Add 1.31.3/1.32.3 to HISTORY
[lhc/web/wiklou.git] / HISTORY
1 Change notes from older releases. For current info see RELEASE-NOTES-1.34.
2
3 = MediaWiki 1.32 =
4
5 == MediaWiki 1.32.3 ==
6
7 This is a maintenance release of the MediaWiki 1.32 branch.
8
9 === Changes since MediaWiki 1.32.2 ===
10 * (T225558) Update installer link to PHP intl.
11 * (T225496) Detect APC for MainCacheType in CLI installer.
12 * (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies.
13 * (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.
14
15 == MediaWiki 1.32.2 ==
16
17 This is a security and maintenance release of the MediaWiki 1.32 branch.
18
19 === Changes since MediaWiki 1.32.1 ===
20 * (T204423) Backport support for hyphenated DB names in JobQueueGroup.
21 * (T216968) Return pageid as int in both list=iwbacklinks and
22 list=langbacklinks.
23 * (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
24 * (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
25 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
26 $wgBlockDisablesLogin is true.
27 * (T216029) Chrome redirects to Special:BadTitle after editing a section with
28 a non-Latin name on a page with non-Latin characters in title.
29 * Unbreak language related maintenance scripts that use StaticArrayWriter.
30 * (T219728) Added support for new Japanese era name "Reiwa".
31 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
32 token.
33 * Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
34 * (T221045) Remove orphaned code from ConfigRepository.
35 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
36 saveFileDependencies().
37 * (T224374) Fix message parameters so that the message that says SQLite is
38 out of date makes sense.
39 * (T200471) Prevent LBFactorySimple breaking ExternalStorage, when trying to
40 connect to external server with local database name.
41 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
42 * (T208881) SECURITY: blacklist CSS var().
43 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
44 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
45 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
46 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
47 view the log type.
48 * (T221739) SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358.
49
50 == MediaWiki 1.32.1 ==
51
52 === Changes since MediaWiki 1.32.0 ===
53 * (T213577) rdbms: avoid transaction status errors from ping() in rollback().
54 * rdbms: Pass required parameter.
55 * rdbms: do not treat SAVEPOINT and RELEASE SAVEPOINT as write queries.
56 * (T204531) rdbms: reduce LoadBalancer replication log spam.
57 * (T213489) Avoid session double-start in Setup.php.
58 * (T213717) Correct namespace 'Template' for gom-deva
59 * (T198054) Fix login page crash caused by unknown language via ?uselang
60 * (T215324) (T210937) list=users mistakenly reports user as missing.
61 * (T209483) Add ILBFactory::redefineLocalDomain method. This is intended for
62 use with scripts like addWiki.php to avoid mismatched domain errors.
63 * (T208871) The hard-coded Google search form on the database error page was
64 removed.
65 * (T204800) Fix Title::getFragmentForURL for bad interwiki prefix
66 * (T215566) Fix installer being unable to determine if the database exists
67 during a fresh installation.
68
69 == MediaWiki 1.32.0 ==
70
71 === Changes since MediaWiki 1.32.0-rc.2 ===
72 * (T188327) Fix slow queries in migrateActors.php.
73 * (T102320) Fix $magicWords for the Sanskrit language.
74
75 === Changes since MediaWiki 1.32.0-rc.1 ===
76 * Fix addition of ug_expiry column to user_groups table on MSSQL.
77 * (T210307) Fix the cache timestamp for forced updates.
78 * (T210621) User: Bypass repeatable-read when creating an actor_id.
79 * (T197535) Extensions can now specify PHP versions and PHP extensions they
80 depend on.
81 * Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
82 * (T212356) When using action=delete on pages with many revisions, the module
83 may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
84 deletion will be processed via the job queue.
85 * (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
86 recentchanges.rc_cur_time from the PostgreSQL schema.
87
88 === Changes since MediaWiki 1.32.0-rc.0 ===
89 * (T209885) Prevent populateSearchIndex.php from breaking once actor migration
90 has been started.
91 * (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
92 if --lang is used with the command-line installer (install.php).
93
94 === Configuration changes in 1.32 ===
95
96 ==== New configuration ====
97 * $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
98 this setting. The default is 80, which matches the quality of JPEG thumbnails
99 previously generated by ImageMagick. The quality of JPEG thumbnails generated
100 by GD was previously 95, but now uses the $wgJpegQuality setting as well.
101 * $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
102 user is blocked. Doing so means that a blocked user, even after moving to a
103 new IP address, will still be blocked.
104 * $wgRawHtmlMessages – This new configuration setting is added for listing
105 messages which are displayed as raw HTML.
106 * $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
107 "Content Security Policy" for your wiki. This adds a defense-in-depth feature
108 to stop an attacker who has found a bug in the parser allowing them to insert
109 malicious attributes. Disabled by default. (T135963)
110 * $wgGroupPermissions – A new user group, 'interface-admin', is added for
111 controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
112 other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
113 by default.
114 * $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
115 granting the above rights.
116 * $wgDBDefaultGroup – A default database group for use by maintenance scripts.
117 * $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
118 enable client-side profiling of JavaScript modules; it is off by default.
119 * (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
120 setting allows sysadmins to gradually migrate the database table schema for
121 how change tags are stored.
122 * (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
123 allows sysadmins to enable the caching of Special:Tags via the new
124 change_tag_def table.
125
126 ==== Changed configuration ====
127 * $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
128 * $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
129 been increased from 3 to 7 days. (T194414)
130 * $wgGroupPermissions – The right to edit sitewide Javascript
131 (e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
132 and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
133 'editinterface' is still necessary to edit such pages.
134 * $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
135 old and the new schema, but reading the new schema, so Multi-Content Revisions
136 (MCR) are now functional per default. The new default value of the setting is
137 SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
138 * $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
139 MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
140 SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
141 for intermediate stages of migration.
142 * $wgDBTableOptions – The default table options now use the binary charset. The
143 default was already overridden in the installer-generated LocalSettings.php,
144 and so is always set to binary after the installer UI option was removed. The
145 default value is only used when the installer installs an extension.
146 * $wgPopularPasswordFile — The location of the default popular passwords file
147 has been moved to be in line with other non-PHP files used by libraries and
148 classes.
149 * $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
150 potential privacy leaks by administrators. You can check
151 "MediaWiki:External image whitelist" on your wiki to see whether the feature
152 was ever used, and whether it needs to be re-enabled.
153
154 ==== Removed configuration ====
155 * $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
156 have been removed. (T115414)
157 * $wgSiteSupportPage – This setting, unused since 1.5, was removed.
158 * $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
159 * $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
160 The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
161 * $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
162 most extensions, is no longer set. Instead, you can modify the system
163 message `emailsender`.
164 * $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
165 were removed. RemexHtml, which is the default, should be used instead.
166 * (T181318) The $wgStyleVersion setting and its appendage to various script and
167 style URLs in OutputPage, deprecated in 1.31, was removed.
168 * (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
169 from ResourceLoader. Instead, use `@import` statements in LESS to import
170 files directly from nearby directories within the same project.
171 * (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
172 since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
173 the ResourceLoaderModule::getLessVars() method.
174 * $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
175 was removed.
176 * Two temporary variables for deploying the feature of filters on change lists,
177 $wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
178 $wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
179
180 === New features in 1.32 ===
181 * (T112474) Generalized the ResourceLoader mechanism for overriding modules
182 using a particular page during edit previews.
183 * (T12331) You can now log page creation events by setting $wgPageCreationLog
184 to true.
185 * Added 'ApiParseMakeOutputPage' hook.
186 * (T174313) Added checkbox on Special:ListUsers to display only users in
187 temporary user groups.
188 * (T152462) A cookie can now be set when an IP user is blocked to track that
189 user if they move to a new IP address. This is disabled by default.
190 * (T194950) Added 'ApiMaxLagInfo' hook.
191 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
192 reauthenticating.
193 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
194 getLoginSecurityLevel() returns non-false.
195 * The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
196 &$query and &$widthOption, allowing extensions even finer control over the
197 resulting HTML code.
198 * Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
199 if the [mark as patrolled] link should be shown at the footer of patrollable
200 pages.
201 * The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
202 is now passed by reference, allowing extensions to modify or even unset it.
203 * Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
204 modify the return value of OutputPage#getHeadLinksArray in order to add,
205 remove or otherwise alter the elements to be output in the page <head>.
206 * (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
207 additional links to the subtitle of a history page.
208 * The 'GetLinkColours' hook now receives an additional $title parameter,
209 the Title object of the page being parsed, on which the links will be shown.
210 * (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
211 render diffs between two Content objects, and DifferenceEngine::setRevisions()
212 to render diffs between two custom (potentially multi-content) revisions.
213 Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
214 * Added a temporary action=mcrundo to the web UI, as the normal undo logic
215 can't yet handle MCR and deadlines are forcing is to put off fixing that.
216 This action should be considered deprecated and should not be used directly.
217 * Extensions overriding ContentHandler::getUndoContent() will need to be
218 updated for the changed method signature.
219 * Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
220 from user. Unlike the 'UserGetRights' it will ensure that removed rights
221 will not be reinserted.
222 * (T197535) Extensions can now specify PHP versions and PHP extensions they
223 depend on.
224
225 === External library changes in 1.32 ===
226
227 ==== New external libraries ====
228 * Added pear/Net_SMTP v1.8.0.
229 * Added wikimedia/xmp-reader v0.6.0.
230
231 * Added cache/integration-tests v0.16.0 (dev-only).
232 * Added giorgiosironi/eris v0.10.0 (dev-only).
233 * Added seld/jsonlint v1.7.1 (dev-only).
234
235 * Added EasyDeflate (unversioned).
236
237 ==== Changed external libraries ====
238 * Updated OOUI from v0.26.3 to v0.29.2.
239 * Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
240 * Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
241 * Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
242 ** ScopedCallback objects can no longer be serialized.
243 * Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
244 * Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
245 * oyejorge/less.php replaced with our fork wikimedia/less.php
246 * Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
247
248 * Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
249 * Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
250 * Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
251
252 * Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
253 * Updated jquery from v3.2.1 to v3.3.1.
254 * Updated jquery.client from v2.0.0 to v2.0.1.
255 * Updated jquery.i18n from v1.0.4 to v1.0.5.
256 * Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
257 * Updated OOjs from v2.2.0 to v2.2.2.
258 * Updated qunitjs from v2.4.0 to v2.6.2.
259 * Updated sinonjs from v1.17.3 to v1.17.7.
260
261 ==== Removed external libraries ====
262 * pear/mail_mime-decode was removed.
263
264 === Bug fixes in 1.32 ===
265 * SpecialPage::execute() will now only call checkLoginSecurityLevel() if
266 getLoginSecurityLevel() returns non-false.
267 * (T43720, T46197) Improved page display title handling for category pages
268 * (T65080) Fixed resetting options of some types via API action=options.
269
270 === Action API changes in 1.32 ===
271 * Added templated parameters.
272 * A module can define a templated parameter like "{fruit}-quantity", where
273 the actual parameters recognized correspond to the values of a multi-valued
274 parameter. Then clients can make requests like
275 "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
276 * action=paraminfo will return templated parameter definitions separately
277 from normal parameters. All parameter definitions now include an "index"
278 key to allow clients to maintain parameter ordering when merging normal and
279 templated parameters.
280 * It is now an error to submit too many values for a multi-valued parameter.
281 This has generated a warning since MediaWiki 1.14.
282 * Assertion failures from the 'assert' and 'assertuser' parameters will no
283 longer use the action module's custom response format, for the few modules
284 that use custom formatters that handle errors.
285 * (T198935) User list preferences such as `email-blacklist` and similar
286 extension preferences are no longer represented as arrays when returned by
287 action=query&meta=userinfo&uiprop=options.
288 * 'missingparam' errors will now use the prefixed parameter name in the code
289 and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
290 than "nofoo" and "The 'foo' parameter must be set".
291 * action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
292 multi-content revision slots for which content should be returned. It also
293 has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
294 warning will be issued if rvprop=content or rvprop=contentmodel are used
295 without rvslots.
296 * The rvcontentformat parameter to action=query&prop=revisions has been
297 deprecated. Clients should be prepared to deal with the default format for
298 relevant models.
299 * Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
300 rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
301 rvprop=parsetree is forbidden with the new 'rvslots' parameter.
302 * action=query&prop=deletedrevisions, action=query&list=allrevisions, and
303 action=query&list=alldeletedrevisions are changed similarly to
304 &prop=revisions (see the three previous items).
305 * (T174032) action=compare now supports multi-content revisions.
306 * It has a 'slots' parameter to select diffing of individual slots. The
307 default behavior is to return one combined diff.
308 * The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
309 'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
310 are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
311 slots have text supplied and the corresponding templated parameters for
312 each slot.
313 * The behavior of 'fromsection' and 'tosection' of extracting one section's
314 content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
315 instead expand the given text as if for a section edit. This effectively
316 declines T183823 in favor of T185723.
317 * (T198214) The 'disabletidy' parameter to action=parse has been
318 deprecated; untidy output will not be supported by future wikitext
319 parsers.
320 * Added intestactionsdetail to action=query&prop=info to allow retrieving the
321 reasons an action is not allowed.
322 * Deprecated action=query&prop=info inprop=readable in favor of
323 intestactions=read.
324 * (T212356) When using action=delete on pages with many revisions, the module
325 may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
326 deletion will be processed via the job queue.
327
328 === Action API internal changes in 1.32 ===
329 * Added 'ApiParseMakeOutputPage' hook.
330 * Parameter names may no longer contain '{' or '}', as these are now used for
331 templated parameters.
332 * (T194950) Added 'ApiMaxLagInfo' hook.
333 * The following methods now take a RevisionRecord rather than a Revision. No
334 external callers are known.
335 * ApiFeedContributions::feedItemAuthor()
336 * ApiFeedContributions::feedItemDesc()
337 * ApiQueryRevisionsBase::extractRevisionInfo()
338 * The following deprecated methods have been removed:
339 * ApiBase::profileIn() (deprecated in 1.25)
340 * ApiBase::profileOut() (deprecated in 1.25)
341 * ApiBase::safeProfileOut() (deprecated in 1.25)
342 * ApiBase::profileDBIn() (deprecated in 1.25)
343 * ApiBase::profileDBOut() (deprecated in 1.25)
344 * ApiBase::dieUsage() (deprecated in 1.29)
345 * ApiBase::dieUsageMsg() (deprecated in 1.29)
346 * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
347 * ApiBase::getErrorFromStatus() (deprecated in 1.29)
348 * ApiBase::parseMsg() (deprecated in 1.29)
349 * ApiBase::setWarning() (deprecated in 1.29)
350 * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
351 * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
352 * ApiUsageException::getCodeString() (deprecated in 1.29)
353 * ApiUsageException::getMessageArray() (deprecated in 1.29)
354 * Class UsageException, deprecated in 1.29, has been removed.
355 * ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
356 can now easily test $formatter->getFormat() === 'bc', and then call
357 $formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
358
359 === Languages updated in 1.32 ===
360 MediaWiki supports over 350 languages. Many localisations are updated regularly.
361 Below only new and removed languages are listed, as well as changes to languages
362 because of Phabricator reports.
363
364 * (T193566) Added language support for Ambonese Malay (abs).
365 * (T194047) Added language support for Shawiya, Latin script (shy-latn).
366 * (T195940) Added language support for Batak Mandailing (btm).
367 * (T137491) Added language support for Standard Moroccan Amazigh (zgh).
368 * (T198132) Added language support for Manipuri (mni).
369 * (T201276) Added language support for Western Armenian (hyw).
370 * (T201583) Added language support for Mon (mnw).
371
372 === Breaking changes in 1.32 ===
373 * $wgRequestTime, deprecated in 1.25, was removed. Use
374 $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
375 * The MediaWikiI18N class, deprecated in 1.31, was removed.
376 * QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
377 Skin::msg() instead.
378 * wfInitShellLocale(), deprecated in 1.30, was removed.
379 * wfShellExecDisabled(), deprecated in 1.30, was removed.
380 * The type string for the parameter $lang of DateFormatter::getInstance,
381 deprecated in 1.31, was removed.
382 * The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
383 MediaWiki\Session\Token::SUFFIX instead.
384 * EditPage::isOouiEnabled() deprecated in 1.30, was removed.
385 * mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
386 instead.
387 * (T61113) The following methods and constants from the Revision class, which
388 were deprecated in 1.25, have now been removed:
389 * Revision::getRawUser()
390 * Revision::getRawUserText()
391 * Revision::getRawComment()
392 * window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
393 mw.msg() or mw.message() instead.
394 * mw.util.escapeId(), deprecated in 1.30, was removed. Use
395 mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
396 * mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
397 jquery.accessKeyLabel instead.
398 * The SqlDataUpdate class, deprecated in 1.28, has been removed.
399 * The Html5Internal and Html5Depurate tidy driver classes were removed, along
400 with the Balancer tidy implementation. Both implementations were experimental,
401 and were replaced by RemexHtml.
402 * (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
403 removed. Use JobQueueGroup::singleton()->push() instead.
404 * The jquery.footHovzer module, for mediawiki.debug, was removed.
405 * The es5-shim module, empty and deprecated since 1.29, was removed.
406 * the dom-level2-shim module, empty and deprecated since 1.29, was removed.
407 * the json module, empty and deprecated since 1.29, was removed.
408 * The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
409 removed. Use mediawiki.widgets.visibleLengthLimit instead.
410 * The jquery.farbtastic module, unused since 1.18, was removed.
411 * The 'jquery.expandableField' module, unused since 1.22, was removed.
412 * The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
413 any HTMLForm object rather than PreferencesForm.
414 * The non namespaced TimestampException class, deprecated in 1.29, was removed.
415 Use Wikimedia\Timestamp\TimestampException instead.
416 * The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
417 utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
418 The UtfNormal\Utils class from the utfnormal library should be used instead.
419 * The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
420 from the UtfNormal\Constants class from the utfnormal library should be used
421 * The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
422 only needed for PHP5 compatibility, have been removed. It now uses the boolean
423 values `true` and `false` respectively.
424 * The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
425 were removed. Use the ParserCache class instead.
426 * ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
427 instead.
428 * Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
429 deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
430 * (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
431 and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
432 is no longer loaded by default. The Vector and MonoBook skins have made a
433 minor change to implement the toggle feature with CSS instead. To restore
434 prior functionality, either explicitly load "jquery.mw-jump" in your skin
435 or refer to T195256 for details on how to make the same change.
436 * Hook 'EditPageBeforeEditChecks' was removed;
437 use 'EditPageGetCheckboxesDefinition' instead.
438 * Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
439 1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
440 * Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
441 been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
442 instead.
443 * mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
444 CapsuleMultiselectWidget. The following methods may no longer be used:
445 * setItemsFromData: Use setValue instead
446 * getItemsData: Use getItems instead and get the data property
447 * Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
448 removed. Use addLink() instead.
449 * Another two OutputPage methods, setPageTitleActionText() and
450 getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
451 ten years). Use setHTMLTitle() directly.
452 * The return value of OutputPage::adaptCdnTTL() has been removed. The
453 value returned was misleading and probably not what any caller would
454 have wanted.
455 * All MagicWord static member variables have been removed. Use appropriate
456 hooks or MagicWordFactory methods instead.
457 * MagicWord::clearCache() has been removed. Instead, create a new
458 MagicWordFactory, such as by calling
459 resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
460 * mw.util.init() has been removed. This function is not needed anymore and was
461 a no-op function since 1.30.
462 * SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
463 instead.
464 * MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
465 $wgProfiler and $wgEnableProfileInfo.
466 * The mw.loader.addSource() is now considered a private method, and no longer
467 supports the `id, url` signature. Use the `Object` parameter instead.
468 * The backwards-compatibility code in HTMLForm to add a drop-down control to an
469 option that is not set to be a drop-down if the "mw-chosen" class is present,
470 is now removed.
471 * Several collations were removed. They were workarounds for bugs in the ICU
472 library and they are no longer needed (as of ICU 57.1):
473 * 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
474 * 'xx-uca-et' (CollationEt) - use 'uca-et' instead
475 * 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
476 * LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
477 that some MediaWiki-specific language codes, such as `simple`, are mapped
478 into valid BCP 47 codes (eg `en-simple`).
479 * The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
480 in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
481 The ChangesListSpecialPage code for these legacy hooks, and their use in
482 SpecialRecentchanges.php and SpecialWatchlist, was also removed:
483 * ChangesListSpecialPage->getCustomFilters()
484 * ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
485 * ChangesListSpecialPage::customFilters
486 * The global function wfUseMW, deprecated since 1.26, has now been removed. Use
487 the "requires" property of static extension registration instead.
488 * $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
489 * The MailAddress constructor can no longer be called with a User object,
490 behaviour which has been deprecated since 1.24.
491 * LBFactory, deprecated since 1.28, has been removed. Instead, use
492 Wikimedia\Rdbms\LBFactory.
493 * The MimeMagic class, deprecated since 1.28 has been removed. Get a
494 MimeAnalyzer instance from MediaWikiServices instead.
495 * The '--tidy' option to maintenance/parse.php has been removed. Tidying
496 the output is now the default. Use '--no-tidy' to bypass the tidy
497 phase.
498 * The global function wfErrorLog, deprecated since 1.25, has now been removed.
499 Use MWLoggerLegacyLogger::emit or UDPTransport.
500 * The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
501 1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
502 ChangesListSpecialPageQuery.
503 * The global function wfUsePHP, deprecated since 1.30, has now been removed. To
504 assert a newer version of PHP than MediaWiki does, use extension registration.
505 * The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
506 removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
507 * DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
508 * File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
509 * The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
510 the hook 'SkinEditSectionLinks' instead.
511 * The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
512 * The global function wfRunHooks, deprecated since 1.25, has now been removed.
513 Use Hooks::run().
514 * The hook 'UnknownAction', deprecated since 1.19, has now been removed.
515 * The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
516 the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
517 * The following deprecated API methods have been removed:
518 * ApiBase::profileIn() (deprecated in 1.25)
519 * ApiBase::profileOut() (deprecated in 1.25)
520 * ApiBase::safeProfileOut() (deprecated in 1.25)
521 * ApiBase::profileDBIn() (deprecated in 1.25)
522 * ApiBase::profileDBOut() (deprecated in 1.25)
523 * ApiBase::dieUsage() (deprecated in 1.29)
524 * ApiBase::dieUsageMsg() (deprecated in 1.29)
525 * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
526 * ApiBase::getErrorFromStatus() (deprecated in 1.29)
527 * ApiBase::parseMsg() (deprecated in 1.29)
528 * ApiBase::setWarning() (deprecated in 1.29)
529 * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
530 * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
531 * ApiUsageException::getCodeString() (deprecated in 1.29)
532 * ApiUsageException::getMessageArray() (deprecated in 1.29)
533 * Class UsageException, deprecated in 1.29, has been removed.
534 * MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
535 old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
536 been removed, and instead sysadmins will be required to choose one (or more)
537 of the several extensions available for this purpose if they need the
538 functionality. The MediaWiki "tarball" releases have included the replacement
539 extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
540 for many years now. As part of this, several parts of MediaWiki have been
541 removed or simplified:
542 * The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
543 available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
544 hook, it will be shown; extensions should provide a specific user preference
545 to disable themselves as needed.
546 * The public methods Language::getImageFile() and ::getImageFiles(), and the
547 related specification of $imageFiles within individual languages' code file,
548 as well as the referenced static media assets, all of which were only used
549 inside MediaWiki itself for providing the icons for the old toolbar, have
550 been removed without explicit deprecation.
551 * The internal ResourceLoader module "mediawiki.toolbar", which is unused
552 except by MediaWiki itself and back-compatibility code, has been removed.
553 * The internal ResourceLoaderEditToolbarModule class has been removed.
554
555 === Deprecations in 1.32 ===
556 * HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
557 button is already marked as progressive.
558 * Skin::setupSkinUserCss() is deprecated. Adding of modules to load
559 has been centralised to Skin::getDefaultModules(), which is now capable
560 of queueing style modules as well.
561 * OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
562 deprecated. Use addModules() instead.
563 * Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
564 in extending classes is deprecated. Extend related doSearch* methods
565 instead.
566 * The following 'mediawiki.api' plugin modules were merged into mediawiki.api
567 and deprecated: mediawiki.api.category, mediawiki.api.edit,
568 mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
569 mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
570 mediawiki.api.messages, and mediawiki.api.rollback.
571 * ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
572 to use it.
573 * WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
574 with the 'unwatch' action parameter instead.
575 * IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
576 constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
577 * Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
578 * The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
579 * The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
580 of the namespaced classes provided by the wikimedia/xmp-reader library.
581 * SearchResultSet::{next,rewind} are deprecated. Calling code should
582 use foreach on the SearchResultSet, or the extractResults method. Extending
583 code should override extractResults.
584 * Instantiating SearchResultSet directly is deprecated. SearchEngine
585 implementations must subclass SearchResultSet for their purposes.
586 * SearchResult::setExtensionData argument has been changed from accepting an
587 array to accepting a Closure that returns the array when called.
588 * Class CryptRand, everything in MWCryptRand except generateHex() and function
589 MediaWikiServices::getInstance()->getCryptRand() are deprecated, use
590 random_bytes() to generate cryptographically secure random byte sequences.
591 * Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
592 instead.
593 * Language::markNoConversion() is deprecated. It confused readers because
594 it had unexpected behavior (only marking text if it looked like a URL)
595 and was only used in a single place in the code. Use
596 LanguageConverter::markNoConversion() instead.
597 * (T197492) Language::truncate() was soft deprecated in 1.31 and is
598 hard deprecated in this release. It has been split into two similar
599 methods, Language::truncateForVisual() and Language::truncateForDatabase(),
600 which measure length in characters and bytes, respectively. Use
601 Language::truncateForVisual() when possible to provide equity to users
602 of multibyte scripts.
603 * (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
604 context title is unset is now deprecated; anything creating an EditPage
605 instance should set the context title via ::setContextTitle().
606 * The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
607 * ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
608 are deprecated. These concepts are obsolete and have no replacement.
609 * String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
610 * The following methods of OutputPage are now deprecated in favour
611 of using showFatalError directly: OutputPage::showFileDeleteError()
612 OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
613 OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
614 * The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
615 classes are now deprecated. Use a Closure instead.
616 * (T194263) ContentHandler::makeParserOptions() is deprecated. Use
617 WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
618 * (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
619 MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
620 the Parsoid v3 API in May 2015.
621 * $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
622 $formDescriptor instead.
623 * SearchEngine::transformSearchTerm( $term ) should no longer be called prior
624 to running searchText. This method was mainly implemented to support the
625 'prefix' URI param in SpecialSearch, but there are no reasons to expose this
626 logic as it should be handled internally by SearchEngine implementations
627 supporting this feature. SearchEngine implementations should no longer
628 override this methods.
629 * SearchEngine::replacePrefixes( $query ) should no longer be called prior
630 to running searchText/searchTitle.
631 * (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
632 'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
633 * Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
634 use array_filter() directly.
635 * The $wgShowSQLErrors global is deprecated and nonfunctional.
636 Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
637 * The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
638 Set $wgShowExceptionDetails instead.
639 * Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
640 mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
641 mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
642 getOldRevision() / getNewRevision() for the first four (note that the
643 revision ones return a RevisionRecord, not a Revision), do your own lookup
644 for page/content.
645 * The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
646 just enable the PHP extension, and it will be autodetected.
647 * (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
648 setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
649 are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
650 subclass it to customize diff rendering); to diff custom (e.g. unsaved)
651 content, use setRevisions(). Subclassing DifferenceEngine should only be done
652 to customize page-level diff properties (such as the navigation header).
653 * The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
654 * All MagicWord static methods are now deprecated. Use the MagicWordFactory
655 methods instead.
656 * PasswordFactory::init is deprecated. To get a password factory with the
657 standard configuration, use
658 MediaWikiServices::getInstance()->getPasswordFactory.
659 * $wgContLang is deprecated, use
660 MediaWikiServices::getInstance()->getContentLanguage() instead.
661 * $wgParser is deprecated, use MediaWikiServices::getInstance()->getParser()
662 instead.
663 * wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
664 instead.
665 * wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
666 * All SpecialPageFactory static methods are deprecated. Instead, call the
667 methods on a SpecialPageFactory instance, which may be obtained from
668 MediaWikiServices.
669 * mw.user.stickyRandomId was renamed to the more explicit
670 mw.user.getPageviewToken to better capture its function.
671 * Passing Revision objects to ContentHandler::getUndoContent() is deprecated,
672 Content object should be passed instead.
673 * (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
674 previously used by OOUI HTMLForm fields, are now deprecated. Use
675 'help', 'help-message', 'help-messages' instead.
676 * (T197179) HTMLFormField::getNotices() is now deprecated.
677 * The jquery.localize module is now deprecated. Use jquery.i18n instead.
678 * The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
679 or overriding ContentHandler::getSecondaryDataUpdates (T194038).
680 * The WikiPageDeletionUpdates hook was deprecated in favor of
681 PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
682 (T194038).
683 * Content::getSecondaryDataUpdates has been deprecated in favor of
684 ContentHandler::getSecondaryDataUpdates() for overriding by extensions
685 (T194038).
686 Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
687 * Content::getDeletionUpdates has been deprecated in favor of
688 ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
689 Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
690 * (T198214) Old Tidy-related configuration settings, which were soft-deprecated
691 in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
692 $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
693 $wgTidyConfig instead.
694 * All Tidy configurations other than Remex have been hard deprecated;
695 future parsers will not emit compatible output for these configurations.
696 In particular, running MediaWiki with tidy disabled has been deprecated.
697 * (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
698 and OutputPage::addWikiTextTitle() have been deprecated, since they
699 can result in untidy output. In addition OutputPage::addWikiTextTidy()
700 and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new
701 methods consistent. Use OutputPage::addWikiTextAsInterface() or
702 OutputPage::addWikiTextAsContent() instead, which ensures the output is
703 tidy and clarifies whether content-language specific postprocessing should
704 be done on the text.
705 * OutputPage::parse() and OutputPage::parseInline() have been deprecated
706 due to untidy output and inconsistent handling of wrapper divs and
707 interface/content language defaults. Use OutputPage::parseAsContent(),
708 OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
709 as appropriate.
710 * QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
711 as they promote bad practises. I18n messages should always be properly
712 escaped.
713 * Skin::getDynamicStylesheetQuery() has been deprecated. It always
714 returns action=raw&ctype=text/css which callers should use directly.
715 * Class LegacyFormatter is deprecated.
716 * Use of CommentStore::insertWithTempTable() with 'img_description' is
717 deprecated. Use CommentStore::insert() instead.
718 * Language::setCode is deprecated as public function. Use Language::factory
719 to create a new Language object with a different language code.
720 * Several classes have been moved from the MediaWiki\Storage\ namespace to the
721 MediaWiki\Revision\ namespace. The old class names are aliased for
722 compatibility, but are deprecated. Classes are IncompleteRevisionException,
723 MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
724 RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
725 RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
726 SuppressedDataException.
727 * When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
728 option, it is now deprecated to give its contents (the 'default' option)
729 as a string. They should be given as a OOUI\FieldLayout object instead.
730 Notably, this affects fields defined in the 'GetPreferences' hook, because
731 Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
732 * In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
733 deprecated. For the $lang parameter, types other than Language are
734 deprecated.
735 * The $wgUseKeyHeader configuration option and the
736 OutputPage::getKeyHeader() method have been deprecated; the relevant
737 draft IETF spec expired without becoming a standard.
738 * Deprecated API action=query&prop=info inprop=readable in favor of
739 intestactions=read.
740
741 === Other changes in 1.32 ===
742 * (T198811) The following tables have had their UNIQUE indexes turned into
743 proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
744 protected_titles and site_identifiers.
745 * OOUI HTMLForm will now display help text inline after the input field,
746 rather than in a popup. Previous behavior can be restored by using
747 `'help-inline' => false`.
748 * The archive table's ar_rev_id field is now unique.
749 * Special:BotPasswords now requires reauthentication.
750 * (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
751 storage layer and have basic support for display. No user interface exists
752 yet for creating or managing content in slots beides the main slot. See
753 <https://www.mediawiki.org/wiki/Multi-Content_Revisions> for more
754 information.
755 * The image_comment_temp database table has been removed. Since all access
756 should be mediated by the CommentStore class, this change shouldn't affect
757 external code.
758 * (T206147) Database::close() will no longer commit any open transactions.
759 * (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
760 recentchanges.rc_cur_time from the PostgreSQL schema.
761
762 = MediaWiki 1.31 =
763
764 == MediaWiki 1.31.3 ==
765
766 This is a maintenance release of the MediaWiki 1.31 branch.
767
768 === Changes since MediaWiki 1.31.2 ===
769 * (T225558) Update installer link to PHP intl.
770 * (T225496) Detect APC for MainCacheType in CLI installer.
771 * (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies.
772 * (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.
773
774 == MediaWiki 1.31.2 ==
775
776 This is a security and maintenance release of the MediaWiki 1.31 branch.
777
778 Required PHP version has been increased from 7.0.0 to 7.0.13.
779
780 === Changes since MediaWiki 1.31.1 ===
781 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
782 all titles when asked for none.
783 * (T205967) Fix syntax error typo in postgres database upgrade file.
784 * (T200254) Add pear/Net_SMTP 1.7.3 to composer dependencies.
785 * (T206765) Load installer i18n when running update.php.
786 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
787 libraries.
788 [Also in the bundled composer /vendor directory.]
789 * Various PHP 7.2 and 7.3 compatibility fixes:
790 * (T200595, T206974) Fix PHP 7.3 warnings of using "continue" in some
791 scenarios instead of "break".
792 * (T206976, T206977) Also in the bundled LocalisationUpdate and
793 ParserFunctions extensions.
794 * (T206979) Fix PHP 7.3 warnings of using "compact()" when some variables may
795 not be set.
796 * (T215632) FormatMetadata and UploadStash regexes fixed to be PHP
797 7.3-compatible.
798 * Fix PHP warnings "preg_replace(): [...] invalid range in character class.
799 * Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable.
800 * Suppress "Headers already sent" in PHP 7.2 too.
801 * (T206476) Output only to stderr in unit tests.
802 * (T207112) Add session_write_close() calls to SessionManager tests.
803 * oyejorge/less.php replaced with our fork wikimedia/less.php
804 * (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0.
805 * (T213489) Avoid session double-start in Setup.php.
806 * (T206975) Switch to our fork of less.php.
807 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
808 * (T201781) Database: Allow selectFieldValues() to accept SQL fragments.
809 * (T205765) installer: Don't link to the obsolete "Extension Matrix" page.
810 * (T206013) Update ImportableUploadRevisionImporter for interwiki usernames.
811 * (T207541) Pass an email address, not a MailAddress, to mail().
812 * (T207603) SECURITY: User JS may no longer be loaded with mime type
813 text/javascript if there is no account associated with the username.
814 * (T112937, T113042) SECURITY: Do not allow loading pages raw with a
815 text/javascript MIME
816 type if non-admins can edit the page.
817 * (T17491) <ins>/<del> elements can be phrasing or flow.
818 * (T200827) RemexCompatMunger: Don't call endTag() in case B/b
819 * (T207088) Upgrade wikimedia/remex-html to 2.0.1.
820 [Also in the bundled composer /vendor directory.]
821 * (T194052) Updated wikimedia/base-convert from 1.0.1 to 2.0.0.
822 [Also in the bundled composer /vendor directory.]
823 * (T199494) Fix notices in maintenance/removeUnusuedAccounts.php.
824 * Require ext-fileinfo in composer.json, per PHPVersionCheck.
825 * (T176390) Bundled LocalisationUpdate extension: Handle exceptions from
826 GitHubFetcher.
827 * (T208255) Completion search should not change the search query.
828 * (T209870) Fix SQL syntax error in MS-SQL initialisation file for new wikis.
829 * (T185049) LogFormatter: Fail softer when trying to link an invalid titles.
830 * (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
831 if --lang is used with the command-line installer (install.php).
832 * (T211061) ImageListPager: Actor migration for buildQueryConds().
833 * (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
834 * Fix addition of ug_expiry column to user_groups table on MSSQL.
835 * (T204767) Add join conditions to ActiveUsersPager.
836 * (T210621) User: Bypass repeatable-read when creating an actor_id.
837 * (T204531) rdbms: reduce LoadBalancer replication log spam.
838 * (T195525) Fix db error outage page.
839 * (T208871) The hard-coded Google search form on the database error page was
840 removed.
841 * (T176097) Fix flaky MessageBlobStoreTest assertion failures.
842 * (T209423) Update required PHP version to 7.0.13.
843 * (T209885) Prevent populateSearchIndex.php from breaking once actor migration
844 has been started.
845 * (T216968) Return pageid as int in both list=iwbacklinks and
846 list=langbacklinks.
847 * (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
848 * (T204423) Backport support for hyphenated DB names in JobQueueGroup.
849 * (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
850 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
851 $wgBlockDisablesLogin is true.
852 * (T216029) Chrome redirects to Special:BadTitle after editing a section with
853 a non-Latin name on a page with non-Latin characters in title.
854 * (T219728) Added support for new Japanese era name "Reiwa".
855 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
856 token.
857 * Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
858 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
859 saveFileDependencies().
860 * (T224374) Fix message parameters so that the message that says SQLite is out
861 of date makes sense.
862 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
863 reauthenticating.
864 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
865 getLoginSecurityLevel() returns non-false.
866 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
867 * (T208881) SECURITY: blacklist CSS var().
868 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
869 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
870 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
871 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
872 view the log type.
873 * (T221739) SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358.
874
875 == MediaWiki 1.31.1 ==
876
877 This is a security and maintenance release of the MediaWiki 1.31 branch.
878
879 === Changes since MediaWiki 1.31.0 ===
880 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
881 'newbie'.
882 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
883 account lock.
884 * (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
885 * (T197229) Bundle Nuke extension, it was accidentally omitted.
886 * (T193995) Fix undefined patchPath() method call in parser tests.
887 * (T198687) Fix various selectFields methods to use the string 'NULL', not null.
888 * Special:BotPasswords now requires reauthentication.
889 * (T191608, T187638) Add 'logid' parameter to Special:Log.
890 * (T193829) Indicate when a Bot Password needs reset.
891 * (T198037) GitInfo: Don't try shelling out if it's disabled.
892 * (T151415) Log email changes.
893 * (T197206) Fix performance regression when multiple DB used without caching.
894 * (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
895 * (T182377, T196793) Exif: Guard against uncountable tag values.
896 * (T200861) Fix total breakage of SQLite web upgrade.
897 * (T200864) Fix pingback over-reporting on non-MySQL databases
898 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
899 hooks.
900
901 == MediaWiki 1.31.0 ==
902
903 === Changes since MediaWiki 1.31.0-rc.2 ===
904 * (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
905 * (T196092) Hide MySQL binary/utf-8 charset option in the installer.
906 * (T196185) Don't allow setting $wgDBmysql5 in the installer.
907 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
908 * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
909 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
910 hook.
911 * (T196672) The mtime of extension.json files is now able to be zero
912 * (T180403) Validate $length in padleft/padright parser functions.
913 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
914
915 === Changes since MediaWiki 1.31.0-rc.0 ===
916 * (T33223) Drop archive.ar_text and ar_flags.
917 * Add default edit rate limit of 90 edits/minute for all users.
918 * (T187645) Use codepoint as tiebreaker when getting first-letters in
919 IcuCollation.
920 * (T191947) Don't shell during the installer if shelling out is disabled.
921 * (T194319) Improve duplicate config setting exception as part of extension
922 registration.
923 * (T195211) Don't require trailing slash in PSR-4 autoloader directory.
924 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
925 * Do not incorrectly hide namespace input field in the installer.
926 * (T186456) Refactor checks looking for PEAR maik libraries to be clearer.
927
928 === Important pre-upgrade notes for 1.31 ===
929 * If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
930 schema changes, and cannot have downtime to run migrateArchiveText.php and
931 apply patch-drop-ar_text.sql manually, you'll have to apply a default value
932 to the ar_text and ar_flags columns of the archive table or make those
933 columns nullable before upgrading to MediaWiki 1.31.
934 maintenance/archives/patch-nullable-ar_text.sql shows how to do this for
935 MySQL.
936
937 === Configuration changes in 1.31 ===
938 * $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
939 a future version. The API is now considered to be stable, secure and
940 essential.
941 * $wgUsejQueryThree was removed, as it is now the default. This was documented
942 as a temporary variable during the migration period, deprecated since 1.29.
943 * $wgLogoHD has been updated to support svg images and uses $wgLogo where
944 possible for fallback images such as png.
945 * (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
946 have the right to mark things patrolled.
947 * Wikis that contain imported revisions or CentralAuth global blocks should run
948 maintenance/cleanupUsersWithNoId.php.
949 * The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
950 $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
951 * (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
952 are not using the latest version of the Referrer Policy specification.
953 * $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
954 first step of migration to human-readable section IDs that will later result
955 in 'html5' being the default mode.
956 * CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
957 as upstream is inactive and has no plans to move to PHP 7.
958 * The old CategorizedRecentChanges feature, including its related configuration
959 option $wgAllowCategorizedRecentChanges, has been removed.
960 * (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
961 for performance reasons, and installations with this setting will now work as
962 if it was configured with 'any'.
963 * (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
964 rather than being off by default. If you wish to disable HTML tidying
965 entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
966 Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
967 * $wgLogAutopatrol now defaults to false instead of true.
968 * $wgValidateAllHtml was removed and will be ignored.
969 * $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
970 1.25 release notes for more information.
971 * $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
972 framework that it enables. Some extensions mistakenly used this to check
973 whether any AJAX functionality at all should be enabled, further making this
974 problematic to retain.
975 * $wgDBmysql5 is now deprecated, and will be removed in a future version. It
976 has been marked as experimental ever since it was introduced.
977
978 === New features in 1.31 ===
979 * (T76554) User sub-pages named ….json are now protected in the same way that
980 ….js and ….css pages are, so that configuration options can safely be placed
981 there.
982 * Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
983 with parentheses for grouping.
984 * As a first pass in standardizing dialog boxes across the MediaWiki product,
985 Html class now provides helper methods for messageBox, successBox, errorBox
986 and warningBox generation.
987 * (T9240) Imports will now record unknown (and, optionally, known) usernames in
988 a format like "iw>Example".
989 * (T20209) Linker (used on history pages, log pages, and so on) will display
990 usernames formed like "iw>Example" as interwiki links, as if by wikitext like
991 [[iw:User:Example|iw>Example]].
992 * (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
993 users during an import.
994 * Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
995 the ParserOutput::getText() post-cache transformations.
996 * Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
997 initial page text for file uploads.
998 * (T181651) The info page for File pages now displays the file's base-16 SHA1
999 hash value in the table of basic information.
1000 * Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
1001 ParserOutput::getText() post-cache transformation. This may be disabled by
1002 passing 'deduplicateStyles' => false to that method.
1003 * The identity of the logged-in or IP "actor" for logged actions is being moved
1004 into a new actor table, with the rows in tables such as revision and logging
1005 referring to the actor ID instead of storing the user ID and name/IP in
1006 every row.
1007 * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
1008 can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
1009 soon as any necessary extensions are updated.
1010 * Most code accessing rows for logged actions from the database should use
1011 the relevant getQueryInfo() methods to get the information needed to build
1012 the SQL query. The ActorMigration class may also be used to get feature
1013 -flagged information needed to access actor-related fields during the
1014 migration period.
1015 * Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
1016 section without having to roll back the whole transaction.
1017 * Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
1018 and non-MySQL ::replace() and ::upsert() no longer roll back the whole
1019 transaction on failure.
1020 * (T189785) Added a monthly heartbeat ping to the pingback feature.
1021 * The CLI installer (maintenance/install.php) learned to detect and include
1022 extensions. Pass --with-extensions to enable that feature.
1023 * (T184791) rc_patrolled now has three states: "0" for unpatrolled,
1024 "1" for manually patrolled and "2" for autopatrolled actions.
1025 * Extensions can now set their type to "editor" if they provide an editor or
1026 enhance the editing experience.
1027 * Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
1028 property in extension.json. See the documentation at
1029 <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
1030 for more details and an example.
1031 * (T19099) Tabs which link to pages that don't exist (like those to uncreated
1032 discussion pages) now have a tooltip to indicate state, not just colour.
1033
1034 === External library changes in 1.31 ===
1035 * pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
1036 suggested to required. These packages now must be installed via composer
1037 and not via PEAR itself.
1038
1039 ==== Upgraded external libraries ====
1040 * Updated jquery.chosen from v0.9.14 to v1.8.2.
1041 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1042 * Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
1043 * Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
1044 * Updated wikimedia/relpath from 2.0.0 to 2.1.1.
1045 * Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
1046 * Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
1047 * Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
1048 * Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
1049 * Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
1050 * Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.
1051
1052 ==== New external libraries ====
1053 * Added wikimedia/object-factory 1.0.0
1054
1055 ==== Removed and replaced external libraries ====
1056 * (T17845) The deprecated 'jquery.badge' module was removed.
1057 * The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
1058 text-overflow property instead.
1059 * The deprecated 'jquery.placeholder' module was removed.
1060 * The deprecated 'jquery.appear' module was removed. Use the
1061 'mediawiki.viewport' module instead.
1062 * mediawiki/at-ease was replaced with wikimedia/at-ease.
1063
1064 === Bug fixes in 1.31 ===
1065 * (T90902) Non-breaking space in header ID breaks anchor.
1066 * (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
1067 space.
1068 * (T2087, T10897, T87753, T174639) Whitespace created by category and language
1069 links is now stripped rather than leaving blank lines in odd places.
1070 * (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
1071 * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
1072
1073 === Action API changes in 1.31 ===
1074 * (T185058) The 'name' value to tgprop for action=query&list=tags has been
1075 removed. It has never made a difference in the output, the name was always
1076 returned regardless.
1077 * The 'watch' and 'unwatch' parameters for action=move have been removed. They
1078 were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
1079 'watchlist' instead.
1080
1081 === Action API internal changes in 1.31 ===
1082 * ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
1083 * ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
1084 * ApiBase::getProfileTime, deprecated since 1.25, was removed.
1085
1086 === Languages updated in 1.31 ===
1087 MediaWiki supports over 350 languages. Many localisations are updated
1088 regularly. Below only new and removed languages are listed, as well as
1089 changes to languages because of Phabricator reports.
1090
1091 * (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
1092 * (T182305) New language support: Nyungar (nys).
1093 * (T186359) New language support: Siberian Tatar [cебертатар] (sty).
1094 * (T186635) New language support: Guianan Creole (gcr).
1095 * (T186647) New language support: Kumyk [къумукъ] (kum).
1096 * (T187750) New language support: Spanish formal address (es-formal).
1097 * (T187824) New language support: Hungarian formal address (hu-formal).
1098 * (T189127) New language support: Gorontalo (gor).
1099
1100 === Breaking changes in 1.31 ===
1101 * MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
1102 * The OutputPage class constructor now requires a context parameter.
1103 Instantiating without context was deprecated in 1.18.
1104 * The mw.page JavaScript singleton, deprecated in 1.30, was removed.
1105 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
1106 related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
1107 * The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
1108 ::onArticleEdit() methods, deprecated in 1.24, were removed.
1109 * Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
1110 removed. Use ExecutableFinder::findInDefaultPaths() instead.
1111 * The deprecated MW_DIFF_VERSION constant was removed.
1112 DifferenceEngine::MW_DIFF_VERSION should be used instead.
1113 * Due to significant refactoring, method ContribsPager::getUserCond() that had
1114 no access restriction has been removed.
1115 * The Block class will no longer accept usable-but-missing usernames for
1116 'byText' or ->setBlocker(). Callers should either ensure the blocker exists
1117 locally or use a new interwiki-format username like "iw>Example".
1118 * The following methods and constants from the WatchedItem class, which were
1119 deprecated in 1.27, have been removed:
1120 * WatchedItem::getTitle()
1121 * WatchedItem::fromUserTitle()
1122 * WatchedItem::addWatch()
1123 * WatchedItem::removeWatch()
1124 * WatchedItem::isWatched()
1125 * WatchedItem::duplicateEntries()
1126 * WatchedItem::IGNORE_USER_RIGHTS
1127 * WatchedItem::CHECK_USER_RIGHTS
1128 * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
1129 * The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
1130 $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
1131 variable, has been deprecated since 1.27 and was removed as well.
1132 * The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
1133 $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
1134 variable, has been deprecated since 1.27 and was removed as well.
1135 * The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
1136 HtmlFormatter\HtmlFormatter class should be used instead.
1137 * The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
1138 The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
1139 default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
1140 * The following properties of PreparedEdit were deprecated in 1.21 and have
1141 been removed:
1142 * PreparedEdit->newText
1143 * PreparedEdit->oldText
1144 * PreparedEdit->pst
1145 * ParserOutput objects which are generated using a non-default value for
1146 ParserOptions::setWrapOutputClass() can no longer be added to the parser
1147 cache.
1148 * The following deprecated methods from the OutputPage class have been removed:
1149 * OutputPage::addExtensionStyle(); deprecated in 1.27
1150 * OutputPage::getExtStyle(); deprecated in 1.27
1151 * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
1152 * OutputPage::setSquidMaxage(); deprecated in 1.27
1153 * OutputPage::readOnlyPage(); deprecated in 1.25
1154 * OutputPage::rateLimited(); deprecated in 1.25
1155 * Additionally, the protected OutputPage::$mExtStyles array, only accessed
1156 through the above and with no known uses, was removed.
1157 * The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
1158 * The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
1159 were removed:
1160 * $isCssJsSubpage — use ::isUserConfigPage()
1161 * $isCssSubpage — use ::isUserCssConfigPage()
1162 * $isJsSubpage — use ::isUserJsConfigPage()
1163 * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
1164 * ::getSummaryInput() – use ::getSummaryInputWidget()
1165 * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
1166 * ::getCheckboxes() – use ::getCheckboxesWidget() or
1167 ::getCheckboxesDefinition()
1168 * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
1169 ::getCheckboxesDefinition()
1170 * ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
1171 * In User, the cookie-related methods which were wrappers for the functions on
1172 the response object, and were deprecated in 1.27, have been removed:
1173 * ::setCookie()
1174 * ::clearCookie()
1175 * ::setExtendedLoginCookie()
1176 Note that User::setCookies() remains, and is not deprecated.
1177 * Also in User, some auth-related methods which were deprecated in 1.27 have
1178 been removed:
1179 * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
1180 * ::getPasswordFactory() – create a PasswordFactory directly
1181 * ::passwordChangeInputAttribs()
1182 * The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
1183 been removed.
1184 * SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
1185 use ::getNames() instead.
1186 * OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
1187 can use ApiOpenSearch::getOpenSearchTemplate() instead.
1188 * The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
1189 Wikimedia\base_convert() directly.
1190 * Calling Database::begin() explicitly during an implicit transaction or when
1191 DBO_TRX is set results in an exception. Calling Database::commit() explicitly
1192 for an implicit transaction also results in an exception. Previously these
1193 were logged as errors. The startAtomic() and endAtomic() methods, or
1194 AtomicSectionUpdate should be used instead.
1195 * The global function wfOutputHandler() was removed, use the its replacement
1196 MediaWiki\OutputHandler::handle() instead. The global function was only
1197 sometimes defined. Its replacement is always available via the autoloader.
1198 * ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
1199 deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
1200 ::listSoftwareDefinedTags() instead.
1201 * Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
1202 use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
1203 * HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
1204 * The ProfileSection class, deprecated in 1.25 and unused, has been removed.
1205 * The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
1206 ResourceLoaderModule::getLessVars() to expose local variables instead of
1207 global ones.
1208 * As part of work to modernise user-generated content clean-up, a config option
1209 and some methods related to HTML validity were removed without deprecation.
1210 The public methods MWTidy::checkErrors() and the path through which it was
1211 called, TidyDriverBase::validate(), are removed, as are the testing methods
1212 MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
1213 The $wgValidateAllHtml configuration option is removed and will be ignored.
1214 * Execution of external programs using MediaWiki\Shell\Command now applies
1215 the RESTRICT_DEFAULT Firejail restriction by default.
1216 * The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
1217 deprecated in 1.26, were removed.
1218 * The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
1219 Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.
1220
1221 === Deprecations in 1.31 ===
1222 * The Revision class was deprecated in favor of RevisionStore, BlobStore, and
1223 RevisionRecord and its subclasses.
1224 * The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
1225 * The global function wfCountDown is now deprecated in favor of
1226 Maintenance::countDown.
1227 * Several methods for returning lists of fields to select from the database
1228 have been deprecated in favor of similar methods that also return the tables
1229 to select from and the join conditions for those tables.
1230 * Block::selectFields() → Block::getQueryInfo()
1231 * RecentChange::selectFields() → RecentChange::getQueryInfo()
1232 * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
1233 * LocalFile::selectFields() → LocalFile::getQueryInfo()
1234 * LocalFile::getCacheFields() with a prefix no longer works
1235 * LocalFile::getLazyCacheFields() with a prefix no longer works
1236 * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
1237 * RecentChange::selectFields() → RecentChange::getQueryInfo()
1238 * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
1239 * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
1240 * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
1241 * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
1242 * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
1243 * Revision::selectFields() → Revision::getQueryInfo()
1244 * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
1245 * User::selectFields() → User::getQueryInfo()
1246 * WikiPage::selectFields() → WikiPage::getQueryInfo()
1247 * Revision::setUserIdAndName() was deprecated.
1248 * Access to TitleValue class properties was deprecated, the relevant getters
1249 should be used instead.
1250 * DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
1251 override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
1252 * Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
1253 Maintenance::fatalError() instead.
1254 * Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
1255 * The RevisionInsertComplete hook is now deprecated; use instead the hook
1256 RevisionRecordInserted. RevisionInsertComplete is still called, but the second
1257 and third parameter will always be null. Hard deprecation is scheduled for
1258 1.32.
1259 * The following methods that get and set ParserOutput state are deprecated.
1260 Callers should use the new stateless $options parameter to
1261 ParserOutput::getText() instead.
1262 * ParserOptions::getEditSection()
1263 * ParserOptions::setEditSection()
1264 * ParserOutput::getEditSectionTokens()
1265 * ParserOutput::setEditSectionTokens()
1266 * ParserOutput::getTOCEnabled()
1267 * ParserOutput::setTOCEnabled()
1268 * OutputPage::enableSectionEditLinks()
1269 * OutputPage::sectionEditLinksEnabled()
1270 * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
1271 are also deprecated.
1272 * License::getLicenses has been deprecated; use License::getLines instead.
1273 * QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
1274 Setting template variables by reference allowed violating the principle of
1275 data being immutable once added to the skin template. In practice, this method
1276 was not being used for that. Rather, setRef() existed as memory optimisation
1277 for PHP 4.
1278 * QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
1279 favour of Skin::msg() parameters.
1280 * MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
1281 wfMessage().
1282 * Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
1283 'unwrap' transform to ParserOutput::getText() instead.
1284 * \ObjectFactory (no namespace) is deprecated, the namespaced class
1285 \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
1286 used instead.
1287 * CommentStore::newKey is deprecated. Instead, get an instance from
1288 MediaWikiServices.
1289 * The following CommentStore methods have had their signatures changed to
1290 introduce a $key parameter, usage of the methods on instances retrieved from
1291 CommentStore::newKey will remain unchanged but deprecated:
1292 * CommentStore::getFields
1293 * CommentStore::getJoin
1294 * CommentStore::getComment
1295 * CommentStore::getCommentLegacy
1296 * CommentStore::insert
1297 * CommentStore::insertWithTemplate
1298 * The following methods in Title have been renamed, and the old ones are
1299 deprecated:
1300 * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
1301 * Title::isCssOrJsPage – use ::isSiteConfigPage
1302 * Title::isCssJsSubpage – use ::isUserConfigPage
1303 * Title::isCssSubpage – use ::isUserCssConfigPage
1304 * Title::isJsSubpage – use ::isUserJsConfigPage
1305 * The following methods related to caching of half-parsed HTML were deprecated:
1306 * Parser::serializeHalfParsedText()
1307 * Parser::unserializeHalfParsedText()
1308 * Parser::isValidHalfParsedText()
1309 * StripState::getSubState()
1310 * StripState::merge()
1311 * The DeferredStringifier class is deprecated, use Message::listParam() instead.
1312 * The type string for the parameter $lang of DateFormatter::getInstance is
1313 deprecated.
1314 * Wikimedia\Rdbms\SavepointPostgres is deprecated.
1315 * The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
1316 used instead.
1317 * The function wfShellWikiCmd() has been deprecated, use
1318 MediaWiki\Shell::makeScriptCommand().
1319 * In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
1320 will be allowed to provide any HTMLForm object rather than PreferencesForm.
1321
1322 === Other changes in 1.31 ===
1323 * Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
1324 * Browser support for Opera 12 and older was dropped entirely. Opera 15+
1325 continues at Grade A.
1326 * Multi-content-revision capability was introduced into the storage layer. See
1327 <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
1328 * The "free" CSS class is now only applied to unbracketed URLs in wikitext.
1329 Links written using square brackets will get the class "text" not "free".
1330 * RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
1331 wikitext table captions, wikitext table headings, wikitext table cells. HTML
1332 headings, HTML list items, HTML table captions, HTML table headings, HTML
1333 table cells will not have this trimming behavior.
1334
1335 == Compatibility ==
1336 MediaWiki 1.31 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
1337 supported, it is generally advised to use PHP 7.0.0 or later for long term
1338 support.
1339
1340 MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
1341 but support for them is somewhat less mature. There is experimental support for
1342 Oracle and Microsoft SQL Server.
1343
1344 The supported versions are:
1345
1346 * MySQL 5.5.8 or later
1347 * PostgreSQL 9.2 or later
1348 * SQLite 3.3.7 or later
1349 * Oracle 9.0.1 or later
1350 * Microsoft SQL Server 2005 (9.00.1399)
1351
1352 == Upgrading ==
1353 1.31 has several database changes since 1.30, and will not work without schema
1354 updates. Note that due to changes to some very large tables like the revision
1355 table, the schema update may take quite long (minutes on a medium sized site,
1356 many hours on a large site).
1357
1358 Don't forget to always back up your database before upgrading!
1359
1360 See the file UPGRADE for more detailed upgrade instructions, including
1361 important information when upgrading from versions prior to 1.11.
1362
1363 For notes on 1.30.x and older releases, see HISTORY.
1364
1365 == Online documentation ==
1366 Documentation for both end-users and site administrators is available on
1367 MediaWiki.org, and is covered under the GNU Free Documentation License (except
1368 for pages that explicitly state that their contents are in the public domain):
1369
1370 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
1371
1372 == Mailing list ==
1373 A mailing list is available for MediaWiki user support and discussion:
1374
1375 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
1376
1377 A low-traffic announcements-only list is also available:
1378
1379 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
1380
1381 It's highly recommended that you sign up for one of these lists if you're
1382 going to run a public MediaWiki, so you can be notified of security fixes.
1383
1384 == IRC help ==
1385 There's usually someone online in #mediawiki on irc.freenode.net.
1386
1387
1388 = MediaWiki 1.30 =
1389
1390 == MediaWiki 1.30.2 ==
1391
1392 This is a security and maintenance release of the MediaWiki 1.30 branch.
1393
1394 === Changes since MediaWiki 1.30.1 ===
1395 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
1396 all titles when asked for none.
1397 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
1398 libraries.
1399 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
1400 * (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
1401 * (T207603) SECURITY: User JS may no longer be loaded with mime type
1402 text/javascript if there is no account associated with the username.
1403 * (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME
1404 type if non-admins can edit the page.
1405 * (T207541) Pass email address to mail().
1406 * Fix addition of ug_expiry column to user_groups table on MSSQL.
1407 * (T204531) rdbms: reduce LoadBalancer replication log spam.
1408 * (T213489) Avoid session double-start in Setup.php.
1409 * (T195525) Fix db error outage page.
1410 * (T208871) The hard-coded Google search form on the database error page was
1411 removed.
1412 * (T216968) Return pageid as int in both list=iwbacklinks and
1413 list=langbacklinks.
1414 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
1415 $wgBlockDisablesLogin is true.
1416 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
1417 token.
1418 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
1419 saveFileDependencies().
1420 * (T224374) Fix message parameters so that the message that says SQLite is out
1421 of date makes sense.
1422 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
1423 reauthenticating.
1424 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
1425 getLoginSecurityLevel() returns non-false.
1426 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
1427 * (T208881) SECURITY: blacklist CSS var().
1428 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
1429 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
1430 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
1431 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
1432 view the log type.
1433 * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.
1434
1435 == MediaWiki 1.30.1 ==
1436
1437 This is a security and maintenance release of the MediaWiki 1.30 branch.
1438
1439 === Changes since MediaWiki 1.30.0 ===
1440 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
1441 'newbie'.
1442 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
1443 account lock.
1444 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
1445 array.
1446 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1447 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
1448 include extensions. Pass --with-extensions to enable that feature.
1449 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
1450 * (T167507) selenium: Run Chrome headlessly.
1451 * selenium: Pass -no-sandbox to Chrome under Docker.
1452 * (T179190) selenium: Move logic for running tests from package.json to
1453 selenium.sh
1454 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
1455 * Add default edit rate limit of 90 edits/minute for all users.
1456 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
1457 * oojs/oojs-ui updated to remove an unnecessary dependancy.
1458 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
1459 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
1460 hook.
1461 * (T196672) The mtime of extension.json files is now able to be zero
1462 * (T180403) Validate $length in padleft/padright parser functions.
1463 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
1464 * (T193995) Fix undefined patchPath() method call in parser tests.
1465 * Special:BotPasswords now requires reauthentication.
1466 * (T191608, T187638) Add 'logid' parameter to Special:Log.
1467 * (T193829) Indicate when a Bot Password needs reset.
1468 * (T151415) Log email changes.
1469 * (T200861) Fix total breakage of SQLite web upgrade.
1470 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
1471 hooks.
1472 * (T190539) Explicitly require Postgres 9.1.
1473 * (T118420) Unbreak Oracle installer.
1474
1475 == MediaWiki 1.30.0 ==
1476
1477 === Changes since MediaWiki 1.30.0-rc.0 ===
1478 * Upgraded Moment.js from v2.15.0 to v2.19.3.
1479 * Add ip_changes to postgres/tables.sql.
1480 * Skip null shell parameters.
1481 * Add wfWaitForSlaves() to maintenance/migrateComments.php.
1482 * (T182245) Fix join conditions in ImageListPager.
1483 * (T178626) Revert #contentSub and #jump-to-nav margin changes.
1484
1485 === MySQL version requirement in 1.30 ===
1486 As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
1487 section).
1488
1489 === Configuration changes in 1.30 ===
1490 * The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
1491 unexpected behavior when code uses locale-sensitive string comparisons. For
1492 example, the Scribunto extension considers "bar" < "Foo" in most locales
1493 since it ignores case.
1494 * $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
1495 documentation of $wgShellLocale for details.
1496 * $wgShellLocale is now applied for all requests. wfInitShellLocale() is
1497 deprecated and a no-op, as it is no longer needed.
1498 * $wgJobClasses may now specify callback functions as an alternative to plain
1499 class names. This is intended for extensions that want control over the
1500 instantiation of their jobs, to allow for proper dependency injection.
1501 * $wgResourceModules may now specify callback functions as an alternative
1502 to plain class names, using the 'factory' key in the module description
1503 array. This allows dependency injection to be used for ResourceLoader modules.
1504 * $wgExceptionHooks has been removed.
1505 * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
1506 of IP ranges that can be queried at Special:Contributions.
1507 * (T45547) $wgUsePigLatinVariant added (off by default).
1508 * (T152540) MediaWiki now supports a section ID escaping style that allows to
1509 display non-Latin characters verbatim on many modern browsers. This is
1510 controlled by the new configuration setting, $wgFragmentMode.
1511 * $wgExperimentalHtmlIds is now deprecated and will be removed in a future
1512 version, use $wgFragmentMode to migrate off it to a modern alternative.
1513 * $wgExternalInterwikiFragmentMode was introduced to control how fragments in
1514 sinterwikis going outside of current wiki farm are encoded.
1515 * (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of
1516 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0.
1517 MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if
1518 explicitly requested through the configuration parameter $wgDBservers.
1519 * $wgOOUIEditPage was removed, as it is now the default. This was documented as
1520 a temporary variable during the migration period.
1521
1522 === New features in 1.30 ===
1523 * (T37247) Output from Parser::parse() will now be wrapped in a div with
1524 class="mw-parser-output" by default. This may be changed or disabled using
1525 ParserOptions::setWrapOutputClass().
1526 * (T163562) Added ability to search for contributions within an IP ranges
1527 at Special:Contributions.
1528 * Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
1529 specific tags to be added by users.
1530 * Added a 'ParserOptionsRegister' hook to allow extensions to register
1531 additional parser options.
1532 * (T45547) Included Pig Latin, a language game in English, as a
1533 LanguageConverter variant. This allows English-speaking developers
1534 to develop and test LanguageConverter more easily. Pig Latin can be
1535 enabled by setting $wgUsePigLatinVariant to true.
1536 * Added RecentChangesPurgeRows hook to allow extensions to purge data that
1537 depends on the recentchanges table.
1538 * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
1539 * (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
1540 'watchlistunwatchlinks' preference option is enabled). With JavaScript
1541 enabled, these links toggle so the user can also re-watch pages that have
1542 just been unwatched.
1543 * Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
1544 MediaHandlerFactory for parser tests.
1545 * Edit summaries, block reasons, and other "comments" are now stored in a
1546 separate database table. Use the CommentFormatter class to access them.
1547 ** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
1548 can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
1549 soon as any necessary extensions are updated.
1550 * (T138166) Added ability for users to prohibit other users from sending them
1551 emails with Special:Emailuser. Can be enabled by setting
1552 $wgEnableUserEmailBlacklist to true.
1553 * (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no
1554 effect. Instead, users using browsers that do not support Unicode will be
1555 unable to edit and should upgrade to a modern browser instead.
1556
1557 === External library changes in 1.30 ===
1558
1559 ==== Upgraded external libraries ====
1560 * Updated justinrainbow/json-schema from v3.0 to v5.2.
1561 * Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
1562 * Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
1563 * Updated wikimedia/relpath from v1.0.3 to v2.0.0.
1564 * Updated OOjs from v2.0.0 to v2.1.0.
1565 * Updated OOUI from v0.21.1 to v0.23.0.
1566 * Updated QUnit from v1.23.1 to v2.4.0.
1567 * Updated phpunit/phpunit from v4.8.35 to v4.8.36.
1568 * Upgraded Moment.js from v2.15.0 to v2.19.3.
1569
1570 ==== New external libraries ====
1571 * The class \TestingAccessWrapper has been moved to the external library
1572 wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
1573 * Purtle, a fast, lightweight RDF generator.
1574
1575 ==== Removed and replaced external libraries ====
1576 * …
1577
1578 === Bug fixes in 1.30 ===
1579 * (T151633) Ordered list items use now Devanagari digits in Nepalese
1580 (thanks to Sfic)
1581
1582 === Action API changes in 1.30 ===
1583 * (T37247) action=parse output will be wrapped in a div with
1584 class="mw-parser-output" by default. This may be changed or disabled using
1585 the new 'wrapoutputclass' parameter.
1586 * When errorformat is not 'bc', abort reasons from action=login will be
1587 formatted as specified by the error formatter parameters.
1588 * action=compare can now handle arbitrary text, deleted revisions, and
1589 returning users and edit comments.
1590 * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
1591 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
1592 parameters to prop=revisions are deprecated, as are the similarly named
1593 parameters to prop=deletedrevisions, list=allrevisions, and
1594 list=alldeletedrevisions. Use action=compare, action=parse, or
1595 action=expandtemplates instead.
1596
1597 === Action API internal changes in 1.30 ===
1598 * ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
1599 deprecated. The existing message should be split between "apihelp-*-summary"
1600 and "apihelp-*-extended-description".
1601 * (T123931) Individual values of multi-valued parameters can now be marked as
1602 deprecated.
1603
1604 === Languages updated in 1.30 ===
1605 MediaWiki supports over 350 languages. Many localisations are updated
1606 regularly. Below only new and removed languages are listed, as well as
1607 changes to languages because of Phabricator reports.
1608
1609 * Added: kbp (Kabɩyɛ / Kabiyè)
1610 * Added: skr (Saraiki, سرائیکی)
1611 * Added: tay (Tayal / Atayal)
1612 * Removed: tokipona (Toki Pona)
1613
1614 ==== Pig Latin added ====
1615 * (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
1616 for easier variant development and testing. Disabled by default. It can be
1617 enabled by setting $wgUsePigLatinVariant to true.
1618
1619 === Other changes in 1.30 ===
1620 * The use of an associative array for $wgProxyList, where the IP address is in
1621 the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
1622 Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
1623 * mw.user.bucket (deprecated in 1.23) was removed.
1624 * LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
1625 deprecated. There are no known callers.
1626 * File::getStreamHeaders() was deprecated.
1627 * MediaHandler::getStreamHeaders() was deprecated.
1628 * Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
1629 used instead.
1630 * MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
1631 should be used instead.
1632 * The ExtractThumbParameters hook (deprecated in 1.21) was removed.
1633 * The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
1634 deprecated in 1.24) were removed.
1635 * wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
1636 BagOStuff::makeGlobalKey() should be used instead.
1637 * (T146304) Preprocessor handling of LanguageConverter markup has been improved.
1638 As a result of the new uniform handling, '-{' may need to be escaped
1639 (for example, as '-<nowiki/>{') where it occurs inside template arguments
1640 or wikilinks.
1641 * (T163966) Page moves are now counted as edits for the purposes of
1642 autopromotion, i.e., they increment the user_editcount field in the database.
1643 * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
1644 manipulating Special:Log and Special:NewPages lines.
1645 * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
1646 PageHistoryLineEnding, ContributionsLineEnding and
1647 DeletedContributionsLineEnding hooks have an additional parameter, for
1648 manipulating HTML data attributes of RC/history lines.
1649 EnhancedChangesListModifyBlockLineData can do that via the
1650 $data['attribs'] subarray.
1651 * (T130632) The OutputPage::enableTOC() method was removed.
1652 * WikiPage::getParserOutput() will now throw an exception if passed
1653 ParserOptions that would pollute the parser cache. Callers should use
1654 WikiPage::makeParserOptions() to create the ParserOptions object and only
1655 change options that affect the parser cache key.
1656 * Article::viewRedirect() is deprecated.
1657 * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
1658 * DeprecatedGlobal no longer supports passing in a direct value, it requires a
1659 callable factory function or a class name.
1660 * The $parserMemc global, wfGetParserCacheStorage(), and
1661 ParserCache::singleton() are all deprecated. The main ParserCache instance
1662 should be obtained from MediaWikiServices instead. Access to the underlying
1663 BagOStuff is possible through the new ParserCache::getCacheStorage() method.
1664 * .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
1665 * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
1666 escapeIdForLink() or escapeIdForExternalInterwiki() instead.
1667 * Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
1668 Sanitizer functions or, if possible, Title::getFragmentForURL().
1669 * Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
1670 nothing and is deprecated.
1671 * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
1672 escapeIdForLink().
1673 * MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
1674 * WikiImporter now requires the second parameter to be an instance of the
1675 Config, class. Prior to that, the Config parameter was optional (a behavior
1676 deprecated in 1.25).
1677 * Removed 'jquery.mwExtension' module. (deprecated since 1.26)
1678 * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
1679 any more.
1680 * CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
1681 The namespaced classes in the Cdb namespace should be used instead.
1682 * IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
1683 should be used instead.
1684 * RunningStat class (deprecated in 1.27) was removed. The namespaced
1685 RunningStat\RunningStat should be used instead.
1686 * MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were
1687 removed.
1688 The MemcachedClient class should be used instead.
1689 * EditPage underwent some refactoring and deprecations:
1690 * EditPage::isOouiEnabled() is deprecated and will always return true.
1691 * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated.
1692 Please use ::getSummaryInputWidget() instead.
1693 * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
1694 use ::getCheckboxesWidget() instead.
1695 * Creating an EditPage instance without calling EditPage::setContextTitle()
1696 should be avoided and will be deprecated in a future release.
1697 * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and
1698 no-ops.
1699 * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are
1700 deprecated. The corresponding methods from Title should be used instead.
1701 * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
1702 * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The
1703 getters ::getArticle() and ::getTitle() should be used instead.
1704 * Trying to control or fake EditPage context by overriding $wgUser,
1705 $wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The
1706 IContextSource returned from EditPage::getContext() must be modified
1707 instead.
1708 * Parser::getRandomString() (deprecated in 1.26) was removed.
1709 * Parser::uniqPrefix() (deprecated in 1.26) was removed.
1710 * Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
1711 $uniq_prefix was deprecated in 1.26 and has now been removed.
1712 * (T172514) The following tables have had their UNIQUE indexes turned into
1713 proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks,
1714 iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks,
1715 query_cache, site_stats, templatelinks, text, transcache, user_former_groups,
1716 user_properties.
1717 * IDatabase::nextSequenceValue() is no longer needed by any database backends
1718 (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
1719 * (T146591) The lc_lang_key index on the l10n_cache table has been changed into
1720 a PRIMARY KEY.
1721 * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
1722 page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
1723 user_properties.up_user have all been made unsigned on MySQL.
1724 * DB_SLAVE is deprecated. DB_REPLICA should be used instead.
1725 * wfUsePHP() is deprecated.
1726 * wfFixSessionID() was removed.
1727 * wfShellExec() and related functions are deprecated, use Shell::command(). This
1728 also slightly changes the behavior of how execution time limits are calculated
1729 when only some of defaults are overridden per-call. When in doubt, always
1730 override both wall clock and CPU time.
1731 * (T138166) SpecialEmailUser::getTarget() now requires a second argument, the
1732 sending user object. Using the method without the second argument is
1733 deprecated.
1734 * (T67297) Browsers that don't support Unicode will have their edits rejected.
1735 * (T178450) The module 'jquery.badge' is deprecated and will be removed in a
1736 future release. For notifying the user of an event, the Notifications ("Echo")
1737 system should be used instead.
1738 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1739 browser sends non-standard url escaping.
1740 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1741
1742 = MediaWiki 1.29 =
1743
1744 == MediaWiki 1.29.3 ==
1745
1746 This is a security and maintenance release of the MediaWiki 1.29 branch.
1747
1748 === Changes since 1.29.2 ===
1749 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
1750 'newbie'.
1751 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
1752 account lock.
1753 * (T180551) Fix LanguageSrTest for language converter
1754 * (T180552) Fix langauge converter parser test with self-close tags
1755 * (T180537) Remove $wgAuth usage from wrapOldPasswords.php
1756 * (T180485) InputBox: Have inputbox langconvert certain attributes
1757 * (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
1758 * (T172927) Drop vendor from MW release branch
1759 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
1760 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1761 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
1762 include extensions. Pass --with-extensions to enable that feature.
1763 * (T182381) Mask deprecated call in WatchedItemUnitTest
1764 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
1765 * The karma qunit tests would fail on some configuration due to headers already
1766 sent. Check headers_sent() before sending cpPosTime headers
1767 * (T167507) selenium: Run Chrome headlessly.
1768 * selenium: Pass -no-sandbox to Chrome under Docker
1769 * (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
1770 * (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
1771 fails under SQLite.
1772 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
1773 * (T179190) selenium: Move test running logic from package.json to selenium.sh.
1774 * (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
1775 * Add default edit rate limit of 90 edits/minute for all users.
1776 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
1777 * (T196672) The mtime of extension.json files is now able to be zero
1778 * (T180403) Validate $length in padleft/padright parser functions.
1779 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
1780 * (T194237) Special:BotPasswords now requires reauthentication.
1781 * (T191608, T187638) Add 'logid' parameter to Special:Log.
1782 * (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
1783 * (T193829) Indicate when a Bot Password needs reset.
1784 * (T151415) Log email changes.
1785 * (T118420) Unbreak Oracle installer.
1786
1787 == MediaWiki 1.29.2 ==
1788
1789 This is a security and maintenance release of the MediaWiki 1.29 branch.
1790
1791 === Changes since 1.29.1 ===
1792 * (T166757) Avoid scoped lock errors in Category::refreshCounts() due to
1793 nesting.
1794 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
1795 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
1796 * Fixed login button label to accept RawMessage.
1797 * Fixed case of SpecialRecentChanges class usage.
1798 * (T174255) Declare uploadCount property in importDump.php.
1799 * (T163646) Pass a string not an int to mysql_real_escape_string().
1800 * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
1801 * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
1802 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1803 browser sends non-standard url escaping.
1804 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1805 * (T128209) SECURITY: Reflected File Download from api.php.
1806 * (T134100) SECURITY: Do not reveal if user exists during login failure.
1807 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
1808 * (T125163) SECURITY: Make anchor for headlines escape > and <.
1809 * (T180237) SECURITY: Protect vendor folder with .htaccess.
1810 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
1811 update.php.
1812 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
1813 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
1814 * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly
1815 fixed in all branches in the previous security release.
1816
1817 == MediaWiki 1.29.1 ==
1818
1819 This is a maintenance release of the MediaWiki 1.29 branch.
1820
1821 The SpamBlacklist and PdfHandler extensions were missing from the generated
1822 packages.
1823
1824 === Changes since 1.29.1 ===
1825 * (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
1826 * (T172061) Fix fatal when passing a category to refreshLinks.php.
1827
1828 == MediaWiki 1.29.0 ==
1829
1830 === Configuration changes in 1.29 ===
1831 * Default cookie expiration time has been reduced to 30 days. Login cookie
1832 expiration time is kept at 180 days.
1833 * A new configuration variable has been added: $wgCookieSetOnAutoblock. This
1834 determines whether to set a cookie when a user is autoblocked. Doing so means
1835 that a blocked user, even after logging out and moving to a new IP address,
1836 will still be blocked.
1837 * The resetpassword right and associated password reset capture feature has
1838 been removed.
1839 * The $error parameter to the EmailUser hook should be set to a Status object
1840 or boolean false. This should be compatible with at least MediaWiki 1.23 if
1841 not earlier. Returning a raw HTML string is now deprecated.
1842 * The $message parameter to the ApiCheckCanExecute hook should be set to an
1843 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
1844 code for ApiBase::parseMsg() will no longer work.
1845 * ApiBase::$messageMap is no longer public. Code attempting to access it will
1846 result in a PHP fatal error.
1847 * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
1848 policies.
1849 * Subpages are now enabled by default in the Template namespace. Set
1850 $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
1851 * $wgRunJobsAsync is now false by default (T142751). This change only affects
1852 wikis with $wgJobRunRate > 0.
1853 * (T158474) "Unknown user" has been added to $wgReservedUsernames.
1854 * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single
1855 IPs.
1856 * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
1857 added to $wgExtraLanguageCodes instead.
1858 * (T161453) LocalisationCache will no longer use the temporary directory in it's
1859 fallback chain when trying to work out where to write the cache.
1860 * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
1861 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
1862
1863 === New features in 1.29 ===
1864 * (T5233) A cookie can now be set when a user is autoblocked, to track that user
1865 if they move to a new IP address. This is disabled by default.
1866 * Added ILocalizedException interface to standardize the use of localized
1867 exceptions, largely so the API can handle them more sensibly.
1868 * Blocks created automatically by MediaWiki, such as for configured proxies or
1869 dnsbls, are now indicated as such and use a new i18n message when displayed.
1870 * Added new $wgHTTPImportTimeout setting. Sets timeout for
1871 downloading the XML dump during a transwiki import in seconds.
1872 * Parser limit report is now available in machine-readable format to JavaScript
1873 via mw.config.get('wgPageParseReport').
1874 * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
1875 from certain IP ranges (e.g. private IPs).
1876 * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
1877 of the page being parsed.
1878 * HTML5 form validation attributes will no longer be suppressed. Originally
1879 browsers had poor support for them, but modern browsers handle them fine.
1880 This might affect some forms that used them and only worked because the
1881 attributes were not actually being set.
1882 * Expiry times can now be specified when users are added to user groups.
1883 * Completely new user interface for the RecentChanges page, which
1884 structures filters into user-friendly groups. This has corresponding
1885 changes to how filters are registered by core and extensions.
1886 * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
1887 Because this change can cause problems for extensions and on-wiki
1888 scripts depending on the exact HTML, the old version is still available
1889 and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
1890 This will be removed later and OOjs UI will become the only option.
1891 To make testing easier, users can also force either mode by adding
1892 &ooui=true or &ooui=false to the action=edit URL.
1893
1894 === External library changes in 1.29 ===
1895
1896 ==== Upgraded external libraries ====
1897 * Updated QUnit from v1.22.0 to v1.23.1.
1898 * Updated cssjanus from v1.1.2 to v1.2.0.
1899 * Updated psr/log from v1.0.0 to v1.0.2.
1900 * Update Moment.js from v2.8.4 to v2.15.0.
1901 * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
1902 * Updated monolog from v1.18.2 to 1.22.1.
1903 * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
1904 * Updated OOjs from v1.1.10 to v2.0.0.
1905 * Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
1906
1907 ==== New external libraries ====
1908 * Added wikimedia/timestamp v1.0.0.
1909 * Added wikimedia/remex-html v1.0.1.
1910
1911 ==== Removed and replaced external libraries ====
1912
1913 === Bug fixes in 1.29 ===
1914 * (T62604) Core parser functions returning a number now format the number
1915 according to the page content language, not wiki content language.
1916 * (T27187) Search suggestions based on jquery.suggestions will now correctly
1917 only highlight prefix matches in the results.
1918 * (T157035) "new mw.Uri()" was ignoring options when using default URI.
1919 * Special:Allpages can no longer be filtered by redirect in miser mode.
1920 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
1921 installed.
1922 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
1923 redirect to interwiki links.
1924 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
1925 $wgAdvancedSearchHighlighting is true.
1926 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
1927 their values out of the logs.
1928 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
1929 CSRF token.
1930 * (T156184) SECURITY: Escape content model/format url parameter in message.
1931 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
1932 declaration.
1933 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
1934 directory in it's fallback chain when trying to work out where to write the
1935 cache.
1936 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
1937 inclusion syntax's link parameter.
1938 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
1939 against it.
1940
1941 === Action API changes in 1.29 ===
1942 * Submitting sensitive authentication request parameters to action=login,
1943 action=clientlogin, action=createaccount, action=linkaccount, and
1944 action=changeauthenticationdata in the query string is now an error. They
1945 should be submitted in the POST body instead.
1946 * The capture option for action=resetpassword has been removed
1947 * action=clearhasmsg now requires a POST.
1948 * (T47843) API errors and warnings may be requested in non-English languages
1949 using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
1950 * API error codes may have changed. Most notably, errors from modules using
1951 parameter prefixes (e.g. all query submodules) will no longer be prefixed.
1952 * ApiPageSet-using modules will report the 'invalidreason' using the specified
1953 'errorformat'.
1954 * action=emailuser may return a "Warnings" status, and now returns 'warnings'
1955 and 'errors' subelements (as applicable) instead of 'message'.
1956 * action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
1957 * action=move now reports errors when moving the talk page as an array under
1958 key 'talkmove-errors', rather than using 'talkmove-error-code' and
1959 'talkmove-error-info'. The format for subpage move errors has also changed.
1960 * action=revisiondelete no longer includes a "rendered" property on warnings
1961 and errors for each item. Use errorformat=wikitext if you're wanting parsed
1962 output.
1963 * action=rollback no longer returns a "messageHtml" property. Use
1964 errorformat=html if you're wanting HTML formatting of error messages.
1965 * action=upload now reports optional stash failures as an array under key
1966 'stasherrors' rather than a 'stashfailed' text string.
1967 * action=watch reports 'errors' and 'warnings' instead of a single 'error', and
1968 no longer returns a 'message' on success.
1969 * Added action=validatepassword to validate passwords for the account creation
1970 and password change forms.
1971 * action=purge now requires a POST.
1972 * There is a new `languagevariants` siprop for action=query&meta=siteinfo,
1973 which returns a list of languages with active LanguageConverter instances.
1974 * action=query&query=allpages will no longer filter redirects using a database
1975 query in miser mode. This may result in less results being returned than were
1976 requested.
1977
1978 === Action API internal changes in 1.29 ===
1979 * New methods were added to ApiBase to handle errors and warnings using i18n
1980 keys. Methods for using hard-coded English messages were deprecated:
1981 * ApiBase::dieUsage() was deprecated
1982 * ApiBase::dieUsageMsg() was deprecated
1983 * ApiBase::dieUsageMsgOrDebug() was deprecated
1984 * ApiBase::getErrorFromStatus() was deprecated
1985 * ApiBase::parseMsg() was deprecated
1986 * ApiBase::setWarning() was deprecated
1987 * ApiBase::$messageMap is no longer public. Code attempting to access it will
1988 result in a PHP fatal error.
1989 * The $message parameter to the ApiCheckCanExecute hook should be set to an
1990 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
1991 code for ApiBase::parseMsg() will no longer work.
1992 * UsageException is deprecated in favor of ApiUsageException. For the time
1993 being ApiUsageException is a subclass of UsageException to allow things that
1994 catch only UsageException to still function properly.
1995 * If, for some strange reason, code was using an ApiErrorFormatter instead of
1996 ApiErrorFormatter_BackCompat, note that the result format has changed and
1997 various methods now take a module path rather than a module name.
1998 * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
1999 from the message key, and maps some message keys for backwards compatibility.
2000 * API parameters may now be marked as "sensitive" to keep their values out of
2001 the logs.
2002
2003 === Languages updated in 1.29 ===
2004
2005 MediaWiki supports over 350 languages. Many localisations are updated
2006 regularly. Below only new and removed languages are listed, as well as
2007 changes to languages because of Phabricator reports.
2008
2009 * Based as always on linguistic studies on intelligibility and language
2010 knowledge by geography, language fallbacks have been expanded. When a
2011 translation is missing in the user's preferred interface language, the
2012 corresponding translation for the fallback language will be used instead.
2013 English will only be used as last resort when there are no translations.
2014 Some configurations (such as date formats and gender namespaces) have also
2015 been updated when using the fallback language's configuration was inadequate.
2016 The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
2017 ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
2018 sh → bs, sr-el, hr.
2019 * (T137376) New language support: Atikamekw (atj).
2020 * (T163600) New language support: Dinka (din).
2021 * (T155957) Talk Namespaces for Javanese language (jv) have been updated.
2022
2023 ==== No fallback for Ukrainian ====
2024 * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
2025 language will now use the default fallback language: English. When a
2026 translation to Ukrainian is not available, an English string will be shown.
2027
2028 === Other changes in 1.29 ===
2029 * Database::getSearchEngine() (deprecated in 1.28) was removed. Use
2030 SearchEngineFactory::getSearchEngineClass() instead.
2031 * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
2032 required as all sessions are stored in Object Cache now.
2033 * MWHttpRequest::execute() should be considered to return a StatusValue; the
2034 Status return type is deprecated.
2035 * User::edits() (deprecated in 1.21) was removed.
2036 * Xml::escapeJsString() (deprecated in 1.21) was removed.
2037 * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
2038 were removed.
2039 * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
2040 were removed.
2041 * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use
2042 ArticleContentViewCustom instead.
2043 * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
2044 * Class RevisiondeleteAction (deprecated in 1.25) was removed.
2045 * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
2046 * WikiPage::getText() (deprecated in 1.21) was removed.
2047 * Article::fetchContent() (deprecated in 1.21) was removed.
2048 * User::getPassword() (deprecated in 1.27) was removed.
2049 * User::getTemporaryPassword() (deprecated in 1.27) was removed.
2050 * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
2051 * Class FSRepo (deprecated in 1.19) was removed.
2052 * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
2053 \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId()
2054 instead.
2055 * Class ImageGallery (deprecated in 1.22) was removed.
2056 Use ImageGalleryBase::factory instead.
2057 * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class
2058 instead.
2059 * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
2060 emit warnings). Create a subclass of Action and add it to $wgActions instead.
2061 * WikiRevision::getText() (deprecated since 1.21) is no longer marked
2062 deprecated.
2063 * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
2064 * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
2065 * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
2066 * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
2067 * RedisConnectionPool::handleException (deprecated since 1.23) was removed.
2068 * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
2069 and outdated lists of errors/warnings returned by the API, are now deprecated.
2070 * wiki.phtml entry point was removed. Refer to index.php instead. If you want
2071 "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can
2072 be done by enabling mod_rewrite and adding the following rules to your
2073 configuration:
2074
2075 RewriteEngine On
2076 RewriteBase /
2077 RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
2078 * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
2079 Use ArticleAfterFetchContentObject instead.
2080 * Hook ArticleInsertComplete (deprecated in 1.21) was removed.
2081 Use PageContentInsertComplete instead.
2082 * Hook ArticleSave (deprecated in 1.21) was removed.
2083 Use PageContentSave instead.
2084 * Hook ArticleSaveComplete (deprecated in 1.21) was removed.
2085 Use PageContentSaveComplete instead.
2086 * Hook EditFilterMerged (deprecated in 1.21) was removed.
2087 Use EditFilterMergedContent instead.
2088 * Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
2089 Use EditPageGetPreviewContent instead.
2090 * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
2091 Use ContentHandlerDefaultModelFor instead.
2092 * Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
2093 Use ContentHandlerDefaultModelFor instead.
2094 * Article::getContent() (deprecated in 1.21) was removed.
2095 * Revision::getText() (deprecated in 1.21) was removed.
2096 * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
2097 * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
2098 * Article::doEditContent() was marked as deprecated, to be removed in 1.30
2099 or later.
2100 * ContentHandler::runLegacyHooks() was removed.
2101 * refreshLinks.php now can be limited to a particular category with
2102 --category=... or a tracking category with --tracking-category=...
2103 * User-like objects that are passed to SpecialUserRights and its subclasses are
2104 now required to have a getGroupMemberships() method. See UserRightsProxy for
2105 an example.
2106 * User::$mGroups (instance variable) was marked private. Use User::getGroups()
2107 instead.
2108 * User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
2109 User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
2110 Use equivalent methods on the UserGroupMembership class.
2111 * Maintenance scripts and tests that call User::addGroup() must now ensure that
2112 User objects have been added to the database prior to calling addGroup().
2113 * Protected function UsersPager::getGroups() was removed, and protected function
2114 UsersPager::buildGroupLink() was changed from a static to an instance method.
2115 * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
2116 see docs/hooks.txt.
2117 * User::crypt() (deprecated in 1.24) was removed.
2118 * User::comparePasswords() (deprecated in 1.24) was removed.
2119 * ArchivedFile::getUserText() (deprecated in 1.23) was removed.
2120 * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
2121 * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
2122 and subclasses. It should only break if you call buildMainQueryConds
2123 (changed to buildQuery with new signature) or doMainQuery (new
2124 signature). Subclasses are likely to call at least doMainQuery
2125 (possibly both), but other classes might too, because they were
2126 public.
2127 Also, some related hooks were deprecated, but this is not yet a
2128 breaking change.
2129 * Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
2130 * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
2131 * WikiRevision::$fileIsTemp was deprecated.
2132 * WikiRevision::$importer was deprecated.
2133 * WikiRevision::$user was deprecated.
2134 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
2135 WikiPage::PURGE_* constants are deprecated, and the functions will always
2136 return false. They were a hack for an issue that has since been fixed.
2137 * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
2138 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
2139 if you don't actually care about checkboxes and just want to add some HTML
2140 to the page.
2141 * Selflinks are now rendered as href-less <a> tags with the class mw-selflink
2142 rather than <strong> tags. The old class name, "selflink", was deprecated
2143 and will be removed in a future release. (T160480)
2144 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2145 * Browser support for non-ES5 JavaScript browsers, including Android 2,
2146 Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
2147 * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
2148 is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
2149 webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
2150 opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
2151 ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
2152 addClickHandler, removeHandler, getElementsByClassName, getInnerText,
2153 setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
2154 mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
2155 escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
2156 tooltipAccessKeyRegexp, updateTooltipAccessKeys.
2157 * The ID of the <li> element containing the login link has changed from
2158 'pt-login' to 'pt-login-private' in private wikis.
2159 * The old, neglected "bulletin board style toolbar" in the edit form is now
2160 deprecated (T30856). This old code dates from 2006, and was replaced in the
2161 MediaWiki release tarball and in Wikimedia production by the WikiEditor
2162 extension in 2010. It is only shown to users if no other editor was
2163 installed, and leads to confusion.
2164 * (T92459) Loading ResourceLoader modules containing JavaScript through
2165 addModuleStyles() is deprecated and will log a warning server-side.
2166
2167 = MediaWiki 1.28 =
2168
2169 == MediaWiki 1.28.3 ==
2170
2171 This is a security and maintenance release of the MediaWiki 1.28 branch.
2172
2173 === Changes since 1.28.2 ==
2174 * (T168856) Allow SVGs created by Dia to be uploaded.
2175 * (T157545) Add missing doUpdates() call to refreshLinks.php.
2176 * (T165714) (T100085) Better handling of jobs execution in post-connection
2177 shutdown.
2178 * (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of
2179 Database->onTransactionIdle.
2180 * (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
2181 * (T149454) Restore erroneously removed realTableName call from
2182 DatabasePostgres.
2183 * (T167798) Fix phrase search and highlighting for phrase queries.
2184 * (T151136) Provide credits information to callbacks in extension registration.
2185 * (T160462) Allow namespaces defined in extension.json to be overwritten
2186 locally.
2187 * (T168337) Fix ErrorPageError to work from non-UI contexts.
2188 * (T143788) Backports for PHP 7.0 and 7.1 support.
2189 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
2190 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
2191 * (T174255) Declare uploadCount property in importDump.php.
2192 * (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to
2193 v4.8.36.
2194 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
2195 browser sends non-standard url escaping.
2196 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
2197 * (T128209) SECURITY: Reflected File Download from api.php.
2198 * (T134100) SECURITY: Do not reveal if user exists during login failure.
2199 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
2200 * (T125163) SECURITY: Make anchor for headlines escape > and <.
2201 * (T180237) SECURITY: Protect vendor folder with .htaccess.
2202 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
2203 update.php.
2204 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
2205 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
2206
2207 == MediaWiki 1.28.2 ==
2208
2209 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
2210 included in the tarball version of MediaWiki 1.28.1. The version included had a
2211 serious security issue in it (T158689). There was also some minor code fixes in
2212 MediaWiki itself since 1.28.1, but none of them were security relevant.
2213
2214 == MediaWiki 1.28.1 ==
2215
2216 This is a security and maintenance release of the MediaWiki 1.28 branch.
2217
2218 === Changes since 1.28.0 ===
2219
2220 * $wgRunJobsAsync is now false by default (T142751). This change only affects
2221 wikis with $wgJobRunRate > 0.
2222 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki
2223 has more than one database server setup.
2224 * (T152717) Better escaping for PHP mail() command,
2225 * (T154670) A missing method causing the MySQL installer to fatal in rare
2226 circumstances was restored.
2227 * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
2228 * (T158766) Avoid SQL error on MSSQL when using selectRowCount().
2229 * (T145635) Fix too long index error when installing with MSSQL.
2230 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2231 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
2232 installed.
2233 * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28
2234 installs.
2235 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
2236 redirect to interwiki links.
2237 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
2238 $wgAdvancedSearchHighlighting is true.
2239 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
2240 their values out of the logs.
2241 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
2242 CSRF token.
2243 * (T156184) SECURITY: Escape content model/format url parameter in message.
2244 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
2245 declaration.
2246 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
2247 directory in it's fallback chain when trying to work out where to write the
2248 cache.
2249 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
2250 inclusion syntax's link parameter.
2251 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
2252 against it.
2253
2254 == MediaWiki 1.28 ==
2255
2256 === Changes since 1.28.0-rc1 ===
2257 * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
2258 errors.
2259 * (T148956) Only apply wgDBschema to postgres/mssql.
2260 * (T145991) Introduce separate log action for deleting pages on move.
2261 * (T141474) (T110464) Bypass login page if no user input is required.
2262
2263 === Changes since 1.28.0-rc0 ===
2264 * (T142210) The changes to move the parser "NewPP limit report" from a HTML
2265 comment to a machine-readable JavaScript config option 'wgPageParseReport'
2266 have been undone. They caused the human-readable limit report to be shown
2267 incompletely or not at all. ParserOutput::setLimitReportData() and
2268 getLimitReportData() behave as they did in MediaWiki 1.27 again.
2269 * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
2270 the text of subheadings on a category page when creating it. This wasn't
2271 working correctly.
2272 * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
2273 canonical pretty URL when a non-pretty URL is used. It resulted in redirect
2274 loops in some clients and in some server configurations. This undoes a change
2275 made in MediaWiki 1.26.
2276 * (T149759) manifest_version: 2 was removed.
2277
2278 === Configuration changes in 1.28 ===
2279 * $wgSend404Code now affects status code of action=history if the page is not
2280 there.
2281 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
2282 made by MediaWiki via a proxy. Relying on the http_proxy environment
2283 variable is no longer supported.
2284 * The load.php entry point now enforces the existing policy of not allowing
2285 access to session data, which includes the session user and the session
2286 user's language. If such access is attempted, an exception will be thrown.
2287 * The number of internal PBKDF2 iterations used to derive the session secret
2288 is configurable via $wgSessionPbkdf2Iterations.
2289 * Upload dialog's file upload log comment can now be configured separately for
2290 local and foreign uploads.
2291 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
2292 signifies local uploads. A value of `[]` (empty array) now means that
2293 no upload targets are allowed, effectively disabling the upload dialog.
2294 * The deprecated $wgEditEncoding variable has been removed; it was only used
2295 for Esperanto language character conversion. You are now recommended to use
2296 input methods provided by the UniversalLanguageSelector extension.
2297 * When $wgPingback is true, MediaWiki will periodically ping
2298 https://www.mediawiki.org/beacon with basic information about the local
2299 MediaWiki installation. This data includes, for example, the type of system,
2300 PHP version, and chosen database backend. This behavior is off by default.
2301 * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
2302 to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
2303 if false, the default, they will be "Save page"/"Save changes".
2304 * The 'editcontentmodel' permission is now granted to all logged-in users
2305 ('user').
2306 instead of just administrators ('sysop'). Documentation for this feature is
2307 available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
2308 * $wgRevisionCacheExpiry is now set to one week by default instead of being
2309 disabled.
2310 * Magic links are now disabled by default, and can be re-enabled by modifying
2311 the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are
2312 manually enabled, a tracking category will be added to help identify usage and
2313 make it easier to migrate away from. If you depend upon magic link
2314 functionality, it is requested that you comment on
2315 <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links>
2316 and explain your use case(s).
2317 * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
2318 in upcoming Content-Security-Policy feature's reporting.
2319
2320 === New features in 1.28 ===
2321 * User::isBot() method for checking if an account is a bot role account.
2322 * Added a new 'slideshow' mode for galleries.
2323 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
2324 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
2325 interact with API parsing.
2326 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
2327 upload. Unlike 'UploadVerifyFile' it provides information about upload comment
2328 and the file description page, but does not run for uploads to stash.
2329 * (T141604) Extensions can now provide a better error message when their
2330 maintenance scripts are run without the extension being installed.
2331 * (T8948) Numeric sorting in categories is now supported by setting
2332 $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you
2333 can't use UCA collations, a 'numeric' collation is also available. If
2334 migrating from another collation, you will need to run the updateCollation.php
2335 maintenance script.
2336 * Two new codes have been added to #time parser function: "xit" for days in
2337 current month, and "xiz" for days passed in the year, both in Iranian
2338 calendar.
2339 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
2340 appropriate for sending multi-valued parameters. This defaults to true when
2341 the mw.Api instance seems to be for the local wiki.
2342 * After a client performs an action which alters a database that has replica
2343 databases, MediaWiki will wait for the replica databases to synchronize with
2344 the master database while it renders the HTML output. However, if the output
2345 is a redirect to another wiki on the wiki farm with a different domain,
2346 MediaWiki will instead alter the redirect URL to include a ?cpPosTime
2347 parameter that triggers the database synchronization when the URL is followed
2348 by the client. The same-domain case uses a new cpPosTime cookie.
2349 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
2350 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
2351 'show' parameters to existing API query modules.
2352
2353 === External library changes in 1.28 ===
2354
2355 ==== Upgraded external libraries ====
2356 * Updated es5-shim from v4.1.5 to v4.5.8
2357 * Updated composer/semver from v1.4.1 to v1.4.2
2358 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
2359
2360 ==== New external libraries ====
2361 * Added wikimedia/scoped-callback v1.0.0
2362 * Added wikimedia/wait-condition-loop v1.0.1
2363
2364 === Bug fixes in 1.28 ===
2365 * (T146496) action=history pages should return 404 HTTP error code if the page
2366 does not exist
2367 * (T137264) SECURITY: XSS in unclosed internal links
2368 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
2369 * (T133147) SECURITY: Require login to preview user CSS pages
2370 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
2371 the top file
2372 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
2373 permissions
2374 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
2375 * (T139670) Move 'UserGetRights' call before application of
2376 Session::getAllowedUserRights()
2377
2378 === Action API changes in 1.28 ===
2379 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
2380 the value of $wgMaxArticleSize.
2381 * Property 'modulemessages' from action=parse&prop=modules was removed
2382 (deprecated since 1.26).
2383 * The following response properties from action=login, deprecated in 1.27, are
2384 now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
2385 to properly manage session state.
2386 * Submitting the lgtoken and lgpassword parameters in the query string to
2387 action=login is now deprecated and outputs a warning. They should be submitted
2388 in the POST body instead.
2389 * Submitting sensitive authentication request parameters to action=clientlogin,
2390 action=createaccount, action=linkaccount, and action=changeauthenticationdata
2391 in the query string is now deprecated and outputs a warning. They should be
2392 submitted in the POST body instead.
2393 * (T141960) Multi-valued parameters may now be separated using U+001F
2394 (Unit Separator) instead of the pipe character. This will be useful if some of
2395 the multiple values need to contain pipes, e.g. for action=options.
2396 * The API will now warn if input is not NFC-normalized Unicode or if it
2397 contains invalid characters.
2398 * The 'normalized' list output by action=query and other modules that use
2399 ApiPageSet may contain entries where the 'from' value is percent-encoded as
2400 the raw value cannot be represented in a valid API response. These are
2401 indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
2402 * (T28680) action=paraminfo can now return info about all submodules of a
2403 module without listing them all explicitly.
2404 * (T146770) It is now possible to assert that the current user is a specific
2405 named user, using the 'assertuser' parameter.
2406 * (T141963) Added a 'known' property when missing-but-known titles (e.g. from
2407 the 'TitleIsAlwaysKnown' hook) are output in various modules.
2408
2409 === Action API internal changes in 1.28 ===
2410 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
2411 interact with ApiParse and ApiExpandTemplates.
2412 * (T139565) SECURITY: API: Generate head items in the context of the given title
2413 * (T115333) SECURITY: Check read permission when loading page content in
2414 ApiParse
2415 * ApiBase::getResultData() was removed (deprecated since 1.25)
2416 * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
2417 * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
2418 * ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
2419 * ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
2420 * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
2421 * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
2422 * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
2423 * ApiFormatBase::setHelp() was removed (deprecated since 1.25)
2424 * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
2425 * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
2426 * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
2427 * ApiMain::setHelp() was removed (deprecated since 1.25)
2428 * ApiResult::beginContinuation() was removed (deprecated since 1.25)
2429 * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
2430 * ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
2431 * ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
2432 * ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
2433 * ApiResult::endContinuation() was removed (deprecated since 1.25)
2434 * ApiResult::getData() was removed (deprecated since 1.25)
2435 * ApiResult::getIsRawMode() was removed (deprecated since 1.25)
2436 * ApiResult::setContent() was removed (deprecated since 1.25)
2437 * ApiResult::setContinueParam() was removed (deprecated since 1.25)
2438 * ApiResult::setElement() was removed (deprecated since 1.25)
2439 * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
2440 * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
2441 * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
2442 * ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
2443 * ApiResult::setParsedLimit() was removed (deprecated since 1.25)
2444 * ApiResult::setRawMode() was removed (deprecated since 1.25)
2445 * ApiResult::size() was removed (deprecated since 1.25)
2446 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
2447 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
2448 'show' parameters to existing API query modules. A query module can enable
2449 these hooks by passing an array for $hookData to ApiQueryBase::select() and
2450 by calling ApiQueryBase->processRow() before adding a row's data to the
2451 result.
2452
2453 === Languages updated in 1.28 ===
2454
2455 MediaWiki supports over 375 languages. Many localisations are updated
2456 regularly. Below only new and removed languages are listed, as well as
2457 changes to languages because of Phabricator reports.
2458
2459 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
2460 BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
2461 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
2462 Saiddzone Saimawnkham, Saosukham, and Sengwan.
2463 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
2464 * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator
2465 Ilja.mos.
2466
2467 === Other changes in 1.28 ===
2468 * (T128697) Improved handling of large diffs.
2469 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
2470 use or update a custom session provider if needed.
2471 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
2472 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
2473 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
2474 * The 'UserLoginComplete' hook has a new parameter to differentiate between
2475 actual login and visiting the login page while already logged in.
2476 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
2477 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
2478 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
2479 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
2480 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
2481 MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
2482 were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
2483 respectively. See docs/hooks.txt for the specific changes needed for those
2484 hooks.
2485 * Linker::formatSize() was deprecated. Use Language::formatSize() directly.
2486 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
2487 * Skin::commentBlock() (use Linker::commentBlock() instead)
2488 * Skin::generateRollback() (use Linker::generateRollback() instead)
2489 * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
2490 * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
2491 * Skin::userLink() (use Linker::userLink() instead)
2492 * Skin::userToolLinks() (use Linker::userToolLinks() instead)
2493 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
2494 disabled.
2495 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
2496 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
2497 Use ...->stashFile()->getFileKey() instead.
2498 * "Public domain" was removed as a wiki license option from the installer, in
2499 favour of CC-0.
2500 * AuthenticationRequest::$required is now changed from REQUIRED to
2501 PRIMARY_REQUIRED on requests needed by primary providers even if all primaries
2502 need them.
2503 Primary providers are discouraged from returning multiple REQUIRED requests.
2504 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
2505 will no longer be automatically infused. You should call `OO.ui.infuse()`
2506 on them yourself from your JavaScript code.
2507 * parserTests.php has moved to tests/parser/parserTests.php
2508 * The command line options specific to parser tests have been removed from
2509 phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
2510 Instead of --keep-uploads, use the same option to parserTests.php, but you
2511 must specify a directory with --upload-dir.
2512 * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
2513 * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
2514 migrate to using the same functions on a ProxyLookup instance, obtainable from
2515 MediaWikiServices.
2516 * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave,
2517 ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText,
2518 EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation
2519 warnings if used.
2520 * (T68404) CSS3 attr() function with url type is no longer allowed
2521 in inline styles.
2522 * Database::getSearchEngine() is deprecated, use
2523 SearchEngineFactory::getSearchEngineClass instead.
2524
2525 == Compatibility ==
2526
2527 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
2528 HHVM 3.6.5 or later.
2529
2530 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
2531 support for them is somewhat less mature. There is experimental support for
2532 Oracle and Microsoft SQL Server.
2533
2534 The supported versions are:
2535
2536 * MySQL 5.0.3 or later
2537 * PostgreSQL 8.3 or later
2538 * SQLite 3.3.7 or later
2539 * Oracle 9.0.1 or later
2540 * Microsoft SQL Server 2005 (9.00.1399)
2541
2542 == Upgrading ==
2543
2544 1.28 has several database changes since 1.27, and will not work without schema
2545 updates. Note that due to changes to some very large tables like the revision
2546 table, the schema update may take quite long (minutes on a medium sized site,
2547 many hours on a large site).
2548
2549 If upgrading from before 1.11, and you are using a wiki as a commons
2550 repository, make sure that it is updated as well. Otherwise, errors may arise
2551 due to database schema changes.
2552
2553 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
2554 new database fields are filled with data.
2555
2556 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
2557 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
2558 with MediaWiki 1.21.
2559
2560 Don't forget to always back up your database before upgrading!
2561
2562 See the file UPGRADE for more detailed upgrade instructions.
2563
2564 For notes on 1.27.x and older releases, see HISTORY.
2565
2566 == Online documentation ==
2567
2568 Documentation for both end-users and site administrators is available on
2569 MediaWiki.org, and is covered under the GNU Free Documentation License (except
2570 for pages that explicitly state that their contents are in the public domain):
2571
2572 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
2573
2574 == Mailing list ==
2575
2576 A mailing list is available for MediaWiki user support and discussion:
2577
2578 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
2579
2580 A low-traffic announcements-only list is also available:
2581
2582 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
2583
2584 It's highly recommended that you sign up for one of these lists if you're
2585 going to run a public MediaWiki, so you can be notified of security fixes.
2586
2587 == IRC help ==
2588
2589 There's usually someone online in #mediawiki on irc.freenode.net.
2590
2591 = MediaWiki 1.27 =
2592
2593 == MediaWiki 1.27.7 ==
2594
2595 This is a maintenance release of the MediaWiki 1.27 branch.
2596
2597 === Changes since MediaWiki 1.27.6 ===
2598 * Add missing `use MediaWiki\MediaWikiServices;` to LogEventsList.php.
2599 * Remove broken tests from ApiBlockTest.php.
2600
2601 == MediaWiki 1.27.6 ==
2602
2603 This is a security and maintenance release of the MediaWiki 1.27 branch.
2604
2605 === Changes since MediaWiki 1.27.5 ===
2606 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
2607 all titles when asked for none.
2608 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
2609 libraries.
2610 * (T207241) Augment precision of updatelist time.
2611 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
2612 * (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
2613 * (T207603) SECURITY: User JS may no longer be loaded with mime type
2614 text/javascript if there is no account associated with the username.
2615 * (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME
2616 type if non-admins can edit the page.
2617 * (T207541) Pass email address to mail().
2618 * (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
2619 * (T213359) Update mediawiki/mediawiki-codesniffer to 0.8.1.
2620 * (T208871) The hard-coded Google search form on the database error page was
2621 removed.
2622 * (T216968) Return pageid as int in both list=iwbacklinks and
2623 list=langbacklinks.
2624 * (T218608) Fix an issue that prevents Extension:OAuth working when
2625 $wgBlockDisablesLogin is true.
2626 * (T219728) Added support for new Japanese era name "Reiwa".
2627 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
2628 token.
2629 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
2630 reauthenticating.
2631 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
2632 getLoginSecurityLevel() returns non-false.
2633 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
2634 * (T208881) SECURITY: blacklist CSS var().
2635 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
2636 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
2637 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
2638 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
2639 view the log type.
2640 * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.
2641
2642 == MediaWiki 1.27.5 ==
2643
2644 This is a security and maintenance release of the MediaWiki 1.27 branch.
2645
2646 === Changes since 1.27.4 ===
2647 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
2648 'newbie'.
2649 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
2650 account lock.
2651 * Upgraded Moment.js from v2.8.4 to v2.19.3.
2652 * (T160298) Fixed Special:ActiveUsers due to bad backport.
2653 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
2654 array.
2655 * Updated list of SPDX licenses for extensions.
2656 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
2657 include extensions. Pass --with-extensions to enable that feature.
2658 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
2659 * Add default edit rate limit of 90 edits/minute for all users.
2660 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
2661 * (T196672) The mtime of extension.json files is now able to be zero.
2662 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
2663 hook.
2664 * (T180403) Validate $length in padleft/padright parser functions.
2665 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
2666 * Special:BotPasswords now requires reauthentication.
2667 * (T191608, T187638) Add 'logid' parameter to Special:Log.
2668 * (T193829) Indicate when a Bot Password needs reset.
2669 * (T151415) Log email changes.
2670 * (T118420) Unbreak Oracle installer.
2671
2672 == MediaWiki 1.27.4 ==
2673 This is a security and maintenance release of the MediaWiki 1.27 branch.
2674
2675 === Changes since 1.27.3 ===
2676 * (T100085) Better handling of jobs execution in post-connection shutdown.
2677 * (T141604) Support conditionally registered namespaces.
2678 * (T167798) Fix highlighting for phrase queries and phrase search.
2679 * (T151136) Provide credits information to callbacks.
2680 * (T160462) Allow namespaces defined in extension.json to be overwritten
2681 locally.
2682 * (T168856) Allow SVGs created by Dia to be uploaded.
2683 * (T144705) (T148662) Password reset link is no longer shown when no reset
2684 options are available.
2685 * (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
2686 * (T66795) $wgUserEmailUseReplyTo is now true by default to work around
2687 restrictive DMARC policies.
2688 * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and
2689 core.
2690 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
2691 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
2692 * (T142304) Allow putting the app ID in the password for bot passwords.
2693 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
2694 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
2695 browser sends non-standard url escaping.
2696 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
2697 * (T128209) SECURITY: Reflected File Download from api.php.
2698 * (T134100) SECURITY: Do not reveal if user exists during login failure.
2699 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
2700 * (T125163) SECURITY: Make anchor for headlines escape > and <.
2701 * (T180237) SECURITY: Protect vendor folder with .htaccess.
2702 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
2703 update.php.
2704 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
2705 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
2706
2707 == MediaWiki 1.27.3 ==
2708 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
2709 included in the tarball version of MediaWiki 1.27.2. The version included had a
2710 serious security issue in it (T158689). There was also some minor code fixes in
2711 MediaWiki itself since 1.27.2, but none of them were security relevant.
2712
2713 === Changes since 1.27.2 ===
2714 * (T145664) Fix broken wincache merge() implementation
2715 * (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility
2716 * (T153505) Fix php warnings on php 7.1 due to use of &$this
2717
2718 == MediaWiki 1.27.2 ==
2719 This is a security and maintenance release of the MediaWiki 1.27 branch.
2720
2721 ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
2722 deprecated (rather than already removed) in the RELEASE-NOTES at the point
2723 1.27.0 was released.
2724
2725 === Changes since 1.27.1 ===
2726
2727 * (T68404) CSS3 attr() function with url type argument is no longer allowed
2728 in inline styles.
2729 * $wgRunJobsAsync is now false by default (T142751). This change only affects
2730 wikis with $wgJobRunRate > 0.
2731 * (T152717) Better escaping for PHP mail() command
2732 * Submitting the lgtoken and lgpassword parameters in the query string to
2733 action=login is now deprecated and outputs a warning. They should be submitted
2734 in the POST body instead.
2735 * Submitting sensitive authentication request parameters to action=clientlogin,
2736 action=createaccount, action=linkaccount, and action=changeauthenticationdata
2737 in the query string is now deprecated and outputs a warning. They should be
2738 submitted in the POST body instead.
2739 * (T158766) Avoid SQL error on MSSQL when using selectRowCount()
2740 * (T145635) Fix too long index error when installing with MSSQL.
2741 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2742 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
2743 installed.
2744 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
2745 redirect to interwiki links.
2746 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
2747 $wgAdvancedSearchHighlighting is true.
2748 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
2749 their values out of the logs.
2750 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
2751 CSRF token.
2752 * (T156184) SECURITY: Escape content model/format url parameter in message.
2753 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
2754 declaration.
2755 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
2756 directory in it's fallback chain when trying to work out where to write the
2757 cache.
2758 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
2759 inclusion syntax's link parameter.
2760 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
2761 against it.
2762
2763 == MediaWiki 1.27.1 ==
2764
2765 This is a maintenance release of the MediaWiki 1.27 branch.
2766
2767 === Changes since 1.27.0 ===
2768 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
2769 made by MediaWiki via a proxy. Relying on the http_proxy environment
2770 variable is no longer supported.
2771 * (T139565) SECURITY: API: Generate head items in the context of the given title
2772 * (T137264) SECURITY: XSS in unclosed internal links
2773 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
2774 * (T133147) SECURITY: Require login to preview user CSS pages
2775 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
2776 the top file
2777 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
2778 permissions
2779 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
2780 * (T115333) SECURITY: Check read permission when loading page content in
2781 ApiParse
2782 * (T57548) Remove support for $wgWellFormedXml = false, all output is now well
2783 formed
2784 * (T139670) Move 'UserGetRights' call before application of
2785 Session::getAllowedUserRights()
2786
2787 == MediaWiki 1.27.0 ==
2788
2789 === PHP version requirement in 1.27 ===
2790 As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
2791 section). Additionally, the following PHP extensions are required:
2792 * ctype
2793 * iconv
2794 * json
2795 * mbstring (new requirement in 1.27)
2796 * xml
2797 The following PHP extensions are strongly recommended:
2798 * openssl
2799
2800 === Configuration changes in 1.27 ===
2801 * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
2802 now always enabled. If you use RDFa on your wiki, you now have to explicitly
2803 set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
2804 * $wgUseLinkNamespaceDBFields was removed.
2805 * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
2806 $wgResourceLoaderMinifierMaxLineLength, because there was little value in
2807 making the behavior configurable. The default values (`false` for the former,
2808 1000 for the latter) are now hard-coded.
2809 * $wgDebugDumpSqlLength was removed (deprecated in 1.24).
2810 * $wgDebugDBTransactions was removed (deprecated in 1.20).
2811 * $wgUseXVO has been removed, as it provides functionality only used by
2812 custom Wikimedia patches against Squid 2.x that probably noone uses in
2813 production anymore. There is now $wgUseKeyHeader that provides similar
2814 functionality but instead of the MediaWiki-specific X-Vary-Options header,
2815 uses the draft Key header standard.
2816 * $wgScriptExtension (and support for '.php5' entry points) was removed. See the
2817 deprecation notice in the release notes for version 1.25 for advice on how to
2818 preserve support for '.php5' entry points via URL rewriting.
2819 * Password handling via the User object has been deprecated and partially
2820 removed, pending the future introduction of AuthManager. In particular:
2821 ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
2822 getPasswordExpired() have been removed. They were unused outside of core.
2823 ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
2824 now private and will be removed in the future.
2825 ** The getPassword() and getTemporaryPassword() methods now throw
2826 BadMethodCallException and will be removed in the future.
2827 ** The ability to pass 'password' and 'newpassword' to createNew() has been
2828 removed. The only users of it seem to have been using it to set invalid
2829 passwords, and so shouldn't be greatly affected.
2830 ** setPassword(), setInternalPassword(), and setNewpassword() have been
2831 deprecated, pending the introduction of AuthManager.
2832 ** User::randomPassword() is deprecated in favor of a new method
2833 PasswordFactory::generateRandomPasswordString()
2834 ** User::getPasswordFactory() is deprecated, callers should just create a
2835 PasswordFactory themselves.
2836 ** A new constructor, User::newSystemUser(), has been added to simplify the
2837 creation of passwordless "system" users for logged actions.
2838 * $wgMaxSquidPurgeTitles was removed.
2839 * $wgAjaxWatch was removed. This is now enabled by default.
2840 * $wgUseInstantCommons now hotlinks Commons images by default instead of
2841 downloading originals and thumbnailing them locally. This allows wikis to save
2842 on CPU and bandwidth while reducing time to first byte for pages, even without
2843 a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
2844 * (T27397) WebP is enabled by default as an uploadable filetype.
2845 * (T48998) $wgArticlePath must now be either a full url, or start with a "/".
2846 * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
2847 * Deprecated API formats dbg, txt, and yaml have been removed.
2848 * CLDRPluralRule* classes have been replaced with
2849 wikimedia/cldr-plural-rule-parser.
2850 * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
2851 $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
2852 $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
2853 * For proper operation of LocalIdLookup with shared user tables, ensure that
2854 $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
2855 that all others are sharing from and that $wgLocalDatabases is set to the
2856 full list of sharing wikis on all those wikis.
2857 * Massive overhaul to session handling:
2858 ** $wgSessionsInObjectCache is no longer supported and must be true, due to
2859 MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
2860 used.
2861 ** ObjectCacheSessionHandler is removed, replaced with
2862 MediaWiki\Session\PhpSessionHandler.
2863 ** PHP session handling in general ($_SESSION, session_id(), and so on) is
2864 deprecated. Use MediaWiki\Session\SessionManager instead. A new config
2865 variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
2866 issue a deprecation warning or to cause most PHP session handling to throw
2867 exceptions.
2868 ** Deprecated UserSetCookies hook. Session-handling extensions should generally
2869 be creating a custom subclass of CookieSessionProvider. Other extensions
2870 messing with cookies can no longer count on user data being saved in cookies
2871 versus other methods.
2872 ** Deprecated UserLoadFromSession hook, extensions should create a
2873 MediaWiki\Session\SessionProvider.
2874 ** The User cannot be loaded from session until after Setup.php completes.
2875 Attempts to do so will be ignored and the User will remain unloaded.
2876 ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
2877 the MediaWiki\Session\Token class.
2878 * MediaWiki will now auto-create users as necessary, removing the need for
2879 extensions to do so. An 'autocreateaccount' right is added to allow
2880 auto-creation when 'createaccount' is not granted to all users.
2881 * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
2882 * Most cookie-handling methods in User are deprecated.
2883 * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
2884 experimental feature that has never worked.
2885 * Login and createaccount tokens now vary by timestamp.
2886 * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
2887 return a MediaWiki\Session\Token, and tokens must be checked using that
2888 class's methods.
2889 * $wgEnotifUseJobQ was removed and the job queue is always used.
2890 * The functionality of the ApiSandbox extension has been merged into core. The
2891 extension should no longer be used.
2892 * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
2893 Extensions, skins, gadgets and scripts that use the mediawiki.util module must
2894 express a dependency on it.
2895 * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
2896 Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
2897 module should express a dependency on it.
2898 * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
2899 $wgFooterIcons['copyright']['copyright'] instead.
2900 * If the openssl and mcrypt PHP extensions are both unavailable, secure
2901 session storage (used for login) will raise an exception. This exception may
2902 be bypassed by setting $wgSessionInsecureSecrets = true.
2903 * Massive overhaul to authentication:
2904 ** AuthPlugin and AuthPluginUser are deprecated.
2905 ** LoginForm and associated templates are deprecated. Extensions which called
2906 static LoginForm methods should be converted into authentication providers.
2907 ** The following hooks are deprecated:
2908 *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2909 *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2910 *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2911 *** AddNewAccount (use LocalUserCreated instead)
2912 *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider
2913 instead)
2914 *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
2915 *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider
2916 instead)
2917 *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type
2918 instead)
2919 *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type
2920 instead)
2921 ** The following hooks are removed:
2922 *** AbortChangePassword
2923 *** LoginPasswordResetMessage
2924 *** PrefsPasswordAudit
2925 ** The UserLoginComplete hook will no longer be called for all logins, only for
2926 those via the web UI. Use UserLoggedIn if you need to do something on all
2927 logins.
2928 ** $wgRequirePasswordforEmailChange is removed.
2929
2930 === New features in 1.27 ===
2931 * $wgDataCenterUpdateStickTTL was also added. This decides how long a user
2932 sticks to the primary DC (via cookies) after they make changes to the site.
2933 * Added a new hook, 'UserMailerTransformContent', to transform the contents
2934 of an email. This is similar to the EmailUser hook but applies to all mail
2935 sent via UserMailer.
2936 * Added a new hook, 'UserMailerTransformMessage', to transform the contents
2937 of an emai after MIME encoding.
2938 * Added a new hook, 'UserMailerSplitTo', to control which users have to be
2939 emailed separately (ie. there is a single address in the To: field) so
2940 user-specific changes to the email can be applied safely.
2941 * $wgCdnMaxageLagged was added, which limits the CDN cache TTL
2942 when any load balancer uses a DB that is lagged beyond the 'max lag'
2943 setting in the relevant section of $wgLBFactoryConf.
2944 * User::newSystemUser() may be used to simplify the creation of passwordless
2945 "system" users for logged actions from scripts and extensions.
2946 * Extensions can now return detailed error information via the API when
2947 preventing user actions using 'getUserPermissionsErrors' and similar hooks
2948 by using ApiMessage instances instead of strings for the $result value.
2949 * $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
2950 becomes too high.
2951 * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
2952 and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
2953 cross-browser-compatible FlexBox rules. Users will still need to add fallback
2954 float rules or the like for compatibility with IE9- separately.
2955 * Added MWTimestamp::getTimezoneString() which returns the localized timezone
2956 string, if available. To localize this string, see the comments of
2957 $wgLocaltimezone in includes/DefaultSettings.php.
2958 * Added CentralIdLookup, a service that allows extensions needing a concept of
2959 "central" users to get that without having to know about specific central
2960 authentication extensions.
2961 * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
2962 Regular web request transactions that takes longer than this are aborted.
2963 * Added a new hook, 'TitleMoveCompleting', which runs before a page move is
2964 committed.
2965 * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
2966 from CDN to mitigate DB replication lag and WAN cache purge lag.
2967 * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
2968 if it is available.
2969 * It is now possible to patrol file uploads (both for new files and new versions
2970 of existing files). Special:NewFiles has gained an option to filter by patrol
2971 status. This functionality can be disabled using $wgUseFilePatrol.
2972 * MediaWiki\Session infrastructure allows for easier use of session mechanisms
2973 other than the usual cookies.
2974 ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
2975 custom session metadata.
2976 * Added MWGrants and associated configuration settings $wgGrantPermissions and
2977 $wgGrantPermissionGroups to hold configuration for authentication features
2978 such as OAuth that want to allow restricting the user rights a user may make
2979 use of.
2980 ** If you're already using the OAuth extension, these new variables are
2981 identical to (and will replace) $wgMWOAuthGrantPermissions and
2982 $wgMWOAuthGrantPermissionGroups.
2983 * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
2984 to assert that the request comes from a particular IP range.
2985 * Added bot passwords, a rights-restricted login mechanism for API-using bots.
2986 * Whitelisted the following HTML attributes for all elements in wikitext:
2987 aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
2988 * Removed "presentation" restriction on the HTML role attribute in wikitext.
2989 All values are now allowed for the role attribute.
2990 * $wgContentHandlers now also supports callbacks to create an instance of the
2991 appropriate ContentHandler subclass.
2992 * Added $wgAuthenticationTokenVersion, which if non-null prevents the
2993 user_token database field from being exposed in cookies. Setting this would
2994 be a good idea, but will log out all current sessions.
2995 * $wgEventRelayerConfig was added, for managing PubSub event relay
2996 configuration, specifically for reliable CDN url purges.
2997 * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
2998 MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
2999 generated 24-character string. This request ID is used to annotate log records
3000 and error messages. It is available client-side via
3001 mw.config.get( 'wgRequestId' ).
3002 The request ID supplants exception IDs. Accordingly,
3003 MWExceptionHandler::getLogId() is deprecated.
3004 * (T33313) Add a preference for watching uploads by default, also applies
3005 to API-based upload tools.
3006 * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
3007 thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
3008 savings versus the previous behavior on many files.
3009 * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
3010 configuration of multiple authentication pieces that was possible with
3011 AuthPlugin. For example, it's now easy to plug in second-factor
3012 authentication, or add additional checks to the login process, or to support
3013 multiple login methods at once, or to support non-password-based login
3014 methods.
3015 ** Providers are configured via the global setting $wgAuthManagerConfig.
3016 ** A global, $wgDisableAuthManager, is temporarily available to disable
3017 AuthManager until extensions are ready to support it.
3018 ** New hook, AuthChangeFormFields, to adjust the form fields on
3019 AuthManager-related special pages.
3020 ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
3021 AuthManager-related authentication requests.
3022 ** New hook, ChangeAuthenticationDataAudit, for additional logging of
3023 AuthManager-related authentication data changes.
3024 ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
3025 for requiring a recent login before taking security-sensitive operations
3026 like changing a password.
3027 ** Two new globals, $wgChangeCredentialsBlacklist and
3028 $wgRemoveCredentialsBlacklist can be used to prevent the web UI and the API
3029 changing certain authentication data.
3030 * The file upload dialog (available if you install WikiEditor or VisualEditor)
3031 can now be configured using $wgUploadDialog.
3032
3033 === External library changes in 1.27 ===
3034
3035 ==== Upgraded external libraries ====
3036 * Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
3037 * Updated composer/semver from v1.0.0 to v1.2.0.
3038 * Updated liuggio/statsd-php-client to 1.0.18.
3039 * Updated QUnit from v1.18.0 to v1.22.0.
3040
3041 ==== New external libraries ====
3042 * Added wikimedia/base-convert v1.0.1.
3043 * Added wikimedia/cldr-plural-rule-parser v1.0.0.
3044 * Added wikimedia/relpath v1.0.3.
3045 * Added wikimedia/running-stat v1.1.0.
3046 * Added wikimedia/php-session-serializer v1.0.3.
3047
3048 ==== Removed and replaced external libraries ====
3049
3050 === Bug fixes in 1.27 ===
3051 * Special:Upload will now display correct maximum allowed file size when running
3052 under HHVM (T116347).
3053 * (T54077) The APIEditBeforeSave hook will once again give only the content of
3054 the section being edited, rather than the whole revision. This reverts the
3055 change made in MediaWiki 1.22.
3056
3057 === Action API changes in 1.27 ===
3058 * Added list=allrevisions.
3059 * generator=recentchanges now has the option to generate revids.
3060 * ApiPageSet::setRedirectMergePolicy() was added. This allows generator
3061 modules to define how generator data for a redirect source gets merged
3062 into the redirect destination.
3063 * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
3064 "was-deleted" warning.
3065 * Added difftotextpst to query=revisions which preforms a pre-save transform on
3066 the text before diffing it.
3067 * Deprecated formats dbg, txt, and yaml have been removed.
3068 * (T47988) The protect log event details now use new-style formatting.
3069 * The following response properties from action=login are deprecated, and may
3070 be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
3071 handle cookies to properly manage session state.
3072 * action=login transparently allows login using bot passwords. Clients should
3073 merely need to change the username and password used after setting up a bot
3074 password.
3075 * action=upload no longer understands statuskey, asyncdownload or leavemessage.
3076 * Several changes when $wgDisableAuthManager is false:
3077 ** action=login is deprecated for uses other than bot passwords.
3078 ** list=users can now indicate if a missing username is creatable.
3079 ** action=createaccount is changed in a non-backwards-compatible manner.
3080 ** Added action=query&meta=authmanagerinfo.
3081 ** Added action=clientlogin to be used to log into the main account instead of
3082 action=login.
3083 ** Added action=linkaccount.
3084 ** Added action=unlinkaccount.
3085 ** Added action=changeauthenticationdata.
3086 ** Added action=removeauthenticationdata.
3087 ** Added action=resetpassword.
3088
3089 === Action API internal changes in 1.27 ===
3090 * ApiQueryORM removed.
3091 * The following classes have been removed:
3092 ** ApiFormatDbg
3093 ** ApiFormatTxt
3094 ** ApiFormatYaml
3095 * ApiBase::addTokenProperties() was removed (deprecated since 1.24).
3096 * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
3097 * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
3098 * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated
3099 since 1.24).
3100 * ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
3101 * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated
3102 since 1.24).
3103 * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated
3104 since 1.24).
3105 * ApiBase::getResultProperties() was removed (deprecated since 1.24).
3106 * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
3107 * ApiBase::parseErrors() was removed (deprecated since 1.24).
3108 * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
3109 ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
3110 * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
3111 * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
3112 * ApiQuery::getGenerators() was removed (deprecated since 1.21).
3113 * ApiQuery::getModules() was removed (deprecated since 1.21).
3114 * ApiQuery::getModuleType() was removed (deprecated since 1.21).
3115 * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
3116 * ApiMain::getModules() was removed (deprecated since 1.21).
3117 * ApiBase::getVersion() was removed (deprecated since 1.21).
3118 * ApiMain::getShowVersions() was removed (deprecated in 1.21).
3119 * ApiMain::addModule() was removed (deprecated in 1.21).
3120 * ApiMain::addFormat() was removed (deprecated in 1.21).
3121 * ApiMain::getFormats() was removed (deprecated in 1.21).
3122 * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
3123 * ApiCreateAccount was removed.
3124
3125 === Languages updated in 1.27 ===
3126
3127 MediaWiki supports over 350 languages. Many localisations are updated
3128 regularly. Below only new and removed languages are listed, as well as
3129 changes to languages because of Phabricator reports.
3130
3131 * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
3132 * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
3133
3134 === Other changes in 1.27 ===
3135 * Added dependency injection (DI) infrastructure, see docs/injection.txt for
3136 details.
3137 It is planned to incrementally move MediaWiki code towards using DI, using the
3138 service locator (SL) pattern as a stepping stone.
3139 * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
3140 * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
3141 ignore the 2nd and 3rd arguments (formerly $id and $commit).
3142 * Removed "loaderScripts" option from ResourceLoaderFileModule class.
3143 * Removed ORM-like wrapper added in 1.20.
3144 * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
3145 (deprecated in 1.26).
3146 * WikiPage::doQuickEdit() was removed (deprecated since 1.21).
3147 * Removed SiteObject and SiteArray classes (deprecated in 1.21).
3148 * MessageBlobStore::getInstance() was removed (deprecated since 1.25).
3149 * (T84937) Free external links ("autolinked" urls) will now be terminated
3150 by &nbsp; and HTML entity encodings of &nbsp, <, and >.
3151 * (T36948) The default file revert message's timestamp is now in
3152 $wgLocaltimezone, instead of UTC.
3153 * The default name of the 'suppress' group page has been changed from
3154 'Project:Oversight' to 'Project:Suppress'.
3155 * DatabaseBase::resultObject() is now protected (use outside Database classes
3156 not necessary since 1.11).
3157 * Calling ResourceLoaderFileModule::readStyleFiles() without a
3158 ResourceLoaderContext instance is deprecated.
3159 * ResourceLoader::getLessCompiler() now takes an optional parameter of
3160 additional LESS variables to set for the compiler.
3161 * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
3162 instead.
3163 * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
3164 were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
3165 * Removed msg_resource_links database table and associated code.
3166 * Removed msg_resource database table and associated code.
3167 * Skin::getNamespaceNotice() was removed.
3168 * wfIsConfiguredProxy() was removed (deprecated since 1.24).
3169 * wfDebugTimer() was removed (deprecated since 1.25).
3170 * wfIsTrustedProxy() was removed (deprecated since 1.24).
3171 * wfGetIP() was removed (deprecated since 1.19).
3172 * MWHookException was removed.
3173 * OutputPage::appendSubtitle() was removed (deprecated since 1.19).
3174 * OutputPage::loginToUse() was removed (deprecated since 1.19).
3175 * Article::loadContent() was removed (deprecated since 1.19).
3176 * User::editToken() was removed (deprecated since 1.19).
3177 * Removed --force-normal option of dumpBackup.php, as it no longer served
3178 any useful purpose since 1.22.
3179 * The functions processOption() and processArgs() on the BackupDumper and
3180 TextPassDumper classes have been removed.
3181 * The maintenance/backupTextPass.inc file was deleted. You should include
3182 maintenance/dumpTextPass.php instead.
3183 * WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
3184 * wfEmptyMsg() was removed (deprecated since 1.18).
3185 * OutputPage::permissionRequired() was removed (deprecated since 1.18).
3186 * OutputPage::blockedPage() was removed (deprecated since 1.18).
3187 * User::getSkin() was removed (deprecated since 1.18).
3188 * OutputPage::includeJQuery() was removed (deprecated since 1.17).
3189 * WikiPage::updateRestrictions() was removed (deprecated since 1.19).
3190 * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
3191 * LogPage::logName() was removed (deprecated since 1.19).
3192 * LogPage::logHeader() was removed (deprecated since 1.19).
3193 * wfCheckLimits() was removed (deprecated since 1.24).
3194 * Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
3195 * Linker::makeLinkObj() was removed (deprecated since 1.16).
3196 * wfMsgForContentNoTrans() was removed (deprecated since 1.18).
3197 * ChangesList::usePatrol was removed (deprecated since 1.22).
3198 * wfMsgNoTrans() was removed (deprecated since 1.18).
3199 * Linker::makeImageLink2 was removed (deprecated since 1.20).
3200 * Title::userIsWatching() was removed (deprecated since 1.20).
3201 * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
3202 database function directly instead.
3203 * wfMsg() was removed (deprecated since 1.18).
3204 * wfMsgForContent() was removed (deprecated since 1.18).
3205 * wfMsgReal() was removed (deprecated since 1.18).
3206 * wfMsgGetKey() was removed (deprecated since 1.18).
3207 * wfMsgHtml() was removed (deprecated since 1.18).
3208 * wfMsgWikiHtml() was removed (deprecated since 1.18).
3209 * wfMsgExt() was removed (deprecated since 1.18).
3210 * Language::armourMath() was removed (deprecated since 1.22).
3211 * LanguageConverter::armourMath() was removed (deprecated since 1.22).
3212 * FakeConverter::armourMath() was removed (deprecated since 1.22).
3213 * The unused jquery.validate ResourceLoader module was removed.
3214 * FileRepo::getRootUrl() was removed (deprecated since 1.20).
3215 * User::generateToken() was removed (deprecated since 1.20).
3216 * WikiPage::getRawText() was removed (deprecated since 1.21).
3217 * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
3218 * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
3219 * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
3220 * Gallery images with multiple caption pipes no longer concatenate them all
3221 together but instead pick the final one, similar to image syntax.
3222 * XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
3223 rather than consume everything until the end of the page.
3224 * New maintenance script resetUserEmail.php allows sysadmins to reset user
3225 emails in case a user forgot password/account was stolen.
3226 * wfCheckEntropy() was removed (deprecated in 1.27).
3227 * Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
3228 * ContentHandler::supportsCategories method added. Default is true.
3229 CategoryMembershipChangeJob updates are skipped for content that
3230 does not support categories.
3231 * wikidiff difference engine is no longer supported, anyone still using it are
3232 encouraged to upgrade to wikidiff2 which is actively maintained and has better
3233 package availability.
3234 * Database logic was removed from WatchedItem and a WatchedItemStore was
3235 created:
3236 ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were
3237 deprecated. User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were
3238 introduced.
3239 ** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
3240 ** WatchedItem::resetNotificationTimestamp was deprecated.
3241 ** WatchedItem::batchAddWatch was deprecated.
3242 ** WatchedItem::addWatch was deprecated.
3243 ** WatchedItem::removeWatch was deprecated.
3244 ** WatchedItem::isWatched was deprecated.
3245 ** WatchedItem::duplicateEntries was deprecated.
3246 ** EmailNotification::updateWatchlistTimestamp was deprecated.
3247 ** User::getWatchedItem was removed.
3248 * Unit tests don't work with external PHPUnit anymore, Composer is now the only
3249 supported way. Run `composer install` to install it and other dev dependencies
3250 to run unit tests.
3251 * wl_id field added to the watchlist table.
3252 * Revision::getRawText() was removed (deprecated since 1.21).
3253 * WikiPage::replaceSection() was removed (deprecated since 1.21).
3254 * Article::replaceSection() was removed (deprecated since 1.21).
3255 * Language::getLangObj() was removed (deprecated since 1.24).
3256 * Language::getLanguageName() was removed (deprecated since 1.20).
3257 * Language::getLanguageNames() was removed (deprecated since 1.20).
3258 * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
3259 * Language::specialPage() was removed (deprecated since 1.24).
3260 * MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
3261 * OutputPage::getHeadItems() was removed (deprecated since 1.24).
3262 * OutputPage::getScript() was removed (deprecated since 1.24).
3263 * OutputPage::out() was removed (deprecated since 1.22).
3264 * OutputPage::setAllowedModules() was removed (deprecated since 1.24).
3265 * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
3266 * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
3267 * Title::newFromRedirect() was removed (deprecated since 1.21).
3268 * Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
3269 * Skin::getCommonStylePath() was removed (deprecated since 1.24).
3270 * Skin::newFromKey() was removed (deprecated since 1.24).
3271 * Skin::getUsableSkins() was removed (deprecated since 1.23).
3272 * LoadBalancer::pickRandom() was removed (deprecated in 1.21).
3273 * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated
3274 since 1.21).
3275 * DifferenceEngine::setText() was removed (deprecated in 1.21).
3276 * Title::newFromRedirectArray() was removed (deprecated in 1.21).
3277 * UserMailer::send() no longer accepts $replyto as the 5th argument and
3278 $contentType as the 6th. These must be passed in the options array now.
3279 * Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
3280 * Skin::accesskey was removed (deprecated since 1.21).
3281 * Skin::blockLink was removed (deprecated since 1.21).
3282 * Skin::buildRollbackLink was removed (deprecated since 1.21).
3283 * Skin::emailLink was removed (deprecated since 1.21).
3284 * Skin::formatComment was removed (deprecated since 1.21).
3285 * Skin::formatHiddenCategories was removed (deprecated since 1.21).
3286 * Skin::formatLinksInComment was removed (deprecated since 1.21).
3287 * Skin::formatRevisionSize was removed (deprecated since 1.21).
3288 * Skin::formatSize was removed (deprecated since 1.21).
3289 * Skin::formatTemplates was removed (deprecated since 1.21).
3290 * Skin::generateTOC was removed (deprecated since 1.21).
3291 * Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
3292 * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
3293 * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
3294 * Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
3295 * Skin::getLinkColour was removed (deprecated since 1.21).
3296 * Skin::getRevDeleteLink was removed (deprecated since 1.21).
3297 * Skin::getRollbackEditCount was removed (deprecated since 1.21).
3298 * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
3299 * Skin::makeCommentLink was removed (deprecated since 1.21).
3300 * Skin::makeExternalImage was removed (deprecated since 1.21).
3301 * Skin::makeExternalLink was removed (deprecated since 1.21).
3302 * Skin::makeHeadline was removed (deprecated since 1.21).
3303 * Skin::makeImageLink was removed (deprecated since 1.21).
3304 * Skin::makeMediaLinkFile was removed (deprecated since 1.21).
3305 * Skin::makeMediaLinkObj was removed (deprecated since 1.21).
3306 * Skin::makeSelfLinkObj was removed (deprecated since 1.21).
3307 * Skin::makeThumbLink2 was removed (deprecated since 1.21).
3308 * Skin::makeThumbLinkObj was removed (deprecated since 1.21).
3309 * Skin::normaliseSpecialPage was removed (deprecated since 1.21).
3310 * Skin::normalizeSubpageLink was removed (deprecated since 1.21).
3311 * Skin::processResponsiveImages was removed (deprecated since 1.21).
3312 * Skin::revComment was removed (deprecated since 1.21).
3313 * Skin::revDeleteLink was removed (deprecated since 1.21).
3314 * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
3315 * Skin::revUserLink was removed (deprecated since 1.21).
3316 * Skin::revUserTools was removed (deprecated since 1.21).
3317 * Skin::specialLink was removed (deprecated since 1.21).
3318 * Skin::splitTrail was removed (deprecated since 1.21).
3319 * Skin::titleAttrib was removed (deprecated since 1.21).
3320 * Skin::tocIndent was removed (deprecated since 1.21).
3321 * Skin::tocLine was removed (deprecated since 1.21).
3322 * Skin::tocLineEnd was removed (deprecated since 1.21).
3323 * Skin::tocList was removed (deprecated since 1.21).
3324 * Skin::tocUnindent was removed (deprecated since 1.21).
3325 * Skin::tooltip was removed (deprecated since 1.21).
3326 * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
3327 * Skin::userTalkLink was removed (deprecated since 1.21).
3328 * Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
3329 * wikidiff3 is now the default and only PHP diff engine. It provides improved
3330 diff performance on complex changes. $wgExternalDiffEngine = 'wikidiff3'
3331 therefore makes no difference now. Users are still recommended to use
3332 wikidiff2 if possible, though.
3333 * User::addNewUserLogEntry() was deprecated.
3334 * User::addNewUserLogEntryAutoCreate() was deprecated.
3335 * User::isPasswordReminderThrottled() was deprecated.
3336 * Bot-oriented parameters to Special:UserLogin (wpCookieCheck,
3337 wpSkipCookieCheck) were removed.
3338 * Installer can now be customized without patching MediaWiki code, see
3339 mw-config/overrides/README for details.
3340
3341 === Compatibility ===
3342
3343 MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
3344 HHVM 3.6.5 or later.
3345
3346 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
3347 support for them is somewhat less mature. There is experimental support for
3348 Oracle and Microsoft SQL Server.
3349
3350 The supported versions are:
3351
3352 * MySQL 5.0.3 or later
3353 * PostgreSQL 8.3 or later
3354 * SQLite 3.3.7 or later
3355 * Oracle 9.0.1 or later
3356 * Microsoft SQL Server 2005 (9.00.1399)
3357
3358 === Upgrading ===
3359
3360 1.27 has several database changes since 1.26, and will not work without schema
3361 updates. Note that due to changes to some very large tables like the revision
3362 table, the schema update may take quite long (minutes on a medium sized site,
3363 many hours on a large site).
3364
3365 If upgrading from before 1.11, and you are using a wiki as a commons
3366 repository, make sure that it is updated as well. Otherwise, errors may arise
3367 due to database schema changes.
3368
3369 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
3370 new database fields are filled with data.
3371
3372 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
3373 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
3374 with MediaWiki 1.21.
3375
3376 Don't forget to always back up your database before upgrading!
3377
3378 See the file UPGRADE for more detailed upgrade instructions.
3379
3380 For notes on 1.26.x and older releases, see HISTORY.
3381
3382
3383 = MediaWiki 1.26 =
3384
3385 == MediaWiki 1.26.4 ==
3386
3387 This is a maintenance release of the MediaWiki 1.26 branch.
3388
3389 === Changes since 1.26.3 ===
3390 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
3391 made by MediaWiki via a proxy. Relying on the http_proxy environment
3392 variable is no longer supported.
3393 * (T124163) Fixed fatal error in DifferenceEngine under HHVM.
3394 * (T139565) SECURITY: API: Generate head items in the context of the given title
3395 * (T137264) SECURITY: XSS in unclosed internal links
3396 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
3397 * (T133147) SECURITY: Require login to preview user CSS pages
3398 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
3399 the top file
3400 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
3401 permissions
3402 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
3403 * (T115333) SECURITY: Check read permission when loading page content in
3404 ApiParse
3405 * Remove support for $wgWellFormedXml = false, all output is now well formed
3406
3407 == MediaWiki 1.26.3 ==
3408
3409 This is a maintenance release of the MediaWiki 1.26 branch.
3410
3411 === Changes since 1.26.2 ===
3412 * (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
3413 * (T123166) Fix fatal error when importing pages to titles which cannot be
3414 created, such as invalid titles or titles the user is not allowed to edit.
3415 * (T122056) Old tokens are remaining valid within a new session
3416 * (T127114) Login throttle can be tricked using non-canonicalized usernames
3417 * (T123653) Cross-domain policy regexp is too narrow
3418 * (T123071) Incorrectly identifying http link in a's href attributes, due to
3419 m modifier in regex
3420 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
3421 * (T125283) Users occasionally logged in as different users after
3422 SessionManager deployment
3423 * (T103239) Patrol allows click catching and patrolling of any page
3424 * (T122807) [tracking] Check php crypto primatives
3425 * (T98313) Graphs can leak tokens, leading to CSRF
3426 * (T130947) Diff generation should use PoolCounter
3427 * (T133507) Careless use of $wgExternalLinkTarget is insecure
3428 * (T132874) API action=move is not rate limited
3429 * (T110143) strip markers can be used to get around html attribute escaping in
3430 (many?) parser tags
3431 * (T116030) Increase pbkdf2 parameter strengths
3432 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
3433 * (T126685) Globally throttle password attempts
3434
3435 == MediaWiki 1.26.2 ==
3436
3437 This is a maintenance release of the MediaWiki 1.26 branch.
3438
3439 === Changes since 1.26.1 ===
3440 * (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
3441
3442 == MediaWiki 1.26.1 ==
3443
3444 This is a maintenance release of the MediaWiki 1.26 branch.
3445
3446 === Changes since 1.26.0 ===
3447 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3448 that do not begin with a slash. This enabled trivial XSS attacks.
3449 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3450 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3451 error.
3452 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3453 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3454 with '@' as file uploads
3455 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3456 longer be shorter than $wgMinimalPasswordLength
3457 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3458 result in improper blocks being issued
3459 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3460 and related pages no longer use HTTP redirects and are now redirected by
3461 MediaWiki
3462 * Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
3463 * Fixed stray literal \n in Special:Search.
3464 * Fix issue that breaks HHVM Repo Authorative mode.
3465 * (T120267) Work around APCu memory corruption bug
3466
3467 == MediaWiki 1.26.0 ==
3468
3469 === Configuration changes in 1.26 ===
3470 * $wgPasswordResetRoutes['email'] = true by default.
3471 * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
3472 instead if you want to disable the parser cache.
3473 * New-style continuation is now the default for API action=continue. Clients may
3474 use the 'rawcontinue' parameter to receive raw query-continue data, but the
3475 new style is encouraged as it's harder to implement incorrectly.
3476 * Deprecated API formats dump and wddx have been completely removed.
3477 * (T7645) The "Signature" button on the edit toolbar is now hidden by default
3478 in non-talk namespaces. A new configuration variable,
3479 $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
3480 the "Signature" button on the edit toolbar will be displayed.
3481 * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
3482 feature that was never enabled by default.
3483 * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
3484 This experimental feature was never enabled by default and is obsolete as of
3485 MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
3486 * $wgMasterWaitTimeout was removed (deprecated in 1.24).
3487 * Fields in ParserOptions are now private. Use the accessors instead.
3488 * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
3489 in extension.json) have been removed, after being deprecated in 1.24.
3490 * $wgAlwaysUseTidy has been removed.
3491 * ResetSessionID hook has been removed. Nothing seems to use it.
3492 * Certain AuthPlugin methods are deprecated in favor of new hooks:
3493 ** AuthPlugin::initUser() is replaced by LocalUserCreated.
3494 ** AuthPlugin::updateUser() is replaced by UserLoggedIn.
3495 ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
3496 ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
3497 ** AuthPluginUser::isHidden() is replaced by UserIsHidden.
3498 ** AuthPluginUser::isLocked() is replaced by UserIsLocked.
3499 * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
3500 * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
3501 the passed User object.
3502 * $wgBlockAllowsUTEdit is now set to true by default. This allows
3503 blocked users to edit their talk pages unless explicitly disabled
3504 when they are being blocked.
3505
3506 === New features in 1.26 ===
3507 * (T51506) Now action=info gives estimates of actual watchers for a page.
3508 See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
3509 to learn how to configure if needed.
3510 * Change tags can now be hidden in the interface by disabling the associated
3511 "tag-<id>" interface message.
3512 * ':' (colon) is now invalid in usernames for new accounts. Existing accounts
3513 are not affected.
3514 * Added a new hook, 'LogException', to log exceptions in nonstandard ways.
3515 * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
3516 search results are rendered. The initial use case is to append a "give us
3517 feedback" link beneath the search results.
3518 * Added a new hook, 'RejectParserCacheValue', which allows extensions to
3519 reject an otherwise-successful parser cache lookup. The intent is to allow
3520 extensions to manage the eviction of archaic HTML output from the cache.
3521 * (T68699) The expiration of the UserID and Token login cookies
3522 ($wgExtendedLoginCookieExpiration) can be configured independently of the
3523 expiration of all other cookies ($wgCookieExpiration).
3524 * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
3525 if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
3526 of WebP images still disabled by default. Add $wgFileExtensions[] =
3527 'webp'; to LocalSettings.php to enable uploading of WebP images.
3528 * Added new hooks 'EnhancedChangesListModifyLineData' &
3529 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
3530 lines in enhanced recentchanges and watchlist.
3531 * Caches that need purging ability now use the WANObjectCache interface.
3532 This corresponds to a new $wgMainWANCache setting, which defaults to using
3533 the $wgMainCacheType settings.
3534 * Callers needing fast light-weight data stores use $wgMainStash to select
3535 the store type from $wgObjectCaches. The default is the local database.
3536 * Interface message overrides in the MediaWiki namespace will now be cached in
3537 memcached and APC (if available), rather than memcached and local files.
3538 * Added a new hook, 'RandomPageQuery', to allow modification of the query used
3539 by Special:Random to select random pages.
3540 * $wgTransactionalTimeLimit was added, which controls the request time limit
3541 for potentially slow POST requests that need to be as atomic as possible.
3542 * ResourceLoader now loads all scripts asynchronously. The top-queue and
3543 startup modules are no longer synchronously loaded.
3544 * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
3545 page. During the deprecation period, the styles will only be loaded on pages
3546 which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
3547 only be loaded if explicitly required.
3548 * If search returns zero results and current search engine has a "did you mean"
3549 suggestion, results for suggestion will be shown. Can be disabled by setting
3550 $wgSearchRunSuggestedQuery to false.
3551 * Added several JavaScript libraries for uploading files to MediaWiki
3552 from the client-side. See documentation for mw.Upload and its
3553 subclasses for more information.
3554 * Added OOUI dialogs and layout for file upload interfaces. See
3555 documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
3556 subclasses for more information.
3557
3558 === extension.json changes in 1.26 ===
3559 * (T99344) The extension.json schema is now versioned. All extensions
3560 and skins should set a "manifest_version" property corresponding to
3561 the schema version they were written for. The only supported version
3562 currently is "1".
3563 * (T102523) The error message if a non-array attribute is set was improved.
3564 * (T107646) Configuration settings can now specify how they should be merged,
3565 which is necessary for arrays using integer keys.
3566 * (T110389) Adding namespaces through extension.json now actually works
3567 * $wgNamespaceProtection can now be set in extension.json.
3568 * $wgCapitalLinkOverrides can now be set in extension.json.
3569 * (T97186) Extensions using a custom prefix for their configuration settings
3570 can now set a "_prefix" key to override the default of "wg".
3571 * (T99084) Extensions can now specify what MediaWiki core versions they
3572 depend upon.
3573 * (T105236) The extension.json schema now validates custom classes in
3574 the "ResourceModules" property properly.
3575
3576 === External library changes in 1.26 ===
3577 ==== Upgraded external libraries ====
3578 * Updated es5-shim from v4.0.0 to v4.1.5.
3579 * Updated json2 from revision 2014-02-04 to 2015-05-03.
3580 * Updated Sinon.JS from 1.10.3 to 1.15.4.
3581 * Updated jQuery Client from v1.0.0 to v2.0.0.
3582 * Updated QUnit from v1.17.1 to v1.18.0.
3583 * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
3584 * Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
3585 * Updated wikimedia/cdb from v1.0.1 to v1.3.0.
3586 * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
3587 * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
3588 * Updated zordius/lightncandy from v0.18 to v0.21.
3589
3590 ==== New external libraries ====
3591 * Added composer/semver v1.0.0.
3592 * Added mediawiki/at-ease v1.1.0.
3593 * Added wikimedia/assert v0.2.2.
3594 * Added wikimedia/ip-set v1.0.1.
3595 * Added wikimedia/wrappedstring v2.0.0.
3596
3597 ==== Removed and replaced external libraries ====
3598 * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
3599
3600 === Bug fixes in 1.26 ===
3601 * (T53283) load.php sometimes sends 304 response without full headers
3602 * (T65198) Talk page tabs now have a "rel=discussion" attribute
3603 * (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
3604 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
3605 value if set to an empty string.
3606
3607 === Action API changes in 1.26 ===
3608 * New-style continuation is now the default for action=continue. Clients may
3609 use the 'rawcontinue' parameter to receive raw query-continue data, but the
3610 new style is encouraged as it's harder to implement incorrectly.
3611 * Deprecated API formats dump and wddx have been completely removed.
3612 * API action=query&list=tags: The displayname can now be boolean false if the
3613 tag is meant to be hidden from user interfaces.
3614 * action=import no longer allows both the namespace= and rootpage= parameters
3615 to be set. If they are both set, the value of rootpage= will be ignored.
3616 * prop=revision output in enum mode is now sorted by timestamp rather than
3617 revision ID. This usually won't make any difference.
3618 * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
3619 with formatversion=2.
3620 * Various other output from meta=siteinfo will now always be arrays instead of
3621 sometimes being numerically-indexed objects with formatversion=2.
3622 * When errors about users being blocked are returned, they now include
3623 information about the relevant block.
3624 * (T99926) list=random has higher limits, in line with other API modules.
3625 * list=random's rnredirect parameter is deprecated in favor of a new
3626 rnfilterredir parameter that also allows for listing both redirects and
3627 non-redirects.
3628 * list=random now supports continuation.
3629 * API responses to GET requests may now include ETag and Last-Modified headers,
3630 and will honor corresponding If-None-Match and If-Modified-Since on such
3631 requests.
3632
3633 === Action API internal changes in 1.26 ===
3634 * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
3635 into the value when the value is an assoc.
3636 * API action modules may now provide values for the RFC 7232 ETag and
3637 Last-Modified headers. The API will check these against If-None-Match and
3638 If-Modified-Since request headers on GET requests and avoid executing the
3639 module when appropriate.
3640
3641 === Languages updated in 1.26 ===
3642
3643 MediaWiki supports over 350 languages. Many localisations are updated
3644 regularly. Below only new and removed languages are listed, as well as
3645 changes to languages because of Phabricator reports.
3646
3647 * Languages added:
3648 ** ase (American sign language), thanks to translator Icemandeaf
3649 ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
3650 मेश सिंह बोहरा, and राम प्रसाद जोशी
3651 ** luz (لئری دوٙمینی / Southern Luri)
3652 ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin
3653 Natoi, Ilja.mos, and Mashoi7
3654
3655 === Other changes in 1.26 ===
3656 * ChangeTags::tagDescription() will return false if the interface message
3657 for the tag is disabled.
3658 * Added PageHistoryPager::doBatchLookups hook.
3659 * Added $wikiId parameter to FormatAutocomments hook.
3660 * Added ParserCacheSaveComplete to ParserCache
3661 * supportsDirectEditing and supportsDirectApiEditing methods added to
3662 ContentHandler, to provide a way for ApiEditPage and EditPage to check
3663 if direct editing of content is allowed. These methods return false,
3664 by default for the ContentHandler base class and true for TextContentHandler
3665 and it's derivative classes (everything in core). For Content types that
3666 do not support direct editing, an alternative mechanism should be provided
3667 for editing, such as action overrides or specific api modules.
3668 * mediaWiki.confirmCloseWindow now returns an object of functions, instead of
3669 one function. The callback can't be called directly any more. The callback
3670 function is replaced with confirmCloseWindow.release().
3671 * BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
3672 ResourceLoaderModule::getDependencies(). Extension classes that override that
3673 method should be updated. If they aren't updated, PHP Strict standards
3674 warnings will appear when E_STRICT error reporting is enabled. Note: in the
3675 near future, this parameter will probably become non-optional.
3676 * Removed maintenance script deleteImageMemcached.php.
3677 * MWFunction::newObj() was removed (deprecated in 1.25).
3678 ObjectFactory::getObjectFromSpec() should be used instead.
3679 * The parser will no longer randomize the string it uses to mark the place of
3680 items that were stripped during parsing. It will use a fixed string instead.
3681 This causes the parser to re-use the regular expressions it uses to search
3682 and replace markers rather than generate novel expressions on each parse.
3683 Re-using regular expressions will improve performance on HHVM and the
3684 forthcoming PHP 7. The interfaces changes accompanying this change are:
3685 - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
3686 - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
3687 $prefix argument for StripState::_construct() are deprecated and their
3688 value is ignored.
3689 * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate
3690 library, mediawiki/at-ease, and are now deprecated. Callers should use
3691 MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
3692 * The Block class constructor now takes an associative array of parameters
3693 instead of many optional positional arguments. Calling the constructor the old
3694 way will issue a deprecation warning.
3695 * The jquery.mwExtension module was deprecated.
3696 * $wgSpecialPageGroups was removed (deprecated in 1.21).
3697 * SpecialPageFactory::setGroup was removed (deprecated in 1.21).
3698 * SpecialPageFactory::getGroup was removed (deprecated in 1.21).
3699 * DatabaseBase::ignoreErrors() is now protected.
3700 * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
3701 a lengthy deprecation period.
3702 * The ScopedPHPTimeout class was removed.
3703 * Removed maintenance script fixSlaveDesync.php.
3704 * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
3705 are deprecated. Applications using those can work via the OAuth
3706 extension instead. New tokens types should not be added.
3707 * DatabaseBase::errorCount() was removed (unused).
3708 * $wgDeferredUpdateList was removed.
3709 * DeferredUpdates::addHTMLCacheUpdate() was removed.
3710
3711 = MediaWiki 1.25 =
3712
3713 == MediaWiki 1.25.6 ==
3714
3715 This is a maintenance release of the MediaWiki 1.25 branch.
3716
3717 === Changes since 1.25.5 ===
3718 * (T123166) Fix fatal error when importing pages to titles which cannot be
3719 created, such as invalid titles or titles the user is not allowed to edit.
3720 * (T122056) Old tokens are remaining valid within a new session
3721 * (T127114) Login throttle can be tricked using non-canonicalized usernames
3722 * (T123653) Cross-domain policy regexp is too narrow
3723 * (T123071) Incorrectly identifying http link in a's href attributes, due to
3724 m modifier in regex
3725 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
3726 * (T125283) Users occasionally logged in as different users after
3727 SessionManager deployment
3728 * (T103239) Patrol allows click catching and patrolling of any page
3729 * (T122807) [tracking] Check php crypto primatives
3730 * (T98313) Graphs can leak tokens, leading to CSRF
3731 * (T130947) Diff generation should use PoolCounter
3732 * (T133507) Careless use of $wgExternalLinkTarget is insecure
3733 * (T132874) API action=move is not rate limited
3734 * (T110143) strip markers can be used to get around html attribute escaping in
3735 (many?) parser tags
3736 * (T116030) Increase pbkdf2 parameter strengths
3737 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
3738 * (T126685) Globally throttle password attempts
3739
3740 == MediaWiki 1.25.5 ==
3741
3742 This is a maintenance release of the MediaWiki 1.25 branch.
3743
3744 === Changes since 1.25.4 ===
3745 * (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
3746
3747 == MediaWiki 1.25.4 ==
3748
3749 This is a security and maintenance release of the MediaWiki 1.25 branch.
3750
3751 === Changes since 1.25.3 ===
3752 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3753 that do not begin with a slash. This enabled trivial XSS attacks.
3754 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3755 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3756 error.
3757 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3758 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3759 with '@' as file uploads
3760 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3761 longer be shorter than $wgMinimalPasswordLength
3762 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3763 result in improper blocks being issued
3764 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3765 and related pages no longer use HTTP redirects and are now redirected by
3766 MediaWiki
3767 * (T103237) $wgUseGzip had no effect when using file cache.
3768 * (T114606) mw.notify was not correctly fixed to the page if
3769 initialized while not at the top of the page.
3770 * Fix issue that breaks HHVM Repo Authorative mode.
3771
3772 == MediaWiki 1.25.3 ==
3773
3774 This is a security and maintenance release of the MediaWiki 1.25 branch.
3775
3776 === Changes since 1.25.2 ===
3777
3778 * (T98975) Fix having multiple callbacks for a single hook.
3779 * (T107632) maintenance/refreshLinks.php did not always remove all links
3780 pointing to nonexistent pages.
3781 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
3782 value if set to an empty string.
3783 * (T62174) Provide fallbacks for use of mb_convert_encoding() in
3784 HtmlFormatter. It was causing an error when accessing the api help page
3785 if the mbstring PHP extension was not installed.
3786 * (T105896) Confirmation emails would sometimes contain invalid codes.
3787 * (T105597) Fixed edit stash inclusion queries.
3788 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
3789 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
3790 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
3791 first
3792 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
3793
3794 == MediaWiki 1.25.2 ==
3795
3796 This is a security and maintenance release of the MediaWiki 1.25 branch.
3797
3798 === Changes since 1.25.1 ===
3799
3800 * (T94116) SECURITY: Compare API watchlist token in constant time
3801 * (T97391) SECURITY: Escape error message strings in thumb.php
3802 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
3803 Special:DeletedContributions
3804 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
3805 policy of Wikimedia Commons.
3806 * (T100767) Setting a configuration setting for skin or extension to
3807 false in LocalSettings.php was not working.
3808 * (T100635) API action=opensearch json output no longer breaks when
3809 $wgDebugToolbar is enabled.
3810 * (T102522) Using an extension.json or skin.json file which has
3811 a "manifest_version" property for 1.26 compatability will no longer
3812 trigger warnings.
3813 * (T86156) Running updateSearchIndex.php will not throw an error as
3814 page_restrictions has been added to the locked table list.
3815 * Special:Version would throw notices if using SVN due to an incorrectly
3816 named variable. Add an additional check that an index is defined.
3817
3818 == MediaWiki 1.25.1 ==
3819
3820 This is a bug fix release of the MediaWiki 1.25 branch.
3821
3822 === Changes since 1.25 ===
3823 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
3824
3825 == MediaWiki 1.25.0 ==
3826
3827 === Configuration changes in 1.25 ===
3828 * $wgPageShowWatchingUsers was removed.
3829 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
3830 * $wgAntiLockFlags was removed.
3831 * $wgJavaScriptTestConfig was removed.
3832 * Edit tokens returned from User::getEditToken may change on every call. Token
3833 validity must be checked by passing the user-supplied token to
3834 User::matchEditToken rather than by testing for equality with a
3835 newly-generated token.
3836 * (T74951) The UserGetLanguageObject hook may be passed any IContextSource
3837 for its $context parameter. Formerly it was documented as receiving a
3838 RequestContext specifically.
3839 * Profiling was restructured and $wgProfiler now requires an 'output' parameter.
3840 See StartProfiler.sample for details.
3841 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
3842 might be a flash policy directive configurable.
3843 * ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
3844 longer be used. If extracts and page images are desired, the TextExtracts and
3845 PageImages extensions are required.
3846 * $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
3847 * Edits are now prepared via AJAX as users type edit summaries. This behavior
3848 can be disabled via $wgAjaxEditStash.
3849 * (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
3850 with the jQuery Migrate library, as indicated when this option was provided in
3851 MediaWiki 1.24.
3852 * ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
3853 StartProfiler.php config is updated to reflect this. Xhprof is available
3854 for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
3855 * Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
3856 rather than 'rsvg'.
3857 * Default value of $wgSVGConverters['ImageMagick'] now uses transparent
3858 background with white fallback color, rather than just white background.
3859 * MediaWikiBagOStuff class removed, make sure any object cache config
3860 uses SqlBagOStuff instead.
3861 * The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
3862 job queues. This means that mediawiki/services/jobrunner service has to
3863 be installed and running for any such queues to work.
3864 * $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
3865 compatibility, any 'view' event triggers will still trigger on 'edit'.
3866 * $wgExtensionDirectory was added for when your extensions directory is
3867 somewhere other than $IP/extensions (as $wgStyleDirectory does with the skins
3868 directory).
3869
3870 === New features in 1.25 ===
3871 * (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
3872 for plural forms in Russian, Prussian, Tagalog, Manx and several languages
3873 that fall back to Russian.
3874 * (T60139) ResourceLoaderFileModule now supports language fallback
3875 for 'languageScripts'.
3876 * Added a new hook, "ContentAlterParserOutput", to allow extensions to modify
3877 the parser output for a content object before links update.
3878 * (T37785) Enhanced recent changes and extended watchlist are now default.
3879 Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
3880 and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions
3881 * (T69341) SVG images will no longer be base64-encoded when being embedded
3882 in CSS. This results in slight size increase before gzip compression (due to
3883 percent-encoding), but up to 20% decrease after it.
3884 * Update jStorage to v0.4.12.
3885 * MediaWiki now natively supports page status indicators: icons (or short text
3886 snippets) usually displayed in the top-right corner of the page. They have
3887 been in use on Wikipedia for a long time, implemented using templates and CSS
3888 absolute positioning.
3889 - Basic wikitext syntax:
3890 <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
3891 - Usage instructions:
3892 https://www.mediawiki.org/wiki/Help:Page_status_indicators
3893 - Adjusting custom skins to support indicators:
3894 https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
3895 * Edit tokens may now be time-limited: passing a maximum age to
3896 User::matchEditToken will reject any older tokens.
3897 * The debug logging internals have been overhauled, and are now using the
3898 PSR-3 interfaces.
3899 * Update CSSJanus to v1.1.1.
3900 * Update lessphp to v0.5.0.
3901 * Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
3902 and images for ApiOpenSearch output. The semantics are identical to the
3903 "OpenSearchXml" hook provided by the OpenSearchXml extension.
3904 * PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
3905 this allows for pagination of prefix results. Extensions using this hook
3906 should implement supporting behavior. Not doing so can result in undefined
3907 behavior from API clients trying to continue through prefix results.
3908 * Update jQuery from v1.11.1 to v1.11.3.
3909 * External libraries installed via composer will now be displayed
3910 on Special:Version in their own section. Extensions or skins that are
3911 installed via composer will not be shown in this section as it is assumed
3912 they will add the proper credits to the skins or extensions section. They
3913 can also be accessed through the API via the new siprop=libraries to
3914 ApiQuerySiteInfo.
3915 * Update QUnit from v1.14.0 to v1.16.0.
3916 * Update Moment.js from v2.8.3 to v2.8.4.
3917 * Special:Tags now allows for manipulating the list of user-modifiable change
3918 tags.
3919 * Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
3920 and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
3921 tags.
3922 * Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
3923 "active" formerly conflated by the 'ListDefinedTags' hook.
3924 * Added TemplateParser class that provides a server-side interface to cachable
3925 dynamically-compiled Mustache templates (currently uses lightncandy library).
3926 * Clickable anchors for each section heading in the content are now generated
3927 and appear in the gutter on hovering over the heading.
3928 * Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink'
3929 hooks to allow extensions to override how links to pages are rendered within
3930 NS_CATEGORY
3931 * (T19665) Special:WantedPages only lists page which having at least one red
3932 link pointing to it.
3933 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
3934 used for conditional registration of API modules.
3935 * New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
3936 links of a group of changes in EnhancedChangesList.
3937 * A full interface for StatsD metric reporting has been added to the context
3938 interface, reachable via IContextSource::getStats().
3939 * Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
3940 proper, published library, which is now tagged as v1.0.0.
3941 * A new message (defaulting to blank), 'editnotice-notext', can be shown to
3942 users when they are editing if no edit notices apply to the page being edited.
3943 * (T94536) You can now make the sitenotice appear to logged-in users only by
3944 editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
3945 "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
3946 * Modifying the tagging of a revision or log entry is now available via
3947 Special:EditTags, generally accessed via the revision-deletion-like interface
3948 on history pages and Special:Log is likely to be more useful.
3949 * Added 'applychangetags' and 'changetags' user rights.
3950 * (T35235) LogFormatter subclasses are now responsible for formatting the
3951 parameters for API log event output. Extensions should implement the new
3952 getParametersForApi() method in their log formatters.
3953
3954 ==== External libraries ====
3955 * MediaWiki now requires certain external libraries to be installed. In the past
3956 these were bundled inside the Git repository of MediaWiki core, but now they
3957 need to be installed separately. For users using the tarball, this will be
3958 taken care of and no action will be required. Users using Git will either need
3959 to use composer to fetch dependencies or use the mediawiki/vendor repository
3960 which includes all dependencies for MediaWiki core and ones used in Wikimedia
3961 deployment. Detailed instructions can be found at:
3962 https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
3963 * The following libraries are now required:
3964 ** psr/log
3965 This library provides the interfaces set by the PSR-3 standard
3966 (http://www.php-fig.org/psr/psr-3/) which are used by MediaWiki internally
3967 via the MediaWiki\Logger\LoggerFactory class.
3968 See the structured logging RfC
3969 <https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging>
3970 for more background information.
3971 ** cssjanus/cssjanus
3972 This library was formerly bundled with MediaWiki core and has been removed.
3973 It automatically flips CSS for RTL support.
3974 ** leafo/lessphp
3975 This library was formerly bundled with MediaWiki core and has been removed.
3976 It compiles LESS files into CSS.
3977 ** wikimedia/cdb
3978 This library was formerly a part of MediaWiki core, and has been moved into a
3979 separate library. It provides CDB functions which are used in the Interwiki
3980 and Localization caches. More information about the library can be found at
3981 https://www.mediawiki.org/wiki/CDB.
3982 ** liuggio/statsd-php-client
3983 This library provides a StatsD client API for logging application metrics to
3984 a remote server.
3985
3986 === Bug fixes in 1.25 ===
3987 * (T73003) No additional code will be generated to try to load CSS-embedded
3988 SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
3989 * (T69021) On Special:BookSources, corrected validation of ISBNs (both
3990 10- and 13-digit forms) containing "X".
3991 * Page moving was refactored into a MovePage class. As part of that:
3992 ** The AbortMove hook was removed.
3993 ** MovePageIsValidMove is for extensions to specify whether a page
3994 cannot be moved for technical reasons, and should not be overridden.
3995 ** MovePageCheckPermissions is for checking whether the given user is
3996 allowed to make the move.
3997 ** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
3998 ** Title::moveTo() was deprecated. Use the MovePage class instead.
3999 ** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
4000 and MovePage::checkPermissions().
4001 * (T18530) Multiple autocomments are now formatted in an edit summary.
4002 * (T70361) Autocomments containing "/*" are parsed correctly.
4003 * The Special:WhatLinksHere page linked from 'Number of redirects to this page'
4004 on action=info about a file page does not list file links anymore.
4005 * (T78637) Search bar is not autofocused unless it is empty so that proper
4006 scrolling using arrow keys is possible.
4007 * (T50853) Database::makeList() modified to handle 'NULL' separately when
4008 building IN clause
4009 * (T85192) Captcha position modified in Usercreate template. As a result:
4010 ** extrafields parameter added to Usercreate.php to insert additional data
4011 ** 'extend' method added to QuickTemplate to append additional values to any
4012 field of data array
4013 * (T86974) Several Title methods now load from the database when necessary
4014 (instead of returning incorrect results) even when the page ID is known.
4015 * (T74070) Duplicate search for archived files on file upload now omits the
4016 extension.
4017 This requires the fa_sha1 field being populated.
4018 * Removed rel="archives" from the "View history" link, as it did not pass
4019 HTML validation.
4020 * $wgUseTidy is now set when parserTests are run with the tidy option to match
4021 output on wiki.
4022 * (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed
4023 to it.
4024 * (T72109) mediawiki.language should respect $wgTranslateNumerals in
4025 convertNumber().
4026
4027 === Action API changes in 1.25 ===
4028 * (T67403) XML tag highlighting is now only performed for formats
4029 "xmlfm" and "wddxfm".
4030 * action=paraminfo supports generalized submodules (modules=query+value),
4031 querymodules and formatmodules are deprecated
4032 * action=paraminfo no longer outputs descriptions and other help text by
4033 default. If needed, it may be requested using the new 'helpformat' parameter.
4034 * action=help has been completely rewritten, and outputs help in HTML
4035 rather than plain text.
4036 * Hitting api.php without specifying an action now displays only the help for
4037 the main module, with links to submodule help.
4038 * API help is no longer displayed on errors.
4039 * 'uselang' is now a recognized API parameter; "uselang=user" may be used to
4040 explicitly select the language from the current user's preferences, and
4041 "uselang=content" may be used to select the wiki's content language.
4042 * Default output format for the API is now jsonfm.
4043 * Simplified continuation will return a "batchcomplete" property in the result
4044 when a batch of pages is complete.
4045 * Pretty-printed HTML output now has nicer formatting and (if available)
4046 better syntax highlighting.
4047 * Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
4048 list=alldeletedrevisions.
4049 * prop=revisions will gracefully continue when given too many revids or titles,
4050 rather than just ignoring the extras.
4051 * prop=revisions will no longer die if rvcontentformat doesn't match a
4052 revision's content model; it will instead warn and omit the content.
4053 * If the user has the 'deletedhistory' right, action=query's revids parameter
4054 will now recognize deleted revids.
4055 * prop=revisions may be used as a generator, generating revids.
4056 * (T68776) format=json results will no longer be corrupted when
4057 $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
4058 error instead of returning invalid serialized data.
4059 * Generators may now return data for the generated pages when used with
4060 action=query.
4061 * Query page data for generator=search and generator=prefixsearch will now
4062 include an "index" field, which may be used by the client for sorting the
4063 search results.
4064 * ApiOpenSearch now supports XML output.
4065 * ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
4066 in JSON format.
4067 * (T76051) list=tags will now continue correctly.
4068 * (T76052) list=tags can now indicate whether a tag is defined.
4069 * (T75522) list=prefixsearch now supports continuation
4070 * (T78737) action=expandtemplates can now return page properties.
4071 * (T78690) list=allimages now accepts multiple pipe-separated values
4072 for the 'aimime' parameter.
4073 * prop=info with inprop=protections will now return applicable protection types
4074 with the 'restrictiontypes' key.
4075 * (T85417) When resolving redirects, ApiPageSet will now add the targets of
4076 interwiki redirects to the list of interwiki titles.
4077 * (T85417) When outputting the list of redirect titles, a 'tointerwiki'
4078 property (like the existing 'tofragment' property) will be set.
4079 * Added action=managetags to allow for managing the list of
4080 user-modifiable change tags. Actually modifying the tagging of a revision or
4081 log entry is not implemented yet.
4082 * list=tags has additional properties to indicate 'active' status and tag