X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=HISTORY;h=e57d346316a4a5437fcaa32a7945ba41189a7c72;hb=d8eeb0c82fcd14f51890cf0ae00dddc43a3f740d;hp=0c2b8ac8df926bc8ee2a6bae6037e8304c1708bf;hpb=cb2896f90ebef77c02c9da4067b0e56e37471092;p=lhc%2Fweb%2Fwiklou.git diff --git a/HISTORY b/HISTORY index 0c2b8ac8df..e57d346316 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,6 +1,371 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.27. -== MediaWiki 1.25 == += MediaWiki 1.26 = + +== MediaWiki 1.26.2 == + +This is a maintenance release of the MediaWiki 1.26 branch. + +=== Changes since 1.26.1 === +* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1. + +== MediaWiki 1.26.1 == + +This is a maintenance release of the MediaWiki 1.26 branch. + +=== Changes since 1.26.0 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy. +* Fixed stray literal \n in Special:Search. +* Fix issue that breaks HHVM Repo Authorative mode. +* (T120267) Work around APCu memory corruption bug + +== MediaWiki 1.26.0 == + +=== Configuration changes in 1.26 === +* $wgPasswordResetRoutes['email'] = true by default. +* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE + instead if you want to disable the parser cache. +* New-style continuation is now the default for API action=continue. 
Clients may + use the 'rawcontinue' parameter to receive raw query-continue data, but the + new style is encouraged as it's harder to implement incorrectly. +* Deprecated API formats dump and wddx have been completely removed. +* (T7645) The "Signature" button on the edit toolbar is now hidden by default + in non-talk namespaces. A new configuration variable, + $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces + the "Signature" button on the edit toolbar will be displayed. +* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental + feature that was never enabled by default. +* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. + This experimental feature was never enabled by default and is obsolete as of + MediaWiki 1.26, in where ResourceLoader became fully asynchronous. +* $wgMasterWaitTimeout was removed (deprecated in 1.24). +* Fields in ParserOptions are now private. Use the accessors instead. +* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or + in extension.json) have been removed, after being deprecated in 1.24. +* $wgAlwaysUseTidy has been removed. +* ResetSessionID hook has been removed. Nothing seems to use it. +* Certain AuthPlugin methods are deprecated in favor of new hooks: +** AuthPlugin::initUser() is replaced by LocalUserCreated. +** AuthPlugin::updateUser() is replaced by UserLoggedIn. +** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings. +** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged. +** AuthPluginUser::isHidden() is replaced by UserIsHidden. +** AuthPluginUser::isLocked() is replaced by UserIsLocked. +* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook. +* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace + the passed User object. +* $wgBlockAllowsUTEdit is now set to true by default. 
This allows + blocked users to edit their talk pages unless explicitly disabled + when they are being blocked. + +=== New features in 1.26 === +* (T51506) Now action=info gives estimates of actual watchers for a page. + See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret + to learn how to configure if needed. +* Change tags can now be hidden in the interface by disabling the associated + "tag-" interface message. +* ':' (colon) is now invalid in usernames for new accounts. Existing accounts + are not affected. +* Added a new hook, 'LogException', to log exceptions in nonstandard ways. +* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of + search results are rendered. The initial use case is to append a "give us + feedback" link beneath the search results. +* Added a new hook, 'RejectParserCacheValue', which allows extensions to + reject an otherwise-successful parser cache lookup. The intent is to allow + extensions to manage the eviction of archaic HTML output from the cache. +* (T68699) The expiration of the UserID and Token login cookies + ($wgExtendedLoginCookieExpiration) can be configured independently of the + expiration of all other cookies ($wgCookieExpiration). +* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added + if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading + of WebP images still disabled by default. Add $wgFileExtensions[] = + 'webp'; to LocalSettings.php to enable uploading of WebP images. +* Added new hooks 'EnhancedChangesListModifyLineData' & + 'EnhancedChangesListModifyBlockLineData', to modify the data used to build + lines in enhanced recentchanges and watchlist. +* Caches that need purging ability now use the WANObjectCache interface. + This corresponds to a new $wgMainWANCache setting, which defaults to using + the $wgMainCacheType settings. 
+* Callers needing fast light-weight data stores use $wgMainStash to select + the store type from $wgObjectCaches. The default is the local database. +* Interface message overrides in the MediaWiki namespace will now be cached in + memcached and APC (if available), rather than memcached and local files. +* Added a new hook, 'RandomPageQuery', to allow modification of the query used + by Special:Random to select random pages. +* $wgTransactionalTimeLimit was added, which controls the request time limit + for potentially slow POST requests that need to be as atomic as possible. +* ResourceLoader now loads all scripts asynchronously. The top-queue and + startup modules are no longer synchronously loaded. +* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every + page. During the deprecation period, the styles will only be loaded on pages + which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will + only be loaded if explicitly required. +* If search returns zero results and current search engine has a "did you mean" + suggestion, results for suggestion will be shown. Can be disabled by setting + $wgSearchRunSuggestedQuery to false. +* Added several JavaScript libraries for uploading files to MediaWiki + from the client-side. See documentation for mw.Upload and its + subclasses for more information. +* Added OOUI dialogs and layout for file upload interfaces. See + documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its + subclasses for more information. + +=== extension.json changes in 1.26 === +* (T99344) The extension.json schema is now versioned. All extensions + and skins should set a "manifest_version" property corresponding to + the schema version they were written for. The only supported version + currently is "1". +* (T102523) The error message if a non-array attribute is set was improved. 
+* (T107646) Configuration settings can now specify how they should be merged, + which is necessary for arrays using integer keys. +* (T110389) Adding namespaces through extension.json now actually works +* $wgNamespaceProtection can now be set in extension.json. +* $wgCapitalLinkOverrides can now be set in extension.json. +* (T97186) Extensions using a custom prefix for their configuration settings + can now set a "_prefix" key to override the default of "wg". +* (T99084) Extensions can now specify what MediaWiki core versions they + depend upon. +* (T105236) The extension.json schema now validates custom classes in + the "ResourceModules" property properly. + +=== External library changes in 1.26 === +==== Upgraded external libraries ==== +* Updated es5-shim from v4.0.0 to v4.1.5. +* Updated json2 from revision 2014-02-04 to 2015-05-03. +* Updated Sinon.JS from 1.10.3 to 1.15.4. +* Updated jQuery Client from v1.0.0 to v2.0.0. +* Updated QUnit from v1.17.1 to v1.18.0. +* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16. +* Updated oojs/oojs-ui from v0.11.3 to v0.12.12. +* Updated wikimedia/cdb from v1.0.1 to v1.3.0. +* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3. +* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0. +* Updated zordius/lightncandy from v0.18 to v0.21. + +==== New external libraries ==== +* Added composer/semver v1.0.0. +* Added mediawiki/at-ease v1.1.0. +* Added wikimedia/assert v0.2.2. +* Added wikimedia/ip-set v1.0.1. +* Added wikimedia/wrappedstring v2.0.0. + +==== Removed and replaced external libraries ==== +* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9. + +=== Bug fixes in 1.26 === +* (T53283) load.php sometimes sends 304 response without full headers +* (T65198) Talk page tabs now have a "rel=discussion" attribute +* (T98841) {{msgnw:}} now preserves comments even when subst: is not used. 
+* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default + value if set to an empty string. + +=== Action API changes in 1.26 === +* New-style continuation is now the default for action=continue. Clients may + use the 'rawcontinue' parameter to receive raw query-continue data, but the + new style is encouraged as it's harder to implement incorrectly. +* Deprecated API formats dump and wddx have been completely removed. +* API action=query&list=tags: The displayname can now be boolean false if the + tag is meant to be hidden from user interfaces. +* action=import no longer allows both the namespace= and rootpage= parameters + to be set. If they are both set, the value of rootpage= will be ignored. +* prop=revision output in enum mode is now sorted by timestamp rather than + revision ID. This usually won't make any difference. +* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array + with formatversion=2. +* Various other output from meta=siteinfo will now always be arrays instead of + sometimes being numerically-indexed objects with formatversion=2. +* When errors about users being blocked are returned, they now include + information about the relevant block. +* (T99926) list=random has higher limits, in line with other API modules. +* list=random's rnredirect parameter is deprecated in favor of a new + rnfilterredir parameter that also allows for listing both redirects and + non-redirects. +* list=random now supports continuation. +* API responses to GET requests may now include ETag and Last-Modified headers, + and will honor corresponding If-None-Match and If-Modified-Since on such + requests. + +=== Action API internal changes in 1.26 === +* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key + into the value when the value is an assoc. +* API action modules may now provide values for the RFC 7232 ETag and + Last-Modified headers. 
The API will check these against If-None-Match and + If-Modified-Since request headers on GET requests and avoid executing the + module when appropriate. + +=== Languages updated in 1.26 === + +MediaWiki supports over 350 languages. Many localisations are updated +regularly. Below only new and removed languages are listed, as well as +changes to languages because of Phabricator reports. + +* Languages added: +** ase (American sign language), thanks to translator Icemandeaf +** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, + मेश सिंह बोहरा, and राम प्रसाद जोशी +** luz (لئری دوٙمینی / Southern Luri) +** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi, + Ilja.mos, and Mashoi7 + +=== Other changes in 1.26 === +* ChangeTags::tagDescription() will return false if the interface message + for the tag is disabled. +* Added PageHistoryPager::doBatchLookups hook. +* Added $wikiId parameter to FormatAutocomments hook. +* Added ParserCacheSaveComplete to ParserCache +* supportsDirectEditing and supportsDirectApiEditing methods added to + ContentHandler, to provide a way for ApiEditPage and EditPage to check + if direct editing of content is allowed. These methods return false, + by default for the ContentHandler base class and true for TextContentHandler + and it's derivative classes (everything in core). For Content types that + do not support direct editing, an alternative mechanism should be provided + for editing, such as action overrides or specific api modules. +* mediaWiki.confirmCloseWindow now returns an object of functions, instead of + one function. The callback can't be called directly any more. The callback + function is replaced with confirmCloseWindow.release(). +* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to + ResourceLoaderModule::getDependencies(). Extension classes that override that + method should be updated. 
If they aren't updated, PHP Strict standards + warnings will appear when E_STRICT error reporting is enabled. Note: in the + near future, this parameter will probably become non-optional. +* Removed maintenance script deleteImageMemcached.php. +* MWFunction::newObj() was removed (deprecated in 1.25). + ObjectFactory::getObjectFromSpec() should be used instead. +* The parser will no longer randomize the string it uses to mark the place of + items that were stripped during parsing. It will use a fixed string instead. + This causes the parser to re-use the regular expressions it uses to search + and replace markers rather than generate novel expressions on each parse. + Re-using regular expressions will improve performance on HHVM and the + forthcoming PHP 7. The interfaces changes accompanying this change are: + - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated. + - The $uniq_prefix argument for Parser::extractTagsAndParams() and the + $prefix argument for StripState::_construct() are deprecated and their + value is ignored. +* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, + mediawiki/at-ease, and are now deprecated. Callers should use + MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly. +* The Block class constructor now takes an associative array of parameters + instead of many optional positional arguments. Calling the constructor the old + way will issue a deprecation warning. +* The jquery.mwExtension module was deprecated. +* $wgSpecialPageGroups was removed (deprecated in 1.21). +* SpecialPageFactory::setGroup was removed (deprecated in 1.21). +* SpecialPageFactory::getGroup was removed (deprecated in 1.21). +* DatabaseBase::ignoreErrors() is now protected. +* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following + a lengthy deprecation period. +* The ScopedPHPTimeout class was removed. +* Removed maintenance script fixSlaveDesync.php. 
+* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() + are deprecated. Applications using those can work via the OAuth + extension instead. New tokens types should not be added. +* DatabaseBase::errorCount() was removed (unused). +* $wgDeferredUpdateList was removed. +* DeferredUpdates::addHTMLCacheUpdate() was removed. + += MediaWiki 1.25 = + +== MediaWiki 1.25.5 == + +This is a maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.4 === +* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4. + +== MediaWiki 1.25.4 == + +This is a security and maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.3 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. +* (T114606) mw.notify was not correctly fixed to the page if + initialized while not at the top of the page. +* Fix issue that breaks HHVM Repo Authorative mode. + +== MediaWiki 1.25.3 == + +This is a security and maintenance release of the MediaWiki 1.25 branch. 
+ +=== Changes since 1.25.2 === + +* (T98975) Fix having multiple callbacks for a single hook. +* (T107632) maintenance/refreshLinks.php did not always remove all links + pointing to nonexistent pages. +* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default + value if set to an empty string. +* (T62174) Provide fallbacks for use of mb_convert_encoding() in + HtmlFormatter. It was causing an error when accessing the api help page + if the mbstring PHP extension was not installed. +* (T105896) Confirmation emails would sometimes contain invalid codes. +* (T105597) Fixed edit stash inclusion queries. +* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload +* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading +* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the + first +* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails + +== MediaWiki 1.25.2 == + +This is a security and maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.1 === + +* (T94116) SECURITY: Compare API watchlist token in constant time +* (T97391) SECURITY: Escape error message strings in thumb.php +* (T106893) SECURITY: Don't leak autoblocked IP addresses on + Special:DeletedContributions +* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only + policy of Wikimedia Commons. +* (T100767) Setting a configuration setting for skin or extension to + false in LocalSettings.php was not working. +* (T100635) API action=opensearch json output no longer breaks when + $wgDebugToolbar is enabled. +* (T102522) Using an extension.json or skin.json file which has + a "manifest_version" property for 1.26 compatability will no longer + trigger warnings. +* (T86156) Running updateSearchIndex.php will not throw an error as + page_restrictions has been added to the locked table list. +* Special:Version would throw notices if using SVN due to an incorrectly + named variable. 
Add an additional check that an index is defined. + +== MediaWiki 1.25.1 == + +This is a bug fix release of the MediaWiki 1.25 branch. + +=== Changes since 1.25 === +* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension + +== MediaWiki 1.25.0 == === Configuration changes in 1.25 === * $wgPageShowWatchingUsers was removed. 
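Review bot: The new "== MediaWiki 1.26.1 ==" entry is introduced as "This is a maintenance release of the MediaWiki 1.26 branch." although its list opens with six SECURITY items (T117899, T119309, T118032, T115522, T97897, T109724); the 1.25.4 entry added in this same hunk carries the identical six items and is labelled "This is a security and maintenance release of the MediaWiki 1.25 branch.", so the 1.26.1 wording should be brought in line or readers scanning HISTORY for security releases will skip it. Smaller points in the same hunk: "Fix issue that breaks HHVM Repo Authorative mode." (in both 1.26.1 and 1.25.4) should read "Authoritative"; "ResouceLoaderContext" in the ResourceLoaderModule::getDependencies() entry is missing an "r"; "StripState::_construct()" looks like it should be "__construct()"; "MediaWiki 1.26, in where ResourceLoader became fully asynchronous" reads better as "in which"; "TextContentHandler and it's derivative classes" should be "its"; "for 1.26 compatability" in the 1.25.2 list should be "compatibility"; and "Livvinкarjala" contains a Cyrillic к where a Latin k is expected. The "New-style continuation is now the default for API action=continue" and "Deprecated API formats dump and wddx have been completely removed" entries appear verbatim under both "=== Configuration changes in 1.26 ===" and "=== Action API changes in 1.26 ==="; one copy would do. Finally, the two sub-items under the parser marker-string entry use "- Parser::getRandomString()..." while every other nested list in this file (for example the AuthPlugin entries) uses "**"; please match the existing convention.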
@@ -504,49 +869,108 @@ changes to languages because of Bugzilla reports. loadedScripts object, from wikibits.js (deprecated since 1.17) now emit warnings through mw.log.warn when accessed. += MediaWiki 1.24 = -== Compatibility == +== MediaWiki 1.24.6 == -MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for -HHVM 3.3.0. +This is a maintenance release of the MediaWiki 1.24 branch. -MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but -support for them is somewhat less mature. There is experimental support for -Oracle and Microsoft SQL Server. +=== Changes since 1.24.5 === +* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5. -The supported versions are: +== MediaWiki 1.24.5 == -* MySQL 5.0.3 or later -* PostgreSQL 8.3 or later -* SQLite 3.3.7 or later -* Oracle 9.0.1 or later -* Microsoft SQL Server 2005 (9.00.1399) +This is a security and maintenance release of the MediaWiki 1.23 branch. -== Upgrading == +=== Changes since 1.24.4 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. 
-1.25 has several database changes since 1.24, and will not work without schema -updates. Note that due to changes to some very large tables like the revision -table, the schema update may take quite long (minutes on a medium sized site, -many hours on a large site). +== MediaWiki 1.24.4 == -If upgrading from before 1.11, and you are using a wiki as a commons -repository, make sure that it is updated as well. Otherwise, errors may arise -due to database schema changes. +This is a security and maintenance release of the MediaWiki 1.24 branch. -If upgrading from before 1.7, you may want to run refreshLinks.php to ensure -new database fields are filled with data. +=== Changes since 1.24.3 === -If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to -1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed -with MediaWiki 1.21. +* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+. +* (T68650) Fix indexing of moved pages with PostgreSQL. Requires running + update.php to fix. +* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload +* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading +* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the + first +* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails -Don't forget to always back up your database before upgrading! +== MediaWiki 1.24.3 == -See the file UPGRADE for more detailed upgrade instructions. +This is a security and maintenance release of the MediaWiki 1.24 branch. -For notes on 1.24.x and older releases, see HISTORY. +=== Changes since 1.24.2 === -== MediaWiki 1.24 == +* (T94116) SECURITY: Compare API watchlist token in constant time +* (T97391) SECURITY: Escape error message strings in thumb.php +* (T106893) SECURITY: Don't leak autoblocked IP addresses on + Special:DeletedContributions +* Update jQuery from v1.11.2 to v1.11.3. 
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only + policy of Wikimedia Commons. + +== MediaWiki 1.24.2 == + +This is a security and maintenance release of the MediaWiki 1.24 branch. + +=== Changes since 1.24.1 === + +* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, + to prevent various DoS attacks. +* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce + likelihood of DoS. +* (T88310) SECURITY: Always expand xml entities when checking SVG's. +* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. +* (T85855) SECURITY: Don't execute another user's CSS or JS on preview. +* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when + using PBKDF2. +* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to + prevent XSS and protect viewer's privacy. +* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix + loading these special pages when $wgAutoloadAttemptLowercase is false. +* (bug T70087) Fix Special:ActiveUsers page for installations using + PostgreSQL. +* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change + and running update.php to fix. + +== MediaWiki 1.24.1 == + +This is a security and maintenance release of the MediaWiki 1.24 branch. + +=== Changes since 1.24.0 === + +* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which + could lead to xss. Permission to edit MediaWiki namespace is required to + exploit this. +* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in + $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as + part of its name. +* (bug T74222) The original patch for T74222 was reverted as unnecessary. +* Fixed a couple of entries in RELEASE-NOTES-1.24. +* (bug T76168) OutputPage: Add accessors for some protected properties. +* (bug T74834) Make 1.24 branch directly installable under PostgreSQL. 
+ +== MediaWiki 1.24.0 == === Configuration changes in 1.24 === * MediaWiki will no longer run if register_globals is enabled. It has been 
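Review bot: The new "== MediaWiki 1.24.5 ==" entry says "This is a security and maintenance release of the MediaWiki 1.23 branch." but it sits under "= MediaWiki 1.24 =" and is followed by "=== Changes since 1.24.4 ==="; the branch should read 1.24, as the 1.24.6, 1.24.4, 1.24.3, 1.24.2 and 1.24.1 entries in this same hunk all do. Separately, this hunk deletes the whole 1.25 "== Compatibility ==" and "== Upgrading ==" sections (PHP 5.3.3 or later with experimental HHVM 3.3.0, MySQL 5.0.3, PostgreSQL 8.3, SQLite 3.3.7, Oracle 9.0.1, Microsoft SQL Server 2005, and the warning that the 1.24-to-1.25 schema update on the revision table can take hours on a large site). The removed "For notes on 1.24.x and older releases, see HISTORY." pointer is plainly redundant inside HISTORY itself, but the supported-version list is exactly the kind of fact someone auditing an old 1.25 install looks up here, so either keep those two sections under the new "= MediaWiki 1.25 =" heading or say in the commit message that dropping them is deliberate.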
@@ -1240,8 +1664,204 @@ of files that are no longer available follows. * skins/common/images/icons/fileicon.png * skins/common/images/ksh/button_S_italic.png += MediaWiki 1.23 = + +== MediaWiki 1.23.13 == + +This is a maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.12 === +* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12. + +== MediaWiki 1.23.12 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.11 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki + +== MediaWiki 1.23.11 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.10 === + +* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload +* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading +* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails + +== MediaWiki 1.23.10 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. 
+ +=== Changes since 1.23.9 === + +* (T94116) SECURITY: Compare API watchlist token in constant time +* (T97391) SECURITY: Escape error message strings in thumb.php +* (T106893) SECURITY: Don't leak autoblocked IP addresses on + Special:DeletedContributions +* (bug 67644) Make AutoLoaderTest handle namespaces +* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+. +* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only + policy of Wikimedia Commons. + +== MediaWiki 1.23.9 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.8 === + +* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, + to prevent various DoS attacks. +* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce + likelihood of DoS. +* (T88310) SECURITY: Always expand xml entities when checking SVG's. +* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. +* (T85855) SECURITY: Don't execute another user's CSS or JS on preview. +* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to + prevent XSS and protect viewer's privacy. +* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running + update.php to fix. +* (bug T70087) Fix Special:ActiveUsers page for installations using + PostgreSQL. + +== MediaWiki 1.23.8 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.7 === + +* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which + could lead to xss. Permission to edit MediaWiki namespace is required to + exploit this. +* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in + $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as + part of its name. +* (bug T74222) The original patch for T74222 was reverted as unnecessary. 
+ +== MediaWiki 1.23.7 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.6 === + +* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code + into API clients that used format=php to process pages that underwent flash + policy mangling. This was fixed along with improving how the mangling was done + for format=json, and allowing sites to disable the mangling using + $wgMangleFlashPolicy. +* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update + the content model for a page could allow an unprivileged attacker to edit + another user's common.js under certain circumstances. The user right + "editcontentmodel" was added, and is needed to change a revision's content + model. +* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw + HTML, it is not safe to preview wikitext coming from an untrusted source such + as a cross-site request. Thus add an edit token to the form, and when raw HTML + is allowed, ensure the token is provided before showing the preview. This + check is not performed on wikis that both allow raw HTML and anonymous + editing, since there are easier ways to exploit that scenario. +* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with + DELETED_ACTION. NOTICE: this may be reverted in a future release pending a + public RFC about the desired functionality. This issue was reported by user + Bawolff. +* (bug 71621) Make allowing site-wide styles on restricted special pages a + config option. +* (bug 42723) Added updated version history from 1.19.2 to 1.22.13 +* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that + might be a flash policy directive configurable. + +== MediaWiki 1.23.6 == + +This is a maintenance release of the MediaWiki 1.23 branch. 
+ +=== Changes since 1.23.5 === +* (Bug 72274) Job queue not running (HTTP 411) due to missing + Content-Length: header +* (Bug 67440) Allow classes to be registered properly from installer + +== MediaWiki 1.23.5 == + +This is a security release of the MediaWiki 1.23 branch. -== MediaWiki 1.23 == +=== Changes since 1.23.4 === +* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module + allowance. + +== MediaWiki 1.23.4 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.3 === + +* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter
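Review bot: The "== MediaWiki 1.23.11 ==" list has three SECURITY entries (T91850, T91203/T91205, T108616) while the matching lists for 1.25.3 and 1.24.4 added earlier in this patch carry a fourth, "(T95589) SECURITY: RevDel: Check all revisions for suppression, not just the first"; please confirm that T95589 was genuinely not shipped in 1.23.11 rather than dropped by mistake, and likewise that the 1.23.12 list, which otherwise mirrors 1.24.5 item for item, intentionally lacks "(T103237) $wgUseGzip had no effect when using file cache.". Style: ticket references in this hunk come in four shapes, "(T91653)", "(bug T68650)", "(bug 67644)" and "(Bug 72274)", and severity is written both as "SECURITY:" and as "[SECURITY]"; the 1.26.x and 1.25.x entries added by this same patch consistently use "(Tnnnnn) SECURITY:", so the backported 1.23.x entries should be normalised to that form. The 1.23.13 entry reads "Fix fatal errors on some Special pages, introduced in 1.23.12." where the 1.26.2, 1.25.5 and 1.24.6 entries for the same ticket T121892 say "Fix fatal error"; pick one wording for all four.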