Bring in HISTORY for 1.27.6/1.30.2/1.31.2/1.32.2
[lhc/web/wiklou.git] / HISTORY
1 Change notes from older releases. For current info see RELEASE-NOTES-1.34.
2
3 = MediaWiki 1.32 =
4
5 == MediaWiki 1.32.2 ==
6
7 This is a security and maintenance release of the MediaWiki 1.32 branch.
8
9 === Changes since MediaWiki 1.32.1 ===
10 * (T204423) Backport support for hyphenated DB names in JobQueueGroup.
11 * (T216968) Return pageid as int in both list=iwbacklinks and
12 list=langbacklinks.
13 * (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
14 * (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
15 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
16 $wgBlockDisablesLogin is true.
17 * (T216029) Chrome redirects to Special:BadTitle after editing a section with
18 a non-Latin name on a page with non-Latin characters in title.
19 * Unbreak language related maintenance scripts that use StaticArrayWriter.
20 * (T219728) Added support for new Japanese era name "Reiwa".
21 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
22 token.
23 * Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
24 * (T221045) Remove orphaned code from ConfigRepository.
25 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
26 saveFileDependencies().
27 * (T224374) Fix message parameters so that the message that says SQLite is
28 out of date makes sense.
29 * (T200471) Prevent LBFactorySimple breaking ExternalStorage, when trying to
30 connect to external server with local database name.
31 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
32 * (T208881) SECURITY: blacklist CSS var().
33 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
34 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
35 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
36 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
37 view the log type.
38 * (T221739) SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358.
39
40 == MediaWiki 1.32.1 ==
41
42 === Changes since MediaWiki 1.32.0 ===
43 * (T213577) rdbms: avoid transaction status errors from ping() in rollback().
44 * rdbms: Pass required parameter.
45 * rdbms: do not treat SAVEPOINT and RELEASE SAVEPOINT as write queries.
46 * (T204531) rdbms: reduce LoadBalancer replication log spam.
47 * (T213489) Avoid session double-start in Setup.php.
48 * (T213717) Correct namespace 'Template' for gom-deva
49 * (T198054) Fix login page crash caused by unknown language via ?uselang
50 * (T215324) (T210937) list=users mistakenly reports user as missing.
51 * (T209483) Add ILBFactory::redefineLocalDomain method. This is intended for
52 use with scripts like addWiki.php to avoid mismatched domain errors.
53 * (T208871) The hard-coded Google search form on the database error page was
54 removed.
55 * (T204800) Fix Title::getFragmentForURL for bad interwiki prefix
56 * (T215566) Fix installer being unable to determine if the database exists
57 during a fresh installation.
58
59 == MediaWiki 1.32.0 ==
60
61 === Changes since MediaWiki 1.32.0-rc.2 ===
62 * (T188327) Fix slow queries in migrateActors.php.
63 * (T102320) Fix $magicWords for the Sanskrit language.
64
65 === Changes since MediaWiki 1.32.0-rc.1 ===
66 * Fix addition of ug_expiry column to user_groups table on MSSQL.
67 * (T210307) Fix the cache timestamp for forced updates.
68 * (T210621) User: Bypass repeatable-read when creating an actor_id.
69 * (T197535) Extensions can now specify PHP versions and PHP extensions they
70 depend on.
71 * Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
72 * (T212356) When using action=delete on pages with many revisions, the module
73 may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
74 deletion will be processed via the job queue.
75 * (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
76 recentchanges.rc_cur_time from the PostgreSQL schema.
77
78 === Changes since MediaWiki 1.32.0-rc.0 ===
79 * (T209885) Prevent populateSearchIndex.php from breaking once actor migration
80 has been started.
81 * (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
82 if --lang is used with the command-line installer (install.php).
83
84 === Configuration changes in 1.32 ===
85
86 ==== New configuration ====
87 * $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
88 this setting. The default is 80, which matches the quality of JPEG thumbnails
89 previously generated by ImageMagick. The quality of JPEG thumbnails generated
90 by GD was previously 95, but now uses the $wgJpegQuality setting as well.
91 * $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
92 user is blocked. Doing so means that a blocked user, even after moving to a
93 new IP address, will still be blocked.
94 * $wgRawHtmlMessages – This new configuration setting is added for listing
95 messages which are displayed as raw HTML.
96 * $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
97 "Content Security Policy" for your wiki. This adds a defense-in-depth feature
98 to stop an attacker who has found a bug in the parser allowing them to insert
99 malicious attributes. Disabled by default. (T135963)
100 * $wgGroupPermissions – A new user group, 'interface-admin', is added for
101 controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
102 other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
103 by default.
104 * $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
105 granting the above rights.
106 * $wgDBDefaultGroup – A default database group for use by maintenance scripts.
107 * $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
108 enable client-side profiling of JavaScript modules; it is off by default.
109 * (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
110 setting allows sysadmins to gradually migrate the database table schema for
111 how change tags are stored.
112 * (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
113 allows sysadmins to enable the caching of Special:Tags via the new
114 change_tag_def table.
115
116 ==== Changed configuration ====
117 * $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
118 * $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
119 been increased from 3 to 7 days. (T194414)
120 * $wgGroupPermissions – The right to edit sitewide Javascript
121 (e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
122 and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
123 'editinterface' is still necessary to edit such pages.
124 * $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
125 old and the new schema, but reading the new schema, so Multi-Content Revisions
126 (MCR) are now functional per default. The new default value of the setting is
127 SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
128 * $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
129 MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
130 SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
131 for intermediate stages of migration.
132 * $wgDBTableOptions – The default table options now use the binary charset. The
133 default was already overridden in the installer-generated LocalSettings.php,
134 and so is always set to binary after the installer UI option was removed. The
135 default value is only used when the installer installs an extension.
136 * $wgPopularPasswordFile — The location of the default popular passwords file
137 has been moved to be in line with other non-PHP files used by libraries and
138 classes.
139 * $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
140 potential privacy leaks by administrators. You can check
141 "MediaWiki:External image whitelist" on your wiki to see whether the feature
142 was ever used, and whether it needs to be re-enabled.
143
144 ==== Removed configuration ====
145 * $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
146 have been removed. (T115414)
147 * $wgSiteSupportPage – This setting, unused since 1.5, was removed.
148 * $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
149 * $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
150 The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
151 * $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
152 most extensions, is no longer set. Instead, you can modify the system
153 message `emailsender`.
154 * $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
155 were removed. RemexHtml, which is the default, should be used instead.
156 * (T181318) The $wgStyleVersion setting and its appendage to various script and
157 style URLs in OutputPage, deprecated in 1.31, was removed.
158 * (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
159 from ResourceLoader. Instead, use `@import` statements in LESS to import
160 files directly from nearby directories within the same project.
161 * (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
162 since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
163 the ResourceLoaderModule::getLessVars() method.
164 * $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
165 was removed.
166 * Two temporary variables for deploying the feature of filters on change lists,
167 $wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
168 $wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
169
170 === New features in 1.32 ===
171 * (T112474) Generalized the ResourceLoader mechanism for overriding modules
172 using a particular page during edit previews.
173 * (T12331) You can now log page creation events by setting $wgPageCreationLog
174 to true.
175 * Added 'ApiParseMakeOutputPage' hook.
176 * (T174313) Added checkbox on Special:ListUsers to display only users in
177 temporary user groups.
178 * (T152462) A cookie can now be set when an IP user is blocked to track that
179 user if they move to a new IP address. This is disabled by default.
180 * (T194950) Added 'ApiMaxLagInfo' hook.
181 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
182 reauthenticating.
183 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
184 getLoginSecurityLevel() returns non-false.
185 * The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
186 &$query and &$widthOption, allowing extensions even finer control over the
187 resulting HTML code.
188 * Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
189 if the [mark as patrolled] link should be shown at the footer of patrollable
190 pages.
191 * The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
192 is now passed by reference, allowing extensions to modify or even unset it.
193 * Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
194 modify the return value of OutputPage#getHeadLinksArray in order to add,
195 remove or otherwise alter the elements to be output in the page <head>.
196 * (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
197 additional links to the subtitle of a history page.
198 * The 'GetLinkColours' hook now receives an additional $title parameter,
199 the Title object of the page being parsed, on which the links will be shown.
200 * (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
201 render diffs between two Content objects, and DifferenceEngine::setRevisions()
202 to render diffs between two custom (potentially multi-content) revisions.
203 Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
204 * Added a temporary action=mcrundo to the web UI, as the normal undo logic
205 can't yet handle MCR and deadlines are forcing is to put off fixing that.
206 This action should be considered deprecated and should not be used directly.
207 * Extensions overriding ContentHandler::getUndoContent() will need to be
208 updated for the changed method signature.
209 * Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
210 from user. Unlike the 'UserGetRights' it will ensure that removed rights
211 will not be reinserted.
212 * (T197535) Extensions can now specify PHP versions and PHP extensions they
213 depend on.
214
215 === External library changes in 1.32 ===
216
217 ==== New external libraries ====
218 * Added pear/Net_SMTP v1.8.0.
219 * Added wikimedia/xmp-reader v0.6.0.
220
221 * Added cache/integration-tests v0.16.0 (dev-only).
222 * Added giorgiosironi/eris v0.10.0 (dev-only).
223 * Added seld/jsonlint v1.7.1 (dev-only).
224
225 * Added EasyDeflate (unversioned).
226
227 ==== Changed external libraries ====
228 * Updated OOUI from v0.26.3 to v0.29.2.
229 * Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
230 * Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
231 * Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
232 ** ScopedCallback objects can no longer be serialized.
233 * Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
234 * Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
235 * oyejorge/less.php replaced with our fork wikimedia/less.php
236 * Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
237
238 * Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
239 * Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
240 * Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
241
242 * Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
243 * Updated jquery from v3.2.1 to v3.3.1.
244 * Updated jquery.client from v2.0.0 to v2.0.1.
245 * Updated jquery.i18n from v1.0.4 to v1.0.5.
246 * Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
247 * Updated OOjs from v2.2.0 to v2.2.2.
248 * Updated qunitjs from v2.4.0 to v2.6.2.
249 * Updated sinonjs from v1.17.3 to v1.17.7.
250
251 ==== Removed external libraries ====
252 * pear/mail_mime-decode was removed.
253
254 === Bug fixes in 1.32 ===
255 * SpecialPage::execute() will now only call checkLoginSecurityLevel() if
256 getLoginSecurityLevel() returns non-false.
257 * (T43720, T46197) Improved page display title handling for category pages
258 * (T65080) Fixed resetting options of some types via API action=options.
259
260 === Action API changes in 1.32 ===
261 * Added templated parameters.
262 * A module can define a templated parameter like "{fruit}-quantity", where
263 the actual parameters recognized correspond to the values of a multi-valued
264 parameter. Then clients can make requests like
265 "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
266 * action=paraminfo will return templated parameter definitions separately
267 from normal parameters. All parameter definitions now include an "index"
268 key to allow clients to maintain parameter ordering when merging normal and
269 templated parameters.
270 * It is now an error to submit too many values for a multi-valued parameter.
271 This has generated a warning since MediaWiki 1.14.
272 * Assertion failures from the 'assert' and 'assertuser' parameters will no
273 longer use the action module's custom response format, for the few modules
274 that use custom formatters that handle errors.
275 * (T198935) User list preferences such as `email-blacklist` and similar
276 extension preferences are no longer represented as arrays when returned by
277 action=query&meta=userinfo&uiprop=options.
278 * 'missingparam' errors will now use the prefixed parameter name in the code
279 and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
280 than "nofoo" and "The 'foo' parameter must be set".
281 * action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
282 multi-content revision slots for which content should be returned. It also
283 has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
284 warning will be issued if rvprop=content or rvprop=contentmodel are used
285 without rvslots.
286 * The rvcontentformat parameter to action=query&prop=revisions has been
287 deprecated. Clients should be prepared to deal with the default format for
288 relevant models.
289 * Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
290 rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
291 rvprop=parsetree is forbidden with the new 'rvslots' parameter.
292 * action=query&prop=deletedrevisions, action=query&list=allrevisions, and
293 action=query&list=alldeletedrevisions are changed similarly to
294 &prop=revisions (see the three previous items).
295 * (T174032) action=compare now supports multi-content revisions.
296 * It has a 'slots' parameter to select diffing of individual slots. The
297 default behavior is to return one combined diff.
298 * The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
299 'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
300 are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
301 slots have text supplied and the corresponding templated parameters for
302 each slot.
303 * The behavior of 'fromsection' and 'tosection' of extracting one section's
304 content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
305 instead expand the given text as if for a section edit. This effectively
306 declines T183823 in favor of T185723.
307 * (T198214) The 'disabletidy' parameter to action=parse has been
308 deprecated; untidy output will not be supported by future wikitext
309 parsers.
310 * Added intestactionsdetail to action=query&prop=info to allow retrieving the
311 reasons an action is not allowed.
312 * Deprecated action=query&prop=info inprop=readable in favor of
313 intestactions=read.
314 * (T212356) When using action=delete on pages with many revisions, the module
315 may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
316 deletion will be processed via the job queue.
317
318 === Action API internal changes in 1.32 ===
319 * Added 'ApiParseMakeOutputPage' hook.
320 * Parameter names may no longer contain '{' or '}', as these are now used for
321 templated parameters.
322 * (T194950) Added 'ApiMaxLagInfo' hook.
323 * The following methods now take a RevisionRecord rather than a Revision. No
324 external callers are known.
325 * ApiFeedContributions::feedItemAuthor()
326 * ApiFeedContributions::feedItemDesc()
327 * ApiQueryRevisionsBase::extractRevisionInfo()
328 * The following deprecated methods have been removed:
329 * ApiBase::profileIn() (deprecated in 1.25)
330 * ApiBase::profileOut() (deprecated in 1.25)
331 * ApiBase::safeProfileOut() (deprecated in 1.25)
332 * ApiBase::profileDBIn() (deprecated in 1.25)
333 * ApiBase::profileDBOut() (deprecated in 1.25)
334 * ApiBase::dieUsage() (deprecated in 1.29)
335 * ApiBase::dieUsageMsg() (deprecated in 1.29)
336 * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
337 * ApiBase::getErrorFromStatus() (deprecated in 1.29)
338 * ApiBase::parseMsg() (deprecated in 1.29)
339 * ApiBase::setWarning() (deprecated in 1.29)
340 * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
341 * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
342 * ApiUsageException::getCodeString() (deprecated in 1.29)
343 * ApiUsageException::getMessageArray() (deprecated in 1.29)
344 * Class UsageException, deprecated in 1.29, has been removed.
345 * ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
346 can now easily test $formatter->getFormat() === 'bc', and then call
347 $formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
348
349 === Languages updated in 1.32 ===
350 MediaWiki supports over 350 languages. Many localisations are updated regularly.
351 Below only new and removed languages are listed, as well as changes to languages
352 because of Phabricator reports.
353
354 * (T193566) Added language support for Ambonese Malay (abs).
355 * (T194047) Added language support for Shawiya, Latin script (shy-latn).
356 * (T195940) Added language support for Batak Mandailing (btm).
357 * (T137491) Added language support for Standard Moroccan Amazigh (zgh).
358 * (T198132) Added language support for Manipuri (mni).
359 * (T201276) Added language support for Western Armenian (hyw).
360 * (T201583) Added language support for Mon (mnw).
361
362 === Breaking changes in 1.32 ===
363 * $wgRequestTime, deprecated in 1.25, was removed. Use
364 $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
365 * The MediaWikiI18N class, deprecated in 1.31, was removed.
366 * QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
367 Skin::msg() instead.
368 * wfInitShellLocale(), deprecated in 1.30, was removed.
369 * wfShellExecDisabled(), deprecated in 1.30, was removed.
370 * The type string for the parameter $lang of DateFormatter::getInstance,
371 deprecated in 1.31, was removed.
372 * The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
373 MediaWiki\Session\Token::SUFFIX instead.
374 * EditPage::isOouiEnabled() deprecated in 1.30, was removed.
375 * mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
376 instead.
377 * (T61113) The following methods and constants from the Revision class, which
378 were deprecated in 1.25, have now been removed:
379 * Revision::getRawUser()
380 * Revision::getRawUserText()
381 * Revision::getRawComment()
382 * window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
383 mw.msg() or mw.message() instead.
384 * mw.util.escapeId(), deprecated in 1.30, was removed. Use
385 mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
386 * mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
387 jquery.accessKeyLabel instead.
388 * The SqlDataUpdate class, deprecated in 1.28, has been removed.
389 * The Html5Internal and Html5Depurate tidy driver classes were removed, along
390 with the Balancer tidy implementation. Both implementations were experimental,
391 and were replaced by RemexHtml.
392 * (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
393 removed. Use JobQueueGroup::singleton()->push() instead.
394 * The jquery.footHovzer module, for mediawiki.debug, was removed.
395 * The es5-shim module, empty and deprecated since 1.29, was removed.
396 * the dom-level2-shim module, empty and deprecated since 1.29, was removed.
397 * the json module, empty and deprecated since 1.29, was removed.
398 * The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
399 removed. Use mediawiki.widgets.visibleLengthLimit instead.
400 * The jquery.farbtastic module, unused since 1.18, was removed.
401 * The 'jquery.expandableField' module, unused since 1.22, was removed.
402 * The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
403 any HTMLForm object rather than PreferencesForm.
404 * The non namespaced TimestampException class, deprecated in 1.29, was removed.
405 Use Wikimedia\Timestamp\TimestampException instead.
406 * The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
407 utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
408 The UtfNormal\Utils class from the utfnormal library should be used instead.
409 * The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
410 from the UtfNormal\Constants class from the utfnormal library should be used
411 * The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
412 only needed for PHP5 compatibility, have been removed. It now uses the boolean
413 values `true` and `false` respectively.
414 * The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
415 were removed. Use the ParserCache class instead.
416 * ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
417 instead.
418 * Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
419 deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
420 * (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
421 and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
422 is no longer loaded by default. The Vector and MonoBook skins have made a
423 minor change to implement the toggle feature with CSS instead. To restore
424 prior functionality, either explicitly load "jquery.mw-jump" in your skin
425 or refer to T195256 for details on how to make the same change.
426 * Hook 'EditPageBeforeEditChecks' was removed;
427 use 'EditPageGetCheckboxesDefinition' instead.
428 * Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
429 1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
430 * Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
431 been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
432 instead.
433 * mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
434 CapsuleMultiselectWidget. The following methods may no longer be used:
435 * setItemsFromData: Use setValue instead
436 * getItemsData: Use getItems instead and get the data property
437 * Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
438 removed. Use addLink() instead.
439 * Another two OutputPage methods, setPageTitleActionText() and
440 getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
441 ten years). Use setHTMLTitle() directly.
442 * The return value of OutputPage::adaptCdnTTL() has been removed. The
443 value returned was misleading and probably not what any caller would
444 have wanted.
445 * All MagicWord static member variables have been removed. Use appropriate
446 hooks or MagicWordFactory methods instead.
447 * MagicWord::clearCache() has been removed. Instead, create a new
448 MagicWordFactory, such as by calling
449 resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
450 * mw.util.init() has been removed. This function is not needed anymore and was
451 a no-op function since 1.30.
452 * SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
453 instead.
454 * MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
455 $wgProfiler and $wgEnableProfileInfo.
456 * The mw.loader.addSource() is now considered a private method, and no longer
457 supports the `id, url` signature. Use the `Object` parameter instead.
458 * The backwards-compatibility code in HTMLForm to add a drop-down control to an
459 option that is not set to be a drop-down if the "mw-chosen" class is present,
460 is now removed.
461 * Several collations were removed. They were workarounds for bugs in the ICU
462 library and they are no longer needed (as of ICU 57.1):
463 * 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
464 * 'xx-uca-et' (CollationEt) - use 'uca-et' instead
465 * 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
466 * LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
467 that some MediaWiki-specific language codes, such as `simple`, are mapped
468 into valid BCP 47 codes (eg `en-simple`).
469 * The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
470 in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
471 The ChangesListSpecialPage code for these legacy hooks, and their use in
472 SpecialRecentchanges.php and SpecialWatchlist, was also removed:
473 * ChangesListSpecialPage->getCustomFilters()
474 * ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
475 * ChangesListSpecialPage::customFilters
476 * The global function wfUseMW, deprecated since 1.26, has now been removed. Use
477 the "requires" property of static extension registration instead.
478 * $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
479 * The MailAddress constructor can no longer be called with a User object,
480 behaviour which has been deprecated since 1.24.
481 * LBFactory, deprecated since 1.28, has been removed. Instead, use
482 Wikimedia\Rdbms\LBFactory.
483 * The MimeMagic class, deprecated since 1.28 has been removed. Get a
484 MimeAnalyzer instance from MediaWikiServices instead.
485 * The '--tidy' option to maintenance/parse.php has been removed. Tidying
486 the output is now the default. Use '--no-tidy' to bypass the tidy
487 phase.
488 * The global function wfErrorLog, deprecated since 1.25, has now been removed.
489 Use MWLoggerLegacyLogger::emit or UDPTransport.
490 * The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
491 1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
492 ChangesListSpecialPageQuery.
493 * The global function wfUsePHP, deprecated since 1.30, has now been removed. To
494 assert a newer version of PHP than MediaWiki does, use extension registration.
495 * The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
496 removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
497 * DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
498 * File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
499 * The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
500 the hook 'SkinEditSectionLinks' instead.
501 * The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
502 * The global function wfRunHooks, deprecated since 1.25, has now been removed.
503 Use Hooks::run().
504 * The hook 'UnknownAction', deprecated since 1.19, has now been removed.
505 * The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
506 the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
507 * The following deprecated API methods have been removed:
508 * ApiBase::profileIn() (deprecated in 1.25)
509 * ApiBase::profileOut() (deprecated in 1.25)
510 * ApiBase::safeProfileOut() (deprecated in 1.25)
511 * ApiBase::profileDBIn() (deprecated in 1.25)
512 * ApiBase::profileDBOut() (deprecated in 1.25)
513 * ApiBase::dieUsage() (deprecated in 1.29)
514 * ApiBase::dieUsageMsg() (deprecated in 1.29)
515 * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
516 * ApiBase::getErrorFromStatus() (deprecated in 1.29)
517 * ApiBase::parseMsg() (deprecated in 1.29)
518 * ApiBase::setWarning() (deprecated in 1.29)
519 * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
520 * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
521 * ApiUsageException::getCodeString() (deprecated in 1.29)
522 * ApiUsageException::getMessageArray() (deprecated in 1.29)
523 * Class UsageException, deprecated in 1.29, has been removed.
524 * MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
525 old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
526 been removed, and instead sysadmins will be required to choose one (or more)
527 of the several extensions available for this purpose if they need the
528 functionality. The MediaWiki "tarball" releases have included the replacement
529 extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
530 for many years now. As part of this, several parts of MediaWiki have been
531 removed or simplified:
532 * The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
533 available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
534 hook, it will be shown; extensions should provide a specific user preference
535 to disable themselves as needed.
536 * The public methods Language::getImageFile() and ::getImageFiles(), and the
537 related specification of $imageFiles within individual languages' code file,
538 as well as the referenced static media assets, all of which were only used
539 inside MediaWiki itself for providing the icons for the old toolbar, have
540 been removed without explicit deprecation.
541 * The internal ResourceLoader module "mediawiki.toolbar", which is unused
542 except by MediaWiki itself and back-compatibility code, has been removed.
543 * The internal ResourceLoaderEditToolbarModule class has been removed.
544
545 === Deprecations in 1.32 ===
546 * HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
547 button is already marked as progressive.
548 * Skin::setupSkinUserCss() is deprecated. Adding of modules to load
549 has been centralised to Skin::getDefaultModules(), which is now capable
550 of queueing style modules as well.
551 * OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
552 deprecated. Use addModules() instead.
553 * Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
554 in extending classes is deprecated. Extend related doSearch* methods
555 instead.
556 * The following 'mediawiki.api' plugin modules were merged into mediawiki.api
557 and deprecated: mediawiki.api.category, mediawiki.api.edit,
558 mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
559 mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
560 mediawiki.api.messages, and mediawiki.api.rollback.
561 * ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
562 to use it.
563 * WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
564 with the 'unwatch' action parameter instead.
565 * IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
566 constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
567 * Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
568 * The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
569 * The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
570 of the namespaced classes provided by the wikimedia/xmp-reader library.
571 * SearchResultSet::{next,rewind} are deprecated. Calling code should
572 use foreach on the SearchResultSet, or the extractResults method. Extending
573 code should override extractResults.
574 * Instantiating SearchResultSet directly is deprecated. SearchEngine
575 implementations must subclass SearchResultSet for their purposes.
576 * SearchResult::setExtensionData argument has been changed from accepting an
577 array to accepting a Closure that returns the array when called.
578 * Class CryptRand, everything in MWCryptRand except generateHex() and function
579 MediaWikiServices::getInstance()->getCryptRand() are deprecated, use
580 random_bytes() to generate cryptographically secure random byte sequences.
581 * Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
582 instead.
583 * Language::markNoConversion() is deprecated. It confused readers because
584 it had unexpected behavior (only marking text if it looked like a URL)
585 and was only used in a single place in the code. Use
586 LanguageConverter::markNoConversion() instead.
587 * (T197492) Language::truncate() was soft deprecated in 1.31 and is
588 hard deprecated in this release. It has been split into two similar
589 methods, Language::truncateForVisual() and Language::truncateForDatabase(),
590 which measure length in characters and bytes, respectively. Use
591 Language::truncateForVisual() when possible to provide equity to users
592 of multibyte scripts.
593 * (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
594 context title is unset is now deprecated; anything creating an EditPage
595 instance should set the context title via ::setContextTitle().
596 * The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
597 * ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
598 are deprecated. These concepts are obsolete and have no replacement.
599 * String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
600 * The following methods of OutputPage are now deprecated in favour
601 of using showFatalError directly: OutputPage::showFileDeleteError()
602 OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
603 OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
604 * The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
605 classes are now deprecated. Use a Closure instead.
606 * (T194263) ContentHandler::makeParserOptions() is deprecated. Use
607 WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
608 * (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
609 MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
610 the Parsoid v3 API in May 2015.
611 * $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
612 $formDescriptor instead.
613 * SearchEngine::transformSearchTerm( $term ) should no longer be called prior
614 to running searchText. This method was mainly implemented to support the
615 'prefix' URI param in SpecialSearch, but there are no reasons to expose this
616 logic as it should be handled internally by SearchEngine implementations
617 supporting this feature. SearchEngine implementations should no longer
618 override this methods.
619 * SearchEngine::replacePrefixes( $query ) should no longer be called prior
620 to running searchText/searchTitle.
621 * (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
622 'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
623 * Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
624 use array_filter() directly.
625 * The $wgShowSQLErrors global is deprecated and nonfunctional.
626 Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
627 * The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
628 Set $wgShowExceptionDetails instead.
629 * Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
630 mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
631 mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
632 getOldRevision() / getNewRevision() for the first four (note that the
633 revision ones return a RevisionRecord, not a Revision), do your own lookup
634 for page/content.
635 * The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
636 just enable the PHP extension, and it will be autodetected.
637 * (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
638 setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
639 are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
640 subclass it to customize diff rendering); to diff custom (e.g. unsaved)
641 content, use setRevisions(). Subclassing DifferenceEngine should only be done
642 to customize page-level diff properties (such as the navigation header).
643 * The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
644 * All MagicWord static methods are now deprecated. Use the MagicWordFactory
645 methods instead.
646 * PasswordFactory::init is deprecated. To get a password factory with the
647 standard configuration, use
648 MediaWikiServices::getInstance()->getPasswordFactory.
649 * $wgContLang is deprecated, use
650 MediaWikiServices::getInstance()->getContentLanguage() instead.
651 * $wgParser is deprecated, use MediaWikiServices::getInstance()->getParser()
652 instead.
653 * wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
654 instead.
655 * wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
656 * All SpecialPageFactory static methods are deprecated. Instead, call the
657 methods on a SpecialPageFactory instance, which may be obtained from
658 MediaWikiServices.
659 * mw.user.stickyRandomId was renamed to the more explicit
660 mw.user.getPageviewToken to better capture its function.
661 * Passing Revision objects to ContentHandler::getUndoContent() is deprecated,
662 Content object should be passed instead.
663 * (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
664 previously used by OOUI HTMLForm fields, are now deprecated. Use
665 'help', 'help-message', 'help-messages' instead.
666 * (T197179) HTMLFormField::getNotices() is now deprecated.
667 * The jquery.localize module is now deprecated. Use jquery.i18n instead.
668 * The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
669 or overriding ContentHandler::getSecondaryDataUpdates (T194038).
670 * The WikiPageDeletionUpdates hook was deprecated in favor of
671 PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
672 (T194038).
673 * Content::getSecondaryDataUpdates has been deprecated in favor of
674 ContentHandler::getSecondaryDataUpdates() for overriding by extensions
675 (T194038).
676 Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
677 * Content::getDeletionUpdates has been deprecated in favor of
678 ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
679 Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
680 * (T198214) Old Tidy-related configuration settings, which were soft-deprecated
681 in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
682 $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
683 $wgTidyConfig instead.
684 * All Tidy configurations other than Remex have been hard deprecated;
685 future parsers will not emit compatible output for these configurations.
686 In particular, running MediaWiki with tidy disabled has been deprecated.
687 * (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
688 and OutputPage::addWikiTextTitle() have been deprecated, since they
689 can result in untidy output. In addition OutputPage::addWikiTextTidy()
690 and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new
691 methods consistent. Use OutputPage::addWikiTextAsInterface() or
692 OutputPage::addWikiTextAsContent() instead, which ensures the output is
693 tidy and clarifies whether content-language specific postprocessing should
694 be done on the text.
695 * OutputPage::parse() and OutputPage::parseInline() have been deprecated
696 due to untidy output and inconsistent handling of wrapper divs and
697 interface/content language defaults. Use OutputPage::parseAsContent(),
698 OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
699 as appropriate.
700 * QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
701 as they promote bad practises. I18n messages should always be properly
702 escaped.
703 * Skin::getDynamicStylesheetQuery() has been deprecated. It always
704 returns action=raw&ctype=text/css which callers should use directly.
705 * Class LegacyFormatter is deprecated.
706 * Use of CommentStore::insertWithTempTable() with 'img_description' is
707 deprecated. Use CommentStore::insert() instead.
708 * Language::setCode is deprecated as public function. Use Language::factory
709 to create a new Language object with a different language code.
710 * Several classes have been moved from the MediaWiki\Storage\ namespace to the
711 MediaWiki\Revision\ namespace. The old class names are aliased for
712 compatibility, but are deprecated. Classes are IncompleteRevisionException,
713 MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
714 RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
715 RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
716 SuppressedDataException.
717 * When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
718 option, it is now deprecated to give its contents (the 'default' option)
719 as a string. They should be given as a OOUI\FieldLayout object instead.
720 Notably, this affects fields defined in the 'GetPreferences' hook, because
721 Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
722 * In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
723 deprecated. For the $lang parameter, types other than Language are
724 deprecated.
725 * The $wgUseKeyHeader configuration option and the
726 OutputPage::getKeyHeader() method have been deprecated; the relevant
727 draft IETF spec expired without becoming a standard.
728 * Deprecated API action=query&prop=info inprop=readable in favor of
729 intestactions=read.
730
731 === Other changes in 1.32 ===
732 * (T198811) The following tables have had their UNIQUE indexes turned into
733 proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
734 protected_titles and site_identifiers.
735 * OOUI HTMLForm will now display help text inline after the input field,
736 rather than in a popup. Previous behavior can be restored by using
737 `'help-inline' => false`.
738 * The archive table's ar_rev_id field is now unique.
739 * Special:BotPasswords now requires reauthentication.
740 * (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
741 storage layer and have basic support for display. No user interface exists
742 yet for creating or managing content in slots beides the main slot. See
743 <https://www.mediawiki.org/wiki/Multi-Content_Revisions> for more
744 information.
745 * The image_comment_temp database table has been removed. Since all access
746 should be mediated by the CommentStore class, this change shouldn't affect
747 external code.
748 * (T206147) Database::close() will no longer commit any open transactions.
749 * (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
750 recentchanges.rc_cur_time from the PostgreSQL schema.
751
752 = MediaWiki 1.31 =
753
754 == MediaWiki 1.31.2 ==
755
756 This is a security and maintenance release of the MediaWiki 1.31 branch.
757
758 Required PHP version has been increased from 7.0.0 to 7.0.13.
759
760 === Changes since MediaWiki 1.31.1 ===
761 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
762 all titles when asked for none.
763 * (T205967) Fix syntax error typo in postgres database upgrade file.
764 * (T200254) Add pear/Net_SMTP 1.7.3 to composer dependencies.
765 * (T206765) Load installer i18n when running update.php.
766 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
767 libraries.
768 [Also in the bundled composer /vendor directory.]
769 * Various PHP 7.2 and 7.3 compatibility fixes:
770 * (T200595, T206974) Fix PHP 7.3 warnings of using "continue" in some
771 scenarios instead of "break".
772 * (T206976, T206977) Also in the bundled LocalisationUpdate and
773 ParserFunctions extensions.
774 * (T206979) Fix PHP 7.3 warnings of using "compact()" when some variables may
775 not be set.
776 * (T215632) FormatMetadata and UploadStash regexes fixed to be PHP
777 7.3-compatible.
778 * Fix PHP warnings "preg_replace(): [...] invalid range in character class.
779 * Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable.
780 * Suppress "Headers already sent" in PHP 7.2 too.
781 * (T206476) Output only to stderr in unit tests.
782 * (T207112) Add session_write_close() calls to SessionManager tests.
783 * oyejorge/less.php replaced with our fork wikimedia/less.php
784 * (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0.
785 * (T213489) Avoid session double-start in Setup.php.
786 * (T206975) Switch to our fork of less.php.
787 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
788 * (T201781) Database: Allow selectFieldValues() to accept SQL fragments.
789 * (T205765) installer: Don't link to the obsolete "Extension Matrix" page.
790 * (T206013) Update ImportableUploadRevisionImporter for interwiki usernames.
791 * (T207541) Pass an email address, not a MailAddress, to mail().
792 * (T207603) SECURITY: User JS may no longer be loaded with mime type
793 text/javascript if there is no account associated with the username.
794 * (T112937, T113042) SECURITY: Do not allow loading pages raw with a
795 text/javascript MIME
796 type if non-admins can edit the page.
797 * (T17491) <ins>/<del> elements can be phrasing or flow.
798 * (T200827) RemexCompatMunger: Don't call endTag() in case B/b
799 * (T207088) Upgrade wikimedia/remex-html to 2.0.1.
800 [Also in the bundled composer /vendor directory.]
801 * (T194052) Updated wikimedia/base-convert from 1.0.1 to 2.0.0.
802 [Also in the bundled composer /vendor directory.]
803 * (T199494) Fix notices in maintenance/removeUnusuedAccounts.php.
804 * Require ext-fileinfo in composer.json, per PHPVersionCheck.
805 * (T176390) Bundled LocalisationUpdate extension: Handle exceptions from
806 GitHubFetcher.
807 * (T208255) Completion search should not change the search query.
808 * (T209870) Fix SQL syntax error in MS-SQL initialisation file for new wikis.
809 * (T185049) LogFormatter: Fail softer when trying to link an invalid titles.
810 * (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
811 if --lang is used with the command-line installer (install.php).
812 * (T211061) ImageListPager: Actor migration for buildQueryConds().
813 * (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
814 * Fix addition of ug_expiry column to user_groups table on MSSQL.
815 * (T204767) Add join conditions to ActiveUsersPager.
816 * (T210621) User: Bypass repeatable-read when creating an actor_id.
817 * (T204531) rdbms: reduce LoadBalancer replication log spam.
818 * (T195525) Fix db error outage page.
819 * (T208871) The hard-coded Google search form on the database error page was
820 removed.
821 * (T176097) Fix flaky MessageBlobStoreTest assertion failures.
822 * (T209423) Update required PHP version to 7.0.13.
823 * (T209885) Prevent populateSearchIndex.php from breaking once actor migration
824 has been started.
825 * (T216968) Return pageid as int in both list=iwbacklinks and
826 list=langbacklinks.
827 * (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
828 * (T204423) Backport support for hyphenated DB names in JobQueueGroup.
829 * (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
830 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
831 $wgBlockDisablesLogin is true.
832 * (T216029) Chrome redirects to Special:BadTitle after editing a section with
833 a non-Latin name on a page with non-Latin characters in title.
834 * (T219728) Added support for new Japanese era name "Reiwa".
835 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
836 token.
837 * Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
838 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
839 saveFileDependencies().
840 * (T224374) Fix message parameters so that the message that says SQLite is out
841 of date makes sense.
842 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
843 reauthenticating.
844 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
845 getLoginSecurityLevel() returns non-false.
846 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
847 * (T208881) SECURITY: blacklist CSS var().
848 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
849 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
850 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
851 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
852 view the log type.
853 * (T221739) SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358.
854
855 == MediaWiki 1.31.1 ==
856
857 This is a security and maintenance release of the MediaWiki 1.31 branch.
858
859 === Changes since MediaWiki 1.31.0 ===
860 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
861 'newbie'.
862 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
863 account lock.
864 * (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
865 * (T197229) Bundle Nuke extension, it was accidentally omitted.
866 * (T193995) Fix undefined patchPath() method call in parser tests.
867 * (T198687) Fix various selectFields methods to use the string 'NULL', not null.
868 * Special:BotPasswords now requires reauthentication.
869 * (T191608, T187638) Add 'logid' parameter to Special:Log.
870 * (T193829) Indicate when a Bot Password needs reset.
871 * (T198037) GitInfo: Don't try shelling out if it's disabled.
872 * (T151415) Log email changes.
873 * (T197206) Fix performance regression when multiple DB used without caching.
874 * (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
875 * (T182377, T196793) Exif: Guard against uncountable tag values.
876 * (T200861) Fix total breakage of SQLite web upgrade.
877 * (T200864) Fix pingback over-reporting on non-MySQL databases
878 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
879 hooks.
880
881 == MediaWiki 1.31.0 ==
882
883 === Changes since MediaWiki 1.31.0-rc.2 ===
884 * (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
885 * (T196092) Hide MySQL binary/utf-8 charset option in the installer.
886 * (T196185) Don't allow setting $wgDBmysql5 in the installer.
887 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
888 * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
889 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
890 hook.
891 * (T196672) The mtime of extension.json files is now able to be zero
892 * (T180403) Validate $length in padleft/padright parser functions.
893 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
894
895 === Changes since MediaWiki 1.31.0-rc.0 ===
896 * (T33223) Drop archive.ar_text and ar_flags.
897 * Add default edit rate limit of 90 edits/minute for all users.
898 * (T187645) Use codepoint as tiebreaker when getting first-letters in
899 IcuCollation.
900 * (T191947) Don't shell during the installer if shelling out is disabled.
901 * (T194319) Improve duplicate config setting exception as part of extension
902 registration.
903 * (T195211) Don't require trailing slash in PSR-4 autoloader directory.
904 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
905 * Do not incorrectly hide namespace input field in the installer.
906 * (T186456) Refactor checks looking for PEAR maik libraries to be clearer.
907
908 === Important pre-upgrade notes for 1.31 ===
909 * If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
910 schema changes, and cannot have downtime to run migrateArchiveText.php and
911 apply patch-drop-ar_text.sql manually, you'll have to apply a default value
912 to the ar_text and ar_flags columns of the archive table or make those
913 columns nullable before upgrading to MediaWiki 1.31.
914 maintenance/archives/patch-nullable-ar_text.sql shows how to do this for
915 MySQL.
916
917 === Configuration changes in 1.31 ===
918 * $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
919 a future version. The API is now considered to be stable, secure and
920 essential.
921 * $wgUsejQueryThree was removed, as it is now the default. This was documented
922 as a temporary variable during the migration period, deprecated since 1.29.
923 * $wgLogoHD has been updated to support svg images and uses $wgLogo where
924 possible for fallback images such as png.
925 * (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
926 have the right to mark things patrolled.
927 * Wikis that contain imported revisions or CentralAuth global blocks should run
928 maintenance/cleanupUsersWithNoId.php.
929 * The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
930 $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
931 * (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
932 are not using the latest version of the Referrer Policy specification.
933 * $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
934 first step of migration to human-readable section IDs that will later result
935 in 'html5' being the default mode.
936 * CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
937 as upstream is inactive and has no plans to move to PHP 7.
938 * The old CategorizedRecentChanges feature, including its related configuration
939 option $wgAllowCategorizedRecentChanges, has been removed.
940 * (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
941 for performance reasons, and installations with this setting will now work as
942 if it was configured with 'any'.
943 * (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
944 rather than being off by default. If you wish to disable HTML tidying
945 entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
946 Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
947 * $wgLogAutopatrol now defaults to false instead of true.
948 * $wgValidateAllHtml was removed and will be ignored.
949 * $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
950 1.25 release notes for more information.
951 * $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
952 framework that it enables. Some extensions mistakenly used this to check
953 whether any AJAX functionality at all should be enabled, further making this
954 problematic to retain.
955 * $wgDBmysql5 is now deprecated, and will be removed in a future version. It
956 has been marked as experimental ever since it was introduced.
957
958 === New features in 1.31 ===
959 * (T76554) User sub-pages named ….json are now protected in the same way that
960 ….js and ….css pages are, so that configuration options can safely be placed
961 there.
962 * Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
963 with parentheses for grouping.
964 * As a first pass in standardizing dialog boxes across the MediaWiki product,
965 Html class now provides helper methods for messageBox, successBox, errorBox
966 and warningBox generation.
967 * (T9240) Imports will now record unknown (and, optionally, known) usernames in
968 a format like "iw>Example".
969 * (T20209) Linker (used on history pages, log pages, and so on) will display
970 usernames formed like "iw>Example" as interwiki links, as if by wikitext like
971 [[iw:User:Example|iw>Example]].
972 * (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
973 users during an import.
974 * Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
975 the ParserOutput::getText() post-cache transformations.
976 * Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
977 initial page text for file uploads.
978 * (T181651) The info page for File pages now displays the file's base-16 SHA1
979 hash value in the table of basic information.
980 * Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
981 ParserOutput::getText() post-cache transformation. This may be disabled by
982 passing 'deduplicateStyles' => false to that method.
983 * The identity of the logged-in or IP "actor" for logged actions is being moved
984 into a new actor table, with the rows in tables such as revision and logging
985 referring to the actor ID instead of storing the user ID and name/IP in
986 every row.
987 * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
988 can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
989 soon as any necessary extensions are updated.
990 * Most code accessing rows for logged actions from the database should use
991 the relevant getQueryInfo() methods to get the information needed to build
992 the SQL query. The ActorMigration class may also be used to get feature
993 -flagged information needed to access actor-related fields during the
994 migration period.
995 * Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
996 section without having to roll back the whole transaction.
997 * Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
998 and non-MySQL ::replace() and ::upsert() no longer roll back the whole
999 transaction on failure.
1000 * (T189785) Added a monthly heartbeat ping to the pingback feature.
1001 * The CLI installer (maintenance/install.php) learned to detect and include
1002 extensions. Pass --with-extensions to enable that feature.
1003 * (T184791) rc_patrolled now has three states: "0" for unpatrolled,
1004 "1" for manually patrolled and "2" for autopatrolled actions.
1005 * Extensions can now set their type to "editor" if they provide an editor or
1006 enhance the editing experience.
1007 * Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
1008 property in extension.json. See the documentation at
1009 <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
1010 for more details and an example.
1011 * (T19099) Tabs which link to pages that don't exist (like those to uncreated
1012 discussion pages) now have a tooltip to indicate state, not just colour.
1013
1014 === External library changes in 1.31 ===
1015 * pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
1016 suggested to required. These packages now must be installed via composer
1017 and not via PEAR itself.
1018
1019 ==== Upgraded external libraries ====
1020 * Updated jquery.chosen from v0.9.14 to v1.8.2.
1021 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1022 * Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
1023 * Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
1024 * Updated wikimedia/relpath from 2.0.0 to 2.1.1.
1025 * Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
1026 * Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
1027 * Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
1028 * Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
1029 * Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
1030 * Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.
1031
1032 ==== New external libraries ====
1033 * Added wikimedia/object-factory 1.0.0
1034
1035 ==== Removed and replaced external libraries ====
1036 * (T17845) The deprecated 'jquery.badge' module was removed.
1037 * The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
1038 text-overflow property instead.
1039 * The deprecated 'jquery.placeholder' module was removed.
1040 * The deprecated 'jquery.appear' module was removed. Use the
1041 'mediawiki.viewport' module instead.
1042 * mediawiki/at-ease was replaced with wikimedia/at-ease.
1043
1044 === Bug fixes in 1.31 ===
1045 * (T90902) Non-breaking space in header ID breaks anchor.
1046 * (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
1047 space.
1048 * (T2087, T10897, T87753, T174639) Whitespace created by category and language
1049 links is now stripped rather than leaving blank lines in odd places.
1050 * (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
1051 * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
1052
1053 === Action API changes in 1.31 ===
1054 * (T185058) The 'name' value to tgprop for action=query&list=tags has been
1055 removed. It has never made a difference in the output, the name was always
1056 returned regardless.
1057 * The 'watch' and 'unwatch' parameters for action=move have been removed. They
1058 were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
1059 'watchlist' instead.
1060
1061 === Action API internal changes in 1.31 ===
1062 * ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
1063 * ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
1064 * ApiBase::getProfileTime, deprecated since 1.25, was removed.
1065
1066 === Languages updated in 1.31 ===
1067 MediaWiki supports over 350 languages. Many localisations are updated
1068 regularly. Below only new and removed languages are listed, as well as
1069 changes to languages because of Phabricator reports.
1070
1071 * (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
1072 * (T182305) New language support: Nyungar (nys).
1073 * (T186359) New language support: Siberian Tatar [cебертатар] (sty).
1074 * (T186635) New language support: Guianan Creole (gcr).
1075 * (T186647) New language support: Kumyk [къумукъ] (kum).
1076 * (T187750) New language support: Spanish formal address (es-formal).
1077 * (T187824) New language support: Hungarian formal address (hu-formal).
1078 * (T189127) New language support: Gorontalo (gor).
1079
1080 === Breaking changes in 1.31 ===
1081 * MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
1082 * The OutputPage class constructor now requires a context parameter.
1083 Instantiating without context was deprecated in 1.18.
1084 * The mw.page JavaScript singleton, deprecated in 1.30, was removed.
1085 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
1086 related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
1087 * The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
1088 ::onArticleEdit() methods, deprecated in 1.24, were removed.
1089 * Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
1090 removed. Use ExecutableFinder::findInDefaultPaths() instead.
1091 * The deprecated MW_DIFF_VERSION constant was removed.
1092 DifferenceEngine::MW_DIFF_VERSION should be used instead.
1093 * Due to significant refactoring, method ContribsPager::getUserCond() that had
1094 no access restriction has been removed.
1095 * The Block class will no longer accept usable-but-missing usernames for
1096 'byText' or ->setBlocker(). Callers should either ensure the blocker exists
1097 locally or use a new interwiki-format username like "iw>Example".
1098 * The following methods and constants from the WatchedItem class, which were
1099 deprecated in 1.27, have been removed:
1100 * WatchedItem::getTitle()
1101 * WatchedItem::fromUserTitle()
1102 * WatchedItem::addWatch()
1103 * WatchedItem::removeWatch()
1104 * WatchedItem::isWatched()
1105 * WatchedItem::duplicateEntries()
1106 * WatchedItem::IGNORE_USER_RIGHTS
1107 * WatchedItem::CHECK_USER_RIGHTS
1108 * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
1109 * The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
1110 $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
1111 variable, has been deprecated since 1.27 and was removed as well.
1112 * The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
1113 $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
1114 variable, has been deprecated since 1.27 and was removed as well.
1115 * The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
1116 HtmlFormatter\HtmlFormatter class should be used instead.
1117 * The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
1118 The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
1119 default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
1120 * The following properties of PreparedEdit were deprecated in 1.21 and have
1121 been removed:
1122 * PreparedEdit->newText
1123 * PreparedEdit->oldText
1124 * PreparedEdit->pst
1125 * ParserOutput objects which are generated using a non-default value for
1126 ParserOptions::setWrapOutputClass() can no longer be added to the parser
1127 cache.
1128 * The following deprecated methods from the OutputPage class have been removed:
1129 * OutputPage::addExtensionStyle(); deprecated in 1.27
1130 * OutputPage::getExtStyle(); deprecated in 1.27
1131 * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
1132 * OutputPage::setSquidMaxage(); deprecated in 1.27
1133 * OutputPage::readOnlyPage(); deprecated in 1.25
1134 * OutputPage::rateLimited(); deprecated in 1.25
1135 * Additionally, the protected OutputPage::$mExtStyles array, only accessed
1136 through the above and with no known uses, was removed.
1137 * The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
1138 * The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
1139 were removed:
1140 * $isCssJsSubpage — use ::isUserConfigPage()
1141 * $isCssSubpage — use ::isUserCssConfigPage()
1142 * $isJsSubpage — use ::isUserJsConfigPage()
1143 * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
1144 * ::getSummaryInput() – use ::getSummaryInputWidget()
1145 * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
1146 * ::getCheckboxes() – use ::getCheckboxesWidget() or
1147 ::getCheckboxesDefinition()
1148 * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
1149 ::getCheckboxesDefinition()
1150 * ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
1151 * In User, the cookie-related methods which were wrappers for the functions on
1152 the response object, and were deprecated in 1.27, have been removed:
1153 * ::setCookie()
1154 * ::clearCookie()
1155 * ::setExtendedLoginCookie()
1156 Note that User::setCookies() remains, and is not deprecated.
1157 * Also in User, some auth-related methods which were deprecated in 1.27 have
1158 been removed:
1159 * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
1160 * ::getPasswordFactory() – create a PasswordFactory directly
1161 * ::passwordChangeInputAttribs()
1162 * The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
1163 been removed.
1164 * SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
1165 use ::getNames() instead.
1166 * OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
1167 can use ApiOpenSearch::getOpenSearchTemplate() instead.
1168 * The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
1169 Wikimedia\base_convert() directly.
1170 * Calling Database::begin() explicitly during an implicit transaction or when
1171 DBO_TRX is set results in an exception. Calling Database::commit() explicitly
1172 for an implicit transaction also results in an exception. Previously these
1173 were logged as errors. The startAtomic() and endAtomic() methods, or
1174 AtomicSectionUpdate should be used instead.
1175 * The global function wfOutputHandler() was removed, use the its replacement
1176 MediaWiki\OutputHandler::handle() instead. The global function was only
1177 sometimes defined. Its replacement is always available via the autoloader.
1178 * ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
1179 deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
1180 ::listSoftwareDefinedTags() instead.
1181 * Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
1182 use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
1183 * HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
1184 * The ProfileSection class, deprecated in 1.25 and unused, has been removed.
1185 * The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
1186 ResourceLoaderModule::getLessVars() to expose local variables instead of
1187 global ones.
1188 * As part of work to modernise user-generated content clean-up, a config option
1189 and some methods related to HTML validity were removed without deprecation.
1190 The public methods MWTidy::checkErrors() and the path through which it was
1191 called, TidyDriverBase::validate(), are removed, as are the testing methods
1192 MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
1193 The $wgValidateAllHtml configuration option is removed and will be ignored.
1194 * Execution of external programs using MediaWiki\Shell\Command now applies
1195 the RESTRICT_DEFAULT Firejail restriction by default.
1196 * The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
1197 deprecated in 1.26, were removed.
1198 * The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
1199 Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.
1200
1201 === Deprecations in 1.31 ===
1202 * The Revision class was deprecated in favor of RevisionStore, BlobStore, and
1203 RevisionRecord and its subclasses.
1204 * The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
1205 * The global function wfCountDown is now deprecated in favor of
1206 Maintenance::countDown.
1207 * Several methods for returning lists of fields to select from the database
1208 have been deprecated in favor of similar methods that also return the tables
1209 to select from and the join conditions for those tables.
1210 * Block::selectFields() → Block::getQueryInfo()
1211 * RecentChange::selectFields() → RecentChange::getQueryInfo()
1212 * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
1213 * LocalFile::selectFields() → LocalFile::getQueryInfo()
1214 * LocalFile::getCacheFields() with a prefix no longer works
1215 * LocalFile::getLazyCacheFields() with a prefix no longer works
1216 * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
1217 * RecentChange::selectFields() → RecentChange::getQueryInfo()
1218 * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
1219 * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
1220 * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
1221 * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
1222 * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
1223 * Revision::selectFields() → Revision::getQueryInfo()
1224 * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
1225 * User::selectFields() → User::getQueryInfo()
1226 * WikiPage::selectFields() → WikiPage::getQueryInfo()
1227 * Revision::setUserIdAndName() was deprecated.
1228 * Access to TitleValue class properties was deprecated, the relevant getters
1229 should be used instead.
1230 * DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
1231 override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
1232 * Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
1233 Maintenance::fatalError() instead.
1234 * Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
1235 * The RevisionInsertComplete hook is now deprecated; use instead the hook
1236 RevisionRecordInserted. RevisionInsertComplete is still called, but the second
1237 and third parameter will always be null. Hard deprecation is scheduled for
1238 1.32.
1239 * The following methods that get and set ParserOutput state are deprecated.
1240 Callers should use the new stateless $options parameter to
1241 ParserOutput::getText() instead.
1242 * ParserOptions::getEditSection()
1243 * ParserOptions::setEditSection()
1244 * ParserOutput::getEditSectionTokens()
1245 * ParserOutput::setEditSectionTokens()
1246 * ParserOutput::getTOCEnabled()
1247 * ParserOutput::setTOCEnabled()
1248 * OutputPage::enableSectionEditLinks()
1249 * OutputPage::sectionEditLinksEnabled()
1250 * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
1251 are also deprecated.
1252 * License::getLicenses has been deprecated; use License::getLines instead.
1253 * QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
1254 Setting template variables by reference allowed violating the principle of
1255 data being immutable once added to the skin template. In practice, this method
1256 was not being used for that. Rather, setRef() existed as memory optimisation
1257 for PHP 4.
1258 * QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
1259 favour of Skin::msg() parameters.
1260 * MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
1261 wfMessage().
1262 * Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
1263 'unwrap' transform to ParserOutput::getText() instead.
1264 * \ObjectFactory (no namespace) is deprecated, the namespaced class
1265 \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
1266 used instead.
1267 * CommentStore::newKey is deprecated. Instead, get an instance from
1268 MediaWikiServices.
1269 * The following CommentStore methods have had their signatures changed to
1270 introduce a $key parameter, usage of the methods on instances retrieved from
1271 CommentStore::newKey will remain unchanged but deprecated:
1272 * CommentStore::getFields
1273 * CommentStore::getJoin
1274 * CommentStore::getComment
1275 * CommentStore::getCommentLegacy
1276 * CommentStore::insert
1277 * CommentStore::insertWithTemplate
1278 * The following methods in Title have been renamed, and the old ones are
1279 deprecated:
1280 * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
1281 * Title::isCssOrJsPage – use ::isSiteConfigPage
1282 * Title::isCssJsSubpage – use ::isUserConfigPage
1283 * Title::isCssSubpage – use ::isUserCssConfigPage
1284 * Title::isJsSubpage – use ::isUserJsConfigPage
1285 * The following methods related to caching of half-parsed HTML were deprecated:
1286 * Parser::serializeHalfParsedText()
1287 * Parser::unserializeHalfParsedText()
1288 * Parser::isValidHalfParsedText()
1289 * StripState::getSubState()
1290 * StripState::merge()
1291 * The DeferredStringifier class is deprecated, use Message::listParam() instead.
1292 * The type string for the parameter $lang of DateFormatter::getInstance is
1293 deprecated.
1294 * Wikimedia\Rdbms\SavepointPostgres is deprecated.
1295 * The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
1296 used instead.
1297 * The function wfShellWikiCmd() has been deprecated, use
1298 MediaWiki\Shell::makeScriptCommand().
1299 * In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
1300 will be allowed to provide any HTMLForm object rather than PreferencesForm.
1301
1302 === Other changes in 1.31 ===
1303 * Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
1304 * Browser support for Opera 12 and older was dropped entirely. Opera 15+
1305 continues at Grade A.
1306 * Multi-content-revision capability was introduced into the storage layer. See
1307 <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
1308 * The "free" CSS class is now only applied to unbracketed URLs in wikitext.
1309 Links written using square brackets will get the class "text" not "free".
1310 * RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
1311 wikitext table captions, wikitext table headings, wikitext table cells. HTML
1312 headings, HTML list items, HTML table captions, HTML table headings, HTML
1313 table cells will not have this trimming behavior.
1314
1315 == Compatibility ==
1316 MediaWiki 1.31 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
1317 supported, it is generally advised to use PHP 7.0.0 or later for long term
1318 support.
1319
1320 MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
1321 but support for them is somewhat less mature. There is experimental support for
1322 Oracle and Microsoft SQL Server.
1323
1324 The supported versions are:
1325
1326 * MySQL 5.5.8 or later
1327 * PostgreSQL 9.2 or later
1328 * SQLite 3.3.7 or later
1329 * Oracle 9.0.1 or later
1330 * Microsoft SQL Server 2005 (9.00.1399)
1331
1332 == Upgrading ==
1333 1.31 has several database changes since 1.30, and will not work without schema
1334 updates. Note that due to changes to some very large tables like the revision
1335 table, the schema update may take quite long (minutes on a medium sized site,
1336 many hours on a large site).
1337
1338 Don't forget to always back up your database before upgrading!
1339
1340 See the file UPGRADE for more detailed upgrade instructions, including
1341 important information when upgrading from versions prior to 1.11.
1342
1343 For notes on 1.30.x and older releases, see HISTORY.
1344
1345 == Online documentation ==
1346 Documentation for both end-users and site administrators is available on
1347 MediaWiki.org, and is covered under the GNU Free Documentation License (except
1348 for pages that explicitly state that their contents are in the public domain):
1349
1350 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
1351
1352 == Mailing list ==
1353 A mailing list is available for MediaWiki user support and discussion:
1354
1355 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
1356
1357 A low-traffic announcements-only list is also available:
1358
1359 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
1360
1361 It's highly recommended that you sign up for one of these lists if you're
1362 going to run a public MediaWiki, so you can be notified of security fixes.
1363
1364 == IRC help ==
1365 There's usually someone online in #mediawiki on irc.freenode.net.
1366
1367
1368 = MediaWiki 1.30 =
1369
1370 == MediaWiki 1.30.2 ==
1371
1372 This is a security and maintenance release of the MediaWiki 1.30 branch.
1373
1374 === Changes since MediaWiki 1.30.1 ===
1375 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
1376 all titles when asked for none.
1377 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
1378 libraries.
1379 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
1380 * (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
1381 * (T207603) SECURITY: User JS may no longer be loaded with mime type
1382 text/javascript if there is no account associated with the username.
1383 * (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME
1384 type if non-admins can edit the page.
1385 * (T207541) Pass email address to mail().
1386 * Fix addition of ug_expiry column to user_groups table on MSSQL.
1387 * (T204531) rdbms: reduce LoadBalancer replication log spam.
1388 * (T213489) Avoid session double-start in Setup.php.
1389 * (T195525) Fix db error outage page.
1390 * (T208871) The hard-coded Google search form on the database error page was
1391 removed.
1392 * (T216968) Return pageid as int in both list=iwbacklinks and
1393 list=langbacklinks.
1394 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
1395 $wgBlockDisablesLogin is true.
1396 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
1397 token.
1398 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
1399 saveFileDependencies().
1400 * (T224374) Fix message parameters so that the message that says SQLite is out
1401 of date makes sense.
1402 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
1403 reauthenticating.
1404 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
1405 getLoginSecurityLevel() returns non-false.
1406 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
1407 * (T208881) SECURITY: blacklist CSS var().
1408 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
1409 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
1410 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
1411 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
1412 view the log type.
1413 * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.
1414
1415 == MediaWiki 1.30.1 ==
1416
1417 This is a security and maintenance release of the MediaWiki 1.30 branch.
1418
1419 === Changes since MediaWiki 1.30.0 ===
1420 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
1421 'newbie'.
1422 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
1423 account lock.
1424 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
1425 array.
1426 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1427 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
1428 include extensions. Pass --with-extensions to enable that feature.
1429 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
1430 * (T167507) selenium: Run Chrome headlessly.
1431 * selenium: Pass -no-sandbox to Chrome under Docker.
1432 * (T179190) selenium: Move logic for running tests from package.json to
1433 selenium.sh
1434 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
1435 * Add default edit rate limit of 90 edits/minute for all users.
1436 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
1437 * oojs/oojs-ui updated to remove an unnecessary dependancy.
1438 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
1439 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
1440 hook.
1441 * (T196672) The mtime of extension.json files is now able to be zero
1442 * (T180403) Validate $length in padleft/padright parser functions.
1443 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
1444 * (T193995) Fix undefined patchPath() method call in parser tests.
1445 * Special:BotPasswords now requires reauthentication.
1446 * (T191608, T187638) Add 'logid' parameter to Special:Log.
1447 * (T193829) Indicate when a Bot Password needs reset.
1448 * (T151415) Log email changes.
1449 * (T200861) Fix total breakage of SQLite web upgrade.
1450 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
1451 hooks.
1452 * (T190539) Explicitly require Postgres 9.1.
1453 * (T118420) Unbreak Oracle installer.
1454
1455 == MediaWiki 1.30.0 ==
1456
1457 === Changes since MediaWiki 1.30.0-rc.0 ===
1458 * Upgraded Moment.js from v2.15.0 to v2.19.3.
1459 * Add ip_changes to postgres/tables.sql.
1460 * Skip null shell parameters.
1461 * Add wfWaitForSlaves() to maintenance/migrateComments.php.
1462 * (T182245) Fix join conditions in ImageListPager.
1463 * (T178626) Revert #contentSub and #jump-to-nav margin changes.
1464
1465 === MySQL version requirement in 1.30 ===
1466 As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
1467 section).
1468
1469 === Configuration changes in 1.30 ===
1470 * The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
1471 unexpected behavior when code uses locale-sensitive string comparisons. For
1472 example, the Scribunto extension considers "bar" < "Foo" in most locales
1473 since it ignores case.
1474 * $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
1475 documentation of $wgShellLocale for details.
1476 * $wgShellLocale is now applied for all requests. wfInitShellLocale() is
1477 deprecated and a no-op, as it is no longer needed.
1478 * $wgJobClasses may now specify callback functions as an alternative to plain
1479 class names. This is intended for extensions that want control over the
1480 instantiation of their jobs, to allow for proper dependency injection.
1481 * $wgResourceModules may now specify callback functions as an alternative
1482 to plain class names, using the 'factory' key in the module description
1483 array. This allows dependency injection to be used for ResourceLoader modules.
1484 * $wgExceptionHooks has been removed.
1485 * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
1486 of IP ranges that can be queried at Special:Contributions.
1487 * (T45547) $wgUsePigLatinVariant added (off by default).
1488 * (T152540) MediaWiki now supports a section ID escaping style that allows to
1489 display non-Latin characters verbatim on many modern browsers. This is
1490 controlled by the new configuration setting, $wgFragmentMode.
1491 * $wgExperimentalHtmlIds is now deprecated and will be removed in a future
1492 version, use $wgFragmentMode to migrate off it to a modern alternative.
1493 * $wgExternalInterwikiFragmentMode was introduced to control how fragments in
1494 sinterwikis going outside of current wiki farm are encoded.
1495 * (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of
1496 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0.
1497 MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if
1498 explicitly requested through the configuration parameter $wgDBservers.
1499 * $wgOOUIEditPage was removed, as it is now the default. This was documented as
1500 a temporary variable during the migration period.
1501
1502 === New features in 1.30 ===
1503 * (T37247) Output from Parser::parse() will now be wrapped in a div with
1504 class="mw-parser-output" by default. This may be changed or disabled using
1505 ParserOptions::setWrapOutputClass().
1506 * (T163562) Added ability to search for contributions within an IP ranges
1507 at Special:Contributions.
1508 * Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
1509 specific tags to be added by users.
1510 * Added a 'ParserOptionsRegister' hook to allow extensions to register
1511 additional parser options.
1512 * (T45547) Included Pig Latin, a language game in English, as a
1513 LanguageConverter variant. This allows English-speaking developers
1514 to develop and test LanguageConverter more easily. Pig Latin can be
1515 enabled by setting $wgUsePigLatinVariant to true.
1516 * Added RecentChangesPurgeRows hook to allow extensions to purge data that
1517 depends on the recentchanges table.
1518 * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
1519 * (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
1520 'watchlistunwatchlinks' preference option is enabled). With JavaScript
1521 enabled, these links toggle so the user can also re-watch pages that have
1522 just been unwatched.
1523 * Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
1524 MediaHandlerFactory for parser tests.
1525 * Edit summaries, block reasons, and other "comments" are now stored in a
1526 separate database table. Use the CommentFormatter class to access them.
1527 ** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
1528 can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
1529 soon as any necessary extensions are updated.
1530 * (T138166) Added ability for users to prohibit other users from sending them
1531 emails with Special:Emailuser. Can be enabled by setting
1532 $wgEnableUserEmailBlacklist to true.
1533 * (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no
1534 effect. Instead, users using browsers that do not support Unicode will be
1535 unable to edit and should upgrade to a modern browser instead.
1536
1537 === External library changes in 1.30 ===
1538
1539 ==== Upgraded external libraries ====
1540 * Updated justinrainbow/json-schema from v3.0 to v5.2.
1541 * Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
1542 * Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
1543 * Updated wikimedia/relpath from v1.0.3 to v2.0.0.
1544 * Updated OOjs from v2.0.0 to v2.1.0.
1545 * Updated OOUI from v0.21.1 to v0.23.0.
1546 * Updated QUnit from v1.23.1 to v2.4.0.
1547 * Updated phpunit/phpunit from v4.8.35 to v4.8.36.
1548 * Upgraded Moment.js from v2.15.0 to v2.19.3.
1549
1550 ==== New external libraries ====
1551 * The class \TestingAccessWrapper has been moved to the external library
1552 wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
1553 * Purtle, a fast, lightweight RDF generator.
1554
1555 ==== Removed and replaced external libraries ====
1556 * …
1557
1558 === Bug fixes in 1.30 ===
1559 * (T151633) Ordered list items use now Devanagari digits in Nepalese
1560 (thanks to Sfic)
1561
1562 === Action API changes in 1.30 ===
1563 * (T37247) action=parse output will be wrapped in a div with
1564 class="mw-parser-output" by default. This may be changed or disabled using
1565 the new 'wrapoutputclass' parameter.
1566 * When errorformat is not 'bc', abort reasons from action=login will be
1567 formatted as specified by the error formatter parameters.
1568 * action=compare can now handle arbitrary text, deleted revisions, and
1569 returning users and edit comments.
1570 * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
1571 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
1572 parameters to prop=revisions are deprecated, as are the similarly named
1573 parameters to prop=deletedrevisions, list=allrevisions, and
1574 list=alldeletedrevisions. Use action=compare, action=parse, or
1575 action=expandtemplates instead.
1576
1577 === Action API internal changes in 1.30 ===
1578 * ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
1579 deprecated. The existing message should be split between "apihelp-*-summary"
1580 and "apihelp-*-extended-description".
1581 * (T123931) Individual values of multi-valued parameters can now be marked as
1582 deprecated.
1583
1584 === Languages updated in 1.30 ===
1585 MediaWiki supports over 350 languages. Many localisations are updated
1586 regularly. Below only new and removed languages are listed, as well as
1587 changes to languages because of Phabricator reports.
1588
1589 * Added: kbp (Kabɩyɛ / Kabiyè)
1590 * Added: skr (Saraiki, سرائیکی)
1591 * Added: tay (Tayal / Atayal)
1592 * Removed: tokipona (Toki Pona)
1593
1594 ==== Pig Latin added ====
1595 * (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
1596 for easier variant development and testing. Disabled by default. It can be
1597 enabled by setting $wgUsePigLatinVariant to true.
1598
1599 === Other changes in 1.30 ===
1600 * The use of an associative array for $wgProxyList, where the IP address is in
1601 the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
1602 Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
1603 * mw.user.bucket (deprecated in 1.23) was removed.
1604 * LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
1605 deprecated. There are no known callers.
1606 * File::getStreamHeaders() was deprecated.
1607 * MediaHandler::getStreamHeaders() was deprecated.
1608 * Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
1609 used instead.
1610 * MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
1611 should be used instead.
1612 * The ExtractThumbParameters hook (deprecated in 1.21) was removed.
1613 * The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
1614 deprecated in 1.24) were removed.
1615 * wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
1616 BagOStuff::makeGlobalKey() should be used instead.
1617 * (T146304) Preprocessor handling of LanguageConverter markup has been improved.
1618 As a result of the new uniform handling, '-{' may need to be escaped
1619 (for example, as '-<nowiki/>{') where it occurs inside template arguments
1620 or wikilinks.
1621 * (T163966) Page moves are now counted as edits for the purposes of
1622 autopromotion, i.e., they increment the user_editcount field in the database.
1623 * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
1624 manipulating Special:Log and Special:NewPages lines.
1625 * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
1626 PageHistoryLineEnding, ContributionsLineEnding and
1627 DeletedContributionsLineEnding hooks have an additional parameter, for
1628 manipulating HTML data attributes of RC/history lines.
1629 EnhancedChangesListModifyBlockLineData can do that via the
1630 $data['attribs'] subarray.
1631 * (T130632) The OutputPage::enableTOC() method was removed.
1632 * WikiPage::getParserOutput() will now throw an exception if passed
1633 ParserOptions that would pollute the parser cache. Callers should use
1634 WikiPage::makeParserOptions() to create the ParserOptions object and only
1635 change options that affect the parser cache key.
1636 * Article::viewRedirect() is deprecated.
1637 * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
1638 * DeprecatedGlobal no longer supports passing in a direct value, it requires a
1639 callable factory function or a class name.
1640 * The $parserMemc global, wfGetParserCacheStorage(), and
1641 ParserCache::singleton() are all deprecated. The main ParserCache instance
1642 should be obtained from MediaWikiServices instead. Access to the underlying
1643 BagOStuff is possible through the new ParserCache::getCacheStorage() method.
1644 * .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
1645 * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
1646 escapeIdForLink() or escapeIdForExternalInterwiki() instead.
1647 * Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
1648 Sanitizer functions or, if possible, Title::getFragmentForURL().
1649 * Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
1650 nothing and is deprecated.
1651 * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
1652 escapeIdForLink().
1653 * MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
1654 * WikiImporter now requires the second parameter to be an instance of the
1655 Config, class. Prior to that, the Config parameter was optional (a behavior
1656 deprecated in 1.25).
1657 * Removed 'jquery.mwExtension' module. (deprecated since 1.26)
1658 * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
1659 any more.
1660 * CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
1661 The namespaced classes in the Cdb namespace should be used instead.
1662 * IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
1663 should be used instead.
1664 * RunningStat class (deprecated in 1.27) was removed. The namespaced
1665 RunningStat\RunningStat should be used instead.
1666 * MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were
1667 removed.
1668 The MemcachedClient class should be used instead.
1669 * EditPage underwent some refactoring and deprecations:
1670 * EditPage::isOouiEnabled() is deprecated and will always return true.
1671 * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated.
1672 Please use ::getSummaryInputWidget() instead.
1673 * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
1674 use ::getCheckboxesWidget() instead.
1675 * Creating an EditPage instance without calling EditPage::setContextTitle()
1676 should be avoided and will be deprecated in a future release.
1677 * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and
1678 no-ops.
1679 * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are
1680 deprecated. The corresponding methods from Title should be used instead.
1681 * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
1682 * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The
1683 getters ::getArticle() and ::getTitle() should be used instead.
1684 * Trying to control or fake EditPage context by overriding $wgUser,
1685 $wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The
1686 IContextSource returned from EditPage::getContext() must be modified
1687 instead.
1688 * Parser::getRandomString() (deprecated in 1.26) was removed.
1689 * Parser::uniqPrefix() (deprecated in 1.26) was removed.
1690 * Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
1691 $uniq_prefix was deprecated in 1.26 and has now been removed.
1692 * (T172514) The following tables have had their UNIQUE indexes turned into
1693 proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks,
1694 iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks,
1695 query_cache, site_stats, templatelinks, text, transcache, user_former_groups,
1696 user_properties.
1697 * IDatabase::nextSequenceValue() is no longer needed by any database backends
1698 (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
1699 * (T146591) The lc_lang_key index on the l10n_cache table has been changed into
1700 a PRIMARY KEY.
1701 * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
1702 page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
1703 user_properties.up_user have all been made unsigned on MySQL.
1704 * DB_SLAVE is deprecated. DB_REPLICA should be used instead.
1705 * wfUsePHP() is deprecated.
1706 * wfFixSessionID() was removed.
1707 * wfShellExec() and related functions are deprecated, use Shell::command(). This
1708 also slightly changes the behavior of how execution time limits are calculated
1709 when only some of defaults are overridden per-call. When in doubt, always
1710 override both wall clock and CPU time.
1711 * (T138166) SpecialEmailUser::getTarget() now requires a second argument, the
1712 sending user object. Using the method without the second argument is
1713 deprecated.
1714 * (T67297) Browsers that don't support Unicode will have their edits rejected.
1715 * (T178450) The module 'jquery.badge' is deprecated and will be removed in a
1716 future release. For notifying the user of an event, the Notifications ("Echo")
1717 system should be used instead.
1718 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1719 browser sends non-standard url escaping.
1720 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1721
1722 = MediaWiki 1.29 =
1723
1724 == MediaWiki 1.29.3 ==
1725
1726 This is a security and maintenance release of the MediaWiki 1.29 branch.
1727
1728 === Changes since 1.29.2 ===
1729 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
1730 'newbie'.
1731 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
1732 account lock.
1733 * (T180551) Fix LanguageSrTest for language converter
1734 * (T180552) Fix langauge converter parser test with self-close tags
1735 * (T180537) Remove $wgAuth usage from wrapOldPasswords.php
1736 * (T180485) InputBox: Have inputbox langconvert certain attributes
1737 * (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
1738 * (T172927) Drop vendor from MW release branch
1739 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
1740 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
1741 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
1742 include extensions. Pass --with-extensions to enable that feature.
1743 * (T182381) Mask deprecated call in WatchedItemUnitTest
1744 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
1745 * The karma qunit tests would fail on some configuration due to headers already
1746 sent. Check headers_sent() before sending cpPosTime headers
1747 * (T167507) selenium: Run Chrome headlessly.
1748 * selenium: Pass -no-sandbox to Chrome under Docker
1749 * (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
1750 * (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
1751 fails under SQLite.
1752 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
1753 * (T179190) selenium: Move test running logic from package.json to selenium.sh.
1754 * (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
1755 * Add default edit rate limit of 90 edits/minute for all users.
1756 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
1757 * (T196672) The mtime of extension.json files is now able to be zero
1758 * (T180403) Validate $length in padleft/padright parser functions.
1759 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
1760 * (T194237) Special:BotPasswords now requires reauthentication.
1761 * (T191608, T187638) Add 'logid' parameter to Special:Log.
1762 * (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
1763 * (T193829) Indicate when a Bot Password needs reset.
1764 * (T151415) Log email changes.
1765 * (T118420) Unbreak Oracle installer.
1766
1767 == MediaWiki 1.29.2 ==
1768
1769 This is a security and maintenance release of the MediaWiki 1.29 branch.
1770
1771 === Changes since 1.29.1 ===
1772 * (T166757) Avoid scoped lock errors in Category::refreshCounts() due to
1773 nesting.
1774 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
1775 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
1776 * Fixed login button label to accept RawMessage.
1777 * Fixed case of SpecialRecentChanges class usage.
1778 * (T174255) Declare uploadCount property in importDump.php.
1779 * (T163646) Pass a string not an int to mysql_real_escape_string().
1780 * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
1781 * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
1782 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
1783 browser sends non-standard url escaping.
1784 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1785 * (T128209) SECURITY: Reflected File Download from api.php.
1786 * (T134100) SECURITY: Do not reveal if user exists during login failure.
1787 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
1788 * (T125163) SECURITY: Make anchor for headlines escape > and <.
1789 * (T180237) SECURITY: Protect vendor folder with .htaccess.
1790 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
1791 update.php.
1792 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
1793 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
1794 * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly
1795 fixed in all branches in the previous security release.
1796
1797 == MediaWiki 1.29.1 ==
1798
1799 This is a maintenance release of the MediaWiki 1.29 branch.
1800
1801 The SpamBlacklist and PdfHandler extensions were missing from the generated
1802 packages.
1803
1804 === Changes since 1.29.1 ===
1805 * (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
1806 * (T172061) Fix fatal when passing a category to refreshLinks.php.
1807
1808 == MediaWiki 1.29.0 ==
1809
1810 === Configuration changes in 1.29 ===
1811 * Default cookie expiration time has been reduced to 30 days. Login cookie
1812 expiration time is kept at 180 days.
1813 * A new configuration variable has been added: $wgCookieSetOnAutoblock. This
1814 determines whether to set a cookie when a user is autoblocked. Doing so means
1815 that a blocked user, even after logging out and moving to a new IP address,
1816 will still be blocked.
1817 * The resetpassword right and associated password reset capture feature has
1818 been removed.
1819 * The $error parameter to the EmailUser hook should be set to a Status object
1820 or boolean false. This should be compatible with at least MediaWiki 1.23 if
1821 not earlier. Returning a raw HTML string is now deprecated.
1822 * The $message parameter to the ApiCheckCanExecute hook should be set to an
1823 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
1824 code for ApiBase::parseMsg() will no longer work.
1825 * ApiBase::$messageMap is no longer public. Code attempting to access it will
1826 result in a PHP fatal error.
1827 * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
1828 policies.
1829 * Subpages are now enabled by default in the Template namespace. Set
1830 $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
1831 * $wgRunJobsAsync is now false by default (T142751). This change only affects
1832 wikis with $wgJobRunRate > 0.
1833 * (T158474) "Unknown user" has been added to $wgReservedUsernames.
1834 * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single
1835 IPs.
1836 * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
1837 added to $wgExtraLanguageCodes instead.
1838 * (T161453) LocalisationCache will no longer use the temporary directory in it's
1839 fallback chain when trying to work out where to write the cache.
1840 * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
1841 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
1842
1843 === New features in 1.29 ===
1844 * (T5233) A cookie can now be set when a user is autoblocked, to track that user
1845 if they move to a new IP address. This is disabled by default.
1846 * Added ILocalizedException interface to standardize the use of localized
1847 exceptions, largely so the API can handle them more sensibly.
1848 * Blocks created automatically by MediaWiki, such as for configured proxies or
1849 dnsbls, are now indicated as such and use a new i18n message when displayed.
1850 * Added new $wgHTTPImportTimeout setting. Sets timeout for
1851 downloading the XML dump during a transwiki import in seconds.
1852 * Parser limit report is now available in machine-readable format to JavaScript
1853 via mw.config.get('wgPageParseReport').
1854 * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
1855 from certain IP ranges (e.g. private IPs).
1856 * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
1857 of the page being parsed.
1858 * HTML5 form validation attributes will no longer be suppressed. Originally
1859 browsers had poor support for them, but modern browsers handle them fine.
1860 This might affect some forms that used them and only worked because the
1861 attributes were not actually being set.
1862 * Expiry times can now be specified when users are added to user groups.
1863 * Completely new user interface for the RecentChanges page, which
1864 structures filters into user-friendly groups. This has corresponding
1865 changes to how filters are registered by core and extensions.
1866 * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
1867 Because this change can cause problems for extensions and on-wiki
1868 scripts depending on the exact HTML, the old version is still available
1869 and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
1870 This will be removed later and OOjs UI will become the only option.
1871 To make testing easier, users can also force either mode by adding
1872 &ooui=true or &ooui=false to the action=edit URL.
1873
1874 === External library changes in 1.29 ===
1875
1876 ==== Upgraded external libraries ====
1877 * Updated QUnit from v1.22.0 to v1.23.1.
1878 * Updated cssjanus from v1.1.2 to v1.2.0.
1879 * Updated psr/log from v1.0.0 to v1.0.2.
1880 * Update Moment.js from v2.8.4 to v2.15.0.
1881 * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
1882 * Updated monolog from v1.18.2 to 1.22.1.
1883 * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
1884 * Updated OOjs from v1.1.10 to v2.0.0.
1885 * Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
1886
1887 ==== New external libraries ====
1888 * Added wikimedia/timestamp v1.0.0.
1889 * Added wikimedia/remex-html v1.0.1.
1890
1891 ==== Removed and replaced external libraries ====
1892
1893 === Bug fixes in 1.29 ===
1894 * (T62604) Core parser functions returning a number now format the number
1895 according to the page content language, not wiki content language.
1896 * (T27187) Search suggestions based on jquery.suggestions will now correctly
1897 only highlight prefix matches in the results.
1898 * (T157035) "new mw.Uri()" was ignoring options when using default URI.
1899 * Special:Allpages can no longer be filtered by redirect in miser mode.
1900 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
1901 installed.
1902 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
1903 redirect to interwiki links.
1904 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
1905 $wgAdvancedSearchHighlighting is true.
1906 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
1907 their values out of the logs.
1908 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
1909 CSRF token.
1910 * (T156184) SECURITY: Escape content model/format url parameter in message.
1911 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
1912 declaration.
1913 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
1914 directory in it's fallback chain when trying to work out where to write the
1915 cache.
1916 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
1917 inclusion syntax's link parameter.
1918 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
1919 against it.
1920
1921 === Action API changes in 1.29 ===
1922 * Submitting sensitive authentication request parameters to action=login,
1923 action=clientlogin, action=createaccount, action=linkaccount, and
1924 action=changeauthenticationdata in the query string is now an error. They
1925 should be submitted in the POST body instead.
1926 * The capture option for action=resetpassword has been removed
1927 * action=clearhasmsg now requires a POST.
1928 * (T47843) API errors and warnings may be requested in non-English languages
1929 using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
1930 * API error codes may have changed. Most notably, errors from modules using
1931 parameter prefixes (e.g. all query submodules) will no longer be prefixed.
1932 * ApiPageSet-using modules will report the 'invalidreason' using the specified
1933 'errorformat'.
1934 * action=emailuser may return a "Warnings" status, and now returns 'warnings'
1935 and 'errors' subelements (as applicable) instead of 'message'.
1936 * action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
1937 * action=move now reports errors when moving the talk page as an array under
1938 key 'talkmove-errors', rather than using 'talkmove-error-code' and
1939 'talkmove-error-info'. The format for subpage move errors has also changed.
1940 * action=revisiondelete no longer includes a "rendered" property on warnings
1941 and errors for each item. Use errorformat=wikitext if you're wanting parsed
1942 output.
1943 * action=rollback no longer returns a "messageHtml" property. Use
1944 errorformat=html if you're wanting HTML formatting of error messages.
1945 * action=upload now reports optional stash failures as an array under key
1946 'stasherrors' rather than a 'stashfailed' text string.
1947 * action=watch reports 'errors' and 'warnings' instead of a single 'error', and
1948 no longer returns a 'message' on success.
1949 * Added action=validatepassword to validate passwords for the account creation
1950 and password change forms.
1951 * action=purge now requires a POST.
1952 * There is a new `languagevariants` siprop for action=query&meta=siteinfo,
1953 which returns a list of languages with active LanguageConverter instances.
1954 * action=query&query=allpages will no longer filter redirects using a database
1955 query in miser mode. This may result in less results being returned than were
1956 requested.
1957
1958 === Action API internal changes in 1.29 ===
1959 * New methods were added to ApiBase to handle errors and warnings using i18n
1960 keys. Methods for using hard-coded English messages were deprecated:
1961 * ApiBase::dieUsage() was deprecated
1962 * ApiBase::dieUsageMsg() was deprecated
1963 * ApiBase::dieUsageMsgOrDebug() was deprecated
1964 * ApiBase::getErrorFromStatus() was deprecated
1965 * ApiBase::parseMsg() was deprecated
1966 * ApiBase::setWarning() was deprecated
1967 * ApiBase::$messageMap is no longer public. Code attempting to access it will
1968 result in a PHP fatal error.
1969 * The $message parameter to the ApiCheckCanExecute hook should be set to an
1970 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
1971 code for ApiBase::parseMsg() will no longer work.
1972 * UsageException is deprecated in favor of ApiUsageException. For the time
1973 being ApiUsageException is a subclass of UsageException to allow things that
1974 catch only UsageException to still function properly.
1975 * If, for some strange reason, code was using an ApiErrorFormatter instead of
1976 ApiErrorFormatter_BackCompat, note that the result format has changed and
1977 various methods now take a module path rather than a module name.
1978 * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
1979 from the message key, and maps some message keys for backwards compatibility.
1980 * API parameters may now be marked as "sensitive" to keep their values out of
1981 the logs.
1982
1983 === Languages updated in 1.29 ===
1984
1985 MediaWiki supports over 350 languages. Many localisations are updated
1986 regularly. Below only new and removed languages are listed, as well as
1987 changes to languages because of Phabricator reports.
1988
1989 * Based as always on linguistic studies on intelligibility and language
1990 knowledge by geography, language fallbacks have been expanded. When a
1991 translation is missing in the user's preferred interface language, the
1992 corresponding translation for the fallback language will be used instead.
1993 English will only be used as last resort when there are no translations.
1994 Some configurations (such as date formats and gender namespaces) have also
1995 been updated when using the fallback language's configuration was inadequate.
1996 The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
1997 ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
1998 sh → bs, sr-el, hr.
1999 * (T137376) New language support: Atikamekw (atj).
2000 * (T163600) New language support: Dinka (din).
2001 * (T155957) Talk Namespaces for Javanese language (jv) have been updated.
2002
2003 ==== No fallback for Ukrainian ====
2004 * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
2005 language will now use the default fallback language: English. When a
2006 translation to Ukrainian is not available, an English string will be shown.
2007
2008 === Other changes in 1.29 ===
2009 * Database::getSearchEngine() (deprecated in 1.28) was removed. Use
2010 SearchEngineFactory::getSearchEngineClass() instead.
2011 * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
2012 required as all sessions are stored in Object Cache now.
2013 * MWHttpRequest::execute() should be considered to return a StatusValue; the
2014 Status return type is deprecated.
2015 * User::edits() (deprecated in 1.21) was removed.
2016 * Xml::escapeJsString() (deprecated in 1.21) was removed.
2017 * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
2018 were removed.
2019 * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
2020 were removed.
2021 * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use
2022 ArticleContentViewCustom instead.
2023 * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
2024 * Class RevisiondeleteAction (deprecated in 1.25) was removed.
2025 * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
2026 * WikiPage::getText() (deprecated in 1.21) was removed.
2027 * Article::fetchContent() (deprecated in 1.21) was removed.
2028 * User::getPassword() (deprecated in 1.27) was removed.
2029 * User::getTemporaryPassword() (deprecated in 1.27) was removed.
2030 * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
2031 * Class FSRepo (deprecated in 1.19) was removed.
2032 * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
2033 \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId()
2034 instead.
2035 * Class ImageGallery (deprecated in 1.22) was removed.
2036 Use ImageGalleryBase::factory instead.
2037 * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class
2038 instead.
2039 * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
2040 emit warnings). Create a subclass of Action and add it to $wgActions instead.
2041 * WikiRevision::getText() (deprecated since 1.21) is no longer marked
2042 deprecated.
2043 * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
2044 * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
2045 * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
2046 * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
2047 * RedisConnectionPool::handleException (deprecated since 1.23) was removed.
2048 * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
2049 and outdated lists of errors/warnings returned by the API, are now deprecated.
2050 * wiki.phtml entry point was removed. Refer to index.php instead. If you want
2051 "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can
2052 be done by enabling mod_rewrite and adding the following rules to your
2053 configuration:
2054
2055 RewriteEngine On
2056 RewriteBase /
2057 RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
2058 * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
2059 Use ArticleAfterFetchContentObject instead.
2060 * Hook ArticleInsertComplete (deprecated in 1.21) was removed.
2061 Use PageContentInsertComplete instead.
2062 * Hook ArticleSave (deprecated in 1.21) was removed.
2063 Use PageContentSave instead.
2064 * Hook ArticleSaveComplete (deprecated in 1.21) was removed.
2065 Use PageContentSaveComplete instead.
2066 * Hook EditFilterMerged (deprecated in 1.21) was removed.
2067 Use EditFilterMergedContent instead.
2068 * Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
2069 Use EditPageGetPreviewContent instead.
2070 * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
2071 Use ContentHandlerDefaultModelFor instead.
2072 * Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
2073 Use ContentHandlerDefaultModelFor instead.
2074 * Article::getContent() (deprecated in 1.21) was removed.
2075 * Revision::getText() (deprecated in 1.21) was removed.
2076 * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
2077 * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
2078 * Article::doEditContent() was marked as deprecated, to be removed in 1.30
2079 or later.
2080 * ContentHandler::runLegacyHooks() was removed.
2081 * refreshLinks.php now can be limited to a particular category with
2082 --category=... or a tracking category with --tracking-category=...
2083 * User-like objects that are passed to SpecialUserRights and its subclasses are
2084 now required to have a getGroupMemberships() method. See UserRightsProxy for
2085 an example.
2086 * User::$mGroups (instance variable) was marked private. Use User::getGroups()
2087 instead.
2088 * User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
2089 User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
2090 Use equivalent methods on the UserGroupMembership class.
2091 * Maintenance scripts and tests that call User::addGroup() must now ensure that
2092 User objects have been added to the database prior to calling addGroup().
2093 * Protected function UsersPager::getGroups() was removed, and protected function
2094 UsersPager::buildGroupLink() was changed from a static to an instance method.
2095 * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
2096 see docs/hooks.txt.
2097 * User::crypt() (deprecated in 1.24) was removed.
2098 * User::comparePasswords() (deprecated in 1.24) was removed.
2099 * ArchivedFile::getUserText() (deprecated in 1.23) was removed.
2100 * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
2101 * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
2102 and subclasses. It should only break if you call buildMainQueryConds
2103 (changed to buildQuery with new signature) or doMainQuery (new
2104 signature). Subclasses are likely to call at least doMainQuery
2105 (possibly both), but other classes might too, because they were
2106 public.
2107 Also, some related hooks were deprecated, but this is not yet a
2108 breaking change.
2109 * Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
2110 * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
2111 * WikiRevision::$fileIsTemp was deprecated.
2112 * WikiRevision::$importer was deprecated.
2113 * WikiRevision::$user was deprecated.
2114 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
2115 WikiPage::PURGE_* constants are deprecated, and the functions will always
2116 return false. They were a hack for an issue that has since been fixed.
2117 * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
2118 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
2119 if you don't actually care about checkboxes and just want to add some HTML
2120 to the page.
2121 * Selflinks are now rendered as href-less <a> tags with the class mw-selflink
2122 rather than <strong> tags. The old class name, "selflink", was deprecated
2123 and will be removed in a future release. (T160480)
2124 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2125 * Browser support for non-ES5 JavaScript browsers, including Android 2,
2126 Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
2127 * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
2128 is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
2129 webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
2130 opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
2131 ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
2132 addClickHandler, removeHandler, getElementsByClassName, getInnerText,
2133 setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
2134 mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
2135 escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
2136 tooltipAccessKeyRegexp, updateTooltipAccessKeys.
2137 * The ID of the <li> element containing the login link has changed from
2138 'pt-login' to 'pt-login-private' in private wikis.
2139 * The old, neglected "bulletin board style toolbar" in the edit form is now
2140 deprecated (T30856). This old code dates from 2006, and was replaced in the
2141 MediaWiki release tarball and in Wikimedia production by the WikiEditor
2142 extension in 2010. It is only shown to users if no other editor was
2143 installed, and leads to confusion.
2144 * (T92459) Loading ResourceLoader modules containing JavaScript through
2145 addModuleStyles() is deprecated and will log a warning server-side.
2146
2147 = MediaWiki 1.28 =
2148
2149 == MediaWiki 1.28.3 ==
2150
2151 This is a security and maintenance release of the MediaWiki 1.28 branch.
2152
2153 === Changes since 1.28.2 ==
2154 * (T168856) Allow SVGs created by Dia to be uploaded.
2155 * (T157545) Add missing doUpdates() call to refreshLinks.php.
2156 * (T165714) (T100085) Better handling of jobs execution in post-connection
2157 shutdown.
2158 * (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of
2159 Database->onTransactionIdle.
2160 * (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
2161 * (T149454) Restore erroneously removed realTableName call from
2162 DatabasePostgres.
2163 * (T167798) Fix phrase search and highlighting for phrase queries.
2164 * (T151136) Provide credits information to callbacks in extension registration.
2165 * (T160462) Allow namespaces defined in extension.json to be overwritten
2166 locally.
2167 * (T168337) Fix ErrorPageError to work from non-UI contexts.
2168 * (T143788) Backports for PHP 7.0 and 7.1 support.
2169 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
2170 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
2171 * (T174255) Declare uploadCount property in importDump.php.
2172 * (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to
2173 v4.8.36.
2174 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
2175 browser sends non-standard url escaping.
2176 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
2177 * (T128209) SECURITY: Reflected File Download from api.php.
2178 * (T134100) SECURITY: Do not reveal if user exists during login failure.
2179 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
2180 * (T125163) SECURITY: Make anchor for headlines escape > and <.
2181 * (T180237) SECURITY: Protect vendor folder with .htaccess.
2182 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
2183 update.php.
2184 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
2185 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
2186
2187 == MediaWiki 1.28.2 ==
2188
2189 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
2190 included in the tarball version of MediaWiki 1.28.1. The version included had a
2191 serious security issue in it (T158689). There was also some minor code fixes in
2192 MediaWiki itself since 1.28.1, but none of them were security relevant.
2193
2194 == MediaWiki 1.28.1 ==
2195
2196 This is a security and maintenance release of the MediaWiki 1.28 branch.
2197
2198 === Changes since 1.28.0 ===
2199
2200 * $wgRunJobsAsync is now false by default (T142751). This change only affects
2201 wikis with $wgJobRunRate > 0.
2202 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki
2203 has more than one database server setup.
2204 * (T152717) Better escaping for PHP mail() command,
2205 * (T154670) A missing method causing the MySQL installer to fatal in rare
2206 circumstances was restored.
2207 * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
2208 * (T158766) Avoid SQL error on MSSQL when using selectRowCount().
2209 * (T145635) Fix too long index error when installing with MSSQL.
2210 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2211 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
2212 installed.
2213 * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28
2214 installs.
2215 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
2216 redirect to interwiki links.
2217 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
2218 $wgAdvancedSearchHighlighting is true.
2219 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
2220 their values out of the logs.
2221 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
2222 CSRF token.
2223 * (T156184) SECURITY: Escape content model/format url parameter in message.
2224 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
2225 declaration.
2226 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
2227 directory in it's fallback chain when trying to work out where to write the
2228 cache.
2229 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
2230 inclusion syntax's link parameter.
2231 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
2232 against it.
2233
2234 == MediaWiki 1.28 ==
2235
2236 === Changes since 1.28.0-rc1 ===
2237 * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
2238 errors.
2239 * (T148956) Only apply wgDBschema to postgres/mssql.
2240 * (T145991) Introduce separate log action for deleting pages on move.
2241 * (T141474) (T110464) Bypass login page if no user input is required.
2242
2243 === Changes since 1.28.0-rc0 ===
2244 * (T142210) The changes to move the parser "NewPP limit report" from a HTML
2245 comment to a machine-readable JavaScript config option 'wgPageParseReport'
2246 have been undone. They caused the human-readable limit report to be shown
2247 incompletely or not at all. ParserOutput::setLimitReportData() and
2248 getLimitReportData() behave as they did in MediaWiki 1.27 again.
2249 * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
2250 the text of subheadings on a category page when creating it. This wasn't
2251 working correctly.
2252 * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
2253 canonical pretty URL when a non-pretty URL is used. It resulted in redirect
2254 loops in some clients and in some server configurations. This undoes a change
2255 made in MediaWiki 1.26.
2256 * (T149759) manifest_version: 2 was removed.
2257
2258 === Configuration changes in 1.28 ===
2259 * $wgSend404Code now affects status code of action=history if the page is not
2260 there.
2261 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
2262 made by MediaWiki via a proxy. Relying on the http_proxy environment
2263 variable is no longer supported.
2264 * The load.php entry point now enforces the existing policy of not allowing
2265 access to session data, which includes the session user and the session
2266 user's language. If such access is attempted, an exception will be thrown.
2267 * The number of internal PBKDF2 iterations used to derive the session secret
2268 is configurable via $wgSessionPbkdf2Iterations.
2269 * Upload dialog's file upload log comment can now be configured separately for
2270 local and foreign uploads.
2271 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
2272 signifies local uploads. A value of `[]` (empty array) now means that
2273 no upload targets are allowed, effectively disabling the upload dialog.
2274 * The deprecated $wgEditEncoding variable has been removed; it was only used
2275 for Esperanto language character conversion. You are now recommended to use
2276 input methods provided by the UniversalLanguageSelector extension.
2277 * When $wgPingback is true, MediaWiki will periodically ping
2278 https://www.mediawiki.org/beacon with basic information about the local
2279 MediaWiki installation. This data includes, for example, the type of system,
2280 PHP version, and chosen database backend. This behavior is off by default.
2281 * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
2282 to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
2283 if false, the default, they will be "Save page"/"Save changes".
2284 * The 'editcontentmodel' permission is now granted to all logged-in users
2285 ('user').
2286 instead of just administrators ('sysop'). Documentation for this feature is
2287 available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
2288 * $wgRevisionCacheExpiry is now set to one week by default instead of being
2289 disabled.
2290 * Magic links are now disabled by default, and can be re-enabled by modifying
2291 the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are
2292 manually enabled, a tracking category will be added to help identify usage and
2293 make it easier to migrate away from. If you depend upon magic link
2294 functionality, it is requested that you comment on
2295 <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links>
2296 and explain your use case(s).
2297 * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
2298 in upcoming Content-Security-Policy feature's reporting.
2299
2300 === New features in 1.28 ===
2301 * User::isBot() method for checking if an account is a bot role account.
2302 * Added a new 'slideshow' mode for galleries.
2303 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
2304 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
2305 interact with API parsing.
2306 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
2307 upload. Unlike 'UploadVerifyFile' it provides information about upload comment
2308 and the file description page, but does not run for uploads to stash.
2309 * (T141604) Extensions can now provide a better error message when their
2310 maintenance scripts are run without the extension being installed.
2311 * (T8948) Numeric sorting in categories is now supported by setting
2312 $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you
2313 can't use UCA collations, a 'numeric' collation is also available. If
2314 migrating from another collation, you will need to run the updateCollation.php
2315 maintenance script.
2316 * Two new codes have been added to #time parser function: "xit" for days in
2317 current month, and "xiz" for days passed in the year, both in Iranian
2318 calendar.
2319 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
2320 appropriate for sending multi-valued parameters. This defaults to true when
2321 the mw.Api instance seems to be for the local wiki.
2322 * After a client performs an action which alters a database that has replica
2323 databases, MediaWiki will wait for the replica databases to synchronize with
2324 the master database while it renders the HTML output. However, if the output
2325 is a redirect to another wiki on the wiki farm with a different domain,
2326 MediaWiki will instead alter the redirect URL to include a ?cpPosTime
2327 parameter that triggers the database synchronization when the URL is followed
2328 by the client. The same-domain case uses a new cpPosTime cookie.
2329 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
2330 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
2331 'show' parameters to existing API query modules.
2332
2333 === External library changes in 1.28 ===
2334
2335 ==== Upgraded external libraries ====
2336 * Updated es5-shim from v4.1.5 to v4.5.8
2337 * Updated composer/semver from v1.4.1 to v1.4.2
2338 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
2339
2340 ==== New external libraries ====
2341 * Added wikimedia/scoped-callback v1.0.0
2342 * Added wikimedia/wait-condition-loop v1.0.1
2343
2344 === Bug fixes in 1.28 ===
2345 * (T146496) action=history pages should return 404 HTTP error code if the page
2346 does not exist
2347 * (T137264) SECURITY: XSS in unclosed internal links
2348 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
2349 * (T133147) SECURITY: Require login to preview user CSS pages
2350 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
2351 the top file
2352 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
2353 permissions
2354 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
2355 * (T139670) Move 'UserGetRights' call before application of
2356 Session::getAllowedUserRights()
2357
2358 === Action API changes in 1.28 ===
2359 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
2360 the value of $wgMaxArticleSize.
2361 * Property 'modulemessages' from action=parse&prop=modules was removed
2362 (deprecated since 1.26).
2363 * The following response properties from action=login, deprecated in 1.27, are
2364 now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
2365 to properly manage session state.
2366 * Submitting the lgtoken and lgpassword parameters in the query string to
2367 action=login is now deprecated and outputs a warning. They should be submitted
2368 in the POST body instead.
2369 * Submitting sensitive authentication request parameters to action=clientlogin,
2370 action=createaccount, action=linkaccount, and action=changeauthenticationdata
2371 in the query string is now deprecated and outputs a warning. They should be
2372 submitted in the POST body instead.
2373 * (T141960) Multi-valued parameters may now be separated using U+001F
2374 (Unit Separator) instead of the pipe character. This will be useful if some of
2375 the multiple values need to contain pipes, e.g. for action=options.
2376 * The API will now warn if input is not NFC-normalized Unicode or if it
2377 contains invalid characters.
2378 * The 'normalized' list output by action=query and other modules that use
2379 ApiPageSet may contain entries where the 'from' value is percent-encoded as
2380 the raw value cannot be represented in a valid API response. These are
2381 indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
2382 * (T28680) action=paraminfo can now return info about all submodules of a
2383 module without listing them all explicitly.
2384 * (T146770) It is now possible to assert that the current user is a specific
2385 named user, using the 'assertuser' parameter.
2386 * (T141963) Added a 'known' property when missing-but-known titles (e.g. from
2387 the 'TitleIsAlwaysKnown' hook) are output in various modules.
2388
2389 === Action API internal changes in 1.28 ===
2390 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
2391 interact with ApiParse and ApiExpandTemplates.
2392 * (T139565) SECURITY: API: Generate head items in the context of the given title
2393 * (T115333) SECURITY: Check read permission when loading page content in
2394 ApiParse
2395 * ApiBase::getResultData() was removed (deprecated since 1.25)
2396 * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
2397 * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
2398 * ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
2399 * ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
2400 * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
2401 * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
2402 * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
2403 * ApiFormatBase::setHelp() was removed (deprecated since 1.25)
2404 * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
2405 * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
2406 * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
2407 * ApiMain::setHelp() was removed (deprecated since 1.25)
2408 * ApiResult::beginContinuation() was removed (deprecated since 1.25)
2409 * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
2410 * ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
2411 * ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
2412 * ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
2413 * ApiResult::endContinuation() was removed (deprecated since 1.25)
2414 * ApiResult::getData() was removed (deprecated since 1.25)
2415 * ApiResult::getIsRawMode() was removed (deprecated since 1.25)
2416 * ApiResult::setContent() was removed (deprecated since 1.25)
2417 * ApiResult::setContinueParam() was removed (deprecated since 1.25)
2418 * ApiResult::setElement() was removed (deprecated since 1.25)
2419 * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
2420 * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
2421 * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
2422 * ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
2423 * ApiResult::setParsedLimit() was removed (deprecated since 1.25)
2424 * ApiResult::setRawMode() was removed (deprecated since 1.25)
2425 * ApiResult::size() was removed (deprecated since 1.25)
2426 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
2427 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
2428 'show' parameters to existing API query modules. A query module can enable
2429 these hooks by passing an array for $hookData to ApiQueryBase::select() and
2430 by calling ApiQueryBase->processRow() before adding a row's data to the
2431 result.
2432
2433 === Languages updated in 1.28 ===
2434
2435 MediaWiki supports over 375 languages. Many localisations are updated
2436 regularly. Below only new and removed languages are listed, as well as
2437 changes to languages because of Phabricator reports.
2438
2439 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
2440 BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
2441 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
2442 Saiddzone Saimawnkham, Saosukham, and Sengwan.
2443 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
2444 * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator
2445 Ilja.mos.
2446
2447 === Other changes in 1.28 ===
2448 * (T128697) Improved handling of large diffs.
2449 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
2450 use or update a custom session provider if needed.
2451 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
2452 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
2453 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
2454 * The 'UserLoginComplete' hook has a new parameter to differentiate between
2455 actual login and visiting the login page while already logged in.
2456 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
2457 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
2458 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
2459 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
2460 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
2461 MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
2462 were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
2463 respectively. See docs/hooks.txt for the specific changes needed for those
2464 hooks.
2465 * Linker::formatSize() was deprecated. Use Language::formatSize() directly.
2466 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
2467 * Skin::commentBlock() (use Linker::commentBlock() instead)
2468 * Skin::generateRollback() (use Linker::generateRollback() instead)
2469 * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
2470 * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
2471 * Skin::userLink() (use Linker::userLink() instead)
2472 * Skin::userToolLinks() (use Linker::userToolLinks() instead)
2473 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
2474 disabled.
2475 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
2476 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
2477 Use ...->stashFile()->getFileKey() instead.
2478 * "Public domain" was removed as a wiki license option from the installer, in
2479 favour of CC-0.
2480 * AuthenticationRequest::$required is now changed from REQUIRED to
2481 PRIMARY_REQUIRED on requests needed by primary providers even if all primaries
2482 need them.
2483 Primary providers are discouraged from returning multiple REQUIRED requests.
2484 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
2485 will no longer be automatically infused. You should call `OO.ui.infuse()`
2486 on them yourself from your JavaScript code.
2487 * parserTests.php has moved to tests/parser/parserTests.php
2488 * The command line options specific to parser tests have been removed from
2489 phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
2490 Instead of --keep-uploads, use the same option to parserTests.php, but you
2491 must specify a directory with --upload-dir.
2492 * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
2493 * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
2494 migrate to using the same functions on a ProxyLookup instance, obtainable from
2495 MediaWikiServices.
2496 * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave,
2497 ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText,
2498 EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation
2499 warnings if used.
2500 * (T68404) CSS3 attr() function with url type is no longer allowed
2501 in inline styles.
2502 * Database::getSearchEngine() is deprecated, use
2503 SearchEngineFactory::getSearchEngineClass instead.
2504
2505 == Compatibility ==
2506
2507 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
2508 HHVM 3.6.5 or later.
2509
2510 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
2511 support for them is somewhat less mature. There is experimental support for
2512 Oracle and Microsoft SQL Server.
2513
2514 The supported versions are:
2515
2516 * MySQL 5.0.3 or later
2517 * PostgreSQL 8.3 or later
2518 * SQLite 3.3.7 or later
2519 * Oracle 9.0.1 or later
2520 * Microsoft SQL Server 2005 (9.00.1399)
2521
2522 == Upgrading ==
2523
2524 1.28 has several database changes since 1.27, and will not work without schema
2525 updates. Note that due to changes to some very large tables like the revision
2526 table, the schema update may take quite long (minutes on a medium sized site,
2527 many hours on a large site).
2528
2529 If upgrading from before 1.11, and you are using a wiki as a commons
2530 repository, make sure that it is updated as well. Otherwise, errors may arise
2531 due to database schema changes.
2532
2533 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
2534 new database fields are filled with data.
2535
2536 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
2537 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
2538 with MediaWiki 1.21.
2539
2540 Don't forget to always back up your database before upgrading!
2541
2542 See the file UPGRADE for more detailed upgrade instructions.
2543
2544 For notes on 1.27.x and older releases, see HISTORY.
2545
2546 == Online documentation ==
2547
2548 Documentation for both end-users and site administrators is available on
2549 MediaWiki.org, and is covered under the GNU Free Documentation License (except
2550 for pages that explicitly state that their contents are in the public domain):
2551
2552 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
2553
2554 == Mailing list ==
2555
2556 A mailing list is available for MediaWiki user support and discussion:
2557
2558 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
2559
2560 A low-traffic announcements-only list is also available:
2561
2562 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
2563
2564 It's highly recommended that you sign up for one of these lists if you're
2565 going to run a public MediaWiki, so you can be notified of security fixes.
2566
2567 == IRC help ==
2568
2569 There's usually someone online in #mediawiki on irc.freenode.net.
2570
2571 = MediaWiki 1.27 =
2572
2573 == MediaWiki 1.27.6 ==
2574
2575 This is a security and maintenance release of the MediaWiki 1.27 branch.
2576
2577 === Changes since MediaWiki 1.27.6 ===
2578 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
2579 all titles when asked for none.
2580 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
2581 libraries.
2582 * (T207241) Augment precision of updatelist time.
2583 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
2584 * (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
2585 * (T207603) SECURITY: User JS may no longer be loaded with mime type
2586 text/javascript if there is no account associated with the username.
2587 * (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME
2588 type if non-admins can edit the page.
2589 * (T207541) Pass email address to mail().
2590 * (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
2591 * (T213359) Update mediawiki/mediawiki-codesniffer to 0.8.1.
2592 * (T208871) The hard-coded Google search form on the database error page was
2593 removed.
2594 * (T216968) Return pageid as int in both list=iwbacklinks and
2595 list=langbacklinks.
2596 * (T218608) Fix an issue that prevents Extension:OAuth working when
2597 $wgBlockDisablesLogin is true.
2598 * (T219728) Added support for new Japanese era name "Reiwa".
2599 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf
2600 token.
2601 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
2602 reauthenticating.
2603 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
2604 getLoginSecurityLevel() returns non-false.
2605 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
2606 * (T208881) SECURITY: blacklist CSS var().
2607 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
2608 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
2609 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
2610 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
2611 view the log type.
2612 * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.
2613
2614 == MediaWiki 1.27.5 ==
2615
2616 This is a security and maintenance release of the MediaWiki 1.27 branch.
2617
2618 === Changes since 1.27.4 ===
2619 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
2620 'newbie'.
2621 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
2622 account lock.
2623 * Upgraded Moment.js from v2.8.4 to v2.19.3.
2624 * (T160298) Fixed Special:ActiveUsers due to bad backport.
2625 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
2626 array.
2627 * Updated list of SPDX licenses for extensions.
2628 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
2629 include extensions. Pass --with-extensions to enable that feature.
2630 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
2631 * Add default edit rate limit of 90 edits/minute for all users.
2632 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
2633 * (T196672) The mtime of extension.json files is now able to be zero.
2634 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
2635 hook.
2636 * (T180403) Validate $length in padleft/padright parser functions.
2637 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
2638 * Special:BotPasswords now requires reauthentication.
2639 * (T191608, T187638) Add 'logid' parameter to Special:Log.
2640 * (T193829) Indicate when a Bot Password needs reset.
2641 * (T151415) Log email changes.
2642 * (T118420) Unbreak Oracle installer.
2643
2644 == MediaWiki 1.27.4 ==
2645 This is a security and maintenance release of the MediaWiki 1.27 branch.
2646
2647 === Changes since 1.27.3 ===
2648 * (T100085) Better handling of jobs execution in post-connection shutdown.
2649 * (T141604) Support conditionally registered namespaces.
2650 * (T167798) Fix highlighting for phrase queries and phrase search.
2651 * (T151136) Provide credits information to callbacks.
2652 * (T160462) Allow namespaces defined in extension.json to be overwritten
2653 locally.
2654 * (T168856) Allow SVGs created by Dia to be uploaded.
2655 * (T144705) (T148662) Password reset link is no longer shown when no reset
2656 options are available.
2657 * (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
2658 * (T66795) $wgUserEmailUseReplyTo is now true by default to work around
2659 restrictive DMARC policies.
2660 * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and
2661 core.
2662 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
2663 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
2664 * (T142304) Allow putting the app ID in the password for bot passwords.
2665 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
2666 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
2667 browser sends non-standard url escaping.
2668 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
2669 * (T128209) SECURITY: Reflected File Download from api.php.
2670 * (T134100) SECURITY: Do not reveal if user exists during login failure.
2671 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
2672 * (T125163) SECURITY: Make anchor for headlines escape > and <.
2673 * (T180237) SECURITY: Protect vendor folder with .htaccess.
2674 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
2675 update.php.
2676 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
2677 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
2678
2679 == MediaWiki 1.27.3 ==
2680 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
2681 included in the tarball version of MediaWiki 1.27.2. The version included had a
2682 serious security issue in it (T158689). There was also some minor code fixes in
2683 MediaWiki itself since 1.27.2, but none of them were security relevant.
2684
2685 === Changes since 1.27.2 ===
2686 * (T145664) Fix broken wincache merge() implementation
2687 * (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility
2688 * (T153505) Fix php warnings on php 7.1 due to use of &$this
2689
2690 == MediaWiki 1.27.2 ==
2691 This is a security and maintenance release of the MediaWiki 1.27 branch.
2692
2693 ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
2694 deprecated (rather than already removed) in the RELEASE-NOTES at the point
2695 1.27.0 was released.
2696
2697 === Changes since 1.27.1 ===
2698
2699 * (T68404) CSS3 attr() function with url type argument is no longer allowed
2700 in inline styles.
2701 * $wgRunJobsAsync is now false by default (T142751). This change only affects
2702 wikis with $wgJobRunRate > 0.
2703 * (T152717) Better escaping for PHP mail() command
2704 * Submitting the lgtoken and lgpassword parameters in the query string to
2705 action=login is now deprecated and outputs a warning. They should be submitted
2706 in the POST body instead.
2707 * Submitting sensitive authentication request parameters to action=clientlogin,
2708 action=createaccount, action=linkaccount, and action=changeauthenticationdata
2709 in the query string is now deprecated and outputs a warning. They should be
2710 submitted in the POST body instead.
2711 * (T158766) Avoid SQL error on MSSQL when using selectRowCount()
2712 * (T145635) Fix too long index error when installing with MSSQL.
2713 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
2714 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
2715 installed.
2716 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
2717 redirect to interwiki links.
2718 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
2719 $wgAdvancedSearchHighlighting is true.
2720 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
2721 their values out of the logs.
2722 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
2723 CSRF token.
2724 * (T156184) SECURITY: Escape content model/format url parameter in message.
2725 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
2726 declaration.
2727 * (T161453) SECURITY: LocalisationCache will no longer use the temporary
2728 directory in it's fallback chain when trying to work out where to write the
2729 cache.
2730 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
2731 inclusion syntax's link parameter.
2732 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected
2733 against it.
2734
2735 == MediaWiki 1.27.1 ==
2736
2737 This is a maintenance release of the MediaWiki 1.27 branch.
2738
2739 === Changes since 1.27.0 ===
2740 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
2741 made by MediaWiki via a proxy. Relying on the http_proxy environment
2742 variable is no longer supported.
2743 * (T139565) SECURITY: API: Generate head items in the context of the given title
2744 * (T137264) SECURITY: XSS in unclosed internal links
2745 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
2746 * (T133147) SECURITY: Require login to preview user CSS pages
2747 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
2748 the top file
2749 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
2750 permissions
2751 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
2752 * (T115333) SECURITY: Check read permission when loading page content in
2753 ApiParse
2754 * (T57548) Remove support for $wgWellFormedXml = false, all output is now well
2755 formed
2756 * (T139670) Move 'UserGetRights' call before application of
2757 Session::getAllowedUserRights()
2758
2759 == MediaWiki 1.27.0 ==
2760
2761 === PHP version requirement in 1.27 ===
2762 As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
2763 section). Additionally, the following PHP extensions are required:
2764 * ctype
2765 * iconv
2766 * json
2767 * mbstring (new requirement in 1.27)
2768 * xml
2769 The following PHP extensions are strongly recommended:
2770 * openssl
2771
2772 === Configuration changes in 1.27 ===
2773 * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
2774 now always enabled. If you use RDFa on your wiki, you now have to explicitly
2775 set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
2776 * $wgUseLinkNamespaceDBFields was removed.
2777 * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
2778 $wgResourceLoaderMinifierMaxLineLength, because there was little value in
2779 making the behavior configurable. The default values (`false` for the former,
2780 1000 for the latter) are now hard-coded.
2781 * $wgDebugDumpSqlLength was removed (deprecated in 1.24).
2782 * $wgDebugDBTransactions was removed (deprecated in 1.20).
2783 * $wgUseXVO has been removed, as it provides functionality only used by
2784 custom Wikimedia patches against Squid 2.x that probably noone uses in
2785 production anymore. There is now $wgUseKeyHeader that provides similar
2786 functionality but instead of the MediaWiki-specific X-Vary-Options header,
2787 uses the draft Key header standard.
2788 * $wgScriptExtension (and support for '.php5' entry points) was removed. See the
2789 deprecation notice in the release notes for version 1.25 for advice on how to
2790 preserve support for '.php5' entry points via URL rewriting.
2791 * Password handling via the User object has been deprecated and partially
2792 removed, pending the future introduction of AuthManager. In particular:
2793 ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
2794 getPasswordExpired() have been removed. They were unused outside of core.
2795 ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
2796 now private and will be removed in the future.
2797 ** The getPassword() and getTemporaryPassword() methods now throw
2798 BadMethodCallException and will be removed in the future.
2799 ** The ability to pass 'password' and 'newpassword' to createNew() has been
2800 removed. The only users of it seem to have been using it to set invalid
2801 passwords, and so shouldn't be greatly affected.
2802 ** setPassword(), setInternalPassword(), and setNewpassword() have been
2803 deprecated, pending the introduction of AuthManager.
2804 ** User::randomPassword() is deprecated in favor of a new method
2805 PasswordFactory::generateRandomPasswordString()
2806 ** User::getPasswordFactory() is deprecated, callers should just create a
2807 PasswordFactory themselves.
2808 ** A new constructor, User::newSystemUser(), has been added to simplify the
2809 creation of passwordless "system" users for logged actions.
2810 * $wgMaxSquidPurgeTitles was removed.
2811 * $wgAjaxWatch was removed. This is now enabled by default.
2812 * $wgUseInstantCommons now hotlinks Commons images by default instead of
2813 downloading originals and thumbnailing them locally. This allows wikis to save
2814 on CPU and bandwidth while reducing time to first byte for pages, even without
2815 a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
2816 * (T27397) WebP is enabled by default as an uploadable filetype.
2817 * (T48998) $wgArticlePath must now be either a full url, or start with a "/".
2818 * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
2819 * Deprecated API formats dbg, txt, and yaml have been removed.
2820 * CLDRPluralRule* classes have been replaced with
2821 wikimedia/cldr-plural-rule-parser.
2822 * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
2823 $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
2824 $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
2825 * For proper operation of LocalIdLookup with shared user tables, ensure that
2826 $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
2827 that all others are sharing from and that $wgLocalDatabases is set to the
2828 full list of sharing wikis on all those wikis.
2829 * Massive overhaul to session handling:
2830 ** $wgSessionsInObjectCache is no longer supported and must be true, due to
2831 MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
2832 used.
2833 ** ObjectCacheSessionHandler is removed, replaced with
2834 MediaWiki\Session\PhpSessionHandler.
2835 ** PHP session handling in general ($_SESSION, session_id(), and so on) is
2836 deprecated. Use MediaWiki\Session\SessionManager instead. A new config
2837 variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
2838 issue a deprecation warning or to cause most PHP session handling to throw
2839 exceptions.
2840 ** Deprecated UserSetCookies hook. Session-handling extensions should generally
2841 be creating a custom subclass of CookieSessionProvider. Other extensions
2842 messing with cookies can no longer count on user data being saved in cookies
2843 versus other methods.
2844 ** Deprecated UserLoadFromSession hook, extensions should create a
2845 MediaWiki\Session\SessionProvider.
2846 ** The User cannot be loaded from session until after Setup.php completes.
2847 Attempts to do so will be ignored and the User will remain unloaded.
2848 ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
2849 the MediaWiki\Session\Token class.
2850 * MediaWiki will now auto-create users as necessary, removing the need for
2851 extensions to do so. An 'autocreateaccount' right is added to allow
2852 auto-creation when 'createaccount' is not granted to all users.
2853 * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
2854 * Most cookie-handling methods in User are deprecated.
2855 * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
2856 experimental feature that has never worked.
2857 * Login and createaccount tokens now vary by timestamp.
2858 * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
2859 return a MediaWiki\Session\Token, and tokens must be checked using that
2860 class's methods.
2861 * $wgEnotifUseJobQ was removed and the job queue is always used.
2862 * The functionality of the ApiSandbox extension has been merged into core. The
2863 extension should no longer be used.
2864 * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
2865 Extensions, skins, gadgets and scripts that use the mediawiki.util module must
2866 express a dependency on it.
2867 * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
2868 Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
2869 module should express a dependency on it.
2870 * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
2871 $wgFooterIcons['copyright']['copyright'] instead.
2872 * If the openssl and mcrypt PHP extensions are both unavailable, secure
2873 session storage (used for login) will raise an exception. This exception may
2874 be bypassed by setting $wgSessionInsecureSecrets = true.
2875 * Massive overhaul to authentication:
2876 ** AuthPlugin and AuthPluginUser are deprecated.
2877 ** LoginForm and associated templates are deprecated. Extensions which called
2878 static LoginForm methods should be converted into authentication providers.
2879 ** The following hooks are deprecated:
2880 *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2881 *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2882 *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
2883 *** AddNewAccount (use LocalUserCreated instead)
2884 *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider
2885 instead)
2886 *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
2887 *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider
2888 instead)
2889 *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type
2890 instead)
2891 *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type
2892 instead)
2893 ** The following hooks are removed:
2894 *** AbortChangePassword
2895 *** LoginPasswordResetMessage
2896 *** PrefsPasswordAudit
2897 ** The UserLoginComplete hook will no longer be called for all logins, only for
2898 those via the web UI. Use UserLoggedIn if you need to do something on all
2899 logins.
2900 ** $wgRequirePasswordforEmailChange is removed.
2901
2902 === New features in 1.27 ===
2903 * $wgDataCenterUpdateStickTTL was also added. This decides how long a user
2904 sticks to the primary DC (via cookies) after they make changes to the site.
2905 * Added a new hook, 'UserMailerTransformContent', to transform the contents
2906 of an email. This is similar to the EmailUser hook but applies to all mail
2907 sent via UserMailer.
2908 * Added a new hook, 'UserMailerTransformMessage', to transform the contents
2909 of an emai after MIME encoding.
2910 * Added a new hook, 'UserMailerSplitTo', to control which users have to be
2911 emailed separately (ie. there is a single address in the To: field) so
2912 user-specific changes to the email can be applied safely.
2913 * $wgCdnMaxageLagged was added, which limits the CDN cache TTL
2914 when any load balancer uses a DB that is lagged beyond the 'max lag'
2915 setting in the relevant section of $wgLBFactoryConf.
2916 * User::newSystemUser() may be used to simplify the creation of passwordless
2917 "system" users for logged actions from scripts and extensions.
2918 * Extensions can now return detailed error information via the API when
2919 preventing user actions using 'getUserPermissionsErrors' and similar hooks
2920 by using ApiMessage instances instead of strings for the $result value.
2921 * $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
2922 becomes too high.
2923 * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
2924 and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
2925 cross-browser-compatible FlexBox rules. Users will still need to add fallback
2926 float rules or the like for compatibility with IE9- separately.
2927 * Added MWTimestamp::getTimezoneString() which returns the localized timezone
2928 string, if available. To localize this string, see the comments of
2929 $wgLocaltimezone in includes/DefaultSettings.php.
2930 * Added CentralIdLookup, a service that allows extensions needing a concept of
2931 "central" users to get that without having to know about specific central
2932 authentication extensions.
2933 * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
2934 Regular web request transactions that takes longer than this are aborted.
2935 * Added a new hook, 'TitleMoveCompleting', which runs before a page move is
2936 committed.
2937 * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
2938 from CDN to mitigate DB replication lag and WAN cache purge lag.
2939 * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
2940 if it is available.
2941 * It is now possible to patrol file uploads (both for new files and new versions
2942 of existing files). Special:NewFiles has gained an option to filter by patrol
2943 status. This functionality can be disabled using $wgUseFilePatrol.
2944 * MediaWiki\Session infrastructure allows for easier use of session mechanisms
2945 other than the usual cookies.
2946 ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
2947 custom session metadata.
2948 * Added MWGrants and associated configuration settings $wgGrantPermissions and
2949 $wgGrantPermissionGroups to hold configuration for authentication features
2950 such as OAuth that want to allow restricting the user rights a user may make
2951 use of.
2952 ** If you're already using the OAuth extension, these new variables are
2953 identical to (and will replace) $wgMWOAuthGrantPermissions and
2954 $wgMWOAuthGrantPermissionGroups.
2955 * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
2956 to assert that the request comes from a particular IP range.
2957 * Added bot passwords, a rights-restricted login mechanism for API-using bots.
2958 * Whitelisted the following HTML attributes for all elements in wikitext:
2959 aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
2960 * Removed "presentation" restriction on the HTML role attribute in wikitext.
2961 All values are now allowed for the role attribute.
2962 * $wgContentHandlers now also supports callbacks to create an instance of the
2963 appropriate ContentHandler subclass.
2964 * Added $wgAuthenticationTokenVersion, which if non-null prevents the
2965 user_token database field from being exposed in cookies. Setting this would
2966 be a good idea, but will log out all current sessions.
2967 * $wgEventRelayerConfig was added, for managing PubSub event relay
2968 configuration, specifically for reliable CDN url purges.
2969 * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
2970 MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
2971 generated 24-character string. This request ID is used to annotate log records
2972 and error messages. It is available client-side via
2973 mw.config.get( 'wgRequestId' ).
2974 The request ID supplants exception IDs. Accordingly,
2975 MWExceptionHandler::getLogId() is deprecated.
2976 * (T33313) Add a preference for watching uploads by default, also applies
2977 to API-based upload tools.
2978 * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
2979 thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
2980 savings versus the previous behavior on many files.
2981 * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
2982 configuration of multiple authentication pieces that was possible with
2983 AuthPlugin. For example, it's now easy to plug in second-factor
2984 authentication, or add additional checks to the login process, or to support
2985 multiple login methods at once, or to support non-password-based login
2986 methods.
2987 ** Providers are configured via the global setting $wgAuthManagerConfig.
2988 ** A global, $wgDisableAuthManager, is temporarily available to disable
2989 AuthManager until extensions are ready to support it.
2990 ** New hook, AuthChangeFormFields, to adjust the form fields on
2991 AuthManager-related special pages.
2992 ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
2993 AuthManager-related authentication requests.
2994 ** New hook, ChangeAuthenticationDataAudit, for additional logging of
2995 AuthManager-related authentication data changes.
2996 ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
2997 for requiring a recent login before taking security-sensitive operations
2998 like changing a password.
2999 ** Two new globals, $wgChangeCredentialsBlacklist and
3000 $wgRemoveCredentialsBlacklist can be used to prevent the web UI and the API
3001 changing certain authentication data.
3002 * The file upload dialog (available if you install WikiEditor or VisualEditor)
3003 can now be configured using $wgUploadDialog.
3004
3005 === External library changes in 1.27 ===
3006
3007 ==== Upgraded external libraries ====
3008 * Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
3009 * Updated composer/semver from v1.0.0 to v1.2.0.
3010 * Updated liuggio/statsd-php-client to 1.0.18.
3011 * Updated QUnit from v1.18.0 to v1.22.0.
3012
3013 ==== New external libraries ====
3014 * Added wikimedia/base-convert v1.0.1.
3015 * Added wikimedia/cldr-plural-rule-parser v1.0.0.
3016 * Added wikimedia/relpath v1.0.3.
3017 * Added wikimedia/running-stat v1.1.0.
3018 * Added wikimedia/php-session-serializer v1.0.3.
3019
3020 ==== Removed and replaced external libraries ====
3021
3022 === Bug fixes in 1.27 ===
3023 * Special:Upload will now display correct maximum allowed file size when running
3024 under HHVM (T116347).
3025 * (T54077) The APIEditBeforeSave hook will once again give only the content of
3026 the section being edited, rather than the whole revision. This reverts the
3027 change made in MediaWiki 1.22.
3028
3029 === Action API changes in 1.27 ===
3030 * Added list=allrevisions.
3031 * generator=recentchanges now has the option to generate revids.
3032 * ApiPageSet::setRedirectMergePolicy() was added. This allows generator
3033 modules to define how generator data for a redirect source gets merged
3034 into the redirect destination.
3035 * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
3036 "was-deleted" warning.
3037 * Added difftotextpst to query=revisions which preforms a pre-save transform on
3038 the text before diffing it.
3039 * Deprecated formats dbg, txt, and yaml have been removed.
3040 * (T47988) The protect log event details now use new-style formatting.
3041 * The following response properties from action=login are deprecated, and may
3042 be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
3043 handle cookies to properly manage session state.
3044 * action=login transparently allows login using bot passwords. Clients should
3045 merely need to change the username and password used after setting up a bot
3046 password.
3047 * action=upload no longer understands statuskey, asyncdownload or leavemessage.
3048 * Several changes when $wgDisableAuthManager is false:
3049 ** action=login is deprecated for uses other than bot passwords.
3050 ** list=users can now indicate if a missing username is creatable.
3051 ** action=createaccount is changed in a non-backwards-compatible manner.
3052 ** Added action=query&meta=authmanagerinfo.
3053 ** Added action=clientlogin to be used to log into the main account instead of
3054 action=login.
3055 ** Added action=linkaccount.
3056 ** Added action=unlinkaccount.
3057 ** Added action=changeauthenticationdata.
3058 ** Added action=removeauthenticationdata.
3059 ** Added action=resetpassword.
3060
3061 === Action API internal changes in 1.27 ===
3062 * ApiQueryORM removed.
3063 * The following classes have been removed:
3064 ** ApiFormatDbg
3065 ** ApiFormatTxt
3066 ** ApiFormatYaml
3067 * ApiBase::addTokenProperties() was removed (deprecated since 1.24).
3068 * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
3069 * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
3070 * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated
3071 since 1.24).
3072 * ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
3073 * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated
3074 since 1.24).
3075 * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated
3076 since 1.24).
3077 * ApiBase::getResultProperties() was removed (deprecated since 1.24).
3078 * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
3079 * ApiBase::parseErrors() was removed (deprecated since 1.24).
3080 * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
3081 ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
3082 * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
3083 * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
3084 * ApiQuery::getGenerators() was removed (deprecated since 1.21).
3085 * ApiQuery::getModules() was removed (deprecated since 1.21).
3086 * ApiQuery::getModuleType() was removed (deprecated since 1.21).
3087 * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
3088 * ApiMain::getModules() was removed (deprecated since 1.21).
3089 * ApiBase::getVersion() was removed (deprecated since 1.21).
3090 * ApiMain::getShowVersions() was removed (deprecated in 1.21).
3091 * ApiMain::addModule() was removed (deprecated in 1.21).
3092 * ApiMain::addFormat() was removed (deprecated in 1.21).
3093 * ApiMain::getFormats() was removed (deprecated in 1.21).
3094 * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
3095 * ApiCreateAccount was removed.
3096
3097 === Languages updated in 1.27 ===
3098
3099 MediaWiki supports over 350 languages. Many localisations are updated
3100 regularly. Below only new and removed languages are listed, as well as
3101 changes to languages because of Phabricator reports.
3102
3103 * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
3104 * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
3105
3106 === Other changes in 1.27 ===
3107 * Added dependency injection (DI) infrastructure, see docs/injection.txt for
3108 details.
3109 It is planned to incrementally move MediaWiki code towards using DI, using the
3110 service locator (SL) pattern as a stepping stone.
3111 * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
3112 * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
3113 ignore the 2nd and 3rd arguments (formerly $id and $commit).
3114 * Removed "loaderScripts" option from ResourceLoaderFileModule class.
3115 * Removed ORM-like wrapper added in 1.20.
3116 * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
3117 (deprecated in 1.26).
3118 * WikiPage::doQuickEdit() was removed (deprecated since 1.21).
3119 * Removed SiteObject and SiteArray classes (deprecated in 1.21).
3120 * MessageBlobStore::getInstance() was removed (deprecated since 1.25).
3121 * (T84937) Free external links ("autolinked" urls) will now be terminated
3122 by &nbsp; and HTML entity encodings of &nbsp, <, and >.
3123 * (T36948) The default file revert message's timestamp is now in
3124 $wgLocaltimezone, instead of UTC.
3125 * The default name of the 'suppress' group page has been changed from
3126 'Project:Oversight' to 'Project:Suppress'.
3127 * DatabaseBase::resultObject() is now protected (use outside Database classes
3128 not necessary since 1.11).
3129 * Calling ResourceLoaderFileModule::readStyleFiles() without a
3130 ResourceLoaderContext instance is deprecated.
3131 * ResourceLoader::getLessCompiler() now takes an optional parameter of
3132 additional LESS variables to set for the compiler.
3133 * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
3134 instead.
3135 * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
3136 were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
3137 * Removed msg_resource_links database table and associated code.
3138 * Removed msg_resource database table and associated code.
3139 * Skin::getNamespaceNotice() was removed.
3140 * wfIsConfiguredProxy() was removed (deprecated since 1.24).
3141 * wfDebugTimer() was removed (deprecated since 1.25).
3142 * wfIsTrustedProxy() was removed (deprecated since 1.24).
3143 * wfGetIP() was removed (deprecated since 1.19).
3144 * MWHookException was removed.
3145 * OutputPage::appendSubtitle() was removed (deprecated since 1.19).
3146 * OutputPage::loginToUse() was removed (deprecated since 1.19).
3147 * Article::loadContent() was removed (deprecated since 1.19).
3148 * User::editToken() was removed (deprecated since 1.19).
3149 * Removed --force-normal option of dumpBackup.php, as it no longer served
3150 any useful purpose since 1.22.
3151 * The functions processOption() and processArgs() on the BackupDumper and
3152 TextPassDumper classes have been removed.
3153 * The maintenance/backupTextPass.inc file was deleted. You should include
3154 maintenance/dumpTextPass.php instead.
3155 * WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
3156 * wfEmptyMsg() was removed (deprecated since 1.18).
3157 * OutputPage::permissionRequired() was removed (deprecated since 1.18).
3158 * OutputPage::blockedPage() was removed (deprecated since 1.18).
3159 * User::getSkin() was removed (deprecated since 1.18).
3160 * OutputPage::includeJQuery() was removed (deprecated since 1.17).
3161 * WikiPage::updateRestrictions() was removed (deprecated since 1.19).
3162 * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
3163 * LogPage::logName() was removed (deprecated since 1.19).
3164 * LogPage::logHeader() was removed (deprecated since 1.19).
3165 * wfCheckLimits() was removed (deprecated since 1.24).
3166 * Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
3167 * Linker::makeLinkObj() was removed (deprecated since 1.16).
3168 * wfMsgForContentNoTrans() was removed (deprecated since 1.18).
3169 * ChangesList::usePatrol was removed (deprecated since 1.22).
3170 * wfMsgNoTrans() was removed (deprecated since 1.18).
3171 * Linker::makeImageLink2 was removed (deprecated since 1.20).
3172 * Title::userIsWatching() was removed (deprecated since 1.20).
3173 * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
3174 database function directly instead.
3175 * wfMsg() was removed (deprecated since 1.18).
3176 * wfMsgForContent() was removed (deprecated since 1.18).
3177 * wfMsgReal() was removed (deprecated since 1.18).
3178 * wfMsgGetKey() was removed (deprecated since 1.18).
3179 * wfMsgHtml() was removed (deprecated since 1.18).
3180 * wfMsgWikiHtml() was removed (deprecated since 1.18).
3181 * wfMsgExt() was removed (deprecated since 1.18).
3182 * Language::armourMath() was removed (deprecated since 1.22).
3183 * LanguageConverter::armourMath() was removed (deprecated since 1.22).
3184 * FakeConverter::armourMath() was removed (deprecated since 1.22).
3185 * The unused jquery.validate ResourceLoader module was removed.
3186 * FileRepo::getRootUrl() was removed (deprecated since 1.20).
3187 * User::generateToken() was removed (deprecated since 1.20).
3188 * WikiPage::getRawText() was removed (deprecated since 1.21).
3189 * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
3190 * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
3191 * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
3192 * Gallery images with multiple caption pipes no longer concatenate them all
3193 together but instead pick the final one, similar to image syntax.
3194 * XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
3195 rather than consume everything until the end of the page.
3196 * New maintenance script resetUserEmail.php allows sysadmins to reset user
3197 emails in case a user forgot password/account was stolen.
3198 * wfCheckEntropy() was removed (deprecated in 1.27).
3199 * Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
3200 * ContentHandler::supportsCategories method added. Default is true.
3201 CategoryMembershipChangeJob updates are skipped for content that
3202 does not support categories.
3203 * wikidiff difference engine is no longer supported, anyone still using it are
3204 encouraged to upgrade to wikidiff2 which is actively maintained and has better
3205 package availability.
3206 * Database logic was removed from WatchedItem and a WatchedItemStore was
3207 created:
3208 ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were
3209 deprecated. User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were
3210 introduced.
3211 ** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
3212 ** WatchedItem::resetNotificationTimestamp was deprecated.
3213 ** WatchedItem::batchAddWatch was deprecated.
3214 ** WatchedItem::addWatch was deprecated.
3215 ** WatchedItem::removeWatch was deprecated.
3216 ** WatchedItem::isWatched was deprecated.
3217 ** WatchedItem::duplicateEntries was deprecated.
3218 ** EmailNotification::updateWatchlistTimestamp was deprecated.
3219 ** User::getWatchedItem was removed.
3220 * Unit tests don't work with external PHPUnit anymore, Composer is now the only
3221 supported way. Run `composer install` to install it and other dev dependencies
3222 to run unit tests.
3223 * wl_id field added to the watchlist table.
3224 * Revision::getRawText() was removed (deprecated since 1.21).
3225 * WikiPage::replaceSection() was removed (deprecated since 1.21).
3226 * Article::replaceSection() was removed (deprecated since 1.21).
3227 * Language::getLangObj() was removed (deprecated since 1.24).
3228 * Language::getLanguageName() was removed (deprecated since 1.20).
3229 * Language::getLanguageNames() was removed (deprecated since 1.20).
3230 * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
3231 * Language::specialPage() was removed (deprecated since 1.24).
3232 * MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
3233 * OutputPage::getHeadItems() was removed (deprecated since 1.24).
3234 * OutputPage::getScript() was removed (deprecated since 1.24).
3235 * OutputPage::out() was removed (deprecated since 1.22).
3236 * OutputPage::setAllowedModules() was removed (deprecated since 1.24).
3237 * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
3238 * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
3239 * Title::newFromRedirect() was removed (deprecated since 1.21).
3240 * Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
3241 * Skin::getCommonStylePath() was removed (deprecated since 1.24).
3242 * Skin::newFromKey() was removed (deprecated since 1.24).
3243 * Skin::getUsableSkins() was removed (deprecated since 1.23).
3244 * LoadBalancer::pickRandom() was removed (deprecated in 1.21).
3245 * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated
3246 since 1.21).
3247 * DifferenceEngine::setText() was removed (deprecated in 1.21).
3248 * Title::newFromRedirectArray() was removed (deprecated in 1.21).
3249 * UserMailer::send() no longer accepts $replyto as the 5th argument and
3250 $contentType as the 6th. These must be passed in the options array now.
3251 * Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
3252 * Skin::accesskey was removed (deprecated since 1.21).
3253 * Skin::blockLink was removed (deprecated since 1.21).
3254 * Skin::buildRollbackLink was removed (deprecated since 1.21).
3255 * Skin::emailLink was removed (deprecated since 1.21).
3256 * Skin::formatComment was removed (deprecated since 1.21).
3257 * Skin::formatHiddenCategories was removed (deprecated since 1.21).
3258 * Skin::formatLinksInComment was removed (deprecated since 1.21).
3259 * Skin::formatRevisionSize was removed (deprecated since 1.21).
3260 * Skin::formatSize was removed (deprecated since 1.21).
3261 * Skin::formatTemplates was removed (deprecated since 1.21).
3262 * Skin::generateTOC was removed (deprecated since 1.21).
3263 * Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
3264 * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
3265 * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
3266 * Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
3267 * Skin::getLinkColour was removed (deprecated since 1.21).
3268 * Skin::getRevDeleteLink was removed (deprecated since 1.21).
3269 * Skin::getRollbackEditCount was removed (deprecated since 1.21).
3270 * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
3271 * Skin::makeCommentLink was removed (deprecated since 1.21).
3272 * Skin::makeExternalImage was removed (deprecated since 1.21).
3273 * Skin::makeExternalLink was removed (deprecated since 1.21).
3274 * Skin::makeHeadline was removed (deprecated since 1.21).
3275 * Skin::makeImageLink was removed (deprecated since 1.21).
3276 * Skin::makeMediaLinkFile was removed (deprecated since 1.21).
3277 * Skin::makeMediaLinkObj was removed (deprecated since 1.21).
3278 * Skin::makeSelfLinkObj was removed (deprecated since 1.21).
3279 * Skin::makeThumbLink2 was removed (deprecated since 1.21).
3280 * Skin::makeThumbLinkObj was removed (deprecated since 1.21).
3281 * Skin::normaliseSpecialPage was removed (deprecated since 1.21).
3282 * Skin::normalizeSubpageLink was removed (deprecated since 1.21).
3283 * Skin::processResponsiveImages was removed (deprecated since 1.21).
3284 * Skin::revComment was removed (deprecated since 1.21).
3285 * Skin::revDeleteLink was removed (deprecated since 1.21).
3286 * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
3287 * Skin::revUserLink was removed (deprecated since 1.21).
3288 * Skin::revUserTools was removed (deprecated since 1.21).
3289 * Skin::specialLink was removed (deprecated since 1.21).
3290 * Skin::splitTrail was removed (deprecated since 1.21).
3291 * Skin::titleAttrib was removed (deprecated since 1.21).
3292 * Skin::tocIndent was removed (deprecated since 1.21).
3293 * Skin::tocLine was removed (deprecated since 1.21).
3294 * Skin::tocLineEnd was removed (deprecated since 1.21).
3295 * Skin::tocList was removed (deprecated since 1.21).
3296 * Skin::tocUnindent was removed (deprecated since 1.21).
3297 * Skin::tooltip was removed (deprecated since 1.21).
3298 * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
3299 * Skin::userTalkLink was removed (deprecated since 1.21).
3300 * Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
3301 * wikidiff3 is now the default and only PHP diff engine. It provides improved
3302 diff performance on complex changes. $wgExternalDiffEngine = 'wikidiff3'
3303 therefore makes no difference now. Users are still recommended to use
3304 wikidiff2 if possible, though.
3305 * User::addNewUserLogEntry() was deprecated.
3306 * User::addNewUserLogEntryAutoCreate() was deprecated.
3307 * User::isPasswordReminderThrottled() was deprecated.
3308 * Bot-oriented parameters to Special:UserLogin (wpCookieCheck,
3309 wpSkipCookieCheck) were removed.
3310 * Installer can now be customized without patching MediaWiki code, see
3311 mw-config/overrides/README for details.
3312
3313 === Compatibility ===
3314
3315 MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
3316 HHVM 3.6.5 or later.
3317
3318 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
3319 support for them is somewhat less mature. There is experimental support for
3320 Oracle and Microsoft SQL Server.
3321
3322 The supported versions are:
3323
3324 * MySQL 5.0.3 or later
3325 * PostgreSQL 8.3 or later
3326 * SQLite 3.3.7 or later
3327 * Oracle 9.0.1 or later
3328 * Microsoft SQL Server 2005 (9.00.1399)
3329
3330 === Upgrading ===
3331
3332 1.27 has several database changes since 1.26, and will not work without schema
3333 updates. Note that due to changes to some very large tables like the revision
3334 table, the schema update may take quite long (minutes on a medium sized site,
3335 many hours on a large site).
3336
3337 If upgrading from before 1.11, and you are using a wiki as a commons
3338 repository, make sure that it is updated as well. Otherwise, errors may arise
3339 due to database schema changes.
3340
3341 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
3342 new database fields are filled with data.
3343
3344 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
3345 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
3346 with MediaWiki 1.21.
3347
3348 Don't forget to always back up your database before upgrading!
3349
3350 See the file UPGRADE for more detailed upgrade instructions.
3351
3352 For notes on 1.26.x and older releases, see HISTORY.
3353
3354
3355 = MediaWiki 1.26 =
3356
3357 == MediaWiki 1.26.4 ==
3358
3359 This is a maintenance release of the MediaWiki 1.26 branch.
3360
3361 === Changes since 1.26.3 ===
3362 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
3363 made by MediaWiki via a proxy. Relying on the http_proxy environment
3364 variable is no longer supported.
3365 * (T124163) Fixed fatal error in DifferenceEngine under HHVM.
3366 * (T139565) SECURITY: API: Generate head items in the context of the given title
3367 * (T137264) SECURITY: XSS in unclosed internal links
3368 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
3369 * (T133147) SECURITY: Require login to preview user CSS pages
3370 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
3371 the top file
3372 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
3373 permissions
3374 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
3375 * (T115333) SECURITY: Check read permission when loading page content in
3376 ApiParse
3377 * Remove support for $wgWellFormedXml = false, all output is now well formed
3378
3379 == MediaWiki 1.26.3 ==
3380
3381 This is a maintenance release of the MediaWiki 1.26 branch.
3382
3383 === Changes since 1.26.2 ===
3384 * (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
3385 * (T123166) Fix fatal error when importing pages to titles which cannot be
3386 created, such as invalid titles or titles the user is not allowed to edit.
3387 * (T122056) Old tokens are remaining valid within a new session
3388 * (T127114) Login throttle can be tricked using non-canonicalized usernames
3389 * (T123653) Cross-domain policy regexp is too narrow
3390 * (T123071) Incorrectly identifying http link in a's href attributes, due to
3391 m modifier in regex
3392 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
3393 * (T125283) Users occasionally logged in as different users after
3394 SessionManager deployment
3395 * (T103239) Patrol allows click catching and patrolling of any page
3396 * (T122807) [tracking] Check php crypto primatives
3397 * (T98313) Graphs can leak tokens, leading to CSRF
3398 * (T130947) Diff generation should use PoolCounter
3399 * (T133507) Careless use of $wgExternalLinkTarget is insecure
3400 * (T132874) API action=move is not rate limited
3401 * (T110143) strip markers can be used to get around html attribute escaping in
3402 (many?) parser tags
3403 * (T116030) Increase pbkdf2 parameter strengths
3404 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
3405 * (T126685) Globally throttle password attempts
3406
3407 == MediaWiki 1.26.2 ==
3408
3409 This is a maintenance release of the MediaWiki 1.26 branch.
3410
3411 === Changes since 1.26.1 ===
3412 * (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
3413
3414 == MediaWiki 1.26.1 ==
3415
3416 This is a maintenance release of the MediaWiki 1.26 branch.
3417
3418 === Changes since 1.26.0 ===
3419 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3420 that do not begin with a slash. This enabled trivial XSS attacks.
3421 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3422 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3423 error.
3424 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3425 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3426 with '@' as file uploads
3427 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3428 longer be shorter than $wgMinimalPasswordLength
3429 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3430 result in improper blocks being issued
3431 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3432 and related pages no longer use HTTP redirects and are now redirected by
3433 MediaWiki
3434 * Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
3435 * Fixed stray literal \n in Special:Search.
3436 * Fix issue that breaks HHVM Repo Authorative mode.
3437 * (T120267) Work around APCu memory corruption bug
3438
3439 == MediaWiki 1.26.0 ==
3440
3441 === Configuration changes in 1.26 ===
3442 * $wgPasswordResetRoutes['email'] = true by default.
3443 * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
3444 instead if you want to disable the parser cache.
3445 * New-style continuation is now the default for API action=continue. Clients may
3446 use the 'rawcontinue' parameter to receive raw query-continue data, but the
3447 new style is encouraged as it's harder to implement incorrectly.
3448 * Deprecated API formats dump and wddx have been completely removed.
3449 * (T7645) The "Signature" button on the edit toolbar is now hidden by default
3450 in non-talk namespaces. A new configuration variable,
3451 $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
3452 the "Signature" button on the edit toolbar will be displayed.
3453 * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
3454 feature that was never enabled by default.
3455 * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
3456 This experimental feature was never enabled by default and is obsolete as of
3457 MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
3458 * $wgMasterWaitTimeout was removed (deprecated in 1.24).
3459 * Fields in ParserOptions are now private. Use the accessors instead.
3460 * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
3461 in extension.json) have been removed, after being deprecated in 1.24.
3462 * $wgAlwaysUseTidy has been removed.
3463 * ResetSessionID hook has been removed. Nothing seems to use it.
3464 * Certain AuthPlugin methods are deprecated in favor of new hooks:
3465 ** AuthPlugin::initUser() is replaced by LocalUserCreated.
3466 ** AuthPlugin::updateUser() is replaced by UserLoggedIn.
3467 ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
3468 ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
3469 ** AuthPluginUser::isHidden() is replaced by UserIsHidden.
3470 ** AuthPluginUser::isLocked() is replaced by UserIsLocked.
3471 * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
3472 * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
3473 the passed User object.
3474 * $wgBlockAllowsUTEdit is now set to true by default. This allows
3475 blocked users to edit their talk pages unless explicitly disabled
3476 when they are being blocked.
3477
3478 === New features in 1.26 ===
3479 * (T51506) Now action=info gives estimates of actual watchers for a page.
3480 See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
3481 to learn how to configure if needed.
3482 * Change tags can now be hidden in the interface by disabling the associated
3483 "tag-<id>" interface message.
3484 * ':' (colon) is now invalid in usernames for new accounts. Existing accounts
3485 are not affected.
3486 * Added a new hook, 'LogException', to log exceptions in nonstandard ways.
3487 * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
3488 search results are rendered. The initial use case is to append a "give us
3489 feedback" link beneath the search results.
3490 * Added a new hook, 'RejectParserCacheValue', which allows extensions to
3491 reject an otherwise-successful parser cache lookup. The intent is to allow
3492 extensions to manage the eviction of archaic HTML output from the cache.
3493 * (T68699) The expiration of the UserID and Token login cookies
3494 ($wgExtendedLoginCookieExpiration) can be configured independently of the
3495 expiration of all other cookies ($wgCookieExpiration).
3496 * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
3497 if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
3498 of WebP images still disabled by default. Add $wgFileExtensions[] =
3499 'webp'; to LocalSettings.php to enable uploading of WebP images.
3500 * Added new hooks 'EnhancedChangesListModifyLineData' &
3501 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
3502 lines in enhanced recentchanges and watchlist.
3503 * Caches that need purging ability now use the WANObjectCache interface.
3504 This corresponds to a new $wgMainWANCache setting, which defaults to using
3505 the $wgMainCacheType settings.
3506 * Callers needing fast light-weight data stores use $wgMainStash to select
3507 the store type from $wgObjectCaches. The default is the local database.
3508 * Interface message overrides in the MediaWiki namespace will now be cached in
3509 memcached and APC (if available), rather than memcached and local files.
3510 * Added a new hook, 'RandomPageQuery', to allow modification of the query used
3511 by Special:Random to select random pages.
3512 * $wgTransactionalTimeLimit was added, which controls the request time limit
3513 for potentially slow POST requests that need to be as atomic as possible.
3514 * ResourceLoader now loads all scripts asynchronously. The top-queue and
3515 startup modules are no longer synchronously loaded.
3516 * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
3517 page. During the deprecation period, the styles will only be loaded on pages
3518 which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
3519 only be loaded if explicitly required.
3520 * If search returns zero results and current search engine has a "did you mean"
3521 suggestion, results for suggestion will be shown. Can be disabled by setting
3522 $wgSearchRunSuggestedQuery to false.
3523 * Added several JavaScript libraries for uploading files to MediaWiki
3524 from the client-side. See documentation for mw.Upload and its
3525 subclasses for more information.
3526 * Added OOUI dialogs and layout for file upload interfaces. See
3527 documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
3528 subclasses for more information.
3529
3530 === extension.json changes in 1.26 ===
3531 * (T99344) The extension.json schema is now versioned. All extensions
3532 and skins should set a "manifest_version" property corresponding to
3533 the schema version they were written for. The only supported version
3534 currently is "1".
3535 * (T102523) The error message if a non-array attribute is set was improved.
3536 * (T107646) Configuration settings can now specify how they should be merged,
3537 which is necessary for arrays using integer keys.
3538 * (T110389) Adding namespaces through extension.json now actually works
3539 * $wgNamespaceProtection can now be set in extension.json.
3540 * $wgCapitalLinkOverrides can now be set in extension.json.
3541 * (T97186) Extensions using a custom prefix for their configuration settings
3542 can now set a "_prefix" key to override the default of "wg".
3543 * (T99084) Extensions can now specify what MediaWiki core versions they
3544 depend upon.
3545 * (T105236) The extension.json schema now validates custom classes in
3546 the "ResourceModules" property properly.
3547
3548 === External library changes in 1.26 ===
3549 ==== Upgraded external libraries ====
3550 * Updated es5-shim from v4.0.0 to v4.1.5.
3551 * Updated json2 from revision 2014-02-04 to 2015-05-03.
3552 * Updated Sinon.JS from 1.10.3 to 1.15.4.
3553 * Updated jQuery Client from v1.0.0 to v2.0.0.
3554 * Updated QUnit from v1.17.1 to v1.18.0.
3555 * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
3556 * Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
3557 * Updated wikimedia/cdb from v1.0.1 to v1.3.0.
3558 * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
3559 * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
3560 * Updated zordius/lightncandy from v0.18 to v0.21.
3561
3562 ==== New external libraries ====
3563 * Added composer/semver v1.0.0.
3564 * Added mediawiki/at-ease v1.1.0.
3565 * Added wikimedia/assert v0.2.2.
3566 * Added wikimedia/ip-set v1.0.1.
3567 * Added wikimedia/wrappedstring v2.0.0.
3568
3569 ==== Removed and replaced external libraries ====
3570 * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
3571
3572 === Bug fixes in 1.26 ===
3573 * (T53283) load.php sometimes sends 304 response without full headers
3574 * (T65198) Talk page tabs now have a "rel=discussion" attribute
3575 * (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
3576 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
3577 value if set to an empty string.
3578
3579 === Action API changes in 1.26 ===
3580 * New-style continuation is now the default for action=continue. Clients may
3581 use the 'rawcontinue' parameter to receive raw query-continue data, but the
3582 new style is encouraged as it's harder to implement incorrectly.
3583 * Deprecated API formats dump and wddx have been completely removed.
3584 * API action=query&list=tags: The displayname can now be boolean false if the
3585 tag is meant to be hidden from user interfaces.
3586 * action=import no longer allows both the namespace= and rootpage= parameters
3587 to be set. If they are both set, the value of rootpage= will be ignored.
3588 * prop=revision output in enum mode is now sorted by timestamp rather than
3589 revision ID. This usually won't make any difference.
3590 * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
3591 with formatversion=2.
3592 * Various other output from meta=siteinfo will now always be arrays instead of
3593 sometimes being numerically-indexed objects with formatversion=2.
3594 * When errors about users being blocked are returned, they now include
3595 information about the relevant block.
3596 * (T99926) list=random has higher limits, in line with other API modules.
3597 * list=random's rnredirect parameter is deprecated in favor of a new
3598 rnfilterredir parameter that also allows for listing both redirects and
3599 non-redirects.
3600 * list=random now supports continuation.
3601 * API responses to GET requests may now include ETag and Last-Modified headers,
3602 and will honor corresponding If-None-Match and If-Modified-Since on such
3603 requests.
3604
3605 === Action API internal changes in 1.26 ===
3606 * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
3607 into the value when the value is an assoc.
3608 * API action modules may now provide values for the RFC 7232 ETag and
3609 Last-Modified headers. The API will check these against If-None-Match and
3610 If-Modified-Since request headers on GET requests and avoid executing the
3611 module when appropriate.
3612
3613 === Languages updated in 1.26 ===
3614
3615 MediaWiki supports over 350 languages. Many localisations are updated
3616 regularly. Below only new and removed languages are listed, as well as
3617 changes to languages because of Phabricator reports.
3618
3619 * Languages added:
3620 ** ase (American sign language), thanks to translator Icemandeaf
3621 ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
3622 मेश सिंह बोहरा, and राम प्रसाद जोशी
3623 ** luz (لئری دوٙمینی / Southern Luri)
3624 ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin
3625 Natoi, Ilja.mos, and Mashoi7
3626
3627 === Other changes in 1.26 ===
3628 * ChangeTags::tagDescription() will return false if the interface message
3629 for the tag is disabled.
3630 * Added PageHistoryPager::doBatchLookups hook.
3631 * Added $wikiId parameter to FormatAutocomments hook.
3632 * Added ParserCacheSaveComplete to ParserCache
3633 * supportsDirectEditing and supportsDirectApiEditing methods added to
3634 ContentHandler, to provide a way for ApiEditPage and EditPage to check
3635 if direct editing of content is allowed. These methods return false,
3636 by default for the ContentHandler base class and true for TextContentHandler
3637 and it's derivative classes (everything in core). For Content types that
3638 do not support direct editing, an alternative mechanism should be provided
3639 for editing, such as action overrides or specific api modules.
3640 * mediaWiki.confirmCloseWindow now returns an object of functions, instead of
3641 one function. The callback can't be called directly any more. The callback
3642 function is replaced with confirmCloseWindow.release().
3643 * BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
3644 ResourceLoaderModule::getDependencies(). Extension classes that override that
3645 method should be updated. If they aren't updated, PHP Strict standards
3646 warnings will appear when E_STRICT error reporting is enabled. Note: in the
3647 near future, this parameter will probably become non-optional.
3648 * Removed maintenance script deleteImageMemcached.php.
3649 * MWFunction::newObj() was removed (deprecated in 1.25).
3650 ObjectFactory::getObjectFromSpec() should be used instead.
3651 * The parser will no longer randomize the string it uses to mark the place of
3652 items that were stripped during parsing. It will use a fixed string instead.
3653 This causes the parser to re-use the regular expressions it uses to search
3654 and replace markers rather than generate novel expressions on each parse.
3655 Re-using regular expressions will improve performance on HHVM and the
3656 forthcoming PHP 7. The interfaces changes accompanying this change are:
3657 - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
3658 - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
3659 $prefix argument for StripState::_construct() are deprecated and their
3660 value is ignored.
3661 * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate
3662 library, mediawiki/at-ease, and are now deprecated. Callers should use
3663 MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
3664 * The Block class constructor now takes an associative array of parameters
3665 instead of many optional positional arguments. Calling the constructor the old
3666 way will issue a deprecation warning.
3667 * The jquery.mwExtension module was deprecated.
3668 * $wgSpecialPageGroups was removed (deprecated in 1.21).
3669 * SpecialPageFactory::setGroup was removed (deprecated in 1.21).
3670 * SpecialPageFactory::getGroup was removed (deprecated in 1.21).
3671 * DatabaseBase::ignoreErrors() is now protected.
3672 * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
3673 a lengthy deprecation period.
3674 * The ScopedPHPTimeout class was removed.
3675 * Removed maintenance script fixSlaveDesync.php.
3676 * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
3677 are deprecated. Applications using those can work via the OAuth
3678 extension instead. New tokens types should not be added.
3679 * DatabaseBase::errorCount() was removed (unused).
3680 * $wgDeferredUpdateList was removed.
3681 * DeferredUpdates::addHTMLCacheUpdate() was removed.
3682
3683 = MediaWiki 1.25 =
3684
3685 == MediaWiki 1.25.6 ==
3686
3687 This is a maintenance release of the MediaWiki 1.25 branch.
3688
3689 === Changes since 1.25.5 ===
3690 * (T123166) Fix fatal error when importing pages to titles which cannot be
3691 created, such as invalid titles or titles the user is not allowed to edit.
3692 * (T122056) Old tokens are remaining valid within a new session
3693 * (T127114) Login throttle can be tricked using non-canonicalized usernames
3694 * (T123653) Cross-domain policy regexp is too narrow
3695 * (T123071) Incorrectly identifying http link in a's href attributes, due to
3696 m modifier in regex
3697 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
3698 * (T125283) Users occasionally logged in as different users after
3699 SessionManager deployment
3700 * (T103239) Patrol allows click catching and patrolling of any page
3701 * (T122807) [tracking] Check php crypto primatives
3702 * (T98313) Graphs can leak tokens, leading to CSRF
3703 * (T130947) Diff generation should use PoolCounter
3704 * (T133507) Careless use of $wgExternalLinkTarget is insecure
3705 * (T132874) API action=move is not rate limited
3706 * (T110143) strip markers can be used to get around html attribute escaping in
3707 (many?) parser tags
3708 * (T116030) Increase pbkdf2 parameter strengths
3709 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
3710 * (T126685) Globally throttle password attempts
3711
3712 == MediaWiki 1.25.5 ==
3713
3714 This is a maintenance release of the MediaWiki 1.25 branch.
3715
3716 === Changes since 1.25.4 ===
3717 * (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
3718
3719 == MediaWiki 1.25.4 ==
3720
3721 This is a security and maintenance release of the MediaWiki 1.25 branch.
3722
3723 === Changes since 1.25.3 ===
3724 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3725 that do not begin with a slash. This enabled trivial XSS attacks.
3726 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3727 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3728 error.
3729 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3730 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3731 with '@' as file uploads
3732 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3733 longer be shorter than $wgMinimalPasswordLength
3734 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3735 result in improper blocks being issued
3736 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3737 and related pages no longer use HTTP redirects and are now redirected by
3738 MediaWiki
3739 * (T103237) $wgUseGzip had no effect when using file cache.
3740 * (T114606) mw.notify was not correctly fixed to the page if
3741 initialized while not at the top of the page.
3742 * Fix issue that breaks HHVM Repo Authorative mode.
3743
3744 == MediaWiki 1.25.3 ==
3745
3746 This is a security and maintenance release of the MediaWiki 1.25 branch.
3747
3748 === Changes since 1.25.2 ===
3749
3750 * (T98975) Fix having multiple callbacks for a single hook.
3751 * (T107632) maintenance/refreshLinks.php did not always remove all links
3752 pointing to nonexistent pages.
3753 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
3754 value if set to an empty string.
3755 * (T62174) Provide fallbacks for use of mb_convert_encoding() in
3756 HtmlFormatter. It was causing an error when accessing the api help page
3757 if the mbstring PHP extension was not installed.
3758 * (T105896) Confirmation emails would sometimes contain invalid codes.
3759 * (T105597) Fixed edit stash inclusion queries.
3760 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
3761 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
3762 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
3763 first
3764 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
3765
3766 == MediaWiki 1.25.2 ==
3767
3768 This is a security and maintenance release of the MediaWiki 1.25 branch.
3769
3770 === Changes since 1.25.1 ===
3771
3772 * (T94116) SECURITY: Compare API watchlist token in constant time
3773 * (T97391) SECURITY: Escape error message strings in thumb.php
3774 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
3775 Special:DeletedContributions
3776 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
3777 policy of Wikimedia Commons.
3778 * (T100767) Setting a configuration setting for skin or extension to
3779 false in LocalSettings.php was not working.
3780 * (T100635) API action=opensearch json output no longer breaks when
3781 $wgDebugToolbar is enabled.
3782 * (T102522) Using an extension.json or skin.json file which has
3783 a "manifest_version" property for 1.26 compatability will no longer
3784 trigger warnings.
3785 * (T86156) Running updateSearchIndex.php will not throw an error as
3786 page_restrictions has been added to the locked table list.
3787 * Special:Version would throw notices if using SVN due to an incorrectly
3788 named variable. Add an additional check that an index is defined.
3789
3790 == MediaWiki 1.25.1 ==
3791
3792 This is a bug fix release of the MediaWiki 1.25 branch.
3793
3794 === Changes since 1.25 ===
3795 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
3796
3797 == MediaWiki 1.25.0 ==
3798
3799 === Configuration changes in 1.25 ===
3800 * $wgPageShowWatchingUsers was removed.
3801 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
3802 * $wgAntiLockFlags was removed.
3803 * $wgJavaScriptTestConfig was removed.
3804 * Edit tokens returned from User::getEditToken may change on every call. Token
3805 validity must be checked by passing the user-supplied token to
3806 User::matchEditToken rather than by testing for equality with a
3807 newly-generated token.
3808 * (T74951) The UserGetLanguageObject hook may be passed any IContextSource
3809 for its $context parameter. Formerly it was documented as receiving a
3810 RequestContext specifically.
3811 * Profiling was restructured and $wgProfiler now requires an 'output' parameter.
3812 See StartProfiler.sample for details.
3813 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
3814 might be a flash policy directive configurable.
3815 * ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
3816 longer be used. If extracts and page images are desired, the TextExtracts and
3817 PageImages extensions are required.
3818 * $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
3819 * Edits are now prepared via AJAX as users type edit summaries. This behavior
3820 can be disabled via $wgAjaxEditStash.
3821 * (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
3822 with the jQuery Migrate library, as indicated when this option was provided in
3823 MediaWiki 1.24.
3824 * ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
3825 StartProfiler.php config is updated to reflect this. Xhprof is available
3826 for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
3827 * Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
3828 rather than 'rsvg'.
3829 * Default value of $wgSVGConverters['ImageMagick'] now uses transparent
3830 background with white fallback color, rather than just white background.
3831 * MediaWikiBagOStuff class removed, make sure any object cache config
3832 uses SqlBagOStuff instead.
3833 * The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
3834 job queues. This means that mediawiki/services/jobrunner service has to
3835 be installed and running for any such queues to work.
3836 * $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
3837 compatibility, any 'view' event triggers will still trigger on 'edit'.
3838 * $wgExtensionDirectory was added for when your extensions directory is
3839 somewhere other than $IP/extensions (as $wgStyleDirectory does with the skins
3840 directory).
3841
3842 === New features in 1.25 ===
3843 * (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
3844 for plural forms in Russian, Prussian, Tagalog, Manx and several languages
3845 that fall back to Russian.
3846 * (T60139) ResourceLoaderFileModule now supports language fallback
3847 for 'languageScripts'.
3848 * Added a new hook, "ContentAlterParserOutput", to allow extensions to modify
3849 the parser output for a content object before links update.
3850 * (T37785) Enhanced recent changes and extended watchlist are now default.
3851 Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
3852 and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions
3853 * (T69341) SVG images will no longer be base64-encoded when being embedded
3854 in CSS. This results in slight size increase before gzip compression (due to
3855 percent-encoding), but up to 20% decrease after it.
3856 * Update jStorage to v0.4.12.
3857 * MediaWiki now natively supports page status indicators: icons (or short text
3858 snippets) usually displayed in the top-right corner of the page. They have
3859 been in use on Wikipedia for a long time, implemented using templates and CSS
3860 absolute positioning.
3861 - Basic wikitext syntax:
3862 <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
3863 - Usage instructions:
3864 https://www.mediawiki.org/wiki/Help:Page_status_indicators
3865 - Adjusting custom skins to support indicators:
3866 https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
3867 * Edit tokens may now be time-limited: passing a maximum age to
3868 User::matchEditToken will reject any older tokens.
3869 * The debug logging internals have been overhauled, and are now using the
3870 PSR-3 interfaces.
3871 * Update CSSJanus to v1.1.1.
3872 * Update lessphp to v0.5.0.
3873 * Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
3874 and images for ApiOpenSearch output. The semantics are identical to the
3875 "OpenSearchXml" hook provided by the OpenSearchXml extension.
3876 * PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
3877 this allows for pagination of prefix results. Extensions using this hook
3878 should implement supporting behavior. Not doing so can result in undefined
3879 behavior from API clients trying to continue through prefix results.
3880 * Update jQuery from v1.11.1 to v1.11.3.
3881 * External libraries installed via composer will now be displayed
3882 on Special:Version in their own section. Extensions or skins that are
3883 installed via composer will not be shown in this section as it is assumed
3884 they will add the proper credits to the skins or extensions section. They
3885 can also be accessed through the API via the new siprop=libraries to
3886 ApiQuerySiteInfo.
3887 * Update QUnit from v1.14.0 to v1.16.0.
3888 * Update Moment.js from v2.8.3 to v2.8.4.
3889 * Special:Tags now allows for manipulating the list of user-modifiable change
3890 tags.
3891 * Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
3892 and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
3893 tags.
3894 * Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
3895 "active" formerly conflated by the 'ListDefinedTags' hook.
3896 * Added TemplateParser class that provides a server-side interface to cachable
3897 dynamically-compiled Mustache templates (currently uses lightncandy library).
3898 * Clickable anchors for each section heading in the content are now generated
3899 and appear in the gutter on hovering over the heading.
3900 * Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink'
3901 hooks to allow extensions to override how links to pages are rendered within
3902 NS_CATEGORY
3903 * (T19665) Special:WantedPages only lists page which having at least one red
3904 link pointing to it.
3905 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
3906 used for conditional registration of API modules.
3907 * New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
3908 links of a group of changes in EnhancedChangesList.
3909 * A full interface for StatsD metric reporting has been added to the context
3910 interface, reachable via IContextSource::getStats().
3911 * Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
3912 proper, published library, which is now tagged as v1.0.0.
3913 * A new message (defaulting to blank), 'editnotice-notext', can be shown to
3914 users when they are editing if no edit notices apply to the page being edited.
3915 * (T94536) You can now make the sitenotice appear to logged-in users only by
3916 editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
3917 "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
3918 * Modifying the tagging of a revision or log entry is now available via
3919 Special:EditTags, generally accessed via the revision-deletion-like interface
3920 on history pages and Special:Log is likely to be more useful.
3921 * Added 'applychangetags' and 'changetags' user rights.
3922 * (T35235) LogFormatter subclasses are now responsible for formatting the
3923 parameters for API log event output. Extensions should implement the new
3924 getParametersForApi() method in their log formatters.
3925
3926 ==== External libraries ====
3927 * MediaWiki now requires certain external libraries to be installed. In the past
3928 these were bundled inside the Git repository of MediaWiki core, but now they
3929 need to be installed separately. For users using the tarball, this will be
3930 taken care of and no action will be required. Users using Git will either need
3931 to use composer to fetch dependencies or use the mediawiki/vendor repository
3932 which includes all dependencies for MediaWiki core and ones used in Wikimedia
3933 deployment. Detailed instructions can be found at:
3934 https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
3935 * The following libraries are now required:
3936 ** psr/log
3937 This library provides the interfaces set by the PSR-3 standard
3938 (http://www.php-fig.org/psr/psr-3/) which are used by MediaWiki internally
3939 via the MediaWiki\Logger\LoggerFactory class.
3940 See the structured logging RfC
3941 <https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging>
3942 for more background information.
3943 ** cssjanus/cssjanus
3944 This library was formerly bundled with MediaWiki core and has been removed.
3945 It automatically flips CSS for RTL support.
3946 ** leafo/lessphp
3947 This library was formerly bundled with MediaWiki core and has been removed.
3948 It compiles LESS files into CSS.
3949 ** wikimedia/cdb
3950 This library was formerly a part of MediaWiki core, and has been moved into a
3951 separate library. It provides CDB functions which are used in the Interwiki
3952 and Localization caches. More information about the library can be found at
3953 https://www.mediawiki.org/wiki/CDB.
3954 ** liuggio/statsd-php-client
3955 This library provides a StatsD client API for logging application metrics to
3956 a remote server.
3957
3958 === Bug fixes in 1.25 ===
3959 * (T73003) No additional code will be generated to try to load CSS-embedded
3960 SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
3961 * (T69021) On Special:BookSources, corrected validation of ISBNs (both
3962 10- and 13-digit forms) containing "X".
3963 * Page moving was refactored into a MovePage class. As part of that:
3964 ** The AbortMove hook was removed.
3965 ** MovePageIsValidMove is for extensions to specify whether a page
3966 cannot be moved for technical reasons, and should not be overridden.
3967 ** MovePageCheckPermissions is for checking whether the given user is
3968 allowed to make the move.
3969 ** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
3970 ** Title::moveTo() was deprecated. Use the MovePage class instead.
3971 ** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
3972 and MovePage::checkPermissions().
3973 * (T18530) Multiple autocomments are now formatted in an edit summary.
3974 * (T70361) Autocomments containing "/*" are parsed correctly.
3975 * The Special:WhatLinksHere page linked from 'Number of redirects to this page'
3976 on action=info about a file page does not list file links anymore.
3977 * (T78637) Search bar is not autofocused unless it is empty so that proper
3978 scrolling using arrow keys is possible.
3979 * (T50853) Database::makeList() modified to handle 'NULL' separately when
3980 building IN clause
3981 * (T85192) Captcha position modified in Usercreate template. As a result:
3982 ** extrafields parameter added to Usercreate.php to insert additional data
3983 ** 'extend' method added to QuickTemplate to append additional values to any
3984 field of data array
3985 * (T86974) Several Title methods now load from the database when necessary
3986 (instead of returning incorrect results) even when the page ID is known.
3987 * (T74070) Duplicate search for archived files on file upload now omits the
3988 extension.
3989 This requires the fa_sha1 field being populated.
3990 * Removed rel="archives" from the "View history" link, as it did not pass
3991 HTML validation.
3992 * $wgUseTidy is now set when parserTests are run with the tidy option to match
3993 output on wiki.
3994 * (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed
3995 to it.
3996 * (T72109) mediawiki.language should respect $wgTranslateNumerals in
3997 convertNumber().
3998
3999 === Action API changes in 1.25 ===
4000 * (T67403) XML tag highlighting is now only performed for formats
4001 "xmlfm" and "wddxfm".
4002 * action=paraminfo supports generalized submodules (modules=query+value),
4003 querymodules and formatmodules are deprecated
4004 * action=paraminfo no longer outputs descriptions and other help text by
4005 default. If needed, it may be requested using the new 'helpformat' parameter.
4006 * action=help has been completely rewritten, and outputs help in HTML
4007 rather than plain text.
4008 * Hitting api.php without specifying an action now displays only the help for
4009 the main module, with links to submodule help.
4010 * API help is no longer displayed on errors.
4011 * 'uselang' is now a recognized API parameter; "uselang=user" may be used to
4012 explicitly select the language from the current user's preferences, and
4013 "uselang=content" may be used to select the wiki's content language.
4014 * Default output format for the API is now jsonfm.
4015 * Simplified continuation will return a "batchcomplete" property in the result
4016 when a batch of pages is complete.
4017 * Pretty-printed HTML output now has nicer formatting and (if available)
4018 better syntax highlighting.
4019 * Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
4020 list=alldeletedrevisions.
4021 * prop=revisions will gracefully continue when given too many revids or titles,
4022 rather than just ignoring the extras.
4023 * prop=revisions will no longer die if rvcontentformat doesn't match a
4024 revision's content model; it will instead warn and omit the content.
4025 * If the user has the 'deletedhistory' right, action=query's revids parameter
4026 will now recognize deleted revids.
4027 * prop=revisions may be used as a generator, generating revids.
4028 * (T68776) format=json results will no longer be corrupted when
4029 $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
4030 error instead of returning invalid serialized data.
4031 * Generators may now return data for the generated pages when used with
4032 action=query.
4033 * Query page data for generator=search and generator=prefixsearch will now
4034 include an "index" field, which may be used by the client for sorting the
4035 search results.
4036 * ApiOpenSearch now supports XML output.
4037 * ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
4038 in JSON format.
4039 * (T76051) list=tags will now continue correctly.
4040 * (T76052) list=tags can now indicate whether a tag is defined.
4041 * (T75522) list=prefixsearch now supports continuation
4042 * (T78737) action=expandtemplates can now return page properties.
4043 * (T78690) list=allimages now accepts multiple pipe-separated values
4044 for the 'aimime' parameter.
4045 * prop=info with inprop=protections will now return applicable protection types
4046 with the 'restrictiontypes' key.
4047 * (T85417) When resolving redirects, ApiPageSet will now add the targets of
4048 interwiki redirects to the list of interwiki titles.
4049 * (T85417) When outputting the list of redirect titles, a 'tointerwiki'
4050 property (like the existing 'tofragment' property) will be set.
4051 * Added action=managetags to allow for managing the list of
4052 user-modifiable change tags. Actually modifying the tagging of a revision or
4053 log entry is not implemented yet.
4054 * list=tags has additional properties to indicate 'active' status and tag
4055 sources.
4056 * siprop=libraries was added to ApiQuerySiteInfo to list installed external
4057 libraries.
4058 * (T88010) Added action=checktoken, to test a CSRF token's validity.
4059 * (T88010) Added intestactions to prop=info, to allow querying of
4060 Title::userCan() via the API.
4061 * Default type param for query list=watchlist and list=recentchanges has
4062 been changed from all types (e.g. including 'external') to 'edit|new|log'.
4063 * Added formatversion to format=json. Still "experimental" as further changes
4064 to the output formatting might still be made.
4065 * (T73020) Log event details are now always under a 'params' subkey for
4066 list=logevents, and a 'logparams' subkey for list=watchlist and
4067 list=recentchanges.
4068 * Log event details are changing formatting:
4069 * block events now report flags as an array rather than as a comma-separated
4070 list.
4071 * patrol events now report the 'auto' flag as a boolean (absent/empty string
4072 for BC formats) rather than as an integer.
4073 * rights events now report the old and new group lists as arrays rather than
4074 as comma-separated lists.
4075 * merge events use new-style formatting.
4076 * delete/event and delete/revision events use new-style formatting.
4077 * The root node and various other nodes will now always be an object in formats
4078 such as json that distinguish between arrays and objects.
4079 * Except for action=opensearch where the spec requires an array.
4080