-Change notes from older releases. For current info see RELEASE-NOTES-1.32.
+Change notes from older releases. For current info see RELEASE-NOTES-1.33.
+
+= MediaWiki 1.32 =
+
+== MediaWiki 1.32.0 ==
+
+=== Changes since MediaWiki 1.32.0-rc.2 ===
+* (T188327) Fix slow queries in migrateActors.php.
+* (T102320) Fix $magicWords for the Sanskrit language.
+
+=== Changes since MediaWiki 1.32.0-rc.1 ===
+* Fix addition of ug_expiry column to user_groups table on MSSQL.
+* (T210307) Fix the cache timestamp for forced updates.
+* (T210621) User: Bypass repeatable-read when creating an actor_id.
+* (T197535) Extensions can now specify PHP versions and PHP extensions they
+ depend on.
+* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
+* (T212356) When using action=delete on pages with many revisions, the module
+ may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
+ deletion will be processed via the job queue.
+* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
+ recentchanges.rc_cur_time from the PostgreSQL schema.
+
+=== Changes since MediaWiki 1.32.0-rc.0 ===
+* (T209885) Prevent populateSearchIndex.php from breaking once actor migration
+ has been started.
+* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
+ if --lang is used with the command-line installer (install.php).
+
+=== Configuration changes in 1.32 ===
+
+==== New configuration ====
+* $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
+ this setting. The default is 80, which matches the quality of JPEG thumbnails
+ previously generated by ImageMagick. The quality of JPEG thumbnails generated
+ by GD was previously 95, but now uses the $wgJpegQuality setting as well.
+* $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
+ user is blocked. Doing so means that a blocked user, even after moving to a
+ new IP address, will still be blocked.
+* $wgRawHtmlMessages – This new configuration setting is added for listing
+ messages which are displayed as raw HTML.
+* $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
+ "Content Security Policy" for your wiki. This adds a defense-in-depth feature
+ to stop an attacker who has found a bug in the parser allowing them to insert
+ malicious attributes. Disabled by default. (T135963)
+* $wgGroupPermissions – A new user group, 'interface-admin', is added for
+ controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
+ other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
+ by default.
+* $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
+ granting the above rights.
+* $wgDBDefaultGroup – A default database group for use by maintenance scripts.
+* $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
+ enable client-side profiling of JavaScript modules; it is off by default.
+* (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
+ setting allows sysadmins to gradually migrate the database table schema for
+ how change tags are stored.
+* (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
+ allows sysadmins to enable the caching of Special:Tags via the new
+ change_tag_def table.
+
+==== Changed configuration ====
+* $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
+* $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
+ been increased from 3 to 7 days. (T194414)
+* $wgGroupPermissions – The right to edit sitewide Javascript
+ (e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
+ and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
+ 'editinterface' is still necessary to edit such pages.
+* $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
+ old and the new schema, but reading the new schema, so Multi-Content Revisions
+ (MCR) are now functional per default. The new default value of the setting is
+ SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
+* $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
+ MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
+ SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
+ for intermediate stages of migration.
+* $wgDBTableOptions – The default table options now use the binary charset. The
+ default was already overridden in the installer-generated LocalSettings.php,
+ and so is always set to binary after the installer UI option was removed. The
+ default value is only used when the installer installs an extension.
+* $wgPopularPasswordFile — The location of the default popular passwords file
+ has been moved to be in line with other non-PHP files used by libraries and
+ classes.
+* $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
+ potential privacy leaks by administrators. You can check
+ "MediaWiki:External image whitelist" on your wiki to see whether the feature
+ was ever used, and whether it needs to be re-enabled.
+
+==== Removed configuration ====
+* $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
+ have been removed. (T115414)
+* $wgSiteSupportPage – This setting, unused since 1.5, was removed.
+* $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
+* $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
+ The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
+* $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
+ most extensions, is no longer set. Instead, you can modify the system
+ message `emailsender`.
+* $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
+ were removed. RemexHtml, which is the default, should be used instead.
+* (T181318) The $wgStyleVersion setting and its appendage to various script and
+ style URLs in OutputPage, deprecated in 1.31, was removed.
+* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
+ from ResourceLoader. Instead, use `@import` statements in LESS to import
+ files directly from nearby directories within the same project.
+* (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
+ since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
+ the ResourceLoaderModule::getLessVars() method.
+* $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
+ was removed.
+* Two temporary variables for deploying the feature of filters on change lists,
+ $wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
+ $wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
+
+=== New features in 1.32 ===
+* (T112474) Generalized the ResourceLoader mechanism for overriding modules
+ using a particular page during edit previews.
+* (T12331) You can now log page creation events by setting $wgPageCreationLog
+ to true.
+* Added 'ApiParseMakeOutputPage' hook.
+* (T174313) Added checkbox on Special:ListUsers to display only users in
+ temporary user groups.
+* (T152462) A cookie can now be set when an IP user is blocked to track that
+ user if they move to a new IP address. This is disabled by default.
+* (T194950) Added 'ApiMaxLagInfo' hook.
+* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
+ reauthenticating.
+* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
+ getLoginSecurityLevel() returns non-false.
+* The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
+ &$query and &$widthOption, allowing extensions even finer control over the
+ resulting HTML code.
+* Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
+ if the [mark as patrolled] link should be shown at the footer of patrollable
+ pages.
+* The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
+ is now passed by reference, allowing extensions to modify or even unset it.
+* Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
+ modify the return value of OutputPage#getHeadLinksArray in order to add,
+ remove or otherwise alter the elements to be output in the page <head>.
+* (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
+ additional links to the subtitle of a history page.
+* The 'GetLinkColours' hook now receives an additional $title parameter,
+ the Title object of the page being parsed, on which the links will be shown.
+* (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
+ render diffs between two Content objects, and DifferenceEngine::setRevisions()
+ to render diffs between two custom (potentially multi-content) revisions.
+ Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
+* Added a temporary action=mcrundo to the web UI, as the normal undo logic
+ can't yet handle MCR and deadlines are forcing is to put off fixing that.
+ This action should be considered deprecated and should not be used directly.
+* Extensions overriding ContentHandler::getUndoContent() will need to be
+ updated for the changed method signature.
+* Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
+ from user. Unlike the 'UserGetRights' it will ensure that removed rights
+ will not be reinserted.
+* (T197535) Extensions can now specify PHP versions and PHP extensions they
+ depend on.
+
+=== External library changes in 1.32 ===
+
+==== New external libraries ====
+* Added pear/Net_SMTP v1.8.0.
+* Added wikimedia/xmp-reader v0.6.0.
+
+* Added cache/integration-tests v0.16.0 (dev-only).
+* Added giorgiosironi/eris v0.10.0 (dev-only).
+* Added seld/jsonlint v1.7.1 (dev-only).
+
+* Added EasyDeflate (unversioned).
+
+==== Changed external libraries ====
+* Updated OOUI from v0.26.3 to v0.29.2.
+* Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
+* Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
+* Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
+** ScopedCallback objects can no longer be serialized.
+* Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
+* Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
+* oyejorge/less.php replaced with our fork wikimedia/less.php
+* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
+
+* Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
+* Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
+* Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
+
+* Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
+* Updated jquery from v3.2.1 to v3.3.1.
+* Updated jquery.client from v2.0.0 to v2.0.1.
+* Updated jquery.i18n from v1.0.4 to v1.0.5.
+* Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
+* Updated OOjs from v2.2.0 to v2.2.2.
+* Updated qunitjs from v2.4.0 to v2.6.2.
+* Updated sinonjs from v1.17.3 to v1.17.7.
+
+==== Removed external libraries ====
+* pear/mail_mime-decode was removed.
+
+=== Bug fixes in 1.32 ===
+* SpecialPage::execute() will now only call checkLoginSecurityLevel() if
+ getLoginSecurityLevel() returns non-false.
+* (T43720, T46197) Improved page display title handling for category pages
+* (T65080) Fixed resetting options of some types via API action=options.
+
+=== Action API changes in 1.32 ===
+* Added templated parameters.
+ * A module can define a templated parameter like "{fruit}-quantity", where
+ the actual parameters recognized correspond to the values of a multi-valued
+ parameter. Then clients can make requests like
+ "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
+ * action=paraminfo will return templated parameter definitions separately
+ from normal parameters. All parameter definitions now include an "index"
+ key to allow clients to maintain parameter ordering when merging normal and
+ templated parameters.
+* It is now an error to submit too many values for a multi-valued parameter.
+ This has generated a warning since MediaWiki 1.14.
+* Assertion failures from the 'assert' and 'assertuser' parameters will no
+ longer use the action module's custom response format, for the few modules
+ that use custom formatters that handle errors.
+* (T198935) User list preferences such as `email-blacklist` and similar
+ extension preferences are no longer represented as arrays when returned by
+ action=query&meta=userinfo&uiprop=options.
+* 'missingparam' errors will now use the prefixed parameter name in the code
+ and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
+ than "nofoo" and "The 'foo' parameter must be set".
+* action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
+ multi-content revision slots for which content should be returned. It also
+ has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
+ warning will be issued if rvprop=content or rvprop=contentmodel are used
+ without rvslots.
+* The rvcontentformat parameter to action=query&prop=revisions has been
+ deprecated. Clients should be prepared to deal with the default format for
+ relevant models.
+* Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
+ rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
+ rvprop=parsetree is forbidden with the new 'rvslots' parameter.
+* action=query&prop=deletedrevisions, action=query&list=allrevisions, and
+ action=query&list=alldeletedrevisions are changed similarly to
+ &prop=revisions (see the three previous items).
+* (T174032) action=compare now supports multi-content revisions.
+ * It has a 'slots' parameter to select diffing of individual slots. The
+ default behavior is to return one combined diff.
+ * The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
+ 'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
+ are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
+ slots have text supplied and the corresponding templated parameters for
+ each slot.
+ * The behavior of 'fromsection' and 'tosection' of extracting one section's
+ content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
+ instead expand the given text as if for a section edit. This effectively
+ declines T183823 in favor of T185723.
+* (T198214) The 'disabletidy' parameter to action=parse has been
+ deprecated; untidy output will not be supported by future wikitext
+ parsers.
+* Added intestactionsdetail to action=query&prop=info to allow retrieving the
+ reasons an action is not allowed.
+* Deprecated action=query&prop=info inprop=readable in favor of
+ intestactions=read.
+* (T212356) When using action=delete on pages with many revisions, the module
+ may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
+ deletion will be processed via the job queue.
+
+=== Action API internal changes in 1.32 ===
+* Added 'ApiParseMakeOutputPage' hook.
+* Parameter names may no longer contain '{' or '}', as these are now used for
+ templated parameters.
+* (T194950) Added 'ApiMaxLagInfo' hook.
+* The following methods now take a RevisionRecord rather than a Revision. No
+ external callers are known.
+ * ApiFeedContributions::feedItemAuthor()
+ * ApiFeedContributions::feedItemDesc()
+ * ApiQueryRevisionsBase::extractRevisionInfo()
+* The following deprecated methods have been removed:
+ * ApiBase::profileIn() (deprecated in 1.25)
+ * ApiBase::profileOut() (deprecated in 1.25)
+ * ApiBase::safeProfileOut() (deprecated in 1.25)
+ * ApiBase::profileDBIn() (deprecated in 1.25)
+ * ApiBase::profileDBOut() (deprecated in 1.25)
+ * ApiBase::dieUsage() (deprecated in 1.29)
+ * ApiBase::dieUsageMsg() (deprecated in 1.29)
+ * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
+ * ApiBase::getErrorFromStatus() (deprecated in 1.29)
+ * ApiBase::parseMsg() (deprecated in 1.29)
+ * ApiBase::setWarning() (deprecated in 1.29)
+ * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
+ * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
+ * ApiUsageException::getCodeString() (deprecated in 1.29)
+ * ApiUsageException::getMessageArray() (deprecated in 1.29)
+* Class UsageException, deprecated in 1.29, has been removed.
+* ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
+ can now easily test $formatter->getFormat() === 'bc', and then call
+ $formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
+
+=== Languages updated in 1.32 ===
+MediaWiki supports over 350 languages. Many localisations are updated regularly.
+Below only new and removed languages are listed, as well as changes to languages
+because of Phabricator reports.
+
+* (T193566) Added language support for Ambonese Malay (abs).
+* (T194047) Added language support for Shawiya, Latin script (shy-latn).
+* (T195940) Added language support for Batak Mandailing (btm).
+* (T137491) Added language support for Standard Moroccan Amazigh (zgh).
+* (T198132) Added language support for Manipuri (mni).
+* (T201276) Added language support for Western Armenian (hyw).
+* (T201583) Added language support for Mon (mnw).
+
+=== Breaking changes in 1.32 ===
+* $wgRequestTime, deprecated in 1.25, was removed. Use
+ $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
+* The MediaWikiI18N class, deprecated in 1.31, was removed.
+* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
+ Skin::msg() instead.
+* wfInitShellLocale(), deprecated in 1.30, was removed.
+* wfShellExecDisabled(), deprecated in 1.30, was removed.
+* The type string for the parameter $lang of DateFormatter::getInstance,
+ deprecated in 1.31, was removed.
+* The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
+ MediaWiki\Session\Token::SUFFIX instead.
+* EditPage::isOouiEnabled() deprecated in 1.30, was removed.
+* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
+ instead.
+* (T61113) The following methods and constants from the Revision class, which
+ were deprecated in 1.25, have now been removed:
+ * Revision::getRawUser()
+ * Revision::getRawUserText()
+ * Revision::getRawComment()
+* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
+ mw.msg() or mw.message() instead.
+* mw.util.escapeId(), deprecated in 1.30, was removed. Use
+ mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
+* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
+ jquery.accessKeyLabel instead.
+* The SqlDataUpdate class, deprecated in 1.28, has been removed.
+* The Html5Internal and Html5Depurate tidy driver classes were removed, along
+ with the Balancer tidy implementation. Both implementations were experimental,
+ and were replaced by RemexHtml.
+* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
+ removed. Use JobQueueGroup::singleton()->push() instead.
+* The jquery.footHovzer module, for mediawiki.debug, was removed.
+* The es5-shim module, empty and deprecated since 1.29, was removed.
+* the dom-level2-shim module, empty and deprecated since 1.29, was removed.
+* the json module, empty and deprecated since 1.29, was removed.
+* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
+ removed. Use mediawiki.widgets.visibleLengthLimit instead.
+* The jquery.farbtastic module, unused since 1.18, was removed.
+* The 'jquery.expandableField' module, unused since 1.22, was removed.
+* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
+ any HTMLForm object rather than PreferencesForm.
+* The non namespaced TimestampException class, deprecated in 1.29, was removed.
+ Use Wikimedia\Timestamp\TimestampException instead.
+* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
+ utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
+ The UtfNormal\Utils class from the utfnormal library should be used instead.
+* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
+ from the UtfNormal\Constants class from the utfnormal library should be used
+* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
+ only needed for PHP5 compatibility, have been removed. It now uses the boolean
+ values `true` and `false` respectively.
+* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
+ were removed. Use the ParserCache class instead.
+* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
+ instead.
+* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
+ deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
+* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
+ and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
+ is no longer loaded by default. The Vector and MonoBook skins have made a
+ minor change to implement the toggle feature with CSS instead. To restore
+ prior functionality, either explicitly load "jquery.mw-jump" in your skin
+ or refer to T195256 for details on how to make the same change.
+* Hook 'EditPageBeforeEditChecks' was removed;
+ use 'EditPageGetCheckboxesDefinition' instead.
+* Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
+ 1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
+* Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
+ been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
+ instead.
+* mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
+ CapsuleMultiselectWidget. The following methods may no longer be used:
+ * setItemsFromData: Use setValue instead
+ * getItemsData: Use getItems instead and get the data property
+* Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
+ removed. Use addLink() instead.
+* Another two OutputPage methods, setPageTitleActionText() and
+ getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
+ ten years). Use setHTMLTitle() directly.
+* The return value of OutputPage::adaptCdnTTL() has been removed. The
+ value returned was misleading and probably not what any caller would
+ have wanted.
+* All MagicWord static member variables have been removed. Use appropriate
+ hooks or MagicWordFactory methods instead.
+* MagicWord::clearCache() has been removed. Instead, create a new
+ MagicWordFactory, such as by calling
+ resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
+* mw.util.init() has been removed. This function is not needed anymore and was
+ a no-op function since 1.30.
+* SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
+ instead.
+* MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
+ $wgProfiler and $wgEnableProfileInfo.
+* The mw.loader.addSource() is now considered a private method, and no longer
+ supports the `id, url` signature. Use the `Object` parameter instead.
+* The backwards-compatibility code in HTMLForm to add a drop-down control to an
+ option that is not set to be a drop-down if the "mw-chosen" class is present,
+ is now removed.
+* Several collations were removed. They were workarounds for bugs in the ICU
+ library and they are no longer needed (as of ICU 57.1):
+ * 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
+ * 'xx-uca-et' (CollationEt) - use 'uca-et' instead
+ * 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
+* LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
+ that some MediaWiki-specific language codes, such as `simple`, are mapped
+ into valid BCP 47 codes (eg `en-simple`).
+* The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
+ in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
+ The ChangesListSpecialPage code for these legacy hooks, and their use in
+ SpecialRecentchanges.php and SpecialWatchlist, was also removed:
+ * ChangesListSpecialPage->getCustomFilters()
+ * ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
+ * ChangesListSpecialPage::customFilters
+* The global function wfUseMW, deprecated since 1.26, has now been removed. Use
+ the "requires" property of static extension registration instead.
+* $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
+* The MailAddress constructor can no longer be called with a User object,
+ behaviour which has been deprecated since 1.24.
+* LBFactory, deprecated since 1.28, has been removed. Instead, use
+ Wikimedia\Rdbms\LBFactory.
+* The MimeMagic class, deprecated since 1.28 has been removed. Get a
+ MimeAnalyzer instance from MediaWikiServices instead.
+* The '--tidy' option to maintenance/parse.php has been removed. Tidying
+ the output is now the default. Use '--no-tidy' to bypass the tidy
+ phase.
+* The global function wfErrorLog, deprecated since 1.25, has now been removed.
+ Use MWLoggerLegacyLogger::emit or UDPTransport.
+* The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
+ 1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
+ ChangesListSpecialPageQuery.
+* The global function wfUsePHP, deprecated since 1.30, has now been removed. To
+ assert a newer version of PHP than MediaWiki does, use extension registration.
+* The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
+ removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
+* DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
+* File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
+* The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
+ the hook 'SkinEditSectionLinks' instead.
+* The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
+* The global function wfRunHooks, deprecated since 1.25, has now been removed.
+ Use Hooks::run().
+* The hook 'UnknownAction', deprecated since 1.19, has now been removed.
+* The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
+ the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
+* The following deprecated API methods have been removed:
+ * ApiBase::profileIn() (deprecated in 1.25)
+ * ApiBase::profileOut() (deprecated in 1.25)
+ * ApiBase::safeProfileOut() (deprecated in 1.25)
+ * ApiBase::profileDBIn() (deprecated in 1.25)
+ * ApiBase::profileDBOut() (deprecated in 1.25)
+ * ApiBase::dieUsage() (deprecated in 1.29)
+ * ApiBase::dieUsageMsg() (deprecated in 1.29)
+ * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
+ * ApiBase::getErrorFromStatus() (deprecated in 1.29)
+ * ApiBase::parseMsg() (deprecated in 1.29)
+ * ApiBase::setWarning() (deprecated in 1.29)
+ * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
+ * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
+ * ApiUsageException::getCodeString() (deprecated in 1.29)
+ * ApiUsageException::getMessageArray() (deprecated in 1.29)
+* Class UsageException, deprecated in 1.29, has been removed.
+* MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
+ old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
+ been removed, and instead sysadmins will be required to choose one (or more)
+ of the several extensions available for this purpose if they need the
+ functionality. The MediaWiki "tarball" releases have included the replacement
+ extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
+ for many years now. As part of this, several parts of MediaWiki have been
+ removed or simplified:
+ * The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
+ available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
+ hook, it will be shown; extensions should provide a specific user preference
+ to disable themselves as needed.
+ * The public methods Language::getImageFile() and ::getImageFiles(), and the
+ related specification of $imageFiles within individual languages' code file,
+ as well as the referenced static media assets, all of which were only used
+ inside MediaWiki itself for providing the icons for the old toolbar, have
+ been removed without explicit deprecation.
+ * The internal ResourceLoader module "mediawiki.toolbar", which is unused
+ except by MediaWiki itself and back-compatibility code, has been removed.
+ * The internal ResourceLoaderEditToolbarModule class has been removed.
+
+=== Deprecations in 1.32 ===
+* HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
+ button is already marked as progressive.
+* Skin::setupSkinUserCss() is deprecated. Adding of modules to load
+ has been centralised to Skin::getDefaultModules(), which is now capable
+ of queueing style modules as well.
+* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
+ deprecated. Use addModules() instead.
+* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
+ in extending classes is deprecated. Extend related doSearch* methods
+ instead.
+* The following 'mediawiki.api' plugin modules were merged into mediawiki.api
+ and deprecated: mediawiki.api.category, mediawiki.api.edit,
+ mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
+ mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
+ mediawiki.api.messages, and mediawiki.api.rollback.
+* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
+ to use it.
+* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
+ with the 'unwatch' action parameter instead.
+* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
+ constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
+* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
+* The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
+* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
+ of the namespaced classes provided by the wikimedia/xmp-reader library.
+* SearchResultSet::{next,rewind} are deprecated. Calling code should
+ use foreach on the SearchResultSet, or the extractResults method. Extending
+ code should override extractResults.
+* Instantiating SearchResultSet directly is deprecated. SearchEngine
+ implementations must subclass SearchResultSet for their purposes.
+* SearchResult::setExtensionData argument has been changed from accepting an
+ array to accepting a Closure that returns the array when called.
+* Class CryptRand, everything in MWCryptRand except generateHex() and function
+ MediaWikiServices::getCryptRand() are deprecated, use random_bytes() to
+ generate cryptographically secure random byte sequences.
+* Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
+ instead.
+* Language::markNoConversion() is deprecated. It confused readers because
+ it had unexpected behavior (only marking text if it looked like a URL)
+ and was only used in a single place in the code. Use
+ LanguageConverter::markNoConversion() instead.
+* (T197492) Language::truncate() was soft deprecated in 1.31 and is
+ hard deprecated in this release. It has been split into two similar
+ methods, Language::truncateForVisual() and Language::truncateForDatabase(),
+ which measure length in characters and bytes, respectively. Use
+ Language::truncateForVisual() when possible to provide equity to users
+ of multibyte scripts.
+* (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
+ context title is unset is now deprecated; anything creating an EditPage
+ instance should set the context title via ::setContextTitle().
+* The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
+* ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
+ are deprecated. These concepts are obsolete and have no replacement.
+* String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
+* The following methods of OutputPage are now deprecated in favour
+ of using showFatalError directly: OutputPage::showFileDeleteError()
+ OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
+ OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
+* The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
+ classes are now deprecated. Use a Closure instead.
+* (T194263) ContentHandler::makeParserOptions() is deprecated. Use
+ WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
+* (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
+ MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
+ the Parsoid v3 API in May 2015.
+* $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
+ $formDescriptor instead.
+* SearchEngine::transformSearchTerm( $term ) should no longer be called prior
+ to running searchText. This method was mainly implemented to support the
+ 'prefix' URI param in SpecialSearch, but there are no reasons to expose this
+ logic as it should be handled internally by SearchEngine implementations
+ supporting this feature. SearchEngine implementations should no longer
+ override this methods.
+* SearchEngine::replacePrefixes( $query ) should no longer be called prior
+ to running searchText/searchTitle.
+* (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
+ 'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
+* Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
+ use array_filter() directly.
+* The $wgShowSQLErrors global is deprecated and nonfunctional.
+ Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
+* The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
+ Set $wgShowExceptionDetails instead.
+* Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
+ mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
+ mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
+ getOldRevision() / getNewRevision() for the first four (note that the
+ revision ones return a RevisionRecord, not a Revision), do your own lookup
+ for page/content.
+* The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
+ just enable the PHP extension, and it will be autodetected.
+* (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
+ setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
+ are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
+ subclass it to customize diff rendering); to diff custom (e.g. unsaved)
+ content, use setRevisions(). Subclassing DifferenceEngine should only be done
+ to customize page-level diff properties (such as the navigation header).
+* The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
+* All MagicWord static methods are now deprecated. Use the MagicWordFactory
+ methods instead.
+* PasswordFactory::init is deprecated. To get a password factory with the
+ standard configuration, use MediaWikiServices::getPasswordFactory.
+* $wgContLang is deprecated, use MediaWikiServices::getContentLanguage()
+ instead.
+* $wgParser is deprecated, use MediaWikiServices::getParser() instead.
+* wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
+ instead.
+* wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
+* All SpecialPageFactory static methods are deprecated. Instead, call the
+ methods on a SpecialPageFactory instance, which may be obtained from
+ MediaWikiServices.
+* mw.user.stickyRandomId was renamed to the more explicit
+ mw.user.getPageviewToken to better capture its function.
+* Passing Revision objects to ContentHandler::getUndoContent() is deprecated,
+ Content object should be passed instead.
+* (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
+ previously used by OOUI HTMLForm fields, are now deprecated. Use
+ 'help', 'help-message', 'help-messages' instead.
+* (T197179) HTMLFormField::getNotices() is now deprecated.
+* The jquery.localize module is now deprecated. Use jquery.i18n instead.
+* The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
+ or overriding ContentHandler::getSecondaryDataUpdates (T194038).
+* The WikiPageDeletionUpdates hook was deprecated in favor of
+ PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
+ (T194038).
+* Content::getSecondaryDataUpdates has been deprecated in favor of
+ ContentHandler::getSecondaryDataUpdates() for overriding by extensions
+ (T194038).
+ Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
+* Content::getDeletionUpdates has been deprecated in favor of
+ ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
+ Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
+* (T198214) Old Tidy-related configuration settings, which were soft-deprecated
+ in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
+ $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
+ $wgTidyConfig instead.
+* All Tidy configurations other than Remex have been hard deprecated;
+ future parsers will not emit compatible output for these configurations.
+ In particular, running MediaWiki with tidy disabled has been deprecated.
+* (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
+ and OutputPage::addWikiTextTitle() have been deprecated, since they
+ can result in untidy output. In addition OutputPage::addWikiTextTidy()
+ and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new
+ methods consistent. Use OutputPage::addWikiTextAsInterface() or
+ OutputPage::addWikiTextAsContent() instead, which ensures the output is
+ tidy and clarifies whether content-language specific postprocessing should
+ be done on the text.
+* OutputPage::parse() and OutputPage::parseInline() have been deprecated
+ due to untidy output and inconsistent handling of wrapper divs and
+ interface/content language defaults. Use OutputPage::parseAsContent(),
+ OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
+ as appropriate.
+* QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
+ as they promote bad practises. I18n messages should always be properly
+ escaped.
+* Skin::getDynamicStylesheetQuery() has been deprecated. It always
+ returns action=raw&ctype=text/css which callers should use directly.
+* Class LegacyFormatter is deprecated.
+* Use of CommentStore::insertWithTempTable() with 'img_description' is
+ deprecated. Use CommentStore::insert() instead.
+* Language::setCode is deprecated as public function. Use Language::factory
+ to create a new Language object with a different language code.
+* Several classes have been moved from the MediaWiki\Storage\ namespace to the
+ MediaWiki\Revision\ namespace. The old class names are aliased for
+ compatibility, but are deprecated. Classes are IncompleteRevisionException,
+ MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
+ RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
+ RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
+ SuppressedDataException.
+* When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
+ option, it is now deprecated to give its contents (the 'default' option)
+ as a string. They should be given as a OOUI\FieldLayout object instead.
+ Notably, this affects fields defined in the 'GetPreferences' hook, because
+ Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
+* In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
+ deprecated. For the $lang parameter, types other than Language are
+ deprecated.
+* The $wgUseKeyHeader configuration option and the
+ OutputPage::getKeyHeader() method have been deprecated; the relevant
+ draft IETF spec expired without becoming a standard.
+* Deprecated API action=query&prop=info inprop=readable in favor of
+ intestactions=read.
+
+=== Other changes in 1.32 ===
+* (T198811) The following tables have had their UNIQUE indexes turned into
+ proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
+ protected_titles and site_identifiers.
+* OOUI HTMLForm will now display help text inline after the input field,
+ rather than in a popup. Previous behavior can be restored by using
+ `'help-inline' => false`.
+* The archive table's ar_rev_id field is now unique.
+* Special:BotPasswords now requires reauthentication.
+* (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
+ storage layer and have basic support for display. No user interface exists
+ yet for creating or managing content in slots beides the main slot. See
+ <https://www.mediawiki.org/wiki/Multi-Content_Revisions> for more
+ information.
+* The image_comment_temp database table has been removed. Since all access
+ should be mediated by the CommentStore class, this change shouldn't affect
+ external code.
+* (T206147) Database::close() will no longer commit any open transactions.
+* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
+ recentchanges.rc_cur_time from the PostgreSQL schema.
= MediaWiki 1.31 =
+== MediaWiki 1.31.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.31 branch.
+
+=== Changes since MediaWiki 1.31.0 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
+* (T197229) Bundle Nuke extension, it was accidentally omitted.
+* (T193995) Fix undefined patchPath() method call in parser tests.
+* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
+* Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T193829) Indicate when a Bot Password needs reset.
+* (T198037) GitInfo: Don't try shelling out if it's disabled.
+* (T151415) Log email changes.
+* (T197206) Fix performance regression when multiple DB used without caching.
+* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
+* (T182377, T196793) Exif: Guard against uncountable tag values.
+* (T200861) Fix total breakage of SQLite web upgrade.
+* (T200864) Fix pingback over-reporting on non-MySQL databases
+* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
+ hooks.
+
== MediaWiki 1.31.0 ==
=== Changes since MediaWiki 1.31.0-rc.2 ===
= MediaWiki 1.30 =
+== MediaWiki 1.30.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.30 branch.
+
+=== Changes since MediaWiki 1.30.0 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
+* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
+* (T189567) the CLI installer (maintenance/install.php) learned to detect and
+ include extensions. Pass --with-extensions to enable that feature.
+* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
+* (T167507) selenium: Run Chrome headlessly.
+* selenium: Pass -no-sandbox to Chrome under Docker.
+* (T179190) selenium: Move logic for running tests from package.json to selenium.sh
+* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
+* Add default edit rate limit of 90 edits/minute for all users.
+* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
+* oojs/oojs-ui updated to remove an unnecessary dependancy.
+* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
+* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
+* (T196672) The mtime of extension.json files is now able to be zero
+* (T180403) Validate $length in padleft/padright parser functions.
+* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
+* (T193995) Fix undefined patchPath() method call in parser tests.
+* Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T193829) Indicate when a Bot Password needs reset.
+* (T151415) Log email changes.
+* (T200861) Fix total breakage of SQLite web upgrade.
+* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
+ hooks.
+* (T190539) Explicitly require Postgres 9.1.
+* (T118420) Unbreak Oracle installer.
+
== MediaWiki 1.30.0 ==
=== Changes since MediaWiki 1.30.0-rc.0 ===
= MediaWiki 1.29 =
+== MediaWiki 1.29.3 ==
+
+This is a security and maintenance release of the MediaWiki 1.29 branch.
+
+=== Changes since 1.29.2 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T180551) Fix LanguageSrTest for language converter
+* (T180552) Fix langauge converter parser test with self-close tags
+* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
+* (T180485) InputBox: Have inputbox langconvert certain attributes
+* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
+* (T172927) Drop vendor from MW release branch
+* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
+* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
+* (T189567) the CLI installer (maintenance/install.php) learned to detect and
+ include extensions. Pass --with-extensions to enable that feature.
+* (T182381) Mask deprecated call in WatchedItemUnitTest
+* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
+* The karma qunit tests would fail on some configuration due to headers already
+ sent. Check headers_sent() before sending cpPosTime headers
+* (T167507) selenium: Run Chrome headlessly.
+* selenium: Pass -no-sandbox to Chrome under Docker
+* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
+* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
+ fails under SQLite.
+* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
+* (T179190) selenium: Move test running logic from package.json to selenium.sh.
+* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
+* Add default edit rate limit of 90 edits/minute for all users.
+* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
+* (T196672) The mtime of extension.json files is now able to be zero
+* (T180403) Validate $length in padleft/padright parser functions.
+* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
+* (T194237) Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
+* (T193829) Indicate when a Bot Password needs reset.
+* (T151415) Log email changes.
+* (T118420) Unbreak Oracle installer.
+
== MediaWiki 1.29.2 ==
This is a security and maintenance release of the MediaWiki 1.29 branch.
= MediaWiki 1.27 =
+== MediaWiki 1.27.5 ==
+
+This is a security and maintenance release of the MediaWiki 1.27 branch.
+
+=== Changes since 1.27.4 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* Upgraded Moment.js from v2.8.4 to v2.19.3.
+* (T160298) Fixed Special:ActiveUsers due to bad backport.
+* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
+* Updated list of SPDX licenses for extensions.
+* (T189567) the CLI installer (maintenance/install.php) learned to detect and
+ include extensions. Pass --with-extensions to enable that feature.
+* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
+* Add default edit rate limit of 90 edits/minute for all users.
+* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
+* (T196672) The mtime of extension.json files is now able to be zero.
+* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
+* (T180403) Validate $length in padleft/padright parser functions.
+* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
+* Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T193829) Indicate when a Bot Password needs reset.
+* (T151415) Log email changes.
+* (T118420) Unbreak Oracle installer.
+
== MediaWiki 1.27.4 ==
This is a security and maintenance release of the MediaWiki 1.27 branch.
=== Changes since 1.22.9 ===
* (bug 64970) Fix support for blobs on DatabaseOracle::update
-* (bug 60719) In MediaWiki 1.22, the job queue execution on each page request was changed (Gerrit change 59797) so, instead of executing the job inside the same PHP process that's rendering the page, a new PHP cli command is spawned to execute runJobs.php in the background. It will only work if $wgPhpCli is set to an actual path or safe mode is off, otherwise, the old method will be used. https://www.mediawiki.org/wiki/Manual:Job_queue#Changes_introduced_in_MediaWiki_1.22 for more infomation. This change was in earlier releases of 1.22 but was not noted here until now.
+* (bug 60719) In MediaWiki 1.22, the job queue execution on each page request was changed (Gerrit change 59797) so, instead of executing the job inside the same PHP process that's rendering the page, a new PHP cli command is spawned to execute runJobs.php in the background. It will only work if $wgPhpCli is set to an actual path or safe mode is off, otherwise, the old method will be used. https://www.mediawiki.org/wiki/Manual:Job_queue#Changes_introduced_in_MediaWiki_1.22 for more information. This change was in earlier releases of 1.22 but was not noted here until now.
== MediaWiki 1.22.9 ==
This is a security and maintenance release of the MediaWiki 1.22 branch.
* Localisation updates from http://translatewiki.net.
* mwdocgen.php: Implement --version option.
* Remove svnstat stuff used in Doxygen generation
-* (bug 43594) Correctly supress warnings that were missed after the upstream
+* (bug 43594) Correctly suppress warnings that were missed after the upstream
* PHP change to E_STRICT being included in E_ALL.
== MediaWiki 1.20.4 ==
== MediaWiki 1.16 ==
+== MediaWiki 1.16.5 ==
+=== Changes since 1.16.4 ===
+
+* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third
+ attempt at fixing bug 28235.
+* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin
+ is enabled.
+
+== MediaWiki 1.16.4 ==
+=== Changes since 1.16.3 ===
+
+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
+ clients) was not actually sufficient to fix that bug. This release contains
+ a second attempt, hopefully we have fixed it this time.
+
+== MediaWiki 1.16.3 ==
+=== Changes since 1.16.2 ===
+
+* (bug 28449) Fixed permissions checks in Special:Import which allowed users
+ without the 'import' permission to import pages from the configured import
+ sources.
+* (bug 28235) Fixed XSS affecting IE 6 and earlier clients only, due to those
+ browsers looking for a file extension in the query string of the URL, and
+ ignoring the Content-Type header if one is found.
+* (bug 28450) Fixed a CSS validation issue involving escaped comments, which
+ led to XSS for Internet Explorer clients and privacy loss for other clients.
+
+== MediaWiki 1.16.2 ==
+=== Changes since 1.16.1 ===
+
+* (bug 26642) Fixed incorrect translated namespace due to a regression in the
+ language converter.
+* The interface translations were updated.
+* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
+* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability.
+ Affects Windows servers only. A malicious file with extension ".php" must
+ exist on the server for the exploit to be effective.
+
+== MediaWiki 1.16.1 ==
+=== Changes since 1.16.0 ===
+
+* (bug 24981) Allow extensions to access SpecialUpload variables again
+* (bug 24724) list=allusers was out by 1 (shows total users - 1)
+* (bug 24166) Fixed API error when using rvprop=tags
+* For wikis using French as a content language, Special:Téléchargement works
+ again as an alias for Special:Upload.
+* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
+* (bug 25248) Fixed paraminfo errors in certain API modules.
+* The installer now has improved handling for situations where safe_mode is
+ active or exec() and similar functions are disabled.
+* (bug 19593) Specifying --server in now works for all maintenance scripts.
+* Fixed $wgLicenseTerms register globals.
+* (bug 26561) Fixed clickjacking vulnerabilities by introducing support for
+ X-Frame-Options. The header value can be configured using $wgBreakFrames and
+ $wgEditPageFrameOptions.
+
+== MediaWiki 1.16.0 ==
+=== Changes since 1.16 beta 3 ===
+
+* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in
+ 1.16 beta 1, but is currently poorly supported by browsers.
+* (bug 23175) Re-added window.ta variable for backwards compatibility.
+* (bug 23264) Fixed breakage of various command line scripts due to extra line
+ endings being inserted by Maintenance::output().
+* Fixed HTTP client functionality with safe_mode=On.
+* Fixed parser tests broken in 1.16 beta 3.
+* For Oracle DB backend: fixed parser tests and table prefix feature.
+* (bug 23767) Fixed PHP warning when REQUEST_URI is blank (IIS issue).
+* Fixed plural function for Northern Sami (se)
+* (bug 23597) Fixed conflicts between ID attributes in the Vector skin and
+ parser-generated heading IDs. Renamed head, panel, head-base and page-base.
+* Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet.
+* (bug 23465) Don't ignore the predefined destination filename on
+ Special:Upload after following a red link to a file.
+* In SQLite full-text search feature: fixed "move page" feature, was non-
+ functional.
+* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect
+ user privacy in the case where an attacker can access the wiki through the
+ same HTTP proxy as a logged-in user.
+* Fixed an XSS vulnerability in profileinfo.php for installations with
+ $wgEnableProfileInfo = true (false by default)
+* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being
+ false. Fixed a minor header parsing issue when $wgUseXVO = true.
+* Fixed a register_globals arbitrary inclusion vulnerability in
+ MediaWikiParserTest.php, introduced in 1.16 beta 1.
+
+=== Changes since 1.16 beta 2 ===
+
+* Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of
+ invalid usernames.
+* Fixed sorting in [[Special:Allmessages]]
+* (bug 23113) Fixed title in the show/hide links on diff pages
+* (bug 23117) Fixed API rollback, was returning "badtoken" for valid requests
+* (bug 23127) Re-added missing $1 parameter to the uploadtext message
+* Fixed a bug in the Vector skin where personal tools display behind the logo
+* (bug 23139) Fixed a bug in edit conflict resolution, where both textboxes
+ showed the same text.
+* (bug 23115, bug 23124) Fixed various problems with <title> and <h1> elements
+ in page views and previews when the language converter is enabled.
+* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image
+ scaling, which was introduced in 1.16 beta 1.
+* Improved error checking on installer.
+* (bug 22970) Fixed a JavaScript error in the upload destination conflict
+ check.
+* (bug 23167) Check the watch checkbox by default if the watchcreations
+ preference is set.
+* (bug 23171) Improve IE6 version check to avoid false positives.
+* (bug 23176) Fixed upload warning override feature "upload new version",
+ broken in 1.16 beta 1.
+* Fixed regression in unwatch links sent out in notification emails. When the
+ mailing job was deferred via the job queue, the title was incorrect.
+* (bug 23534) Fixed SQL query error in API list=allusers.
+* Fixed a bug in uploads for non-JavaScript clients. An empty string was used
+ as the default destination filename, instead of the source filename as
+ expected.
+* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
+ account" and "create by e-mail" features of [[Special:Userlogin]]
+* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+* Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick
+ expanded wildcard characters "?" and "*" in image filenames, potentially
+ causing large numbers of images to be scaled in response to a single request.
+ The fix for this involves breaking the scaling of such image filenames until
+ ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details.
+* (bug 23608) Fixed invalid HTML in diff pages.
+
+=== Changes since 1.16 beta 1 ===
+
+* Fixed errors in maintenance/patchSql.php
+* (bug 19627) Fix regression from r57867 where HTMLForm would output
+ <element classes="foo bar"> rather than <element class="foo bar">
+* Fixed broken "-r" option to maintenance/lag.php
+* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
+ be submitted along with the user name and password.
+
=== Configuration changes in 1.16 ===
* (bug 18222) $wgMinimalPasswordLength default is now 1
== MediaWiki 1.15 ==
+== MediaWiki 1.15.5 ==
+=== Changes since 1.15.4 ===
+
+* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect
+ user privacy in the case where an attacker can access the wiki through the
+ same HTTP proxy as a logged-in user.
+* Fixed a minor cookie header parsing issue causing incorrect Cache-Control
+ headers to be sent.
+* Fixed an XSS vulnerability in profileinfo.php for installations with
+ $wgEnableProfileInfo = true (false by default)
+* For backwards compatibility with extensions from 1.14.x or before, restored
+ the original function ApiMain::requestWriteMode().
+* In API login "need token" responses, added the cookieprefix and sessionid
+ fields, as in MediaWiki 1.16.x. This is an improvement to the CSRF fix
+ introduced in 1.15.3.
+
+== MediaWiki 1.15.4 ==
+=== Changes since 1.15.3 ===
+
+* (bug 23534) Fixed SQL query error in API list=allusers.
+* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
+ account" and "create by e-mail" features of [[Special:Userlogin]]
+* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+
+== MediaWiki 1.15.3 ==
+=== Changes since 1.15.2 ===
+
+* (bug 22828) Fixed deletion on SQLite.
+* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
+ be submitted along with the user name and password.
+
+== MediaWiki 1.15.2 ==
+=== Changes since 1.15.1 ===
+
+* The installer now includes a check for a data corruption issue with certain
+ versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug
+ present in the official release of PHP 5.3.1.
+* (bug 20239) MediaWiki:Imagemaxsize does not contain anymore a <br /> tag which
+ was displayed to the user
+* (bug 21150) SQLite no longer raise an error when deleting files
+* (bug 20880) Fixed updater failure on SQLite backend
+* upgrade1_5.php now requires to be run --update option to prevent confusion
+* Fixed a CSS validation issue which allowed external images to be included
+ into wikis where that is disallowed by configuration.
+* Fixed a data leakage vulnerability for private wikis using img_auth.php or
+ similar image access authentication schemes. Check user permissions before
+ streaming out scaled images from thumb.php.
+
+== MediaWiki 1.15.1 ==
+=== Changes since 1.15.0 ===
+* Fixed fatal errors for unusual file repository configurations, such as
+ ForeignAPIRepo.
+* Fixed the "change password" link on Special:Preferences to have the correct
+ returnto parameter.
+* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block
+
+== MediaWiki 1.15.0 ==
+=== Changes since 1.15.0rc1 ===
+
+* Removed category redirect feature, implementation was incomplete.
+* (bug 18846) Remove update_password_format(), unnecessary, destroys all
+ passwords if a wiki with $wgPasswordSalt=false is upgraded with the web
+ installer.
+* (bug 19127) Documentation warning for PostgreSQL users who run update.php:
+ use the same user in AdminSettings.php as in LocalSettings.php.
+* Fixed possible web invocation of some maintenance scripts, due to the use of
+ include() instead of require(). A full exploit would require a very strange
+ web server configuration.
+* Localisation updates.
+
=== Configuration changes in 1.15 ===
* Added $wgNewPasswordExpiry, to specify an expiry time (in seconds) to
== MediaWiki 1.14 ==
+== MediaWiki 1.14.1 ==
+=== Changes since 1.14.0 ===
+
+* (bug 17737) Fixed russian URLs for Special:BookSources
+* (bug 17713) Using links with only an anchor no longer add an dummy entry in
+ the pagelinks table
+* (bug 17897) Fixed string offset error in <pre> tags
+* (bug 17832) Fixed action=delete returning 'unknownerror' instead of
+ 'permissiondenied' when the user is blocked
+* Fixed performance regression when accessing deleted (archived) files
+* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block
+
+== MediaWiki 1.14.0 ==
+=== Changes since 1.14.0rc1 ===
+
+* Fixed the performance of the backlinks API module
+* (bug 17420) Send the correct content type from action=raw when the HTML file
+ cache is enabled.
+* (bug 17437) Fixed incorrect link to web-based installer
+* (bug 17527) Fixed missing MySQL-specific options in installer
+
=== Configuration changes in 1.14 ===
* $wgExemptFromUserRobotsControl is an array of namespaces to be exempt from
* (bug 11082) Fix check for fully-specced table names in Database::tableName
* (bug 11067) Fix regression in upload conflict thumbnail display
* (bug 10985) Resolved cached entries on Special:DoubleRedirects were being
- supressed, breaking paging - now strikes out "fixed" results
+ suppressed, breaking paging - now strikes out "fixed" results
* (bug 8393) <sup> and <sub> need to be preserved (without attributes) for
entries in the table of contents
* (bug 11114) Fix regression in read-only mode error display during editing
* (bug 1241) Don't show 'cont.' for first entry of the category list
* (bug 1240) Special:Preferences was broken in Slovenian locale when
$wgUseDynamicDates is enabled
-* Added magic word MAG_NOCONTENTCONVERT to supress the conversion of the
+* Added magic word MAG_NOCONTENTCONVERT to suppress the conversion of the
content of an article. Useful in zh:
* write-lock for updating the zh conversion tables in memcache
* recursively parse subpages of MediaWiki:Zhconversiontable
dépôts / lhc / web / wiklou.git / blobdiff