= MediaWiki 1.34 =
-== MediaWiki 1.34.0-PRERELEASE ==
-
-THIS IS NOT A RELEASE YET
-
-MediaWiki 1.34 is an alpha-quality development branch, and is not recommended
-for use in production.
+== MediaWiki 1.34.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.34 branch.
+
+=== Changes since MediaWiki 1.34.0 ===
+* (T211450) User: better error message when getActorId fails.
+* (T241340) Don't redefine MW_ENTRY_POINT in thumb.php if already defined.
+* (T236444) User: Allow newSystemUser() to create over anonymous actors.
+* (T238483) Fix NewPagesPager "hide registered users" option.
+* (T245072) mediawiki.language: Rename languageData back to languageNames.
+* Use proper SemVer comparison in CheckComposerLockUpToDate.
+* (T212738) Add the MW_VERSION constant, global $wgVersion is soft deprecated.
+* (T246127) Fix error when initialising updateCollation.php.
+* Update comment about PHP versions supported by The PHP Group.
+* (T247215) Fix output of RecountCategories::doWork().
+* Add check for page existence to view.php maintenance script.
+* (T245149) Fix fetching login token from action=query&meta=tokens on private
+ wikis.
+* (T236509) SECURITY: Fix HTML escaping in UserGroupMembership::getLink().
+* (T232932) SECURITY: User content can redirect the logout button to different
+ URL.
+* (T246602) SECURITY: jquery.makeCollapsible allows applying event handler to
+ any CSS selector.
+
+== MediaWiki 1.34.0 ==
+
+=== Changes since MediaWiki 1.34.0-rc.1 ===
+* $wgDiffEngine (T237049) – This configuration can be used to specify which
+ difference engine to use. MediaWiki continues to default to automatically
+ choosing the first of $wgExternalDiffEngine, wikidiff2, or php that is
+ usable.
+* (T231866) SqlBlobStore no longer needs Language object.
+* (T236735) WikiExporter: Remove unnecessary check for SCHEMA_COMPAT_WRITE_OLD
+ flag.
+* (T231673) Set MCR migration stage to SCHEMA_COMPAT_NEW.
+* (T229601) Make sure DBLoadBalancerFactory service is not disabled.
+* (T232866) Fix support for HTTP/2 in MultiHttpClient.
+* (T231866) LocalisationCache: Don't instantiate ResourceLoader.
+* (T227461) Stop calling deprecated Redis delete functions.
+* (T239561) Mark options as requiring parameters in addSite.php.
+* (T232866) Mimic CURLOPT_POST in GuzzleHttpRequest.
+* (T239734) Replace deprecated lSize with lLen in Redis code.
+* (T192134) SECURITY: Do not allow user scripts on Special:PasswordReset.
+* (T239428) ApiEditPage: Test for bad redirect targets.
+* (T233342) rdbms: Log debug message traces as 'exception.trace' instead of
+ 'trace'.
+* (T226751) media: Log and fail gracefully on invalid EXIF coordinates.
+* (T240924) NewPagesPager: Fix namespace query conditions.
+* (T212067) Tests for an old PHP bug in parse_url.
+
+== MediaWiki 1.34.0-rc.1 ==
+
+=== Changes since MediaWiki 1.34.0-rc.0 ===
+* (T231742) rdbms: Restore debug toolbar "Queries" feature.
+* (T231366) The ProfilerOutputDb class, 'profiling' table, and profileinfo.php
+ entry point had been deprecated.
+* (T234361) localisation: Add debug message for backend of MessageCache.
+* (T234361) session: Add debug message for the used store class.
+* (T235559) Fix example Kask configuration in RESTBagOStuff class comment.
+* (T235137) Don't apply styling for Special:Contributions on other pages.
+* Upgrade mediawiki-codesniffer from 26.0.0 to 28.0.0 (dev-only).
+* (T219604) The "jquery.ui.*" and "jquery.effects.*" modules are now
+ deprecated as aliases for the "jquery.ui" module.
+* (T235392) Deprecate setting Parser::mTitle to null.
+* Supporting commits for T235392 were also backported to prevent divergence
+ from master (MediaWiki 1.35).
+* (T234581) The 'jquery.tabIndex' module is deprecated.
+* Fix docs for GetUserBlock hooks.
+* Parser: Hard deprecate getConverterLanguage.
+* (T236810) A number of public methods of Parser were exposed only for
+ historical reasons and have been deprecated: doMagicLinks,
+ doDoubleUnderscore, doHeadings, doAllQuotes, replaceExternalLinks,
+ replaceInternalLinks, replaceInternalLinks2, getVariableValue,
+ initialiseVariables, formatHeadings, testPst, testPreprocess, testSrvus,
+ areSubpagesAllowed, maybeDoSubpageLink, splitWhitespace, createAssocArgs,
+ armorLinks, makeKnownLinkHolder, getImageParams, parseLinkParameter,
+ stripAltText, replaceLinkHolders, replaceLinkHoldersText, armorLinks,
+ makeKnownLinkHolder, getImageParams, parseLinkParameter, stripAltText.
+* (T30798) $wgServer must now always be set in LocalSettings.php. This is most
+ likely the case already for any wiki installed after 1.18. The autodetection
+ system was informally deprecated since 1.18 and vulnerable to cache poisoning
+ attacks. Older wikis may need to update their LocalSettings.php file.
+* (T232169) Hard deprecate $wgSysopEmailBans.
+* (T236628) Fix for ArticleRevisionViewCustom hook in DifferenceEngine.php.
+* (T181658) Do not insert page titles into querycache.qc_value.
+* ParamValidator has been flagged as unstable.
+* Hard deprecate Parser::disableCache().
+
+== MediaWiki 1.34.0-rc.0 ==
== Upgrading notes for 1.34 ==
1.34 has several database changes since 1.33, and will not work without schema
Some specific notes for MediaWiki 1.34 upgrades are below:
-* …
+* MediaWiki now requires PHP 7.2.9 or above.
+* MediaWiki no longer supports HHVM.
For notes on 1.33.x and older releases, see HISTORY.
=== Configuration changes for system administrators in 1.34 ===
+In an effort to enforce best practices for passwords, MediaWiki will now warn
+users, and suggest that they change their password, if it is in the list of
+100,000 commonly used passwords that are considered bad passwords. If you want
+to disable this for your users, please add the following to your local settings:
+
+$wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false;
+
==== New configuration ====
* $wgAllowExternalReqID (T201409) - This configuration setting controls whether
Mediawiki accepts the request ID set by the incoming request via the
redirects in their userspace unless the target of the redirect is also in
their userspace. By default, this right is given to everyone.
* (T226733) Add rate limiter to Special:ConfirmEmail.
+* $wgDiffEngine (T237049) – This configuration can be used to specify which
+ difference engine to use. MediaWiki continues to default to automatically
+ choosing the first of $wgExternalDiffEngine, wikidiff2, or php that is
+ usable.
==== Changed configuration ====
* $wgUseCdn, $wgCdnServers, $wgCdnServersNoPurge, and $wgCdnMaxAge – These four
containing some HTML markup in metadata. As a result, the $wgAllowTitlesInSVG
setting is no longer applied and is now always true. Note that MSIE 7 may
still be able to misinterpret certain malformed PNG files as HTML.
+* (T30798) $wgServer must now always be set in LocalSettings.php. This is most
+ likely the case already for any wiki installed after 1.18. The autodetection
+ system was informally deprecated since 1.18 and vulnerable to cache poisoning
+ attacks. Older wikis may need to update their LocalSettings.php file.
* Introduced $wgVerifyMimeTypeIE to allow disabling the MSIE 6/7 file type
detection heuristic on upload, which is more conservative than the checks
that were changed above.
+* $wgExternalDiffEngine — Setting this to a string value of 'wikidiff',
+ 'wikidiff2', or 'wikidiff3' will no longer work. This legacy behaviour was
+ deprecated in MediaWiki 1.27, 1.32, and 1.27, respectively.
* $wgSkipSkin — Setting this instead of $wgSkipSkins, deprecated in 1.23, is now
hard-deprecated.
* $wgLocalInterwiki — Setting this instead of $wgLocalInterwikis, deprecated in
which was deprecated in 1.30, no longer works. Instead, $wgProxyList should be
an array with IP addresses as the values, or a string path to a file
containing one IP address per line.
-* …
+* $wgCookieSetOnAutoblock and $wgCookieSetOnIpBlock are now enabled by default.
==== Removed configuration ====
* $wgWikiDiff2MovedParagraphDetectionCutoff — If you still want a custom change
size threshold, please specify in php.ini, using the configuration variable
wikidiff2.moved_paragraph_detection_cutoff.
+* $wgUseESI - This experimental setting, deprecated in 1.33, is now removed.
* $wgDebugPrintHttpHeaders - The default of including HTTP headers in the
debug log channel is no longer configurable. The debug log itself remains
configurable via $wgDebugLogFile.
* $wgDBOracleDRCP - If you must use persistent connections, set DBO_PERSISTENT
in the 'flags' field for servers in $wgDBServers (or $wgLBFactoryConf).
* $wgMemCachedDebug - Set the cache "debug" field in $wgObjectCaches instead.
+* $wgActorTableSchemaMigrationStage has been removed. Extension code for
+ MediaWiki 1.31+ finding it unset should treat it as being SCHEMA_COMPAT_NEW.
=== New user-facing features in 1.34 ===
* Special:Mute has been added as a quick way for users to block unwanted emails
GetBlockedStatus.
* ObjectFactory is available as a service. When used as a service, the object
specs can now specify needed DI services.
+* (T222388) Special pages can now be specified as an ObjectFactory spec,
+ allowing the construction of special pages that require services to be
+ injected in their constructor.
+* (T222388) API modules can now be specified as an ObjectFactory spec,
+ allowing the construction of modules that require services to be injected
+ in their constructor.
+* (T117736) The function signature of SpecialContributions::getForm::filters
+ has changed. It now expects definitions of additional filter fields as array
+ rather than string.
=== External library changes in 1.34 ===
-==== New external libraries ====
-* …
-
==== Changed external libraries ====
* Updated Mustache from 1.0.0 to v3.0.1.
-* Updated OOUI from v0.31.3 to v0.33.4.
+* Updated OOUI from v0.31.3 to v0.34.0.
+* Updated OOjs from v2.2.2 to v3.0.0.
* Updated composer/semver from 1.4.2 to 1.5.0.
* Updated composer/spdx-licenses from 1.4.0 to 1.5.1 (dev-only).
-* Updated mediawiki/codesniffer from 25.0.0 to 26.0.0 (dev-only).
+* Updated mediawiki/codesniffer from 25.0.0 to 28.0.0 (dev-only).
* Updated cssjanus/cssjanus from 1.2.1 to 1.3.0.
* Updated wikimedia/at-ease from 1.2.0 to 2.0.0.
-* Updated wikimedia/remex-html from 2.0.1 to 2.0.3.
+* Updated wikimedia/remex-html from 2.0.1 to 2.1.0.
* Updated monolog/monolog from 1.22.1 to 1.24.0 (dev-only).
* Updated wikimedia/object-factory from 1.0.0 to 2.1.0.
* Updated wikimedia/timestamp from 2.2.0 to 3.0.0.
* Updated wikimedia/xmp-reader from 0.6.2 to 0.6.3.
* Updated mediawiki/mediawiki-phan-config from 0.6.0 to 0.6.1 (dev-only).
-* …
+* Updated wikimedia/avro from 1.8.0 to 1.9.0 (dev-only).
==== Removed external libraries ====
* The jquery.async module, deprecated in 1.33, was removed.
-* …
=== Bug fixes in 1.34 ===
* (T222529) If a log entry or page revision is recorded in the database with an
=== Action API changes in 1.34 ===
* The 'recenteditcount' response property from action=query list=allusers,
deprecated in 1.25, has been removed.
+* (T60993) action=query list=filearchive, list=alldeletedrevisions and
+ prop=deletedrevisions no longer require the 'deletedhistory' user right.
+* In the response to queries that use 'prop=imageinfo', entries for
+ non-existing files (indicated by the 'filemissing' field) now omit the
+ following fields, since they are meaningless in this context:
+ 'timestamp', 'userhidden', 'user', 'userid', 'anon', 'size', 'width',
+ 'height', 'pagecount', 'duration', 'commenthidden', 'parsedcomment',
+ 'comment', 'thumburl', 'thumbwidth', 'thumbheight', 'thumbmime',
+ 'thumberror', 'url', 'sha1', 'metadata', 'extmetadata', 'commonmetadata',
+ 'mime', 'mediadtype', 'bitdepth'.
+ Clients that process these fields should first check if 'filemissing' is
+ set. Fields that are supported even if the file is missing include:
+ 'canonicaltitle', 'archivename' (deleted files only), 'descriptionurl',
+ 'descriptionshorturl'.
+* The 'blockexpiry' result property in list=users and list=allusers will now be
+ returned in the same format used by the rest of the API: ISO 8601 for
+ expiring blocks, and "infinite" for non-expiring blocks.
=== Action API internal changes in 1.34 ===
-* …
+* The exception thrown in ApiModuleManager::getModule has been changed
+ from an MWException to an UnexpectedValueException, thrown by ObjectFactory.
+ ApiModuleManager::getModule now also throws InvalidArgumentExceptions when
+ ObjectFactory is presented with an invalid spec or incorrectly constructed
+ objects.
+* Added ApiQueryBlockInfoTrait.
=== Languages updated in 1.34 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
* CryptRand class
* CryptRand service
* Functions of the MWCryptRand class: singleton(), wasStrong() and generate().
+* Various Special Page PHP Classes were renamed (mostly casing changes):
+ * SpecialAncientpages => SpecialAncientPages
+ * SpecialConfirmemail => SpecialConfirmEmail
+ * SpecialDeadendpages => SpecialDeadendPages
+ * SpecialFewestrevisions => SpecialFewestRevisions
+ * SpecialListredirects => SpecialListRedirects
+ * SpecialLonelypages => SpecialLonelyPages
+ * SpecialLongpages => SpecialLongPages
+ * SpecialMIMEsearch => SpecialMIMESearch
+ * SpecialMostcategories => SpecialMostCategories
+ * SpecialMostinterwikis => SpecialMostInterwikis
+ * SpecialMostlinked => SpecialMostLinked
+ * SpecialMostlinkedcategories => SpecialMostLinkedCategories
+ * SpecialMostlinkedtemplates => SpecialMostLinkedTemplates
+ * SpecialMostrevisions => SpecialMostRevisions
+ * SpecialNewimages => SpecialNewFiles
+ * SpecialShortpages => SpecialShortPages
+ * SpecialUncategorizedcategories => SpecialUncategorizedCategories
+ * SpecialUncategorizedimages => SpecialUncategorizedImages
+ * SpecialUncategorizedpages => SpecialUncategorizedPages
+ * SpecialUncategorizedtemplates => SpecialUncategorizedTemplates
+ * SpecialUnusedcategories => SpecialUnusedCategories
+ * SpecialUnusedimages => SpecialUnusedImages
+ * SpecialUnusedtemplates => SpecialUnusedTemplates
+ * SpecialUnwatchedpages => SpecialUnwatchedPages
+ * SpecialWantedcategories => SpecialWantedCategories
+ * SpecialWantedtemplates => SpecialWantedTemplates
+ * SpecialWithoutinterwiki => SpecialWithoutInterwiki
* Language::setCode, deprecated in 1.32, was removed. Use Language::factory to
create a new Language object with a different language code.
* MWNamespace::clearCaches() has been removed. So has the $rebuild parameter
Use the mediawiki.String module instead.
* mw.language.specialCharacters, deprecated in 1.33, has been removed.
Use require( 'mediawiki.language.specialCharacters' ) instead.
+* The jquery.colorUtil module was removed. Use jquery.color instead.
+* The jquery.checkboxShiftClick module was removed. The functionality
+ is provided by mediawiki.page.ready instead (T232688).
+* The 'jquery.accessKeyLabel' module has been removed. This jQuery
+ plugin now ships as part of the 'mediawiki.util' module bundle.
* EditPage::submit(), deprecated in 1.29, has been removed. Use $this->edit()
directly.
* HTMLForm::getErrors(), deprecated in 1.28, has been removed. Use
initialized after calling SearchResult::initFromTitle().
* The UserIsBlockedFrom hook is only called if a block is found first, and
should only be used to unblock a blocked user.
-* …
+* Parameters for index.php from PATH_INFO, such as the title, are no longer
+ written to $_GET.
+* The selectFields() methods on classes LocalFile, ArchivedFile, OldLocalFile,
+ DatabaseBlock, and RecentChange, deprecated in 1.31, have been removed. Use
+ the corresponding getQueryInfo() methods instead.
+* The following methods on Revision, deprecated since 1.31, have been removed.
+ Use RevisionStore::getQueryInfo() or RevisionStore::getArchiveQueryInfo()
+ instead.
+ * Revision::userJoinCond()
+ * Revision::pageJoinCond()
+ * Revision::selectFields()
+ * Revision::selectArchiveFields()
+ * Revision::selectTextFields()
+ * Revision::selectPageFields()
+ * Revision::selectUserFields()
+* User::setNewpassword(), deprecated in 1.27 has been removed.
+* The ObjectCache::getMainWANInstance and ObjectCache::getMainStashInstance
+ functions, deprecated since 1.28, have been removed.
+* Language::$dataCache has been removed (without prior deprecation, for
+ practical reasons). Use MediaWikiServices instead to get a LocalisationCache.
=== Deprecations in 1.34 ===
* The MWNamespace class is deprecated. Use NamespaceInfo.
* The Profiler::setTemplated and Profiler::getTemplated methods have been
deprecated. Use Profiler::setAllowOutput and Profiler::getAllowOutput
instead.
+* The ProfilerOutputDb class, 'profiling' table, and profileinfo.php entry
+ point had been deprecated (T231366).
* The Preprocessor_DOM implementation has been deprecated. It will be
removed in a future release. Use the Preprocessor_Hash implementation
instead.
* IDatabase::bufferResults() has been deprecated. Use query batching instead.
* MessageCache::singleton() is deprecated. Use
MediaWikiServices::getMessageCache().
+* ObjectCache::getWANInstance() is deprecated. Use
+ MediaWikiServices::getMainWANObjectCache() instead.
+* ObjectCache::newWANCacheFromParams() is deprecated. Use
+ MediaWikiServices::getMainWANObjectCache() instead.
* Constructing MovePage directly is deprecated. Use MovePageFactory.
* TempFSFile::factory() has been deprecated. Use TempFSFileFactory instead.
* wfIsBadImage() is deprecated. Use the BadFileLookup service instead.
class. If you extend this class please be sure to override all its methods
or extend RevisionSearchResult.
* Skin::getSkinNameMessages() is deprecated and no longer used.
+* The mediawiki.RegExp module is deprecated; use mw.util.escapeRegExp() instead.
+* Specifying a SpecialPage object for the list of special pages (either through
+ the SpecialPage_initList hook or by adding to $wgSpecialPages) is now
+ deprecated.
+* The 'jquery.tabIndex' module is deprecated.
+* WebInstaller::getInfoBox(), getWarningBox() and getErrorBox() are deprecated.
+ Use Html::errorBox() or Html::warningBox() instead.
+* Use of ActorMigration with 'ar_user', 'img_user', 'oi_user', 'fa_user',
+ 'rc_user', 'log_user', and 'ipb_by' is deprecated. Queries should be adjusted
+ to use the corresponding actor fields directly. Note that use with
+ 'rev_user' is *not* deprecated at this time.
+* Specifying both the class and factory parameters for
+ ApiModuleManager::addModule is now deprecated. The ObjectFactory spec should
+ be used instead.
+* The UserIsHidden hook is deprecated. Use GetUserBlock instead, and add a
+ system block that hides the user.
+* The GetBlockedStatus hook is deprecated. Use GetUserBlock instead, to add or
+ remove a block.
+* $wgContentHandlerUseDB is deprecated and should always be true.
+* StreamFile::send404Message() and StreamFile::parseRange() are now deprecated.
+ Use HTTPFileStreamer::send404Message() and HTTPFileStreamer::parseRange()
+ respectively instead.
+* Global variable $wgSysopEmailBans is deprecated; to allow sysops to ban
+ users from sending emails, use
+ $wgGroupPermissions['sysop']['blockemail'] = true;
+* ApiQueryBase::showHiddenUsersAddBlockInfo() is deprecated. Use
+ ApiQueryBlockInfoTrait instead.
+* PasswordReset is now a service, its direct instantiation is deprecated.
+* RESTBagOStuff users should specify either "JSON" or "PHP" serialization type.
+* The global function wfIsHHVM() is deprecated and will now always return false
+ regardless of the runtime environment. This is part of the continuing work to
+ remove HHVM support from MediaWiki, which started in MediaWiki 1.31.
+* Language::getLocalisationCache() is deprecated. Use MediaWikiServices
+ instead.
+* The following Language methods are deprecated: isSupportedLanguage,
+ isValidCode, isValidBuiltInCode, isKnownLanguageTag, fetchLanguageNames,
+ fetchLanguageName, getFileName, getMessagesFileName, getJsonMessagesFileName.
+ Use the new LanguageNameUtils class instead. (Note that fetchLanguageName(s)
+ are called getLanguageName(s) in the new class.)
+* Using the Parser without initializing its $mTitle property to non-null has
+ been deprecated. In a future release Parser::getTitle() will throw a
+ TypeError if $mTitle is uninitialized.
+* A number of public methods of Parser were exposed only for historical
+ reasons and have been deprecated: doMagicLinks, doDoubleUnderscore,
+ doHeadings, doAllQuotes, replaceExternalLinks, replaceInternalLinks,
+ replaceInternalLinks2, getVariableValue, initialiseVariables, formatHeadings,
+ testPst, testPreprocess, testSrvus, areSubpagesAllowed, maybeDoSubpageLink,
+ splitWhitespace, createAssocArgs, armorLinks, makeKnownLinkHolder,
+ getImageParams, parseLinkParameter, stripAltText, replaceLinkHolders,
+ replaceLinkHoldersText, armorLinks, makeKnownLinkHolder, getImageParams,
+ parseLinkParameter, stripAltText.
=== Other changes in 1.34 ===
-* …
+* Added option to specify "Various authors" as author in extension credits using
+ "..." as the only author name. If the "author" array contains more than one
+ entry and "..." is one of the entries in the array, "..." will be parsed as
+ "others" (version-poweredby-others i18n message) like previously.
+* (T232563) Browser support ("Grade C") for Internet Explorer 6 and 7
+ was discontinued. Basic content and security features may no longer
+ work correctly in these browsers.
== Compatibility ==
-MediaWiki 1.34 requires PHP 7.0.13 or later. Although HHVM 3.18.5 or later is
-supported, it is generally advised to use PHP 7.0.13 or later for long term
-support. It also requires the following PHP extensions:
+MediaWiki 1.34 requires PHP 7.2.9 or later, and the following PHP extensions:
* ctype
* dom
dépôts / lhc / web / wiklou.git / blobdiff