. They should be given as a OOUI\FieldLayout object instead. + Notably, this affects fields defined in the 'GetPreferences' hook, because + Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.) +* In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is + deprecated. For the $lang parameter, types other than Language are + deprecated. +* The $wgUseKeyHeader configuration option and the + OutputPage::getKeyHeader() method have been deprecated; the relevant + draft IETF spec expired without becoming a standard. +* Deprecated API action=query&prop=info inprop=readable in favor of + intestactions=read. + +=== Other changes in 1.32 === +* (T198811) The following tables have had their UNIQUE indexes turned into + proper PRIMARY KEYs for increased maintainability: interwiki, page_props, + protected_titles and site_identifiers. +* OOUI HTMLForm will now display help text inline after the input field, + rather than in a popup. Previous behavior can be restored by using + `'help-inline' => false`. +* The archive table's ar_rev_id field is now unique. +* Special:BotPasswords now requires reauthentication. +* (T174023) Multi-Content Revision (MCR) capabilities were introduced into the + storage layer and have basic support for display. No user interface exists + yet for creating or managing content in slots beides the main slot. See + for more + information. +* The image_comment_temp database table has been removed. Since all access + should be mediated by the CommentStore class, this change shouldn't affect + external code. +* (T206147) Database::close() will no longer commit any open transactions. +* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and + recentchanges.rc_cur_time from the PostgreSQL schema. = MediaWiki 1.31 = +== MediaWiki 1.31.1 == + +This is a security and maintenance release of the MediaWiki 1.31 branch. + +=== Changes since MediaWiki 1.31.0 === +* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides + 'newbie'. +* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's + account lock. +* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files. +* (T197229) Bundle Nuke extension, it was accidentally omitted. +* (T193995) Fix undefined patchPath() method call in parser tests. +* (T198687) Fix various selectFields methods to use the string 'NULL', not null. +* Special:BotPasswords now requires reauthentication. +* (T191608, T187638) Add 'logid' parameter to Special:Log. +* (T193829) Indicate when a Bot Password needs reset. +* (T198037) GitInfo: Don't try shelling out if it's disabled. +* (T151415) Log email changes. +* (T197206) Fix performance regression when multiple DB used without caching. +* (T197030) PHPSessionHandler: Suppress headers warnings in initialize(). +* (T182377, T196793) Exif: Guard against uncountable tag values. +* (T200861) Fix total breakage of SQLite web upgrade. +* (T200864) Fix pingback over-reporting on non-MySQL databases +* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader + hooks. + == MediaWiki 1.31.0 == === Changes since MediaWiki 1.31.0-rc.2 === @@ -488,6 +1207,43 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.30 = +== MediaWiki 1.30.1 == + +This is a security and maintenance release of the MediaWiki 1.30 branch. + +=== Changes since MediaWiki 1.30.0 === +* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides + 'newbie'. +* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's + account lock. +* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array. +* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency). +* (T189567) the CLI installer (maintenance/install.php) learned to detect and + include extensions. Pass --with-extensions to enable that feature. +* (T190503) Let built-in web server (maintenance/dev) handle .php requests. +* (T167507) selenium: Run Chrome headlessly. +* selenium: Pass -no-sandbox to Chrome under Docker. +* (T179190) selenium: Move logic for running tests from package.json to selenium.sh +* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds(). +* Add default edit rate limit of 90 edits/minute for all users. +* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`. +* oojs/oojs-ui updated to remove an unnecessary dependancy. +* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. +* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. +* (T196672) The mtime of extension.json files is now able to be zero +* (T180403) Validate $length in padleft/padright parser functions. +* (T143790) Make $wgEmailConfirmToEdit only affect edit actions. +* (T193995) Fix undefined patchPath() method call in parser tests. +* Special:BotPasswords now requires reauthentication. +* (T191608, T187638) Add 'logid' parameter to Special:Log. +* (T193829) Indicate when a Bot Password needs reset. +* (T151415) Log email changes. +* (T200861) Fix total breakage of SQLite web upgrade. +* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader + hooks. +* (T190539) Explicitly require Postgres 9.1. +* (T118420) Unbreak Oracle installer. + == MediaWiki 1.30.0 == === Changes since MediaWiki 1.30.0-rc.0 === @@ -751,6 +1507,49 @@ changes to languages because of Phabricator reports. = MediaWiki 1.29 = +== MediaWiki 1.29.3 == + +This is a security and maintenance release of the MediaWiki 1.29 branch. + +=== Changes since 1.29.2 === +* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides + 'newbie'. +* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's + account lock. +* (T180551) Fix LanguageSrTest for language converter +* (T180552) Fix langauge converter parser test with self-close tags +* (T180537) Remove $wgAuth usage from wrapOldPasswords.php +* (T180485) InputBox: Have inputbox langconvert certain attributes +* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3. +* (T172927) Drop vendor from MW release branch +* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array +* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency). +* (T189567) the CLI installer (maintenance/install.php) learned to detect and + include extensions. Pass --with-extensions to enable that feature. +* (T182381) Mask deprecated call in WatchedItemUnitTest +* (T190503) Let built-in web server (maintenance/dev) handle .php requests. +* The karma qunit tests would fail on some configuration due to headers already + sent. Check headers_sent() before sending cpPosTime headers +* (T167507) selenium: Run Chrome headlessly. +* selenium: Pass -no-sandbox to Chrome under Docker +* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @ +* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel + fails under SQLite. +* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds(). +* (T179190) selenium: Move test running logic from package.json to selenium.sh. +* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48. +* Add default edit rate limit of 90 edits/minute for all users. +* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. +* (T196672) The mtime of extension.json files is now able to be zero +* (T180403) Validate $length in padleft/padright parser functions. +* (T143790) Make $wgEmailConfirmToEdit only affect edit actions. +* (T194237) Special:BotPasswords now requires reauthentication. +* (T191608, T187638) Add 'logid' parameter to Special:Log. +* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case +* (T193829) Indicate when a Bot Password needs reset. +* (T151415) Log email changes. +* (T118420) Unbreak Oracle installer. + == MediaWiki 1.29.2 == This is a security and maintenance release of the MediaWiki 1.29 branch. @@ -1526,6 +2325,34 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.27 = +== MediaWiki 1.27.5 == + +This is a security and maintenance release of the MediaWiki 1.27 branch. + +=== Changes since 1.27.4 === +* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides + 'newbie'. +* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's + account lock. +* Upgraded Moment.js from v2.8.4 to v2.19.3. +* (T160298) Fixed Special:ActiveUsers due to bad backport. +* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array. +* Updated list of SPDX licenses for extensions. +* (T189567) the CLI installer (maintenance/install.php) learned to detect and + include extensions. Pass --with-extensions to enable that feature. +* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds(). +* Add default edit rate limit of 90 edits/minute for all users. +* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. +* (T196672) The mtime of extension.json files is now able to be zero. +* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. +* (T180403) Validate $length in padleft/padright parser functions. +* (T143790) Make $wgEmailConfirmToEdit only affect edit actions. +* Special:BotPasswords now requires reauthentication. +* (T191608, T187638) Add 'logid' parameter to Special:Log. +* (T193829) Indicate when a Bot Password needs reset. +* (T151415) Log email changes. +* (T118420) Unbreak Oracle installer. + == MediaWiki 1.27.4 == This is a security and maintenance release of the MediaWiki 1.27 branch. @@ -5808,7 +6635,7 @@ This is a security and maintenance release of the MediaWiki 1.20 branch. * Localisation updates from http://translatewiki.net. * mwdocgen.php: Implement --version option. * Remove svnstat stuff used in Doxygen generation -* (bug 43594) Correctly supress warnings that were missed after the upstream +* (bug 43594) Correctly suppress warnings that were missed after the upstream * PHP change to E_STRICT being included in E_ALL. == MediaWiki 1.20.4 == @@ -8467,6 +9294,141 @@ Other significant changes to MediaWiki's language support: == MediaWiki 1.16 == +== MediaWiki 1.16.5 == +=== Changes since 1.16.4 === + +* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third + attempt at fixing bug 28235. +* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin + is enabled. + +== MediaWiki 1.16.4 == +=== Changes since 1.16.3 === + +* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6 + clients) was not actually sufficient to fix that bug. This release contains + a second attempt, hopefully we have fixed it this time. + +== MediaWiki 1.16.3 == +=== Changes since 1.16.2 === + +* (bug 28449) Fixed permissions checks in Special:Import which allowed users + without the 'import' permission to import pages from the configured import + sources. +* (bug 28235) Fixed XSS affecting IE 6 and earlier clients only, due to those + browsers looking for a file extension in the query string of the URL, and + ignoring the Content-Type header if one is found. +* (bug 28450) Fixed a CSS validation issue involving escaped comments, which + led to XSS for Internet Explorer clients and privacy loss for other clients. + +== MediaWiki 1.16.2 == +=== Changes since 1.16.1 === + +* (bug 26642) Fixed incorrect translated namespace due to a regression in the + language converter. +* The interface translations were updated. +* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability. +* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability. + Affects Windows servers only. A malicious file with extension ".php" must + exist on the server for the exploit to be effective. + +== MediaWiki 1.16.1 == +=== Changes since 1.16.0 === + +* (bug 24981) Allow extensions to access SpecialUpload variables again +* (bug 24724) list=allusers was out by 1 (shows total users - 1) +* (bug 24166) Fixed API error when using rvprop=tags +* For wikis using French as a content language, Special:Téléchargement works + again as an alias for Special:Upload. +* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0) +* (bug 25248) Fixed paraminfo errors in certain API modules. +* The installer now has improved handling for situations where safe_mode is + active or exec() and similar functions are disabled. +* (bug 19593) Specifying --server in now works for all maintenance scripts. +* Fixed $wgLicenseTerms register globals. +* (bug 26561) Fixed clickjacking vulnerabilities by introducing support for + X-Frame-Options. The header value can be configured using $wgBreakFrames and + $wgEditPageFrameOptions. + +== MediaWiki 1.16.0 == +=== Changes since 1.16 beta 3 === + +* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in + 1.16 beta 1, but is currently poorly supported by browsers. +* (bug 23175) Re-added window.ta variable for backwards compatibility. +* (bug 23264) Fixed breakage of various command line scripts due to extra line + endings being inserted by Maintenance::output(). +* Fixed HTTP client functionality with safe_mode=On. +* Fixed parser tests broken in 1.16 beta 3. +* For Oracle DB backend: fixed parser tests and table prefix feature. +* (bug 23767) Fixed PHP warning when REQUEST_URI is blank (IIS issue). +* Fixed plural function for Northern Sami (se) +* (bug 23597) Fixed conflicts between ID attributes in the Vector skin and + parser-generated heading IDs. Renamed head, panel, head-base and page-base. +* Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet. +* (bug 23465) Don't ignore the predefined destination filename on + Special:Upload after following a red link to a file. +* In SQLite full-text search feature: fixed "move page" feature, was non- + functional. +* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect + user privacy in the case where an attacker can access the wiki through the + same HTTP proxy as a logged-in user. +* Fixed an XSS vulnerability in profileinfo.php for installations with + $wgEnableProfileInfo = true (false by default) +* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being + false. Fixed a minor header parsing issue when $wgUseXVO = true. +* Fixed a register_globals arbitrary inclusion vulnerability in + MediaWikiParserTest.php, introduced in 1.16 beta 1. + +=== Changes since 1.16 beta 2 === + +* Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of + invalid usernames. +* Fixed sorting in [[Special:Allmessages]] +* (bug 23113) Fixed title in the show/hide links on diff pages +* (bug 23117) Fixed API rollback, was returning "badtoken" for valid requests +* (bug 23127) Re-added missing $1 parameter to the uploadtext message +* Fixed a bug in the Vector skin where personal tools display behind the logo +* (bug 23139) Fixed a bug in edit conflict resolution, where both textboxes + showed the same text. +* (bug 23115, bug 23124) Fixed various problems with and <h1> elements + in page views and previews when the language converter is enabled. +* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image + scaling, which was introduced in 1.16 beta 1. +* Improved error checking on installer. +* (bug 22970) Fixed a JavaScript error in the upload destination conflict + check. +* (bug 23167) Check the watch checkbox by default if the watchcreations + preference is set. +* (bug 23171) Improve IE6 version check to avoid false positives. +* (bug 23176) Fixed upload warning override feature "upload new version", + broken in 1.16 beta 1. +* Fixed regression in unwatch links sent out in notification emails. When the + mailing job was deferred via the job queue, the title was incorrect. +* (bug 23534) Fixed SQL query error in API list=allusers. +* Fixed a bug in uploads for non-JavaScript clients. An empty string was used + as the default destination filename, instead of the source filename as + expected. +* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create + account" and "create by e-mail" features of [[Special:Userlogin]] +* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS + validation issue. +* Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick + expanded wildcard characters "?" and "*" in image filenames, potentially + causing large numbers of images to be scaled in response to a single request. + The fix for this involves breaking the scaling of such image filenames until + ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details. +* (bug 23608) Fixed invalid HTML in diff pages. + +=== Changes since 1.16 beta 1 === + +* Fixed errors in maintenance/patchSql.php +* (bug 19627) Fix regression from r57867 where HTMLForm would output + <element classes="foo bar"> rather than <element class="foo bar"> +* Fixed broken "-r" option to maintenance/lag.php +* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to + be submitted along with the user name and password. + === Configuration changes in 1.16 === * (bug 18222) $wgMinimalPasswordLength default is now 1 @@ -9341,6 +10303,77 @@ changes to languages because of Bugzilla reports. == MediaWiki 1.15 == +== MediaWiki 1.15.5 == +=== Changes since 1.15.4 === + +* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect + user privacy in the case where an attacker can access the wiki through the + same HTTP proxy as a logged-in user. +* Fixed a minor cookie header parsing issue causing incorrect Cache-Control + headers to be sent. +* Fixed an XSS vulnerability in profileinfo.php for installations with + $wgEnableProfileInfo = true (false by default) +* For backwards compatibility with extensions from 1.14.x or before, restored + the original function ApiMain::requestWriteMode(). +* In API login "need token" responses, added the cookieprefix and sessionid + fields, as in MediaWiki 1.16.x. This is an improvement to the CSRF fix + introduced in 1.15.3. + +== MediaWiki 1.15.4 == +=== Changes since 1.15.3 === + +* (bug 23534) Fixed SQL query error in API list=allusers. +* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create + account" and "create by e-mail" features of [[Special:Userlogin]] +* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS + validation issue. + +== MediaWiki 1.15.3 == +=== Changes since 1.15.2 === + +* (bug 22828) Fixed deletion on SQLite. +* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to + be submitted along with the user name and password. + +== MediaWiki 1.15.2 == +=== Changes since 1.15.1 === + +* The installer now includes a check for a data corruption issue with certain + versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug + present in the official release of PHP 5.3.1. +* (bug 20239) MediaWiki:Imagemaxsize does not contain anymore a <br /> tag which + was displayed to the user +* (bug 21150) SQLite no longer raise an error when deleting files +* (bug 20880) Fixed updater failure on SQLite backend +* upgrade1_5.php now requires to be run --update option to prevent confusion +* Fixed a CSS validation issue which allowed external images to be included + into wikis where that is disallowed by configuration. +* Fixed a data leakage vulnerability for private wikis using img_auth.php or + similar image access authentication schemes. Check user permissions before + streaming out scaled images from thumb.php. + +== MediaWiki 1.15.1 == +=== Changes since 1.15.0 === +* Fixed fatal errors for unusual file repository configurations, such as + ForeignAPIRepo. +* Fixed the "change password" link on Special:Preferences to have the correct + returnto parameter. +* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block + +== MediaWiki 1.15.0 == +=== Changes since 1.15.0rc1 === + +* Removed category redirect feature, implementation was incomplete. +* (bug 18846) Remove update_password_format(), unnecessary, destroys all + passwords if a wiki with $wgPasswordSalt=false is upgraded with the web + installer. +* (bug 19127) Documentation warning for PostgreSQL users who run update.php: + use the same user in AdminSettings.php as in LocalSettings.php. +* Fixed possible web invocation of some maintenance scripts, due to the use of + include() instead of require(). A full exploit would require a very strange + web server configuration. +* Localisation updates. + === Configuration changes in 1.15 === * Added $wgNewPasswordExpiry, to specify an expiry time (in seconds) to @@ -9702,6 +10735,27 @@ changes to languages because of Bugzilla reports. == MediaWiki 1.14 == +== MediaWiki 1.14.1 == +=== Changes since 1.14.0 === + +* (bug 17737) Fixed russian URLs for Special:BookSources +* (bug 17713) Using links with only an anchor no longer add an dummy entry in + the pagelinks table +* (bug 17897) Fixed string offset error in <pre> tags +* (bug 17832) Fixed action=delete returning 'unknownerror' instead of + 'permissiondenied' when the user is blocked +* Fixed performance regression when accessing deleted (archived) files +* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block + +== MediaWiki 1.14.0 == +=== Changes since 1.14.0rc1 === + +* Fixed the performance of the backlinks API module +* (bug 17420) Send the correct content type from action=raw when the HTML file + cache is enabled. +* (bug 17437) Fixed incorrect link to web-based installer +* (bug 17527) Fixed missing MySQL-specific options in installer + === Configuration changes in 1.14 === * $wgExemptFromUserRobotsControl is an array of namespaces to be exempt from @@ -11905,7 +12959,7 @@ it from source control: https://www.mediawiki.org/wiki/Download_from_SVN * (bug 11082) Fix check for fully-specced table names in Database::tableName * (bug 11067) Fix regression in upload conflict thumbnail display * (bug 10985) Resolved cached entries on Special:DoubleRedirects were being - supressed, breaking paging - now strikes out "fixed" results + suppressed, breaking paging - now strikes out "fixed" results * (bug 8393) <sup> and <sub> need to be preserved (without attributes) for entries in the table of contents * (bug 11114) Fix regression in read-only mode error display during editing @@ -16315,7 +17369,7 @@ pages for purposes of page relevancy ranking. * (bug 1241) Don't show 'cont.' for first entry of the category list * (bug 1240) Special:Preferences was broken in Slovenian locale when $wgUseDynamicDates is enabled -* Added magic word MAG_NOCONTENTCONVERT to supress the conversion of the +* Added magic word MAG_NOCONTENTCONVERT to suppress the conversion of the content of an article. Useful in zh: * write-lock for updating the zh conversion tables in memcache * recursively parse subpages of MediaWiki:Zhconversiontable