X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=HISTORY;h=292965d25baa632918d4aab4ca0428eade2ac676;hp=020ac667ea2454d397b8bb407dd3a3b6abf45ea9;hb=cae285042e551d3c884b998600da08424cc8ba47;hpb=95e49195432aae0bf85c73ec43556d44f2fd828f diff --git a/HISTORY b/HISTORY index 020ac667ea..292965d25b 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,7 +1,52 @@ -Change notes from older releases. For current info see RELEASE-NOTES-1.33. +Change notes from older releases. For current info see RELEASE-NOTES-1.34. = MediaWiki 1.32 = +== MediaWiki 1.32.3 == + +This is a maintenance release of the MediaWiki 1.32 branch. + +=== Changes since MediaWiki 1.32.2 === +* (T225558) Update installer link to PHP intl. +* (T225496) Detect APC for MainCacheType in CLI installer. +* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies. +* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order. + +== MediaWiki 1.32.2 == + +This is a security and maintenance release of the MediaWiki 1.32 branch. + +=== Changes since MediaWiki 1.32.1 === +* (T204423) Backport support for hyphenated DB names in JobQueueGroup. +* (T216968) Return pageid as int in both list=iwbacklinks and + list=langbacklinks. +* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL. +* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags. +* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when + $wgBlockDisablesLogin is true. +* (T216029) Chrome redirects to Special:BadTitle after editing a section with + a non-Latin name on a page with non-Latin characters in title. +* Unbreak language related maintenance scripts that use StaticArrayWriter. +* (T219728) Added support for new Japanese era name "Reiwa". +* (T25227) SECURITY: action=logout now requires to be posted and have a csrf + token. +* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0. +* (T221045) Remove orphaned code from ConfigRepository. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). +* (T224374) Fix message parameters so that the message that says SQLite is + out of date makes sense. +* (T200471) Prevent LBFactorySimple breaking ExternalStorage, when trying to + connect to external server with local database name. 
+* (T197279) SECURITY: Fix reauth in Special:ChangeEmail. +* (T208881) SECURITY: blacklist CSS var(). +* (T209794) SECURITY: rate-limit and prevent blocked users from changing email. +* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. +* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. +* (T222036, T222038) SECURITY: Add permission check for user is permitted to + view the log type. +* (T221739) SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358. + == MediaWiki 1.32.1 == === Changes since MediaWiki 1.32.0 === 
@@ -716,6 +761,117 @@ because of Phabricator reports. = MediaWiki 1.31 = +== MediaWiki 1.31.3 == + +This is a maintenance release of the MediaWiki 1.31 branch. + +=== Changes since MediaWiki 1.31.2 === +* (T225558) Update installer link to PHP intl. +* (T225496) Detect APC for MainCacheType in CLI installer. +* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies. +* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order. + +== MediaWiki 1.31.2 == + +This is a security and maintenance release of the MediaWiki 1.31 branch. + +Required PHP version has been increased from 7.0.0 to 7.0.13. + +=== Changes since MediaWiki 1.31.1 === +* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query + all titles when asked for none. +* (T205967) Fix syntax error typo in postgres database upgrade file. +* (T200254) Add pear/Net_SMTP 1.7.3 to composer dependencies. +* (T206765) Load installer i18n when running update.php. +* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested + libraries. + [Also in the bundled composer /vendor directory.] +* Various PHP 7.2 and 7.3 compatibility fixes: + * (T200595, T206974) Fix PHP 7.3 warnings of using "continue" in some + scenarios instead of "break". + * (T206976, T206977) Also in the bundled LocalisationUpdate and + ParserFunctions extensions. + * (T206979) Fix PHP 7.3 warnings of using "compact()" when some variables may + not be set. + * (T215632) FormatMetadata and UploadStash regexes fixed to be PHP + 7.3-compatible. + * Fix PHP warnings "preg_replace(): [...] invalid range in character class. + * Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable. + * Suppress "Headers already sent" in PHP 7.2 too. + * (T206476) Output only to stderr in unit tests. + * (T207112) Add session_write_close() calls to SessionManager tests. 
+ * oyejorge/less.php replaced with our fork wikimedia/less.php + * (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0. + * (T213489) Avoid session double-start in Setup.php. + * (T206975) Switch to our fork of less.php. +* (T207540) Include IP address in "Login for $1 succeeded" log entry. +* (T201781) Database: Allow selectFieldValues() to accept SQL fragments. +* (T205765) installer: Don't link to the obsolete "Extension Matrix" page. +* (T206013) Update ImportableUploadRevisionImporter for interwiki usernames. +* (T207541) Pass an email address, not a MailAddress, to mail(). +* (T207603) SECURITY: User JS may no longer be loaded with mime type + text/javascript if there is no account associated with the username. +* (T112937, T113042) SECURITY: Do not allow loading pages raw with a + text/javascript MIME + type if non-admins can edit the page. +* (T17491) / elements can be phrasing or flow. +* (T200827) RemexCompatMunger: Don't call endTag() in case B/b +* (T207088) Upgrade wikimedia/remex-html to 2.0.1. + [Also in the bundled composer /vendor directory.] +* (T194052) Updated wikimedia/base-convert from 1.0.1 to 2.0.0. + [Also in the bundled composer /vendor directory.] +* (T199494) Fix notices in maintenance/removeUnusuedAccounts.php. +* Require ext-fileinfo in composer.json, per PHPVersionCheck. +* (T176390) Bundled LocalisationUpdate extension: Handle exceptions from + GitHubFetcher. +* (T208255) Completion search should not change the search query. +* (T209870) Fix SQL syntax error in MS-SQL initialisation file for new wikis. +* (T185049) LogFormatter: Fail softer when trying to link an invalid titles. +* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php + if --lang is used with the command-line installer (install.php). +* (T211061) ImageListPager: Actor migration for buildQueryConds(). +* (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself. 
+* Fix addition of ug_expiry column to user_groups table on MSSQL. +* (T204767) Add join conditions to ActiveUsersPager. +* (T210621) User: Bypass repeatable-read when creating an actor_id. +* (T204531) rdbms: reduce LoadBalancer replication log spam. +* (T195525) Fix db error outage page. +* (T208871) The hard-coded Google search form on the database error page was + removed. +* (T176097) Fix flaky MessageBlobStoreTest assertion failures. +* (T209423) Update required PHP version to 7.0.13. +* (T209885) Prevent populateSearchIndex.php from breaking once actor migration + has been started. +* (T216968) Return pageid as int in both list=iwbacklinks and + list=langbacklinks. +* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL. +* (T204423) Backport support for hyphenated DB names in JobQueueGroup. +* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags. +* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when + $wgBlockDisablesLogin is true. +* (T216029) Chrome redirects to Special:BadTitle after editing a section with + a non-Latin name on a page with non-Latin characters in title. +* (T219728) Added support for new Japanese era name "Reiwa". +* (T25227) SECURITY: action=logout now requires to be posted and have a csrf + token. +* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). +* (T224374) Fix message parameters so that the message that says SQLite is out + of date makes sense. +* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when + reauthenticating. +* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if + getLoginSecurityLevel() returns non-false. +* (T197279) SECURITY: Fix reauth in Special:ChangeEmail. +* (T208881) SECURITY: blacklist CSS var(). +* (T209794) SECURITY: rate-limit and prevent blocked users from changing email. 
+* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. +* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. +* (T222036, T222038) SECURITY: Add permission check for user is permitted to + view the log type. +* (T221739) SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358. + == MediaWiki 1.31.1 == This is a security and maintenance release of the MediaWiki 1.31 branch. @@ -750,7 +906,8 @@ This is a security and maintenance release of the MediaWiki 1.31 branch. * (T196185) Don't allow setting $wgDBmysql5 in the installer. * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. * (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+ -* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. +* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete + hook. * (T196672) The mtime of extension.json files is now able to be zero * (T180403) Validate $length in padleft/padright parser functions. * (T143790) Make $wgEmailConfirmToEdit only affect edit actions. @@ -774,7 +931,8 @@ This is a security and maintenance release of the MediaWiki 1.31 branch. apply patch-drop-ar_text.sql manually, you'll have to apply a default value to the ar_text and ar_flags columns of the archive table or make those columns nullable before upgrading to MediaWiki 1.31. - maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL. + maintenance/archives/patch-nullable-ar_text.sql shows how to do this for + MySQL. === Configuration changes in 1.31 === * $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in 
@@ -1096,7 +1254,8 @@ changes to languages because of Phabricator reports. * Passing a ParserOptions object to OutputPage::parserOptions() is deprecated. * The RevisionInsertComplete hook is now deprecated; use instead the hook RevisionRecordInserted. RevisionInsertComplete is still called, but the second - and third parameter will always be null. Hard deprecation is scheduled for 1.32. + and third parameter will always be null. Hard deprecation is scheduled for + 1.32. * The following methods that get and set ParserOutput state are deprecated. Callers should use the new stateless $options parameter to ParserOutput::getText() instead. 
@@ -1228,6 +1387,51 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.30 = +== MediaWiki 1.30.2 == + +This is a security and maintenance release of the MediaWiki 1.30 branch. + +=== Changes since MediaWiki 1.30.1 === +* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query + all titles when asked for none. +* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested + libraries. +* (T207540) Include IP address in "Login for $1 succeeded" log entry. +* (T205765) Don't link to the obsolete "Extension Matrix" page in installer. +* (T207603) SECURITY: User JS may no longer be loaded with mime type + text/javascript if there is no account associated with the username. +* (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME + type if non-admins can edit the page. +* (T207541) Pass email address to mail(). +* Fix addition of ug_expiry column to user_groups table on MSSQL. +* (T204531) rdbms: reduce LoadBalancer replication log spam. +* (T213489) Avoid session double-start in Setup.php. +* (T195525) Fix db error outage page. +* (T208871) The hard-coded Google search form on the database error page was + removed. +* (T216968) Return pageid as int in both list=iwbacklinks and + list=langbacklinks. +* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when + $wgBlockDisablesLogin is true. +* (T25227) SECURITY: action=logout now requires to be posted and have a csrf + token. +* (T222385) resourceloader: Use AND instead of OR for upsert conds in + saveFileDependencies(). +* (T224374) Fix message parameters so that the message that says SQLite is out + of date makes sense. +* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when + reauthenticating. +* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if + getLoginSecurityLevel() returns non-false. +* (T197279) SECURITY: Fix reauth in Special:ChangeEmail. 
+* (T208881) SECURITY: blacklist CSS var(). +* (T209794) SECURITY: rate-limit and prevent blocked users from changing email. +* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. +* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. +* (T222036, T222038) SECURITY: Add permission check for user is permitted to + view the log type. +* (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358. + == MediaWiki 1.30.1 == This is a security and maintenance release of the MediaWiki 1.30 branch. 
@@ -1237,20 +1441,23 @@ This is a security and maintenance release of the MediaWiki 1.30 branch. 'newbie'. * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock. -* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array. +* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative + array. * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency). * (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature. * (T190503) Let built-in web server (maintenance/dev) handle .php requests. * (T167507) selenium: Run Chrome headlessly. * selenium: Pass -no-sandbox to Chrome under Docker. -* (T179190) selenium: Move logic for running tests from package.json to selenium.sh +* (T179190) selenium: Move logic for running tests from package.json to + selenium.sh * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds(). * Add default edit rate limit of 90 edits/minute for all users. * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`. * oojs/oojs-ui updated to remove an unnecessary dependancy. * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. -* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. +* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete + hook. * (T196672) The mtime of extension.json files is now able to be zero * (T180403) Validate $length in padleft/padright parser functions. * (T143790) Make $wgEmailConfirmToEdit only affect edit actions. 
@@ -1298,19 +1505,19 @@ section). * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size of IP ranges that can be queried at Special:Contributions. * (T45547) $wgUsePigLatinVariant added (off by default). -* (T152540) MediaWiki now supports a section ID escaping style that allows to display - non-Latin characters verbatim on many modern browsers. This is controlled by the - new configuration setting, $wgFragmentMode. -* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version, - use $wgFragmentMode to migrate off it to a modern alternative. +* (T152540) MediaWiki now supports a section ID escaping style that allows to + display non-Latin characters verbatim on many modern browsers. This is + controlled by the new configuration setting, $wgFragmentMode. +* $wgExperimentalHtmlIds is now deprecated and will be removed in a future + version, use $wgFragmentMode to migrate off it to a modern alternative. * $wgExternalInterwikiFragmentMode was introduced to control how fragments in sinterwikis going outside of current wiki farm are encoded. -* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'. - This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki - auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly - requested through the configuration parameter $wgDBservers. -* $wgOOUIEditPage was removed, as it is now the default. This was documented as a - temporary variable during the migration period. +* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of + 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. + MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if + explicitly requested through the configuration parameter $wgDBservers. +* $wgOOUIEditPage was removed, as it is now the default. This was documented as + a temporary variable during the migration period. 
=== New features in 1.30 === * (T37247) Output from Parser::parse() will now be wrapped in a div with @@ -1343,9 +1550,9 @@ section). * (T138166) Added ability for users to prohibit other users from sending them emails with Special:Emailuser. Can be enabled by setting $wgEnableUserEmailBlacklist to true. -* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect. - Instead, users using browsers that do not support Unicode will be unable to edit - and should upgrade to a modern browser instead. +* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no + effect. Instead, users using browsers that do not support Unicode will be + unable to edit and should upgrade to a modern browser instead. === External library changes in 1.30 === @@ -1436,9 +1643,10 @@ changes to languages because of Phabricator reports. * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for manipulating Special:Log and Special:NewPages lines. * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData, - PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding - hooks have an additional parameter, for manipulating HTML data attributes of - RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the + PageHistoryLineEnding, ContributionsLineEnding and + DeletedContributionsLineEnding hooks have an additional parameter, for + manipulating HTML data attributes of RC/history lines. + EnhancedChangesListModifyBlockLineData can do that via the $data['attribs'] subarray. * (T130632) The OutputPage::enableTOC() method was removed. * WikiPage::getParserOutput() will now throw an exception if passed 
@@ -1449,10 +1657,10 @@ changes to languages because of Phabricator reports. * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange(). * DeprecatedGlobal no longer supports passing in a direct value, it requires a callable factory function or a class name. -* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton() - are all deprecated. The main ParserCache instance should be obtained from - MediaWikiServices instead. Access to the underlying BagOStuff is possible - through the new ParserCache::getCacheStorage() method. +* The $parserMemc global, wfGetParserCacheStorage(), and + ParserCache::singleton() are all deprecated. The main ParserCache instance + should be obtained from MediaWikiServices instead. Access to the underlying + BagOStuff is possible through the new ParserCache::getCacheStorage() method. * .mw-ui-constructive CSS class (deprecated in 1.27) was removed. * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(), escapeIdForLink() or escapeIdForExternalInterwiki() instead. @@ -1463,9 +1671,9 @@ changes to languages because of Phabricator reports. * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or escapeIdForLink(). * MagicWord::replaceMultiple() (deprecated in 1.25) was removed. -* WikiImporter now requires the second parameter to be an instance of the Config, - class. Prior to that, the Config parameter was optional (a behavior deprecated in - 1.25). +* WikiImporter now requires the second parameter to be an instance of the + Config, class. Prior to that, the Config parameter was optional (a behavior + deprecated in 1.25). * Removed 'jquery.mwExtension' module. (deprecated since 1.26) * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette any more. 
@@ -1475,55 +1683,60 @@ changes to languages because of Phabricator reports. should be used instead. * RunningStat class (deprecated in 1.27) was removed. The namespaced RunningStat\RunningStat should be used instead. -* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed. +* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were + removed. The MemcachedClient class should be used instead. * EditPage underwent some refactoring and deprecations: * EditPage::isOouiEnabled() is deprecated and will always return true. - * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please - use ::getSummaryInputWidget() instead. + * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. + Please use ::getSummaryInputWidget() instead. * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please use ::getCheckboxesWidget() instead. - * Creating an EditPage instance without calling EditPage::setContextTitle() should - be avoided and will be deprecated in a future release. - * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops. - * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The - corresponding methods from Title should be used instead. + * Creating an EditPage instance without calling EditPage::setContextTitle() + should be avoided and will be deprecated in a future release. + * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and + no-ops. + * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are + deprecated. The corresponding methods from Title should be used instead. * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement. - * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters - ::getArticle() and ::getTitle() should be used instead. 
- * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut, - and $wgLang is no longer supported and won't work. The IContextSource returned from - EditPage::getContext() must be modified instead. + * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The + getters ::getArticle() and ::getTitle() should be used instead. + * Trying to control or fake EditPage context by overriding $wgUser, + $wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The + IContextSource returned from EditPage::getContext() must be modified + instead. * Parser::getRandomString() (deprecated in 1.26) was removed. * Parser::uniqPrefix() (deprecated in 1.26) was removed. * Parser::extractTagsAndParams() now only accepts three arguments. The fourth, $uniq_prefix was deprecated in 1.26 and has now been removed. -* (T172514) The following tables have had their UNIQUE indexes turned into proper - PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks, - langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats, - templatelinks, text, transcache, user_former_groups, user_properties. +* (T172514) The following tables have had their UNIQUE indexes turned into + proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, + iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks, + query_cache, site_stats, templatelinks, text, transcache, user_former_groups, + user_properties. * IDatabase::nextSequenceValue() is no longer needed by any database backends (formerly it was needed by PostgreSQL and Oracle), and is now deprecated. -* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a - PRIMARY KEY. +* (T146591) The lc_lang_key index on the l10n_cache table has been changed into + a PRIMARY KEY. 
* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id, page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and user_properties.up_user have all been made unsigned on MySQL. * DB_SLAVE is deprecated. DB_REPLICA should be used instead. * wfUsePHP() is deprecated. * wfFixSessionID() was removed. -* wfShellExec() and related functions are deprecated, use Shell::command(). This also - slightly changes the behavior of how execution time limits are calculated when only - some of defaults are overridden per-call. When in doubt, always override both wall - clock and CPU time. -* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending - user object. Using the method without the second argument is deprecated. +* wfShellExec() and related functions are deprecated, use Shell::command(). This + also slightly changes the behavior of how execution time limits are calculated + when only some of defaults are overridden per-call. When in doubt, always + override both wall clock and CPU time. +* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the + sending user object. Using the method without the second argument is + deprecated. * (T67297) Browsers that don't support Unicode will have their edits rejected. -* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future - release. For notifying the user of an event, the Notifications ("Echo") system - should be used instead. -* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser - sends non-standard url escaping. +* (T178450) The module 'jquery.badge' is deprecated and will be removed in a + future release. For notifying the user of an event, the Notifications ("Echo") + system should be used instead. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and + browser sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. 
= MediaWiki 1.29 = @@ -1576,7 +1789,8 @@ This is a security and maintenance release of the MediaWiki 1.29 branch. This is a security and maintenance release of the MediaWiki 1.29 branch. === Changes since 1.29.1 === -* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting. +* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to + nesting. * (T175439) Unbreak Postgres Updater when setting defaults for a column. * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * Fixed login button label to accept RawMessage. 
@@ -1585,19 +1799,20 @@ This is a security and maintenance release of the MediaWiki 1.29 branch. * (T163646) Pass a string not an int to mysql_real_escape_string(). * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2. * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36. -* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser - sends non-standard url escaping. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and + browser sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. * (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. * (T125163) SECURITY: Make anchor for headlines escape > and <. * (T180237) SECURITY: Protect vendor folder with .htaccess. -* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in + update.php. * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. * (T119158) SECURITY: Handle -{}- syntax in attributes safely. -* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all - branches in the previous security release. +* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly + fixed in all branches in the previous security release. == MediaWiki 1.29.1 == 
@@ -1636,7 +1851,8 @@ packages. * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. * (T158474) "Unknown user" has been added to $wgReservedUsernames. -* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs. +* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single + IPs. * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be added to $wgExtraLanguageCodes instead. * (T161453) LocalisationCache will no longer use the temporary directory in it's 
@@ -1695,30 +1911,32 @@ packages. ==== Removed and replaced external libraries ==== === Bug fixes in 1.29 === -* (T62604) Core parser functions returning a number now format the number according - to the page content language, not wiki content language. -* (T27187) Search suggestions based on jquery.suggestions will now correctly only - highlight prefix matches in the results. +* (T62604) Core parser functions returning a number now format the number + according to the page content language, not wiki content language. +* (T27187) Search suggestions based on jquery.suggestions will now correctly + only highlight prefix matches in the results. * (T157035) "new mw.Uri()" was ignoring options when using default URI. * Special:Allpages can no longer be filtered by redirect in miser mode. -* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. -* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect - to interwiki links. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is + installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow + redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. -* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF - token. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a + CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. -* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory - in it's fallback chain when trying to work out where to write the cache. 
-* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion - syntax's link parameter. -* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against - it. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary + directory in it's fallback chain when trying to work out where to write the + cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file + inclusion syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected + against it. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, @@ -1733,8 +1951,8 @@ packages. parameter prefixes (e.g. all query submodules) will no longer be prefixed. * ApiPageSet-using modules will report the 'invalidreason' using the specified 'errorformat'. -* action=emailuser may return a "Warnings" status, and now returns 'warnings' and - 'errors' subelements (as applicable) instead of 'message'. +* action=emailuser may return a "Warnings" status, and now returns 'warnings' + and 'errors' subelements (as applicable) instead of 'message'. * action=imagerotate returns an 'errors' subelement rather than 'errormessage'. * action=move now reports errors when moving the talk page as an array under key 'talkmove-errors', rather than using 'talkmove-error-code' and @@ -1804,8 +2022,8 @@ changes to languages because of Phabricator reports. ==== No fallback for Ukrainian ==== * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian - language will now use the default fallback language: English. When a translation - to Ukrainian is not available, an English string will be shown. + language will now use the default fallback language: English. When a + translation to Ukrainian is not available, an English string will be shown. === Other changes in 1.29 === * Database::getSearchEngine() (deprecated in 1.28) was removed. Use 
@@ -1820,8 +2038,8 @@ changes to languages because of Phabricator reports. were removed. * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21) were removed. -* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom - instead. +* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use + ArticleContentViewCustom instead. * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed. * Class RevisiondeleteAction (deprecated in 1.25) was removed. * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed. @@ -1832,13 +2050,16 @@ changes to languages because of Phabricator reports. * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed. * Class FSRepo (deprecated in 1.19) was removed. * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use - \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead. + \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() + instead. * Class ImageGallery (deprecated in 1.22) was removed. Use ImageGalleryBase::factory instead. -* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead. +* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class + instead. * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now emit warnings). Create a subclass of Action and add it to $wgActions instead. -* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated. +* WikiRevision::getText() (deprecated since 1.21) is no longer marked + deprecated. * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed. 
@@ -1846,9 +2067,10 @@ changes to languages because of Phabricator reports. * RedisConnectionPool::handleException (deprecated since 1.23) was removed. * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete and outdated lists of errors/warnings returned by the API, are now deprecated. -* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" - URLs to continue to work, set up redirects. In Apache, this can be done by enabling - mod_rewrite and adding the following rules to your configuration: +* wiki.phtml entry point was removed. Refer to index.php instead. If you want + "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can + be done by enabling mod_rewrite and adding the following rules to your + configuration: RewriteEngine On RewriteBase / @@ -1876,8 +2098,8 @@ changes to languages because of Phabricator reports. * Article::doEditContent() was marked as deprecated, to be removed in 1.30 or later. * ContentHandler::runLegacyHooks() was removed. -* refreshLinks.php now can be limited to a particular category with --category=... - or a tracking category with --tracking-category=... +* refreshLinks.php now can be limited to a particular category with + --category=... or a tracking category with --tracking-category=... * User-like objects that are passed to SpecialUserRights and its subclasses are now required to have a getGroupMemberships() method. See UserRightsProxy for an example. 
@@ -1951,28 +2173,34 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. === Changes since 1.28.2 == * (T168856) Allow SVGs created by Dia to be uploaded. * (T157545) Add missing doUpdates() call to refreshLinks.php. -* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown. -* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle. +* (T165714) (T100085) Better handling of jobs execution in post-connection + shutdown. +* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of + Database->onTransactionIdle. * (T154425) Make DeferredUpdates detect LBFactory transaction rounds. -* (T149454) Restore erroneously removed realTableName call from DatabasePostgres. +* (T149454) Restore erroneously removed realTableName call from + DatabasePostgres. * (T167798) Fix phrase search and highlighting for phrase queries. * (T151136) Provide credits information to callbacks in extension registration. -* (T160462) Allow namespaces defined in extension.json to be overwritten locally. +* (T160462) Allow namespaces defined in extension.json to be overwritten + locally. * (T168337) Fix ErrorPageError to work from non-UI contexts. * (T143788) Backports for PHP 7.0 and 7.1 support. * (T175439) Unbreak Postgres Updater when setting defaults for a column. * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * (T174255) Declare uploadCount property in importDump.php. -* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. -* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser - sends non-standard url escaping. +* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to + v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and + browser sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. 
* (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. * (T125163) SECURITY: Make anchor for headlines escape > and <. * (T180237) SECURITY: Protect vendor folder with .htaccess. -* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in + update.php. * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. * (T119158) SECURITY: Handle -{}- syntax in attributes safely. @@ -1991,8 +2219,8 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. -* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has - more than one database server setup. +* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki + has more than one database server setup. * (T152717) Better escaping for PHP mail() command, * (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored. 
@@ -2000,25 +2228,28 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * (T158766) Avoid SQL error on MSSQL when using selectRowCount(). * (T145635) Fix too long index error when installing with MSSQL. * (T156184) $wgRawHtml will no longer apply to internationalization messages. -* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. -* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs. -* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect - to interwiki links. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is + installed. +* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 + installs. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow + redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. -* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF - token. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a + CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. -* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory - in it's fallback chain when trying to work out where to write the cache. -* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion - syntax's link parameter. -* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against - it. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary + directory in it's fallback chain when trying to work out where to write the + cache. 
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file + inclusion syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected + against it. == MediaWiki 1.28 == @@ -2045,7 +2276,8 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * (T149759) manifest_version: 2 was removed. === Configuration changes in 1.28 === -* $wgSend404Code now affects status code of action=history if the page is not there. +* $wgSend404Code now affects status code of action=history if the page is not + there. * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported. 
@@ -2069,16 +2301,19 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes". -* The 'editcontentmodel' permission is now granted to all logged-in users ('user'). +* The 'editcontentmodel' permission is now granted to all logged-in users + ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at . -* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled. -* Magic links are now disabled by default, and can be re-enabled by modifying the value - of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, - a tracking category will be added to help identify usage and make it easier to migrate - away from. If you depend upon magic link functionality, it is requested that you comment - on and - explain your use case(s). +* $wgRevisionCacheExpiry is now set to one week by default instead of being + disabled. +* Magic links are now disabled by default, and can be re-enabled by modifying + the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are + manually enabled, a tracking category will be added to help identify usage and + make it easier to migrate away from. If you depend upon magic link + functionality, it is requested that you comment on + + and explain your use case(s). * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting. 
@@ -2093,21 +2328,24 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. and the file description page, but does not run for uploads to stash. * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed. -* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation - to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations, - a 'numeric' collation is also available. If migrating from another - collation, you will need to run the updateCollation.php maintenance script. -* Two new codes have been added to #time parser function: "xit" for days in current - month, and "xiz" for days passed in the year, both in Iranian calendar. +* (T8948) Numeric sorting in categories is now supported by setting + $wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you + can't use UCA collations, a 'numeric' collation is also available. If + migrating from another collation, you will need to run the updateCollation.php + maintenance script. +* Two new codes have been added to #time parser function: "xit" for days in + current month, and "xiz" for days passed in the year, both in Iranian + calendar. * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki. -* After a client performs an action which alters a database that has replica databases, - MediaWiki will wait for the replica databases to synchronize with the master database - while it renders the HTML output. However, if the output is a redirect to another wiki - on the wiki farm with a different domain, MediaWiki will instead alter the redirect - URL to include a ?cpPosTime parameter that triggers the database synchronization when - the URL is followed by the client. The same-domain case uses a new cpPosTime cookie. 
+* After a client performs an action which alters a database that has replica + databases, MediaWiki will wait for the replica databases to synchronize with + the master database while it renders the HTML output. However, if the output + is a redirect to another wiki on the wiki farm with a different domain, + MediaWiki will instead alter the redirect URL to include a ?cpPosTime + parameter that triggers the database synchronization when the URL is followed + by the client. The same-domain case uses a new cpPosTime cookie. * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. @@ -2124,7 +2362,8 @@ This is a security and maintenance release of the MediaWiki 1.28 branch. * Added wikimedia/wait-condition-loop v1.0.1 === Bug fixes in 1.28 === -* (T146496) action=history pages should return 404 HTTP error code if the page does not exist +* (T146496) action=history pages should return 404 HTTP error code if the page + does not exist * (T137264) SECURITY: XSS in unclosed internal links * (T133147) SECURITY: Escape '<' and ']]>' in inline
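Review bot: In the @@ -1695,30 +1911,32 @@ hunk, the re-wrapped (T161453) entry still reads "in it's fallback chain", where the possessive "its" is meant. The line is being rewritten anyway, so correct it here, and make the same correction to the identical (T161453) entry re-wrapped in the @@ -2000,25 +2228,28 @@ hunk so the two copies of the note stay in sync.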
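Review bot: In the @@ -1951,28 +2173,34 @@ hunk, the re-wrapped (T180231) line keeps the misspelling "dev dependancy"; it should read "dev dependency". The unchanged context line "=== Changes since 1.28.2 ==" in the same hunk opens with three equals signs and closes with two, which is worth balancing in the same pass since this commit is a formatting cleanup of the file.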
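Review bot: In the @@ -2069,16 +2301,19 @@ hunk, the 'editcontentmodel' entry is wrapped so that "('user')." sits alone on a continuation line while the sentence carries on in the untouched context line "instead of just administrators ('sysop').". Reflow the two lines together and drop the period after ('user'), which currently ends the sentence before its "instead of" clause. As written, the entry reads as if the permission change were complete at "all logged-in users", and the comparison with the previous sysop-only default becomes a fragment.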