X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=HISTORY;h=244d68190231af832b8f851cc204e2d20f298110;hp=c6ce06c698aa145308b2c4d7e4fdfac30438fd88;hb=d6314935df54f9cfdf2e0ac06ced8167251de57c;hpb=d42d6bd868fd5b579080639995e6a7e23851fcf3 diff --git a/HISTORY b/HISTORY index c6ce06c698..244d681902 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,7 +1,682 @@ -Change notes from older releases. For current info see RELEASE-NOTES-1.29. +Change notes from older releases. For current info see RELEASE-NOTES-1.31. + += MediaWiki 1.30 = + +== MediaWiki 1.30.0 == + +=== Changes since MediaWiki 1.30.0-rc.0 === +* Upgraded Moment.js from v2.15.0 to v2.19.3. +* Add ip_changes to postgres/tables.sql. +* Skip null shell parameters. +* Add wfWaitForSlaves() to maintenance/migrateComments.php. +* (T182245) Fix join conditions in ImageListPager. +* (T178626) Revert #contentSub and #jump-to-nav margin changes. + +=== MySQL version requirement in 1.30 === +As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility +section). + +=== Configuration changes in 1.30 === +* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid + unexpected behavior when code uses locale-sensitive string comparisons. For + example, the Scribunto extension considers "bar" < "Foo" in most locales + since it ignores case. +* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See + documentation of $wgShellLocale for details. +* $wgShellLocale is now applied for all requests. wfInitShellLocale() is + deprecated and a no-op, as it is no longer needed. +* $wgJobClasses may now specify callback functions as an alternative to plain + class names. This is intended for extensions that want control over the + instantiation of their jobs, to allow for proper dependency injection. +* $wgResourceModules may now specify callback functions as an alternative + to plain class names, using the 'factory' key in the module description + array. This allows dependency injection to be used for ResourceLoader modules. +* $wgExceptionHooks has been removed. +* (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size + of IP ranges that can be queried at Special:Contributions. +* (T45547) $wgUsePigLatinVariant added (off by default). 
+* (T152540) MediaWiki now supports a section ID escaping style that allows to display + non-Latin characters verbatim on many modern browsers. This is controlled by the + new configuration setting, $wgFragmentMode. +* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version, + use $wgFragmentMode to migrate off it to a modern alternative. +* $wgExternalInterwikiFragmentMode was introduced to control how fragments in + sinterwikis going outside of current wiki farm are encoded. +* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'. + This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki + auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly + requested through the configuration parameter $wgDBservers. +* $wgOOUIEditPage was removed, as it is now the default. This was documented as a + temporary variable during the migration period. + +=== New features in 1.30 === +* (T37247) Output from Parser::parse() will now be wrapped in a div with + class="mw-parser-output" by default. This may be changed or disabled using + ParserOptions::setWrapOutputClass(). +* (T163562) Added ability to search for contributions within an IP ranges + at Special:Contributions. +* Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software- + specific tags to be added by users. +* Added a 'ParserOptionsRegister' hook to allow extensions to register + additional parser options. +* (T45547) Included Pig Latin, a language game in English, as a + LanguageConverter variant. This allows English-speaking developers + to develop and test LanguageConverter more easily. Pig Latin can be + enabled by setting $wgUsePigLatinVariant to true. +* Added RecentChangesPurgeRows hook to allow extensions to purge data that + depends on the recentchanges table. +* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages. 
+* (T2424) Added direct unwatch links to entries in Special:Watchlist (if the + 'watchlistunwatchlinks' preference option is enabled). With JavaScript + enabled, these links toggle so the user can also re-watch pages that have + just been unwatched. +* Added $wgParserTestMediaHandlers, where mock media handlers can be passed to + MediaHandlerFactory for parser tests. +* Edit summaries, block reasons, and other "comments" are now stored in a + separate database table. Use the CommentFormatter class to access them. +** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis + can set this to MIGRATION_NEW and run maintenance/migrateComments.php as + soon as any necessary extensions are updated. +* (T138166) Added ability for users to prohibit other users from sending them + emails with Special:Emailuser. Can be enabled by setting + $wgEnableUserEmailBlacklist to true. +* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect. + Instead, users using browsers that do not support Unicode will be unable to edit + and should upgrade to a modern browser instead. + +=== External library changes in 1.30 === + +==== Upgraded external libraries ==== +* Updated justinrainbow/json-schema from v3.0 to v5.2. +* Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0. +* Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1. +* Updated wikimedia/relpath from v1.0.3 to v2.0.0. +* Updated OOjs from v2.0.0 to v2.1.0. +* Updated OOUI from v0.21.1 to v0.23.0. +* Updated QUnit from v1.23.1 to v2.4.0. +* Updated phpunit/phpunit from v4.8.35 to v4.8.36. +* Upgraded Moment.js from v2.15.0 to v2.19.3. + +==== New external libraries ==== +* The class \TestingAccessWrapper has been moved to the external library + wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper. +* Purtle, a fast, lightweight RDF generator. 
+ +==== Removed and replaced external libraries ==== +* … + +=== Bug fixes in 1.30 === +* (T151633) Ordered list items use now Devanagari digits in Nepalese + (thanks to Sfic) + +=== Action API changes in 1.30 === +* (T37247) action=parse output will be wrapped in a div with + class="mw-parser-output" by default. This may be changed or disabled using + the new 'wrapoutputclass' parameter. +* When errorformat is not 'bc', abort reasons from action=login will be + formatted as specified by the error formatter parameters. +* action=compare can now handle arbitrary text, deleted revisions, and + returning users and edit comments. +* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto', + 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree' + parameters to prop=revisions are deprecated, as are the similarly named + parameters to prop=deletedrevisions, list=allrevisions, and + list=alldeletedrevisions. Use action=compare, action=parse, or + action=expandtemplates instead. + +=== Action API internal changes in 1.30 === +* ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are + deprecated. The existing message should be split between "apihelp-*-summary" + and "apihelp-*-extended-description". +* (T123931) Individual values of multi-valued parameters can now be marked as + deprecated. + +=== Languages updated in 1.30 === +MediaWiki supports over 350 languages. Many localisations are updated +regularly. Below only new and removed languages are listed, as well as +changes to languages because of Phabricator reports. + +* Added: kbp (Kabɩyɛ / Kabiyè) +* Added: skr (Saraiki, سرائیکی) +* Added: tay (Tayal / Atayal) +* Removed: tokipona (Toki Pona) + +==== Pig Latin added ==== +* (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin), + for easier variant development and testing. Disabled by default. It can be + enabled by setting $wgUsePigLatinVariant to true. 
+ +=== Other changes in 1.30 === +* The use of an associative array for $wgProxyList, where the IP address is in + the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]). + Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]). +* mw.user.bucket (deprecated in 1.23) was removed. +* LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are + deprecated. There are no known callers. +* File::getStreamHeaders() was deprecated. +* MediaHandler::getStreamHeaders() was deprecated. +* Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be + used instead. +* MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace() + should be used instead. +* The ExtractThumbParameters hook (deprecated in 1.21) was removed. +* The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both + deprecated in 1.24) were removed. +* wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and + BagOStuff::makeGlobalKey() should be used instead. +* (T146304) Preprocessor handling of LanguageConverter markup has been improved. + As a result of the new uniform handling, '-{' may need to be escaped + (for example, as '-{') where it occurs inside template arguments + or wikilinks. +* (T163966) Page moves are now counted as edits for the purposes of + autopromotion, i.e., they increment the user_editcount field in the database. +* Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for + manipulating Special:Log and Special:NewPages lines. +* The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData, + PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding + hooks have an additional parameter, for manipulating HTML data attributes of + RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the + $data['attribs'] subarray. +* (T130632) The OutputPage::enableTOC() method was removed. 
+* WikiPage::getParserOutput() will now throw an exception if passed + ParserOptions that would pollute the parser cache. Callers should use + WikiPage::makeParserOptions() to create the ParserOptions object and only + change options that affect the parser cache key. +* Article::viewRedirect() is deprecated. +* IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange(). +* DeprecatedGlobal no longer supports passing in a direct value, it requires a + callable factory function or a class name. +* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton() + are all deprecated. The main ParserCache instance should be obtained from + MediaWikiServices instead. Access to the underlying BagOStuff is possible + through the new ParserCache::getCacheStorage() method. +* .mw-ui-constructive CSS class (deprecated in 1.27) was removed. +* Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(), + escapeIdForLink() or escapeIdForExternalInterwiki() instead. +* Title::escapeFragmentForURL() was deprecated, use one of the aforementioned + Sanitizer functions or, if possible, Title::getFragmentForURL(). +* Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does + nothing and is deprecated. +* mw.util.escapeId() was deprecated, use escapeIdForAttribute() or + escapeIdForLink(). +* MagicWord::replaceMultiple() (deprecated in 1.25) was removed. +* WikiImporter now requires the second parameter to be an instance of the Config, + class. Prior to that, the Config parameter was optional (a behavior deprecated in + 1.25). +* Removed 'jquery.mwExtension' module. (deprecated since 1.26) +* mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette + any more. +* CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed. + The namespaced classes in the Cdb namespace should be used instead. +* IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet + should be used instead. 
+* RunningStat class (deprecated in 1.27) was removed. The namespaced + RunningStat\RunningStat should be used instead. +* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed. + The MemcachedClient class should be used instead. +* EditPage underwent some refactoring and deprecations: + * EditPage::isOouiEnabled() is deprecated and will always return true. + * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please + use ::getSummaryInputWidget() instead. + * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please + use ::getCheckboxesWidget() instead. + * Creating an EditPage instance without calling EditPage::setContextTitle() should + be avoided and will be deprecated in a future release. + * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops. + * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The + corresponding methods from Title should be used instead. + * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement. + * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters + ::getArticle() and ::getTitle() should be used instead. + * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut, + and $wgLang is no longer supported and won't work. The IContextSource returned from + EditPage::getContext() must be modified instead. +* Parser::getRandomString() (deprecated in 1.26) was removed. +* Parser::uniqPrefix() (deprecated in 1.26) was removed. +* Parser::extractTagsAndParams() now only accepts three arguments. The fourth, + $uniq_prefix was deprecated in 1.26 and has now been removed. 
+* (T172514) The following tables have had their UNIQUE indexes turned into proper + PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks, + langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats, + templatelinks, text, transcache, user_former_groups, user_properties. +* IDatabase::nextSequenceValue() is no longer needed by any database backends + (formerly it was needed by PostgreSQL and Oracle), and is now deprecated. +* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a + PRIMARY KEY. +* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id, + page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and + user_properties.up_user have all been made unsigned on MySQL. +* DB_SLAVE is deprecated. DB_REPLICA should be used instead. +* wfUsePHP() is deprecated. +* wfFixSessionID() was removed. +* wfShellExec() and related functions are deprecated, use Shell::command(). This also + slightly changes the behavior of how execution time limits are calculated when only + some of defaults are overridden per-call. When in doubt, always override both wall + clock and CPU time. +* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending + user object. Using the method without the second argument is deprecated. +* (T67297) Browsers that don't support Unicode will have their edits rejected. +* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future + release. For notifying the user of an event, the Notifications ("Echo") system + should be used instead. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. +* (T165846) SECURITY: BotPassword login attempts weren't throttled. + += MediaWiki 1.29 = + +== MediaWiki 1.29.2 == + +This is a security and maintenance release of the MediaWiki 1.29 branch. 
+ +=== Changes since 1.29.1 === +* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting. +* (T175439) Unbreak Postgres Updater when setting defaults for a column. +* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. +* Fixed login button label to accept RawMessage. +* Fixed case of SpecialRecentChanges class usage. +* (T174255) Declare uploadCount property in importDump.php. +* (T163646) Pass a string not an int to mysql_real_escape_string(). +* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2. +* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. +* (T165846) SECURITY: BotPassword login attempts weren't throttled. +* (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. +* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. +* (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. +* (T119158) SECURITY: Handle -{}- syntax in attributes safely. +* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all + branches in the previous security release. + +== MediaWiki 1.29.1 == + +This is a maintenance release of the MediaWiki 1.29 branch. + +The SpamBlacklist and PdfHandler extensions were missing from the generated +packages. + +=== Changes since 1.29.1 === +* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js. +* (T172061) Fix fatal when passing a category to refreshLinks.php. 
+ +== MediaWiki 1.29.0 == + +=== Configuration changes in 1.29 === +* Default cookie expiration time has been reduced to 30 days. Login cookie + expiration time is kept at 180 days. +* A new configuration variable has been added: $wgCookieSetOnAutoblock. This + determines whether to set a cookie when a user is autoblocked. Doing so means + that a blocked user, even after logging out and moving to a new IP address, + will still be blocked. +* The resetpassword right and associated password reset capture feature has + been removed. +* The $error parameter to the EmailUser hook should be set to a Status object + or boolean false. This should be compatible with at least MediaWiki 1.23 if + not earlier. Returning a raw HTML string is now deprecated. +* The $message parameter to the ApiCheckCanExecute hook should be set to an + ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a + code for ApiBase::parseMsg() will no longer work. +* ApiBase::$messageMap is no longer public. Code attempting to access it will + result in a PHP fatal error. +* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC + policies. +* Subpages are now enabled by default in the Template namespace. Set + $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior. +* $wgRunJobsAsync is now false by default (T142751). This change only affects + wikis with $wgJobRunRate > 0. +* (T158474) "Unknown user" has been added to $wgReservedUsernames. +* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs. +* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be + added to $wgExtraLanguageCodes instead. +* (T161453) LocalisationCache will no longer use the temporary directory in it's + fallback chain when trying to work out where to write the cache. +* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use + 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead. 
+ +=== New features in 1.29 === +* (T5233) A cookie can now be set when a user is autoblocked, to track that user + if they move to a new IP address. This is disabled by default. +* Added ILocalizedException interface to standardize the use of localized + exceptions, largely so the API can handle them more sensibly. +* Blocks created automatically by MediaWiki, such as for configured proxies or + dnsbls, are now indicated as such and use a new i18n message when displayed. +* Added new $wgHTTPImportTimeout setting. Sets timeout for + downloading the XML dump during a transwiki import in seconds. +* Parser limit report is now available in machine-readable format to JavaScript + via mw.config.get('wgPageParseReport'). +* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits + from certain IP ranges (e.g. private IPs). +* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code + of the page being parsed. +* HTML5 form validation attributes will no longer be suppressed. Originally + browsers had poor support for them, but modern browsers handle them fine. + This might affect some forms that used them and only worked because the + attributes were not actually being set. +* Expiry times can now be specified when users are added to user groups. +* Completely new user interface for the RecentChanges page, which + structures filters into user-friendly groups. This has corresponding + changes to how filters are registered by core and extensions. +* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input. + Because this change can cause problems for extensions and on-wiki + scripts depending on the exact HTML, the old version is still available + and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php. + This will be removed later and OOjs UI will become the only option. + To make testing easier, users can also force either mode by adding + &ooui=true or &ooui=false to the action=edit URL. 
+ +=== External library changes in 1.29 === + +==== Upgraded external libraries ==== +* Updated QUnit from v1.22.0 to v1.23.1. +* Updated cssjanus from v1.1.2 to v1.2.0. +* Updated psr/log from v1.0.0 to v1.0.2. +* Update Moment.js from v2.8.4 to v2.15.0. +* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14. +* Updated monolog from v1.18.2 to 1.22.1. +* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0. +* Updated OOjs from v1.1.10 to v2.0.0. +* Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0). + +==== New external libraries ==== +* Added wikimedia/timestamp v1.0.0. +* Added wikimedia/remex-html v1.0.1. + +==== Removed and replaced external libraries ==== + +=== Bug fixes in 1.29 === +* (T62604) Core parser functions returning a number now format the number according + to the page content language, not wiki content language. +* (T27187) Search suggestions based on jquery.suggestions will now correctly only + highlight prefix matches in the results. +* (T157035) "new mw.Uri()" was ignoring options when using default URI. +* Special:Allpages can no longer be filtered by redirect in miser mode. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. +* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep + their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. +* (T156184) SECURITY: Escape content model/format url parameter in message. +* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD + declaration. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory + in it's fallback chain when trying to work out where to write the cache. 
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion + syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against + it. + +=== Action API changes in 1.29 === +* Submitting sensitive authentication request parameters to action=login, + action=clientlogin, action=createaccount, action=linkaccount, and + action=changeauthenticationdata in the query string is now an error. They + should be submitted in the POST body instead. +* The capture option for action=resetpassword has been removed +* action=clearhasmsg now requires a POST. +* (T47843) API errors and warnings may be requested in non-English languages + using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters. +* API error codes may have changed. Most notably, errors from modules using + parameter prefixes (e.g. all query submodules) will no longer be prefixed. +* ApiPageSet-using modules will report the 'invalidreason' using the specified + 'errorformat'. +* action=emailuser may return a "Warnings" status, and now returns 'warnings' and + 'errors' subelements (as applicable) instead of 'message'. +* action=imagerotate returns an 'errors' subelement rather than 'errormessage'. +* action=move now reports errors when moving the talk page as an array under + key 'talkmove-errors', rather than using 'talkmove-error-code' and + 'talkmove-error-info'. The format for subpage move errors has also changed. +* action=revisiondelete no longer includes a "rendered" property on warnings + and errors for each item. Use errorformat=wikitext if you're wanting parsed + output. +* action=rollback no longer returns a "messageHtml" property. Use + errorformat=html if you're wanting HTML formatting of error messages. +* action=upload now reports optional stash failures as an array under key + 'stasherrors' rather than a 'stashfailed' text string. 
+* action=watch reports 'errors' and 'warnings' instead of a single 'error', and + no longer returns a 'message' on success. +* Added action=validatepassword to validate passwords for the account creation + and password change forms. +* action=purge now requires a POST. +* There is a new `languagevariants` siprop for action=query&meta=siteinfo, + which returns a list of languages with active LanguageConverter instances. +* action=query&query=allpages will no longer filter redirects using a database + query in miser mode. This may result in less results being returned than were + requested. + +=== Action API internal changes in 1.29 === +* New methods were added to ApiBase to handle errors and warnings using i18n + keys. Methods for using hard-coded English messages were deprecated: + * ApiBase::dieUsage() was deprecated + * ApiBase::dieUsageMsg() was deprecated + * ApiBase::dieUsageMsgOrDebug() was deprecated + * ApiBase::getErrorFromStatus() was deprecated + * ApiBase::parseMsg() was deprecated + * ApiBase::setWarning() was deprecated +* ApiBase::$messageMap is no longer public. Code attempting to access it will + result in a PHP fatal error. +* The $message parameter to the ApiCheckCanExecute hook should be set to an + ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a + code for ApiBase::parseMsg() will no longer work. +* UsageException is deprecated in favor of ApiUsageException. For the time + being ApiUsageException is a subclass of UsageException to allow things that + catch only UsageException to still function properly. +* If, for some strange reason, code was using an ApiErrorFormatter instead of + ApiErrorFormatter_BackCompat, note that the result format has changed and + various methods now take a module path rather than a module name. +* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes + from the message key, and maps some message keys for backwards compatibility. 
+* API parameters may now be marked as "sensitive" to keep their values out of + the logs. + +=== Languages updated in 1.29 === + +MediaWiki supports over 350 languages. Many localisations are updated +regularly. Below only new and removed languages are listed, as well as +changes to languages because of Phabricator reports. + +* Based as always on linguistic studies on intelligibility and language + knowledge by geography, language fallbacks have been expanded. When a + translation is missing in the user's preferred interface language, the + corresponding translation for the fallback language will be used instead. + English will only be used as last resort when there are no translations. + Some configurations (such as date formats and gender namespaces) have also + been updated when using the fallback language's configuration was inadequate. + The new or reinstated language fallbacks are (after cs ↔ sk in 1.28): + ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro; + sh → bs, sr-el, hr. +* (T137376) New language support: Atikamekw (atj). +* (T163600) New language support: Dinka (din). +* (T155957) Talk Namespaces for Javanese language (jv) have been updated. + +==== No fallback for Ukrainian ==== +* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian + language will now use the default fallback language: English. When a translation + to Ukrainian is not available, an English string will be shown. + +=== Other changes in 1.29 === +* Database::getSearchEngine() (deprecated in 1.28) was removed. Use + SearchEngineFactory::getSearchEngineClass() instead. +* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is + required as all sessions are stored in Object Cache now. +* MWHttpRequest::execute() should be considered to return a StatusValue; the + Status return type is deprecated. +* User::edits() (deprecated in 1.21) was removed. +* Xml::escapeJsString() (deprecated in 1.21) was removed. 
+* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21) + were removed. +* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21) + were removed. +* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom + instead. +* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed. +* Class RevisiondeleteAction (deprecated in 1.25) was removed. +* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed. +* WikiPage::getText() (deprecated in 1.21) was removed. +* Article::fetchContent() (deprecated in 1.21) was removed. +* User::getPassword() (deprecated in 1.27) was removed. +* User::getTemporaryPassword() (deprecated in 1.27) was removed. +* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed. +* Class FSRepo (deprecated in 1.19) was removed. +* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use + \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead. +* Class ImageGallery (deprecated in 1.22) was removed. + Use ImageGalleryBase::factory instead. +* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead. +* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now + emit warnings). Create a subclass of Action and add it to $wgActions instead. +* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated. +* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed. +* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed. +* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed. +* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed. +* RedisConnectionPool::handleException (deprecated since 1.23) was removed. +* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete + and outdated lists of errors/warnings returned by the API, are now deprecated. 
+* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" + URLs to continue to work, set up redirects. In Apache, this can be done by enabling + mod_rewrite and adding the following rules to your configuration: + + RewriteEngine On + RewriteBase / + RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L] +* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed. + Use ArticleAfterFetchContentObject instead. +* Hook ArticleInsertComplete (deprecated in 1.21) was removed. + Use PageContentInsertComplete instead. +* Hook ArticleSave (deprecated in 1.21) was removed. + Use PageContentSave instead. +* Hook ArticleSaveComplete (deprecated in 1.21) was removed. + Use PageContentSaveComplete instead. +* Hook EditFilterMerged (deprecated in 1.21) was removed. + Use EditFilterMergedContent instead. +* Hook EditPageGetPreviewText (deprecated in 1.21) was removed. + Use EditPageGetPreviewContent instead. +* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed. + Use ContentHandlerDefaultModelFor instead. +* Hook TitleIsWikitextPage (deprecated in 1.21) was removed. + Use ContentHandlerDefaultModelFor instead. +* Article::getContent() (deprecated in 1.21) was removed. +* Revision::getText() (deprecated in 1.21) was removed. +* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed. +* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed. +* Article::doEditContent() was marked as deprecated, to be removed in 1.30 + or later. +* ContentHandler::runLegacyHooks() was removed. +* refreshLinks.php now can be limited to a particular category with --category=... + or a tracking category with --tracking-category=... +* User-like objects that are passed to SpecialUserRights and its subclasses are + now required to have a getGroupMemberships() method. See UserRightsProxy for + an example. +* User::$mGroups (instance variable) was marked private. Use User::getGroups() + instead. 
+* User::getGroupName(), User::getGroupMember(), User:getGroupPage(), + User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated. + Use equivalent methods on the UserGroupMembership class. +* Maintenance scripts and tests that call User::addGroup() must now ensure that + User objects have been added to the database prior to calling addGroup(). +* Protected function UsersPager::getGroups() was removed, and protected function + UsersPager::buildGroupLink() was changed from a static to an instance method. +* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed; + see docs/hooks.txt. +* User::crypt() (deprecated in 1.24) was removed. +* User::comparePasswords() (deprecated in 1.24) was removed. +* ArchivedFile::getUserText() (deprecated in 1.23) was removed. +* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed. +* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage + and subclasses. It should only break if you call buildMainQueryConds + (changed to buildQuery with new signature) or doMainQuery (new + signature). Subclasses are likely to call at least doMainQuery + (possibly both), but other classes might too, because they were + public. + Also, some related hooks were deprecated, but this is not yet a + breaking change. +* Removed 'jquery.arrowSteps' module. (deprecated since 1.28) +* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated. +* WikiRevision::$fileIsTemp was deprecated. +* WikiRevision::$importer was deprecated. +* WikiRevision::$user was deprecated. +* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the + WikiPage::PURGE_* constants are deprecated, and the functions will always + return false. They were a hack for an issue that has since been fixed. +* Hook 'EditPageBeforeEditChecks' is now deprecated. 
Instead use the new hook + 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options' + if you don't actually care about checkboxes and just want to add some HTML + to the page. +* Selflinks are now rendered as href-less tags with the class mw-selflink + rather than tags. The old class name, "selflink", was deprecated + and will be removed in a future release. (T160480) +* (T156184) $wgRawHtml will no longer apply to internationalization messages. +* Browser support for non-ES5 JavaScript browsers, including Android 2, + Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C. +* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755): + is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari, + webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs, + opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera, + ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent, + addClickHandler, removeHandler, getElementsByClassName, getInnerText, + setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons, + mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes, + escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix, + tooltipAccessKeyRegexp, updateTooltipAccessKeys. +* The ID of the
  • element containing the login link has changed from + 'pt-login' to 'pt-login-private' in private wikis. +* The old, neglected "bulletin board style toolbar" in the edit form is now + deprecated (T30856). This old code dates from 2006, and was replaced in the + MediaWiki release tarball and in Wikimedia production by the WikiEditor + extension in 2010. It is only shown to users if no other editor was + installed, and leads to confusion. +* (T92459) Loading ResourceLoader modules containing JavaScript through + addModuleStyles() is deprecated and will log a warning server-side. = MediaWiki 1.28 = +== MediaWiki 1.28.3 == + +This is a security and maintenance release of the MediaWiki 1.28 branch. + +=== Changes since 1.28.2 == +* (T168856) Allow SVGs created by Dia to be uploaded. +* (T157545) Add missing doUpdates() call to refreshLinks.php. +* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown. +* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle. +* (T154425) Make DeferredUpdates detect LBFactory transaction rounds. +* (T149454) Restore erroneously removed realTableName call from DatabasePostgres. +* (T167798) Fix phrase search and highlighting for phrase queries. +* (T151136) Provide credits information to callbacks in extension registration. +* (T160462) Allow namespaces defined in extension.json to be overwritten locally. +* (T168337) Fix ErrorPageError to work from non-UI contexts. +* (T143788) Backports for PHP 7.0 and 7.1 support. +* (T175439) Unbreak Postgres Updater when setting defaults for a column. +* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. +* (T174255) Declare uploadCount property in importDump.php. +* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. 
+* (T165846) SECURITY: BotPassword login attempts weren't throttled. +* (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. +* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. +* (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. +* (T119158) SECURITY: Handle -{}- syntax in attributes safely. + +== MediaWiki 1.28.2 == + +Due to a packaging error, the wrong version of the SyntaxHighlight extension was +included in the tarball version of MediaWiki 1.28.1. The version included had a +serious security issue in it (T158689). There was also some minor code fixes in +MediaWiki itself since 1.28.1, but none of them were security relevant. + == MediaWiki 1.28.1 == This is a security and maintenance release of the MediaWiki 1.28 branch. 
@@ -365,6 +1040,49 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.27 = +== MediaWiki 1.27.4 == +This is a security and maintenance release of the MediaWiki 1.27 branch. + +=== Changes since 1.27.3 === +* (T100085) Better handling of jobs execution in post-connection shutdown. +* (T141604) Support conditionally registered namespaces. +* (T167798) Fix highlighting for phrase queries and phrase search. +* (T151136) Provide credits information to callbacks. +* (T160462) Allow namespaces defined in extension.json to be overwritten locally. +* (T168856) Allow SVGs created by Dia to be uploaded. +* (T144705) (T148662) Password reset link is no longer shown when no reset options are + available. +* (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support. +* (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC + policies. +* DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core. +* (T175439) Unbreak Postgres Updater when setting defaults for a column. +* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. +* (T142304) Allow putting the app ID in the password for bot passwords. +* Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. +* (T165846) SECURITY: BotPassword login attempts weren't throttled. +* (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. +* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. +* (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. 
+* (T119158) SECURITY: Handle -{}- syntax in attributes safely. + +== MediaWiki 1.27.3 == +Due to a packaging error, the wrong version of the SyntaxHighlight extension was +included in the tarball version of MediaWiki 1.27.2. The version included had a +serious security issue in it (T158689). There was also some minor code fixes in +MediaWiki itself since 1.27.2, but none of them were security relevant. + +=== Changes since 1.27.2 === +* (T145664) Fix broken wincache merge() implementation +* (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility +* (T153505) Fix php warnings on php 7.1 due to use of &$this + == MediaWiki 1.27.2 == This is a security and maintenance release of the MediaWiki 1.27 branch.
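Review bot: In the 1.28.3 section of the first hunk (@@ -1,7 +1,682 @@), the heading "=== Changes since 1.28.2 ==" closes with two equals signs instead of three, so it does not match the level-3 headings used elsewhere in the file, such as "=== Changes since 1.27.3 ==="; change it to "=== Changes since 1.28.2 ===". In the same hunk, "User:getGroupPage()" in the UserGroupMembership deprecation entry should be "User::getGroupPage()", "dependancy" in the first (T180231) entry should be "dependency", and "There was also some minor code fixes" in the 1.28.2 note should read "There were". The 1.28.2 section also has no "Changes since 1.28.1" list, while the matching 1.27.3 section does list its changes; either add the list or say that the fixes are covered elsewhere.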
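Review bot: In the 1.27.4 list of the second hunk (@@ -365,6 +1040,49 @@), the entry "Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36." carries neither the (T180231) task ID nor the "SECURITY:" prefix that the same upgrade has in the 1.28.3 list, even though this list also contains "(T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php."; tag it the same way so that administrators scanning for SECURITY entries see the upgrade on both branches, and correct "dependancy" to "dependency". The three entries under "=== Changes since 1.27.2 ===" lack the trailing period the other entries in this hunk use, and "There was also some minor code fixes" in the 1.27.3 note should read "There were". The (T180237) entry would also be more useful if it said what to do on web servers that do not read .htaccess files, in the way the wiki.phtml entry names Apache for its rewrite rules.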