RELEASE-NOTES-1.28

   1 == MediaWiki 1.28 ==
   2
   3 THIS IS NOT A RELEASE YET
   4
   5 MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in
   6 production.
   7
   8 === Configuration changes in 1.28 ===
   9 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  10   made by MediaWiki via a proxy. Relying on the http_proxy environment
  11   variable is no longer supported.
  12 * The load.php entry point now enforces the existing policy of not allowing
  13   access to session data, which includes the session user and the session
  14   user's language. If such access is attempted, an exception will be thrown.
  15 * The number of internal PBKDF2 iterations used to derive the session secret
  16   is configurable via $wgSessionPbkdf2Iterations.
  17 * Upload dialog's file upload log comment can now be configured separately for
  18   local and foreign uploads.
  19 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
  20   signifies local uploads. A value of `[]` (empty array) now means that
  21   no upload targets are allowed, effectively disabling the upload dialog.
  22 * The deprecated $wgEditEncoding variable has been removed; it was only used
  23   for Esperanto language character conversion. You are now recommended to use
  24   input methods provided by the UniversalLanguageSelector extension.
  25 * When $wgPingback is true, MediaWiki will periodically ping
  26   https://www.mediawiki.org/beacon with basic information about the local
  27   MediaWiki installation. This data includes, for example, the type of system,
  28   PHP version, and chosen database backend. This behavior is off by default.
  29 * When $EditSubmitButtonLabelPublish is true, MediaWiki will label the button
  30   to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
  31   if false, the default, they will be "Save page"/"Save changes".
  32
  33 === New features in 1.28 ===
  34 * User::isBot() method for checking if an account is a bot role account.
  35 * Added a new 'slideshow' mode for galleries.
  36 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
  37 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  38   interact with API parsing.
  39 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
  40   upload. Unlike 'UploadVerifyFile' it provides information about upload comment
  41   and the file description page, but does not run for uploads to stash.
  42 * (T141604) Extensions can now provide a better error message when their
  43   maintenance scripts are run without the extension being installed.
  44 * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
  45   to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
  46   a 'numeric' collation is also available. If migrating from another
  47   collation, you will need to run the updateCollation.php maintenance script.
  48 * Two new codes have been added to #time parser function: "xit" for days in current
  49   month, and "xiz" for days passed in the year, both in Iranian calendar.
  50 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
  51   appropriate for sending multi-valued parameters. This defaults to true when
  52   the mw.Api instance seems to be for the local wiki.
  53
  54 === External library changes in 1.28 ===
  55
  56 ==== Upgraded external libraries ====
  57 * Updated es5-shim from v4.1.5 to v4.5.8
  58
  59 ==== New external libraries ====
  60
  61 ==== Removed and replaced external libraries ====
  62
  63 === Bug fixes in 1.28 ===
  64 * (T137264) SECURITY: XSS in unclosed internal links
  65 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  66 * (T133147) SECURITY: Require login to preview user CSS pages
  67 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  68   the top file
  69 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  70   permissions
  71 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  72 * (T139670) Move 'UserGetRights' call before application of
  73   Session::getAllowedUserRights()
  74
  75 === Action API changes in 1.28 ===
  76 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
  77   the value of $wgMaxArticleSize.
  78 * Property 'modulemessages' from action=parse&prop=modules was removed
  79   (deprecated since 1.26).
  80 * The following response properties from action=login, deprecated in 1.27, are
  81   now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
  82   to properly manage session state.
  83 * Submitting the lgtoken and lgpassword parameters in the query string to
  84   action=login is now deprecated and outputs a warning. They should be submitted
  85   in the POST body instead.
  86 * Submitting sensitive authentication request parameters to action=clientlogin,
  87   action=createaccount, action=linkaccount, and action=changeauthenticationdata
  88   in the query string is now deprecated and outputs a warning. They should be
  89   submitted in the POST body instead.
  90 * (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
  91   instead of the pipe character. This will be useful if some of the multiple
  92   values need to contain pipes, e.g. for action=options.
  93 * The API will now warn if input is not NFC-normalized Unicode or if it
  94   contains invalid characters.
  95 * The 'normalized' list output by action=query and other modules that use
  96   ApiPageSet may contain entries where the 'from' value is percent-encoded as
  97   the raw value cannot be represented in a valid API response. These are
  98   indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
  99 * (T28680) action=paraminfo can now return info about all submodules of a
 100   module without listing them all explicitly.
 101
 102 === Action API internal changes in 1.28 ===
 103 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
 104   interact with ApiParse and ApiExpandTemplates.
 105 * (T139565) SECURITY: API: Generate head items in the context of the given title
 106 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
 107
 108 === Languages updated in 1.28 ===
 109
 110 MediaWiki supports over 350 languages. Many localisations are updated
 111 regularly. Below only new and removed languages are listed, as well as
 112 changes to languages because of Phabricator reports.
 113
 114 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
 115   BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
 116 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
 117   Saiddzone Saimawnkham, Saosukham, and Sengwan.
 118 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks
 119
 120 === Other changes in 1.28 ===
 121 * (T128697) Improved handling of large diffs.
 122 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
 123   use or update a custom session provider if needed.
 124 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
 125 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
 126 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
 127 * The 'UserLoginComplete' hook has a new parameter to differentiate between actual
 128   login and visiting the login page while already logged in.
 129 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
 130 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
 131 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
 132 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
 133 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
 134   MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
 135   were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
 136   respectively. See docs/hooks.txt for the specific changes needed for those hooks.
 137 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
 138   * Skin::commentBlock() (use Linker::commentBlock() instead)
 139   * Skin::generateRollback() (use Linker::generateRollback() instead)
 140   * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
 141   * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
 142   * Skin::userLink() (use Linker::userLink() instead)
 143   * Skin::userToolLinks() (use Linker::userToolLinks() instead)
 144 * The 'ParserLimitReportFormat' hook was removed.
 145 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
 146   disabled.
 147 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
 148 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
 149   Use ...->stashFile()->getFileKey() instead.
 150 * "Public domain" was removed as a wiki license option from the installer, in
 151   favour of CC-0.
 152 * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
 153   on requests needed by primary providers even if all primaries need them.
 154   Primary providers are discouraged from returning multiple REQUIRED requests.
 155 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
 156   will no longer be automatically infused. You should call `OO.ui.infuse()`
 157   on them yourself from your JavaScript code.
 158
 159 == Compatibility ==
 160
 161 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
 162 HHVM 3.6.5 or later.
 163
 164 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
 165 support for them is somewhat less mature. There is experimental support for
 166 Oracle and Microsoft SQL Server.
 167
 168 The supported versions are:
 169
 170 * MySQL 5.0.3 or later
 171 * PostgreSQL 8.3 or later
 172 * SQLite 3.3.7 or later
 173 * Oracle 9.0.1 or later
 174 * Microsoft SQL Server 2005 (9.00.1399)
 175
 176 == Upgrading ==
 177
 178 1.28 has several database changes since 1.27, and will not work without schema
 179 updates. Note that due to changes to some very large tables like the revision
 180 table, the schema update may take quite long (minutes on a medium sized site,
 181 many hours on a large site).
 182
 183 If upgrading from before 1.11, and you are using a wiki as a commons
 184 repository, make sure that it is updated as well. Otherwise, errors may arise
 185 due to database schema changes.
 186
 187 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
 188 new database fields are filled with data.
 189
 190 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
 191 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
 192 with MediaWiki 1.21.
 193
 194 Don't forget to always back up your database before upgrading!
 195
 196 See the file UPGRADE for more detailed upgrade instructions.
 197
 198 For notes on 1.27.x and older releases, see HISTORY.
 199
 200 == Online documentation ==
 201
 202 Documentation for both end-users and site administrators is available on
 203 MediaWiki.org, and is covered under the GNU Free Documentation License (except
 204 for pages that explicitly state that their contents are in the public domain):
 205
 206        https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
 207
 208 == Mailing list ==
 209
 210 A mailing list is available for MediaWiki user support and discussion:
 211
 212        https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
 213
 214 A low-traffic announcements-only list is also available:
 215
 216        https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
 217
 218 It's highly recommended that you sign up for one of these lists if you're
 219 going to run a public MediaWiki, so you can be notified of security fixes.
 220
 221 == IRC help ==
 222
 223 There's usually someone online in #mediawiki on irc.freenode.net.