parser: Validate $length in padleft/padright parser functions

[lhc/web/wiklou.git] / RELEASE-NOTES-1.32

== MediaWiki 1.32 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.32 is an alpha-quality branch and is not recommended for use in
production.

=== Configuration changes in 1.32 ===
* (T115414) The $wgEnableAPI and $wgEnableWriteAPI settings, deprecated in 1.31,
  have been removed.
* The $wgUseAjax setting, deprecated in 1.31, is now ignored.
* The $wgSiteSupportPage setting, unused since 1.5, was removed.
* The default quality of JPEG thumbnails generated by GD was reduced from 95 to
  80. The quality of JPEG thumbnails is now configurable through the new setting
  $wgJpegQuality (default 80). This aligns the quality to what ImageMagick uses.
* $wgExperimentalHtmlIds, deprecated since 1.30, has been removed. The
  'html5-legacy' value for $wgFragmentMode is no longer accepted.
* The experimental Html5Internal and Html5Depurate tidy drivers were removed.
  RemexHtml, which is the default, should be used instead.
* (T135963) You can now define a Content Security Policy for your wiki. This
  adds a defense-in-depth feature to stop an attacker who has found a bug in
  the parser allowing them to insert malicious attributes. Disabled by default,
  you can configure this via $wgCSPHeader and $wgCSPReportOnlyHeader.
* New configuration variable has been added: $wgCookieSetOnIpBlock.
  This determines whether to set a cookie when an IP user is blocked. Doing so means
  that a blocked user, even after moving to a new IP address, will still be blocked.
* The archive table's ar_rev_id field is now unique.

=== New features in 1.32 ===
* (T112474) Generalized the ResourceLoader mechanism for overriding modules
  using a particular page during edit previews.
* (T12331) You can now log page creation events by setting $wgPageCreationLog
  to true.
* Added 'ApiParseMakeOutputPage' hook.
* (T174313) Added checkbox on Special:ListUsers to display only users in
  temporary user groups.
* (T152462) A cookie can now be set when an IP user is blocked to track that user if
  they move to a new IP address. This is disabled by default.
* (T194950) Added 'ApiMaxLagInfo' hook.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
  reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
  getLoginSecurityLevel() returns non-false.

=== External library changes in 1.32 ===
* …

==== Upgraded external libraries ====
* Updated QUnit from 2.4.0 to 2.6.0.
* Updated wikimedia/scoped-callback from 1.0.0 to 2.0.0.
** ScopedCallback objects can no longer be serialized.
* Updated wikimedia/wrappedstring from 2.3.0 to 3.0.1.

==== New external libraries ====
* Added wikimedia/xmp-reader 0.5.1
* …

==== Removed and replaced external libraries ====
* …

=== Bug fixes in 1.32 ===
* SpecialPage::execute() will now only call checkLoginSecurityLevel() if
  getLoginSecurityLevel() returns non-false.

=== Action API changes in 1.32 ===
* Added templated parameters.
  * A module can define a templated parameter like "{fruit}-quantity", where
    the actual parameters recognized correspond to the values of a multi-valued
    parameter. Then clients can make requests like
    "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
  * action=paraminfo will return templated parameter definitions separately
    from normal parameters. All parameter definitions now include an "index"
    key to allow clients to maintain parameter ordering when merging normal and
    templated parameters.
* It is now an error to submit too many values for a multi-valued parameter.
  This has generated a warning since MediaWiki 1.14.

=== Action API internal changes in 1.32 ===
* Added 'ApiParseMakeOutputPage' hook.
* Parameter names may no longer contain '{' or '}', as these are now used for
  templated parameters.
* (T194950) Added 'ApiMaxLagInfo' hook.

=== Languages updated in 1.32 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.

* (T193566) Added language support for Ambonese Malay (abs).
* (T194047) Added language support for Shawiya, Latin script (shy-latn).
* (T195940) Added language support for Batak Mandailing (btm).

=== Breaking changes in 1.32 ===
* $wgRequestTime, deprecated in 1.25, was removed. Use
  $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
* The MediaWikiI18N class, deprecated in 1.31, was removed.
* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
  Skin::msg() instead.
* wfInitShellLocale(), deprecated in 1.30, was removed.
* wfShellExecDisabled(), deprecated in 1.30, was removed.
* The type string for the parameter $lang of DateFormatter::getInstance,
  deprecated in 1.31, was removed.
* The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
  MediaWiki\Session\Token::SUFFIX instead.
* EditPage::isOouiEnabled() deprecated in 1.30, was removed.
* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
  instead.
* (T61113) The following methods and constants from the Revision class, which
  were deprecated in 1.25, have now been removed:
  * Revision::getRawUser()
  * Revision::getRawUserText()
  * Revision::getRawComment()
* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
  mw.msg() or mw.message() instead.
* mw.util.escapeId(), deprecated in 1.30, was removed. Use
  mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
  jquery.accessKeyLabel instead.
* The SqlDataUpdate class, deprecated in 1.28, has been removed.
* The Html5Internal and Html5Depurate tidy driver classes were removed, along
  with the Balancer tidy implementation. Both implementations were experimental,
  and were replaced by RemexHtml.
* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
  removed. Use JobQueueGroup::singleton()->push() instead.
* The jquery.footHovzer module, for mediawiki.debug, was removed.
* The es5-shim module, empty and deprecated since 1.29, was removed.
* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
  removed. Use mediawiki.widgets.visibleLengthLimit instead.
* The jquery.farbtastic module, unused since 1.18, was removed.
* (T181318) The $wgStyleVersion setting and its appendage to various script and
  style URLs in OutputPage, deprecated in 1.31, was removed.
* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
  any HTMLForm object rather than PreferencesForm.
* The non namespaced TimestampException class, deprecated in 1.29, was removed.
  Use Wikimedia\Timestamp\TimestampException instead.
* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
  utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
  The UtfNormal\Utils class from the utfnormal library should be used instead.
* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
  from the UtfNormal\Constants class from the utfnormal library should be used
* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
  from ResourceLoader. Instead, use `@import` statements in LESS to import
  files directly from nearby directories within the same project.
* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
  only needed for PHP5 compatibility, have been removed. It now uses the boolean
  values `true` and `false` respectively.
* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
  were removed. Use the ParserCache class instead.
* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
  instead.
* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
  deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
  and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
  is no longer loaded by default. The Vector and MonoBook skins have made a
  minor change to implement the toggle feature with CSS instead. To restore
  prior functionality, either explicitly load "jquery.mw-jump" in your skin
  or refer to T195256 for details on how to make the same change.

=== Deprecations in 1.32 ===
* Use of a StartProfiler.php file is deprecated in favour of placing
  configuration in LocalSettings.php.
* HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
  button is already marked as progressive.
* Skin::setupSkinUserCss() is deprecated. Adding of modules to load
  has been centralised to Skin::getDefaultModules(), which is now capable
  of queueing style modules as well.
* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
  deprecated. Use addModules() instead.
* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
  in extending classes is deprecated.  Extend related doSearch* methods
  instead.
* CollationFa has been removed completely as it's not needed anymore
* The following 'mediawiki.api' plugin modules were merged into mediawiki.api
  and deprecated: mediawiki.api.category, mediawiki.api.edit,
  mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
  mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
  mediawiki.api.messages, and mediawiki.api.rollback.
* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
  to use it.
* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
  with the 'unwatch' action parameter instead.
* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
  constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
* The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
  of the namespaced classes provided by the wikimedia/xmp-reader library.
* Class CryptRand, everything in MWCryptRand except generateHex() and function
  MediaWikiServices::getCryptRand() are deprecated, use random_bytes() to
  generate cryptographically secure random byte sequences.

=== Other changes in 1.32 ===
* …

== Compatibility ==
MediaWiki 1.32 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
supported, it is generally advised to use PHP 7.0.0 or later for long term
support.

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.5.8 or later
* PostgreSQL 9.2 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==
1.32 has several database changes since 1.31, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.

For notes on 1.31.x and older releases, see HISTORY.

== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

       https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.