Change notes from older releases. For current info see RELEASE-NOTES-1.33.
= MediaWiki 1.32 =
== MediaWiki 1.32.0 ==
=== Changes since MediaWiki 1.32.0-rc.2 ===
* (T188327) Fix slow queries in migrateActors.php.
* (T102320) Fix $magicWords for the Sanskrit language.
=== Changes since MediaWiki 1.32.0-rc.1 ===
* Fix addition of ug_expiry column to user_groups table on MSSQL.
* (T210307) Fix the cache timestamp for forced updates.
* (T210621) User: Bypass repeatable-read when creating an actor_id.
* (T197535) Extensions can now specify PHP versions and PHP extensions they
depend on.
* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
* (T212356) When using action=delete on pages with many revisions, the module
may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
deletion will be processed via the job queue.
* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
recentchanges.rc_cur_time from the PostgreSQL schema.
=== Changes since MediaWiki 1.32.0-rc.0 ===
* (T209885) Prevent populateSearchIndex.php from breaking once actor migration
has been started.
* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
if --lang is used with the command-line installer (install.php).
=== Configuration changes in 1.32 ===
==== New configuration ====
* $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
this setting. The default is 80, which matches the quality of JPEG thumbnails
previously generated by ImageMagick. The quality of JPEG thumbnails generated
by GD was previously 95, but now uses the $wgJpegQuality setting as well.
* $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
user is blocked. Doing so means that a blocked user, even after moving to a
new IP address, will still be blocked.
* $wgRawHtmlMessages – This new configuration setting is added for listing
messages which are displayed as raw HTML.
* $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
"Content Security Policy" for your wiki. This adds a defense-in-depth feature
to stop an attacker who has found a bug in the parser allowing them to insert
malicious attributes. Disabled by default. (T135963)
* $wgGroupPermissions – A new user group, 'interface-admin', is added for
controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
by default.
* $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
granting the above rights.
* $wgDBDefaultGroup – A default database group for use by maintenance scripts.
* $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
enable client-side profiling of JavaScript modules; it is off by default.
* (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
setting allows sysadmins to gradually migrate the database table schema for
how change tags are stored.
* (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
allows sysadmins to enable the caching of Special:Tags via the new
change_tag_def table.
==== Changed configuration ====
* $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
* $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
been increased from 3 to 7 days. (T194414)
* $wgGroupPermissions – The right to edit sitewide JavaScript
(e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
'editinterface' is still necessary to edit such pages.
* $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
old and the new schema, but reading the new schema, so Multi-Content Revisions
(MCR) are now functional per default. The new default value of the setting is
SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
* $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
for intermediate stages of migration.
* $wgDBTableOptions – The default table options now use the binary charset. The
default was already overridden in the installer-generated LocalSettings.php,
and so is always set to binary after the installer UI option was removed. The
default value is only used when the installer installs an extension.
* $wgPopularPasswordFile — The location of the default popular passwords file
has been moved to be in line with other non-PHP files used by libraries and
classes.
* $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
potential privacy leaks by administrators. You can check
"MediaWiki:External image whitelist" on your wiki to see whether the feature
was ever used, and whether it needs to be re-enabled.
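The split of the CSS/JS rights described in this section can be checked against a site's own configuration. The following is an added example, not MediaWiki code: a stand-alone PHP script that audits a $wgGroupPermissions-shaped array. The sample array and the 'templateeditor' group are constructed, and $wgRevokePermissions is ignored for brevity.

```php
<?php
// Added example: audit a $wgGroupPermissions-shaped array for the sitewide
// CSS/JS rights introduced in 1.32. Not part of MediaWiki.

const CODE_RIGHTS = [ 'editsitecss', 'editsitejs', 'editusercss', 'edituserjs' ];

/** Rights a user gets as the union of all groups they belong to. */
function effectiveRights( array $groupPermissions, array $groups ): array {
	$rights = [];
	foreach ( $groups as $group ) {
		foreach ( $groupPermissions[$group] ?? [] as $right => $granted ) {
			if ( $granted === true ) {
				$rights[$right] = true;
			}
		}
	}
	return array_keys( $rights );
}

/** Groups other than 'interface-admin' that hold any of the CSS/JS rights. */
function groupsWithCodeRights( array $groupPermissions ): array {
	$findings = [];
	foreach ( $groupPermissions as $group => $rights ) {
		if ( $group === 'interface-admin' ) {
			continue;
		}
		$held = array_keys( array_filter( $rights ) );
		$risky = array_values( array_intersect( CODE_RIGHTS, $held ) );
		if ( $risky !== [] ) {
			$findings[$group] = $risky;
		}
	}
	return $findings;
}

/** Editing sitewide JS needs 'editinterface' and 'editsitejs' together. */
function canEditSiteJs( array $groupPermissions, array $groups ): bool {
	$rights = effectiveRights( $groupPermissions, $groups );
	return in_array( 'editinterface', $rights, true )
		&& in_array( 'editsitejs', $rights, true );
}

// Constructed sample: a local override granted 'editsitejs' to a custom
// (hypothetical) 'templateeditor' group.
$groupPermissions = [
	'*' => [ 'read' => true ],
	'sysop' => [ 'editinterface' => true, 'delete' => true ],
	'templateeditor' => [ 'editsitejs' => true, 'editsitecss' => false ],
	'interface-admin' => [
		'editinterface' => true, 'editsitecss' => true, 'editsitejs' => true,
		'editusercss' => true, 'edituserjs' => true,
	],
];

foreach ( groupsWithCodeRights( $groupPermissions ) as $group => $rights ) {
	echo "$group holds: " . implode( ', ', $rights ) . "\n";
}

// Rights accumulate across groups, so test combinations, not single groups.
$memberships = [ [ 'sysop' ], [ 'templateeditor' ], [ 'sysop', 'templateeditor' ] ];
foreach ( $memberships as $groups ) {
	printf(
		"%-24s can edit site JS: %s\n",
		implode( '+', $groups ),
		canEditSiteJs( $groupPermissions, $groups ) ? 'yes' : 'no'
	);
}
```

In the sample, neither 'sysop' nor 'templateeditor' alone can edit sitewide JavaScript, but a user in both groups can.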
==== Removed configuration ====
* $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
have been removed. (T115414)
* $wgSiteSupportPage – This setting, unused since 1.5, was removed.
* $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
* $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
* $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
most extensions, is no longer set. Instead, you can modify the system
message `emailsender`.
* $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
were removed. RemexHtml, which is the default, should be used instead.
* (T181318) The $wgStyleVersion setting and its appendage to various script and
style URLs in OutputPage, deprecated in 1.31, were removed.
* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
from ResourceLoader. Instead, use `@import` statements in LESS to import
files directly from nearby directories within the same project.
* (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
the ResourceLoaderModule::getLessVars() method.
* $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
was removed.
* Two temporary variables for deploying the feature of filters on change lists,
$wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
$wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
=== New features in 1.32 ===
* (T112474) Generalized the ResourceLoader mechanism for overriding modules
using a particular page during edit previews.
* (T12331) You can now log page creation events by setting $wgPageCreationLog
to true.
* Added 'ApiParseMakeOutputPage' hook.
* (T174313) Added checkbox on Special:ListUsers to display only users in
temporary user groups.
* (T152462) A cookie can now be set when an IP user is blocked to track that
user if they move to a new IP address. This is disabled by default.
* (T194950) Added 'ApiMaxLagInfo' hook.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
getLoginSecurityLevel() returns non-false.
* The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
&$query and &$widthOption, allowing extensions even finer control over the
resulting HTML code.
* Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
if the [mark as patrolled] link should be shown at the footer of patrollable
pages.
* The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
is now passed by reference, allowing extensions to modify or even unset it.
* Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
modify the return value of OutputPage#getHeadLinksArray in order to add,
remove or otherwise alter the elements to be output in the page <head>.
* (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
additional links to the subtitle of a history page.
* The 'GetLinkColours' hook now receives an additional $title parameter,
the Title object of the page being parsed, on which the links will be shown.
* (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
render diffs between two Content objects, and DifferenceEngine::setRevisions()
to render diffs between two custom (potentially multi-content) revisions.
Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
* Added a temporary action=mcrundo to the web UI, as the normal undo logic
can't yet handle MCR and deadlines are forcing us to put off fixing that.
This action should be considered deprecated and should not be used directly.
* Extensions overriding ContentHandler::getUndoContent() will need to be
updated for the changed method signature.
* Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
from a user. Unlike 'UserGetRights', it ensures that removed rights
will not be reinserted.
* (T197535) Extensions can now specify PHP versions and PHP extensions they
depend on.
=== External library changes in 1.32 ===
==== New external libraries ====
* Added pear/Net_SMTP v1.8.0.
* Added wikimedia/xmp-reader v0.6.0.
* Added cache/integration-tests v0.16.0 (dev-only).
* Added giorgiosironi/eris v0.10.0 (dev-only).
* Added seld/jsonlint v1.7.1 (dev-only).
* Added EasyDeflate (unversioned).
==== Changed external libraries ====
* Updated OOUI from v0.26.3 to v0.29.2.
* Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
* Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
* Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
** ScopedCallback objects can no longer be serialized.
* Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
* Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
* Replaced oyejorge/less.php with our fork, wikimedia/less.php.
* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
* Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
* Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
* Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
* Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
* Updated jquery from v3.2.1 to v3.3.1.
* Updated jquery.client from v2.0.0 to v2.0.1.
* Updated jquery.i18n from v1.0.4 to v1.0.5.
* Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
* Updated OOjs from v2.2.0 to v2.2.2.
* Updated qunitjs from v2.4.0 to v2.6.2.
* Updated sinonjs from v1.17.3 to v1.17.7.
==== Removed external libraries ====
* pear/mail_mime-decode was removed.
=== Bug fixes in 1.32 ===
* SpecialPage::execute() will now only call checkLoginSecurityLevel() if
getLoginSecurityLevel() returns non-false.
* (T43720, T46197) Improved page display title handling for category pages.
* (T65080) Fixed resetting options of some types via API action=options.
=== Action API changes in 1.32 ===
* Added templated parameters.
** A module can define a templated parameter like "{fruit}-quantity", where
the actual parameters recognized correspond to the values of a multi-valued
parameter. Then clients can make requests like
"fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
** action=paraminfo will return templated parameter definitions separately
from normal parameters. All parameter definitions now include an "index"
key to allow clients to maintain parameter ordering when merging normal and
templated parameters.
* It is now an error to submit too many values for a multi-valued parameter.
This has generated a warning since MediaWiki 1.14.
* Assertion failures from the 'assert' and 'assertuser' parameters will no
longer use the action module's custom response format, for the few modules
that use custom formatters that handle errors.
* (T198935) User list preferences such as `email-blacklist` and similar
extension preferences are no longer represented as arrays when returned by
action=query&meta=userinfo&uiprop=options.
* 'missingparam' errors will now use the prefixed parameter name in the code
and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
than "nofoo" and "The 'foo' parameter must be set".
* action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
multi-content revision slots for which content should be returned. It also
has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
warning will be issued if rvprop=content or rvprop=contentmodel are used
without rvslots.
* The rvcontentformat parameter to action=query&prop=revisions has been
deprecated. Clients should be prepared to deal with the default format for
relevant models.
* Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
rvprop=parsetree is forbidden with the new 'rvslots' parameter.
* action=query&prop=deletedrevisions, action=query&list=allrevisions, and
action=query&list=alldeletedrevisions are changed similarly to
&prop=revisions (see the three previous items).
* (T174032) action=compare now supports multi-content revisions.
** It has a 'slots' parameter to select diffing of individual slots. The
default behavior is to return one combined diff.
** The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
slots have text supplied and the corresponding templated parameters for
each slot.
** The behavior of 'fromsection' and 'tosection' of extracting one section's
content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
instead expand the given text as if for a section edit. This effectively
declines T183823 in favor of T185723.
* (T198214) The 'disabletidy' parameter to action=parse has been
deprecated; untidy output will not be supported by future wikitext
parsers.
* Added intestactionsdetail to action=query&prop=info to allow retrieving the
reasons an action is not allowed.
* Deprecated action=query&prop=info inprop=readable in favor of
intestactions=read.
* (T212356) When using action=delete on pages with many revisions, the module
may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
deletion will be processed via the job queue.
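The templated-parameter expansion described in this section, as an added PHP illustration (not MediaWiki's ApiBase implementation). It uses the "{fruit}-quantity" request from the text, extended with a constructed 'cherries-quantity' parameter; the function names and the MAX_VALUES limit are assumptions made for the example.

```php
<?php
// Added example: how templated parameter names expand against the values of
// a multi-valued parameter. Not MediaWiki code.

const MAX_VALUES = 50; // assumed limit; the page does not state the real one

/**
 * Expand a templated name such as "{fruit}-quantity" into concrete names.
 * $templateVars maps each placeholder to the multi-valued parameter that
 * feeds it, e.g. [ 'fruit' => 'fruits' ].
 */
function expandTemplatedParam( string $template, array $templateVars, array $request ): array {
	$combos = [ [] ];
	foreach ( $templateVars as $placeholder => $sourceParam ) {
		$raw = $request[$sourceParam] ?? '';
		$values = $raw === '' ? [] : explode( '|', $raw );
		// Too many values for a multi-valued parameter is an error, not a warning.
		if ( count( $values ) > MAX_VALUES ) {
			throw new InvalidArgumentException( "Too many values for '$sourceParam'" );
		}
		$next = [];
		foreach ( $combos as $combo ) {
			foreach ( $values as $value ) {
				$next[] = $combo + [ '{' . $placeholder . '}' => $value ];
			}
		}
		$combos = $next;
	}
	// strtr() substitutes in one pass, so a value is never re-expanded.
	return array_map(
		static function ( array $combo ) use ( $template ) {
			return strtr( $template, $combo );
		},
		$combos
	);
}

/** Split request parameters into recognized and unrecognized names. */
function classifyParams( array $plainParams, array $templated, array $request ): array {
	$known = $plainParams;
	foreach ( $templated as $template => $templateVars ) {
		$known = array_merge( $known, expandTemplatedParam( $template, $templateVars, $request ) );
	}
	$recognized = array_intersect_key( $request, array_flip( $known ) );
	return [
		'recognized' => $recognized,
		'unrecognized' => array_keys( array_diff_key( $request, $recognized ) ),
	];
}

// The request from the text, plus a constructed parameter for a value that
// is not listed in "fruits".
parse_str(
	'fruits=apples|bananas&apples-quantity=1&bananas-quantity=5&cherries-quantity=3',
	$request
);

$result = classifyParams(
	[ 'fruits' ],
	[ '{fruit}-quantity' => [ 'fruit' => 'fruits' ] ],
	$request
);

foreach ( $result['recognized'] as $name => $value ) {
	echo "recognized:   $name = $value\n";
}
foreach ( $result['unrecognized'] as $name ) {
	echo "unrecognized: $name\n";
}
```

Only names that correspond to a submitted value of 'fruits' are recognized, so 'cherries-quantity' is reported as unrecognized.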
=== Action API internal changes in 1.32 ===
* Added 'ApiParseMakeOutputPage' hook.
* Parameter names may no longer contain '{' or '}', as these are now used for
templated parameters.
* (T194950) Added 'ApiMaxLagInfo' hook.
* The following methods now take a RevisionRecord rather than a Revision. No
external callers are known.
** ApiFeedContributions::feedItemAuthor()
** ApiFeedContributions::feedItemDesc()
** ApiQueryRevisionsBase::extractRevisionInfo()
* The following deprecated methods have been removed:
** ApiBase::profileIn() (deprecated in 1.25)
** ApiBase::profileOut() (deprecated in 1.25)
** ApiBase::safeProfileOut() (deprecated in 1.25)
** ApiBase::profileDBIn() (deprecated in 1.25)
** ApiBase::profileDBOut() (deprecated in 1.25)
** ApiBase::dieUsage() (deprecated in 1.29)
** ApiBase::dieUsageMsg() (deprecated in 1.29)
** ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
** ApiBase::getErrorFromStatus() (deprecated in 1.29)
** ApiBase::parseMsg() (deprecated in 1.29)
** ApiBase::setWarning() (deprecated in 1.29)
** ApiPageSet::getInvalidTitles() (deprecated in 1.26)
** ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
** ApiUsageException::getCodeString() (deprecated in 1.29)
** ApiUsageException::getMessageArray() (deprecated in 1.29)
* Class UsageException, deprecated in 1.29, has been removed.
* ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
can now easily test $formatter->getFormat() === 'bc', and then call
$formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
=== Languages updated in 1.32 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.
* (T193566) Added language support for Ambonese Malay (abs).
* (T194047) Added language support for Shawiya, Latin script (shy-latn).
* (T195940) Added language support for Batak Mandailing (btm).
* (T137491) Added language support for Standard Moroccan Amazigh (zgh).
* (T198132) Added language support for Manipuri (mni).
* (T201276) Added language support for Western Armenian (hyw).
* (T201583) Added language support for Mon (mnw).
=== Breaking changes in 1.32 ===
* $wgRequestTime, deprecated in 1.25, was removed. Use
$_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
* The MediaWikiI18N class, deprecated in 1.31, was removed.
* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
Skin::msg() instead.
* wfInitShellLocale(), deprecated in 1.30, was removed.
* wfShellExecDisabled(), deprecated in 1.30, was removed.
* The type string for the parameter $lang of DateFormatter::getInstance,
deprecated in 1.31, was removed.
* The EDIT_TOKEN_SUFFIX constant, deprecated in 1.27, was removed. Use
MediaWiki\Session\Token::SUFFIX instead.
* EditPage::isOouiEnabled(), deprecated in 1.30, was removed.
* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
instead.
* (T61113) The following methods and constants from the Revision class, which
were deprecated in 1.25, have now been removed:
** Revision::getRawUser()
** Revision::getRawUserText()
** Revision::getRawComment()
* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
mw.msg() or mw.message() instead.
* mw.util.escapeId(), deprecated in 1.30, was removed. Use
mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
jquery.accessKeyLabel instead.
* The SqlDataUpdate class, deprecated in 1.28, has been removed.
* The Html5Internal and Html5Depurate tidy driver classes were removed, along
with the Balancer tidy implementation. Both implementations were experimental,
and were replaced by RemexHtml.
* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
removed. Use JobQueueGroup::singleton()->push() instead.
* The jquery.footHovzer module, for mediawiki.debug, was removed.
* The es5-shim module, empty and deprecated since 1.29, was removed.
* The dom-level2-shim module, empty and deprecated since 1.29, was removed.
* The json module, empty and deprecated since 1.29, was removed.
* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
removed. Use mediawiki.widgets.visibleLengthLimit instead.
* The jquery.farbtastic module, unused since 1.18, was removed.
* The 'jquery.expandableField' module, unused since 1.22, was removed.
* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
any HTMLForm object rather than PreferencesForm.
* The non-namespaced TimestampException class, deprecated in 1.29, was removed.
Use Wikimedia\Timestamp\TimestampException instead.
* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
The UtfNormal\Utils class from the utfnormal library should be used instead.
* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
from the UtfNormal\Constants class from the utfnormal library should be used
instead.
* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
only needed for PHP5 compatibility, have been removed. It now uses the boolean
values `true` and `false` respectively.
* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
were removed. Use the ParserCache class instead.
* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
instead.
* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
is no longer loaded by default. The Vector and MonoBook skins have made a
minor change to implement the toggle feature with CSS instead. To restore
prior functionality, either explicitly load "jquery.mw-jump" in your skin
or refer to T195256 for details on how to make the same change.
* Hook 'EditPageBeforeEditChecks' was removed;
use 'EditPageGetCheckboxesDefinition' instead.
* Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
* Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
instead.
* mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
CapsuleMultiselectWidget. The following methods may no longer be used:
** setItemsFromData: Use setValue instead
** getItemsData: Use getItems instead and get the data property
* Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
removed. Use addLink() instead.
* Another two OutputPage methods, setPageTitleActionText() and
getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
ten years). Use setHTMLTitle() directly.
* The return value of OutputPage::adaptCdnTTL() has been removed. The
value returned was misleading and probably not what any caller would
have wanted.
* All MagicWord static member variables have been removed. Use appropriate
hooks or MagicWordFactory methods instead.
* MagicWord::clearCache() has been removed. Instead, create a new
MagicWordFactory, such as by calling
resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
* mw.util.init() has been removed. This function is not needed anymore and was
a no-op function since 1.30.
* SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
instead.
* MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
$wgProfiler and $wgEnableProfileInfo.
* The mw.loader.addSource() is now considered a private method, and no longer
supports the `id, url` signature. Use the `Object` parameter instead.
* The backwards-compatibility code in HTMLForm to add a drop-down control to an
option that is not set to be a drop-down if the "mw-chosen" class is present,
is now removed.
* Several collations were removed. They were workarounds for bugs in the ICU
library and they are no longer needed (as of ICU 57.1):
** 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
** 'xx-uca-et' (CollationEt) - use 'uca-et' instead
** 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
* LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
that some MediaWiki-specific language codes, such as `simple`, are mapped
into valid BCP 47 codes (e.g. `en-simple`).
* The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
The ChangesListSpecialPage code for these legacy hooks, and their use in
SpecialRecentchanges.php and SpecialWatchlist, was also removed:
** ChangesListSpecialPage->getCustomFilters()
** ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
** ChangesListSpecialPage::customFilters
* The global function wfUseMW, deprecated since 1.26, has now been removed. Use
the "requires" property of static extension registration instead.
* $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
* The MailAddress constructor can no longer be called with a User object,
behaviour which has been deprecated since 1.24.
* LBFactory, deprecated since 1.28, has been removed. Instead, use
Wikimedia\Rdbms\LBFactory.
* The MimeMagic class, deprecated since 1.28, has been removed. Get a
MimeAnalyzer instance from MediaWikiServices instead.
* The '--tidy' option to maintenance/parse.php has been removed. Tidying
the output is now the default. Use '--no-tidy' to bypass the tidy
phase.
* The global function wfErrorLog, deprecated since 1.25, has now been removed.
Use MWLoggerLegacyLogger::emit or UDPTransport.
* The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
ChangesListSpecialPageQuery.
* The global function wfUsePHP, deprecated since 1.30, has now been removed. To
assert a newer version of PHP than MediaWiki does, use extension registration.
* The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
* DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
* File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
* The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
the hook 'SkinEditSectionLinks' instead.
* The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
* The global function wfRunHooks, deprecated since 1.25, has now been removed.
Use Hooks::run().
* The hook 'UnknownAction', deprecated since 1.19, has now been removed.
* The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
* The following deprecated API methods have been removed:
** ApiBase::profileIn() (deprecated in 1.25)
** ApiBase::profileOut() (deprecated in 1.25)
** ApiBase::safeProfileOut() (deprecated in 1.25)
** ApiBase::profileDBIn() (deprecated in 1.25)
** ApiBase::profileDBOut() (deprecated in 1.25)
** ApiBase::dieUsage() (deprecated in 1.29)
** ApiBase::dieUsageMsg() (deprecated in 1.29)
** ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
** ApiBase::getErrorFromStatus() (deprecated in 1.29)
** ApiBase::parseMsg() (deprecated in 1.29)
** ApiBase::setWarning() (deprecated in 1.29)
** ApiPageSet::getInvalidTitles() (deprecated in 1.26)
** ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
** ApiUsageException::getCodeString() (deprecated in 1.29)
** ApiUsageException::getMessageArray() (deprecated in 1.29)
* Class UsageException, deprecated in 1.29, has been removed.
* MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
been removed, and instead sysadmins will be required to choose one (or more)
of the several extensions available for this purpose if they need the
functionality. The MediaWiki "tarball" releases have included the replacement
extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
for many years now. As part of this, several parts of MediaWiki have been
removed or simplified:
** The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
hook, it will be shown; extensions should provide a specific user preference
to disable themselves as needed.
** The public methods Language::getImageFile() and ::getImageFiles(), and the
related specification of $imageFiles within individual languages' code file,
as well as the referenced static media assets, all of which were only used
inside MediaWiki itself for providing the icons for the old toolbar, have
been removed without explicit deprecation.
** The internal ResourceLoader module "mediawiki.toolbar", which is unused
except by MediaWiki itself and back-compatibility code, has been removed.
** The internal ResourceLoaderEditToolbarModule class has been removed.
=== Deprecations in 1.32 ===
* HTMLForm::setSubmitProgressive() is deprecated. There is no need to call it;
the submit button is already marked as progressive.
* Skin::setupSkinUserCss() is deprecated. Adding of modules to load
has been centralised to Skin::getDefaultModules(), which is now capable
of queueing style modules as well.
* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
deprecated. Use addModules() instead.
* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
in extending classes is deprecated. Extend related doSearch* methods
instead.
* The following 'mediawiki.api' plugin modules were merged into mediawiki.api
and deprecated: mediawiki.api.category, mediawiki.api.edit,
mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
mediawiki.api.messages, and mediawiki.api.rollback.
* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
to use it.
* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
with the 'unwatch' action parameter instead.
* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
* The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
of the namespaced classes provided by the wikimedia/xmp-reader library.
* SearchResultSet::{next,rewind} are deprecated. Calling code should
use foreach on the SearchResultSet, or the extractResults method. Extending
code should override extractResults.
* Instantiating SearchResultSet directly is deprecated. SearchEngine
implementations must subclass SearchResultSet for their purposes.
* SearchResult::setExtensionData argument has been changed from accepting an
array to accepting a Closure that returns the array when called.
* Class CryptRand, everything in MWCryptRand except generateHex(), and the
function MediaWikiServices::getInstance()->getCryptRand() are deprecated. Use
random_bytes() to generate cryptographically secure random byte sequences.
* Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
instead.
* Language::markNoConversion() is deprecated. It confused readers because
it had unexpected behavior (only marking text if it looked like a URL)
and was only used in a single place in the code. Use
LanguageConverter::markNoConversion() instead.
* (T197492) Language::truncate() was soft deprecated in 1.31 and is
hard deprecated in this release. It has been split into two similar
methods, Language::truncateForVisual() and Language::truncateForDatabase(),
which measure length in characters and bytes, respectively. Use
Language::truncateForVisual() when possible to provide equity to users
of multibyte scripts.
* (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
context title is unset is now deprecated; anything creating an EditPage
instance should set the context title via ::setContextTitle().
* The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
* ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
are deprecated. These concepts are obsolete and have no replacement.
* String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
* The following methods of OutputPage are now deprecated in favour
of using showFatalError directly: OutputPage::showFileDeleteError(),
OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError(),
OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
* The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
classes are now deprecated. Use a Closure instead.
* (T194263) ContentHandler::makeParserOptions() is deprecated. Use
WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
* (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
the Parsoid v3 API in May 2015.
* $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
$formDescriptor instead.
* SearchEngine::transformSearchTerm( $term ) should no longer be called prior
to running searchText. This method was mainly implemented to support the
'prefix' URI param in SpecialSearch, but there are no reasons to expose this
logic as it should be handled internally by SearchEngine implementations
supporting this feature. SearchEngine implementations should no longer
override this method.
* SearchEngine::replacePrefixes( $query ) should no longer be called prior
to running searchText/searchTitle.
* (T199657) Messages for $wgFilterLogTypes labels should no longer be in the
'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
* Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
Use array_filter() directly.
* The $wgShowSQLErrors global is deprecated and nonfunctional.
Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
* The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
Set $wgShowExceptionDetails instead.
* Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
getOldRevision() / getNewRevision() for the first four (note that the
revision ones return a RevisionRecord, not a Revision), do your own lookup
for page/content.
* The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
just enable the PHP extension, and it will be autodetected.
* (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
subclass it to customize diff rendering); to diff custom (e.g. unsaved)
content, use setRevisions(). Subclassing DifferenceEngine should only be done
to customize page-level diff properties (such as the navigation header).
* The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
* All MagicWord static methods are now deprecated. Use the MagicWordFactory
methods instead.
* PasswordFactory::init is deprecated. To get a password factory with the
standard configuration, use
MediaWikiServices::getInstance()->getPasswordFactory.
* $wgContLang is deprecated, use
MediaWikiServices::getInstance()->getContentLanguage() instead.
* $wgParser is deprecated, use MediaWikiServices::getInstance()->getParser()
instead.
* wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
instead.
* wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
* All SpecialPageFactory static methods are deprecated. Instead, call the
methods on a SpecialPageFactory instance, which may be obtained from
MediaWikiServices.
* mw.user.stickyRandomId was renamed to the more explicit
mw.user.getPageviewToken to better capture its function.
* Passing Revision objects to ContentHandler::getUndoContent() is deprecated;
Content objects should be passed instead.
* (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
previously used by OOUI HTMLForm fields, are now deprecated. Use
'help', 'help-message', 'help-messages' instead.
* (T197179) HTMLFormField::getNotices() is now deprecated.
* The jquery.localize module is now deprecated. Use jquery.i18n instead.
* The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
or overriding ContentHandler::getSecondaryDataUpdates (T194038).
* The WikiPageDeletionUpdates hook was deprecated in favor of
PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
(T194038).
* Content::getSecondaryDataUpdates has been deprecated in favor of
ContentHandler::getSecondaryDataUpdates() for overriding by extensions
(T194038).
Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
* Content::getDeletionUpdates has been deprecated in favor of
ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
* (T198214) Old Tidy-related configuration settings, which were soft-deprecated
in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
$wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
$wgTidyConfig instead.
* All Tidy configurations other than Remex have been hard deprecated;
future parsers will not emit compatible output for these configurations.
In particular, running MediaWiki with tidy disabled has been deprecated.
* (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
and OutputPage::addWikiTextTitle() have been deprecated, since they
can result in untidy output. In addition, OutputPage::addWikiTextTidy()
and OutputPage::addWikiTextTitleTidy() were deprecated to make the naming of
new methods consistent. Use OutputPage::addWikiTextAsInterface() or
OutputPage::addWikiTextAsContent() instead, which ensure the output is
tidy and clarify whether content-language specific postprocessing should
be done on the text.
* OutputPage::parse() and OutputPage::parseInline() have been deprecated
due to untidy output and inconsistent handling of wrapper divs and
interface/content language defaults. Use OutputPage::parseAsContent(),
OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
as appropriate.
* QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
as they promote bad practices. I18n messages should always be properly
escaped.
* Skin::getDynamicStylesheetQuery() has been deprecated. It always
returns action=raw&ctype=text/css which callers should use directly.
* Class LegacyFormatter is deprecated.
* Use of CommentStore::insertWithTempTable() with 'img_description' is
deprecated. Use CommentStore::insert() instead.
* Language::setCode is deprecated as a public function. Use Language::factory
to create a new Language object with a different language code.
* Several classes have been moved from the MediaWiki\Storage\ namespace to the
MediaWiki\Revision\ namespace. The old class names are aliased for
compatibility, but are deprecated. Classes are IncompleteRevisionException,
MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
SuppressedDataException.
* When using an OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
option, it is now deprecated to give its contents (the 'default' option)
as a string. They should be given as an OOUI\FieldLayout object instead.
Notably, this affects fields defined in the 'GetPreferences' hook, because
Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
* In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
deprecated. For the $lang parameter, types other than Language are
deprecated.
* The $wgUseKeyHeader configuration option and the
OutputPage::getKeyHeader() method have been deprecated; the relevant
draft IETF spec expired without becoming a standard.
* Deprecated API action=query&prop=info inprop=readable in favor of
intestactions=read.
=== Other changes in 1.32 ===
* (T198811) The following tables have had their UNIQUE indexes turned into
proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
protected_titles and site_identifiers.
* OOUI HTMLForm will now display help text inline after the input field,
rather than in a popup. Previous behavior can be restored by using
`'help-inline' => false`.
* The archive table's ar_rev_id field is now unique.
* Special:BotPasswords now requires reauthentication.
* (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
storage layer and have basic support for display. No user interface exists
yet for creating or managing content in slots besides the main slot. See
<https://www.mediawiki.org/wiki/Multi-Content_Revisions> for more
information.
* The image_comment_temp database table has been removed. Since all access
should be mediated by the CommentStore class, this change shouldn't affect
external code.
* (T206147) Database::close() will no longer commit any open transactions.
* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
recentchanges.rc_cur_time from the PostgreSQL schema.
= MediaWiki 1.31 =
== MediaWiki 1.31.1 ==
This is a security and maintenance release of the MediaWiki 1.31 branch.
=== Changes since MediaWiki 1.31.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
* (T197229) Bundle Nuke extension, it was accidentally omitted.
* (T193995) Fix undefined patchPath() method call in parser tests.
* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T198037) GitInfo: Don't try shelling out if it's disabled.
* (T151415) Log email changes.
* (T197206) Fix performance regression when multiple DB used without caching.
* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
* (T182377, T196793) Exif: Guard against uncountable tag values.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T200864) Fix pingback over-reporting on non-MySQL databases
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
hooks.
== MediaWiki 1.31.0 ==
=== Changes since MediaWiki 1.31.0-rc.2 ===
* (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
* (T196092) Hide MySQL binary/utf-8 charset option in the installer.
* (T196185) Don't allow setting $wgDBmysql5 in the installer.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
=== Changes since MediaWiki 1.31.0-rc.0 ===
* (T33223) Drop archive.ar_text and ar_flags.
* Add default edit rate limit of 90 edits/minute for all users.
* (T187645) Use codepoint as tiebreaker when getting first-letters in
IcuCollation.
* (T191947) Don't shell during the installer if shelling out is disabled.
* (T194319) Improve duplicate config setting exception as part of extension
registration.
* (T195211) Don't require trailing slash in PSR-4 autoloader directory.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* Do not incorrectly hide namespace input field in the installer.
* (T186456) Refactor checks looking for PEAR mail libraries to be clearer.
=== Important pre-upgrade notes for 1.31 ===
* If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
schema changes, and cannot have downtime to run migrateArchiveText.php and
apply patch-drop-ar_text.sql manually, you'll have to apply a default value
to the ar_text and ar_flags columns of the archive table or make those
columns nullable before upgrading to MediaWiki 1.31.
maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL.
=== Configuration changes in 1.31 ===
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
a future version. The API is now considered to be stable, secure and
essential.
* $wgUsejQueryThree was removed, as it is now the default. This was documented
as a temporary variable during the migration period, deprecated since 1.29.
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
have the right to mark things patrolled.
* Wikis that contain imported revisions or CentralAuth global blocks should run
maintenance/cleanupUsersWithNoId.php.
* The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
$wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
are not using the latest version of the Referrer Policy specification.
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
first step of migration to human-readable section IDs that will later result
in 'html5' being the default mode.
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
as upstream is inactive and has no plans to move to PHP 7.
* The old CategorizedRecentChanges feature, including its related configuration
option $wgAllowCategorizedRecentChanges, has been removed.
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
for performance reasons, and installations with this setting will now work as
if it was configured with 'any'.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
rather than being off by default. If you wish to disable HTML tidying
entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
Tidy external binary, set $wgTidyConfig to null and $wgUseTidy to true.
* $wgLogAutopatrol now defaults to false instead of true.
* $wgValidateAllHtml was removed and will be ignored.
* $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
1.25 release notes for more information.
* $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
framework that it enables. Some extensions mistakenly used this to check
whether any AJAX functionality at all should be enabled, further making this
problematic to retain.
* $wgDBmysql5 is now deprecated, and will be removed in a future version. It
has been marked as experimental ever since it was introduced.
=== New features in 1.31 ===
* (T76554) User sub-pages named ….json are now protected in the same way that
….js and ….css pages are, so that configuration options can safely be placed
there.
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
Html class now provides helper methods for messageBox, successBox, errorBox
and warningBox generation.
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
a format like "iw>Example".
* (T20209) Linker (used on history pages, log pages, and so on) will display
usernames formed like "iw>Example" as interwiki links, as if by wikitext like
[[iw:User:Example|iw>Example]].
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
users during an import.
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
the ParserOutput::getText() post-cache transformations.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
initial page text for file uploads.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
hash value in the table of basic information.
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
ParserOutput::getText() post-cache transformation. This may be disabled by
passing 'deduplicateStyles' => false to that method.
* The identity of the logged-in or IP "actor" for logged actions is being moved
into a new actor table, with the rows in tables such as revision and logging
referring to the actor ID instead of storing the user ID and name/IP in
every row.
* This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
soon as any necessary extensions are updated.
* Most code accessing rows for logged actions from the database should use
the relevant getQueryInfo() methods to get the information needed to build
the SQL query. The ActorMigration class may also be used to get
feature-flagged information needed to access actor-related fields during the
migration period.
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
section without having to roll back the whole transaction.
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
and non-MySQL ::replace() and ::upsert() no longer roll back the whole
transaction on failure.
* (T189785) Added a monthly heartbeat ping to the pingback feature.
* The CLI installer (maintenance/install.php) learned to detect and include
extensions. Pass --with-extensions to enable that feature.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
"1" for manually patrolled and "2" for autopatrolled actions.
* Extensions can now set their type to "editor" if they provide an editor or
enhance the editing experience.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
property in extension.json. See the documentation at
<https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
for more details and an example.
* (T19099) Tabs which link to pages that don't exist (like those to uncreated
discussion pages) now have a tooltip to indicate state, not just colour.
=== External library changes in 1.31 ===
* pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
suggested to required. These packages now must be installed via composer
and not via PEAR itself.
==== Upgraded external libraries ====
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.
==== New external libraries ====
* Added wikimedia/object-factory 1.0.0
==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
'mediawiki.viewport' module instead.
* mediawiki/at-ease was replaced with wikimedia/at-ease.
=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor.
* (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
space.
* (T2087, T10897, T87753, T174639) Whitespace created by category and language
links is now stripped rather than leaving blank lines in odd places.
* (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
=== Action API changes in 1.31 ===
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
removed. It has never made a difference in the output; the name was always
returned regardless.
* The 'watch' and 'unwatch' parameters for action=move have been removed. They
were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
'watchlist' instead.
=== Action API internal changes in 1.31 ===
* ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
* ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
* ApiBase::getProfileTime, deprecated since 1.25, was removed.
=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
* (T182305) New language support: Nyungar (nys).
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
* (T186635) New language support: Guianan Creole (gcr).
* (T186647) New language support: Kumyk [къумукъ] (kum).
* (T187750) New language support: Spanish formal address (es-formal).
* (T187824) New language support: Hungarian formal address (hu-formal).
* (T189127) New language support: Gorontalo (gor).
=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
* The OutputPage class constructor now requires a context parameter.
Instantiating without context was deprecated in 1.18.
* The mw.page JavaScript singleton, deprecated in 1.30, was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
::onArticleEdit() methods, deprecated in 1.24, were removed.
* Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
removed. Use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
'byText' or ->setBlocker(). Callers should either ensure the blocker exists
locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were
deprecated in 1.27, have been removed:
* WatchedItem::getTitle()
* WatchedItem::fromUserTitle()
* WatchedItem::addWatch()
* WatchedItem::removeWatch()
* WatchedItem::isWatched()
* WatchedItem::duplicateEntries()
* WatchedItem::IGNORE_USER_RIGHTS
* WatchedItem::CHECK_USER_RIGHTS
* WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
$wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
variable, has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
$wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
variable, has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have
been removed:
* PreparedEdit->newText
* PreparedEdit->oldText
* PreparedEdit->pst
* ParserOutput objects which are generated using a non-default value for
ParserOptions::setWrapOutputClass() can no longer be added to the parser
cache.
* The following deprecated methods from the OutputPage class have been removed:
* OutputPage::addExtensionStyle(); deprecated in 1.27
* OutputPage::getExtStyle(); deprecated in 1.27
* OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
* OutputPage::setSquidMaxage(); deprecated in 1.27
* OutputPage::readOnlyPage(); deprecated in 1.25
* OutputPage::rateLimited(); deprecated in 1.25
* Additionally, the protected OutputPage::$mExtStyles array, only accessed
through the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
were removed:
* $isCssJsSubpage — use ::isUserConfigPage()
* $isCssSubpage — use ::isUserCssConfigPage()
* $isJsSubpage — use ::isUserJsConfigPage()
* $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
* ::getSummaryInput() – use ::getSummaryInputWidget()
* ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
* ::getCheckboxes() – use ::getCheckboxesWidget() or
::getCheckboxesDefinition()
* ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
::getCheckboxesDefinition()
* ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on
the response object, and were deprecated in 1.27, have been removed:
* ::setCookie()
* ::clearCookie()
* ::setExtendedLoginCookie()
Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27 have
been removed:
* ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
* ::getPasswordFactory() – create a PasswordFactory directly
* ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when
DBO_TRX is set results in an exception. Calling Database::commit() explicitly
for an implicit transaction also results in an exception. Previously these
were logged as errors. The startAtomic() and endAtomic() methods, or
AtomicSectionUpdate should be used instead.
* The global function wfOutputHandler() was removed; use its replacement
MediaWiki\OutputHandler::handle() instead. The global function was only
sometimes defined. Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
ResourceLoaderModule::getLessVars() to expose local variables instead of
global ones.
* As part of work to modernise user-generated content clean-up, a config option
and some methods related to HTML validity were removed without deprecation.
The public methods MWTidy::checkErrors() and the path through which it was
called, TidyDriverBase::validate(), are removed, as are the testing methods
MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
The $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies
the RESTRICT_DEFAULT Firejail restriction by default.
* The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
deprecated in 1.26, were removed.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.
=== Deprecations in 1.31 ===
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
RevisionRecord and its subclasses.
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* The global function wfCountDown is now deprecated in favor of
Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
have been deprecated in favor of similar methods that also return the tables
to select from and the join conditions for those tables.
* Block::selectFields() → Block::getQueryInfo()
* RecentChange::selectFields() → RecentChange::getQueryInfo()
* ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
* LocalFile::selectFields() → LocalFile::getQueryInfo()
* LocalFile::getCacheFields() with a prefix no longer works
* LocalFile::getLazyCacheFields() with a prefix no longer works
* OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
* Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
* Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
* Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
* Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
* Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
* Revision::selectFields() → Revision::getQueryInfo()
* Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
* User::selectFields() → User::getQueryInfo()
* WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated; use instead the hook
RevisionRecordInserted. RevisionInsertComplete is still called, but the second
and third parameter will always be null. Hard deprecation is scheduled for 1.32.
* The following methods that get and set ParserOutput state are deprecated.
Callers should use the new stateless $options parameter to
ParserOutput::getText() instead.
* ParserOptions::getEditSection()
* ParserOptions::setEditSection()
* ParserOutput::getEditSectionTokens()
* ParserOutput::setEditSectionTokens()
* ParserOutput::getTOCEnabled()
* ParserOutput::setTOCEnabled()
* OutputPage::enableSectionEditLinks()
* OutputPage::sectionEditLinksEnabled()
* The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
Setting template variables by reference allowed violating the principle of
data being immutable once added to the skin template. In practice, this method
was not being used for that. Rather, setRef() existed as a memory optimisation
for PHP 4.
* QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced class
\Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
used instead.
* CommentStore::newKey is deprecated. Instead, get an instance from
MediaWikiServices.
* The following CommentStore methods have had their signatures changed to
introduce a $key parameter; usage of the methods on instances retrieved from
CommentStore::newKey will remain unchanged but deprecated:
* CommentStore::getFields
* CommentStore::getJoin
* CommentStore::getComment
* CommentStore::getCommentLegacy
* CommentStore::insert
* CommentStore::insertWithTempTable
* The following methods in Title have been renamed, and the old ones are
deprecated:
** Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
** Title::isCssOrJsPage – use ::isSiteConfigPage
** Title::isCssJsSubpage – use ::isUserConfigPage
** Title::isCssSubpage – use ::isUserCssConfigPage
** Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
** Parser::serializeHalfParsedText()
** Parser::unserializeHalfParsedText()
** Parser::isValidHalfParsedText()
** StripState::getSubState()
** StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
used instead.
* The function wfShellWikiCmd() has been deprecated, use
MediaWiki\Shell::makeScriptCommand().
* In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
will be allowed to provide any HTMLForm object rather than PreferencesForm.
=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was dropped entirely. Opera 15+
continues at Grade A.
* Multi-content-revision capability was introduced into the storage layer. See
<https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext.
Links written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
wikitext table captions, wikitext table headings, wikitext table cells. HTML
headings, HTML list items, HTML table captions, HTML table headings, HTML
table cells will not have this trimming behavior.
== Compatibility ==
MediaWiki 1.31 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
supported, it is generally advised to use PHP 7.0.0 or later for long term
support.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.5.8 or later
* PostgreSQL 9.2 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.31 has several database changes since 1.30, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.
For notes on 1.30.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.
= MediaWiki 1.30 =
== MediaWiki 1.30.1 ==
This is a security and maintenance release of the MediaWiki 1.30 branch.
=== Changes since MediaWiki 1.30.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) The CLI installer (maintenance/install.php) learned to detect and
include extensions. Pass --with-extensions to enable that feature.
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker.
* (T179190) selenium: Move logic for running tests from package.json to selenium.sh
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* Add default edit rate limit of 90 edits/minute for all users.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* oojs/oojs-ui updated to remove an unnecessary dependency.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T193995) Fix undefined patchPath() method call in parser tests.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
hooks.
* (T190539) Explicitly require Postgres 9.1.
* (T118420) Unbreak Oracle installer.
== MediaWiki 1.30.0 ==
=== Changes since MediaWiki 1.30.0-rc.0 ===
* Upgraded Moment.js from v2.15.0 to v2.19.3.
* Add ip_changes to postgres/tables.sql.
* Skip null shell parameters.
* Add wfWaitForSlaves() to maintenance/migrateComments.php.
* (T182245) Fix join conditions in ImageListPager.
* (T178626) Revert #contentSub and #jump-to-nav margin changes.
=== MySQL version requirement in 1.30 ===
As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
section).
=== Configuration changes in 1.30 ===
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
unexpected behavior when code uses locale-sensitive string comparisons. For
example, the Scribunto extension considers "bar" < "Foo" in most locales
since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
class names. This is intended for extensions that want control over the
instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative
to plain class names, using the 'factory' key in the module description
array. This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
of IP ranges that can be queried at Special:Contributions.
* (T45547) $wgUsePigLatinVariant added (off by default).
* (T152540) MediaWiki now supports a section ID escaping style that allows
non-Latin characters to be displayed verbatim on many modern browsers. This is
controlled by the new configuration setting, $wgFragmentMode.
* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version,
use $wgFragmentMode to migrate off it to a modern alternative.
* $wgExternalInterwikiFragmentMode was introduced to control how fragments in
interwikis going outside of the current wiki farm are encoded.
* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'.
This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki
auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly
requested through the configuration parameter $wgDBservers.
* $wgOOUIEditPage was removed, as it is now the default. This was documented as a
temporary variable during the migration period.
=== New features in 1.30 ===
* (T37247) Output from Parser::parse() will now be wrapped in a div with
class="mw-parser-output" by default. This may be changed or disabled using
ParserOptions::setWrapOutputClass().
* (T163562) Added ability to search for contributions within an IP range
at Special:Contributions.
* Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
specific tags to be added by users.
* Added a 'ParserOptionsRegister' hook to allow extensions to register
additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
LanguageConverter variant. This allows English-speaking developers
to develop and test LanguageConverter more easily. Pig Latin can be
enabled by setting $wgUsePigLatinVariant to true.
* Added RecentChangesPurgeRows hook to allow extensions to purge data that
depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
* (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
'watchlistunwatchlinks' preference option is enabled). With JavaScript
enabled, these links toggle so the user can also re-watch pages that have
just been unwatched.
* Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
MediaHandlerFactory for parser tests.
* Edit summaries, block reasons, and other "comments" are now stored in a
separate database table. Use the CommentFormatter class to access them.
** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
soon as any necessary extensions are updated.
* (T138166) Added ability for users to prohibit other users from sending them
emails with Special:Emailuser. Can be enabled by setting
$wgEnableUserEmailBlacklist to true.
* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect.
Instead, users using browsers that do not support Unicode will be unable to edit
and should upgrade to a modern browser instead.
=== External library changes in 1.30 ===
==== Upgraded external libraries ====
* Updated justinrainbow/json-schema from v3.0 to v5.2.
* Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
* Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
* Updated wikimedia/relpath from v1.0.3 to v2.0.0.
* Updated OOjs from v2.0.0 to v2.1.0.
* Updated OOUI from v0.21.1 to v0.23.0.
* Updated QUnit from v1.23.1 to v2.4.0.
* Updated phpunit/phpunit from v4.8.35 to v4.8.36.
* Upgraded Moment.js from v2.15.0 to v2.19.3.
==== New external libraries ====
* The class \TestingAccessWrapper has been moved to the external library
wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
* Purtle, a fast, lightweight RDF generator.
==== Removed and replaced external libraries ====
* …
=== Bug fixes in 1.30 ===
* (T151633) Ordered list items now use Devanagari digits in Nepalese
(thanks to Sfic)
=== Action API changes in 1.30 ===
* (T37247) action=parse output will be wrapped in a div with
class="mw-parser-output" by default. This may be changed or disabled using
the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be
formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and
returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
parameters to prop=revisions are deprecated, as are the similarly named
parameters to prop=deletedrevisions, list=allrevisions, and
list=alldeletedrevisions. Use action=compare, action=parse, or
action=expandtemplates instead.
=== Action API internal changes in 1.30 ===
* ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
deprecated. The existing message should be split between "apihelp-*-summary"
and "apihelp-*-extended-description".
* (T123931) Individual values of multi-valued parameters can now be marked as
deprecated.
=== Languages updated in 1.30 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Added: kbp (Kabɩyɛ / Kabiyè)
* Added: skr (Saraiki, سرائیکی)
* Added: tay (Tayal / Atayal)
* Removed: tokipona (Toki Pona)
==== Pig Latin added ====
* (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
for easier variant development and testing. Disabled by default. It can be
enabled by setting $wgUsePigLatinVariant to true.
=== Other changes in 1.30 ===
* The use of an associative array for $wgProxyList, where the IP address is in
the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
* mw.user.bucket (deprecated in 1.23) was removed.
* LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
deprecated. There are no known callers.
* File::getStreamHeaders() was deprecated.
* MediaHandler::getStreamHeaders() was deprecated.
* Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
used instead.
* MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
should be used instead.
* The ExtractThumbParameters hook (deprecated in 1.21) was removed.
* The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
deprecated in 1.24) were removed.
* wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
BagOStuff::makeGlobalKey() should be used instead.
* (T146304) Preprocessor handling of LanguageConverter markup has been improved.
As a result of the new uniform handling, '-{' may need to be escaped
(for example, as '-<nowiki/>{') where it occurs inside template arguments
or wikilinks.
* (T163966) Page moves are now counted as edits for the purposes of
autopromotion, i.e., they increment the user_editcount field in the database.
* Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
manipulating Special:Log and Special:NewPages lines.
* The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding
hooks have an additional parameter, for manipulating HTML data attributes of
RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the
$data['attribs'] subarray.
* (T130632) The OutputPage::enableTOC() method was removed.
* WikiPage::getParserOutput() will now throw an exception if passed
ParserOptions that would pollute the parser cache. Callers should use
WikiPage::makeParserOptions() to create the ParserOptions object and only
change options that affect the parser cache key.
* Article::viewRedirect() is deprecated.
* IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
* DeprecatedGlobal no longer supports passing in a direct value, it requires a
callable factory function or a class name.
* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton()
are all deprecated. The main ParserCache instance should be obtained from
MediaWikiServices instead. Access to the underlying BagOStuff is possible
through the new ParserCache::getCacheStorage() method.
* .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
* Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
escapeIdForLink() or escapeIdForExternalInterwiki() instead.
* Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
Sanitizer functions or, if possible, Title::getFragmentForURL().
* Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
nothing and is deprecated.
* mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
escapeIdForLink().
* MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
* WikiImporter now requires the second parameter to be an instance of the Config
class. Prior to that, the Config parameter was optional (a behavior deprecated in
1.25).
* Removed 'jquery.mwExtension' module. (deprecated since 1.26)
* mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
any more.
* CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
The namespaced classes in the Cdb namespace should be used instead.
* IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
should be used instead.
* RunningStat class (deprecated in 1.27) was removed. The namespaced
RunningStat\RunningStat should be used instead.
* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed.
The MemcachedClient class should be used instead.
* EditPage underwent some refactoring and deprecations:
** EditPage::isOouiEnabled() is deprecated and will always return true.
** EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please
use ::getSummaryInputWidget() instead.
** EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
use ::getCheckboxesWidget() instead.
** Creating an EditPage instance without calling EditPage::setContextTitle() should
be avoided and will be deprecated in a future release.
** EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops.
** EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The
corresponding methods from Title should be used instead.
** EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
** EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters
::getArticle() and ::getTitle() should be used instead.
** Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut,
and $wgLang is no longer supported and won't work. The IContextSource returned from
EditPage::getContext() must be modified instead.
* Parser::getRandomString() (deprecated in 1.26) was removed.
* Parser::uniqPrefix() (deprecated in 1.26) was removed.
* Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
$uniq_prefix was deprecated in 1.26 and has now been removed.
* (T172514) The following tables have had their UNIQUE indexes turned into proper
PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks,
langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats,
templatelinks, text, transcache, user_former_groups, user_properties.
* IDatabase::nextSequenceValue() is no longer needed by any database backends
(formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a
PRIMARY KEY.
* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
user_properties.up_user have all been made unsigned on MySQL.
* DB_SLAVE is deprecated. DB_REPLICA should be used instead.
* wfUsePHP() is deprecated.
* wfFixSessionID() was removed.
* wfShellExec() and related functions are deprecated, use Shell::command(). This also
slightly changes the behavior of how execution time limits are calculated when only
some of the defaults are overridden per-call. When in doubt, always override both wall
clock and CPU time.
* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending
user object. Using the method without the second argument is deprecated.
* (T67297) Browsers that don't support Unicode will have their edits rejected.
* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future
release. For notifying the user of an event, the Notifications ("Echo") system
should be used instead.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
= MediaWiki 1.29 =
== MediaWiki 1.29.3 ==
This is a security and maintenance release of the MediaWiki 1.29 branch.
=== Changes since 1.29.2 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* (T180551) Fix LanguageSrTest for language converter
* (T180552) Fix language converter parser test with self-close tags
* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
* (T180485) InputBox: Have inputbox langconvert certain attributes
* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
* (T172927) Drop vendor from MW release branch
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) The CLI installer (maintenance/install.php) learned to detect and
include extensions. Pass --with-extensions to enable that feature.
* (T182381) Mask deprecated call in WatchedItemUnitTest
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* The karma qunit tests would fail on some configuration due to headers already
sent. Check headers_sent() before sending cpPosTime headers
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker
* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead of @
* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
fails under SQLite.
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* (T179190) selenium: Move test running logic from package.json to selenium.sh.
* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
* Add default edit rate limit of 90 edits/minute for all users.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T194237) Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T118420) Unbreak Oracle installer.
== MediaWiki 1.29.2 ==
This is a security and maintenance release of the MediaWiki 1.29 branch.
=== Changes since 1.29.1 ===
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
branches in the previous security release.
== MediaWiki 1.29.1 ==
This is a maintenance release of the MediaWiki 1.29 branch.
The SpamBlacklist and PdfHandler extensions were missing from the generated
packages.
=== Changes since 1.29.1 ===
* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
* (T172061) Fix fatal when passing a category to refreshLinks.php.
== MediaWiki 1.29.0 ==
=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
determines whether to set a cookie when a user is autoblocked. Doing so means
that a blocked user, even after logging out and moving to a new IP address,
will still be blocked.
* The resetpassword right and associated password reset capture feature has
been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
or boolean false. This should be compatible with at least MediaWiki 1.23 if
not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
policies.
* Subpages are now enabled by default in the Template namespace. Set
$wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in its
fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
browsers had poor support for them, but modern browsers handle them fine.
This might affect some forms that used them and only worked because the
attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
structures filters into user-friendly groups. This has corresponding
changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
Because this change can cause problems for extensions and on-wiki
scripts depending on the exact HTML, the old version is still available
and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
This will be removed later and OOjs UI will become the only option.
To make testing easier, users can also force either mode by adding
&ooui=true or &ooui=false to the action=edit URL.
=== External library changes in 1.29 ===
==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.
* Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.
==== Removed and replaced external libraries ====
=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number according
to the page content language, not wiki content language.
* (T27187) Search suggestions based on jquery.suggestions will now correctly only
highlight prefix matches in the results.
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
* Special:Allpages can no longer be filtered by redirect in miser mode.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata in the query string is now an error. They
should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
key 'talkmove-errors', rather than using 'talkmove-error-code' and
'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
and errors for each item. Use errorformat=wikitext if you're wanting parsed
output.
* action=rollback no longer returns a "messageHtml" property. Use
errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
and password change forms.
* action=purge now requires a POST.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
which returns a list of languages with active LanguageConverter instances.
* action=query&query=allpages will no longer filter redirects using a database
query in miser mode. This may result in fewer results being returned than were
requested.
=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
keys. Methods for using hard-coded English messages were deprecated:
* ApiBase::dieUsage() was deprecated
* ApiBase::dieUsageMsg() was deprecated
* ApiBase::dieUsageMsgOrDebug() was deprecated
* ApiBase::getErrorFromStatus() was deprecated
* ApiBase::parseMsg() was deprecated
* ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
being ApiUsageException is a subclass of UsageException to allow things that
catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
ApiErrorFormatter_BackCompat, note that the result format has changed and
various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
from the message key, and maps some message keys for backwards compatibility.
* API parameters may now be marked as "sensitive" to keep their values out of
the logs.
=== Languages updated in 1.29 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Based as always on linguistic studies on intelligibility and language
knowledge by geography, language fallbacks have been expanded. When a
translation is missing in the user's preferred interface language, the
corresponding translation for the fallback language will be used instead.
English will only be used as last resort when there are no translations.
Some configurations (such as date formats and gender namespaces) have also
been updated when using the fallback language's configuration was inadequate.
The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.
==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
language will now use the default fallback language: English. When a translation
to Ukrainian is not available, an English string will be shown.
=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
were removed.
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
were removed.
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
instead.
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* Class FSRepo (deprecated in 1.19) was removed.
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
\MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
* Class ImageGallery (deprecated in 1.22) was removed.
Use ImageGalleryBase::factory instead.
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
emit warnings). Create a subclass of Action and add it to $wgActions instead.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
and outdated lists of errors/warnings returned by the API, are now deprecated.
* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
URLs to continue to work, set up redirects. In Apache, this can be done by enabling
mod_rewrite and adding the following rules to your configuration:
    RewriteEngine On
    RewriteBase /
    RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with --category=...
or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
now required to have a getGroupMemberships() method. See UserRightsProxy for
an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
instead.
* User::getGroupName(), User::getGroupMember(), User::getGroupPage(),
User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
and subclasses. It should only break if you call buildMainQueryConds
(changed to buildQuery with new signature) or doMainQuery (new
signature). Subclasses are likely to call at least doMainQuery
(possibly both), but other classes might too, because they were
public.
Also, some related hooks were deprecated, but this is not yet a
breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
WikiPage::PURGE_* constants are deprecated, and the functions will always
return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
if you don't actually care about checkboxes and just want to add some HTML
to the page.
* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
rather than <strong> tags. The old class name, "selflink", was deprecated
and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
addClickHandler, removeHandler, getElementsByClassName, getInnerText,
setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the <li> element containing the login link has changed from
'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
deprecated (T30856). This old code dates from 2006, and was replaced in the
MediaWiki release tarball and in Wikimedia production by the WikiEditor
extension in 2010. It is only shown to users if no other editor was
installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
addModuleStyles() is deprecated and will log a warning server-side.
= MediaWiki 1.28 =
== MediaWiki 1.28.3 ==
This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.2 ===
* (T168856) Allow SVGs created by Dia to be uploaded.
* (T157545) Add missing doUpdates() call to refreshLinks.php.
* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
* (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
* (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
* (T167798) Fix phrase search and highlighting for phrase queries.
* (T151136) Provide credits information to callbacks in extension registration.
* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
* (T168337) Fix ErrorPageError to work from non-UI contexts.
* (T143788) Backports for PHP 7.0 and 7.1 support.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T174255) Declare uploadCount property in importDump.php.
* (T180231) SECURITY: Updated dev dependency phpunit/phpunit from v4.8.24 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
== MediaWiki 1.28.2 ==
Due to a packaging error, the wrong version of the SyntaxHighlight extension was
included in the tarball version of MediaWiki 1.28.1. The version included had a
serious security issue in it (T158689). There were also some minor code fixes in
MediaWiki itself since 1.28.1, but none of them were security relevant.
== MediaWiki 1.28.1 ==
This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.0 ===
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
more than one database server setup.
* (T152717) Better escaping for PHP mail() command.
* (T154670) A missing method causing the MySQL installer to fatal in rare
circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
== MediaWiki 1.28 ==
=== Changes since 1.28.0-rc1 ===
* (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
errors.
* (T148956) Only apply wgDBschema to postgres/mssql.
* (T145991) Introduce separate log action for deleting pages on move.
* (T141474) (T110464) Bypass login page if no user input is required.
=== Changes since 1.28.0-rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
comment to a machine-readable JavaScript config option 'wgPageParseReport'
have been undone. They caused the human-readable limit report to be shown
incompletely or not at all. ParserOutput::setLimitReportData() and
getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
the text of subheadings on a category page when creating it. This wasn't
working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
canonical pretty URL when a non-pretty URL is used. It resulted in redirect
loops in some clients and in some server configurations. This undoes a change
made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
access to session data, which includes the session user and the session
user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
signifies local uploads. A value of `[]` (empty array) now means that
no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
for Esperanto language character conversion. You are now recommended to use
input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user')
instead of just administrators ('sysop'). Documentation for this feature is
available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
a tracking category will be added to help identify usage and make it easier to migrate
away from. If you depend upon magic link functionality, it is requested that you comment
on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
in upcoming Content-Security-Policy feature's reporting.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
upload. Unlike 'UploadVerifyFile' it provides information about upload comment
and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
a 'numeric' collation is also available. If migrating from another
collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
appropriate for sending multi-valued parameters. This defaults to true when
the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
MediaWiki will wait for the replica databases to synchronize with the master database
while it renders the HTML output. However, if the output is a redirect to another wiki
on the wiki farm with a different domain, MediaWiki will instead alter the redirect
URL to include a ?cpPosTime parameter that triggers the database synchronization when
the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules.
=== External library changes in 1.28 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
Session::getAllowedUserRights()
=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
(deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
action=login is now deprecated and outputs a warning. They should be submitted
in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
action=createaccount, action=linkaccount, and action=changeauthenticationdata
in the query string is now deprecated and outputs a warning. They should be
submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
instead of the pipe character. This will be useful if some of the multiple
values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
ApiPageSet may contain entries where the 'from' value is percent-encoded as
the raw value cannot be represented in a valid API response. These are
indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
the 'TitleIsAlwaysKnown' hook) are output in various modules.
=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with ApiParse and ApiExpandTemplates.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* ApiBase::getResultData() was removed (deprecated since 1.25)
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules. A query module can enable
these hooks by passing an array for $hookData to ApiQueryBase::select() and
by calling ApiQueryBase->processRow() before adding a row's data to the
result.
=== Languages updated in 1.28 ===
MediaWiki supports over 375 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
* Skin::commentBlock() (use Linker::commentBlock() instead)
* Skin::generateRollback() (use Linker::generateRollback() instead)
* Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
* Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
* Skin::userLink() (use Linker::userLink() instead)
* Skin::userToolLinks() (use Linker::userToolLinks() instead)
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
disabled.
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
Use ...->stashFile()->getFileKey() instead.
* "Public domain" was removed as a wiki license option from the installer, in
favour of CC-0.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
on requests needed by primary providers even if all primaries need them.
Primary providers are discouraged from returning multiple REQUIRED requests.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
will no longer be automatically infused. You should call `OO.ui.infuse()`
on them yourself from your JavaScript code.
* parserTests.php has moved to tests/parser/parserTests.php
* The command line options specific to parser tests have been removed from
phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
Instead of --keep-uploads, use the same option to parserTests.php, but you
must specify a directory with --upload-dir.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
migrate to using the same functions on a ProxyLookup instance, obtainable from
MediaWikiServices.
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
ShowRawCssJs hooks will now emit deprecation warnings if used.
* (T68404) CSS3 attr() function with url type is no longer allowed
in inline styles.
* Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
instead.
== Compatibility ==
MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.28 has several database changes since 1.27, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite a long time (minutes on a medium-sized
site, many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.27.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.
= MediaWiki 1.27 =
== MediaWiki 1.27.5 ==
This is a security and maintenance release of the MediaWiki 1.27 branch.
=== Changes since 1.27.4 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* Upgraded Moment.js from v2.8.4 to v2.19.3.
* (T160298) Fixed Special:ActiveUsers due to bad backport.
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
* Updated list of SPDX licenses for extensions.
* (T189567) The CLI installer (maintenance/install.php) learned to detect and
include extensions. Pass --with-extensions to enable that feature.
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* Add default edit rate limit of 90 edits/minute for all users.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T196672) The mtime of extension.json files is now able to be zero.
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T118420) Unbreak Oracle installer.
== MediaWiki 1.27.4 ==
This is a security and maintenance release of the MediaWiki 1.27 branch.
=== Changes since 1.27.3 ===
* (T100085) Better handling of jobs execution in post-connection shutdown.
* (T141604) Support conditionally registered namespaces.
* (T167798) Fix highlighting for phrase queries and phrase search.
* (T151136) Provide credits information to callbacks.
* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
* (T168856) Allow SVGs created by Dia to be uploaded.
* (T144705) (T148662) Password reset link is no longer shown when no reset options are
available.
* (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
* (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
policies.
* DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T142304) Allow putting the app ID in the password for bot passwords.
* Updated dev dependency phpunit/phpunit from v4.8.24 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
== MediaWiki 1.27.3 ==
Due to a packaging error, the wrong version of the SyntaxHighlight extension was
included in the tarball version of MediaWiki 1.27.2. The version included had a
serious security issue in it (T158689). There were also some minor code fixes in
MediaWiki itself since 1.27.2, but none of them were security relevant.
=== Changes since 1.27.2 ===
* (T145664) Fix broken wincache merge() implementation
* (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility
* (T153505) Fix php warnings on php 7.1 due to use of &$this
== MediaWiki 1.27.2 ==
This is a security and maintenance release of the MediaWiki 1.27 branch.
ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0
was released.
=== Changes since 1.27.1 ===
* (T68404) CSS3 attr() function with url type argument is no longer allowed
in inline styles.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* (T152717) Better escaping for PHP mail() command
* Submitting the lgtoken and lgpassword parameters in the query string to
action=login is now deprecated and outputs a warning. They should be submitted
in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
action=createaccount, action=linkaccount, and action=changeauthenticationdata
in the query string is now deprecated and outputs a warning. They should be
submitted in the POST body instead.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
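An added example, not part of the MediaWiki release notes or code base: a log
audit for the two query-string deprecations and the "sensitive" parameter change
(T125177) listed above. It flags api.php requests whose logged URL carries
credentials and emits a redacted copy. The sample log lines are constructed, and
the 'password' and 'retype' field names for the AuthManager actions are
assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Request line of a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Named in the release note: action=login parameters that belong in the POST body.
LOGIN_SENSITIVE = {"lgpassword", "lgtoken"}
# Actions the release note lists for sensitive authentication request parameters.
AUTH_ACTIONS = {"clientlogin", "createaccount", "linkaccount",
                "changeauthenticationdata"}
# Assumption: field names treated as sensitive for those actions. Adjust this
# set to the authentication providers actually installed on the wiki.
ASSUMED_AUTH_SENSITIVE = {"password", "retype"}


def sensitive_names(action):
    """Return the parameter names to watch for the given API action."""
    if action == "login":
        return LOGIN_SENSITIVE
    if action in AUTH_ACTIONS:
        return ASSUMED_AUTH_SENSITIVE
    return set()


def inspect_line(line):
    """Return a finding dict if the logged URL carries credentials, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if not url.path.endswith("/api.php"):
        return None
    pairs = parse_qsl(url.query, keep_blank_values=True)
    action = dict(pairs).get("action", "")
    watched = sensitive_names(action)
    exposed = sorted({name for name, _ in pairs if name in watched})
    if not exposed:
        return None
    # The query string is logged for POST requests too, so the method does not
    # matter: only parameters in the request body stay out of the access log.
    redacted = urlencode(
        [(name, "REDACTED" if name in watched else value) for name, value in pairs]
    )
    return {
        "method": match.group("method"),
        "action": action,
        "exposed": exposed,
        "redacted_target": f"{url.path}?{redacted}",
    }


def audit(lines):
    """Return (line_number, finding) for every log line that exposes credentials."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = inspect_line(line)
        if finding:
            findings.append((number, finding))
    return findings


# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2017:10:00:01 +0000] "GET /w/api.php?action=login'
    '&lgname=ExampleBot&lgpassword=hunter2&format=json HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Mar/2017:10:00:02 +0000] "POST /w/api.php?action=login'
    '&lgtoken=abc123%2B%5C HTTP/1.1" 200 298',
    '192.0.2.11 - - [01/Mar/2017:10:00:03 +0000] "POST /w/api.php HTTP/1.1" 200 305',
    '192.0.2.12 - - [01/Mar/2017:10:00:04 +0000] "POST /w/api.php?action=clientlogin'
    '&username=Example&password=s3cret HTTP/1.1" 200 410',
    '192.0.2.13 - - [01/Mar/2017:10:00:05 +0000] "GET /w/api.php?action=query'
    '&meta=siteinfo HTTP/1.1" 200 2048',
    '192.0.2.14 - - [01/Mar/2017:10:00:06 +0000] "GET /w/index.php?title=Main_Page'
    ' HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_LOG):
        print(number, finding["method"], finding["action"],
              finding["exposed"], finding["redacted_target"])
```

Credentials found this way have already been written to the access log, so the affected passwords should be rotated and the logs scrubbed or access-restricted.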
== MediaWiki 1.27.1 ==
This is a maintenance release of the MediaWiki 1.27 branch.
=== Changes since 1.27.0 ===
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
* (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()
== MediaWiki 1.27.0 ==
=== PHP version requirement in 1.27 ===
As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
section). Additionally, the following PHP extensions are required:
* ctype
* iconv
* json
* mbstring (new requirement in 1.27)
* xml
The following PHP extensions are strongly recommended:
* openssl
=== Configuration changes in 1.27 ===
* $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
now always enabled. If you use RDFa on your wiki, you now have to explicitly
set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
* $wgUseLinkNamespaceDBFields was removed.
* Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
$wgResourceLoaderMinifierMaxLineLength, because there was little value in
making the behavior configurable. The default values (`false` for the former,
1000 for the latter) are now hard-coded.
* $wgDebugDumpSqlLength was removed (deprecated in 1.24).
* $wgDebugDBTransactions was removed (deprecated in 1.20).
* $wgUseXVO has been removed, as it provides functionality only used by
custom Wikimedia patches against Squid 2.x that probably no one uses in
production anymore. There is now $wgUseKeyHeader that provides similar
functionality but instead of the MediaWiki-specific X-Vary-Options header,
uses the draft Key header standard.
* $wgScriptExtension (and support for '.php5' entry points) was removed. See the
deprecation notice in the release notes for version 1.25 for advice on how to
preserve support for '.php5' entry points via URL rewriting.
* Password handling via the User object has been deprecated and partially
removed, pending the future introduction of AuthManager. In particular:
** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
getPasswordExpired() have been removed. They were unused outside of core.
** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
now private and will be removed in the future.
** The getPassword() and getTemporaryPassword() methods now throw
BadMethodCallException and will be removed in the future.
** The ability to pass 'password' and 'newpassword' to createNew() has been
removed. The only users of it seem to have been using it to set invalid
passwords, and so shouldn't be greatly affected.
** setPassword(), setInternalPassword(), and setNewpassword() have been
deprecated, pending the introduction of AuthManager.
** User::randomPassword() is deprecated in favor of a new method
PasswordFactory::generateRandomPasswordString()
** User::getPasswordFactory() is deprecated, callers should just create a
PasswordFactory themselves.
** A new constructor, User::newSystemUser(), has been added to simplify the
creation of passwordless "system" users for logged actions.
* $wgMaxSquidPurgeTitles was removed.
* $wgAjaxWatch was removed. This is now enabled by default.
* $wgUseInstantCommons now hotlinks Commons images by default instead of
downloading originals and thumbnailing them locally. This allows wikis to save
on CPU and bandwidth while reducing time to first byte for pages, even without
a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
* (T27397) WebP is enabled by default as an uploadable filetype.
* (T48998) $wgArticlePath must now be either a full url, or start with a "/".
* $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
* Deprecated API formats dbg, txt, and yaml have been removed.
* CLDRPluralRule* classes have been replaced with
wikimedia/cldr-plural-rule-parser.
* Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
$wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
$wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
* For proper operation of LocalIdLookup with shared user tables, ensure that
$wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
that all others are sharing from and that $wgLocalDatabases is set to the
full list of sharing wikis on all those wikis.
* Massive overhaul to session handling:
** $wgSessionsInObjectCache is no longer supported and must be true, due to
MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
used.
** ObjectCacheSessionHandler is removed, replaced with
MediaWiki\Session\PhpSessionHandler.
** PHP session handling in general ($_SESSION, session_id(), and so on) is
deprecated. Use MediaWiki\Session\SessionManager instead. A new config
variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
issue a deprecation warning or to cause most PHP session handling to throw
exceptions.
** Deprecated UserSetCookies hook. Session-handling extensions should generally
be creating a custom subclass of CookieSessionProvider. Other extensions
messing with cookies can no longer count on user data being saved in cookies
versus other methods.
** Deprecated UserLoadFromSession hook, extensions should create a
MediaWiki\Session\SessionProvider.
** The User cannot be loaded from session until after Setup.php completes.
Attempts to do so will be ignored and the User will remain unloaded.
** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
the MediaWiki\Session\Token class.
* MediaWiki will now auto-create users as necessary, removing the need for
extensions to do so. An 'autocreateaccount' right is added to allow
auto-creation when 'createaccount' is not granted to all users.
* Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
* Most cookie-handling methods in User are deprecated.
* $wgAllowAsyncCopyUploads and $wgCopyUploadAsyncTimeout were removed. This was an
experimental feature that has never worked.
* Login and createaccount tokens now vary by timestamp.
* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
return a MediaWiki\Session\Token, and tokens must be checked using that
class's methods.
* $wgEnotifUseJobQ was removed and the job queue is always used.
* The functionality of the ApiSandbox extension has been merged into core. The
extension should no longer be used.
* $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
Extensions, skins, gadgets and scripts that use the mediawiki.util module must
express a dependency on it.
* $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
module should express a dependency on it.
* Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
$wgFooterIcons['copyright']['copyright'] instead.
* If the openssl and mcrypt PHP extensions are both unavailable, secure
session storage (used for login) will raise an exception. This exception may
be bypassed by setting $wgSessionInsecureSecrets = true.
* Massive overhaul to authentication:
** AuthPlugin and AuthPluginUser are deprecated.
** LoginForm and associated templates are deprecated. Extensions which called
static LoginForm methods should be converted into authentication providers.
** The following hooks are deprecated:
*** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** AddNewAccount (use LocalUserCreated instead)
*** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
*** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
*** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
*** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
** The following hooks are removed:
*** AbortChangePassword
*** LoginPasswordResetMessage
*** PrefsPasswordAudit
** The UserLoginComplete hook will no longer be called for all logins, only for
those via the web UI. Use UserLoggedIn if you need to do something on all
logins.
** $wgRequirePasswordforEmailChange is removed.
=== New features in 1.27 ===
* $wgDataCenterUpdateStickTTL was also added. This decides how long a user
sticks to the primary DC (via cookies) after they make changes to the site.
* Added a new hook, 'UserMailerTransformContent', to transform the contents
of an email. This is similar to the EmailUser hook but applies to all mail
sent via UserMailer.
* Added a new hook, 'UserMailerTransformMessage', to transform the contents
of an email after MIME encoding.
* Added a new hook, 'UserMailerSplitTo', to control which users have to be
emailed separately (i.e. there is a single address in the To: field) so
user-specific changes to the email can be applied safely.
* $wgCdnMaxageLagged was added, which limits the CDN cache TTL
when any load balancer uses a DB that is lagged beyond the 'max lag'
setting in the relevant section of $wgLBFactoryConf.
* User::newSystemUser() may be used to simplify the creation of passwordless
"system" users for logged actions from scripts and extensions.
* Extensions can now return detailed error information via the API when
preventing user actions using 'getUserPermissionsErrors' and similar hooks
by using ApiMessage instances instead of strings for the $result value.
* $wgAPIMaxLagThreshold was added to limit bot changes when database lag
becomes too high.
* Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
cross-browser-compatible FlexBox rules. Users will still need to add fallback
float rules or the like for compatibility with IE9- separately.
* Added MWTimestamp::getTimezoneString() which returns the localized timezone
string, if available. To localize this string, see the comments of
$wgLocaltimezone in includes/DefaultSettings.php.
* Added CentralIdLookup, a service that allows extensions needing a concept of
"central" users to get that without having to know about specific central
authentication extensions.
* $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
Regular web request transactions that take longer than this are aborted.
* Added a new hook, 'TitleMoveCompleting', which runs before a page move is
committed.
* $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
from CDN to mitigate DB replication lag and WAN cache purge lag.
* (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
if it is available.
* It is now possible to patrol file uploads (both for new files and new versions
of existing files). Special:NewFiles has gained an option to filter by patrol
status. This functionality can be disabled using $wgUseFilePatrol.
* MediaWiki\Session infrastructure allows for easier use of session mechanisms
other than the usual cookies.
** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
custom session metadata.
* Added MWGrants and associated configuration settings $wgGrantPermissions and
$wgGrantPermissionGroups to hold configuration for authentication features
such as OAuth that want to allow restricting the user rights a user may make
use of.
** If you're already using the OAuth extension, these new variables are
identical to (and will replace) $wgMWOAuthGrantPermissions and
$wgMWOAuthGrantPermissionGroups.
* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
to assert that the request comes from a particular IP range.
* Added bot passwords, a rights-restricted login mechanism for API-using bots.
* Whitelisted the following HTML attributes for all elements in wikitext:
aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
* Removed "presentation" restriction on the HTML role attribute in wikitext.
All values are now allowed for the role attribute.
* $wgContentHandlers now also supports callbacks to create an instance of the
appropriate ContentHandler subclass.
* Added $wgAuthenticationTokenVersion, which if non-null prevents the
user_token database field from being exposed in cookies. Setting this would
be a good idea, but will log out all current sessions.
* $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
specifically for reliable CDN url purges.
* Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
generated 24-character string. This request ID is used to annotate log records
and error messages. It is available client-side via mw.config.get( 'wgRequestId' ).
The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId()
is deprecated.
* (T33313) Add a preference for watching uploads by default, also applies
to API-based upload tools.
* $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
savings versus the previous behavior on many files.
* MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
configuration of multiple authentication pieces than was possible with
AuthPlugin. For example, it's now easy to plug in second-factor
authentication, or add additional checks to the login process, or to support
multiple login methods at once, or to support non-password-based login methods.
** Providers are configured via the global setting $wgAuthManagerConfig.
** A global, $wgDisableAuthManager, is temporarily available to disable
AuthManager until extensions are ready to support it.
** New hook, AuthChangeFormFields, to adjust the form fields on
AuthManager-related special pages.
** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
AuthManager-related authentication requests.
** New hook, ChangeAuthenticationDataAudit, for additional logging of
AuthManager-related authentication data changes.
** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
for requiring a recent login before taking security-sensitive operations
like changing a password.
** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist
can be used to prevent the web UI and the API changing certain authentication data.
* The file upload dialog (available if you install WikiEditor or VisualEditor)
can now be configured using $wgUploadDialog.
=== External library changes in 1.27 ===
==== Upgraded external libraries ====
* Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
* Updated composer/semver from v1.0.0 to v1.2.0.
* Updated liuggio/statsd-php-client to 1.0.18.
* Updated QUnit from v1.18.0 to v1.22.0.
==== New external libraries ====
* Added wikimedia/base-convert v1.0.1.
* Added wikimedia/cldr-plural-rule-parser v1.0.0.
* Added wikimedia/relpath v1.0.3.
* Added wikimedia/running-stat v1.1.0.
* Added wikimedia/php-session-serializer v1.0.3.
==== Removed and replaced external libraries ====
=== Bug fixes in 1.27 ===
* Special:Upload will now display correct maximum allowed file size when running
under HHVM (T116347).
* (T54077) The APIEditBeforeSave hook will once again give only the content of
the section being edited, rather than the whole revision. This reverts the
change made in MediaWiki 1.22.
=== Action API changes in 1.27 ===
* Added list=allrevisions.
* generator=recentchanges now has the option to generate revids.
* ApiPageSet::setRedirectMergePolicy() was added. This allows generator
modules to define how generator data for a redirect source gets merged
into the redirect destination.
* prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
"was-deleted" warning.
* Added difftotextpst to query=revisions which performs a pre-save transform on
the text before diffing it.
* Deprecated formats dbg, txt, and yaml have been removed.
* (T47988) The protect log event details now use new-style formatting.
* The following response properties from action=login are deprecated, and may
be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
handle cookies to properly manage session state.
* action=login transparently allows login using bot passwords. Clients should
merely need to change the username and password used after setting up a bot
password.
* action=upload no longer understands statuskey, asyncdownload or leavemessage.
* Several changes when $wgDisableAuthManager is false:
** action=login is deprecated for uses other than bot passwords.
** list=users can now indicate if a missing username is creatable.
** action=createaccount is changed in a non-backwards-compatible manner.
** Added action=query&meta=authmanagerinfo.
** Added action=clientlogin to be used to log into the main account instead of
action=login.
** Added action=linkaccount.
** Added action=unlinkaccount.
** Added action=changeauthenticationdata.
** Added action=removeauthenticationdata.
** Added action=resetpassword.
=== Action API internal changes in 1.27 ===
* ApiQueryORM removed.
* The following classes have been removed:
** ApiFormatDbg
** ApiFormatTxt
** ApiFormatYaml
* ApiBase::addTokenProperties() was removed (deprecated since 1.24).
* ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
* ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
* ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24).
* ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
* ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24).
* ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24).
* ApiBase::getResultProperties() was removed (deprecated since 1.24).
* ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
* ApiBase::parseErrors() was removed (deprecated since 1.24).
* ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
* ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
* ApiQuery::getGenerators() was removed (deprecated since 1.21).
* ApiQuery::getModules() was removed (deprecated since 1.21).
* ApiQuery::getModuleType() was removed (deprecated since 1.21).
* ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
* ApiMain::getModules() was removed (deprecated since 1.21).
* ApiBase::getVersion() was removed (deprecated since 1.21).
* ApiMain::getShowVersions() was removed (deprecated in 1.21).
* ApiMain::addModule() was removed (deprecated in 1.21).
* ApiMain::addFormat() was removed (deprecated in 1.21).
* ApiMain::getFormats() was removed (deprecated in 1.21).
* ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
* ApiCreateAccount was removed.
=== Languages updated in 1.27 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
* (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
=== Other changes in 1.27 ===
* Added dependency injection (DI) infrastructure, see docs/injection.txt for details.
It is planned to incrementally move MediaWiki code towards using DI, using the
service locator (SL) pattern as a stepping stone.
* ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
* WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
ignore the 2nd and 3rd arguments (formerly $id and $commit).
* Removed "loaderScripts" option from ResourceLoaderFileModule class.
* Removed ORM-like wrapper added in 1.20.
* LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
(deprecated in 1.26).
* WikiPage::doQuickEdit() was removed (deprecated since 1.21).
* Removed SiteObject and SiteArray classes (deprecated in 1.21).
* MessageBlobStore::getInstance() was removed (deprecated since 1.25).
* (T84937) Free external links ("autolinked" urls) will now be terminated
by &nbsp; and HTML entity encodings of &nbsp, <, and >.
* (T36948) The default file revert message's timestamp is now in
$wgLocaltimezone, instead of UTC.
* The default name of the 'suppress' group page has been changed from
'Project:Oversight' to 'Project:Suppress'.
* DatabaseBase::resultObject() is now protected (use outside Database classes
not necessary since 1.11).
* Calling ResourceLoaderFileModule::readStyleFiles() without a
ResourceLoaderContext instance is deprecated.
* ResourceLoader::getLessCompiler() now takes an optional parameter of
additional LESS variables to set for the compiler.
* wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
instead.
* Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
* Removed msg_resource_links database table and associated code.
* Removed msg_resource database table and associated code.
* Skin::getNamespaceNotice() was removed.
* wfIsConfiguredProxy() was removed (deprecated since 1.24).
* wfDebugTimer() was removed (deprecated since 1.25).
* wfIsTrustedProxy() was removed (deprecated since 1.24).
* wfGetIP() was removed (deprecated since 1.19).
* MWHookException was removed.
* OutputPage::appendSubtitle() was removed (deprecated since 1.19).
* OutputPage::loginToUse() was removed (deprecated since 1.19).
* Article::loadContent() was removed (deprecated since 1.19).
* User::editToken() was removed (deprecated since 1.19).
* Removed --force-normal option of dumpBackup.php, as it no longer served
any useful purpose since 1.22.
* The functions processOption() and processArgs() on the BackupDumper and
TextPassDumper classes have been removed.
* The maintenance/backupTextPass.inc file was deleted. You should include
maintenance/dumpTextPass.php instead.
* WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
* wfEmptyMsg() was removed (deprecated since 1.18).
* OutputPage::permissionRequired() was removed (deprecated since 1.18).
* OutputPage::blockedPage() was removed (deprecated since 1.18).
* User::getSkin() was removed (deprecated since 1.18).
* OutputPage::includeJQuery() was removed (deprecated since 1.17).
* WikiPage::updateRestrictions() was removed (deprecated since 1.19).
* WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
* LogPage::logName() was removed (deprecated since 1.19).
* LogPage::logHeader() was removed (deprecated since 1.19).
* wfCheckLimits() was removed (deprecated since 1.24).
* Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
* Linker::makeLinkObj() was removed (deprecated since 1.16).
* wfMsgForContentNoTrans() was removed (deprecated since 1.18).
* ChangesList::usePatrol was removed (deprecated since 1.22).
* wfMsgNoTrans() was removed (deprecated since 1.18).
* Linker::makeImageLink2 was removed (deprecated since 1.20).
* Title::userIsWatching() was removed (deprecated since 1.20).
* Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
database function directly instead.
* wfMsg() was removed (deprecated since 1.18).
* wfMsgForContent() was removed (deprecated since 1.18).
* wfMsgReal() was removed (deprecated since 1.18).
* wfMsgGetKey() was removed (deprecated since 1.18).
* wfMsgHtml() was removed (deprecated since 1.18).
* wfMsgWikiHtml() was removed (deprecated since 1.18).
* wfMsgExt() was removed (deprecated since 1.18).
* Language::armourMath() was removed (deprecated since 1.22).
* LanguageConverter::armourMath() was removed (deprecated since 1.22).
* FakeConverter::armourMath() was removed (deprecated since 1.22).
* The unused jquery.validate ResourceLoader module was removed.
* FileRepo::getRootUrl() was removed (deprecated since 1.20).
* User::generateToken() was removed (deprecated since 1.20).
* WikiPage::getRawText() was removed (deprecated since 1.21).
* ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
* ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
* ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
* Gallery images with multiple caption pipes no longer concatenate them all
together but instead pick the final one, similar to image syntax.
* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
rather than consume everything until the end of the page.
* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
a user forgot their password or their account was stolen.
* wfCheckEntropy() was removed (deprecated in 1.27).
* Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
* ContentHandler::supportsCategories method added. Default is true.
CategoryMembershipChangeJob updates are skipped for content that
does not support categories.
* The wikidiff difference engine is no longer supported; anyone still using it is encouraged
to upgrade to wikidiff2, which is actively maintained and has better package availability.
* Database logic was removed from WatchedItem and a WatchedItemStore was created:
** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated.
User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
** WatchedItem::resetNotificationTimestamp was deprecated.
** WatchedItem::batchAddWatch was deprecated.
** WatchedItem::addWatch was deprecated.
** WatchedItem::removeWatch was deprecated.
** WatchedItem::isWatched was deprecated.
** WatchedItem::duplicateEntries was deprecated.
** EmailNotification::updateWatchlistTimestamp was deprecated.
** User::getWatchedItem was removed.
* Unit tests no longer work with an external PHPUnit; Composer is now the only supported
way. Run `composer install` to install it and the other dev dependencies needed to run unit tests.
* wl_id field added to the watchlist table.
* Revision::getRawText() was removed (deprecated since 1.21).
* WikiPage::replaceSection() was removed (deprecated since 1.21).
* Article::replaceSection() was removed (deprecated since 1.21).
* Language::getLangObj() was removed (deprecated since 1.24).
* Language::getLanguageName() was removed (deprecated since 1.20).
* Language::getLanguageNames() was removed (deprecated since 1.20).
* Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
* Language::specialPage() was removed (deprecated since 1.24).
* MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
* OutputPage::getHeadItems() was removed (deprecated since 1.24).
* OutputPage::getScript() was removed (deprecated since 1.24).
* OutputPage::out() was removed (deprecated since 1.22).
* OutputPage::setAllowedModules() was removed (deprecated since 1.24).
* UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
* MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
* Title::newFromRedirect() was removed (deprecated since 1.21).
* Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
* Skin::getCommonStylePath() was removed (deprecated since 1.24).
* Skin::newFromKey() was removed (deprecated since 1.24).
* Skin::getUsableSkins() was removed (deprecated since 1.23).
* LoadBalancer::pickRandom() was removed (deprecated in 1.21).
* Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since
1.21).
* DifferenceEngine::setText() was removed (deprecated in 1.21).
* Title::newFromRedirectArray() was removed (deprecated in 1.21).
* UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType
as the 6th. These must be passed in the options array now.
* Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
* Skin::accesskey was removed (deprecated since 1.21).
* Skin::blockLink was removed (deprecated since 1.21).
* Skin::buildRollbackLink was removed (deprecated since 1.21).
* Skin::emailLink was removed (deprecated since 1.21).
* Skin::formatComment was removed (deprecated since 1.21).
* Skin::formatHiddenCategories was removed (deprecated since 1.21).
* Skin::formatLinksInComment was removed (deprecated since 1.21).
* Skin::formatRevisionSize was removed (deprecated since 1.21).
* Skin::formatSize was removed (deprecated since 1.21).
* Skin::formatTemplates was removed (deprecated since 1.21).
* Skin::generateTOC was removed (deprecated since 1.21).
* Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
* Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
* Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
* Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
* Skin::getLinkColour was removed (deprecated since 1.21).
* Skin::getRevDeleteLink was removed (deprecated since 1.21).
* Skin::getRollbackEditCount was removed (deprecated since 1.21).
* Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
* Skin::makeCommentLink was removed (deprecated since 1.21).
* Skin::makeExternalImage was removed (deprecated since 1.21).
* Skin::makeExternalLink was removed (deprecated since 1.21).
* Skin::makeHeadline was removed (deprecated since 1.21).
* Skin::makeImageLink was removed (deprecated since 1.21).
* Skin::makeMediaLinkFile was removed (deprecated since 1.21).
* Skin::makeMediaLinkObj was removed (deprecated since 1.21).
* Skin::makeSelfLinkObj was removed (deprecated since 1.21).
* Skin::makeThumbLink2 was removed (deprecated since 1.21).
* Skin::makeThumbLinkObj was removed (deprecated since 1.21).
* Skin::normaliseSpecialPage was removed (deprecated since 1.21).
* Skin::normalizeSubpageLink was removed (deprecated since 1.21).
* Skin::processResponsiveImages was removed (deprecated since 1.21).
* Skin::revComment was removed (deprecated since 1.21).
* Skin::revDeleteLink was removed (deprecated since 1.21).
* Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
* Skin::revUserLink was removed (deprecated since 1.21).
* Skin::revUserTools was removed (deprecated since 1.21).
* Skin::specialLink was removed (deprecated since 1.21).
* Skin::splitTrail was removed (deprecated since 1.21).
* Skin::titleAttrib was removed (deprecated since 1.21).
* Skin::tocIndent was removed (deprecated since 1.21).
* Skin::tocLine was removed (deprecated since 1.21).
* Skin::tocLineEnd was removed (deprecated since 1.21).
* Skin::tocList was removed (deprecated since 1.21).
* Skin::tocUnindent was removed (deprecated since 1.21).
* Skin::tooltip was removed (deprecated since 1.21).
* Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
* Skin::userTalkLink was removed (deprecated since 1.21).
* Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
* wikidiff3 is now the default and only PHP diff engine. It provides improved diff
performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore
makes no difference now. Users are still recommended to use wikidiff2 if possible,
though.
* User::addNewUserLogEntry() was deprecated.
* User::addNewUserLogEntryAutoCreate() was deprecated.
* User::isPasswordReminderThrottled() was deprecated.
* Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck)
were removed.
* Installer can now be customized without patching MediaWiki code, see
mw-config/overrides/README for details.
=== Compatibility ===
MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
=== Upgrading ===
1.27 has several database changes since 1.26, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite a long time (minutes on a medium-sized
site, many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.26.x and older releases, see HISTORY.
= MediaWiki 1.26 =
== MediaWiki 1.26.4 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.3 ===
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* (T124163) Fixed fatal error in DifferenceEngine under HHVM.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* Remove support for $wgWellFormedXml = false, all output is now well formed
== MediaWiki 1.26.3 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.2 ===
* (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
* (T123166) Fix fatal error when importing pages to titles which cannot be
created, such as invalid titles or titles the user is not allowed to edit.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to
m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after
SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primitives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in
(many?) parser tags
* (T116030) Increase pbkdf2 parameter strengths
* (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
* (T126685) Globally throttle password attempts
== MediaWiki 1.26.2 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.1 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
== MediaWiki 1.26.1 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.0 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
* Fixed stray literal \n in Special:Search.
* Fix issue that breaks HHVM Repo Authoritative mode.
* (T120267) Work around APCu memory corruption bug
== MediaWiki 1.26.0 ==
=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes['email'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
use the 'rawcontinue' parameter to receive raw query-continue data, but the
new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The "Signature" button on the edit toolbar is now hidden by default
in non-talk namespaces. A new configuration variable,
$wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
the "Signature" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
This experimental feature was never enabled by default and is obsolete as of
MediaWiki 1.26, in which ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.
* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
in extension.json) have been removed, after being deprecated in 1.24.
* $wgAlwaysUseTidy has been removed.
* ResetSessionID hook has been removed. Nothing seems to use it.
* Certain AuthPlugin methods are deprecated in favor of new hooks:
** AuthPlugin::initUser() is replaced by LocalUserCreated.
** AuthPlugin::updateUser() is replaced by UserLoggedIn.
** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
** AuthPluginUser::isHidden() is replaced by UserIsHidden.
** AuthPluginUser::isLocked() is replaced by UserIsLocked.
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows
blocked users to edit their talk pages unless explicitly disabled
when they are being blocked.
=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
"tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revived the 'SpecialSearchResultsAppend' hook, which occurs after the list of
search results is rendered. The initial use case is to append a "give us
feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to
reject an otherwise-successful parser cache lookup. The intent is to allow
extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
($wgExtendedLoginCookieExpiration) can be configured independently of the
expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
of WebP images is still disabled by default. Add $wgFileExtensions[] =
'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' &
'EnhancedChangesListModifyBlockLineData', to modify the data used to build
lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
This corresponds to a new $wgMainWANCache setting, which defaults to using
the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used
by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
page. During the deprecation period, the styles will only be loaded on pages
which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
only be loaded if explicitly required.
* If a search returns zero results and the current search engine has a "did you
mean" suggestion, results for the suggestion will be shown. This can be disabled
by setting $wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki
from the client-side. See documentation for mw.Upload and its
subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See
documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
subclasses for more information.
=== extension.json changes in 1.26 ===
* (T99344) The extension.json schema is now versioned. All extensions
and skins should set a "manifest_version" property corresponding to
the schema version they were written for. The only supported version
currently is "1".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged,
which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings
can now set a "_prefix" key to override the default of "wg".
* (T99084) Extensions can now specify what MediaWiki core versions they
depend upon.
* (T105236) The extension.json schema now validates custom classes in
the "ResourceModules" property properly.
=== External library changes in 1.26 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.
==== New external libraries ====
* Added composer/semver v1.0.0.
* Added mediawiki/at-ease v1.1.0.
* Added wikimedia/assert v0.2.2.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.
==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a "rel=discussion" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
value if set to an empty string.
=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may
use the 'rawcontinue' parameter to receive raw query-continue data, but the
new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the
tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters
to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than
revision ID. This usually won't make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of
sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random's rnredirect parameter is deprecated in favor of a new
rnfilterredir parameter that also allows for listing both redirects and
non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers,
and will honor corresponding If-None-Match and If-Modified-Since on such
requests.
=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
into the value when the value is an assoc.
* API action modules may now provide values for the RFC 7232 ETag and
Last-Modified headers. The API will check these against If-None-Match and
If-Modified-Since request headers on GET requests and avoid executing the
module when appropriate.
=== Languages updated in 1.26 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Languages added:
** ase (American sign language), thanks to translator Icemandeaf
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
मेश सिंह बोहरा, and राम प्रसाद जोशी
** luz (لئری دوٙمینی / Southern Luri)
** olo (Livvinkarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
Ilja.mos, and Mashoi7
=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message
for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
ContentHandler, to provide a way for ApiEditPage and EditPage to check
if direct editing of content is allowed. These methods return false
by default for the ContentHandler base class and true for TextContentHandler
and its derivative classes (everything in core). For Content types that
do not support direct editing, an alternative mechanism should be provided
for editing, such as action overrides or specific API modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
one function. The callback can't be called directly any more. The callback
function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to
ResourceLoaderModule::getDependencies(). Extension classes that override that
method should be updated. If they aren't updated, PHP Strict standards
warnings will appear when E_STRICT error reporting is enabled. Note: in the
near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
items that were stripped during parsing. It will use a fixed string instead.
This causes the parser to re-use the regular expressions it uses to search
and replace markers rather than generate novel expressions on each parse.
Re-using regular expressions will improve performance on HHVM and the
forthcoming PHP 7. The interface changes accompanying this change are:
- Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
- The $uniq_prefix argument for Parser::extractTagsAndParams() and the
$prefix argument for StripState::__construct() are deprecated and their
value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
mediawiki/at-ease, and are now deprecated. Callers should use
MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
instead of many optional positional arguments. Calling the constructor the old
way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
are deprecated. Applications using those can work via the OAuth
extension instead. New token types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.
= MediaWiki 1.25 =
== MediaWiki 1.25.6 ==
This is a maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.5 ===
* (T123166) Fix fatal error when importing pages to titles which cannot be
created, such as invalid titles or titles the user is not allowed to edit.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to
m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after
SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primitives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in
(many?) parser tags
* (T116030) Increase pbkdf2 parameter strengths
* (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
* (T126685) Globally throttle password attempts
== MediaWiki 1.25.5 ==
This is a maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.4 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
== MediaWiki 1.25.4 ==
This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.3 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
* (T103237) $wgUseGzip had no effect when using file cache.
* (T114606) mw.notify was not correctly fixed to the page if
initialized while not at the top of the page.
* Fix issue that breaks HHVM Repo Authoritative mode.
== MediaWiki 1.25.3 ==
This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.2 ===
* (T98975) Fix having multiple callbacks for a single hook.
* (T107632) maintenance/refreshLinks.php did not always remove all links
pointing to nonexistent pages.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
value if set to an empty string.
* (T62174) Provide fallbacks for use of mb_convert_encoding() in
HtmlFormatter. It was causing an error when accessing the api help page
if the mbstring PHP extension was not installed.
* (T105896) Confirmation emails would sometimes contain invalid codes.
* (T105597) Fixed edit stash inclusion queries.
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
first
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
== MediaWiki 1.25.2 ==
This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.1 ===
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
$wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
a "manifest_version" property for 1.26 compatibility will no longer
trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
named variable. Add an additional check that an index is defined.
== MediaWiki 1.25.1 ==
This is a bug fix release of the MediaWiki 1.25 branch.
=== Changes since 1.25 ===
* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
== MediaWiki 1.25.0 ==
=== Configuration changes in 1.25 ===
* $wgPageShowWatchingUsers was removed.
* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
* $wgAntiLockFlags was removed.
* $wgJavaScriptTestConfig was removed.
* Edit tokens returned from User::getEditToken may change on every call. Token
validity must be checked by passing the user-supplied token to
User::matchEditToken rather than by testing for equality with a
newly-generated token.
* (T74951) The UserGetLanguageObject hook may be passed any IContextSource
for its $context parameter. Formerly it was documented as receiving a
RequestContext specifically.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
See StartProfiler.sample for details.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
longer be used. If extracts and page images are desired, the TextExtracts and
PageImages extensions are required.
* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
* Edits are now prepared via AJAX as users type edit summaries. This behavior
can be disabled via $wgAjaxEditStash.
* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
with the jQuery Migrate library, as indicated when this option was provided in
MediaWiki 1.24.
* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
StartProfiler.php config is updated to reflect this. Xhprof is available
for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
rather than 'rsvg'.
* Default value of $wgSVGConverters['ImageMagick'] now uses transparent
background with white fallback color, rather than just white background.
* MediaWikiBagOStuff class removed, make sure any object cache config
uses SqlBagOStuff instead.
* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
job queues. This means that mediawiki/services/jobrunner service has to
be installed and running for any such queues to work.
* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
compatibility, any 'view' event triggers will still trigger on 'edit'.
* $wgExtensionDirectory was added for when your extensions directory is somewhere
other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
=== New features in 1.25 ===
* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
for plural forms in Russian, Prussian, Tagalog, Manx and several languages
that fall back to Russian.
* (T60139) ResourceLoaderFileModule now supports language fallback
for 'languageScripts'.
* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
parser output for a content object before links update.
* (T37785) Enhanced recent changes and extended watchlist are now default.
Documentation: https://meta.wikimedia.org/wiki/Special:MyLanguage/Help:Enhanced_recent_changes
and https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:$wgDefaultUserOptions.
* (T69341) SVG images will no longer be base64-encoded when being embedded
in CSS. This results in slight size increase before gzip compression (due to
percent-encoding), but up to 20% decrease after it.
* Update jStorage to v0.4.12.
* MediaWiki now natively supports page status indicators: icons (or short text
snippets) usually displayed in the top-right corner of the page. They have
been in use on Wikipedia for a long time, implemented using templates and CSS
absolute positioning.
- Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
- Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
- Adjusting custom skins to support indicators:
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Skinning#Page_status_indicators
* Edit tokens may now be time-limited: passing a maximum age to
User::matchEditToken will reject any older tokens.
* The debug logging internals have been overhauled, and are now using the
PSR-3 interfaces.
* Update CSSJanus to v1.1.1.
* Update lessphp to v0.5.0.
* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
and images for ApiOpenSearch output. The semantics are identical to the
"OpenSearchXml" hook provided by the OpenSearchXml extension.
* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
this allows for pagination of prefix results. Extensions using this hook
should implement supporting behavior. Not doing so can result in undefined
behavior from API clients trying to continue through prefix results.
* Update jQuery from v1.11.1 to v1.11.3.
* External libraries installed via composer will now be displayed
on Special:Version in their own section. Extensions or skins that are
installed via composer will not be shown in this section as it is assumed
they will add the proper credits to the skins or extensions section. They
can also be accessed through the API via the new siprop=libraries to
ApiQuerySiteInfo.
* Update QUnit from v1.14.0 to v1.16.0.
* Update Moment.js from v2.8.3 to v2.8.4.
* Special:Tags now allows for manipulating the list of user-modifiable change
tags.
* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
tags.
* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
"active" formerly conflated by the 'ListDefinedTags' hook.
* Added TemplateParser class that provides a server-side interface to cachable
dynamically-compiled Mustache templates (currently uses lightncandy library).
* Clickable anchors for each section heading in the content are now generated
and appear in the gutter on hovering over the heading.
* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
to allow extensions to override how links to pages are rendered within NS_CATEGORY
* (T19665) Special:WantedPages only lists pages which have at least one red link
pointing to them.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
links of a group of changes in EnhancedChangesList.
* A full interface for StatsD metric reporting has been added to the context
interface, reachable via IContextSource::getStats().
* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
proper, published library, which is now tagged as v1.0.0.
* A new message (defaulting to blank), 'editnotice-notext', can be shown to users
when they are editing if no edit notices apply to the page being edited.
* (T94536) You can now make the sitenotice appear to logged-in users only by
editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
"-" (default) will continue to disable it and fall back to MediaWiki:Sitenotice.
* Modifying the tagging of a revision or log entry is now available via
Special:EditTags. It is generally accessed via the revision-deletion-like
interface on history pages and Special:Log, which is likely to be more useful.
* Added 'applychangetags' and 'changetags' user rights.
* (T35235) LogFormatter subclasses are now responsible for formatting the
parameters for API log event output. Extensions should implement the new
getParametersForApi() method in their log formatters.
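The edit-token notes for 1.25 (tokens may change on every call, validity is checked by passing the user-supplied token to User::matchEditToken, and a maximum age may be passed) can be shown in isolation. The following is an added example, not MediaWiki's implementation: DemoTokenIssuer, its methods and the token layout (an HMAC followed by a hex timestamp) are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki's implementation. The class name, method
// names and token layout (HMAC followed by a hex timestamp) are assumptions.

final class DemoTokenIssuer {
	/** @var string Secret held server-side for one session */
	private $secret;

	public function __construct( string $secret ) {
		$this->secret = $secret;
	}

	/**
	 * Issue a token for one purpose ($salt). The issue time is part of the
	 * MAC input and of the output, so tokens issued at different times differ.
	 */
	public function issue( string $salt, ?int $now = null ): string {
		$ts = $now ?? time();
		return hash_hmac( 'sha256', $ts . ':' . $salt, $this->secret ) . dechex( $ts );
	}

	/**
	 * Validate a user-supplied token by recomputing it from the timestamp it
	 * carries, never by comparing it with a freshly issued token.
	 */
	public function matches(
		string $supplied, string $salt, ?int $maxAge = null, ?int $now = null
	): bool {
		$now = $now ?? time();
		// 64 hex digits of HMAC-SHA256, then the issue time in hex.
		if ( !preg_match( '/^[0-9a-f]{64}([0-9a-f]{1,12})$/D', $supplied, $m ) ) {
			return false;
		}
		$ts = (int)hexdec( $m[1] );
		// Rebuild the full token for that timestamp and compare in constant
		// time, so the comparison does not reveal where the strings diverge.
		if ( !hash_equals( $this->issue( $salt, $ts ), $supplied ) ) {
			return false;
		}
		// A timestamp from the future cannot come from this issuer's clock.
		if ( $ts > $now ) {
			return false;
		}
		// Optional age limit: reject tokens issued more than $maxAge seconds ago.
		return $maxAge === null || ( $now - $ts ) <= $maxAge;
	}
}

// Constructed demo values: fixed clock readings make the run repeatable.
$issuer = new DemoTokenIssuer( 'constructed-demo-secret' );
$t0 = 1700000000;
$first = $issuer->issue( 'edit', $t0 );
$second = $issuer->issue( 'edit', $t0 + 60 );
$tampered = substr_replace( $first, $first[0] === '0' ? '1' : '0', 0, 1 );

$checks = [
	'two issued tokens are the same string' => $first === $second,
	'older token, no age limit' => $issuer->matches( $first, 'edit', null, $t0 + 100 ),
	'newer token, no age limit' => $issuer->matches( $second, 'edit', null, $t0 + 100 ),
	'older token, 30 second age limit' => $issuer->matches( $first, 'edit', 30, $t0 + 100 ),
	'token presented for another purpose' => $issuer->matches( $first, 'delete', null, $t0 + 100 ),
	'token with one character changed' => $issuer->matches( $tampered, 'edit', null, $t0 + 100 ),
];
foreach ( $checks as $label => $result ) {
	printf( "%-40s %s\n", $label, var_export( $result, true ) );
}
```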
==== External libraries ====
* MediaWiki now requires certain external libraries to be installed. In the past
these were bundled inside the Git repository of MediaWiki core, but now they
need to be installed separately. For users using the tarball, this will be taken
care of and no action will be required. Users using Git will either need to use
composer to fetch dependencies or use the mediawiki/vendor repository which includes
all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
instructions can be found at:
https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
* The following libraries are now required:
** psr/log
This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
which are used by MediaWiki internally via the
MediaWiki\Logger\LoggerFactory class.
See the structured logging RfC (https://www.mediawiki.org/wiki/Special:MyLanguage/Requests_for_comment/Structured_logging)
for more background information.
** cssjanus/cssjanus
This library was formerly bundled with MediaWiki core and has been removed.
It automatically flips CSS for RTL support.
** leafo/lessphp
This library was formerly bundled with MediaWiki core and has been removed.
It compiles LESS files into CSS.
** wikimedia/cdb
This library was formerly a part of MediaWiki core, and has been moved into a separate library.
It provides CDB functions which are used in the Interwiki and Localization caches.
More information about the library can be found at https://www.mediawiki.org/wiki/Special:MyLanguage/CDB.
** liuggio/statsd-php-client
This library provides a StatsD client API for logging application metrics to a remote server.
=== Bug fixes in 1.25 ===
* (T73003) No additional code will be generated to try to load CSS-embedded
SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
* (T69021) On Special:BookSources, corrected validation of ISBNs (both
10- and 13-digit forms) containing "X".
* Page moving was refactored into a MovePage class. As part of that:
** The AbortMove hook was removed.
** MovePageIsValidMove is for extensions to specify whether a page
cannot be moved for technical reasons, and should not be overridden.
** MovePageCheckPermissions is for checking whether the given user is
allowed to make the move.
** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
** Title::moveTo() was deprecated. Use the MovePage class instead.
** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
and MovePage::checkPermissions().
* (T18530) Multiple autocomments are now formatted in an edit summary.
* (T70361) Autocomments containing "/*" are parsed correctly.
* The Special:WhatLinksHere page linked from 'Number of redirects to this page'
on action=info about a file page does not list file links anymore.
* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
* (T85192) Captcha position modified in Usercreate template. As a result:
** extrafields parameter added to Usercreate.php to insert additional data
** 'extend' method added to QuickTemplate to append additional values to any field of data array
* (T86974) Several Title methods now load from the database when necessary
(instead of returning incorrect results) even when the page ID is known.
* (T74070) Duplicate search for archived files on file upload now omits the extension.
This requires the fa_sha1 field being populated.
* Removed rel="archives" from the "View history" link, as it did not pass
HTML validation.
* $wgUseTidy is now set when parserTests are run with the tidy option to match
output on wiki.
* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
=== Action API changes in 1.25 ===
* (T67403) XML tag highlighting is now only performed for formats
"xmlfm" and "wddxfm".
* action=paraminfo supports generalized submodules (modules=query+value),
querymodules and formatmodules are deprecated
* action=paraminfo no longer outputs descriptions and other help text by
default. If needed, it may be requested using the new 'helpformat' parameter.
* action=help has been completely rewritten, and outputs help in HTML
rather than plain text.
* Hitting api.php without specifying an action now displays only the help for
the main module, with links to submodule help.
* API help is no longer displayed on errors.
* 'uselang' is now a recognized API parameter; "uselang=user" may be used to
explicitly select the language from the current user's preferences, and
"uselang=content" may be used to select the wiki's content language.
* Default output format for the API is now jsonfm.
* Simplified continuation will return a "batchcomplete" property in the result
when a batch of pages is complete.
* Pretty-printed HTML output now has nicer formatting and (if available)
better syntax highlighting.
* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
list=alldeletedrevisions.
* prop=revisions will gracefully continue when given too many revids or titles,
rather than just ignoring the extras.
* prop=revisions will no longer die if rvcontentformat doesn't match a
revision's content model; it will instead warn and omit the content.
* If the user has the 'deletedhistory' right, action=query's revids parameter
will now recognize deleted revids.
* prop=revisions may be used as a generator, generating revids.
* (T68776) format=json results will no longer be corrupted when
$wgMangleFlashPolicy is in effect. format=php results will cleanly return an
error instead of returning invalid serialized data.
* Generators may now return data for the generated pages when used with
action=query.
* Query page data for generator=search and generator=prefixsearch will now
include an "index" field, which may be used by the client for sorting the
search results.
* ApiOpenSearch now supports XML output.
* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
in JSON format.
* (T76051) list=tags will now continue correctly.
* (T76052) list=tags can now indicate whether a tag is defined.
* (T75522) list=prefixsearch now supports continuation
* (T78737) action=expandtemplates can now return page properties.
* (T78690) list=allimages now accepts multiple pipe-separated values
for the 'aimime' parameter.
* prop=info with inprop=protections will now return applicable protection types
with the 'restrictiontypes' key.
* (T85417) When resolving redirects, ApiPageSet will now add the targets of
interwiki redirects to the list of interwiki titles.
* (T85417) When outputting the list of redirect titles, a 'tointerwiki'
property (like the existing 'tofragment' property) will be set.
* Added action=managetags to allow for managing the list of
user-modifiable change tags. Actually modifying the tagging of a revision or
log entry is not implemented yet.
* list=tags has additional properties to indicate 'active' status and tag
sources.
* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
* (T88010) Added action=checktoken, to test a CSRF token's validity.
* (T88010) Added intestactions to prop=info, to allow querying of
Title::userCan() via the API.
* Default type param for query list=watchlist and list=recentchanges has
been changed from all types (e.g. including 'external') to 'edit|new|log'.
* Added formatversion to format=json. Still "experimental" as further changes
to the output formatting might still be made.
* (T73020) Log event details are now always under a 'params' subkey for
list=logevents, and a 'logparams' subkey for list=watchlist and
list=recentchanges.
* Log event details are changing formatting:
** block events now report flags as an array rather than as a comma-separated
list.
** patrol events now report the 'auto' flag as a boolean (absent/empty string
for BC formats) rather than as an integer.
** rights events now report the old and new group lists as arrays rather than
as comma-separated lists.
** merge events use new-style formatting.
** delete/event and delete/revision events use new-style formatting.
* The root node and various other nodes will now always be an object in formats
such as json that distinguish between arrays and objects.
** Except for action=opensearch where the spec requires an array.
=== Action API internal changes in 1.25 ===
* ApiHelp has been rewritten to support i18n and paginated HTML output.
Most existing modules should continue working without changes, but should do
the following:
** Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
** Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
to replace getParamDescription(). If necessary, the settings array returned
by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
message.
** Implement getExamplesMessages() to replace getExamples().
** Modules with submodules (like action=query) must have their submodules
override ApiBase::getParent() to return the correct parent object.
* The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
and will have no effect for modules using i18n messages. Use
'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
* Api formatters will no longer be asked to display the help screen on errors.
* ApiMain::getCredits() was removed. The credits are available in the
'api-credits' i18n message.
* ApiFormatBase has been changed to support i18n and syntax highlighting via
extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
has been removed.
* ApiFormatBase now always buffers. Output is done when
ApiFormatBase::closePrinter is called.
* Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
* The 'revids' parameter supplied by ApiPageSet will now count deleted
revisions as "good" if the user has the 'deletedhistory' right. New methods
ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
provided to access just the live or just the deleted revids.
* Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
to allow generators to include data in the action=query result.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
the current request was sent with the 'callback' parameter (or any future
method that breaks the same-origin policy).
* Profiling methods in ApiBase are deprecated and no longer need to be called.
* ApiResult was greatly overhauled. See inline documentation for details.
* ApiResult will automatically convert objects to strings or arrays (depending
on whether a __toString() method exists on the object), and will refuse to
add unsupported value types.
* An informal interface, ApiSerializable, exists to override the default
object conversion.
* ApiResult/ApiFormatBase "raw mode" is deprecated.
* ApiFormatXml now assumes defaults and so on instead of throwing errors when
metadata isn't set.
* (T35235) LogFormatter subclasses are now responsible for formatting log event
parameters for the API.
* Many modules have changed result data formats. While this shouldn't affect
clients not using the experimental formatversion=2, code using
ApiResult::getResultData() without the transformations for backwards
compatibility may need updating, as will code that wasn't following the old
conventions for API boolean output.
* The following methods have been deprecated and may be removed in a future
release:
** ApiBase::getDescription
** ApiBase::getParamDescription
** ApiBase::getExamples
** ApiBase::makeHelpMsg
** ApiBase::makeHelpArrayToString
** ApiBase::makeHelpMsgParameters
** ApiBase::getModuleProfileName
** ApiBase::profileIn
** ApiBase::profileOut
** ApiBase::safeProfileOut
** ApiBase::getProfileTime
** ApiBase::profileDBIn
** ApiBase::profileDBOut
** ApiBase::getProfileDBTime
** ApiBase::getResultData
** ApiFormatBase::setUnescapeAmps
** ApiFormatBase::getWantsHelp
** ApiFormatBase::setHelp
** ApiFormatBase::formatHTML
** ApiFormatBase::setBufferResult
** ApiFormatBase::getDescription
** ApiFormatBase::getNeedsRawData
** ApiMain::setHelp
** ApiMain::reallyMakeHelpMsg
** ApiMain::makeHelpMsgHeader
** ApiResult::setRawMode
** ApiResult::getIsRawMode
** ApiResult::getData
** ApiResult::setElement
** ApiResult::setContent
** ApiResult::setIndexedTagName_recursive
** ApiResult::setIndexedTagName_internal
** ApiResult::setParsedLimit
** ApiResult::beginContinuation
** ApiResult::setContinueParam
** ApiResult::setGeneratorContinueParam
** ApiResult::endContinuation
** ApiResult::size
** ApiResult::convertStatusToArray
** ApiQueryImageInfo::getPropertyDescriptions
** ApiQueryLogEvents::addLogParams
* The following classes have been deprecated and may be removed in a future
release:
** ApiQueryDeletedrevs
=== Languages updated in 1.25 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
* Languages added:
** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
** ses (Koyraboro Senni), thanks to translator Songhay.
* (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
interface language to kk where unexpected.
* The Chinese conversion table was substantially updated to fix a lot of
bugs and ensure better reading experience for different variants.
=== Other changes in 1.25 ===
* (T45591) Links to MediaWiki.org translatable help were added to indicators,
mostly in special pages. Local custom target titles can be placed in the
relevant '(namespace-X|action name|special page name)-helppage' system
message. Extensions can use the addHelpLink() function to do the same.
* The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
migration guide for creators and users of custom skins that relied on it.
* JavaScript variables 'wgFileCanRotate' and 'wgFileExtensions' are now only
available on Special:Upload.
* (T58257) Set site logo from mediawiki.skinning.interface module instead of
inline styles in the HTML.
* Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
* Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
* Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
* Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
* Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
* Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
since 1.20)
* Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
since 1.20)
* Removed 'jquery.json' module. (deprecated since 1.24)
Use the 'json' module and global JSON object instead.
* Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
Also, the former will now throw an MWException if called with one or more
arguments.
* Removed hitcounters and associated code.
* The "temp" zone of the upload repository is now considered private. If it
already exists (such as under the images/ directory), please make sure that
the directory is not web readable (e.g. via a .htaccess file).
* BREAKING CHANGE: In the XML dump format used by Special:Export and
dumpBackup.php, the <model> and <format> tags now appear before the <text>
tag, instead of after the <text> and <sha1> tags.
The new schema version is 0.10, the new schema URI is:
https://www.mediawiki.org/xml/export-0.10.xsd
* MWFunction::call() and MWFunction::callArray() were removed, having been
deprecated in 1.22.
* Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
and getInternalLinkAttributes methods in Linker, and removed
getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
* Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
* Added wgRelevantArticleId to the client-side config, for use on special pages.
* Deprecated the TitleIsCssOrJsPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Deprecated the TitleIsWikitextPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Changed parsing of variables in schema (.sql) files:
** The substituted values are no longer parsed. (Formerly, several passes
were made for each variable, so depending on the order in which variables
were defined, variables might have been found inside encoded values. This
is no longer the case.)
** Variables are no longer string encoded when the /*$var*/ syntax is used.
If string encoding is necessary, use the '{$var}' syntax instead.
** Variable names must only consist of one or more of the characters
"A-Za-z0-9_".
** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
does not exist yet variable B does, the latter may not be replaced.
However, this difference is unlikely to arise in practice.
* (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
characters on both sides.
* The FormatAutocomments hook will now receive $pre and $post as booleans,
rather than as strings that must be prepended or appended to $comment.
* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
newlines; but they can contain &nbsp; and other non-newline whitespace.
* The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
relied on this behavior, update your scripts' dependencies.
* HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
** HTMLForm::isVForm() is now deprecated.
** You can no longer do this:
    $form = new HTMLForm( … );
    $form->setDisplayFormat( 'vform' ); // throws exception
Instead, do this:
    $form = HTMLForm::factory( 'vform', … );
* Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
* BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
* (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
renders them incorrectly when combined with border-radius or background-size.
* Removed maintenance script dumpSisterSites.php.
* DatabaseBase class constructors must be called using the array argument style.
Ideally, DatabaseBase::factory() should be used instead in most cases.
* Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
since they interfere with caching of ParserOutput objects.
* Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
* Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
updates when a page is re-rendered.
* EditPage::attemptSave has been modified not to call handleStatus itself and
instead just returns the Status object. Extensions calling it should be aware of
this.
* Removed class DBObject. (unused since 1.10)
* wfDiff() is deprecated.
* The -m (maximum replication lag) option of refreshLinks.php was removed.
It had no effect since MediaWiki 1.18 and should be removed from any cron
jobs or similar scripts you may have set up.
* (T85864) The following messages no longer support raw html: redirectto,
thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
protect-summary-cascade
* All BloomCache related code has been removed. This was largely experimental.
* $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
can only be set for the entire skin.
* Removed global function swap(). (deprecated since 1.24)
* Deprecated the ".php5" file extension entry points and the $wgScriptExtension
configuration variable. Refer to the ".php" files instead. If you want
".php5" URLs to continue to work, set up redirects. In Apache, this can be
done by enabling mod_rewrite and adding the following rules to your
configuration:
    RewriteEngine On
    RewriteBase /
    RewriteRule ^(.*)\.php5 $1.php [R=301,L]
* The global importScriptURI and importStylesheetURI functions, as well as the
loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
warnings through mw.log.warn when accessed.
= MediaWiki 1.24 =
== MediaWiki 1.24.6 ==
This is a maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.5 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
== MediaWiki 1.24.5 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.24.4 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
* (T103237) $wgUseGzip had no effect when using file cache.
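The $wgArticlePath rule in the T117899 note above can be checked against the four values the note quotes. This is an added example, not MediaWiki's code: the function names are hypothetical, the URL building is simplified, and the page title is constructed. It shows where the title text lands in the generated href for each value and what a URL parser then takes as the scheme.

```php
<?php
// Added illustration, not MediaWiki's code. Function names are hypothetical
// and the URL building is simplified.

/** The rule from the note: start with a slash or with http:// or https://. */
function articlePathIsAcceptable( string $articlePath ): bool {
	return preg_match( '!^(?:https?://|/)!', $articlePath ) === 1;
}

/** Expand the $1 placeholder with an encoded title, keeping ':' readable. */
function expandArticlePath( string $articlePath, string $title ): string {
	$encoded = str_replace( '%3A', ':', rawurlencode( $title ) );
	return str_replace( '$1', $encoded, $articlePath );
}

/** What a URL parser takes as the scheme of the generated href, if any. */
function schemeSeenByParser( string $href ): string {
	$parts = parse_url( $href );
	return is_array( $parts ) && isset( $parts['scheme'] ) ? $parts['scheme'] : '(none)';
}

// The four values quoted in the release note, with a constructed page title
// whose namespace prefix ends in a colon.
$title = 'Help:Contents';
$candidates = [ 'http://my.wiki.com/wiki/$1', '/wiki/$1', '$1', 'wiki/$1' ];

foreach ( $candidates as $articlePath ) {
	$href = expandArticlePath( $articlePath, $title );
	printf(
		"%-28s accepted=%-5s href=%-40s scheme=%s\n",
		$articlePath,
		var_export( articlePathIsAcceptable( $articlePath ), true ),
		$href,
		schemeSeenByParser( $href )
	);
}
```

With an accepted value the scheme and leading path of every generated link are fixed by the administrator; with a bare "$1" the href begins with text taken from the page title.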
== MediaWiki 1.24.4 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.3 ===
* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
* (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
update.php to fix.
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
first
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
== MediaWiki 1.24.3 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.2 ===
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* Update jQuery from v1.11.2 to v1.11.3.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
== MediaWiki 1.24.2 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.1 ===
* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
to prevent various DoS attacks.
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
likelihood of DoS.
* (T88310) SECURITY: Always expand xml entities when checking SVGs.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
using PBKDF2.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
prevent XSS and protect viewer's privacy.
* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
loading these special pages when $wgAutoloadAttemptLowercase is false.
* (bug T70087) Fix Special:ActiveUsers page for installations using
PostgreSQL.
* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
and running update.php to fix.
== MediaWiki 1.24.1 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.0 ===
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
could lead to XSS. Permission to edit MediaWiki namespace is required to
exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
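
The matching flaw described in the T77028 entry above, as an added example (not MediaWiki's own code; the function names and sample origins are hypothetical). An allow-list pattern tested anywhere in the Origin value accepts a host that merely contains an allowed domain, while a pattern anchored to the whole value rejects it.

```php
<?php
// Added illustration, not MediaWiki's implementation.
// originRegex() and originAllowed() are hypothetical helper names.

/**
 * Turn an allow-list entry into a regex.
 * '*' matches any run of characters, '?' matches a single character.
 */
function originRegex(string $pattern, bool $anchored): string {
    $body = str_replace(['\*', '\?'], ['.*?', '.'], preg_quote($pattern, '/'));
    return $anchored
        ? '/^https?:\/\/' . $body . '$/'  // the whole Origin value must match
        : '/https?:\/\/' . $body . '/';   // weak: a match anywhere is accepted
}

/** Return true if $origin matches any entry of the allow-list. */
function originAllowed(string $origin, array $allowed, bool $anchored): bool {
    foreach ($allowed as $pattern) {
        if (preg_match(originRegex($pattern, $anchored), $origin) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: an allow-list and some Origin header values.
$allowed = ['example.org', '*.example.org'];
$origins = [
    'https://example.org',                // allowed domain itself
    'https://en.example.org',             // allowed subdomain
    'https://example.org.attacker.test',  // allowed domain is only a prefix
    'https://unrelated.test',             // negative control
];

foreach ($origins as $origin) {
    printf(
        "%-36s unanchored=%-5s anchored=%s\n",
        $origin,
        var_export(originAllowed($origin, $allowed, false), true),
        var_export(originAllowed($origin, $allowed, true), true)
    );
}
```

Only the third origin is treated differently by the two modes: the unanchored check accepts it and the anchored check rejects it.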
== MediaWiki 1.24.0 ==
=== Configuration changes in 1.24 ===
* MediaWiki will no longer run if register_globals is enabled. It has been
deprecated for 5 years now, and was removed in PHP 5.4. For more information
about why, see <https://www.mediawiki.org/wiki/register_globals>.
* MediaWiki now requires PHP's iconv extension. openSUSE users may need to
install the php5-iconv package. Users of other systems may need to add
extension=iconv.so to php.ini or recompile PHP without --without-iconv.
* MediaWiki will no longer function if magic quotes are enabled. It has
been deprecated for 5 years now, and was removed in PHP 5.4.
* The server's canonical hostname is available as $wgServerName, which is
exposed in both mw.config and ApiQuerySiteInfo.
* Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
for using the old schema of the page_props table, in case the respective
schema update was not applied.
* $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything'
user option was removed. Use $wgNamespacesToBeSearchedDefault instead if
you used to have $wgDefaultUserOptions['searcheverything'] = 1.
* $wgMasterWaitTimeout has been deprecated.
* $wgDBClusterTimeout has been removed.
* $wgProxyKey has been removed. It is no longer used by MediaWiki core.
Ensure $wgSecretKey is set in LocalSettings.php.
* $wgExtraInterlanguageLinkPrefixes is a new configuration variable that
contains an array of interwiki prefixes that should be treated as language
prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set
to true).
* $wgParserTestRemote has been removed.
* $wgCountTotalSearchHits has been removed. If you're concerned about efficiency
of search, you should use something like CirrusSearch instead of the built-in
search.
* Users in the 'sysop' group have access to Special:MergeHistory by default.
* $wgFileStore was removed after having been deprecated in 1.17. Alternative
configurations are $wgDeletedDirectory and $wgHashedUploadDirectory.
* The deprecated $wgUseCommaCount variable has been removed.
* $wgEnableSorbs and $wgSorbsUrl have been removed.
* The UserCryptPassword and UserComparePassword hooks are no longer called.
Any extensions using them must be updated to use the Password Hashing API.
* $wgCompiledFiles has been removed.
* $wgSortSpecialPages was removed, the listing on Special:SpecialPages is