426eb17b90cc3c3d00ac35f50961db3addf93111
[lhc/web/wiklou.git] / HISTORY
1 Change notes from older releases. For current info see RELEASE-NOTES-1.34.
2
3 = MediaWiki 1.32 =
4
5 == MediaWiki 1.32.1 ==
6
7 === Changes since MediaWiki 1.32.0 ===
8 * (T213577) rdbms: avoid transaction status errors from ping() in rollback().
9 * rdbms: Pass required parameter.
10 * rdbms: do not treat SAVEPOINT and RELEASE SAVEPOINT as write queries.
11 * (T204531) rdbms: reduce LoadBalancer replication log spam.
12 * (T213489) Avoid session double-start in Setup.php.
13 * (T213717) Correct namespace 'Template' for gom-deva
14 * (T198054) Fix login page crash caused by unknown language via ?uselang
15 * (T215324) (T210937) list=users mistakenly reports user as missing.
16 * (T209483) Add ILBFactory::redefineLocalDomain method. This is intended for
17 use with scripts like addWiki.php to avoid mismatched domain errors.
18 * (T208871) The hard-coded Google search form on the database error page was
19 removed.
20 * (T204800) Fix Title::getFragmentForURL for bad interwiki prefix
21 * (T215566) Fix installer being unable to determine if the database exists
22 during a fresh installation.
23
24 == MediaWiki 1.32.0 ==
25
26 === Changes since MediaWiki 1.32.0-rc.2 ===
27 * (T188327) Fix slow queries in migrateActors.php.
28 * (T102320) Fix $magicWords for the Sanskrit language.
29
30 === Changes since MediaWiki 1.32.0-rc.1 ===
31 * Fix addition of ug_expiry column to user_groups table on MSSQL.
32 * (T210307) Fix the cache timestamp for forced updates.
33 * (T210621) User: Bypass repeatable-read when creating an actor_id.
34 * (T197535) Extensions can now specify PHP versions and PHP extensions they
35 depend on.
36 * Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
37 * (T212356) When using action=delete on pages with many revisions, the module
38 may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
39 deletion will be processed via the job queue.
40 * (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
41 recentchanges.rc_cur_time from the PostgreSQL schema.
42
43 === Changes since MediaWiki 1.32.0-rc.0 ===
44 * (T209885) Prevent populateSearchIndex.php from breaking once actor migration
45 has been started.
46 * (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
47 if --lang is used with the command-line installer (install.php).
48
49 === Configuration changes in 1.32 ===
50
51 ==== New configuration ====
52 * $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
53 this setting. The default is 80, which matches the quality of JPEG thumbnails
54 previously generated by ImageMagick. The quality of JPEG thumbnails generated
55 by GD was previously 95, but now uses the $wgJpegQuality setting as well.
56 * $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
57 user is blocked. Doing so means that a blocked user, even after moving to a
58 new IP address, will still be blocked.
59 * $wgRawHtmlMessages – This new configuration setting is added for listing
60 messages which are displayed as raw HTML.
61 * $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
62 "Content Security Policy" for your wiki. This adds a defense-in-depth feature
63 to stop an attacker who has found a bug in the parser allowing them to insert
64 malicious attributes. Disabled by default. (T135963)
65 * $wgGroupPermissions – A new user group, 'interface-admin', is added for
66 controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
67 other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
68 by default.
69 * $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
70 granting the above rights.
71 * $wgDBDefaultGroup – A default database group for use by maintenance scripts.
72 * $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
73 enable client-side profiling of JavaScript modules; it is off by default.
74 * (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
75 setting allows sysadmins to gradually migrate the database table schema for
76 how change tags are stored.
77 * (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
78 allows sysadmins to enable the caching of Special:Tags via the new
79 change_tag_def table.
80
81 ==== Changed configuration ====
82 * $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
83 * $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
84 been increased from 3 to 7 days. (T194414)
85 * $wgGroupPermissions – The right to edit sitewide Javascript
86 (e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
87 and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
88 'editinterface' is still necessary to edit such pages.
89 * $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
90 old and the new schema, but reading the new schema, so Multi-Content Revisions
91 (MCR) are now functional per default. The new default value of the setting is
92 SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
93 * $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
94 MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
95 SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
96 for intermediate stages of migration.
97 * $wgDBTableOptions – The default table options now use the binary charset. The
98 default was already overridden in the installer-generated LocalSettings.php,
99 and so is always set to binary after the installer UI option was removed. The
100 default value is only used when the installer installs an extension.
101 * $wgPopularPasswordFile — The location of the default popular passwords file
102 has been moved to be in line with other non-PHP files used by libraries and
103 classes.
104 * $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
105 potential privacy leaks by administrators. You can check
106 "MediaWiki:External image whitelist" on your wiki to see whether the feature
107 was ever used, and whether it needs to be re-enabled.
108
109 ==== Removed configuration ====
110 * $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
111 have been removed. (T115414)
112 * $wgSiteSupportPage – This setting, unused since 1.5, was removed.
113 * $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
114 * $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
115 The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
116 * $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
117 most extensions, is no longer set. Instead, you can modify the system
118 message `emailsender`.
119 * $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
120 were removed. RemexHtml, which is the default, should be used instead.
121 * (T181318) The $wgStyleVersion setting and its appendage to various script and
122 style URLs in OutputPage, deprecated in 1.31, was removed.
123 * (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
124 from ResourceLoader. Instead, use `@import` statements in LESS to import
125 files directly from nearby directories within the same project.
126 * (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
127 since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
128 the ResourceLoaderModule::getLessVars() method.
129 * $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
130 was removed.
131 * Two temporary variables for deploying the feature of filters on change lists,
132 $wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
133 $wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
134
135 === New features in 1.32 ===
136 * (T112474) Generalized the ResourceLoader mechanism for overriding modules
137 using a particular page during edit previews.
138 * (T12331) You can now log page creation events by setting $wgPageCreationLog
139 to true.
140 * Added 'ApiParseMakeOutputPage' hook.
141 * (T174313) Added checkbox on Special:ListUsers to display only users in
142 temporary user groups.
143 * (T152462) A cookie can now be set when an IP user is blocked to track that
144 user if they move to a new IP address. This is disabled by default.
145 * (T194950) Added 'ApiMaxLagInfo' hook.
146 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
147 reauthenticating.
148 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
149 getLoginSecurityLevel() returns non-false.
150 * The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
151 &$query and &$widthOption, allowing extensions even finer control over the
152 resulting HTML code.
153 * Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
154 if the [mark as patrolled] link should be shown at the footer of patrollable
155 pages.
156 * The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
157 is now passed by reference, allowing extensions to modify or even unset it.
158 * Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
159 modify the return value of OutputPage#getHeadLinksArray in order to add,
160 remove or otherwise alter the elements to be output in the page <head>.
161 * (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
162 additional links to the subtitle of a history page.
163 * The 'GetLinkColours' hook now receives an additional $title parameter,
164 the Title object of the page being parsed, on which the links will be shown.
165 * (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
166 render diffs between two Content objects, and DifferenceEngine::setRevisions()
167 to render diffs between two custom (potentially multi-content) revisions.
168 Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
169 * Added a temporary action=mcrundo to the web UI, as the normal undo logic
170 can't yet handle MCR and deadlines are forcing is to put off fixing that.
171 This action should be considered deprecated and should not be used directly.
172 * Extensions overriding ContentHandler::getUndoContent() will need to be
173 updated for the changed method signature.
174 * Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
175 from user. Unlike the 'UserGetRights' it will ensure that removed rights
176 will not be reinserted.
177 * (T197535) Extensions can now specify PHP versions and PHP extensions they
178 depend on.
179
180 === External library changes in 1.32 ===
181
182 ==== New external libraries ====
183 * Added pear/Net_SMTP v1.8.0.
184 * Added wikimedia/xmp-reader v0.6.0.
185
186 * Added cache/integration-tests v0.16.0 (dev-only).
187 * Added giorgiosironi/eris v0.10.0 (dev-only).
188 * Added seld/jsonlint v1.7.1 (dev-only).
189
190 * Added EasyDeflate (unversioned).
191
192 ==== Changed external libraries ====
193 * Updated OOUI from v0.26.3 to v0.29.2.
194 * Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
195 * Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
196 * Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
197 ** ScopedCallback objects can no longer be serialized.
198 * Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
199 * Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
200 * oyejorge/less.php replaced with our fork wikimedia/less.php
201 * Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
202
203 * Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
204 * Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
205 * Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
206
207 * Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
208 * Updated jquery from v3.2.1 to v3.3.1.
209 * Updated jquery.client from v2.0.0 to v2.0.1.
210 * Updated jquery.i18n from v1.0.4 to v1.0.5.
211 * Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
212 * Updated OOjs from v2.2.0 to v2.2.2.
213 * Updated qunitjs from v2.4.0 to v2.6.2.
214 * Updated sinonjs from v1.17.3 to v1.17.7.
215
216 ==== Removed external libraries ====
217 * pear/mail_mime-decode was removed.
218
219 === Bug fixes in 1.32 ===
220 * SpecialPage::execute() will now only call checkLoginSecurityLevel() if
221 getLoginSecurityLevel() returns non-false.
222 * (T43720, T46197) Improved page display title handling for category pages
223 * (T65080) Fixed resetting options of some types via API action=options.
224
225 === Action API changes in 1.32 ===
226 * Added templated parameters.
227 * A module can define a templated parameter like "{fruit}-quantity", where
228 the actual parameters recognized correspond to the values of a multi-valued
229 parameter. Then clients can make requests like
230 "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
231 * action=paraminfo will return templated parameter definitions separately
232 from normal parameters. All parameter definitions now include an "index"
233 key to allow clients to maintain parameter ordering when merging normal and
234 templated parameters.
235 * It is now an error to submit too many values for a multi-valued parameter.
236 This has generated a warning since MediaWiki 1.14.
237 * Assertion failures from the 'assert' and 'assertuser' parameters will no
238 longer use the action module's custom response format, for the few modules
239 that use custom formatters that handle errors.
240 * (T198935) User list preferences such as `email-blacklist` and similar
241 extension preferences are no longer represented as arrays when returned by
242 action=query&meta=userinfo&uiprop=options.
243 * 'missingparam' errors will now use the prefixed parameter name in the code
244 and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
245 than "nofoo" and "The 'foo' parameter must be set".
246 * action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
247 multi-content revision slots for which content should be returned. It also
248 has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
249 warning will be issued if rvprop=content or rvprop=contentmodel are used
250 without rvslots.
251 * The rvcontentformat parameter to action=query&prop=revisions has been
252 deprecated. Clients should be prepared to deal with the default format for
253 relevant models.
254 * Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
255 rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
256 rvprop=parsetree is forbidden with the new 'rvslots' parameter.
257 * action=query&prop=deletedrevisions, action=query&list=allrevisions, and
258 action=query&list=alldeletedrevisions are changed similarly to
259 &prop=revisions (see the three previous items).
260 * (T174032) action=compare now supports multi-content revisions.
261 * It has a 'slots' parameter to select diffing of individual slots. The
262 default behavior is to return one combined diff.
263 * The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
264 'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
265 are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
266 slots have text supplied and the corresponding templated parameters for
267 each slot.
268 * The behavior of 'fromsection' and 'tosection' of extracting one section's
269 content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
270 instead expand the given text as if for a section edit. This effectively
271 declines T183823 in favor of T185723.
272 * (T198214) The 'disabletidy' parameter to action=parse has been
273 deprecated; untidy output will not be supported by future wikitext
274 parsers.
275 * Added intestactionsdetail to action=query&prop=info to allow retrieving the
276 reasons an action is not allowed.
277 * Deprecated action=query&prop=info inprop=readable in favor of
278 intestactions=read.
279 * (T212356) When using action=delete on pages with many revisions, the module
280 may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
281 deletion will be processed via the job queue.
282
283 === Action API internal changes in 1.32 ===
284 * Added 'ApiParseMakeOutputPage' hook.
285 * Parameter names may no longer contain '{' or '}', as these are now used for
286 templated parameters.
287 * (T194950) Added 'ApiMaxLagInfo' hook.
288 * The following methods now take a RevisionRecord rather than a Revision. No
289 external callers are known.
290 * ApiFeedContributions::feedItemAuthor()
291 * ApiFeedContributions::feedItemDesc()
292 * ApiQueryRevisionsBase::extractRevisionInfo()
293 * The following deprecated methods have been removed:
294 * ApiBase::profileIn() (deprecated in 1.25)
295 * ApiBase::profileOut() (deprecated in 1.25)
296 * ApiBase::safeProfileOut() (deprecated in 1.25)
297 * ApiBase::profileDBIn() (deprecated in 1.25)
298 * ApiBase::profileDBOut() (deprecated in 1.25)
299 * ApiBase::dieUsage() (deprecated in 1.29)
300 * ApiBase::dieUsageMsg() (deprecated in 1.29)
301 * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
302 * ApiBase::getErrorFromStatus() (deprecated in 1.29)
303 * ApiBase::parseMsg() (deprecated in 1.29)
304 * ApiBase::setWarning() (deprecated in 1.29)
305 * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
306 * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
307 * ApiUsageException::getCodeString() (deprecated in 1.29)
308 * ApiUsageException::getMessageArray() (deprecated in 1.29)
309 * Class UsageException, deprecated in 1.29, has been removed.
310 * ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
311 can now easily test $formatter->getFormat() === 'bc', and then call
312 $formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
313
314 === Languages updated in 1.32 ===
315 MediaWiki supports over 350 languages. Many localisations are updated regularly.
316 Below only new and removed languages are listed, as well as changes to languages
317 because of Phabricator reports.
318
319 * (T193566) Added language support for Ambonese Malay (abs).
320 * (T194047) Added language support for Shawiya, Latin script (shy-latn).
321 * (T195940) Added language support for Batak Mandailing (btm).
322 * (T137491) Added language support for Standard Moroccan Amazigh (zgh).
323 * (T198132) Added language support for Manipuri (mni).
324 * (T201276) Added language support for Western Armenian (hyw).
325 * (T201583) Added language support for Mon (mnw).
326
327 === Breaking changes in 1.32 ===
328 * $wgRequestTime, deprecated in 1.25, was removed. Use
329 $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
330 * The MediaWikiI18N class, deprecated in 1.31, was removed.
331 * QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
332 Skin::msg() instead.
333 * wfInitShellLocale(), deprecated in 1.30, was removed.
334 * wfShellExecDisabled(), deprecated in 1.30, was removed.
335 * The type string for the parameter $lang of DateFormatter::getInstance,
336 deprecated in 1.31, was removed.
337 * The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
338 MediaWiki\Session\Token::SUFFIX instead.
339 * EditPage::isOouiEnabled() deprecated in 1.30, was removed.
340 * mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
341 instead.
342 * (T61113) The following methods and constants from the Revision class, which
343 were deprecated in 1.25, have now been removed:
344 * Revision::getRawUser()
345 * Revision::getRawUserText()
346 * Revision::getRawComment()
347 * window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
348 mw.msg() or mw.message() instead.
349 * mw.util.escapeId(), deprecated in 1.30, was removed. Use
350 mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
351 * mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
352 jquery.accessKeyLabel instead.
353 * The SqlDataUpdate class, deprecated in 1.28, has been removed.
354 * The Html5Internal and Html5Depurate tidy driver classes were removed, along
355 with the Balancer tidy implementation. Both implementations were experimental,
356 and were replaced by RemexHtml.
357 * (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
358 removed. Use JobQueueGroup::singleton()->push() instead.
359 * The jquery.footHovzer module, for mediawiki.debug, was removed.
360 * The es5-shim module, empty and deprecated since 1.29, was removed.
361 * the dom-level2-shim module, empty and deprecated since 1.29, was removed.
362 * the json module, empty and deprecated since 1.29, was removed.
363 * The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
364 removed. Use mediawiki.widgets.visibleLengthLimit instead.
365 * The jquery.farbtastic module, unused since 1.18, was removed.
366 * The 'jquery.expandableField' module, unused since 1.22, was removed.
367 * The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
368 any HTMLForm object rather than PreferencesForm.
369 * The non namespaced TimestampException class, deprecated in 1.29, was removed.
370 Use Wikimedia\Timestamp\TimestampException instead.
371 * The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
372 utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
373 The UtfNormal\Utils class from the utfnormal library should be used instead.
374 * The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
375 from the UtfNormal\Constants class from the utfnormal library should be used
376 * The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
377 only needed for PHP5 compatibility, have been removed. It now uses the boolean
378 values `true` and `false` respectively.
379 * The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
380 were removed. Use the ParserCache class instead.
381 * ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
382 instead.
383 * Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
384 deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
385 * (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
386 and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
387 is no longer loaded by default. The Vector and MonoBook skins have made a
388 minor change to implement the toggle feature with CSS instead. To restore
389 prior functionality, either explicitly load "jquery.mw-jump" in your skin
390 or refer to T195256 for details on how to make the same change.
391 * Hook 'EditPageBeforeEditChecks' was removed;
392 use 'EditPageGetCheckboxesDefinition' instead.
393 * Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
394 1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
395 * Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
396 been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
397 instead.
398 * mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
399 CapsuleMultiselectWidget. The following methods may no longer be used:
400 * setItemsFromData: Use setValue instead
401 * getItemsData: Use getItems instead and get the data property
402 * Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
403 removed. Use addLink() instead.
404 * Another two OutputPage methods, setPageTitleActionText() and
405 getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
406 ten years). Use setHTMLTitle() directly.
407 * The return value of OutputPage::adaptCdnTTL() has been removed. The
408 value returned was misleading and probably not what any caller would
409 have wanted.
410 * All MagicWord static member variables have been removed. Use appropriate
411 hooks or MagicWordFactory methods instead.
412 * MagicWord::clearCache() has been removed. Instead, create a new
413 MagicWordFactory, such as by calling
414 resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
415 * mw.util.init() has been removed. This function is not needed anymore and was
416 a no-op function since 1.30.
417 * SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
418 instead.
419 * MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
420 $wgProfiler and $wgEnableProfileInfo.
421 * The mw.loader.addSource() is now considered a private method, and no longer
422 supports the `id, url` signature. Use the `Object` parameter instead.
423 * The backwards-compatibility code in HTMLForm to add a drop-down control to an
424 option that is not set to be a drop-down if the "mw-chosen" class is present,
425 is now removed.
426 * Several collations were removed. They were workarounds for bugs in the ICU
427 library and they are no longer needed (as of ICU 57.1):
428 * 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
429 * 'xx-uca-et' (CollationEt) - use 'uca-et' instead
430 * 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
431 * LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
432 that some MediaWiki-specific language codes, such as `simple`, are mapped
433 into valid BCP 47 codes (eg `en-simple`).
434 * The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
435 in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
436 The ChangesListSpecialPage code for these legacy hooks, and their use in
437 SpecialRecentchanges.php and SpecialWatchlist, was also removed:
438 * ChangesListSpecialPage->getCustomFilters()
439 * ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
440 * ChangesListSpecialPage::customFilters
441 * The global function wfUseMW, deprecated since 1.26, has now been removed. Use
442 the "requires" property of static extension registration instead.
443 * $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
444 * The MailAddress constructor can no longer be called with a User object,
445 behaviour which has been deprecated since 1.24.
446 * LBFactory, deprecated since 1.28, has been removed. Instead, use
447 Wikimedia\Rdbms\LBFactory.
448 * The MimeMagic class, deprecated since 1.28 has been removed. Get a
449 MimeAnalyzer instance from MediaWikiServices instead.
450 * The '--tidy' option to maintenance/parse.php has been removed. Tidying
451 the output is now the default. Use '--no-tidy' to bypass the tidy
452 phase.
453 * The global function wfErrorLog, deprecated since 1.25, has now been removed.
454 Use MWLoggerLegacyLogger::emit or UDPTransport.
455 * The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
456 1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
457 ChangesListSpecialPageQuery.
458 * The global function wfUsePHP, deprecated since 1.30, has now been removed. To
459 assert a newer version of PHP than MediaWiki does, use extension registration.
460 * The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
461 removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
462 * DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
463 * File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
464 * The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
465 the hook 'SkinEditSectionLinks' instead.
466 * The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
467 * The global function wfRunHooks, deprecated since 1.25, has now been removed.
468 Use Hooks::run().
469 * The hook 'UnknownAction', deprecated since 1.19, has now been removed.
470 * The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
471 the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
472 * The following deprecated API methods have been removed:
473 * ApiBase::profileIn() (deprecated in 1.25)
474 * ApiBase::profileOut() (deprecated in 1.25)
475 * ApiBase::safeProfileOut() (deprecated in 1.25)
476 * ApiBase::profileDBIn() (deprecated in 1.25)
477 * ApiBase::profileDBOut() (deprecated in 1.25)
478 * ApiBase::dieUsage() (deprecated in 1.29)
479 * ApiBase::dieUsageMsg() (deprecated in 1.29)
480 * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
481 * ApiBase::getErrorFromStatus() (deprecated in 1.29)
482 * ApiBase::parseMsg() (deprecated in 1.29)
483 * ApiBase::setWarning() (deprecated in 1.29)
484 * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
485 * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
486 * ApiUsageException::getCodeString() (deprecated in 1.29)
487 * ApiUsageException::getMessageArray() (deprecated in 1.29)
488 * Class UsageException, deprecated in 1.29, has been removed.
489 * MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
490 old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
491 been removed, and instead sysadmins will be required to choose one (or more)
492 of the several extensions available for this purpose if they need the
493 functionality. The MediaWiki "tarball" releases have included the replacement
494 extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
495 for many years now. As part of this, several parts of MediaWiki have been
496 removed or simplified:
497 * The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
498 available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
499 hook, it will be shown; extensions should provide a specific user preference
500 to disable themselves as needed.
501 * The public methods Language::getImageFile() and ::getImageFiles(), and the
502 related specification of $imageFiles within individual languages' code file,
503 as well as the referenced static media assets, all of which were only used
504 inside MediaWiki itself for providing the icons for the old toolbar, have
505 been removed without explicit deprecation.
506 * The internal ResourceLoader module "mediawiki.toolbar", which is unused
507 except by MediaWiki itself and back-compatibility code, has been removed.
508 * The internal ResourceLoaderEditToolbarModule class has been removed.
509
510 === Deprecations in 1.32 ===
511 * HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
512 button is already marked as progressive.
513 * Skin::setupSkinUserCss() is deprecated. Adding of modules to load
514 has been centralised to Skin::getDefaultModules(), which is now capable
515 of queueing style modules as well.
516 * OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
517 deprecated. Use addModules() instead.
518 * Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
519 in extending classes is deprecated. Extend related doSearch* methods
520 instead.
521 * The following 'mediawiki.api' plugin modules were merged into mediawiki.api
522 and deprecated: mediawiki.api.category, mediawiki.api.edit,
523 mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
524 mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
525 mediawiki.api.messages, and mediawiki.api.rollback.
526 * ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
527 to use it.
528 * WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
529 with the 'unwatch' action parameter instead.
530 * IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
531 constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
532 * Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
533 * The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
534 * The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
535 of the namespaced classes provided by the wikimedia/xmp-reader library.
536 * SearchResultSet::{next,rewind} are deprecated. Calling code should
537 use foreach on the SearchResultSet, or the extractResults method. Extending
538 code should override extractResults.
539 * Instantiating SearchResultSet directly is deprecated. SearchEngine
540 implementations must subclass SearchResultSet for their purposes.
541 * SearchResult::setExtensionData argument has been changed from accepting an
542 array to accepting a Closure that returns the array when called.
543 * Class CryptRand, everything in MWCryptRand except generateHex() and function
544 MediaWikiServices::getInstance()->getCryptRand() are deprecated, use
545 random_bytes() to generate cryptographically secure random byte sequences.
546 * Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
547 instead.
548 * Language::markNoConversion() is deprecated. It confused readers because
549 it had unexpected behavior (only marking text if it looked like a URL)
550 and was only used in a single place in the code. Use
551 LanguageConverter::markNoConversion() instead.
552 * (T197492) Language::truncate() was soft deprecated in 1.31 and is
553 hard deprecated in this release. It has been split into two similar
554 methods, Language::truncateForVisual() and Language::truncateForDatabase(),
555 which measure length in characters and bytes, respectively. Use
556 Language::truncateForVisual() when possible to provide equity to users
557 of multibyte scripts.
558 * (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
559 context title is unset is now deprecated; anything creating an EditPage
560 instance should set the context title via ::setContextTitle().
561 * The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
562 * ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
563 are deprecated. These concepts are obsolete and have no replacement.
564 * String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
565 * The following methods of OutputPage are now deprecated in favour
566 of using showFatalError directly: OutputPage::showFileDeleteError()
567 OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
568 OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
569 * The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
570 classes are now deprecated. Use a Closure instead.
571 * (T194263) ContentHandler::makeParserOptions() is deprecated. Use
572 WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
573 * (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
574 MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
575 the Parsoid v3 API in May 2015.
576 * $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
577 $formDescriptor instead.
578 * SearchEngine::transformSearchTerm( $term ) should no longer be called prior
579 to running searchText. This method was mainly implemented to support the
580 'prefix' URI param in SpecialSearch, but there are no reasons to expose this
581 logic as it should be handled internally by SearchEngine implementations
582 supporting this feature. SearchEngine implementations should no longer
583 override this methods.
584 * SearchEngine::replacePrefixes( $query ) should no longer be called prior
585 to running searchText/searchTitle.
586 * (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
587 'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
588 * Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
589 use array_filter() directly.
590 * The $wgShowSQLErrors global is deprecated and nonfunctional.
591 Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
592 * The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
593 Set $wgShowExceptionDetails instead.
594 * Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
595 mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
596 mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
597 getOldRevision() / getNewRevision() for the first four (note that the
598 revision ones return a RevisionRecord, not a Revision), do your own lookup
599 for page/content.
600 * The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
601 just enable the PHP extension, and it will be autodetected.
602 * (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
603 setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
604 are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
605 subclass it to customize diff rendering); to diff custom (e.g. unsaved)
606 content, use setRevisions(). Subclassing DifferenceEngine should only be done
607 to customize page-level diff properties (such as the navigation header).
608 * The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
609 * All MagicWord static methods are now deprecated. Use the MagicWordFactory
610 methods instead.
611 * PasswordFactory::init is deprecated. To get a password factory with the
612 standard configuration, use
613 MediaWikiServices::getInstance()->getPasswordFactory.
614 * $wgContLang is deprecated, use
615 MediaWikiServices::getInstance()->getContentLanguage() instead.
616 * $wgParser is deprecated, use MediaWikiServices::getInstance()->getParser()
617 instead.
618 * wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
619 instead.
620 * wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
621 * All SpecialPageFactory static methods are deprecated. Instead, call the
622 methods on a SpecialPageFactory instance, which may be obtained from
623 MediaWikiServices.
624 * mw.user.stickyRandomId was renamed to the more explicit
625 mw.user.getPageviewToken to better capture its function.
626 * Passing Revision objects to ContentHandler::getUndoContent() is deprecated,
627 Content object should be passed instead.
628 * (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
629 previously used by OOUI HTMLForm fields, are now deprecated. Use
630 'help', 'help-message', 'help-messages' instead.
631 * (T197179) HTMLFormField::getNotices() is now deprecated.
632 * The jquery.localize module is now deprecated. Use jquery.i18n instead.
633 * The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
634 or overriding ContentHandler::getSecondaryDataUpdates (T194038).
635 * The WikiPageDeletionUpdates hook was deprecated in favor of
636 PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
637 (T194038).
638 * Content::getSecondaryDataUpdates has been deprecated in favor of
639 ContentHandler::getSecondaryDataUpdates() for overriding by extensions
640 (T194038).
641 Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
642 * Content::getDeletionUpdates has been deprecated in favor of
643 ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
644 Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
645 * (T198214) Old Tidy-related configuration settings, which were soft-deprecated
646 in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
647 $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
648 $wgTidyConfig instead.
649 * All Tidy configurations other than Remex have been hard deprecated;
650 future parsers will not emit compatible output for these configurations.
651 In particular, running MediaWiki with tidy disabled has been deprecated.
652 * (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
653 and OutputPage::addWikiTextTitle() have been deprecated, since they
654 can result in untidy output. In addition OutputPage::addWikiTextTidy()
655 and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new
656 methods consistent. Use OutputPage::addWikiTextAsInterface() or
657 OutputPage::addWikiTextAsContent() instead, which ensures the output is
658 tidy and clarifies whether content-language specific postprocessing should
659 be done on the text.
660 * OutputPage::parse() and OutputPage::parseInline() have been deprecated
661 due to untidy output and inconsistent handling of wrapper divs and
662 interface/content language defaults. Use OutputPage::parseAsContent(),
663 OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
664 as appropriate.
665 * QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
666 as they promote bad practises. I18n messages should always be properly
667 escaped.
668 * Skin::getDynamicStylesheetQuery() has been deprecated. It always
669 returns action=raw&ctype=text/css which callers should use directly.
670 * Class LegacyFormatter is deprecated.
671 * Use of CommentStore::insertWithTempTable() with 'img_description' is
672 deprecated. Use CommentStore::insert() instead.
673 * Language::setCode is deprecated as public function. Use Language::factory
674 to create a new Language object with a different language code.
675 * Several classes have been moved from the MediaWiki\Storage\ namespace to the
676 MediaWiki\Revision\ namespace. The old class names are aliased for
677 compatibility, but are deprecated. Classes are IncompleteRevisionException,
678 MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
679 RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
680 RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
681 SuppressedDataException.
682 * When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
683 option, it is now deprecated to give its contents (the 'default' option)
684 as a string. They should be given as a OOUI\FieldLayout object instead.
685 Notably, this affects fields defined in the 'GetPreferences' hook, because
686 Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
687 * In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
688 deprecated. For the $lang parameter, types other than Language are
689 deprecated.
690 * The $wgUseKeyHeader configuration option and the
691 OutputPage::getKeyHeader() method have been deprecated; the relevant
692 draft IETF spec expired without becoming a standard.
693 * Deprecated API action=query&prop=info inprop=readable in favor of
694 intestactions=read.
695
696 === Other changes in 1.32 ===
697 * (T198811) The following tables have had their UNIQUE indexes turned into
698 proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
699 protected_titles and site_identifiers.
700 * OOUI HTMLForm will now display help text inline after the input field,
701 rather than in a popup. Previous behavior can be restored by using
702 `'help-inline' => false`.
703 * The archive table's ar_rev_id field is now unique.
704 * Special:BotPasswords now requires reauthentication.
705 * (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
706 storage layer and have basic support for display. No user interface exists
707 yet for creating or managing content in slots beides the main slot. See
708 <https://www.mediawiki.org/wiki/Multi-Content_Revisions> for more
709 information.
710 * The image_comment_temp database table has been removed. Since all access
711 should be mediated by the CommentStore class, this change shouldn't affect
712 external code.
713 * (T206147) Database::close() will no longer commit any open transactions.
714 * (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
715 recentchanges.rc_cur_time from the PostgreSQL schema.
716
717 = MediaWiki 1.31 =
718
719 == MediaWiki 1.31.1 ==
720
721 This is a security and maintenance release of the MediaWiki 1.31 branch.
722
723 === Changes since MediaWiki 1.31.0 ===
724 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
725 'newbie'.
726 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
727 account lock.
728 * (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
729 * (T197229) Bundle Nuke extension, it was accidentally omitted.
730 * (T193995) Fix undefined patchPath() method call in parser tests.
731 * (T198687) Fix various selectFields methods to use the string 'NULL', not null.
732 * Special:BotPasswords now requires reauthentication.
733 * (T191608, T187638) Add 'logid' parameter to Special:Log.
734 * (T193829) Indicate when a Bot Password needs reset.
735 * (T198037) GitInfo: Don't try shelling out if it's disabled.
736 * (T151415) Log email changes.
737 * (T197206) Fix performance regression when multiple DB used without caching.
738 * (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
739 * (T182377, T196793) Exif: Guard against uncountable tag values.
740 * (T200861) Fix total breakage of SQLite web upgrade.
741 * (T200864) Fix pingback over-reporting on non-MySQL databases
742 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
743 hooks.
744
745 == MediaWiki 1.31.0 ==
746
747 === Changes since MediaWiki 1.31.0-rc.2 ===
748 * (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
749 * (T196092) Hide MySQL binary/utf-8 charset option in the installer.
750 * (T196185) Don't allow setting $wgDBmysql5 in the installer.
751 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
752 * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
753 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
754 hook.
755 * (T196672) The mtime of extension.json files is now able to be zero
756 * (T180403) Validate $length in padleft/padright parser functions.
757 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
758
759 === Changes since MediaWiki 1.31.0-rc.0 ===
760 * (T33223) Drop archive.ar_text and ar_flags.
761 * Add default edit rate limit of 90 edits/minute for all users.
762 * (T187645) Use codepoint as tiebreaker when getting first-letters in
763 IcuCollation.
764 * (T191947) Don't shell during the installer if shelling out is disabled.
765 * (T194319) Improve duplicate config setting exception as part of extension
766 registration.
767 * (T195211) Don't require trailing slash in PSR-4 autoloader directory.
768 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
769 * Do not incorrectly hide namespace input field in the installer.
770 * (T186456) Refactor checks looking for PEAR maik libraries to be clearer.
771
772 === Important pre-upgrade notes for 1.31 ===
773 * If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
774 schema changes, and cannot have downtime to run migrateArchiveText.php and
775 apply patch-drop-ar_text.sql manually, you'll have to apply a default value
776 to the ar_text and ar_flags columns of the archive table or make those
777 columns nullable before upgrading to MediaWiki 1.31.
778 maintenance/archives/patch-nullable-ar_text.sql shows how to do this for
779 MySQL.
780
781 === Configuration changes in 1.31 ===
782 * $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
783 a future version. The API is now considered to be stable, secure and
784 essential.
785 * $wgUsejQueryThree was removed, as it is now the default. This was documented
786 as a temporary variable during the migration period, deprecated since 1.29.
787 * $wgLogoHD has been updated to support svg images and uses $wgLogo where
788 possible for fallback images such as png.
789 * (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
790 have the right to mark things patrolled.
791 * Wikis that contain imported revisions or CentralAuth global blocks should run
792 maintenance/cleanupUsersWithNoId.php.
793 * The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
794 $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
795 * (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
796 are not using the latest version of the Referrer Policy specification.
797 * $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
798 first step of migration to human-readable section IDs that will later result
799 in 'html5' being the default mode.
800 * CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
801 as upstream is inactive and has no plans to move to PHP 7.
802 * The old CategorizedRecentChanges feature, including its related configuration
803 option $wgAllowCategorizedRecentChanges, has been removed.
804 * (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
805 for performance reasons, and installations with this setting will now work as
806 if it was configured with 'any'.
807 * (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
808 rather than being off by default. If you wish to disable HTML tidying
809 entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
810 Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
811 * $wgLogAutopatrol now defaults to false instead of true.
812 * $wgValidateAllHtml was removed and will be ignored.
813 * $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
814 1.25 release notes for more information.
815 * $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
816 framework that it enables. Some extensions mistakenly used this to check
817 whether any AJAX functionality at all should be enabled, further making this
818 problematic to retain.
819 * $wgDBmysql5 is now deprecated, and will be removed in a future version. It
820 has been marked as experimental ever since it was introduced.
821
822 === New features in 1.31 ===
823 * (T76554) User sub-pages named ….json are now protected in the same way that
824 ….js and ….css pages are, so that configuration options can safely be placed
825 there.
826 * Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
827 with parentheses for grouping.
828 * As a first pass in standardizing dialog boxes across the MediaWiki product,
829 Html class now provides helper methods for messageBox, successBox, errorBox
830 and warningBox generation.
831 * (T9240) Imports will now record unknown (and, optionally, known) usernames in
832 a format like "iw>Example".
833 * (T20209) Linker (used on history pages, log pages, and so on) will display
834 usernames formed like "iw>Example" as interwiki links, as if by wikitext like
835 [[iw:User:Example|iw>Example]].
836 * (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
837 users during an import.
838 * Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
839 the ParserOutput::getText() post-cache transformations.
840 * Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
841 initial page text for file uploads.
842 * (T181651) The info page for File pages now displays the file's base-16 SHA1
843 hash value in the table of basic information.
844 * Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
845 ParserOutput::getText() post-cache transformation. This may be disabled by
846 passing 'deduplicateStyles' => false to that method.
847 * The identity of the logged-in or IP "actor" for logged actions is being moved
848 into a new actor table, with the rows in tables such as revision and logging
849 referring to the actor ID instead of storing the user ID and name/IP in
850 every row.
851 * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
852 can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
853 soon as any necessary extensions are updated.
854 * Most code accessing rows for logged actions from the database should use
855 the relevant getQueryInfo() methods to get the information needed to build
856 the SQL query. The ActorMigration class may also be used to get feature
857 -flagged information needed to access actor-related fields during the
858 migration period.
859 * Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
860 section without having to roll back the whole transaction.
861 * Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
862 and non-MySQL ::replace() and ::upsert() no longer roll back the whole
863 transaction on failure.
864 * (T189785) Added a monthly heartbeat ping to the pingback feature.
865 * The CLI installer (maintenance/install.php) learned to detect and include
866 extensions. Pass --with-extensions to enable that feature.
867 * (T184791) rc_patrolled now has three states: "0" for unpatrolled,
868 "1" for manually patrolled and "2" for autopatrolled actions.
869 * Extensions can now set their type to "editor" if they provide an editor or
870 enhance the editing experience.
871 * Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
872 property in extension.json. See the documentation at
873 <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
874 for more details and an example.
875 * (T19099) Tabs which link to pages that don't exist (like those to uncreated
876 discussion pages) now have a tooltip to indicate state, not just colour.
877
878 === External library changes in 1.31 ===
879 * pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
880 suggested to required. These packages now must be installed via composer
881 and not via PEAR itself.
882
883 ==== Upgraded external libraries ====
884 * Updated jquery.chosen from v0.9.14 to v1.8.2.
885 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
886 * Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
887 * Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
888 * Updated wikimedia/relpath from 2.0.0 to 2.1.1.
889 * Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
890 * Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
891 * Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
892 * Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
893 * Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
894 * Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.
895
896 ==== New external libraries ====
897 * Added wikimedia/object-factory 1.0.0
898
899 ==== Removed and replaced external libraries ====
900 * (T17845) The deprecated 'jquery.badge' module was removed.
901 * The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
902 text-overflow property instead.
903 * The deprecated 'jquery.placeholder' module was removed.
904 * The deprecated 'jquery.appear' module was removed. Use the
905 'mediawiki.viewport' module instead.
906 * mediawiki/at-ease was replaced with wikimedia/at-ease.
907
908 === Bug fixes in 1.31 ===
909 * (T90902) Non-breaking space in header ID breaks anchor.
910 * (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
911 space.
912 * (T2087, T10897, T87753, T174639) Whitespace created by category and language
913 links is now stripped rather than leaving blank lines in odd places.
914 * (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
915 * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
916
917 === Action API changes in 1.31 ===
918 * (T185058) The 'name' value to tgprop for action=query&list=tags has been
919 removed. It has never made a difference in the output, the name was always
920 returned regardless.
921 * The 'watch' and 'unwatch' parameters for action=move have been removed. They
922 were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
923 'watchlist' instead.
924
925 === Action API internal changes in 1.31 ===
926 * ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
927 * ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
928 * ApiBase::getProfileTime, deprecated since 1.25, was removed.
929
930 === Languages updated in 1.31 ===
931 MediaWiki supports over 350 languages. Many localisations are updated
932 regularly. Below only new and removed languages are listed, as well as
933 changes to languages because of Phabricator reports.
934
935 * (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
936 * (T182305) New language support: Nyungar (nys).
937 * (T186359) New language support: Siberian Tatar [cебертатар] (sty).
938 * (T186635) New language support: Guianan Creole (gcr).
939 * (T186647) New language support: Kumyk [къумукъ] (kum).
940 * (T187750) New language support: Spanish formal address (es-formal).
941 * (T187824) New language support: Hungarian formal address (hu-formal).
942 * (T189127) New language support: Gorontalo (gor).
943
944 === Breaking changes in 1.31 ===
945 * MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
946 * The OutputPage class constructor now requires a context parameter.
947 Instantiating without context was deprecated in 1.18.
948 * The mw.page JavaScript singleton, deprecated in 1.30, was removed.
949 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
950 related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
951 * The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
952 ::onArticleEdit() methods, deprecated in 1.24, were removed.
953 * Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
954 removed. Use ExecutableFinder::findInDefaultPaths() instead.
955 * The deprecated MW_DIFF_VERSION constant was removed.
956 DifferenceEngine::MW_DIFF_VERSION should be used instead.
957 * Due to significant refactoring, method ContribsPager::getUserCond() that had
958 no access restriction has been removed.
959 * The Block class will no longer accept usable-but-missing usernames for
960 'byText' or ->setBlocker(). Callers should either ensure the blocker exists
961 locally or use a new interwiki-format username like "iw>Example".
962 * The following methods and constants from the WatchedItem class, which were
963 deprecated in 1.27, have been removed:
964 * WatchedItem::getTitle()
965 * WatchedItem::fromUserTitle()
966 * WatchedItem::addWatch()
967 * WatchedItem::removeWatch()
968 * WatchedItem::isWatched()
969 * WatchedItem::duplicateEntries()
970 * WatchedItem::IGNORE_USER_RIGHTS
971 * WatchedItem::CHECK_USER_RIGHTS
972 * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
973 * The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
974 $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
975 variable, has been deprecated since 1.27 and was removed as well.
976 * The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
977 $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
978 variable, has been deprecated since 1.27 and was removed as well.
979 * The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
980 HtmlFormatter\HtmlFormatter class should be used instead.
981 * The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
982 The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
983 default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
984 * The following properties of PreparedEdit were deprecated in 1.21 and have
985 been removed:
986 * PreparedEdit->newText
987 * PreparedEdit->oldText
988 * PreparedEdit->pst
989 * ParserOutput objects which are generated using a non-default value for
990 ParserOptions::setWrapOutputClass() can no longer be added to the parser
991 cache.
992 * The following deprecated methods from the OutputPage class have been removed:
993 * OutputPage::addExtensionStyle(); deprecated in 1.27
994 * OutputPage::getExtStyle(); deprecated in 1.27
995 * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
996 * OutputPage::setSquidMaxage(); deprecated in 1.27
997 * OutputPage::readOnlyPage(); deprecated in 1.25
998 * OutputPage::rateLimited(); deprecated in 1.25
999 * Additionally, the protected OutputPage::$mExtStyles array, only accessed
1000 through the above and with no known uses, was removed.
1001 * The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
1002 * The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
1003 were removed:
1004 * $isCssJsSubpage — use ::isUserConfigPage()
1005 * $isCssSubpage — use ::isUserCssConfigPage()
1006 * $isJsSubpage — use ::isUserJsConfigPage()
1007 * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
1008 * ::getSummaryInput() – use ::getSummaryInputWidget()
1009 * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
1010 * ::getCheckboxes() – use ::getCheckboxesWidget() or
1011 ::getCheckboxesDefinition()
1012 * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
1013 ::getCheckboxesDefinition()
1014 * ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
1015 * In User, the cookie-related methods which were wrappers for the functions on
1016 the response object, and were deprecated in 1.27, have been removed:
1017 * ::setCookie()
1018 * ::clearCookie()
1019 * ::setExtendedLoginCookie()
1020 Note that User::setCookies() remains, and is not deprecated.
1021 * Also in User, some auth-related methods which were deprecated in 1.27 have
1022 been removed:
1023 * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
1024 * ::getPasswordFactory() – create a PasswordFactory directly
1025 * ::passwordChangeInputAttribs()
1026 * The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
1027 been removed.
1028 * SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
1029 use ::getNames() instead.
1030 * OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
1031 can use ApiOpenSearch::getOpenSearchTemplate() instead.
1032 * The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
1033 Wikimedia\base_convert() directly.
1034 * Calling Database::begin() explicitly during an implicit transaction or when
1035 DBO_TRX is set results in an exception. Calling Database::commit() explicitly
1036 for an implicit transaction also results in an exception. Previously these
1037 were logged as errors. The startAtomic() and endAtomic() methods, or
1038 AtomicSectionUpdate should be used instead.
1039 * The global function wfOutputHandler() was removed, use the its replacement
1040 MediaWiki\OutputHandler::handle() instead. The global function was only
1041 sometimes defined. Its replacement is always available via the autoloader.
1042 * ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
1043 deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
1044 ::listSoftwareDefinedTags() instead.
1045 * Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
1046 use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
1047 * HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
1048 * The ProfileSection class, deprecated in 1.25 and unused, has been removed.
1049 * The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
1050 ResourceLoaderModule::getLessVars() to expose local variables instead of
1051 global ones.
1052 * As part of work to modernise user-generated content clean-up, a config option
1053 and some methods related to HTML validity were removed without deprecation.
1054 The public methods MWTidy::checkErrors() and the path through which it was
1055 called, TidyDriverBase::validate(), are removed, as are the testing methods
1056 MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
1057 The $wgValidateAllHtml configuration option is removed and will be ignored.
1058 * Execution of external programs using MediaWiki\Shell\Command now applies
1059 the RESTRICT_DEFAULT Firejail restriction by default.
1060 * The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
1061 deprecated in 1.26, were removed.
1062 * The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
1063 Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.
1064
1065 === Deprecations in 1.31 ===
1066 * The Revision class was deprecated in favor of RevisionStore, BlobStore, and
1067 RevisionRecord and its subclasses.
1068 * The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
1069 * The global function wfCountDown is now deprecated in favor of
1070 Maintenance::countDown.
1071 * Several methods for returning lists of fields to select from the database
1072 have been deprecated in favor of similar methods that also return the tables
1073 to select from and the join conditions for those tables.
1074 * Block::selectFields() → Block::getQueryInfo()
1075 * RecentChange::selectFields() → RecentChange::getQueryInfo()
1076 * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
1077 * LocalFile::selectFields() → LocalFile::getQueryInfo()
1078 * LocalFile::getCacheFields() with a prefix no longer works
1079 * LocalFile::getLazyCacheFields() with a prefix no longer works
1080 * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
1081 * RecentChange::selectFields() → RecentChange::getQueryInfo()
1082 * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
1083 * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
1084 * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
1085 * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
1086 * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
1087 * Revision::selectFields() → Revision::getQueryInfo()
1088 * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
1089 * User::selectFields() → User::getQueryInfo()
1090 * WikiPage::selectFields() → WikiPage::getQueryInfo()
1091 * Revision::setUserIdAndName() was deprecated.
1092 * Access to TitleValue class properties was deprecated, the relevant getters
1093 should be used instead.
1094 * DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
1095 override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
1096 * Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
1097 Maintenance::fatalError() instead.
1098 * Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
1099 * The RevisionInsertComplete hook is now deprecated; use instead the hook
1100 RevisionRecordInserted. RevisionInsertComplete is still called, but the second
1101 and third parameter will always be null. Hard deprecation is scheduled for
1102 1.32.
1103 * The following methods that get and set ParserOutput state are deprecated.
1104 Callers should use the new stateless $options parameter to
1105 ParserOutput::getText() instead.
1106 * ParserOptions::getEditSection()
1107 * ParserOptions::setEditSection()
1108 * ParserOutput::getEditSectionTokens()
1109 * ParserOutput::setEditSectionTokens()
1110 * ParserOutput::getTOCEnabled()
1111 * ParserOutput::setTOCEnabled()
1112 * OutputPage::enableSectionEditLinks()
1113 * OutputPage::sectionEditLinksEnabled()
1114 * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
1115 are also deprecated.
1116 * License::getLicenses has been deprecated; use License::getLines instead.
1117 * QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
1118 Setting template variables by reference allowed violating the principle of
1119 data being immutable once added to the skin template. In practice, this method
1120 was not being used for that. Rather, setRef() existed as memory optimisation
1121 for PHP 4.
1122 * QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
1123 favour of Skin::msg() parameters.
1124 * MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
1125 wfMessage().
1126 * Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
1127 'unwrap' transform to ParserOutput::getText() instead.
1128 * \ObjectFactory (no namespace) is deprecated, the namespaced class
1129 \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
1130 used instead.
1131 * CommentStore::newKey is deprecated. Instead, get an instance from
1132 MediaWikiServices.
1133 * The following CommentStore methods have had their signatures changed to
1134 introduce a $key parameter, usage of the methods on instances retrieved from
1135 CommentStore::newKey will remain unchanged but deprecated:
1136 * CommentStore::getFields
1137 * CommentStore::getJoin
1138 * CommentStore::getComment
1139 * CommentStore::getCommentLegacy
1140 * CommentStore::insert
1141 * CommentStore::insertWithTemplate
1142 * The following methods in Title have been renamed, and the old ones are
1143 deprecated:
1144 * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
1145 * Title::isCssOrJsPage – use ::isSiteConfigPage
1146 * Title::isCssJsSubpage – use ::isUserConfigPage
1147 * Title::isCssSubpage – use ::isUserCssConfigPage
1148 * Title::isJsSubpage – use ::isUserJsConfigPage
1149 * The following methods related to caching of half-parsed HTML were deprecated:
1150 * Parser::serializeHalfParsedText()
1151 * Parser::unserializeHalfParsedText()
1152 * Parser::isValidHalfParsedText()
1153 * StripState::getSubState()
1154 * StripState::merge()
1155 * The DeferredStringifier class is deprecated, use Message::listParam() instead.
1156 * The type string for the parameter $lang of DateFormatter::getInstance is
1157 deprecated.
1158 * Wikimedia\Rdbms\SavepointPostgres is deprecated.
1159 * The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
1160 used instead.
1161 * The function wfShellWikiCmd() has been deprecated, use
1162 MediaWiki\Shell::makeScriptCommand().
1163 * In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
1164 will be allowed to provide any HTMLForm object rather than PreferencesForm.
1165
1166 === Other changes in 1.31 ===
1167 * Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
1168 * Browser support for Opera 12 and older was dropped entirely. Opera 15+
1169 continues at Grade A.
1170 * Multi-content-revision capability was introduced into the storage layer. See
1171 <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
1172 * The "free" CSS class is now only applied to unbracketed URLs in wikitext.
1173 Links written using square brackets will get the class "text" not "free".
1174 * RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
1175 wikitext table captions, wikitext table headings, wikitext table cells. HTML
1176 headings, HTML list items, HTML table captions, HTML table headings, HTML
1177 table cells will not have this trimming behavior.
1178
1179 == Compatibility ==
1180 MediaWiki 1.31 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
1181 supported, it is generally advised to use PHP 7.0.0 or later for long term
1182 support.
1183
1184 MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
1185 but support for them is somewhat less mature. There is experimental support for
1186 Oracle and Microsoft SQL Server.
1187
1188 The supported versions are:
1189
1190 * MySQL 5.5.8 or later
1191 * PostgreSQL 9.2 or later
1192 * SQLite 3.3.7 or later
1193 * Oracle 9.0.1 or later
1194 * Microsoft SQL Server 2005 (9.00.1399)
1195
1196 == Upgrading ==
1197 1.31 has several database changes since 1.30, and will not work without schema
1198 updates. Note that due to changes to some very large tables like the revision
1199 table, the schema update may take quite long (minutes on a medium sized site,
1200 many hours on a large site).
1201
1202 Don't forget to always back up your database before upgrading!
1203
1204 See the file UPGRADE for more detailed upgrade instructions, including
1205 important information when upgrading from versions prior to 1.11.
1206
1207 For notes on 1.30.x and older releases, see HISTORY.
1208
1209 == Online documentation ==
1210 Documentation for both end-users and site administrators is available on
1211 MediaWiki.org, and is covered under the GNU Free Documentation License (except
1212 for pages that explicitly state that their contents are in the public domain):
1213
1214 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
1215
1216 == Mailing list ==
1217 A mailing list is available for MediaWiki user support and discussion:
1218
1219 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
1220
1221 A low-traffic announcements-only list is also available:
1222
1223 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
1224
1225 It's highly recommended that you sign up for one of these lists if you're
1226 going to run a public MediaWiki, so you can be notified of security fixes.
1227
1228 == IRC help ==
1229 There's usually someone online in #mediawiki on irc.freenode.net.
1230
1231
1232 = MediaWiki 1.30 =
1233
1234 == MediaWiki 1.30.1 ==
1235
1236 This is a security and maintenance release of the MediaWiki 1.30 branch.
1237
1238 === Changes since MediaWiki 1.30.0 ===
1239 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
1240 'newbie'.
1241 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
1242 account lock.
1243 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
1244 array.
1245 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1246 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
1247 include extensions. Pass --with-extensions to enable that feature.
1248 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
1249 * (T167507) selenium: Run Chrome headlessly.
1250 * selenium: Pass -no-sandbox to Chrome under Docker.
1251 * (T179190) selenium: Move logic for running tests from package.json to
1252 selenium.sh
1253 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
1254 * Add default edit rate limit of 90 edits/minute for all users.
1255 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
1256 * oojs/oojs-ui updated to remove an unnecessary dependancy.
1257 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
1258 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
1259 hook.
1260 * (T196672) The mtime of extension.json files is now able to be zero
1261 * (T180403) Validate $length in padleft/padright parser functions.
1262 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
1263 * (T193995) Fix undefined patchPath() method call in parser tests.
1264 * Special:BotPasswords now requires reauthentication.
1265 * (T191608, T187638) Add 'logid' parameter to Special:Log.
1266 * (T193829) Indicate when a Bot Password needs reset.
1267 * (T151415) Log email changes.
1268 * (T200861) Fix total breakage of SQLite web upgrade.
1269 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
1270 hooks.
1271 * (T190539) Explicitly require Postgres 9.1.
1272 * (T118420) Unbreak Oracle installer.
1273
1274 == MediaWiki 1.30.0 ==
1275
1276 === Changes since MediaWiki 1.30.0-rc.0 ===
1277 * Upgraded Moment.js from v2.15.0 to v2.19.3.
1278 * Add ip_changes to postgres/tables.sql.
1279 * Skip null shell parameters.
1280 * Add wfWaitForSlaves() to maintenance/migrateComments.php.
1281 * (T182245) Fix join conditions in ImageListPager.
1282 * (T178626) Revert #contentSub and #jump-to-nav margin changes.
1283
1284 === MySQL version requirement in 1.30 ===
1285 As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
1286 section).
1287
1288 === Configuration changes in 1.30 ===
1289 * The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
1290 unexpected behavior when code uses locale-sensitive string comparisons. For
1291 example, the Scribunto extension considers "bar" < "Foo" in most locales
1292 since it ignores case.
1293 * $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
1294 documentation of $wgShellLocale for details.
1295 * $wgShellLocale is now applied for all requests. wfInitShellLocale() is
1296 deprecated and a no-op, as it is no longer needed.
1297 * $wgJobClasses may now specify callback functions as an alternative to plain
1298 class names. This is intended for extensions that want control over the
1299 instantiation of their jobs, to allow for proper dependency injection.
1300 * $wgResourceModules may now specify callback functions as an alternative
1301 to plain class names, using the 'factory' key in the module description
1302 array. This allows dependency injection to be used for ResourceLoader modules.
1303 * $wgExceptionHooks has been removed.
1304 * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
1305 of IP ranges that can be queried at Special:Contributions.
1306 * (T45547) $wgUsePigLatinVariant added (off by default).
1307 * (T152540) MediaWiki now supports a section ID escaping style that allows to
1308 display non-Latin characters verbatim on many modern browsers. This is
1309 controlled by the new configuration setting, $wgFragmentMode.
1310 * $wgExperimentalHtmlIds is now deprecated and will be removed in a future
1311 version, use $wgFragmentMode to migrate off it to a modern alternative.
1312 * $wgExternalInterwikiFragmentMode was introduced to control how fragments in
1313 sinterwikis going outside of current wiki farm are encoded.
1314 * (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of
1315 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0.
1316 MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if
1317 explicitly requested through the configuration parameter $wgDBservers.
1318 * $wgOOUIEditPage was removed, as it is now the default. This was documented as
1319 a temporary variable during the migration period.
1320
1321 === New features in 1.30 ===
1322 * (T37247) Output from Parser::parse() will now be wrapped in a div with
1323 class="mw-parser-output" by default. This may be changed or disabled using
1324 ParserOptions::setWrapOutputClass().
1325 * (T163562) Added ability to search for contributions within an IP ranges
1326 at Special:Contributions.
1327 * Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
1328 specific tags to be added by users.
1329 * Added a 'ParserOptionsRegister' hook to allow extensions to register
1330 additional parser options.
1331 * (T45547) Included Pig Latin, a language game in English, as a
1332 LanguageConverter variant. This allows English-speaking developers
1333 to develop and test LanguageConverter more easily. Pig Latin can be
1334 enabled by setting $wgUsePigLatinVariant to true.
1335 * Added RecentChangesPurgeRows hook to allow extensions to purge data that
1336 depends on the recentchanges table.
1337 * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
1338 * (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
1339 'watchlistunwatchlinks' preference option is enabled). With JavaScript
1340 enabled, these links toggle so the user can also re-watch pages that have
1341 just been unwatched.
1342 * Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
1343 MediaHandlerFactory for parser tests.
1344 * Edit summaries, block reasons, and other "comments" are now stored in a
1345 separate database table. Use the CommentFormatter class to access them.
1346 ** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
1347 can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
1348 soon as any necessary extensions are updated.
1349 * (T138166) Added ability for users to prohibit other users from sending them
1350 emails with Special:Emailuser. Can be enabled by setting
1351 $wgEnableUserEmailBlacklist to true.
1352 * (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no
1353 effect. Instead, users using browsers that do not support Unicode will be
1354 unable to edit and should upgrade to a modern browser instead.
1355
1356 === External library changes in 1.30 ===
1357
1358 ==== Upgraded external libraries ====
1359 * Updated justinrainbow/json-schema from v3.0 to v5.2.
1360 * Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
1361 * Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
1362 * Updated wikimedia/relpath from v1.0.3 to v2.0.0.
1363 * Updated OOjs from v2.0.0 to v2.1.0.
1364 * Updated OOUI from v0.21.1 to v0.23.0.
1365 * Updated QUnit from v1.23.1 to v2.4.0.
1366 * Updated phpunit/phpunit from v4.8.35 to v4.8.36.
1367 * Upgraded Moment.js from v2.15.0 to v2.19.3.
1368
1369 ==== New external libraries ====
1370 * The class \TestingAccessWrapper has been moved to the external library
1371 wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
1372 * Purtle, a fast, lightweight RDF generator.
1373
1374 ==== Removed and replaced external libraries ====
1375 * …
1376
1377 === Bug fixes in 1.30 ===
1378 * (T151633) Ordered list items use now Devanagari digits in Nepalese
1379 (thanks to Sfic)
1380
1381 === Action API changes in 1.30 ===
1382 * (T37247) action=parse output will be wrapped in a div with
1383 class="mw-parser-output" by default. This may be changed or disabled using
1384 the new 'wrapoutputclass' parameter.
1385 * When errorformat is not 'bc', abort reasons from action=login will be
1386 formatted as specified by the error formatter parameters.
1387 * action=compare can now handle arbitrary text, deleted revisions, and
1388 returning users and edit comments.
1389 * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
1390 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
1391 parameters to prop=revisions are deprecated, as are the similarly named
1392 parameters to prop=deletedrevisions, list=allrevisions, and
1393 list=alldeletedrevisions. Use action=compare, action=parse, or
1394 action=expandtemplates instead.
1395
1396 === Action API internal changes in 1.30 ===
1397 * ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
1398 deprecated. The existing message should be split between "apihelp-*-summary"
1399 and "apihelp-*-extended-description".
1400 * (T123931) Individual values of multi-valued parameters can now be marked as
1401 deprecated.
1402
1403 === Languages updated in 1.30 ===
1404 MediaWiki supports over 350 languages. Many localisations are updated
1405 regularly. Below only new and removed languages are listed, as well as
1406 changes to languages because of Phabricator reports.
1407
1408 * Added: kbp (Kabɩyɛ / Kabiyè)
1409 * Added: skr (Saraiki, سرائیکی)
1410 * Added: tay (Tayal / Atayal)
1411 * Removed: tokipona (Toki Pona)
1412
1413 ==== Pig Latin added ====
1414 * (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
1415 for easier variant development and testing. Disabled by default. It can be
1416 enabled by setting $wgUsePigLatinVariant to true.
1417
1418 === Other changes in 1.30 ===
1419 * The use of an associative array for $wgProxyList, where the IP address is in
1420 the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
1421 Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
1422 * mw.user.bucket (deprecated in 1.23) was removed.
1423 * LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
1424 deprecated. There are no known callers.
1425 * File::getStreamHeaders() was deprecated.
1426 * MediaHandler::getStreamHeaders() was deprecated.
1427 * Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
1428 used instead.
1429 * MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
1430 should be used instead.
1431 * The ExtractThumbParameters hook (deprecated in 1.21) was removed.
1432 * The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
1433 deprecated in 1.24) were removed.
1434 * wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
1435 BagOStuff::makeGlobalKey() should be used instead.
1436 * (T146304) Preprocessor handling of LanguageConverter markup has been improved.
1437 As a result of the new uniform handling, '-{' may need to be escaped
1438 (for example, as '-<nowiki/>{') where it occurs inside template arguments
1439 or wikilinks.
1440 * (T163966) Page moves are now counted as edits for the purposes of
1441 autopromotion, i.e., they increment the user_editcount field in the database.
1442 * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
1443 manipulating Special:Log and Special:NewPages lines.
1444 * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
1445 PageHistoryLineEnding, ContributionsLineEnding and
1446 DeletedContributionsLineEnding hooks have an additional parameter, for
1447 manipulating HTML data attributes of RC/history lines.
1448 EnhancedChangesListModifyBlockLineData can do that via the
1449 $data['attribs'] subarray.
1450 * (T130632) The OutputPage::enableTOC() method was removed.
1451 * WikiPage::getParserOutput() will now throw an exception if passed
1452 ParserOptions that would pollute the parser cache. Callers should use
1453 WikiPage::makeParserOptions() to create the ParserOptions object and only
1454 change options that affect the parser cache key.
1455 * Article::viewRedirect() is deprecated.
1456 * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
1457 * DeprecatedGlobal no longer supports passing in a direct value, it requires a
1458 callable factory function or a class name.
1459 * The $parserMemc global, wfGetParserCacheStorage(), and
1460 ParserCache::singleton() are all deprecated. The main ParserCache instance
1461 should be obtained from MediaWikiServices instead. Access to the underlying
1462 BagOStuff is possible through the new ParserCache::getCacheStorage() method.
1463 * .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
1464 * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
1465 escapeIdForLink() or escapeIdForExternalInterwiki() instead.
1466 * Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
1467 Sanitizer functions or, if possible, Title::getFragmentForURL().
1468 * Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
1469 nothing and is deprecated.
1470 * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
1471 escapeIdForLink().
1472 * MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
1473 * WikiImporter now requires the second parameter to be an instance of the
1474 Config, class. Prior to that, the Config parameter was optional (a behavior
1475 deprecated in 1.25).
1476 * Removed 'jquery.mwExtension' module. (deprecated since 1.26)
1477 * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
1478 any more.
1479 * CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
1480 The namespaced classes in the Cdb namespace should be used instead.
1481 * IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
1482 should be used instead.
1483 * RunningStat class (deprecated in 1.27) was removed. The namespaced
1484 RunningStat\RunningStat should be used instead.
1485 * MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were
1486 removed.
1487 The MemcachedClient class should be used instead.
1488 * EditPage underwent some refactoring and deprecations:
1489 * EditPage::isOouiEnabled() is deprecated and will always return true.
1490 * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated.
1491 Please use ::getSummaryInputWidget() instead.
1492 * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
1493 use ::getCheckboxesWidget() instead.
1494 * Creating an EditPage instance without calling EditPage::setContextTitle()
1495 should be avoided and will be deprecated in a future release.
1496 * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and
1497 no-ops.
1498 * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are
1499 deprecated. The corresponding methods from Title should be used instead.
1500 * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
1501 * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The
1502 getters ::getArticle() and ::getTitle() should be used instead.
1503 * Trying to control or fake EditPage context by overriding $wgUser,
1504 $wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The
1505 IContextSource returned from EditPage::getContext() must be modified
1506 instead.
1507 * Parser::getRandomString() (deprecated in 1.26) was removed.
1508 * Parser::uniqPrefix() (deprecated in 1.26) was removed.
1509 * Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
1510 $uniq_prefix was deprecated in 1.26 and has now been removed.
1511 * (T172514) The following tables have had their UNIQUE indexes turned into
1512 proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks,
1513 iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks,
1514 query_cache, site_stats, templatelinks, text, transcache, user_former_groups,
1515 user_properties.
1516 * IDatabase::nextSequenceValue() is no longer needed by any database backends
1517 (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
1518 * (T146591) The lc_lang_key index on the l10n_cache table has been changed into
1519 a PRIMARY KEY.
1520 * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
1521 page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
1522 user_properties.up_user have all been made unsigned on MySQL.
1523 * DB_SLAVE is deprecated. DB_REPLICA should be used instead.
1524 * wfUsePHP() is deprecated.
1525 * wfFixSessionID() was removed.
1526 * wfShellExec() and related functions are deprecated, use Shell::command(). This
1527 also slightly changes the behavior of how execution time limits are calculated
1528 when only some of defaults are overridden per-call. When in doubt, always
1529 override both wall clock and CPU time.
1530 * (T138166) SpecialEmailUser::getTarget() now requires a second argument, the
1531 sending user object. Using the method without the second argument is
1532 deprecated.
1533 * (T67297) Browsers that don't support Unicode will have their edits rejected.
1534 * (T178450) The module 'jquery.badge' is deprecated and will be removed in a
1535 future release. For notifying the user of an event, the Notifications ("Echo")
1536 system should be used instead.
1537 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1538 browser sends non-standard url escaping.
1539 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1540
1541 = MediaWiki 1.29 =
1542
1543 == MediaWiki 1.29.3 ==
1544
1545 This is a security and maintenance release of the MediaWiki 1.29 branch.
1546
1547 === Changes since 1.29.2 ===
1548 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
1549 'newbie'.
1550 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
1551 account lock.
1552 * (T180551) Fix LanguageSrTest for language converter
1553 * (T180552) Fix langauge converter parser test with self-close tags
1554 * (T180537) Remove $wgAuth usage from wrapOldPasswords.php
1555 * (T180485) InputBox: Have inputbox langconvert certain attributes
1556 * (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
1557 * (T172927) Drop vendor from MW release branch
1558 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
1559 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1560 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
1561 include extensions. Pass --with-extensions to enable that feature.
1562 * (T182381) Mask deprecated call in WatchedItemUnitTest
1563 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
1564 * The karma qunit tests would fail on some configuration due to headers already
1565 sent. Check headers_sent() before sending cpPosTime headers
1566 * (T167507) selenium: Run Chrome headlessly.
1567 * selenium: Pass -no-sandbox to Chrome under Docker
1568 * (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
1569 * (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
1570 fails under SQLite.
1571 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
1572 * (T179190) selenium: Move test running logic from package.json to selenium.sh.
1573 * (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
1574 * Add default edit rate limit of 90 edits/minute for all users.
1575 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
1576 * (T196672) The mtime of extension.json files is now able to be zero
1577 * (T180403) Validate $length in padleft/padright parser functions.
1578 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
1579 * (T194237) Special:BotPasswords now requires reauthentication.
1580 * (T191608, T187638) Add 'logid' parameter to Special:Log.
1581 * (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
1582 * (T193829) Indicate when a Bot Password needs reset.
1583 * (T151415) Log email changes.
1584 * (T118420) Unbreak Oracle installer.
1585
1586 == MediaWiki 1.29.2 ==
1587
1588 This is a security and maintenance release of the MediaWiki 1.29 branch.
1589
1590 === Changes since 1.29.1 ===
1591 * (T166757) Avoid scoped lock errors in Category::refreshCounts() due to
1592 nesting.
1593 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
1594 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
1595 * Fixed login button label to accept RawMessage.
1596 * Fixed case of SpecialRecentChanges class usage.
1597 * (T174255) Declare uploadCount property in importDump.php.
1598 * (T163646) Pass a string not an int to mysql_real_escape_string().
1599 * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
1600 * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
1601 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1602 browser sends non-standard url escaping.
1603 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1604 * (T128209) SECURITY: Reflected File Download from api.php.
1605 * (T134100) SECURITY: Do not reveal if user exists during login failure.
1606 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
1607 * (T125163) SECURITY: Make anchor for headlines escape > and <.
1608 * (T180237) SECURITY: Protect vendor folder with .htaccess.
1609 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
1610 update.php.
1611 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
1612 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
1613 * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly
1614 fixed in all branches in the previous security release.
1615
1616 == MediaWiki 1.29.1 ==
1617
1618 This is a maintenance release of the MediaWiki 1.29 branch.
1619
1620 The SpamBlacklist and PdfHandler extensions were missing from the generated
1621 packages.
1622
1623 === Changes since 1.29.1 ===
1624 * (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
1625 * (T172061) Fix fatal when passing a category to refreshLinks.php.
1626
1627 == MediaWiki 1.29.0 ==
1628
1629 === Configuration changes in 1.29 ===
1630 * Default cookie expiration time has been reduced to 30 days. Login cookie
1631 expiration time is kept at 180 days.
1632 * A new configuration variable has been added: $wgCookieSetOnAutoblock. This
1633 determines whether to set a cookie when a user is autoblocked. Doing so means
1634 that a blocked user, even after logging out and moving to a new IP address,
1635 will still be blocked.
1636 * The resetpassword right and associated password reset capture feature has
1637 been removed.
1638 * The $error parameter to the EmailUser hook should be set to a Status object
1639 or boolean false. This should be compatible with at least MediaWiki 1.23 if
1640 not earlier. Returning a raw HTML string is now deprecated.
1641 * The $message parameter to the ApiCheckCanExecute hook should be set to an
1642 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
1643 code for ApiBase::parseMsg() will no longer work.
1644 * ApiBase::$messageMap is no longer public. Code attempting to access it will
1645 result in a PHP fatal error.
1646 * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
1647 policies.
1648 * Subpages are now enabled by default in the Template namespace. Set
1649 $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
1650 * $wgRunJobsAsync is now false by default (T142751). This change only affects
1651 wikis with $wgJobRunRate > 0.
1652 * (T158474) "Unknown user" has been added to $wgReservedUsernames.
1653 * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single
1654 IPs.
1655 * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
1656 added to $wgExtraLanguageCodes instead.
1657 * (T161453) LocalisationCache will no longer use the temporary directory in it's
1658 fallback chain when trying to work out where to write the cache.
1659 * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
1660 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
1661
1662 === New features in 1.29 ===
1663 * (T5233) A cookie can now be set when a user is autoblocked, to track that user
1664 if they move to a new IP address. This is disabled by default.
1665 * Added ILocalizedException interface to standardize the use of localized
1666 exceptions, largely so the API can handle them more sensibly.
1667 * Blocks created automatically by MediaWiki, such as for configured proxies or
1668 dnsbls, are now indicated as such and use a new i18n message when displayed.
1669 * Added new $wgHTTPImportTimeout setting. Sets timeout for
1670 downloading the XML dump during a transwiki import in seconds.
1671 * Parser limit report is now available in machine-readable format to JavaScript
1672 via mw.config.get('wgPageParseReport').
1673 * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
1674 from certain IP ranges (e.g. private IPs).
1675 * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
1676 of the page being parsed.
1677 * HTML5 form validation attributes will no longer be suppressed. Originally
1678 browsers had poor support for them, but modern browsers handle them fine.
1679 This might affect some forms that used them and only worked because the
1680 attributes were not actually being set.
1681 * Expiry times can now be specified when users are added to user groups.
1682 * Completely new user interface for the RecentChanges page, which
1683 structures filters into user-friendly groups. This has corresponding
1684 changes to how filters are registered by core and extensions.
1685 * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
1686 Because this change can cause problems for extensions and on-wiki
1687 scripts depending on the exact HTML, the old version is still available
1688 and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
1689 This will be removed later and OOjs UI will become the only option.
1690 To make testing easier, users can also force either mode by adding
1691 &ooui=true or &ooui=false to the action=edit URL.
1692
1693 === External library changes in 1.29 ===
1694
1695 ==== Upgraded external libraries ====
1696 * Updated QUnit from v1.22.0 to v1.23.1.
1697 * Updated cssjanus from v1.1.2 to v1.2.0.
1698 * Updated psr/log from v1.0.0 to v1.0.2.
1699 * Update Moment.js from v2.8.4 to v2.15.0.
1700 * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
1701 * Updated monolog from v1.18.2 to 1.22.1.
1702 * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
1703 * Updated OOjs from v1.1.10 to v2.0.0.
1704 * Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
1705
1706 ==== New external libraries ====
1707 * Added wikimedia/timestamp v1.0.0.
1708 * Added wikimedia/remex-html v1.0.1.
1709
1710 ==== Removed and replaced external libraries ====
1711
1712 === Bug fixes in 1.29 ===
1713 * (T62604) Core parser functions returning a number now format the number
1714 according to the page content language, not wiki content language.
1715 * (T27187) Search suggestions based on jquery.suggestions will now correctly
1716 only highlight prefix matches in the results.
1717 * (T157035) "new mw.Uri()" was ignoring options when using default URI.
1718 * Special:Allpages can no longer be filtered by redirect in miser mode.
1719 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
1720 installed.
1721 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
1722 redirect to interwiki links.
1723 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
1724 $wgAdvancedSearchHighlighting is true.
1725 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
1726 their values out of the logs.
1727 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
1728 CSRF token.
1729 * (T156184) SECURITY: Escape content model/format url parameter in message.
1730 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
1731 declaration.
1732 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
1733 directory in it's fallback chain when trying to work out where to write the
1734 cache.
1735 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
1736 inclusion syntax's link parameter.
1737 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
1738 against it.
1739
1740 === Action API changes in 1.29 ===
1741 * Submitting sensitive authentication request parameters to action=login,
1742 action=clientlogin, action=createaccount, action=linkaccount, and
1743 action=changeauthenticationdata in the query string is now an error. They
1744 should be submitted in the POST body instead.
1745 * The capture option for action=resetpassword has been removed
1746 * action=clearhasmsg now requires a POST.
1747 * (T47843) API errors and warnings may be requested in non-English languages
1748 using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
1749 * API error codes may have changed. Most notably, errors from modules using
1750 parameter prefixes (e.g. all query submodules) will no longer be prefixed.
1751 * ApiPageSet-using modules will report the 'invalidreason' using the specified
1752 'errorformat'.
1753 * action=emailuser may return a "Warnings" status, and now returns 'warnings'
1754 and 'errors' subelements (as applicable) instead of 'message'.
1755 * action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
1756 * action=move now reports errors when moving the talk page as an array under
1757 key 'talkmove-errors', rather than using 'talkmove-error-code' and
1758 'talkmove-error-info'. The format for subpage move errors has also changed.
1759 * action=revisiondelete no longer includes a "rendered" property on warnings
1760 and errors for each item. Use errorformat=wikitext if you're wanting parsed
1761 output.
1762 * action=rollback no longer returns a "messageHtml" property. Use
1763 errorformat=html if you're wanting HTML formatting of error messages.
1764 * action=upload now reports optional stash failures as an array under key
1765 'stasherrors' rather than a 'stashfailed' text string.
1766 * action=watch reports 'errors' and 'warnings' instead of a single 'error', and
1767 no longer returns a 'message' on success.
1768 * Added action=validatepassword to validate passwords for the account creation
1769 and password change forms.
1770 * action=purge now requires a POST.
1771 * There is a new `languagevariants` siprop for action=query&meta=siteinfo,
1772 which returns a list of languages with active LanguageConverter instances.
1773 * action=query&query=allpages will no longer filter redirects using a database
1774 query in miser mode. This may result in less results being returned than were
1775 requested.
1776
1777 === Action API internal changes in 1.29 ===
1778 * New methods were added to ApiBase to handle errors and warnings using i18n
1779 keys. Methods for using hard-coded English messages were deprecated:
1780 * ApiBase::dieUsage() was deprecated
1781 * ApiBase::dieUsageMsg() was deprecated
1782 * ApiBase::dieUsageMsgOrDebug() was deprecated
1783 * ApiBase::getErrorFromStatus() was deprecated
1784 * ApiBase::parseMsg() was deprecated
1785 * ApiBase::setWarning() was deprecated
1786 * ApiBase::$messageMap is no longer public. Code attempting to access it will
1787 result in a PHP fatal error.
1788 * The $message parameter to the ApiCheckCanExecute hook should be set to an
1789 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
1790 code for ApiBase::parseMsg() will no longer work.
1791 * UsageException is deprecated in favor of ApiUsageException. For the time
1792 being ApiUsageException is a subclass of UsageException to allow things that
1793 catch only UsageException to still function properly.
1794 * If, for some strange reason, code was using an ApiErrorFormatter instead of
1795 ApiErrorFormatter_BackCompat, note that the result format has changed and
1796 various methods now take a module path rather than a module name.
1797 * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
1798 from the message key, and maps some message keys for backwards compatibility.
1799 * API parameters may now be marked as "sensitive" to keep their values out of
1800 the logs.
1801
1802 === Languages updated in 1.29 ===
1803
1804 MediaWiki supports over 350 languages. Many localisations are updated
1805 regularly. Below only new and removed languages are listed, as well as
1806 changes to languages because of Phabricator reports.
1807
1808 * Based as always on linguistic studies on intelligibility and language
1809 knowledge by geography, language fallbacks have been expanded. When a
1810 translation is missing in the user's preferred interface language, the
1811 corresponding translation for the fallback language will be used instead.
1812 English will only be used as last resort when there are no translations.
1813 Some configurations (such as date formats and gender namespaces) have also
1814 been updated when using the fallback language's configuration was inadequate.
1815 The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
1816 ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
1817 sh → bs, sr-el, hr.
1818 * (T137376) New language support: Atikamekw (atj).
1819 * (T163600) New language support: Dinka (din).
1820 * (T155957) Talk Namespaces for Javanese language (jv) have been updated.
1821
1822 ==== No fallback for Ukrainian ====
1823 * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
1824 language will now use the default fallback language: English. When a
1825 translation to Ukrainian is not available, an English string will be shown.
1826
1827 === Other changes in 1.29 ===
1828 * Database::getSearchEngine() (deprecated in 1.28) was removed. Use
1829 SearchEngineFactory::getSearchEngineClass() instead.
1830 * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
1831 required as all sessions are stored in Object Cache now.
1832 * MWHttpRequest::execute() should be considered to return a StatusValue; the
1833 Status return type is deprecated.
1834 * User::edits() (deprecated in 1.21) was removed.
1835 * Xml::escapeJsString() (deprecated in 1.21) was removed.
1836 * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
1837 were removed.
1838 * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
1839 were removed.
1840 * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use
1841 ArticleContentViewCustom instead.
1842 * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
1843 * Class RevisiondeleteAction (deprecated in 1.25) was removed.
1844 * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
1845 * WikiPage::getText() (deprecated in 1.21) was removed.
1846 * Article::fetchContent() (deprecated in 1.21) was removed.
1847 * User::getPassword() (deprecated in 1.27) was removed.
1848 * User::getTemporaryPassword() (deprecated in 1.27) was removed.
1849 * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
1850 * Class FSRepo (deprecated in 1.19) was removed.
1851 * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
1852 \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId()
1853 instead.
1854 * Class ImageGallery (deprecated in 1.22) was removed.
1855 Use ImageGalleryBase::factory instead.
1856 * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class
1857 instead.
1858 * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
1859 emit warnings). Create a subclass of Action and add it to $wgActions instead.
1860 * WikiRevision::getText() (deprecated since 1.21) is no longer marked
1861 deprecated.
1862 * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
1863 * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
1864 * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
1865 * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
1866 * RedisConnectionPool::handleException (deprecated since 1.23) was removed.
1867 * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
1868 and outdated lists of errors/warnings returned by the API, are now deprecated.
1869 * wiki.phtml entry point was removed. Refer to index.php instead. If you want
1870 "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can
1871 be done by enabling mod_rewrite and adding the following rules to your
1872 configuration:
1873
1874 RewriteEngine On
1875 RewriteBase /
1876 RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
1877 * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
1878 Use ArticleAfterFetchContentObject instead.
1879 * Hook ArticleInsertComplete (deprecated in 1.21) was removed.
1880 Use PageContentInsertComplete instead.
1881 * Hook ArticleSave (deprecated in 1.21) was removed.
1882 Use PageContentSave instead.
1883 * Hook ArticleSaveComplete (deprecated in 1.21) was removed.
1884 Use PageContentSaveComplete instead.
1885 * Hook EditFilterMerged (deprecated in 1.21) was removed.
1886 Use EditFilterMergedContent instead.
1887 * Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
1888 Use EditPageGetPreviewContent instead.
1889 * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
1890 Use ContentHandlerDefaultModelFor instead.
1891 * Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
1892 Use ContentHandlerDefaultModelFor instead.
1893 * Article::getContent() (deprecated in 1.21) was removed.
1894 * Revision::getText() (deprecated in 1.21) was removed.
1895 * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
1896 * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
1897 * Article::doEditContent() was marked as deprecated, to be removed in 1.30
1898 or later.
1899 * ContentHandler::runLegacyHooks() was removed.
1900 * refreshLinks.php now can be limited to a particular category with
1901 --category=... or a tracking category with --tracking-category=...
1902 * User-like objects that are passed to SpecialUserRights and its subclasses are
1903 now required to have a getGroupMemberships() method. See UserRightsProxy for
1904 an example.
1905 * User::$mGroups (instance variable) was marked private. Use User::getGroups()
1906 instead.
1907 * User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
1908 User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
1909 Use equivalent methods on the UserGroupMembership class.
1910 * Maintenance scripts and tests that call User::addGroup() must now ensure that
1911 User objects have been added to the database prior to calling addGroup().
1912 * Protected function UsersPager::getGroups() was removed, and protected function
1913 UsersPager::buildGroupLink() was changed from a static to an instance method.
1914 * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
1915 see docs/hooks.txt.
1916 * User::crypt() (deprecated in 1.24) was removed.
1917 * User::comparePasswords() (deprecated in 1.24) was removed.
1918 * ArchivedFile::getUserText() (deprecated in 1.23) was removed.
1919 * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
1920 * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
1921 and subclasses. It should only break if you call buildMainQueryConds
1922 (changed to buildQuery with new signature) or doMainQuery (new
1923 signature). Subclasses are likely to call at least doMainQuery
1924 (possibly both), but other classes might too, because they were
1925 public.
1926 Also, some related hooks were deprecated, but this is not yet a
1927 breaking change.
1928 * Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
1929 * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
1930 * WikiRevision::$fileIsTemp was deprecated.
1931 * WikiRevision::$importer was deprecated.
1932 * WikiRevision::$user was deprecated.
1933 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
1934 WikiPage::PURGE_* constants are deprecated, and the functions will always
1935 return false. They were a hack for an issue that has since been fixed.
1936 * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
1937 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
1938 if you don't actually care about checkboxes and just want to add some HTML
1939 to the page.
1940 * Selflinks are now rendered as href-less <a> tags with the class mw-selflink
1941 rather than <strong> tags. The old class name, "selflink", was deprecated
1942 and will be removed in a future release. (T160480)
1943 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
1944 * Browser support for non-ES5 JavaScript browsers, including Android 2,
1945 Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
1946 * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
1947 is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
1948 webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
1949 opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
1950 ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
1951 addClickHandler, removeHandler, getElementsByClassName, getInnerText,
1952 setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
1953 mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
1954 escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
1955 tooltipAccessKeyRegexp, updateTooltipAccessKeys.
1956 * The ID of the <li> element containing the login link has changed from
1957 'pt-login' to 'pt-login-private' in private wikis.
1958 * The old, neglected "bulletin board style toolbar" in the edit form is now
1959 deprecated (T30856). This old code dates from 2006, and was replaced in the
1960 MediaWiki release tarball and in Wikimedia production by the WikiEditor
1961 extension in 2010. It is only shown to users if no other editor was
1962 installed, and leads to confusion.
1963 * (T92459) Loading ResourceLoader modules containing JavaScript through
1964 addModuleStyles() is deprecated and will log a warning server-side.
1965
1966 = MediaWiki 1.28 =
1967
1968 == MediaWiki 1.28.3 ==
1969
1970 This is a security and maintenance release of the MediaWiki 1.28 branch.
1971
1972 === Changes since 1.28.2 ==
1973 * (T168856) Allow SVGs created by Dia to be uploaded.
1974 * (T157545) Add missing doUpdates() call to refreshLinks.php.
1975 * (T165714) (T100085) Better handling of jobs execution in post-connection
1976 shutdown.
1977 * (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of
1978 Database->onTransactionIdle.
1979 * (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
1980 * (T149454) Restore erroneously removed realTableName call from
1981 DatabasePostgres.
1982 * (T167798) Fix phrase search and highlighting for phrase queries.
1983 * (T151136) Provide credits information to callbacks in extension registration.
1984 * (T160462) Allow namespaces defined in extension.json to be overwritten
1985 locally.
1986 * (T168337) Fix ErrorPageError to work from non-UI contexts.
1987 * (T143788) Backports for PHP 7.0 and 7.1 support.
1988 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
1989 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
1990 * (T174255) Declare uploadCount property in importDump.php.
1991 * (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to
1992 v4.8.36.
1993 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1994 browser sends non-standard url escaping.
1995 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1996 * (T128209) SECURITY: Reflected File Download from api.php.
1997 * (T134100) SECURITY: Do not reveal if user exists during login failure.
1998 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
1999 * (T125163) SECURITY: Make anchor for headlines escape > and <.
2000 * (T180237) SECURITY: Protect vendor folder with .htaccess.
2001 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
2002 update.php.
2003 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
2004 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
2005
2006 == MediaWiki 1.28.2 ==
2007
2008 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
2009 included in the tarball version of MediaWiki 1.28.1. The version included had a
2010 serious security issue in it (T158689). There was also some minor code fixes in
2011 MediaWiki itself since 1.28.1, but none of them were security relevant.
2012
2013 == MediaWiki 1.28.1 ==
2014
2015 This is a security and maintenance release of the MediaWiki 1.28 branch.
2016
2017 === Changes since 1.28.0 ===
2018
2019 * $wgRunJobsAsync is now false by default (T142751). This change only affects
2020 wikis with $wgJobRunRate > 0.
2021 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki
2022 has more than one database server setup.
2023 * (T152717) Better escaping for PHP mail() command,
2024 * (T154670) A missing method causing the MySQL installer to fatal in rare
2025 circumstances was restored.
2026 * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
2027 * (T158766) Avoid SQL error on MSSQL when using selectRowCount().
2028 * (T145635) Fix too long index error when installing with MSSQL.
2029 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2030 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
2031 installed.
2032 * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28
2033 installs.
2034 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
2035 redirect to interwiki links.
2036 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
2037 $wgAdvancedSearchHighlighting is true.
2038 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
2039 their values out of the logs.
2040 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
2041 CSRF token.
2042 * (T156184) SECURITY: Escape content model/format url parameter in message.
2043 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
2044 declaration.
2045 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
2046 directory in it's fallback chain when trying to work out where to write the
2047 cache.
2048 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
2049 inclusion syntax's link parameter.
2050 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
2051 against it.
2052
2053 == MediaWiki 1.28 ==
2054
2055 === Changes since 1.28.0-rc1 ===
2056 * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
2057 errors.
2058 * (T148956) Only apply wgDBschema to postgres/mssql.
2059 * (T145991) Introduce separate log action for deleting pages on move.
2060 * (T141474) (T110464) Bypass login page if no user input is required.
2061
2062 === Changes since 1.28.0-rc0 ===
2063 * (T142210) The changes to move the parser "NewPP limit report" from a HTML
2064 comment to a machine-readable JavaScript config option 'wgPageParseReport'
2065 have been undone. They caused the human-readable limit report to be shown
2066 incompletely or not at all. ParserOutput::setLimitReportData() and
2067 getLimitReportData() behave as they did in MediaWiki 1.27 again.
2068 * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
2069 the text of subheadings on a category page when creating it. This wasn't
2070 working correctly.
2071 * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
2072 canonical pretty URL when a non-pretty URL is used. It resulted in redirect
2073 loops in some clients and in some server configurations. This undoes a change
2074 made in MediaWiki 1.26.
2075 * (T149759) manifest_version: 2 was removed.
2076
2077 === Configuration changes in 1.28 ===
2078 * $wgSend404Code now affects status code of action=history if the page is not
2079 there.
2080 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
2081 made by MediaWiki via a proxy. Relying on the http_proxy environment
2082 variable is no longer supported.
2083 * The load.php entry point now enforces the existing policy of not allowing
2084 access to session data, which includes the session user and the session
2085 user's language. If such access is attempted, an exception will be thrown.
2086 * The number of internal PBKDF2 iterations used to derive the session secret
2087 is configurable via $wgSessionPbkdf2Iterations.
2088 * Upload dialog's file upload log comment can now be configured separately for
2089 local and foreign uploads.
2090 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
2091 signifies local uploads. A value of `[]` (empty array) now means that
2092 no upload targets are allowed, effectively disabling the upload dialog.
2093 * The deprecated $wgEditEncoding variable has been removed; it was only used
2094 for Esperanto language character conversion. You are now recommended to use
2095 input methods provided by the UniversalLanguageSelector extension.
2096 * When $wgPingback is true, MediaWiki will periodically ping
2097 https://www.mediawiki.org/beacon with basic information about the local
2098 MediaWiki installation. This data includes, for example, the type of system,
2099 PHP version, and chosen database backend. This behavior is off by default.
2100 * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
2101 to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
2102 if false, the default, they will be "Save page"/"Save changes".
2103 * The 'editcontentmodel' permission is now granted to all logged-in users
2104 ('user').
2105 instead of just administrators ('sysop'). Documentation for this feature is
2106 available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
2107 * $wgRevisionCacheExpiry is now set to one week by default instead of being
2108 disabled.
2109 * Magic links are now disabled by default, and can be re-enabled by modifying
2110 the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are
2111 manually enabled, a tracking category will be added to help identify usage and
2112 make it easier to migrate away from. If you depend upon magic link
2113 functionality, it is requested that you comment on
2114 <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links>
2115 and explain your use case(s).
2116 * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
2117 in upcoming Content-Security-Policy feature's reporting.
2118
2119 === New features in 1.28 ===
2120 * User::isBot() method for checking if an account is a bot role account.
2121 * Added a new 'slideshow' mode for galleries.
2122 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
2123 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
2124 interact with API parsing.
2125 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
2126 upload. Unlike 'UploadVerifyFile' it provides information about upload comment
2127 and the file description page, but does not run for uploads to stash.
2128 * (T141604) Extensions can now provide a better error message when their
2129 maintenance scripts are run without the extension being installed.
2130 * (T8948) Numeric sorting in categories is now supported by setting
2131 $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you
2132 can't use UCA collations, a 'numeric' collation is also available. If
2133 migrating from another collation, you will need to run the updateCollation.php
2134 maintenance script.
2135 * Two new codes have been added to #time parser function: "xit" for days in
2136 current month, and "xiz" for days passed in the year, both in Iranian
2137 calendar.
2138 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
2139 appropriate for sending multi-valued parameters. This defaults to true when
2140 the mw.Api instance seems to be for the local wiki.
2141 * After a client performs an action which alters a database that has replica
2142 databases, MediaWiki will wait for the replica databases to synchronize with
2143 the master database while it renders the HTML output. However, if the output
2144 is a redirect to another wiki on the wiki farm with a different domain,
2145 MediaWiki will instead alter the redirect URL to include a ?cpPosTime
2146 parameter that triggers the database synchronization when the URL is followed
2147 by the client. The same-domain case uses a new cpPosTime cookie.
2148 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
2149 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
2150 'show' parameters to existing API query modules.
2151
2152 === External library changes in 1.28 ===
2153
2154 ==== Upgraded external libraries ====
2155 * Updated es5-shim from v4.1.5 to v4.5.8
2156 * Updated composer/semver from v1.4.1 to v1.4.2
2157 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
2158
2159 ==== New external libraries ====
2160 * Added wikimedia/scoped-callback v1.0.0
2161 * Added wikimedia/wait-condition-loop v1.0.1
2162
2163 === Bug fixes in 1.28 ===
2164 * (T146496) action=history pages should return 404 HTTP error code if the page
2165 does not exist
2166 * (T137264) SECURITY: XSS in unclosed internal links
2167 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
2168 * (T133147) SECURITY: Require login to preview user CSS pages
2169 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
2170 the top file
2171 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
2172 permissions
2173 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
2174 * (T139670) Move 'UserGetRights' call before application of
2175 Session::getAllowedUserRights()
2176
2177 === Action API changes in 1.28 ===
2178 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
2179 the value of $wgMaxArticleSize.
2180 * Property 'modulemessages' from action=parse&prop=modules was removed
2181 (deprecated since 1.26).
2182 * The following response properties from action=login, deprecated in 1.27, are
2183 now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
2184 to properly manage session state.
2185 * Submitting the lgtoken and lgpassword parameters in the query string to
2186 action=login is now deprecated and outputs a warning. They should be submitted
2187 in the POST body instead.
2188 * Submitting sensitive authentication request parameters to action=clientlogin,
2189 action=createaccount, action=linkaccount, and action=changeauthenticationdata
2190 in the query string is now deprecated and outputs a warning. They should be
2191 submitted in the POST body instead.
2192 * (T141960) Multi-valued parameters may now be separated using U+001F
2193 (Unit Separator) instead of the pipe character. This will be useful if some of
2194 the multiple values need to contain pipes, e.g. for action=options.
2195 * The API will now warn if input is not NFC-normalized Unicode or if it
2196 contains invalid characters.
2197 * The 'normalized' list output by action=query and other modules that use
2198 ApiPageSet may contain entries where the 'from' value is percent-encoded as
2199 the raw value cannot be represented in a valid API response. These are
2200 indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
2201 * (T28680) action=paraminfo can now return info about all submodules of a
2202 module without listing them all explicitly.
2203 * (T146770) It is now possible to assert that the current user is a specific
2204 named user, using the 'assertuser' parameter.
2205 * (T141963) Added a 'known' property when missing-but-known titles (e.g. from
2206 the 'TitleIsAlwaysKnown' hook) are output in various modules.
2207
2208 === Action API internal changes in 1.28 ===
2209 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
2210 interact with ApiParse and ApiExpandTemplates.
2211 * (T139565) SECURITY: API: Generate head items in the context of the given title
2212 * (T115333) SECURITY: Check read permission when loading page content in
2213 ApiParse
2214 * ApiBase::getResultData() was removed (deprecated since 1.25)
2215 * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
2216 * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
2217 * ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
2218 * ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
2219 * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
2220 * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
2221 * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
2222 * ApiFormatBase::setHelp() was removed (deprecated since 1.25)
2223 * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
2224 * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
2225 * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
2226 * ApiMain::setHelp() was removed (deprecated since 1.25)
2227 * ApiResult::beginContinuation() was removed (deprecated since 1.25)
2228 * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
2229 * ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
2230 * ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
2231 * ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
2232 * ApiResult::endContinuation() was removed (deprecated since 1.25)
2233 * ApiResult::getData() was removed (deprecated since 1.25)
2234 * ApiResult::getIsRawMode() was removed (deprecated since 1.25)
2235 * ApiResult::setContent() was removed (deprecated since 1.25)
2236 * ApiResult::setContinueParam() was removed (deprecated since 1.25)
2237 * ApiResult::setElement() was removed (deprecated since 1.25)
2238 * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
2239 * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
2240 * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
2241 * ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
2242 * ApiResult::setParsedLimit() was removed (deprecated since 1.25)
2243 * ApiResult::setRawMode() was removed (deprecated since 1.25)
2244 * ApiResult::size() was removed (deprecated since 1.25)
2245 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
2246 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
2247 'show' parameters to existing API query modules. A query module can enable
2248 these hooks by passing an array for $hookData to ApiQueryBase::select() and
2249 by calling ApiQueryBase->processRow() before adding a row's data to the
2250 result.
2251
2252 === Languages updated in 1.28 ===
2253
2254 MediaWiki supports over 375 languages. Many localisations are updated
2255 regularly. Below only new and removed languages are listed, as well as
2256 changes to languages because of Phabricator reports.
2257
2258 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
2259 BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
2260 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
2261 Saiddzone Saimawnkham, Saosukham, and Sengwan.
2262 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
2263 * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator
2264 Ilja.mos.
2265
2266 === Other changes in 1.28 ===
2267 * (T128697) Improved handling of large diffs.
2268 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
2269 use or update a custom session provider if needed.
2270 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
2271 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
2272 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
2273 * The 'UserLoginComplete' hook has a new parameter to differentiate between
2274 actual login and visiting the login page while already logged in.
2275 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
2276 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
2277 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
2278 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
2279 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
2280 MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
2281 were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
2282 respectively. See docs/hooks.txt for the specific changes needed for those
2283 hooks.
2284 * Linker::formatSize() was deprecated. Use Language::formatSize() directly.
2285 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
2286 * Skin::commentBlock() (use Linker::commentBlock() instead)
2287 * Skin::generateRollback() (use Linker::generateRollback() instead)
2288 * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
2289 * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
2290 * Skin::userLink() (use Linker::userLink() instead)
2291 * Skin::userToolLinks() (use Linker::userToolLinks() instead)
2292 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
2293 disabled.
2294 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
2295 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
2296 Use ...->stashFile()->getFileKey() instead.
2297 * "Public domain" was removed as a wiki license option from the installer, in
2298 favour of CC-0.
2299 * AuthenticationRequest::$required is now changed from REQUIRED to
2300 PRIMARY_REQUIRED on requests needed by primary providers even if all primaries
2301 need them.
2302 Primary providers are discouraged from returning multiple REQUIRED requests.
2303 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
2304 will no longer be automatically infused. You should call `OO.ui.infuse()`
2305 on them yourself from your JavaScript code.
2306 * parserTests.php has moved to tests/parser/parserTests.php
2307 * The command line options specific to parser tests have been removed from
2308 phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
2309 Instead of --keep-uploads, use the same option to parserTests.php, but you
2310 must specify a directory with --upload-dir.
2311 * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
2312 * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
2313 migrate to using the same functions on a ProxyLookup instance, obtainable from
2314 MediaWikiServices.
2315 * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave,
2316 ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText,
2317 EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation
2318 warnings if used.
2319 * (T68404) CSS3 attr() function with url type is no longer allowed
2320 in inline styles.
2321 * Database::getSearchEngine() is deprecated, use
2322 SearchEngineFactory::getSearchEngineClass instead.
2323
2324 == Compatibility ==
2325
2326 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
2327 HHVM 3.6.5 or later.
2328
2329 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
2330 support for them is somewhat less mature. There is experimental support for
2331 Oracle and Microsoft SQL Server.
2332
2333 The supported versions are:
2334
2335 * MySQL 5.0.3 or later
2336 * PostgreSQL 8.3 or later
2337 * SQLite 3.3.7 or later
2338 * Oracle 9.0.1 or later
2339 * Microsoft SQL Server 2005 (9.00.1399)
2340
2341 == Upgrading ==
2342
2343 1.28 has several database changes since 1.27, and will not work without schema
2344 updates. Note that due to changes to some very large tables like the revision
2345 table, the schema update may take quite long (minutes on a medium sized site,
2346 many hours on a large site).
2347
2348 If upgrading from before 1.11, and you are using a wiki as a commons
2349 repository, make sure that it is updated as well. Otherwise, errors may arise
2350 due to database schema changes.
2351
2352 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
2353 new database fields are filled with data.
2354
2355 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
2356 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
2357 with MediaWiki 1.21.
2358
2359 Don't forget to always back up your database before upgrading!
2360
2361 See the file UPGRADE for more detailed upgrade instructions.
2362
2363 For notes on 1.27.x and older releases, see HISTORY.
2364
2365 == Online documentation ==
2366
2367 Documentation for both end-users and site administrators is available on
2368 MediaWiki.org, and is covered under the GNU Free Documentation License (except
2369 for pages that explicitly state that their contents are in the public domain):
2370
2371 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
2372
2373 == Mailing list ==
2374
2375 A mailing list is available for MediaWiki user support and discussion:
2376
2377 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
2378
2379 A low-traffic announcements-only list is also available:
2380
2381 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
2382
2383 It's highly recommended that you sign up for one of these lists if you're
2384 going to run a public MediaWiki, so you can be notified of security fixes.
2385
2386 == IRC help ==
2387
2388 There's usually someone online in #mediawiki on irc.freenode.net.
2389
2390 = MediaWiki 1.27 =
2391
2392 == MediaWiki 1.27.5 ==
2393
2394 This is a security and maintenance release of the MediaWiki 1.27 branch.
2395
2396 === Changes since 1.27.4 ===
2397 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
2398 'newbie'.
2399 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
2400 account lock.
2401 * Upgraded Moment.js from v2.8.4 to v2.19.3.
2402 * (T160298) Fixed Special:ActiveUsers due to bad backport.
2403 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
2404 array.
2405 * Updated list of SPDX licenses for extensions.
2406 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
2407 include extensions. Pass --with-extensions to enable that feature.
2408 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
2409 * Add default edit rate limit of 90 edits/minute for all users.
2410 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
2411 * (T196672) The mtime of extension.json files is now able to be zero.
2412 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
2413 hook.
2414 * (T180403) Validate $length in padleft/padright parser functions.
2415 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
2416 * Special:BotPasswords now requires reauthentication.
2417 * (T191608, T187638) Add 'logid' parameter to Special:Log.
2418 * (T193829) Indicate when a Bot Password needs reset.
2419 * (T151415) Log email changes.
2420 * (T118420) Unbreak Oracle installer.
2421
2422 == MediaWiki 1.27.4 ==
2423 This is a security and maintenance release of the MediaWiki 1.27 branch.
2424
2425 === Changes since 1.27.3 ===
2426 * (T100085) Better handling of jobs execution in post-connection shutdown.
2427 * (T141604) Support conditionally registered namespaces.
2428 * (T167798) Fix highlighting for phrase queries and phrase search.
2429 * (T151136) Provide credits information to callbacks.
2430 * (T160462) Allow namespaces defined in extension.json to be overwritten
2431 locally.
2432 * (T168856) Allow SVGs created by Dia to be uploaded.
2433 * (T144705) (T148662) Password reset link is no longer shown when no reset
2434 options are available.
2435 * (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
2436 * (T66795) $wgUserEmailUseReplyTo is now true by default to work around
2437 restrictive DMARC policies.
2438 * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and
2439 core.
2440 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
2441 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
2442 * (T142304) Allow putting the app ID in the password for bot passwords.
2443 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
2444 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
2445 browser sends non-standard url escaping.
2446 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
2447 * (T128209) SECURITY: Reflected File Download from api.php.
2448 * (T134100) SECURITY: Do not reveal if user exists during login failure.
2449 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
2450 * (T125163) SECURITY: Make anchor for headlines escape > and <.
2451 * (T180237) SECURITY: Protect vendor folder with .htaccess.
2452 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
2453 update.php.
2454 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
2455 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
2456
2457 == MediaWiki 1.27.3 ==
2458 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
2459 included in the tarball version of MediaWiki 1.27.2. The version included had a
2460 serious security issue in it (T158689). There was also some minor code fixes in
2461 MediaWiki itself since 1.27.2, but none of them were security relevant.
2462
2463 === Changes since 1.27.2 ===
2464 * (T145664) Fix broken wincache merge() implementation
2465 * (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility
2466 * (T153505) Fix php warnings on php 7.1 due to use of &$this
2467
2468 == MediaWiki 1.27.2 ==
2469 This is a security and maintenance release of the MediaWiki 1.27 branch.
2470
2471 ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
2472 deprecated (rather than already removed) in the RELEASE-NOTES at the point
2473 1.27.0 was released.
2474
2475 === Changes since 1.27.1 ===
2476
2477 * (T68404) CSS3 attr() function with url type argument is no longer allowed
2478 in inline styles.
2479 * $wgRunJobsAsync is now false by default (T142751). This change only affects
2480 wikis with $wgJobRunRate > 0.
2481 * (T152717) Better escaping for PHP mail() command
2482 * Submitting the lgtoken and lgpassword parameters in the query string to
2483 action=login is now deprecated and outputs a warning. They should be submitted
2484 in the POST body instead.
2485 * Submitting sensitive authentication request parameters to action=clientlogin,
2486 action=createaccount, action=linkaccount, and action=changeauthenticationdata
2487 in the query string is now deprecated and outputs a warning. They should be
2488 submitted in the POST body instead.
2489 * (T158766) Avoid SQL error on MSSQL when using selectRowCount()
2490 * (T145635) Fix too long index error when installing with MSSQL.
2491 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2492 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
2493 installed.
2494 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
2495 redirect to interwiki links.
2496 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
2497 $wgAdvancedSearchHighlighting is true.
2498 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
2499 their values out of the logs.
2500 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
2501 CSRF token.
2502 * (T156184) SECURITY: Escape content model/format url parameter in message.
2503 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
2504 declaration.
2505 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
2506 directory in it's fallback chain when trying to work out where to write the
2507 cache.
2508 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
2509 inclusion syntax's link parameter.
2510 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
2511 against it.
2512
2513 == MediaWiki 1.27.1 ==
2514
2515 This is a maintenance release of the MediaWiki 1.27 branch.
2516
2517 === Changes since 1.27.0 ===
2518 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
2519 made by MediaWiki via a proxy. Relying on the http_proxy environment
2520 variable is no longer supported.
2521 * (T139565) SECURITY: API: Generate head items in the context of the given title
2522 * (T137264) SECURITY: XSS in unclosed internal links
2523 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
2524 * (T133147) SECURITY: Require login to preview user CSS pages
2525 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
2526 the top file
2527 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
2528 permissions
2529 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
2530 * (T115333) SECURITY: Check read permission when loading page content in
2531 ApiParse
2532 * (T57548) Remove support for $wgWellFormedXml = false, all output is now well
2533 formed
2534 * (T139670) Move 'UserGetRights' call before application of
2535 Session::getAllowedUserRights()
2536
2537 == MediaWiki 1.27.0 ==
2538
2539 === PHP version requirement in 1.27 ===
2540 As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
2541 section). Additionally, the following PHP extensions are required:
2542 * ctype
2543 * iconv
2544 * json
2545 * mbstring (new requirement in 1.27)
2546 * xml
2547 The following PHP extensions are strongly recommended:
2548 * openssl
2549
2550 === Configuration changes in 1.27 ===
2551 * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
2552 now always enabled. If you use RDFa on your wiki, you now have to explicitly
2553 set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
2554 * $wgUseLinkNamespaceDBFields was removed.
2555 * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
2556 $wgResourceLoaderMinifierMaxLineLength, because there was little value in
2557 making the behavior configurable. The default values (`false` for the former,
2558 1000 for the latter) are now hard-coded.
2559 * $wgDebugDumpSqlLength was removed (deprecated in 1.24).
2560 * $wgDebugDBTransactions was removed (deprecated in 1.20).
2561 * $wgUseXVO has been removed, as it provides functionality only used by
2562 custom Wikimedia patches against Squid 2.x that probably noone uses in
2563 production anymore. There is now $wgUseKeyHeader that provides similar
2564 functionality but instead of the MediaWiki-specific X-Vary-Options header,
2565 uses the draft Key header standard.
2566 * $wgScriptExtension (and support for '.php5' entry points) was removed. See the
2567 deprecation notice in the release notes for version 1.25 for advice on how to
2568 preserve support for '.php5' entry points via URL rewriting.
2569 * Password handling via the User object has been deprecated and partially
2570 removed, pending the future introduction of AuthManager. In particular:
2571 ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
2572 getPasswordExpired() have been removed. They were unused outside of core.
2573 ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
2574 now private and will be removed in the future.
2575 ** The getPassword() and getTemporaryPassword() methods now throw
2576 BadMethodCallException and will be removed in the future.
2577 ** The ability to pass 'password' and 'newpassword' to createNew() has been
2578 removed. The only users of it seem to have been using it to set invalid
2579 passwords, and so shouldn't be greatly affected.
2580 ** setPassword(), setInternalPassword(), and setNewpassword() have been
2581 deprecated, pending the introduction of AuthManager.
2582 ** User::randomPassword() is deprecated in favor of a new method
2583 PasswordFactory::generateRandomPasswordString()
2584 ** User::getPasswordFactory() is deprecated, callers should just create a
2585 PasswordFactory themselves.
2586 ** A new constructor, User::newSystemUser(), has been added to simplify the
2587 creation of passwordless "system" users for logged actions.
2588 * $wgMaxSquidPurgeTitles was removed.
2589 * $wgAjaxWatch was removed. This is now enabled by default.
2590 * $wgUseInstantCommons now hotlinks Commons images by default instead of
2591 downloading originals and thumbnailing them locally. This allows wikis to save
2592 on CPU and bandwidth while reducing time to first byte for pages, even without
2593 a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
2594 * (T27397) WebP is enabled by default as an uploadable filetype.
2595 * (T48998) $wgArticlePath must now be either a full url, or start with a "/".
2596 * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
2597 * Deprecated API formats dbg, txt, and yaml have been removed.
2598 * CLDRPluralRule* classes have been replaced with
2599 wikimedia/cldr-plural-rule-parser.
2600 * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
2601 $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
2602 $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
2603 * For proper operation of LocalIdLookup with shared user tables, ensure that
2604 $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
2605 that all others are sharing from and that $wgLocalDatabases is set to the
2606 full list of sharing wikis on all those wikis.
2607 * Massive overhaul to session handling:
2608 ** $wgSessionsInObjectCache is no longer supported and must be true, due to
2609 MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
2610 used.
2611 ** ObjectCacheSessionHandler is removed, replaced with
2612 MediaWiki\Session\PhpSessionHandler.
2613 ** PHP session handling in general ($_SESSION, session_id(), and so on) is
2614 deprecated. Use MediaWiki\Session\SessionManager instead. A new config
2615 variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
2616 issue a deprecation warning or to cause most PHP session handling to throw
2617 exceptions.
2618 ** Deprecated UserSetCookies hook. Session-handling extensions should generally
2619 be creating a custom subclass of CookieSessionProvider. Other extensions
2620 messing with cookies can no longer count on user data being saved in cookies
2621 versus other methods.
2622 ** Deprecated UserLoadFromSession hook, extensions should create a
2623 MediaWiki\Session\SessionProvider.
2624 ** The User cannot be loaded from session until after Setup.php completes.
2625 Attempts to do so will be ignored and the User will remain unloaded.
2626 ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
2627 the MediaWiki\Session\Token class.
2628 * MediaWiki will now auto-create users as necessary, removing the need for
2629 extensions to do so. An 'autocreateaccount' right is added to allow
2630 auto-creation when 'createaccount' is not granted to all users.
2631 * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
2632 * Most cookie-handling methods in User are deprecated.
2633 * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
2634 experimental feature that has never worked.
2635 * Login and createaccount tokens now vary by timestamp.
2636 * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
2637 return a MediaWiki\Session\Token, and tokens must be checked using that
2638 class's methods.
2639 * $wgEnotifUseJobQ was removed and the job queue is always used.
2640 * The functionality of the ApiSandbox extension has been merged into core. The
2641 extension should no longer be used.
2642 * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
2643 Extensions, skins, gadgets and scripts that use the mediawiki.util module must
2644 express a dependency on it.
2645 * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
2646 Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
2647 module should express a dependency on it.
2648 * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
2649 $wgFooterIcons['copyright']['copyright'] instead.
2650 * If the openssl and mcrypt PHP extensions are both unavailable, secure
2651 session storage (used for login) will raise an exception. This exception may
2652 be bypassed by setting $wgSessionInsecureSecrets = true.
2653 * Massive overhaul to authentication:
2654 ** AuthPlugin and AuthPluginUser are deprecated.
2655 ** LoginForm and associated templates are deprecated. Extensions which called
2656 static LoginForm methods should be converted into authentication providers.
2657 ** The following hooks are deprecated:
2658 *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2659 *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2660 *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2661 *** AddNewAccount (use LocalUserCreated instead)
2662 *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider
2663 instead)
2664 *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
2665 *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider
2666 instead)
2667 *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type
2668 instead)
2669 *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type
2670 instead)
2671 ** The following hooks are removed:
2672 *** AbortChangePassword
2673 *** LoginPasswordResetMessage
2674 *** PrefsPasswordAudit
2675 ** The UserLoginComplete hook will no longer be called for all logins, only for
2676 those via the web UI. Use UserLoggedIn if you need to do something on all
2677 logins.
2678 ** $wgRequirePasswordforEmailChange is removed.
2679
2680 === New features in 1.27 ===
2681 * $wgDataCenterUpdateStickTTL was also added. This decides how long a user
2682 sticks to the primary DC (via cookies) after they make changes to the site.
2683 * Added a new hook, 'UserMailerTransformContent', to transform the contents
2684 of an email. This is similar to the EmailUser hook but applies to all mail
2685 sent via UserMailer.
2686 * Added a new hook, 'UserMailerTransformMessage', to transform the contents
2687 of an emai after MIME encoding.
2688 * Added a new hook, 'UserMailerSplitTo', to control which users have to be
2689 emailed separately (ie. there is a single address in the To: field) so
2690 user-specific changes to the email can be applied safely.
2691 * $wgCdnMaxageLagged was added, which limits the CDN cache TTL
2692 when any load balancer uses a DB that is lagged beyond the 'max lag'
2693 setting in the relevant section of $wgLBFactoryConf.
2694 * User::newSystemUser() may be used to simplify the creation of passwordless
2695 "system" users for logged actions from scripts and extensions.
2696 * Extensions can now return detailed error information via the API when
2697 preventing user actions using 'getUserPermissionsErrors' and similar hooks
2698 by using ApiMessage instances instead of strings for the $result value.
2699 * $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
2700 becomes too high.
2701 * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
2702 and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
2703 cross-browser-compatible FlexBox rules. Users will still need to add fallback
2704 float rules or the like for compatibility with IE9- separately.
2705 * Added MWTimestamp::getTimezoneString() which returns the localized timezone
2706 string, if available. To localize this string, see the comments of
2707 $wgLocaltimezone in includes/DefaultSettings.php.
2708 * Added CentralIdLookup, a service that allows extensions needing a concept of
2709 "central" users to get that without having to know about specific central
2710 authentication extensions.
2711 * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
2712 Regular web request transactions that takes longer than this are aborted.
2713 * Added a new hook, 'TitleMoveCompleting', which runs before a page move is
2714 committed.
2715 * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
2716 from CDN to mitigate DB replication lag and WAN cache purge lag.
2717 * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
2718 if it is available.
2719 * It is now possible to patrol file uploads (both for new files and new versions
2720 of existing files). Special:NewFiles has gained an option to filter by patrol
2721 status. This functionality can be disabled using $wgUseFilePatrol.
2722 * MediaWiki\Session infrastructure allows for easier use of session mechanisms
2723 other than the usual cookies.
2724 ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
2725 custom session metadata.
2726 * Added MWGrants and associated configuration settings $wgGrantPermissions and
2727 $wgGrantPermissionGroups to hold configuration for authentication features
2728 such as OAuth that want to allow restricting the user rights a user may make
2729 use of.
2730 ** If you're already using the OAuth extension, these new variables are
2731 identical to (and will replace) $wgMWOAuthGrantPermissions and
2732 $wgMWOAuthGrantPermissionGroups.
2733 * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
2734 to assert that the request comes from a particular IP range.
2735 * Added bot passwords, a rights-restricted login mechanism for API-using bots.
2736 * Whitelisted the following HTML attributes for all elements in wikitext:
2737 aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
2738 * Removed "presentation" restriction on the HTML role attribute in wikitext.
2739 All values are now allowed for the role attribute.
2740 * $wgContentHandlers now also supports callbacks to create an instance of the
2741 appropriate ContentHandler subclass.
2742 * Added $wgAuthenticationTokenVersion, which if non-null prevents the
2743 user_token database field from being exposed in cookies. Setting this would
2744 be a good idea, but will log out all current sessions.
2745 * $wgEventRelayerConfig was added, for managing PubSub event relay
2746 configuration, specifically for reliable CDN url purges.
2747 * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
2748 MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
2749 generated 24-character string. This request ID is used to annotate log records
2750 and error messages. It is available client-side via
2751 mw.config.get( 'wgRequestId' ).
2752 The request ID supplants exception IDs. Accordingly,
2753 MWExceptionHandler::getLogId() is deprecated.
2754 * (T33313) Add a preference for watching uploads by default, also applies
2755 to API-based upload tools.
2756 * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
2757 thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
2758 savings versus the previous behavior on many files.
2759 * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
2760 configuration of multiple authentication pieces that was possible with
2761 AuthPlugin. For example, it's now easy to plug in second-factor
2762 authentication, or add additional checks to the login process, or to support
2763 multiple login methods at once, or to support non-password-based login
2764 methods.
2765 ** Providers are configured via the global setting $wgAuthManagerConfig.
2766 ** A global, $wgDisableAuthManager, is temporarily available to disable
2767 AuthManager until extensions are ready to support it.
2768 ** New hook, AuthChangeFormFields, to adjust the form fields on
2769 AuthManager-related special pages.
2770 ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
2771 AuthManager-related authentication requests.
2772 ** New hook, ChangeAuthenticationDataAudit, for additional logging of
2773 AuthManager-related authentication data changes.
2774 ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
2775 for requiring a recent login before taking security-sensitive operations
2776 like changing a password.
2777 ** Two new globals, $wgChangeCredentialsBlacklist and
2778 $wgRemoveCredentialsBlacklist can be used to prevent the web UI and the API
2779 changing certain authentication data.
2780 * The file upload dialog (available if you install WikiEditor or VisualEditor)
2781 can now be configured using $wgUploadDialog.
2782
2783 === External library changes in 1.27 ===
2784
2785 ==== Upgraded external libraries ====
2786 * Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
2787 * Updated composer/semver from v1.0.0 to v1.2.0.
2788 * Updated liuggio/statsd-php-client to 1.0.18.
2789 * Updated QUnit from v1.18.0 to v1.22.0.
2790
2791 ==== New external libraries ====
2792 * Added wikimedia/base-convert v1.0.1.
2793 * Added wikimedia/cldr-plural-rule-parser v1.0.0.
2794 * Added wikimedia/relpath v1.0.3.
2795 * Added wikimedia/running-stat v1.1.0.
2796 * Added wikimedia/php-session-serializer v1.0.3.
2797
2798 ==== Removed and replaced external libraries ====
2799
2800 === Bug fixes in 1.27 ===
2801 * Special:Upload will now display correct maximum allowed file size when running
2802 under HHVM (T116347).
2803 * (T54077) The APIEditBeforeSave hook will once again give only the content of
2804 the section being edited, rather than the whole revision. This reverts the
2805 change made in MediaWiki 1.22.
2806
2807 === Action API changes in 1.27 ===
2808 * Added list=allrevisions.
2809 * generator=recentchanges now has the option to generate revids.
2810 * ApiPageSet::setRedirectMergePolicy() was added. This allows generator
2811 modules to define how generator data for a redirect source gets merged
2812 into the redirect destination.
2813 * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
2814 "was-deleted" warning.
2815 * Added difftotextpst to query=revisions which preforms a pre-save transform on
2816 the text before diffing it.
2817 * Deprecated formats dbg, txt, and yaml have been removed.
2818 * (T47988) The protect log event details now use new-style formatting.
2819 * The following response properties from action=login are deprecated, and may
2820 be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
2821 handle cookies to properly manage session state.
2822 * action=login transparently allows login using bot passwords. Clients should
2823 merely need to change the username and password used after setting up a bot
2824 password.
2825 * action=upload no longer understands statuskey, asyncdownload or leavemessage.
2826 * Several changes when $wgDisableAuthManager is false:
2827 ** action=login is deprecated for uses other than bot passwords.
2828 ** list=users can now indicate if a missing username is creatable.
2829 ** action=createaccount is changed in a non-backwards-compatible manner.
2830 ** Added action=query&meta=authmanagerinfo.
2831 ** Added action=clientlogin to be used to log into the main account instead of
2832 action=login.
2833 ** Added action=linkaccount.
2834 ** Added action=unlinkaccount.
2835 ** Added action=changeauthenticationdata.
2836 ** Added action=removeauthenticationdata.
2837 ** Added action=resetpassword.
2838
2839 === Action API internal changes in 1.27 ===
2840 * ApiQueryORM removed.
2841 * The following classes have been removed:
2842 ** ApiFormatDbg
2843 ** ApiFormatTxt
2844 ** ApiFormatYaml
2845 * ApiBase::addTokenProperties() was removed (deprecated since 1.24).
2846 * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
2847 * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
2848 * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated
2849 since 1.24).
2850 * ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
2851 * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated
2852 since 1.24).
2853 * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated
2854 since 1.24).
2855 * ApiBase::getResultProperties() was removed (deprecated since 1.24).
2856 * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
2857 * ApiBase::parseErrors() was removed (deprecated since 1.24).
2858 * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
2859 ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
2860 * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
2861 * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
2862 * ApiQuery::getGenerators() was removed (deprecated since 1.21).
2863 * ApiQuery::getModules() was removed (deprecated since 1.21).
2864 * ApiQuery::getModuleType() was removed (deprecated since 1.21).
2865 * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
2866 * ApiMain::getModules() was removed (deprecated since 1.21).
2867 * ApiBase::getVersion() was removed (deprecated since 1.21).
2868 * ApiMain::getShowVersions() was removed (deprecated in 1.21).
2869 * ApiMain::addModule() was removed (deprecated in 1.21).
2870 * ApiMain::addFormat() was removed (deprecated in 1.21).
2871 * ApiMain::getFormats() was removed (deprecated in 1.21).
2872 * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
2873 * ApiCreateAccount was removed.
2874
2875 === Languages updated in 1.27 ===
2876
2877 MediaWiki supports over 350 languages. Many localisations are updated
2878 regularly. Below only new and removed languages are listed, as well as
2879 changes to languages because of Phabricator reports.
2880
2881 * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
2882 * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
2883
2884 === Other changes in 1.27 ===
2885 * Added dependency injection (DI) infrastructure, see docs/injection.txt for
2886 details.
2887 It is planned to incrementally move MediaWiki code towards using DI, using the
2888 service locator (SL) pattern as a stepping stone.
2889 * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
2890 * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
2891 ignore the 2nd and 3rd arguments (formerly $id and $commit).
2892 * Removed "loaderScripts" option from ResourceLoaderFileModule class.
2893 * Removed ORM-like wrapper added in 1.20.
2894 * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
2895 (deprecated in 1.26).
2896 * WikiPage::doQuickEdit() was removed (deprecated since 1.21).
2897 * Removed SiteObject and SiteArray classes (deprecated in 1.21).
2898 * MessageBlobStore::getInstance() was removed (deprecated since 1.25).
2899 * (T84937) Free external links ("autolinked" urls) will now be terminated
2900 by &nbsp; and HTML entity encodings of &nbsp, <, and >.
2901 * (T36948) The default file revert message's timestamp is now in
2902 $wgLocaltimezone, instead of UTC.
2903 * The default name of the 'suppress' group page has been changed from
2904 'Project:Oversight' to 'Project:Suppress'.
2905 * DatabaseBase::resultObject() is now protected (use outside Database classes
2906 not necessary since 1.11).
2907 * Calling ResourceLoaderFileModule::readStyleFiles() without a
2908 ResourceLoaderContext instance is deprecated.
2909 * ResourceLoader::getLessCompiler() now takes an optional parameter of
2910 additional LESS variables to set for the compiler.
2911 * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
2912 instead.
2913 * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
2914 were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
2915 * Removed msg_resource_links database table and associated code.
2916 * Removed msg_resource database table and associated code.
2917 * Skin::getNamespaceNotice() was removed.
2918 * wfIsConfiguredProxy() was removed (deprecated since 1.24).
2919 * wfDebugTimer() was removed (deprecated since 1.25).
2920 * wfIsTrustedProxy() was removed (deprecated since 1.24).
2921 * wfGetIP() was removed (deprecated since 1.19).
2922 * MWHookException was removed.
2923 * OutputPage::appendSubtitle() was removed (deprecated since 1.19).
2924 * OutputPage::loginToUse() was removed (deprecated since 1.19).
2925 * Article::loadContent() was removed (deprecated since 1.19).
2926 * User::editToken() was removed (deprecated since 1.19).
2927 * Removed --force-normal option of dumpBackup.php, as it no longer served
2928 any useful purpose since 1.22.
2929 * The functions processOption() and processArgs() on the BackupDumper and
2930 TextPassDumper classes have been removed.
2931 * The maintenance/backupTextPass.inc file was deleted. You should include
2932 maintenance/dumpTextPass.php instead.
2933 * WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
2934 * wfEmptyMsg() was removed (deprecated since 1.18).
2935 * OutputPage::permissionRequired() was removed (deprecated since 1.18).
2936 * OutputPage::blockedPage() was removed (deprecated since 1.18).
2937 * User::getSkin() was removed (deprecated since 1.18).
2938 * OutputPage::includeJQuery() was removed (deprecated since 1.17).
2939 * WikiPage::updateRestrictions() was removed (deprecated since 1.19).
2940 * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
2941 * LogPage::logName() was removed (deprecated since 1.19).
2942 * LogPage::logHeader() was removed (deprecated since 1.19).
2943 * wfCheckLimits() was removed (deprecated since 1.24).
2944 * Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
2945 * Linker::makeLinkObj() was removed (deprecated since 1.16).
2946 * wfMsgForContentNoTrans() was removed (deprecated since 1.18).
2947 * ChangesList::usePatrol was removed (deprecated since 1.22).
2948 * wfMsgNoTrans() was removed (deprecated since 1.18).
2949 * Linker::makeImageLink2 was removed (deprecated since 1.20).
2950 * Title::userIsWatching() was removed (deprecated since 1.20).
2951 * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
2952 database function directly instead.
2953 * wfMsg() was removed (deprecated since 1.18).
2954 * wfMsgForContent() was removed (deprecated since 1.18).
2955 * wfMsgReal() was removed (deprecated since 1.18).
2956 * wfMsgGetKey() was removed (deprecated since 1.18).
2957 * wfMsgHtml() was removed (deprecated since 1.18).
2958 * wfMsgWikiHtml() was removed (deprecated since 1.18).
2959 * wfMsgExt() was removed (deprecated since 1.18).
2960 * Language::armourMath() was removed (deprecated since 1.22).
2961 * LanguageConverter::armourMath() was removed (deprecated since 1.22).
2962 * FakeConverter::armourMath() was removed (deprecated since 1.22).
2963 * The unused jquery.validate ResourceLoader module was removed.
2964 * FileRepo::getRootUrl() was removed (deprecated since 1.20).
2965 * User::generateToken() was removed (deprecated since 1.20).
2966 * WikiPage::getRawText() was removed (deprecated since 1.21).
2967 * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
2968 * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
2969 * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
2970 * Gallery images with multiple caption pipes no longer concatenate them all
2971 together but instead pick the final one, similar to image syntax.
2972 * XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
2973 rather than consume everything until the end of the page.
2974 * New maintenance script resetUserEmail.php allows sysadmins to reset user
2975 emails in case a user forgot password/account was stolen.
2976 * wfCheckEntropy() was removed (deprecated in 1.27).
2977 * Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
2978 * ContentHandler::supportsCategories method added. Default is true.
2979 CategoryMembershipChangeJob updates are skipped for content that
2980 does not support categories.
2981 * wikidiff difference engine is no longer supported, anyone still using it are
2982 encouraged to upgrade to wikidiff2 which is actively maintained and has better
2983 package availability.
2984 * Database logic was removed from WatchedItem and a WatchedItemStore was
2985 created:
2986 ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were
2987 deprecated. User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were
2988 introduced.
2989 ** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
2990 ** WatchedItem::resetNotificationTimestamp was deprecated.
2991 ** WatchedItem::batchAddWatch was deprecated.
2992 ** WatchedItem::addWatch was deprecated.
2993 ** WatchedItem::removeWatch was deprecated.
2994 ** WatchedItem::isWatched was deprecated.
2995 ** WatchedItem::duplicateEntries was deprecated.
2996 ** EmailNotification::updateWatchlistTimestamp was deprecated.
2997 ** User::getWatchedItem was removed.
2998 * Unit tests don't work with external PHPUnit anymore, Composer is now the only
2999 supported way. Run `composer install` to install it and other dev dependencies
3000 to run unit tests.
3001 * wl_id field added to the watchlist table.
3002 * Revision::getRawText() was removed (deprecated since 1.21).
3003 * WikiPage::replaceSection() was removed (deprecated since 1.21).
3004 * Article::replaceSection() was removed (deprecated since 1.21).
3005 * Language::getLangObj() was removed (deprecated since 1.24).
3006 * Language::getLanguageName() was removed (deprecated since 1.20).
3007 * Language::getLanguageNames() was removed (deprecated since 1.20).
3008 * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
3009 * Language::specialPage() was removed (deprecated since 1.24).
3010 * MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
3011 * OutputPage::getHeadItems() was removed (deprecated since 1.24).
3012 * OutputPage::getScript() was removed (deprecated since 1.24).
3013 * OutputPage::out() was removed (deprecated since 1.22).
3014 * OutputPage::setAllowedModules() was removed (deprecated since 1.24).
3015 * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
3016 * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
3017 * Title::newFromRedirect() was removed (deprecated since 1.21).
3018 * Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
3019 * Skin::getCommonStylePath() was removed (deprecated since 1.24).
3020 * Skin::newFromKey() was removed (deprecated since 1.24).
3021 * Skin::getUsableSkins() was removed (deprecated since 1.23).
3022 * LoadBalancer::pickRandom() was removed (deprecated in 1.21).
3023 * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated
3024 since 1.21).
3025 * DifferenceEngine::setText() was removed (deprecated in 1.21).
3026 * Title::newFromRedirectArray() was removed (deprecated in 1.21).
3027 * UserMailer::send() no longer accepts $replyto as the 5th argument and
3028 $contentType as the 6th. These must be passed in the options array now.
3029 * Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
3030 * Skin::accesskey was removed (deprecated since 1.21).
3031 * Skin::blockLink was removed (deprecated since 1.21).
3032 * Skin::buildRollbackLink was removed (deprecated since 1.21).
3033 * Skin::emailLink was removed (deprecated since 1.21).
3034 * Skin::formatComment was removed (deprecated since 1.21).
3035 * Skin::formatHiddenCategories was removed (deprecated since 1.21).
3036 * Skin::formatLinksInComment was removed (deprecated since 1.21).
3037 * Skin::formatRevisionSize was removed (deprecated since 1.21).
3038 * Skin::formatSize was removed (deprecated since 1.21).
3039 * Skin::formatTemplates was removed (deprecated since 1.21).
3040 * Skin::generateTOC was removed (deprecated since 1.21).
3041 * Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
3042 * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
3043 * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
3044 * Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
3045 * Skin::getLinkColour was removed (deprecated since 1.21).
3046 * Skin::getRevDeleteLink was removed (deprecated since 1.21).
3047 * Skin::getRollbackEditCount was removed (deprecated since 1.21).
3048 * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
3049 * Skin::makeCommentLink was removed (deprecated since 1.21).
3050 * Skin::makeExternalImage was removed (deprecated since 1.21).
3051 * Skin::makeExternalLink was removed (deprecated since 1.21).
3052 * Skin::makeHeadline was removed (deprecated since 1.21).
3053 * Skin::makeImageLink was removed (deprecated since 1.21).
3054 * Skin::makeMediaLinkFile was removed (deprecated since 1.21).
3055 * Skin::makeMediaLinkObj was removed (deprecated since 1.21).
3056 * Skin::makeSelfLinkObj was removed (deprecated since 1.21).
3057 * Skin::makeThumbLink2 was removed (deprecated since 1.21).
3058 * Skin::makeThumbLinkObj was removed (deprecated since 1.21).
3059 * Skin::normaliseSpecialPage was removed (deprecated since 1.21).
3060 * Skin::normalizeSubpageLink was removed (deprecated since 1.21).
3061 * Skin::processResponsiveImages was removed (deprecated since 1.21).
3062 * Skin::revComment was removed (deprecated since 1.21).
3063 * Skin::revDeleteLink was removed (deprecated since 1.21).
3064 * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
3065 * Skin::revUserLink was removed (deprecated since 1.21).
3066 * Skin::revUserTools was removed (deprecated since 1.21).
3067 * Skin::specialLink was removed (deprecated since 1.21).
3068 * Skin::splitTrail was removed (deprecated since 1.21).
3069 * Skin::titleAttrib was removed (deprecated since 1.21).
3070 * Skin::tocIndent was removed (deprecated since 1.21).
3071 * Skin::tocLine was removed (deprecated since 1.21).
3072 * Skin::tocLineEnd was removed (deprecated since 1.21).
3073 * Skin::tocList was removed (deprecated since 1.21).
3074 * Skin::tocUnindent was removed (deprecated since 1.21).
3075 * Skin::tooltip was removed (deprecated since 1.21).
3076 * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
3077 * Skin::userTalkLink was removed (deprecated since 1.21).
3078 * Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
3079 * wikidiff3 is now the default and only PHP diff engine. It provides improved
3080 diff performance on complex changes. $wgExternalDiffEngine = 'wikidiff3'
3081 therefore makes no difference now. Users are still recommended to use
3082 wikidiff2 if possible, though.
3083 * User::addNewUserLogEntry() was deprecated.
3084 * User::addNewUserLogEntryAutoCreate() was deprecated.
3085 * User::isPasswordReminderThrottled() was deprecated.
3086 * Bot-oriented parameters to Special:UserLogin (wpCookieCheck,
3087 wpSkipCookieCheck) were removed.
3088 * Installer can now be customized without patching MediaWiki code, see
3089 mw-config/overrides/README for details.
3090
3091 === Compatibility ===
3092
3093 MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
3094 HHVM 3.6.5 or later.
3095
3096 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
3097 support for them is somewhat less mature. There is experimental support for
3098 Oracle and Microsoft SQL Server.
3099
3100 The supported versions are:
3101
3102 * MySQL 5.0.3 or later
3103 * PostgreSQL 8.3 or later
3104 * SQLite 3.3.7 or later
3105 * Oracle 9.0.1 or later
3106 * Microsoft SQL Server 2005 (9.00.1399)
3107
3108 === Upgrading ===
3109
3110 1.27 has several database changes since 1.26, and will not work without schema
3111 updates. Note that due to changes to some very large tables like the revision
3112 table, the schema update may take quite long (minutes on a medium sized site,
3113 many hours on a large site).
3114
3115 If upgrading from before 1.11, and you are using a wiki as a commons
3116 repository, make sure that it is updated as well. Otherwise, errors may arise
3117 due to database schema changes.
3118
3119 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
3120 new database fields are filled with data.
3121
3122 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
3123 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
3124 with MediaWiki 1.21.
3125
3126 Don't forget to always back up your database before upgrading!
3127
3128 See the file UPGRADE for more detailed upgrade instructions.
3129
3130 For notes on 1.26.x and older releases, see HISTORY.
3131
3132
3133 = MediaWiki 1.26 =
3134
3135 == MediaWiki 1.26.4 ==
3136
3137 This is a maintenance release of the MediaWiki 1.26 branch.
3138
3139 === Changes since 1.26.3 ===
3140 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
3141 made by MediaWiki via a proxy. Relying on the http_proxy environment
3142 variable is no longer supported.
3143 * (T124163) Fixed fatal error in DifferenceEngine under HHVM.
3144 * (T139565) SECURITY: API: Generate head items in the context of the given title
3145 * (T137264) SECURITY: XSS in unclosed internal links
3146 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
3147 * (T133147) SECURITY: Require login to preview user CSS pages
3148 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
3149 the top file
3150 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
3151 permissions
3152 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
3153 * (T115333) SECURITY: Check read permission when loading page content in
3154 ApiParse
3155 * Remove support for $wgWellFormedXml = false, all output is now well formed
3156
3157 == MediaWiki 1.26.3 ==
3158
3159 This is a maintenance release of the MediaWiki 1.26 branch.
3160
3161 === Changes since 1.26.2 ===
3162 * (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
3163 * (T123166) Fix fatal error when importing pages to titles which cannot be
3164 created, such as invalid titles or titles the user is not allowed to edit.
3165 * (T122056) Old tokens are remaining valid within a new session
3166 * (T127114) Login throttle can be tricked using non-canonicalized usernames
3167 * (T123653) Cross-domain policy regexp is too narrow
3168 * (T123071) Incorrectly identifying http link in a's href attributes, due to
3169 m modifier in regex
3170 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
3171 * (T125283) Users occasionally logged in as different users after
3172 SessionManager deployment
3173 * (T103239) Patrol allows click catching and patrolling of any page
3174 * (T122807) [tracking] Check php crypto primatives
3175 * (T98313) Graphs can leak tokens, leading to CSRF
3176 * (T130947) Diff generation should use PoolCounter
3177 * (T133507) Careless use of $wgExternalLinkTarget is insecure
3178 * (T132874) API action=move is not rate limited
3179 * (T110143) strip markers can be used to get around html attribute escaping in
3180 (many?) parser tags
3181 * (T116030) Increase pbkdf2 parameter strengths
3182 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
3183 * (T126685) Globally throttle password attempts
3184
3185 == MediaWiki 1.26.2 ==
3186
3187 This is a maintenance release of the MediaWiki 1.26 branch.
3188
3189 === Changes since 1.26.1 ===
3190 * (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
3191
3192 == MediaWiki 1.26.1 ==
3193
3194 This is a maintenance release of the MediaWiki 1.26 branch.
3195
3196 === Changes since 1.26.0 ===
3197 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3198 that do not begin with a slash. This enabled trivial XSS attacks.
3199 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3200 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3201 error.
3202 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3203 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3204 with '@' as file uploads
3205 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3206 longer be shorter than $wgMinimalPasswordLength
3207 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3208 result in improper blocks being issued
3209 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3210 and related pages no longer use HTTP redirects and are now redirected by
3211 MediaWiki
3212 * Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
3213 * Fixed stray literal \n in Special:Search.
3214 * Fix issue that breaks HHVM Repo Authorative mode.
3215 * (T120267) Work around APCu memory corruption bug
3216
3217 == MediaWiki 1.26.0 ==
3218
3219 === Configuration changes in 1.26 ===
3220 * $wgPasswordResetRoutes['email'] = true by default.
3221 * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
3222 instead if you want to disable the parser cache.
3223 * New-style continuation is now the default for API action=continue. Clients may
3224 use the 'rawcontinue' parameter to receive raw query-continue data, but the
3225 new style is encouraged as it's harder to implement incorrectly.
3226 * Deprecated API formats dump and wddx have been completely removed.
3227 * (T7645) The "Signature" button on the edit toolbar is now hidden by default
3228 in non-talk namespaces. A new configuration variable,
3229 $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
3230 the "Signature" button on the edit toolbar will be displayed.
3231 * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
3232 feature that was never enabled by default.
3233 * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
3234 This experimental feature was never enabled by default and is obsolete as of
3235 MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
3236 * $wgMasterWaitTimeout was removed (deprecated in 1.24).
3237 * Fields in ParserOptions are now private. Use the accessors instead.
3238 * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
3239 in extension.json) have been removed, after being deprecated in 1.24.
3240 * $wgAlwaysUseTidy has been removed.
3241 * ResetSessionID hook has been removed. Nothing seems to use it.
3242 * Certain AuthPlugin methods are deprecated in favor of new hooks:
3243 ** AuthPlugin::initUser() is replaced by LocalUserCreated.
3244 ** AuthPlugin::updateUser() is replaced by UserLoggedIn.
3245 ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
3246 ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
3247 ** AuthPluginUser::isHidden() is replaced by UserIsHidden.
3248 ** AuthPluginUser::isLocked() is replaced by UserIsLocked.
3249 * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
3250 * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
3251 the passed User object.
3252 * $wgBlockAllowsUTEdit is now set to true by default. This allows
3253 blocked users to edit their talk pages unless explicitly disabled
3254 when they are being blocked.
3255
3256 === New features in 1.26 ===
3257 * (T51506) Now action=info gives estimates of actual watchers for a page.
3258 See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
3259 to learn how to configure if needed.
3260 * Change tags can now be hidden in the interface by disabling the associated
3261 "tag-<id>" interface message.
3262 * ':' (colon) is now invalid in usernames for new accounts. Existing accounts
3263 are not affected.
3264 * Added a new hook, 'LogException', to log exceptions in nonstandard ways.
3265 * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
3266 search results are rendered. The initial use case is to append a "give us
3267 feedback" link beneath the search results.
3268 * Added a new hook, 'RejectParserCacheValue', which allows extensions to
3269 reject an otherwise-successful parser cache lookup. The intent is to allow
3270 extensions to manage the eviction of archaic HTML output from the cache.
3271 * (T68699) The expiration of the UserID and Token login cookies
3272 ($wgExtendedLoginCookieExpiration) can be configured independently of the
3273 expiration of all other cookies ($wgCookieExpiration).
3274 * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
3275 if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
3276 of WebP images still disabled by default. Add $wgFileExtensions[] =
3277 'webp'; to LocalSettings.php to enable uploading of WebP images.
3278 * Added new hooks 'EnhancedChangesListModifyLineData' &
3279 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
3280 lines in enhanced recentchanges and watchlist.
3281 * Caches that need purging ability now use the WANObjectCache interface.
3282 This corresponds to a new $wgMainWANCache setting, which defaults to using
3283 the $wgMainCacheType settings.
3284 * Callers needing fast light-weight data stores use $wgMainStash to select
3285 the store type from $wgObjectCaches. The default is the local database.
3286 * Interface message overrides in the MediaWiki namespace will now be cached in
3287 memcached and APC (if available), rather than memcached and local files.
3288 * Added a new hook, 'RandomPageQuery', to allow modification of the query used
3289 by Special:Random to select random pages.
3290 * $wgTransactionalTimeLimit was added, which controls the request time limit
3291 for potentially slow POST requests that need to be as atomic as possible.
3292 * ResourceLoader now loads all scripts asynchronously. The top-queue and
3293 startup modules are no longer synchronously loaded.
3294 * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
3295 page. During the deprecation period, the styles will only be loaded on pages
3296 which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
3297 only be loaded if explicitly required.
3298 * If search returns zero results and current search engine has a "did you mean"
3299 suggestion, results for suggestion will be shown. Can be disabled by setting
3300 $wgSearchRunSuggestedQuery to false.
3301 * Added several JavaScript libraries for uploading files to MediaWiki
3302 from the client-side. See documentation for mw.Upload and its
3303 subclasses for more information.
3304 * Added OOUI dialogs and layout for file upload interfaces. See
3305 documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
3306 subclasses for more information.
3307
3308 === extension.json changes in 1.26 ===
3309 * (T99344) The extension.json schema is now versioned. All extensions
3310 and skins should set a "manifest_version" property corresponding to
3311 the schema version they were written for. The only supported version
3312 currently is "1".
3313 * (T102523) The error message if a non-array attribute is set was improved.
3314 * (T107646) Configuration settings can now specify how they should be merged,
3315 which is necessary for arrays using integer keys.
3316 * (T110389) Adding namespaces through extension.json now actually works
3317 * $wgNamespaceProtection can now be set in extension.json.
3318 * $wgCapitalLinkOverrides can now be set in extension.json.
3319 * (T97186) Extensions using a custom prefix for their configuration settings
3320 can now set a "_prefix" key to override the default of "wg".
3321 * (T99084) Extensions can now specify what MediaWiki core versions they
3322 depend upon.
3323 * (T105236) The extension.json schema now validates custom classes in
3324 the "ResourceModules" property properly.
3325
3326 === External library changes in 1.26 ===
3327 ==== Upgraded external libraries ====
3328 * Updated es5-shim from v4.0.0 to v4.1.5.
3329 * Updated json2 from revision 2014-02-04 to 2015-05-03.
3330 * Updated Sinon.JS from 1.10.3 to 1.15.4.
3331 * Updated jQuery Client from v1.0.0 to v2.0.0.
3332 * Updated QUnit from v1.17.1 to v1.18.0.
3333 * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
3334 * Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
3335 * Updated wikimedia/cdb from v1.0.1 to v1.3.0.
3336 * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
3337 * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
3338 * Updated zordius/lightncandy from v0.18 to v0.21.
3339
3340 ==== New external libraries ====
3341 * Added composer/semver v1.0.0.
3342 * Added mediawiki/at-ease v1.1.0.
3343 * Added wikimedia/assert v0.2.2.
3344 * Added wikimedia/ip-set v1.0.1.
3345 * Added wikimedia/wrappedstring v2.0.0.
3346
3347 ==== Removed and replaced external libraries ====
3348 * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
3349
3350 === Bug fixes in 1.26 ===
3351 * (T53283) load.php sometimes sends 304 response without full headers
3352 * (T65198) Talk page tabs now have a "rel=discussion" attribute
3353 * (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
3354 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
3355 value if set to an empty string.
3356
3357 === Action API changes in 1.26 ===
3358 * New-style continuation is now the default for action=continue. Clients may
3359 use the 'rawcontinue' parameter to receive raw query-continue data, but the
3360 new style is encouraged as it's harder to implement incorrectly.
3361 * Deprecated API formats dump and wddx have been completely removed.
3362 * API action=query&list=tags: The displayname can now be boolean false if the
3363 tag is meant to be hidden from user interfaces.
3364 * action=import no longer allows both the namespace= and rootpage= parameters
3365 to be set. If they are both set, the value of rootpage= will be ignored.
3366 * prop=revision output in enum mode is now sorted by timestamp rather than
3367 revision ID. This usually won't make any difference.
3368 * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
3369 with formatversion=2.
3370 * Various other output from meta=siteinfo will now always be arrays instead of
3371 sometimes being numerically-indexed objects with formatversion=2.
3372 * When errors about users being blocked are returned, they now include
3373 information about the relevant block.
3374 * (T99926) list=random has higher limits, in line with other API modules.
3375 * list=random's rnredirect parameter is deprecated in favor of a new
3376 rnfilterredir parameter that also allows for listing both redirects and
3377 non-redirects.
3378 * list=random now supports continuation.
3379 * API responses to GET requests may now include ETag and Last-Modified headers,
3380 and will honor corresponding If-None-Match and If-Modified-Since on such
3381 requests.
3382
3383 === Action API internal changes in 1.26 ===
3384 * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
3385 into the value when the value is an assoc.
3386 * API action modules may now provide values for the RFC 7232 ETag and
3387 Last-Modified headers. The API will check these against If-None-Match and
3388 If-Modified-Since request headers on GET requests and avoid executing the
3389 module when appropriate.
3390
3391 === Languages updated in 1.26 ===
3392
3393 MediaWiki supports over 350 languages. Many localisations are updated
3394 regularly. Below only new and removed languages are listed, as well as
3395 changes to languages because of Phabricator reports.
3396
3397 * Languages added:
3398 ** ase (American sign language), thanks to translator Icemandeaf
3399 ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
3400 मेश सिंह बोहरा, and राम प्रसाद जोशी
3401 ** luz (لئری دوٙمینی / Southern Luri)
3402 ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin
3403 Natoi, Ilja.mos, and Mashoi7
3404
3405 === Other changes in 1.26 ===
3406 * ChangeTags::tagDescription() will return false if the interface message
3407 for the tag is disabled.
3408 * Added PageHistoryPager::doBatchLookups hook.
3409 * Added $wikiId parameter to FormatAutocomments hook.
3410 * Added ParserCacheSaveComplete to ParserCache
3411 * supportsDirectEditing and supportsDirectApiEditing methods added to
3412 ContentHandler, to provide a way for ApiEditPage and EditPage to check
3413 if direct editing of content is allowed. These methods return false,
3414 by default for the ContentHandler base class and true for TextContentHandler
3415 and it's derivative classes (everything in core). For Content types that
3416 do not support direct editing, an alternative mechanism should be provided
3417 for editing, such as action overrides or specific api modules.
3418 * mediaWiki.confirmCloseWindow now returns an object of functions, instead of
3419 one function. The callback can't be called directly any more. The callback
3420 function is replaced with confirmCloseWindow.release().
3421 * BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
3422 ResourceLoaderModule::getDependencies(). Extension classes that override that
3423 method should be updated. If they aren't updated, PHP Strict standards
3424 warnings will appear when E_STRICT error reporting is enabled. Note: in the
3425 near future, this parameter will probably become non-optional.
3426 * Removed maintenance script deleteImageMemcached.php.
3427 * MWFunction::newObj() was removed (deprecated in 1.25).
3428 ObjectFactory::getObjectFromSpec() should be used instead.
3429 * The parser will no longer randomize the string it uses to mark the place of
3430 items that were stripped during parsing. It will use a fixed string instead.
3431 This causes the parser to re-use the regular expressions it uses to search
3432 and replace markers rather than generate novel expressions on each parse.
3433 Re-using regular expressions will improve performance on HHVM and the
3434 forthcoming PHP 7. The interfaces changes accompanying this change are:
3435 - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
3436 - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
3437 $prefix argument for StripState::_construct() are deprecated and their
3438 value is ignored.
3439 * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate
3440 library, mediawiki/at-ease, and are now deprecated. Callers should use
3441 MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
3442 * The Block class constructor now takes an associative array of parameters
3443 instead of many optional positional arguments. Calling the constructor the old
3444 way will issue a deprecation warning.
3445 * The jquery.mwExtension module was deprecated.
3446 * $wgSpecialPageGroups was removed (deprecated in 1.21).
3447 * SpecialPageFactory::setGroup was removed (deprecated in 1.21).
3448 * SpecialPageFactory::getGroup was removed (deprecated in 1.21).
3449 * DatabaseBase::ignoreErrors() is now protected.
3450 * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
3451 a lengthy deprecation period.
3452 * The ScopedPHPTimeout class was removed.
3453 * Removed maintenance script fixSlaveDesync.php.
3454 * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
3455 are deprecated. Applications using those can work via the OAuth
3456 extension instead. New tokens types should not be added.
3457 * DatabaseBase::errorCount() was removed (unused).
3458 * $wgDeferredUpdateList was removed.
3459 * DeferredUpdates::addHTMLCacheUpdate() was removed.
3460
3461 = MediaWiki 1.25 =
3462
3463 == MediaWiki 1.25.6 ==
3464
3465 This is a maintenance release of the MediaWiki 1.25 branch.
3466
3467 === Changes since 1.25.5 ===
3468 * (T123166) Fix fatal error when importing pages to titles which cannot be
3469 created, such as invalid titles or titles the user is not allowed to edit.
3470 * (T122056) Old tokens are remaining valid within a new session
3471 * (T127114) Login throttle can be tricked using non-canonicalized usernames
3472 * (T123653) Cross-domain policy regexp is too narrow
3473 * (T123071) Incorrectly identifying http link in a's href attributes, due to
3474 m modifier in regex
3475 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
3476 * (T125283) Users occasionally logged in as different users after
3477 SessionManager deployment
3478 * (T103239) Patrol allows click catching and patrolling of any page
3479 * (T122807) [tracking] Check php crypto primatives
3480 * (T98313) Graphs can leak tokens, leading to CSRF
3481 * (T130947) Diff generation should use PoolCounter
3482 * (T133507) Careless use of $wgExternalLinkTarget is insecure
3483 * (T132874) API action=move is not rate limited
3484 * (T110143) strip markers can be used to get around html attribute escaping in
3485 (many?) parser tags
3486 * (T116030) Increase pbkdf2 parameter strengths
3487 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
3488 * (T126685) Globally throttle password attempts
3489
3490 == MediaWiki 1.25.5 ==
3491
3492 This is a maintenance release of the MediaWiki 1.25 branch.
3493
3494 === Changes since 1.25.4 ===
3495 * (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
3496
3497 == MediaWiki 1.25.4 ==
3498
3499 This is a security and maintenance release of the MediaWiki 1.25 branch.
3500
3501 === Changes since 1.25.3 ===
3502 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3503 that do not begin with a slash. This enabled trivial XSS attacks.
3504 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3505 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3506 error.
3507 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3508 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3509 with '@' as file uploads
3510 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3511 longer be shorter than $wgMinimalPasswordLength
3512 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3513 result in improper blocks being issued
3514 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3515 and related pages no longer use HTTP redirects and are now redirected by
3516 MediaWiki
3517 * (T103237) $wgUseGzip had no effect when using file cache.
3518 * (T114606) mw.notify was not correctly fixed to the page if
3519 initialized while not at the top of the page.
3520 * Fix issue that breaks HHVM Repo Authorative mode.
3521
3522 == MediaWiki 1.25.3 ==
3523
3524 This is a security and maintenance release of the MediaWiki 1.25 branch.
3525
3526 === Changes since 1.25.2 ===
3527
3528 * (T98975) Fix having multiple callbacks for a single hook.
3529 * (T107632) maintenance/refreshLinks.php did not always remove all links
3530 pointing to nonexistent pages.
3531 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
3532 value if set to an empty string.
3533 * (T62174) Provide fallbacks for use of mb_convert_encoding() in
3534 HtmlFormatter. It was causing an error when accessing the api help page
3535 if the mbstring PHP extension was not installed.
3536 * (T105896) Confirmation emails would sometimes contain invalid codes.
3537 * (T105597) Fixed edit stash inclusion queries.
3538 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
3539 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
3540 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
3541 first
3542 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
3543
3544 == MediaWiki 1.25.2 ==
3545
3546 This is a security and maintenance release of the MediaWiki 1.25 branch.
3547
3548 === Changes since 1.25.1 ===
3549
3550 * (T94116) SECURITY: Compare API watchlist token in constant time
3551 * (T97391) SECURITY: Escape error message strings in thumb.php
3552 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
3553 Special:DeletedContributions
3554 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
3555 policy of Wikimedia Commons.
3556 * (T100767) Setting a configuration setting for skin or extension to
3557 false in LocalSettings.php was not working.
3558 * (T100635) API action=opensearch json output no longer breaks when
3559 $wgDebugToolbar is enabled.
3560 * (T102522) Using an extension.json or skin.json file which has
3561 a "manifest_version" property for 1.26 compatability will no longer
3562 trigger warnings.
3563 * (T86156) Running updateSearchIndex.php will not throw an error as
3564 page_restrictions has been added to the locked table list.
3565 * Special:Version would throw notices if using SVN due to an incorrectly
3566 named variable. Add an additional check that an index is defined.
3567
3568 == MediaWiki 1.25.1 ==
3569
3570 This is a bug fix release of the MediaWiki 1.25 branch.
3571
3572 === Changes since 1.25 ===
3573 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
3574
3575 == MediaWiki 1.25.0 ==
3576
3577 === Configuration changes in 1.25 ===
3578 * $wgPageShowWatchingUsers was removed.
3579 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
3580 * $wgAntiLockFlags was removed.
3581 * $wgJavaScriptTestConfig was removed.
3582 * Edit tokens returned from User::getEditToken may change on every call. Token
3583 validity must be checked by passing the user-supplied token to
3584 User::matchEditToken rather than by testing for equality with a
3585 newly-generated token.
3586 * (T74951) The UserGetLanguageObject hook may be passed any IContextSource
3587 for its $context parameter. Formerly it was documented as receiving a
3588 RequestContext specifically.
3589 * Profiling was restructured and $wgProfiler now requires an 'output' parameter.
3590 See StartProfiler.sample for details.
3591 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
3592 might be a flash policy directive configurable.
3593 * ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
3594 longer be used. If extracts and page images are desired, the TextExtracts and
3595 PageImages extensions are required.
3596 * $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
3597 * Edits are now prepared via AJAX as users type edit summaries. This behavior
3598 can be disabled via $wgAjaxEditStash.
3599 * (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
3600 with the jQuery Migrate library, as indicated when this option was provided in
3601 MediaWiki 1.24.
3602 * ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
3603 StartProfiler.php config is updated to reflect this. Xhprof is available
3604 for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
3605 * Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
3606 rather than 'rsvg'.
3607 * Default value of $wgSVGConverters['ImageMagick'] now uses transparent
3608 background with white fallback color, rather than just white background.
3609 * MediaWikiBagOStuff class removed, make sure any object cache config
3610 uses SqlBagOStuff instead.
3611 * The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
3612 job queues. This means that mediawiki/services/jobrunner service has to
3613 be installed and running for any such queues to work.
3614 * $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
3615 compatibility, any 'view' event triggers will still trigger on 'edit'.
3616 * $wgExtensionDirectory was added for when your extensions directory is
3617 somewhere other than $IP/extensions (as $wgStyleDirectory does with the skins
3618 directory).
3619
3620 === New features in 1.25 ===
3621 * (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
3622 for plural forms in Russian, Prussian, Tagalog, Manx and several languages
3623 that fall back to Russian.
3624 * (T60139) ResourceLoaderFileModule now supports language fallback
3625 for 'languageScripts'.
3626 * Added a new hook, "ContentAlterParserOutput", to allow extensions to modify
3627 the parser output for a content object before links update.
3628 * (T37785) Enhanced recent changes and extended watchlist are now default.
3629 Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
3630 and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions
3631 * (T69341) SVG images will no longer be base64-encoded when being embedded
3632 in CSS. This results in slight size increase before gzip compression (due to
3633 percent-encoding), but up to 20% decrease after it.
3634 * Update jStorage to v0.4.12.
3635 * MediaWiki now natively supports page status indicators: icons (or short text
3636 snippets) usually displayed in the top-right corner of the page. They have
3637 been in use on Wikipedia for a long time, implemented using templates and CSS
3638 absolute positioning.
3639 - Basic wikitext syntax:
3640 <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
3641 - Usage instructions:
3642 https://www.mediawiki.org/wiki/Help:Page_status_indicators
3643 - Adjusting custom skins to support indicators:
3644 https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
3645 * Edit tokens may now be time-limited: passing a maximum age to
3646 User::matchEditToken will reject any older tokens.
3647 * The debug logging internals have been overhauled, and are now using the
3648 PSR-3 interfaces.
3649 * Update CSSJanus to v1.1.1.
3650 * Update lessphp to v0.5.0.
3651 * Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
3652 and images for ApiOpenSearch output. The semantics are identical to the
3653 "OpenSearchXml" hook provided by the OpenSearchXml extension.
3654 * PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
3655 this allows for pagination of prefix results. Extensions using this hook
3656 should implement supporting behavior. Not doing so can result in undefined
3657 behavior from API clients trying to continue through prefix results.
3658 * Update jQuery from v1.11.1 to v1.11.3.
3659 * External libraries installed via composer will now be displayed
3660 on Special:Version in their own section. Extensions or skins that are
3661 installed via composer will not be shown in this section as it is assumed
3662 they will add the proper credits to the skins or extensions section. They
3663 can also be accessed through the API via the new siprop=libraries to
3664 ApiQuerySiteInfo.
3665 * Update QUnit from v1.14.0 to v1.16.0.
3666 * Update Moment.js from v2.8.3 to v2.8.4.
3667 * Special:Tags now allows for manipulating the list of user-modifiable change
3668 tags.
3669 * Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
3670 and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
3671 tags.
3672 * Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
3673 "active" formerly conflated by the 'ListDefinedTags' hook.
3674 * Added TemplateParser class that provides a server-side interface to cachable
3675 dynamically-compiled Mustache templates (currently uses lightncandy library).
3676 * Clickable anchors for each section heading in the content are now generated
3677 and appear in the gutter on hovering over the heading.
3678 * Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink'
3679 hooks to allow extensions to override how links to pages are rendered within
3680 NS_CATEGORY
3681 * (T19665) Special:WantedPages only lists page which having at least one red
3682 link pointing to it.
3683 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
3684 used for conditional registration of API modules.
3685 * New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
3686 links of a group of changes in EnhancedChangesList.
3687 * A full interface for StatsD metric reporting has been added to the context
3688 interface, reachable via IContextSource::getStats().
3689 * Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
3690 proper, published library, which is now tagged as v1.0.0.
3691 * A new message (defaulting to blank), 'editnotice-notext', can be shown to
3692 users when they are editing if no edit notices apply to the page being edited.
3693 * (T94536) You can now make the sitenotice appear to logged-in users only by
3694 editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
3695 "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
3696 * Modifying the tagging of a revision or log entry is now available via
3697 Special:EditTags, generally accessed via the revision-deletion-like interface
3698 on history pages and Special:Log is likely to be more useful.
3699 * Added 'applychangetags' and 'changetags' user rights.
3700 * (T35235) LogFormatter subclasses are now responsible for formatting the
3701 parameters for API log event output. Extensions should implement the new
3702 getParametersForApi() method in their log formatters.
3703
3704 ==== External libraries ====
3705 * MediaWiki now requires certain external libraries to be installed. In the past
3706 these were bundled inside the Git repository of MediaWiki core, but now they
3707 need to be installed separately. For users using the tarball, this will be
3708 taken care of and no action will be required. Users using Git will either need
3709 to use composer to fetch dependencies or use the mediawiki/vendor repository
3710 which includes all dependencies for MediaWiki core and ones used in Wikimedia
3711 deployment. Detailed instructions can be found at:
3712 https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
3713 * The following libraries are now required:
3714 ** psr/log
3715 This library provides the interfaces set by the PSR-3 standard
3716 (http://www.php-fig.org/psr/psr-3/) which are used by MediaWiki internally
3717 via the MediaWiki\Logger\LoggerFactory class.
3718 See the structured logging RfC
3719 <https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging>
3720 for more background information.
3721 ** cssjanus/cssjanus
3722 This library was formerly bundled with MediaWiki core and has been removed.
3723 It automatically flips CSS for RTL support.
3724 ** leafo/lessphp
3725 This library was formerly bundled with MediaWiki core and has been removed.
3726 It compiles LESS files into CSS.
3727 ** wikimedia/cdb
3728 This library was formerly a part of MediaWiki core, and has been moved into a
3729 separate library. It provides CDB functions which are used in the Interwiki
3730 and Localization caches. More information about the library can be found at
3731 https://www.mediawiki.org/wiki/CDB.
3732 ** liuggio/statsd-php-client
3733 This library provides a StatsD client API for logging application metrics to
3734 a remote server.
3735
3736 === Bug fixes in 1.25 ===
3737 * (T73003) No additional code will be generated to try to load CSS-embedded
3738 SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
3739 * (T69021) On Special:BookSources, corrected validation of ISBNs (both
3740 10- and 13-digit forms) containing "X".
3741 * Page moving was refactored into a MovePage class. As part of that:
3742 ** The AbortMove hook was removed.
3743 ** MovePageIsValidMove is for extensions to specify whether a page
3744 cannot be moved for technical reasons, and should not be overridden.
3745 ** MovePageCheckPermissions is for checking whether the given user is
3746 allowed to make the move.
3747 ** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
3748 ** Title::moveTo() was deprecated. Use the MovePage class instead.
3749 ** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
3750 and MovePage::checkPermissions().
3751 * (T18530) Multiple autocomments are now formatted in an edit summary.
3752 * (T70361) Autocomments containing "/*" are parsed correctly.
3753 * The Special:WhatLinksHere page linked from 'Number of redirects to this page'
3754 on action=info about a file page does not list file links anymore.
3755 * (T78637) Search bar is not autofocused unless it is empty so that proper
3756 scrolling using arrow keys is possible.
3757 * (T50853) Database::makeList() modified to handle 'NULL' separately when
3758 building IN clause
3759 * (T85192) Captcha position modified in Usercreate template. As a result:
3760 ** extrafields parameter added to Usercreate.php to insert additional data
3761 ** 'extend' method added to QuickTemplate to append additional values to any
3762 field of data array
3763 * (T86974) Several Title methods now load from the database when necessary
3764 (instead of returning incorrect results) even when the page ID is known.
3765 * (T74070) Duplicate search for archived files on file upload now omits the
3766 extension.
3767 This requires the fa_sha1 field being populated.
3768 * Removed rel="archives" from the "View history" link, as it did not pass
3769 HTML validation.
3770 * $wgUseTidy is now set when parserTests are run with the tidy option to match
3771 output on wiki.
3772 * (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed
3773 to it.
3774 * (T72109) mediawiki.language should respect $wgTranslateNumerals in
3775 convertNumber().
3776
3777 === Action API changes in 1.25 ===
3778 * (T67403) XML tag highlighting is now only performed for formats
3779 "xmlfm" and "wddxfm".
3780 * action=paraminfo supports generalized submodules (modules=query+value),
3781 querymodules and formatmodules are deprecated
3782 * action=paraminfo no longer outputs descriptions and other help text by
3783 default. If needed, it may be requested using the new 'helpformat' parameter.
3784 * action=help has been completely rewritten, and outputs help in HTML
3785 rather than plain text.
3786 * Hitting api.php without specifying an action now displays only the help for
3787 the main module, with links to submodule help.
3788 * API help is no longer displayed on errors.
3789 * 'uselang' is now a recognized API parameter; "uselang=user" may be used to
3790 explicitly select the language from the current user's preferences, and
3791 "uselang=content" may be used to select the wiki's content language.
3792 * Default output format for the API is now jsonfm.
3793 * Simplified continuation will return a "batchcomplete" property in the result
3794 when a batch of pages is complete.
3795 * Pretty-printed HTML output now has nicer formatting and (if available)
3796 better syntax highlighting.
3797 * Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
3798 list=alldeletedrevisions.
3799 * prop=revisions will gracefully continue when given too many revids or titles,
3800 rather than just ignoring the extras.
3801 * prop=revisions will no longer die if rvcontentformat doesn't match a
3802 revision's content model; it will instead warn and omit the content.
3803 * If the user has the 'deletedhistory' right, action=query's revids parameter
3804 will now recognize deleted revids.
3805 * prop=revisions may be used as a generator, generating revids.
3806 * (T68776) format=json results will no longer be corrupted when
3807 $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
3808 error instead of returning invalid serialized data.
3809 * Generators may now return data for the generated pages when used with
3810 action=query.
3811 * Query page data for generator=search and generator=prefixsearch will now
3812 include an "index" field, which may be used by the client for sorting the
3813 search results.
3814 * ApiOpenSearch now supports XML output.
3815 * ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
3816 in JSON format.
3817 * (T76051) list=tags will now continue correctly.
3818 * (T76052) list=tags can now indicate whether a tag is defined.
3819 * (T75522) list=prefixsearch now supports continuation
3820 * (T78737) action=expandtemplates can now return page properties.
3821 * (T78690) list=allimages now accepts multiple pipe-separated values
3822 for the 'aimime' parameter.
3823 * prop=info with inprop=protections will now return applicable protection types
3824 with the 'restrictiontypes' key.
3825 * (T85417) When resolving redirects, ApiPageSet will now add the targets of
3826 interwiki redirects to the list of interwiki titles.
3827 * (T85417) When outputting the list of redirect titles, a 'tointerwiki'
3828 property (like the existing 'tofragment' property) will be set.
3829 * Added action=managetags to allow for managing the list of
3830 user-modifiable change tags. Actually modifying the tagging of a revision or
3831 log entry is not implemented yet.
3832 * list=tags has additional properties to indicate 'active' status and tag
3833 sources.
3834 * siprop=libraries was added to ApiQuerySiteInfo to list installed external
3835 libraries.
3836 * (T88010) Added action=checktoken, to test a CSRF token's validity.
3837 * (T88010) Added intestactions to prop=info, to allow querying of
3838 Title::userCan() via the API.
3839 * Default type param for query list=watchlist and list=recentchanges has
3840 been changed from all types (e.g. including 'external') to 'edit|new|log'.
3841 * Added formatversion to format=json. Still "experimental" as further changes
3842 to the output formatting might still be made.
3843 * (T73020) Log event details are now always under a 'params' subkey for
3844 list=logevents, and a 'logparams' subkey for list=watchlist and
3845 list=recentchanges.
3846 * Log event details are changing formatting:
3847 * block events now report flags as an array rather than as a comma-separated
3848 list.
3849 * patrol events now report the 'auto' flag as a boolean (absent/empty string
3850 for BC formats) rather than as an integer.
3851 * rights events now report the old and new group lists as arrays rather than
3852 as comma-separated lists.
3853 * merge events use new-style formatting.
3854 * delete/event and delete/revision events use new-style formatting.
3855 * The root node and various other nodes will now always be an object in formats
3856 such as json that distinguish between arrays and objects.
3857 * Except for action=opensearch where the spec requires an array.
3858
3859 === Action API internal changes in 1.25 ===
3860 * ApiHelp has been rewritten to support i18n and paginated HTML output.
3861 Most existing modules should continue working without changes, but should do
3862 the following:
3863 * Add an i18n message "apihelp-{$moduleName}-description" to replace
3864 getDescription().
3865 * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
3866 to replace getParamDescription(). If necessary, the settings array returned
3867 by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
3868 message.
3869 * Implement getExamplesMessages() to replace getExamples().
3870 * Modules with submodules (like action=query) must have their submodules
3871 override ApiBase::getParent() to return the correct parent object.
3872 * The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
3873 and will have no effect for modules using i18n messages. Use
3874 'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
3875 * Api formatters will no longer be asked to display the help screen on errors.
3876 * ApiMain::getCredits() was removed. The credits are available in the
3877 'api-credits' i18n message.
3878 * ApiFormatBase has been changed to support i18n and syntax highlighting via
3879 extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
3880 has been removed.
3881 * ApiFormatBase now always buffers. Output is done when
3882 ApiFormatBase::closePrinter is called.
3883 * Much of the logic in ApiQueryRevisions has been split into
3884 ApiQueryRevisionsBase.
3885 * The 'revids' parameter supplied by ApiPageSet will now count deleted
3886 revisions as "good" if the user has the 'deletedhistory' right. New methods
3887 ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
3888 provided to access just the live or just the deleted revids.
3889 * Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
3890 to allow generators to include data in the action=query result.
3891 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
3892 used for conditional registration of API modules.
3893 * Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
3894 the current request was sent with the 'callback' parameter (or any future
3895 method that breaks the same-origin policy).
3896 * Profiling methods in ApiBase are deprecated and no longer need to be called.
3897 * ApiResult was greatly overhauled. See inline documentation for details.
3898 * ApiResult will automatically convert objects to strings or arrays (depending
3899 on whether a __toString() method exists on the object), and will refuse to
3900 add unsupported value types.
3901 * An informal interface, ApiSerializable, exists to override the default
3902 object conversion.
3903 * ApiResult/ApiFormatBase "raw mode" is deprecated.
3904 * ApiFormatXml now assumes defaults and so on instead of throwing errors when
3905 metadata isn't set.
3906 * (T35235) LogFormatter subclasses are now responsible for formatting log event
3907 parameters for the API.
3908 * Many modules have changed result data formats. While this shouldn't affect
3909 clients not using the experimental formatversion=2, code using
3910 ApiResult::getResultData() without the transformations for backwards
3911 compatibility may need updating, as will code that wasn't following the old
3912 conventions for API boolean output.
3913 * The following methods have been deprecated and may be removed in a future
3914 release:
3915 * ApiBase::getDescription
3916 * ApiBase::getParamDescription
3917 * ApiBase::getExamples
3918 * ApiBase::makeHelpMsg
3919 * ApiBase::makeHelpArrayToString
3920 * ApiBase::makeHelpMsgParameters
3921 * ApiBase::getModuleProfileName
3922 * ApiBase::profileIn
3923 * ApiBase::profileOut
3924 * ApiBase::safeProfileOut
3925 * ApiBase::getProfileTime
3926 * ApiBase::profileDBIn
3927 * ApiBase::profileDBOut
3928 * ApiBase::getProfileDBTime
3929 * ApiBase::getResultData
3930 * ApiFormatBase::setUnescapeAmps
3931 * ApiFormatBase::getWantsHelp
3932 * ApiFormatBase::setHelp
3933 * ApiFormatBase::formatHTML
3934 * ApiFormatBase::setBufferResult
3935 * ApiFormatBase::getDescription
3936 * ApiFormatBase::getNeedsRawData
3937 * ApiMain::setHelp
3938 * ApiMain::reallyMakeHelpMsg
3939 * ApiMain::makeHelpMsgHeader
3940 * ApiResult::setRawMode
3941 * ApiResult::getIsRawMode
3942 * ApiResult::getData
3943 * ApiResult::setElement
3944 * ApiResult::setContent
3945 * ApiResult::setIndexedTagName_recursive
3946 * ApiResult::setIndexedTagName_internal
3947 * ApiResult::setParsedLimit
3948 * ApiResult::beginContinuation
3949 * ApiResult::setContinueParam
3950 * ApiResult::setGeneratorContinueParam
3951 * ApiResult::endContinuation
3952 * ApiResult::size
3953 * ApiResult::convertStatusToArray
3954 * ApiQueryImageInfo::getPropertyDescriptions
3955 * ApiQueryLogEvents::addLogParams
3956 * The following classes have been deprecated and may be removed in a future
3957 release:
3958 * ApiQueryDeletedrevs
3959
3960 === Languages updated in 1.25 ===
3961
3962 MediaWiki supports over 350 languages. Many localisations are updated
3963 regularly. Below only new and removed languages are listed, as well as
3964 changes to languages because of Bugzilla reports.
3965
3966 * Languages added:
3967 ** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
3968 ** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
3969 Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
3970 ** ses (Koyraboro Senni), thanks to translator Songhay.
3971 * (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
3972 interface language to kk where unexpected.
3973 * The Chinese conversion table was substantially updated to fix a lot of
3974 bugs and ensure better reading experience for different variants.
3975
3976 === Other changes in 1.25 ===
3977 * (T45591) Links to MediaWiki.org translatable help were added to indicators,
3978 mostly in special pages. Local custom target titles can be placed in the
3979 relevant '(namespace-X|action name|special page name)-helppage' system
3980 message. Extensions can use the addHelpLink() function to do the same.
3981 * The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
3982 removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
3983 migration guide for creators and users of custom skins that relied on it.
3984 * Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
3985 available on Special:Upload.
3986 * (T58257) Set site logo from mediawiki.skinning.interface module instead of
3987 inline styles in the HTML.
3988 * Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
3989 * Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
3990 * Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
3991 * Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
3992 * Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since
3993 1.20)
3994 * Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
3995 since 1.20)
3996 * Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
3997 since 1.20)
3998 * Removed 'jquery.json' module. (deprecated since 1.24)
3999 Use the 'json' module and global JSON object instead.
4000 * Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
4001 Also, the former will now throw an MWException if called with one or more
4002 arguments.
4003 * Removed hitcounters and associated code.
4004 * The "temp" zone of the upload respository is now considered private. If it
4005 already exists (such as under the images/ directory), please make sure that
4006 the directory is not web readable (e.g. via a .htaccess file).
4007 * BREAKING CHANGE: In the XML dump format used by Special:Export and
4008 dumpBackup.php, the <model> and <format> tags now apprear before the <text>
4009 tag, instead of after the <text> and <sha1> tags.
4010 The new schema version is 0.10, the new schema URI is:
4011 https://www.mediawiki.org/xml/export-0.10.xsd
4012 * MWFunction::call() and MWFunction::callArray() were removed, having being
4013 deprecated in 1.22.
4014 * Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
4015 and getInternalLinkAttributes methods in Linker, and removed
4016 getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
4017 * Removed Sites class, which was deprecated in 1.21 and replaced by
4018 SiteSQLStore.
4019 * Added wgRelevantArticleId to the client-side config, for use on special pages.
4020 * Deprecated the TitleIsCssOrJsPage hook. Superseded by the
4021 ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
4022 * Deprecated the TitleIsWikitextPage hook. Superseded by the
4023 ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
4024 * Changed parsing of variables in schema (.sql) files:
4025 ** The substituted values are no longer parsed. (Formerly, several passes
4026 were made for each variable, so depending on the order in which variables
4027 were defined, variables might have been found inside encoded values. This
4028 is no longer the case.)
4029 ** Variables are no longer string encoded when the /*$var*/ syntax is used.
4030 If string encoding is necessary, use the '{$var}' syntax instead.
4031 ** Variable names must only consist of one or more of the characters
4032 "A-Za-z0-9_".
4033 ** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
4034 does not exist yet variable B does, the latter may not be replaced.
4035 However, this difference is unlikely to arise in practice.
4036 * (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
4037 characters on both sides.
4038 * The FormatAutocomments hook will now receive $pre and $post as booleans,
4039 rather than as strings that must be prepended or appended to $comment.
4040 * (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
4041 newlines; but they can contain &nbsp; and other non-newline whitespace.
4042 * The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
4043 toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
4044 relied on this behavior, update your scripts' dependencies.
4045 * HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
4046 * HTMLForm::isVForm() is now deprecated.
4047 * You can no longer do this:
4048 $form = new HTMLForm( … );
4049 $form->setDisplayFormat( 'vform' ); // throws exception
4050 Instead, do this:
4051 $form = HTMLForm::factory( 'vform', … );
4052 * Deprecated Revision methods getRawUser(), getRawUserText() and
4053 getRawComment().
4054 * BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
4055 The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
4056 * (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
4057 renders them incorrectly when combined with border-radius or background-size.
4058 * Removed maintenance script dumpSisterSites.php.
4059 * DatabaseBase class constructors must be called using the array argument style.
4060 Ideally, DatabaseBase:factory() should be used instead in most cases.
4061 * Deprecated ParserOutput::addSecondaryDataUpdate and
4062 ParserOutput::getSecondaryDataUpdates.
4063 This is a hard deprecation, with getSecondaryDataUpdates returning an empty
4064 array and addSecondaryDataUpdate throwing an exception. These functions will
4065 be removed in 1.26, since they interfere with caching of ParserOutput objects.
4066 * Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject
4067 custom updates.
4068 * Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to
4069 perform updates when a page is re-rendered.
4070 * EditPage::attemptSave has been modified not to call handleStatus itself and
4071 instead just returns the Status object. Extension calling it should be aware
4072 of this.
4073 * Removed class DBObject. (unused since 1.10)
4074 * wfDiff() is deprecated.
4075 * The -m (maximum replication lag) option of refreshLinks.php was removed.
4076 It had no effect since MediaWiki 1.18 and should be removed from any cron
4077 jobs or similar scripts you may have set up.
4078 * (T85864) The following messages no longer support raw html: redirectto,
4079 thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
4080 retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
4081 protect-summary-cascade
4082 * All BloomCache related code has been removed. This was largely experimental.
4083 * $wgResourceModuleSkinStyles no longer supports per-module local or remote
4084 paths. They can only be set for the entire skin.
4085 * Removed global function swap(). (deprecated since 1.24)
4086 * Deprecated the ".php5" file extension entry points and the $wgScriptExtension
4087 configuration variable. Refer to the ".php" files instead. If you want
4088 ".php5" URLs to continue to work, set up redirects. In Apache, this can be
4089 done by enabling mod_rewrite and adding the following rules to your
4090 configuration:
4091
4092 RewriteEngine On
4093 RewriteBase /
4094 RewriteRule ^(.*)\.php5 $1.php [R=301,L]
4095
4096 * The global importScriptURI and importStylesheetURI functions, as well as the
4097 loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
4098 warnings through mw.log.warn when accessed.
4099
4100 = MediaWiki 1.24 =
4101
4102 == MediaWiki 1.24.6 ==
4103
4104 This is a maintenance release of the MediaWiki 1.24 branch.
4105
4106 === Changes since 1.24.5 ===
4107 * (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
4108
4109 == MediaWiki 1.24.5 ==
4110
4111 This is a security and maintenance release of the MediaWiki 1.23 branch.
4112
4113 === Changes since 1.24.4 ===
4114 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
4115 that do not begin with a slash. This enabled trivial XSS attacks.
4116 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
4117 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
4118 error.
4119 * (T119309) SECURITY: Use hash_compare() for edit token comparison
4120 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
4121 with '@' as file uploads
4122 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
4123 longer be shorter than $wgMinimalPasswordLength
4124 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
4125 result in improper blocks being issued
4126 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
4127 and related pages no longer use HTTP redirects and are now redirected by
4128 MediaWiki
4129 * (T103237) $wgUseGzip had no effect when using file cache.
4130
4131 == MediaWiki 1.24.4 ==
4132
4133 This is a security and maintenance release of the MediaWiki 1.24 branch.
4134
4135 === Changes since 1.24.3 ===
4136
4137 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
4138 * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
4139 update.php to fix.
4140 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
4141 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
4142 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
4143 first
4144 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
4145
4146 == MediaWiki 1.24.3 ==
4147
4148 This is a security and maintenance release of the MediaWiki 1.24 branch.
4149
4150 === Changes since 1.24.2 ===
4151
4152 * (T94116) SECURITY: Compare API watchlist token in constant time
4153 * (T97391) SECURITY: Escape error message strings in thumb.php
4154 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
4155 Special:DeletedContributions
4156 * Update jQuery from v1.11.2 to v1.11.3.
4157 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
4158 policy of Wikimedia Commons.
4159
4160 == MediaWiki 1.24.2 ==
4161
4162 This is a security and maintenance release of the MediaWiki 1.24 branch.
4163
4164 === Changes since 1.24.1 ===
4165
4166 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
4167 to prevent various DoS attacks.
4168 * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
4169 likelihood of DoS.
4170 * (T88310) SECURITY: Always expand xml entities when checking SVG's.
4171 * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
4172 * (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
4173 * (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
4174 using PBKDF2.
4175 * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
4176 prevent XSS and protect viewer's privacy.
4177 * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
4178 loading these special pages when $wgAutoloadAttemptLowercase is false.
4179 * (bug T70087) Fix Special:ActiveUsers page for installations using
4180 PostgreSQL.
4181 * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
4182 and running update.php to fix.
4183
4184 == MediaWiki 1.24.1 ==
4185
4186 This is a security and maintenance release of the MediaWiki 1.24 branch.
4187
4188 === Changes since 1.24.0 ===
4189
4190 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
4191 could lead to xss. Permission to edit MediaWiki namespace is required to
4192 exploit this.
4193 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
4194 $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
4195 part of its name.
4196 * (bug T74222) The original patch for T74222 was reverted as unnecessary.
4197 * Fixed a couple of entries in RELEASE-NOTES-1.24.
4198 * (bug T76168) OutputPage: Add accessors for some protected properties.
4199 * (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
4200
4201 == MediaWiki 1.24.0 ==
4202
4203 === Configuration changes in 1.24 ===
4204 * MediaWiki will no longer run if register_globals is enabled. It has been
4205 deprecated for 5 years now, and was removed in PHP 5.4. For more information
4206 about why, see <https://www.mediawiki.org/wiki/register_globals>.
4207 * MediaWiki now requires PHP's iconv extension. openSUSE users may need to
4208 install the php5-iconv package. Users of other systems may need to add
4209 extension=iconv.so to php.ini or recompile PHP without --without-iconv.
4210 * MediaWiki will no longer function if magic quotes are enabled. It has
4211 been deprecated for 5 years now, and was removed in PHP 5.4.
4212 * The server's canonical hostname is available as $wgServerName, which is
4213 exposed in both mw.config and ApiQuerySiteInfo.
4214 * Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
4215 for using the old schema of the page_props table, in case the respective
4216 schema update was not applied.
4217 * $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything'
4218 user option was removed. Use $wgNamespacesToBeSearchedDefault instead or
4219 if you used to have $wgDefaultUserOptions['searcheverything'] = 1.
4220 * $wgMasterWaitTimeout has been deprecated.
4221 * $wgDBClusterTimeout has been removed.
4222 * $wgProxyKey has been removed. It is no longer used by MediaWiki core.
4223 Ensure $wgSecretKey is set in LocalSettings.php.
4224 * $wgExtraInterlanguageLinkPrefixes is a new configuration variable that
4225 contains an array of interwiki prefixes that should be treated as language
4226 prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set
4227 to true).
4228 * $wgParserTestRemote has been removed.
4229 * $wgCountTotalSearchHits has been removed. If you're concerned about efficiency
4230 of search, you should use something like CirrusSearch instead of built in
4231 search.
4232 * Users in the 'sysop' group have access to Special:MergeHistory by default.
4233 * $wgFileStore was removed after having been deprecated in 1.17. Alternative
4234 configurations are $wgDeletedDirectory and $wgHashedUploadDirectory.
4235 * The deprecated $wgUseCommaCount variable has been removed.
4236 * $wgEnableSorbs and $wgSorbsUrl have been removed.
4237 * The UserCryptPassword and UserComparePassword hooks are no longer called.
4238 Any extensions using them must be updated to use the Password Hashing API.
4239 * $wgCompiledFiles has been removed.
4240 * $wgSortSpecialPages was removed, the listing on Special:SpecialPages is
4241 now always sorted.
4242 * $wgSpecialPages may now use callback functions as an alternative to plain
4243 class names. This allows more control over constructor parameters.
4244 * $wgHTCPMulticastAddress, $wgHTCPMulticastRouting and $wgHTCPPort were removed.
4245 * $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort
4246 and $wgRC2UDPPrefix have been removed.
4247 * The default password type for MediaWiki has been changed from MD5 to PBKDF2.
4248 Password hashes will automatically be updated as users log in. If necessary,
4249 the old MD5 hashing can be restored by changing $wgPasswordDefault to 'B'.
4250 In addition, there is a maintenance script wrapOldPassword.php that can wrap
4251 all passwords in PBKDF2 (or the hashing algorithm of your choice) if you don't
4252 want to wait for your users to log in.
4253 * $wgImportSources can now either be a regular array, or an associative map
4254 specifying subprojects on the interwiki map of the target wiki, or a mix of
4255 the two. Existing configurations will still work.
4256 * Users must be able to edit through a page's protection to be able to delete
4257 it.
4258 * The default thumb size ($wgDefaultUserOptions['thumbsize']) is now 300px, up
4259 from 180px. If you have altered the number of entries in $wgThumbLimits for
4260 your wiki, you may need to adjust your default user settings to compensate for
4261 the index change.
4262 * $wgDeferredUpdateList is now deprecated, you should use
4263 DeferredUpdates::addUpdate() instead.
4264 * $wgCanonicalLanguageLinks has been removed. Per Google recommendations, we
4265 will not send a rel=canonical pointing to a variant-neutral page, however
4266 we will send rel=alternate.
4267 * $wgResourceLoaderLESSFunctions has been deprecated and will be removed in the
4268 future.
4269 * $wgGoToEdit has been removed. Use the SpecialSearchNogomatch hook for similar
4270 functionality.
4271
4272 === New features in 1.24 ===
4273 * Added new hook WatchlistEditorBeforeFormRender, allowing subscribers to
4274 manipulate the list of pages and/or preload lots of data at once.
4275 * Added new argument &$link in hook WatchlistEditorBuildRemoveLine, allowing the
4276 link to the title to be changed.
4277 * Added a new hook, "WhatLinksHereProps", to allow extensions to annotate
4278 WhatLinksHere entries.
4279 * Added a new hook, "ContentGetParserOutput", to customize parser output for
4280 a given content object.
4281 * Deprecated the hook "ShowRawCssJs", use "ContentGetParserOutput" instead.
4282 * HTMLForm's HTMLTextField now supports the 'url' type.
4283 * HTMLForm fields may now be dynamically hidden based on the values of other
4284 fields in the form.
4285 * HTMLForm now supports multiple copies of an input field or set of input
4286 fields, e.g. the form may request "one or more usernames" without having to
4287 have the user enter delimited list of names into a text field.
4288 * Added a new hook, "SidebarBeforeOutput", to allow to edit the structure of
4289 the sidebar just before its display.
4290 * (bug 49156) Added the mediawiki.cookie ResourceLoader module, which wraps
4291 jquery.cookie so that getting/setting a cookie is syntactically and
4292 functionally similar to using the WebRequest::getCookie() and
4293 WebResponse::setcookie() methods.
4294 * (bug 44740) jQuery upgraded from 1.8.3 to 1.11.1. A new configuration option,
4295 $wgIncludejQueryMigrate, also loads the jQuery Migrate hack to let extensions
4296 and gadgets use the long-deprecated functions that were removed in jQuery 1.9.
4297 This option is turned off by default, and will be removed in MediaWiki 1.25.
4298 * (bug 47076) jQuery UI upgraded from 1.8.24 to 1.9.2.
4299 * Changes to content typography (fonts, etc.). See
4300 https://www.mediawiki.org/wiki/Typography_refresh for further information.
4301 * WikitextContent will now render redirects with the expected "redirect"
4302 header, rather than as an ordered list. Code calling Article::viewRedirect
4303 can probably be changed to no longer special-case redirects.
4304 * Header font set to a serif font stack. See
4305 https://www.mediawiki.org/wiki/Typography_refresh for further information.
4306 * (bug 65567) Added a new hook, "BeforeHttpsRedirect", to allow cancellation of
4307 the HTTP to HTTPS redirect due to forceHTTPS cookie, userRequires, etc. This
4308 is only for page views, since this hook doesn't affect UserLogin, OAuth,
4309 CentralAuth, etc. ATTENTION: This hook is likely to be removed soon due to
4310 overall design of the system.
4311 * (bug 17367) It is now possible to add pages to your watchlist from
4312 Special:UnwatchedPages without reloading the special page.
4313 * New methods setVolatile and isVolatile are added to PPFrame, so that
4314 extensions such as Cite.php can mark that their output is volatile and
4315 shouldn't be cached.
4316 * (bug 52817) Advanced search options are now saved on the search page itself,
4317 rather than in a dedicated pane in the preferences panel.
4318 * (bug 44591) The dropdown actions menu (little triangle next to page tabs) in
4319 the Vector skin has gained a label that should make it more discoverable.
4320 * MWCryptHKDF added for fast, cryptographically secure random number generation
4321 that won't deplete openssl's entropy pool.
4322 * ResourceLoader: File modules can now provide a skip function that uses an
4323 inline feature test to bypass loading of the module.
4324 * (bug 20210) Special pages may now provide autocompletion of their subpage
4325 names in search suggestions. Right now the only useful implementation is in
4326 Special:Log, but more are to come.
4327 * Special:MostLinkedTemplates is no longer limited to transclusions from the
4328 Template namespace.
4329 * Skins can now use 'remoteSkinPath' when defining ResourceLoader modules.
4330 This works the same as 'remoteExtPath' but is relative to the skins/ folder
4331 instead of the extensions/ folder.
4332 * Added the json2.js polyfill for the ES5 JSON.stringify and JSON.parse methods.
4333 Exposed as module "json" with a skip function to optimise loading.
4334 * Extensions and skins may now use 'namemsg' in $wgExtensionCredits in addition
4335 to 'name', to allow for the name to be localizable. 'name' should still be
4336 specified for backwards-compatibility and to define the path Special:Version
4337 uses to find extension license information.
4338 * Browser tests are now included to verify basic wiki functionality in developer
4339 environments. For details on running tests, see
4340 tests/browser/README.mediawiki.
4341 * Upgrade jStorage to v0.4.10.
4342 * {{!}} is now a magic word that produces the | character. This removes the need
4343 for Template:! for purposes such as passing pipes inside of parameters.
4344 * (bug 20790) The block log snippet on Special:Contributions and while
4345 editing user and user talk pages now works for IP range blocks.
4346 * (bug 9360) Added ability to change the page language for MediaWiki pages using
4347 Special:PageLanguage. All pages are set to wiki language by default.
4348 The feature needs to be enabled with $wgPageLanguageUseDB=true and
4349 permission needs to be set for 'pagelang'.
4350 * Upgrade Moment.js to v2.8.3.
4351 * (bug 67042) Added support for the HTML5 <rtc> tag for East Asian typography.
4352 * Upgrade Sinon.JS to 1.10.3.
4353 * Added the es5-shim polyfill for older or non-compliant javascript engines.
4354 * Upgrade jQuery Cookie to v1.3.1.
4355 * (bug 20476) Add a "viewsuppressed" user right to be able to view
4356 suppressed content but not suppress it ("suppressrevision" right).
4357 * (bug 66440) The MediaWiki web installer will now allow you to choose the skins
4358 to enable (from the ones included in download tarball) and decide which one
4359 should be the default.
4360 * (bug 68085, 68802) Links like [[localInterwikiPrefix:languageCode:pageTitle]],
4361 where localInterwikiPrefix is a member of the $wgLocalInterwikis array, will
4362 no longer be displayed in the sidebar when $wgInterwikiMagic is true. In a
4363 similar way, links like [[localInterwikiPrefix:File:Image.png]] and
4364 [[localInterwikiPrefix:Category:Hello]] will now render as regular links, and
4365 will not include the file or add the page to the category.
4366 * New special page, MyLanguage, to redirect users to subpages with localised
4367 versions of a page. (Integrated from Extension:Translate)
4368 * MediaWiki now supports multiple password types, including bcrypt and PBKDF2.
4369 The default type can be changed with $wgPasswordDefault and the type
4370 configurations can be changed with $wgPasswordConfig.
4371 * Skins can now define custom styles for default ResourceLoader modules using
4372 the $wgResourceModuleSkinStyles global. See the Vector skin for examples.
4373 * (bug 4488) There is now a preference to watch pages where the user has
4374 rollbacked an edit by default.
4375 * (bug 15484) Users will now be redirected to the login page when they need to
4376 log in, rather than being shown a page asking them to log in and having to
4377 click another link to actually get to the login page.
4378 * A JsonContent and JsonContentHandler were added for extensions to extend.
4379 * (bug 35045) Redirects to sections will now update the URL in browser's address
4380 bar using the HTML5 History API. When [[Dog]] redirects to [[Animals#Dog]],
4381 the user will now see "Animals#Dog" in their browser instead of "Dog#Dog".
4382 * API token handling has been rewritten. Any API module using tokens will need
4383 to be updated. See the entry below under "Action API internal changes".
4384 * Added HTMLAutoCompleteSelectField.
4385 * Added a new hook, "SkinPreloadExistence", to allow extensions to add titles to
4386 link existence cache before the page is rendered.
4387 * Config::set() was moved to its own interface, MutableConfig.
4388 GlobalVarConfig::set() is now deprecated, does not implement MutableConfig.
4389 * A MutableConfig named HashConfig was added, that stores an array of
4390 configuration settings.
4391 * (bug 69418) A MultiConfig implementation was added that supports fallback
4392 to multiple Config instances.
4393 * Update CSSJanus to v1.1.0.
4394 * Added FormatJson::parse() returning status with result or localized error
4395 message
4396 * Added DeletedContribsPager::reallyDoQuery hook allowing extensions to data to
4397 Special:DeletedContributions
4398 * Added DeletedContributionsLineEnding hook allowing extensions to format
4399 Special:DeletedContributions lines
4400 * (T69525) You can now make MediaWiki speed up its thumbnail rendering by using
4401 intermediary thumbnails. $wgThumbnailBuckets must be set to a list of target
4402 thumbnail widths; when a new thumbnail needs to be rendered, MediaWiki will
4403 find the smallest bucket smaller than the original but larger than the target
4404 width + $wgThumbnailMinimumBucketDistance, and it will scale that thumbnail,
4405 rather than the original, down to the target size at greater speed in return
4406 for minor loss of fidelity.
4407
4408 === Bug fixes in 1.24 ===
4409 * (bug 50572) MediaWiki:Blockip should support gender
4410 * (bug 49116) Footer copyright notice is now always displayed in user language
4411 rather than content language (same as copyright notice for editing interface).
4412 * (bug 62258) A bug was fixed in File::getUnscaledThumb when a height
4413 restriction was present in the parameters. Images with both the "frame"
4414 option and a size specification set will now always ignore the provided
4415 size and display an unscaled image, as the documentation has always
4416 claimed it would.
4417 * (bug 39035) Improved Vector skin performance by removing collapsibleNav,
4418 which used to collapse some sidebar elements by default.
4419 This removes -list id suffixes like p-lang-list: instead of using things like
4420 #p-lang-list, you can do #p-lang .body ul.
4421 * (bug 890) Links in Special:RecentChanges and Special:Watchlist no longer
4422 follow redirects to their target pages.
4423 * Parser now dies early if called recursively, instead of producing subtle bugs.
4424 * (bug 14323) Redirect pages, when viewed with redirect=no, no longer hide the
4425 remaining page content.
4426 * (bug 52587) Maintenance script deleteBatch.php no longer follows redirects
4427 in the file namespace and delete the file on the target page. It will still
4428 however delete the redirect page.
4429 * (bug 22683) {{msgnw:}} and other uses of PPFrame::RECOVER_ORIG will correctly
4430 recover the original code of extension tags.
4431 * (bug 65757) MSSQL: Update script drops unnamed constraints to be prepared
4432 for future updates. Because it's doing so heuristically, it may fail or drop
4433 wrong constraints.
4434 * (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
4435 * $wgRunJobsAsync now works with private wikis (e.g. read requires login).
4436 * (bugs 57238, 65206) Blank pages can now be directly created.
4437 * (bug 69789) Title::getContentModel() now loads from the database when
4438 necessary instead of incorrectly returning the default content model.
4439 * (bug 69249) wfBaseConvert() now works around PHP Bug #50175 when using GMP.
4440 * (bug 57909) URLs in the externallinks table will no longer have certain
4441 characters decoded in the query string.
4442 * (bug 67368) LESS mixins like .background-image() correctly flip image
4443 references for RTL stylesheets now.
4444
4445 === Action API changes in 1.24 ===
4446 * action=parse API now supports prop=modules, which provides the list of
4447 ResourceLoader modules that should be used to enhance the parsed content.
4448 * action=query&meta=siteinfo&siprop=interwikimap returns a new "protorel"
4449 field which is true if protocol-relative urls can be used to access
4450 a particular interwiki map entry.
4451 * list=logevents now provides logpage, which is the page ID from the
4452 logging table, if ids are requested and the user has the permissions.
4453 * action=edit now requires that appendtext, prependtext, or section=new be used
4454 when using the 'redirect' parameter, to prevent clients accidentally
4455 overwriting the target page with the content of the redirect.
4456 * list=logevents will now return an error if both letitle and leprefix are
4457 specified.
4458 * list=logevents has a new parameter, lenamespace, to allow filtering by
4459 namespace.
4460 * action=expandtemplates has a new parameter, prop, and a new output format.
4461 The old format is still used if prop isn't provided, but this is deprecated.
4462 * meta=userinfo can now return the count of unread pages on the watchlist.
4463 * list=watchlist can now filter by unread status.
4464 * The deprecated action=parse&prop=languageshtml has been removed.
4465 * (bug 48071) action=setnotificationtimestamp no longer throws PHP or database
4466 errors when no pages are given.
4467 * (bug 60734) Actions that use ApiPageSet (e.g. purge, watch,
4468 setnotificationtimestamp) will now include continuation information when
4469 using a generator.
4470 * Removed 'props' and 'errors' from action=paraminfo, as they have extremely
4471 limited use and are generally inaccurate, unmaintained, and impossible to
4472 properly maintain.
4473 * Formats dbg, dump, txt, wddx, and yaml are now deprecated.
4474 * action=paraminfo now indicates when a parameter is specifying a submodule.
4475 * The iwurl parameter to prop=iwlinks is deprecated in favor of iwprop=url, for
4476 parallelism with prop=langlinks.
4477 * All tokens should be fetched from action=query&meta=tokens; all other methods
4478 of fetching tokens are deprecated. The value needed for meta=tokens's 'type'
4479 parameter for each module is documented in the action=help output and is
4480 returned from action=paraminfo.
4481 * New action ClearHasMsg that can be used to clear HasMsg flag.
4482 * The cmstartsortkey and cmendsortkey parameters to list=categorymembers are
4483 deprecated in favor of cmstarthexsortkey and cmendhexsortkey.
4484 * (bug 63326) Add blockedtimestamp field to output of blockinfo property for
4485 the list=allusers and list=users modules.
4486 * prop=imageinfo no longer requires iiurlwidth to be set when using iiurlparam.
4487 * Added prop=linkshere, prop=fileusage, and prop=transcludedin, which are
4488 roughly equivalent to list=backlinks, list=imageusage, and list=embeddedin
4489 but can work on a list of titles (including titles from a generator).
4490 * prop=redirects can now filter returned redirects by namespace.
4491
4492 === Action API internal changes in 1.24 ===
4493 * Methods for handling continuation are added to ApiResult, so actions other
4494 than query that use generators can easily support continuation.
4495 * $wgAPIModules (and the related $wgAPIFormatModules, $wgAPIMetaModules,
4496 $wgAPIPropModules, and $wgAPIListModules settings) now allow API modules
4497 to be specified using a "module spec" array instead of a plain class name.
4498 A "module spec" is an associative array containing at least the 'class' key
4499 for the module's class, and optionally a 'factory' key for the factory
4500 function to use for the module. This is intended for extensions that want
4501 control over the instantiation of their API modules, to allow for proper
4502 dependency injection.
4503 * A new param type 'submodule' is available. Parameters of this type will take
4504 the list of valid values from the module's ApiModuleManager for the group
4505 corresponding to the parameter name.
4506 * The 'APIGetPossibleErrors' and 'APIGetResultProperties' hooks are no longer
4507 used.
4508 * API token handling has been rewritten. Any API module using tokens will need
4509 to be updated:
4510 * ApiBase::needsToken now returns a token type instead of boolean true when a
4511 token is needed. Returning true will throw an exception. See documentation
4512 of that method for details.
4513 * Information for the 'token' parameter is automatically set by ApiBase
4514 getFinalParams and getFinalParamDescription.
4515 * ApiBase::getTokenSalt has been removed.
4516 * The hooks APIQueryInfoTokens, APIQueryRevisionsTokens,
4517 APIQueryRecentChangesTokens, APIQueryUsersTokens, and
4518 ApiTokensGetTokenTypes are deprecated, but are still called to support
4519 backwards-compatible token access.
4520 * ApiBase::validateLimit and ApiBase::validateTimestamp are now protected.
4521 * ApiQueryRedirects was removed; prop=redirects is now implemented by
4522 ApiQueryBacklinksProp along with the newly-added prop modules.
4523 * The following methods have been deprecated and may be removed in a future
4524 release:
4525 * ApiBase::getResultProperties
4526 * ApiBase::getFinalResultProperties
4527 * ApiBase::addTokenProperties
4528 * ApiBase::getRequireOnlyOneParameterErrorMessages
4529 * ApiBase::getRequireMaxOneParameterErrorMessages
4530 * ApiBase::getRequireAtLeastOneParameterErrorMessages
4531 * ApiBase::getTitleOrPageIdErrorMessage
4532 * ApiBase::getPossibleErrors
4533 * ApiBase::getFinalPossibleErrors
4534 * ApiBase::parseErrors
4535 * ApiQuery::setGeneratorContinue
4536 * ApiQueryBase::checkRowCount
4537 * ApiQueryBase::titleToKey
4538 * ApiQueryBase::keyToTitle
4539 * ApiQueryBase::keyPartToTitle
4540 * ApiQueryInfo::getTokenFunctions
4541 * ApiQueryInfo::resetTokenCache
4542 * ApiQueryInfo::getEditToken
4543 * ApiQueryInfo::getDeleteToken
4544 * ApiQueryInfo::getProtectToken
4545 * ApiQueryInfo::getMoveToken
4546 * ApiQueryInfo::getBlockToken
4547 * ApiQueryInfo::getUnblockToken
4548 * ApiQueryInfo::getEmailToken
4549 * ApiQueryInfo::getImportToken
4550 * ApiQueryInfo::getWatchToken
4551 * ApiQueryInfo::getOptionsToken
4552 * ApiQueryRecentChanges::getTokenFunctions
4553 * ApiQueryRecentChanges::getPatrolToken
4554 * ApiQueryRevisions::getTokenFunctions
4555 * ApiQueryRevisions::getRollbackToken
4556 * ApiQueryUsers::getTokenFunctions
4557 * ApiQueryUsers::getUserrightsToken
4558 * The following classes have been deprecated and may be removed in a future
4559 release:
4560 * ApiFormatDbg
4561 * ApiFormatDump
4562 * ApiFormatTxt
4563 * ApiFormatWddx
4564 * ApiFormatYaml
4565 * ApiTokens
4566 * The following class constants have been deprecated and may be removed in a
4567 future release:
4568 * ApiBase::PROP_ROOT
4569 * ApiBase::PROP_LIST
4570 * ApiBase::PROP_TYPE
4571 * ApiBase::PROP_NULLABLE
4572
4573 === Languages updated in 1.24 ===
4574
4575 MediaWiki supports over 350 languages. Many localisations are updated
4576 regularly. Below only new and removed languages are listed, as well as
4577 changes to languages because of Bugzilla reports.
4578
4579 === Other changes in 1.24 ===
4580 * The deprecated jquery.delayedBind ResourceLoader module was removed.
4581 * The deprecated function mw.util.toggleToc was removed.
4582 * The Special:Search hooks SpecialSearchGo and SpecialSearchResultsAppend
4583 were removed as they were unused.
4584 * (bug 65477) User::pingLimiter() now has an additional profile point varying
4585 by action being used.
4586 * mediawiki.util.$content no longer supports old versions of the Vector,
4587 Monobook, Modern and CologneBlue skins that don't yet implement the "mw-body"
4588 and/or "mw-body-primary" class name in their html.
4589 * Added pp_sortkey column to page_props table, so pages can be efficiently
4590 queried and sorted by property value (bug 58032).
4591 See $wgPagePropsHaveSortkey if you want to postpone the schema change.
4592 * BREAKING CHANGE: All four built-in MediaWiki skins (Vector, MonoBook, Modern
4593 and Cologne Blue) were moved out of MediaWiki core to their own respective
4594 repositories. They will be installed with the release tarball, but you must
4595 install them separately if installing MediaWiki from source code. A warning
4596 message displayed until you do it should guide you through the process. See
4597 also <https://www.mediawiki.org/wiki/Manual:Skin_configuration>.
4598 * BREAKING CHANGE: Skins built for MediaWiki 1.15 and earlier that do not use
4599 the "headelement" template key are no longer supported. Setting
4600 $useHeadElement = false; is no longer supported and will not cause old keys
4601 like "headlinks", "skinnameclass", etc. to be defined.
4602 * BREAKING CHANGE: The files commonElements.css, commonContent.css and
4603 commonInterface.css (in skins/common/) have been removed. Skins may no longer
4604 rely on their presence and include them in their style modules. ResourceLoader
4605 modules introduced in MediaWiki 1.23 should be loaded instead:
4606 - skins/common/commonElements.css → 'mediawiki.skinning.elements' module
4607 - skins/common/commonContent.css → 'mediawiki.skinning.content' module
4608 - skins/common/commonInterface.css → 'mediawiki.skinning.interface' module
4609 * The deprecated 'SpecialVersionExtensionTypes' hook was removed.
4610 * (bug 63891) Add 'X-Robots-Tag: noindex' header in action=render pages.
4611 * SpecialPage no longer supports the syntax for invoking wfSpecial*() functions.
4612 Special pages should subclass SpecialPage and implement the execute() method.
4613 * (bug 63755) The deprecated constants RC_MOVE and RC_MOVE_OVER_REDIRECT were
4614 removed.
4615 * Special:MostLinkedTemplates has been renamed to Special:MostTranscludedPages.
4616 * The skin autodiscovery mechanism has been deprecated and will be removed in
4617 MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
4618 for migration guide for creators and users of custom skins that relied on it.
4619 * ResourceLoaderFileModule#getAllStyleFiles now returns all style files and all
4620 skin style files used by the module.
4621 * Removed getLang() from IContextSource and subclasses. (deprecated since 1.19)
4622 * Removed setLang() from subclasses of IContextSource. (deprecated since 1.19)
4623 * Removed WebRequest::escapeAppendQuery(). (deprecated since 1.20)
4624 * Removed info(), purge(), revert() and rollback() from the Article class; they
4625 have since become subclasses of the Action class. (deprecated since 1.19)
4626 * SearchEngineReplacePrefixesComplete hook was removed.
4627 * The "jquery.json" module has been deprecated. Use the "json" module instead.
4628 * Removed HTMLForm::addJS(). (deprecated since 1.18)
4629 * Removed LogEventsList::showHeader(). (deprecated since 1.19)
4630 * Removed ImageGalleryBase::useSkin(). (deprecated since 1.18)
4631 * Removed DatabaseMysqlBase::getLagFromProcesslist(). (deprecated since 1.19)
4632 * Removed LoadBalancer::closeConnecton(). (deprecated since 1.18)
4633 * Removed ApiBase::createContext(). (deprecated since 1.19)
4634 * BREAKING CHANGE: The undocumented Special{$this->getName()}BeforeFormDisplay
4635 set of hooks has been removed and replaced by a single new hook
4636 SpecialPageBeforeFormDisplay.
4637 * (bug 65781) Removed block warning on included {{Special:Contributions}}
4638 * Removed Skin::makeGlobalVariablesScript(). (deprecated since 1.19)
4639 * Removed MWNamespace::isMain(). (deprecated since 1.19)
4640 * Removed Preferences::loadOldSearchNs(). (deprecated since 1.19)
4641 * Removed OutputPage::getStatusMessage(). (deprecated since 1.18)
4642 * Removed OutputPage::isUserJsAllowed(). (deprecated since 1.18)
4643 * Removed Title::updateTitleProtection(). (deprecated since 1.19)
4644 * Removed ParserOptions::setSkin(). (deprecated since 1.19)
4645 * Removed Title::escapeCanonicalURL(). (deprecated since 1.19)
4646 * Removed Title::escapeLocalURL(). (deprecated since 1.19)
4647 * Removed Title::escapeFullURL(). (deprecated since 1.19)
4648 * Removed User::isValidEmailAddr(). (deprecated since 1.18)
4649 * Removed Title::getEscapedText(). (deprecated since 1.19)
4650 * Removed Language::getFallbackLanguageCode(). (deprecated since 1.19)
4651 * Removed WikiPage::isBigDeletion(). (deprecated since 1.19)
4652 * Removed MWInit class which contained functions related to a now discontinued
4653 PHP compiler called hphpc. (deprecated since 1.22)
4654 * ApiResult::enableSizeCheck() and disableSizeCheck() are now obsolete.
4655 * Removed ResourceLoaderGetStartupModules hook. (deprecated since 1.23)
4656 * Removed getFormFields(), onSubmit() and onSuccess() from FormlessAction, as
4657 these were meant specifically for FormAction instead.
4658 * Removed Action::execute().
4659 * Removed AjaxAddScript which has been obsolete since ResourceLoader and
4660 is unused by any modern extension.
4661 * Removed maintenance/nextJobDB.php; no longer in use.
4662 * Removed global function wfViewPrevNext(). (deprecated since 1.19)
4663 * Removed global function xmlsafe() from Export.php. (moved to OAIRepo
4664 extension)
4665 * Removed Title::userCanRead(). (deprecated since 1.19)
4666 * Removed maintenance script importTextFile.php. Use edit.php script instead.
4667 * A _from_namespace field has been added to the templatelinks, pagelinks,
4668 and filelinks tables. Run update.php to apply this change to the schema.
4669 * Removed File::sha1Base36(). (deprecated since 1.19)
4670 * Removed File::getPropsFromPath(). (deprecated since 1.19)
4671 * Removed functions blockedPage(), noCreatePermission(), readOnlyPage() and
4672 userNotLoggedInPage() from EditPage.php. (deprecated since 1.19)
4673 * Removed functions getContent(), getPreloadedText(), mergeChangesInto() and
4674 setPreloadedText() from EditPage.php. (deprecated since 1.21)
4675 * Removed global functions wfArrayLookup(), wfArrayMerge(),
4676 wfDebugDieBacktrace() and wfTime(). (deprecated since 1.22)
4677 * Browser support for Internet Explorer 6 and 7 lowered from Grade A to Grade C,
4678 meaning that JavaScript is no longer executed in these browser versions.
4679 * Browser support for Opera 11 lowered from Grade A to Grade C.
4680 * Removed IEFixes module which existed purely to provide support for MSIE
4681 versions below 7 (conditionally loaded only for those browsers).
4682 * Deprecated SpecialPageFactory::getList() in favor of
4683 SpecialPageFactory::getNames()
4684 * Action::checkCanExecute() no longer has a return value.
4685 * Removed cleanupForIRC(), loadFromCurRow(), newFromCurRow(), notifyRC2UDP()
4686 and sendToUDP() from RecentChange.php. (deprecated since 1.22)
4687 * Removed EnhancedChangesList::arrow(), sideArrow(), downArrow(), spacerArrow().
4688 * Removed Xml::namespaceSelector(). (deprecated since 1.19)
4689 * Removed WikiPage::estimateRevisionCount(). (deprecated since 1.19)
4690 * MYSQL: Enum item added to "major MIME type" columns.
4691 Running update.php on MySQL < v5.1 may result in heavy processing.
4692 * RSS and Atom feeds generated by MediaWiki no longer include a fallback
4693 stylesheet. It was ignored by most browsers these days anyway.
4694 * SpecialSearchNoResults hook has been removed. SpecialSearchResults is now
4695 called unconditionally.
4696 * TablePager::getBody() is now 'final' and can't be overridden in subclasses.
4697 * TablePager::getBody() is deprecated, use getBodyOutput() or getFullOutput().
4698 * Added $outputPage parameter to the SkinTemplateGetLanguageLink hook.
4699 * log_page for move log entries store the original page ID, rather than that
4700 of the new redirect page. This is not retroactive.
4701 * LCStoreAccel was removed. $wgLocalisationCacheConf can no longer be set to
4702 use this store class.
4703 * Html::infoBox() no longer accepts paths relative to skins/common/images/.
4704 * Deprecated defunct Skin::getCommonStylePath().
4705 * Some extensions had their ResourceLoader modules depend on the "mediawiki"
4706 and "jquery" modules. In the past, this behavior was undefined, now it will
4707 throw an error.
4708 * Removed BagOStuff::replace(). (deprecated since 1.23)
4709 * In Linker.php, link(), linkText() and makeBrokenImageLinkObj() now display
4710 warnings if their first parameter is not a Title object. Also makeImageLink()
4711 now requires a Parser as its first parameter.
4712 * (bug 67368) LESS functions embed() and embeddable(), added in MediaWiki 1.23
4713 and broken by design, have been removed. Use appropriate LESS mixins instead.
4714 * Removed cssjanus.py from maintenance directory as it was unused.
4715 * Removed maintenance/purgeOldText.inc and the PurgeRedundantText() function
4716 it contained (superseded by Maintenance::purgeRedundantText() in 1.16).
4717 The purgeOldText.php maintenance script has been retained.
4718 * PHPUnit tests can be found by directory discovery, by adding the directory
4719 path from your UnitTestsList callback. Older versions of MediaWiki core will
4720 barf at this usage.
4721
4722 ==== Renamed classes ====
4723 * CLDRPluralRuleConverter_Expression to CLDRPluralRuleConverterExpression
4724 * CLDRPluralRuleConverter_Fragment to CLDRPluralRuleConverterFragment
4725 * CLDRPluralRuleConverter_Operator to CLDRPluralRuleConverterOperator
4726 * CLDRPluralRuleEvaluator_Range to CLDRPluralRuleEvaluatorRange
4727 * CSSJanus_Tokenizer to CSSJanusTokenizer
4728 * MediaWiki_I18N to MediaWikiI18N
4729 * Parser_DiffTest to ParserDiffTest
4730 * RevDel_ArchiveItem to RevDelArchiveItem
4731 * RevDel_ArchiveList to RevDelArchiveList
4732 * RevDel_ArchivedFileItem to RevDelArchivedFileItem
4733 * RevDel_ArchivedFileList to RevDelArchivedFileList
4734 * RevDel_ArchivedRevisionItem to RevDelArchivedRevisionItem
4735 * RevDel_FileItem to RevDelFileItem
4736 * RevDel_FileList to RevDelFileList
4737 * RevDel_Item to RevDelItem
4738 * RevDel_List to RevDelList
4739 * RevDel_LogItem to RevDelLogItem
4740 * RevDel_LogList to RevDelLogList
4741 * RevDel_RevisionItem to RevDelRevisionItem
4742 * RevDel_RevisionList to RevDelRevisionList
4743 * WebInstaller_Complete to WebInstallerComplete
4744 * WebInstaller_Copying to WebInstallerCopying
4745 * WebInstaller_DBConnect to WebInstallerDBConnect
4746 * WebInstaller_DBSettings to WebInstallerDBSettings
4747 * WebInstaller_Document to WebInstallerDocument
4748 * WebInstaller_ExistingWiki to WebInstallerExistingWiki
4749 * WebInstaller_Install to WebInstallerInstall
4750 * WebInstaller_Language to WebInstallerLanguage
4751 * WebInstaller_Name to WebInstallerName
4752 * WebInstaller_Options to WebInstallerOptions
4753 * WebInstaller_Readme to WebInstallerReadme
4754 * WebInstaller_ReleaseNotes to WebInstallerReleaseNotes
4755 * WebInstaller_Restart to WebInstallerRestart
4756 * WebInstaller_Upgrade to WebInstallerUpgrade
4757 * WebInstaller_UpgradeDoc to WebInstallerUpgradeDoc
4758 * WebInstaller_Welcome to WebInstallerWelcome
4759
4760 ==== Removed classes ====
4761 * IPBlockForm - Use SpecialBlock directly
4762 * WatchlistEditor - Use SpecialEditWatchlist directly
4763 * FormatExif - Use FormatMetadata directly
4764 * RevertFileAction - Use RevertAction directly
4765 * HistoryPage - Use HistoryAction directly
4766 * RawPage - Use RawAction directly
4767 * StubContLang - Use Language::factory() instead
4768 * XMLReader2 - Use XMLReader directly
4769 * ResourceLoaderLESSFunctions - No longer in use, not intended for public usage
4770
4771 ==== Removed files ====
4772 The skins/common/ directory, previously containing some assets intended to be
4773 used by skins and a number of legacy styles and scripts, has been removed. Its
4774 contents have been deleted or relocated into the resources/ directory. Full list
4775 of files that are no longer available follows.
4776
4777 * skins/common/ajax.js
4778 * skins/common/commonContent.css
4779 * skins/common/commonElements.css
4780 * skins/common/commonInterface.css
4781 * skins/common/commonPrint.css
4782 * skins/common/config-cc.css
4783 * skins/common/config.css
4784 * skins/common/config.js
4785 * skins/common/feed.css
4786 * skins/common/IEFixes.js
4787 * skins/common/oldshared.css
4788 * skins/common/protect.js
4789 * skins/common/shared.css
4790 * skins/common/upload.js
4791 * skins/common/wikibits.js
4792 * skins/common/images/add.png
4793 * skins/common/images/ajax-loader.gif
4794 * skins/common/images/arrow_disabled_first_25.png
4795 * skins/common/images/arrow_disabled_last_25.png
4796 * skins/common/images/arrow_disabled_left_25.png
4797 * skins/common/images/arrow_disabled_right_25.png
4798 * skins/common/images/arrow_first_25.png
4799 * skins/common/images/arrow_last_25.png
4800 * skins/common/images/arrow_left_25.png
4801 * skins/common/images/arrow_right_25.png
4802 * skins/common/images/Arr_.png
4803 * skins/common/images/Arr_d.png
4804 * skins/common/images/Arr_l.png
4805 * skins/common/images/Arr_r.png
4806 * skins/common/images/Arr_u.png
4807 * skins/common/images/bullet.gif
4808 * skins/common/images/button_bold.png
4809 * skins/common/images/button_extlink.png
4810 * skins/common/images/button_headline.png
4811 * skins/common/images/button_hr.png
4812 * skins/common/images/button_image.png
4813 * skins/common/images/button_italic.png
4814 * skins/common/images/button_link.png
4815 * skins/common/images/button_media.png
4816 * skins/common/images/button_nowiki.png
4817 * skins/common/images/button_sig.png
4818 * skins/common/images/button_template.png
4819 * skins/common/images/cc-0.png
4820 * skins/common/images/cc-by-nc-sa.png
4821 * skins/common/images/cc-by-sa.png
4822 * skins/common/images/cc-by.png
4823 * skins/common/images/Checker-16x16.png
4824 * skins/common/images/closewindow.png
4825 * skins/common/images/closewindow19x19.png
4826 * skins/common/images/critical-32.png
4827 * skins/common/images/diffunderline.gif
4828 * skins/common/images/download-32.png
4829 * skins/common/images/feed-icon.png
4830 * skins/common/images/feed-icon.svg
4831 * skins/common/images/gnu-fdl.png
4832 * skins/common/images/help-question-hover.gif
4833 * skins/common/images/help-question.gif
4834 * skins/common/images/info-32.png
4835 * skins/common/images/link_icon.gif
4836 * skins/common/images/magnify-clip-rtl.png
4837 * skins/common/images/magnify-clip.png
4838 * skins/common/images/mediawiki.png
4839 * skins/common/images/nextredirectltr.png
4840 * skins/common/images/nextredirectrtl.png
4841 * skins/common/images/poweredby_mediawiki_88x31.png
4842 * skins/common/images/public-domain.png
4843 * skins/common/images/question-small.png
4844 * skins/common/images/question.svg
4845 * skins/common/images/redirectltr.png
4846 * skins/common/images/redirectrtl.png
4847 * skins/common/images/remove.png
4848 * skins/common/images/spinner.gif
4849 * skins/common/images/tick-32.png
4850 * skins/common/images/tipsy-arrow.gif
4851 * skins/common/images/tooltip_icon.png
4852 * skins/common/images/warning-32.png
4853 * skins/common/images/wiki.png
4854 * skins/common/images/Zoom_sans.gif
4855 * skins/common/images/ar/button_bold.png
4856 * skins/common/images/ar/button_headline.png
4857 * skins/common/images/ar/button_italic.png
4858 * skins/common/images/ar/button_link.png
4859 * skins/common/images/ar/button_nowiki.png
4860 * skins/common/images/be-tarask/button_bold.png
4861 * skins/common/images/be-tarask/button_italic.png
4862 * skins/common/images/be-tarask/button_link.png
4863 * skins/common/images/cyrl/button_bold.png
4864 * skins/common/images/cyrl/button_italic.png
4865 * skins/common/images/cyrl/button_link.png
4866 * skins/common/images/de/button_bold.png
4867 * skins/common/images/de/button_italic.png
4868 * skins/common/images/fa/button_bold.png
4869 * skins/common/images/fa/button_headline.png
4870 * skins/common/images/fa/button_italic.png
4871 * skins/common/images/fa/button_link.png
4872 * skins/common/images/fa/button_nowiki.png
4873 * skins/common/images/icons/fileicon-c.png
4874 * skins/common/images/icons/fileicon-cpp.png
4875 * skins/common/images/icons/fileicon-deb.png
4876 * skins/common/images/icons/fileicon-djvu.png
4877 * skins/common/images/icons/fileicon-djvu.xcf
4878 * skins/common/images/icons/fileicon-dvi.png
4879 * skins/common/images/icons/fileicon-exe.png
4880 * skins/common/images/icons/fileicon-h.png
4881 * skins/common/images/icons/fileicon-html.png
4882 * skins/common/images/icons/fileicon-iso.png
4883 * skins/common/images/icons/fileicon-java.png
4884 * skins/common/images/icons/fileicon-mid.png
4885 * skins/common/images/icons/fileicon-mov.png
4886 * skins/common/images/icons/fileicon-o.png
4887 * skins/common/images/icons/fileicon-ogg.png
4888 * skins/common/images/icons/fileicon-ogg.xcf
4889 * skins/common/images/icons/fileicon-pdf.png
4890 * skins/common/images/icons/fileicon-ps.png
4891 * skins/common/images/icons/fileicon-psd.png
4892 * skins/common/images/icons/fileicon-rm.png
4893 * skins/common/images/icons/fileicon-rpm.png
4894 * skins/common/images/icons/fileicon-svg.png
4895 * skins/common/images/icons/fileicon-tar.png
4896 * skins/common/images/icons/fileicon-tex.png
4897 * skins/common/images/icons/fileicon-ttf.png
4898 * skins/common/images/icons/fileicon-txt.png
4899 * skins/common/images/icons/fileicon.png
4900 * skins/common/images/ksh/button_S_italic.png
4901
4902 = MediaWiki 1.23 =
4903
4904 == MediaWiki 1.23.17 ==
4905
4906 === Changes since 1.23.16 === <!--T:69-->
4907 * Fix syntax errors introduced in 1.23.16 when running PHP 5.3.
4908
4909 == MediaWiki 1.23.16 ==
4910 This is a security and maintenance release of the MediaWiki 1.23 branch.
4911
4912 === Changes since 1.23.15 ===
4913 * (T68404) CSS3 attr() function with url type is no longer allowed
4914 in inline styles.
4915 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
4916 * Submitting the lgtoken and lgpassword parameters in the query string to
4917 action=login is now deprecated and outputs a warning. They should be submitted
4918 in the POST body instead.
4919 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
4920 redirect to interwiki links.
4921 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
4922 $wgAdvancedSearchHighlighting is true.
4923 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
4924 their values out of the logs.
4925 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
4926 CSRF token.
4927 * (T156184) SECURITY: Escape content model/format url parameter in message.
4928 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
4929 declaration.
4930 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
4931 inclusion syntax's link parameter.
4932 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
4933 against it.
4934
4935 == MediaWiki 1.23.15 ==
4936
4937 This is a maintenance release of the MediaWiki 1.23 branch.
4938
4939 === Changes since 1.23.14 ===
4940 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests