| == MediaWiki 1.27.7 == |
| |
| This is a maintenance release of the MediaWiki 1.27 branch. |
| |
| === Changes since MediaWiki 1.27.6 === |
| * Add missing `use MediaWiki\MediaWikiServices;` to LogEventsList.php. |
| * Remove broken tests from ApiBlockTest.php. |
| |
| == MediaWiki 1.27.6 == |
| |
| This is a security and maintenance release of the MediaWiki 1.27 branch. |
| |
| === Changes since MediaWiki 1.27.5 === |
| * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query all |
| titles when asked for none. |
| * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested libraries. |
| * (T207241) Augment precision of updatelist time. |
| * (T207540) Include IP address in "Login for $1 succeeded" log entry. |
| * (T205765) Don't link to the obsolete "Extension Matrix" page in installer. |
| * (T207603) SECURITY: User JS may no longer be loaded with mime type text/javascript if |
| there is no account associated with the username. |
| * (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME type if |
| non-admins can edit the page. |
| * (T207541) Pass email address to mail(). |
| * (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself. |
| * (T213359) Update mediawiki/mediawiki-codesniffer to 0.8.1. |
| * (T208871) The hard-coded Google search form on the database error page was |
| removed. |
| * (T216968) Return pageid as int in both list=iwbacklinks and list=langbacklinks. |
| * (T218608) Fix an issue that prevents Extension:OAuth working when |
| $wgBlockDisablesLogin is true. |
| * (T219728) Added support for new Japanese era name "Reiwa". |
| * (T25227) SECURITY: action=logout now requires a POST request with a CSRF token. |
| * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when |
| reauthenticating. |
| * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if |
| getLoginSecurityLevel() returns non-false. |
| * (T197279) SECURITY: Fix reauth in Special:ChangeEmail. |
| * (T208881) SECURITY: blacklist CSS var(). |
| * (T209794) SECURITY: rate-limit and prevent blocked users from changing email. |
| * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block. |
| * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query. |
| * (T222036, T222038) SECURITY: Add permission check that the user is permitted to |
| view the log type. |
| * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358. |
| |
| == MediaWiki 1.27.5 == |
| |
| This is a security and maintenance release of the MediaWiki 1.27 branch. |
| |
| === Changes since 1.27.4 === |
| * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides |
| 'newbie'. |
| * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's |
| account lock. |
| * Upgraded Moment.js from v2.8.4 to v2.19.3. |
| * (T160298) Fixed Special:ActiveUsers due to bad backport. |
| * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array. |
| * Updated list of SPDX licenses for extensions. |
| * (T189567) the CLI installer (maintenance/install.php) learned to detect and |
| include extensions. Pass --with-extensions to enable that feature. |
| * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds(). |
| * Add default edit rate limit of 90 edits/minute for all users. |
| * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported. |
| * (T196672) The mtime of extension.json files is now able to be zero. |
| * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook. |
| * (T180403) Validate $length in padleft/padright parser functions. |
| * (T143790) Make $wgEmailConfirmToEdit only affect edit actions. |
| * Special:BotPasswords now requires reauthentication. |
| * (T191608, T187638) Add 'logid' parameter to Special:Log. |
| * (T193829) Indicate when a Bot Password needs reset. |
| * (T151415) Log email changes. |
| * (T118420) Unbreak Oracle installer. |
| |
| == MediaWiki 1.27.4 == |
| This is a security and maintenance release of the MediaWiki 1.27 branch. |
| |
| === Changes since 1.27.3 === |
| * (T100085) Better handling of jobs execution in post-connection shutdown. |
| * (T141604) Support conditionally registered namespaces. |
| * (T167798) Fix highlighting for phrase queries and phrase search. |
| * (T151136) Provide credits information to callbacks. |
| * (T160462) Allow namespaces defined in extension.json to be overwritten locally. |
| * (T168856) Allow SVGs created by Dia to be uploaded. |
| * (T144705) (T148662) Password reset link is no longer shown when no reset options are |
| available. |
| * (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support. |
| * (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC |
| policies. |
| * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core. |
| * (T175439) Unbreak Postgres Updater when setting defaults for a column. |
| * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. |
| * (T142304) Allow putting the app ID in the password for bot passwords. |
| * Updated dev dependency phpunit/phpunit from v4.8.24 to v4.8.36. |
| * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser |
| sends non-standard url escaping. |
| * (T165846) SECURITY: BotPassword login attempts weren't throttled. |
| * (T128209) SECURITY: Reflected File Download from api.php. |
| * (T134100) SECURITY: Do not reveal if user exists during login failure. |
| * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. |
| * (T125163) SECURITY: Make anchor for headlines escape > and <. |
| * (T180237) SECURITY: Protect vendor folder with .htaccess. |
| * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. |
| * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. |
| * (T119158) SECURITY: Handle -{}- syntax in attributes safely. |
| |
| == MediaWiki 1.27.3 == |
| Due to a packaging error, the wrong version of the SyntaxHighlight extension was |
| included in the tarball version of MediaWiki 1.27.2. The version included had a |
| serious security issue in it (T158689). There were also some minor code fixes in |
| MediaWiki itself since 1.27.2, but none of them were security relevant. |
| |
| === Changes since 1.27.2 === |
| * (T145664) Fix broken wincache merge() implementation |
| * (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility |
| * (T153505) Fix php warnings on php 7.1 due to use of &$this |
| |
| == MediaWiki 1.27.2 == |
| This is a security and maintenance release of the MediaWiki 1.27 branch. |
| |
| ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as |
| deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0 |
| was released. |
| |
| === Changes since 1.27.1 === |
| |
| * (T68404) CSS3 attr() function with url type argument is no longer allowed |
| in inline styles. |
| * $wgRunJobsAsync is now false by default (T142751). This change only affects |
| wikis with $wgJobRunRate > 0. |
| * (T152717) Better escaping for PHP mail() command |
| * Submitting the lgtoken and lgpassword parameters in the query string to |
| action=login is now deprecated and outputs a warning. They should be submitted |
| in the POST body instead. |
| * Submitting sensitive authentication request parameters to action=clientlogin, |
| action=createaccount, action=linkaccount, and action=changeauthenticationdata |
| in the query string is now deprecated and outputs a warning. They should be |
| submitted in the POST body instead. |
| * (T158766) Avoid SQL error on MSSQL when using selectRowCount() |
| * (T145635) Fix too long index error when installing with MSSQL. |
| * (T156184) $wgRawHtml will no longer apply to internationalization messages. |
| * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. |
| * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect |
| to interwiki links. |
| * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when |
| $wgAdvancedSearchHighlighting is true. |
| * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep |
| their values out of the logs. |
| * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF |
| token. |
| * (T156184) SECURITY: Escape content model/format url parameter in message. |
| * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD |
| declaration. |
| * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory |
| in its fallback chain when trying to work out where to write the cache. |
| * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion |
| syntax's link parameter. |
| * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against |
| it. |
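An added example (not part of the MediaWiki release notes or code base): an access-log audit that finds API clients still sending the parameters deprecated above in the query string, where they are recorded by the web server. The log lines are constructed, and the `password`/`retype` names for the AuthManager-based modules are assumptions, since the notes name only `lgtoken` and `lgpassword`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the release notes name for action=login.
LOGIN_PARAMS = {"lgpassword", "lgtoken"}
# Assumed field names for the AuthManager-based modules; the notes only say
# "sensitive authentication request parameters", so adjust to your providers.
AUTHMANAGER_PARAMS = {"password", "retype"}

SENSITIVE_BY_ACTION = {
    "login": LOGIN_PARAMS,
    "clientlogin": AUTHMANAGER_PARAMS,
    "createaccount": AUTHMANAGER_PARAMS,
    "linkaccount": AUTHMANAGER_PARAMS,
    "changeauthenticationdata": AUTHMANAGER_PARAMS,
}

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, made-up secrets).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2017:10:00:01 +0000] "POST /w/api.php?action=login'
    '&lgname=ExampleBot&lgpassword=constructed-secret&format=json HTTP/1.1" '
    '200 312 "-" "example-bot/1.0"',
    '192.0.2.11 - - [01/Apr/2017:10:00:05 +0000] "POST /w/api.php?action=login'
    '&format=json HTTP/1.1" 200 298 "-" "example-bot/2.0"',
    '192.0.2.12 - - [01/Apr/2017:10:00:09 +0000] "GET /w/api.php?action=query'
    '&meta=siteinfo&format=json HTTP/1.1" 200 4120 "-" "example-tool/0.3"',
    '192.0.2.13 - - [01/Apr/2017:10:00:12 +0000] "POST /w/api.php?action=clientlogin'
    '&username=Example&password=constructed-secret&format=json HTTP/1.1" '
    '200 355 "-" "example-app/4.1"',
    '192.0.2.14 - - [01/Apr/2017:10:00:20 +0000] "GET /w/index.php?title=Main_Page '
    'HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
]


def find_query_string_credentials(log_lines, api_path="/api.php"):
    """Return one finding per log line whose API request carries a sensitive
    parameter in the URL instead of the POST body."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith(api_path):
            continue
        # dict() keeps the last value of a repeated key, as PHP does.
        query = dict(parse_qsl(url.query, keep_blank_values=True))
        sensitive = SENSITIVE_BY_ACTION.get(query.get("action", ""))
        if not sensitive:
            continue
        leaked = sorted(sensitive & query.keys())
        if leaked:
            findings.append({
                "line": lineno,
                "method": match.group("method"),
                "action": query["action"],
                "params": leaked,
            })
    return findings


def redact(line):
    """Mask sensitive parameter values so a report does not repeat the secret."""
    names = "|".join(sorted(LOGIN_PARAMS | AUTHMANAGER_PARAMS))
    return re.sub(r'([?&](?:%s)=)[^&\s"]*' % names, r"\1[REDACTED]", line)


if __name__ == "__main__":
    for finding in find_query_string_credentials(SAMPLE_LOG):
        print(finding)
        print("  " + redact(SAMPLE_LOG[finding["line"] - 1]))
```

Any credential found this way should be treated as exposed to everyone with access to the logs and rotated after the client is fixed.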
| |
| == MediaWiki 1.27.1 == |
| |
| This is a maintenance release of the MediaWiki 1.27 branch. |
| |
| === Changes since 1.27.0 === |
| * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests |
| made by MediaWiki via a proxy. Relying on the http_proxy environment |
| variable is no longer supported. |
| * (T139565) SECURITY: API: Generate head items in the context of the given title |
| * (T137264) SECURITY: XSS in unclosed internal links |
| * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks |
| * (T133147) SECURITY: Require login to preview user CSS pages |
| * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is |
| the top file |
| * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in |
| permissions |
| * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true |
| * (T115333) SECURITY: Check read permission when loading page content in ApiParse |
| * (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed |
| * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights() |
| |
| == MediaWiki 1.27 == |
| |
| === PHP version requirement === |
| As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility |
| section). Additionally, the following PHP extensions are required: |
| * ctype |
| * iconv |
| * json |
| * mbstring (new requirement in 1.27) |
| * xml |
| The following PHP extensions are strongly recommended: |
| * openssl |
| |
| === Configuration changes in 1.27 === |
| * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed, |
| now always enabled. If you use RDFa on your wiki, you now have to explicitly |
| set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'. |
| * $wgUseLinkNamespaceDBFields was removed. |
| * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and |
| $wgResourceLoaderMinifierMaxLineLength, because there was little value in |
| making the behavior configurable. The default values (`false` for the former, |
| 1000 for the latter) are now hard-coded. |
| * $wgDebugDumpSqlLength was removed (deprecated in 1.24). |
| * $wgDebugDBTransactions was removed (deprecated in 1.20). |
| * $wgUseXVO has been removed, as it provides functionality only used by |
| custom Wikimedia patches against Squid 2.x that probably no one uses in |
| production anymore. There is now $wgUseKeyHeader that provides similar |
| functionality but instead of the MediaWiki-specific X-Vary-Options header, |
| uses the draft Key header standard. |
| * $wgScriptExtension (and support for '.php5' entry points) was removed. See the |
| deprecation notice in the release notes for version 1.25 for advice on how to |
| preserve support for '.php5' entry points via URL rewriting. |
| * Password handling via the User object has been deprecated and partially |
| removed, pending the future introduction of AuthManager. In particular: |
| ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and |
| getPasswordExpired() have been removed. They were unused outside of core. |
| ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are |
| now private and will be removed in the future. |
| ** The getPassword() and getTemporaryPassword() methods now throw |
| BadMethodCallException and will be removed in the future. |
| ** The ability to pass 'password' and 'newpassword' to createNew() has been |
| removed. The only users of it seem to have been using it to set invalid |
| passwords, and so shouldn't be greatly affected. |
| ** setPassword(), setInternalPassword(), and setNewpassword() have been |
| deprecated, pending the introduction of AuthManager. |
| ** User::randomPassword() is deprecated in favor of a new method |
| PasswordFactory::generateRandomPasswordString() |
| ** User::getPasswordFactory() is deprecated, callers should just create a |
| PasswordFactory themselves. |
| ** A new constructor, User::newSystemUser(), has been added to simplify the |
| creation of passwordless "system" users for logged actions. |
| * $wgMaxSquidPurgeTitles was removed. |
| * $wgAjaxWatch was removed. This is now enabled by default. |
| * $wgUseInstantCommons now hotlinks Commons images by default instead of |
| downloading originals and thumbnailing them locally. This allows wikis to save |
| on CPU and bandwidth while reducing time to first byte for pages, even without |
| a thumbnail handler. See $wgForeignFileRepos documentation for tweaks. |
| * (T27397) WebP is enabled by default as an uploadable filetype. |
| * (T48998) $wgArticlePath must now be either a full url, or start with a "/". |
| * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead. |
| * Deprecated API formats dbg, txt, and yaml have been removed. |
| * CLDRPluralRule* classes have been replaced with |
| wikimedia/cldr-plural-rule-parser. |
| * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort, |
| $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID, |
| $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20). |
| * For proper operation of LocalIdLookup with shared user tables, ensure that |
| $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki |
| that all others are sharing from and that $wgLocalDatabases is set to the |
| full list of sharing wikis on all those wikis. |
| * Massive overhaul to session handling: |
| ** $wgSessionsInObjectCache is no longer supported and must be true, due to |
| MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer |
| used. |
| ** ObjectCacheSessionHandler is removed, replaced with |
| MediaWiki\Session\PhpSessionHandler. |
| ** PHP session handling in general ($_SESSION, session_id(), and so on) is |
| deprecated. Use MediaWiki\Session\SessionManager instead. A new config |
| variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to |
| issue a deprecation warning or to cause most PHP session handling to throw |
| exceptions. |
| ** Deprecated UserSetCookies hook. Session-handling extensions should generally |
| be creating a custom subclass of CookieSessionProvider. Other extensions |
| messing with cookies can no longer count on user data being saved in cookies |
| versus other methods. |
| ** Deprecated UserLoadFromSession hook, extensions should create a |
| MediaWiki\Session\SessionProvider. |
| ** The User cannot be loaded from session until after Setup.php completes. |
| Attempts to do so will be ignored and the User will remain unloaded. |
| ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses |
| the MediaWiki\Session\Token class. |
| * MediaWiki will now auto-create users as necessary, removing the need for |
| extensions to do so. An 'autocreateaccount' right is added to allow |
| auto-creation when 'createaccount' is not granted to all users. |
| * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated. |
| * Most cookie-handling methods in User are deprecated. |
| * $wgAllowAsyncCopyUploads and $wgCopyUploadAsyncTimeout were removed. This was an |
| experimental feature that has never worked. |
| * Login and createaccount tokens now vary by timestamp. |
| * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() |
| return a MediaWiki\Session\Token, and tokens must be checked using that |
| class's methods. |
| * $wgEnotifUseJobQ was removed and the job queue is always used. |
| * The functionality of the ApiSandbox extension has been merged into core. The |
| extension should no longer be used. |
| * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26). |
| Extensions, skins, gadgets and scripts that use the mediawiki.util module must |
| express a dependency on it. |
| * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false. |
| Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits |
| module should express a dependency on it. |
| * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use |
| $wgFooterIcons['copyright']['copyright'] instead. |
| * If the openssl and mcrypt PHP extensions are both unavailable, secure |
| session storage (used for login) will raise an exception. This exception may |
| be bypassed by setting $wgSessionInsecureSecrets = true. |
| * Massive overhaul to authentication: |
| ** AuthPlugin and AuthPluginUser are deprecated. |
| ** LoginForm and associated templates are deprecated. Extensions which called |
| static LoginForm methods should be converted into authentication providers. |
| ** The following hooks are deprecated: |
| *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead) |
| *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead) |
| *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead) |
| *** AddNewAccount (use LocalUserCreated instead) |
| *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead) |
| *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels) |
| *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead) |
| *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead) |
| *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead) |
| ** The following hooks are removed: |
| *** AbortChangePassword |
| *** LoginPasswordResetMessage |
| *** PrefsPasswordAudit |
| ** The UserLoginComplete hook will no longer be called for all logins, only for |
| those via the web UI. Use UserLoggedIn if you need to do something on all |
| logins. |
| ** $wgRequirePasswordforEmailChange is removed. |
| * $wgWellFormedXml has been removed. |
| |
| === New features in 1.27 === |
| * $wgDataCenterUpdateStickTTL was also added. This decides how long a user |
| sticks to the primary DC (via cookies) after they make changes to the site. |
| * Added a new hook, 'UserMailerTransformContent', to transform the contents |
| of an email. This is similar to the EmailUser hook but applies to all mail |
| sent via UserMailer. |
| * Added a new hook, 'UserMailerTransformMessage', to transform the contents |
| of an email after MIME encoding. |
| * Added a new hook, 'UserMailerSplitTo', to control which users have to be |
| emailed separately (i.e. there is a single address in the To: field) so |
| user-specific changes to the email can be applied safely. |
| * $wgCdnMaxageLagged was added, which limits the CDN cache TTL |
| when any load balancer uses a DB that is lagged beyond the 'max lag' |
| setting in the relevant section of $wgLBFactoryConf. |
| * User::newSystemUser() may be used to simplify the creation of passwordless |
| "system" users for logged actions from scripts and extensions. |
| * Extensions can now return detailed error information via the API when |
| preventing user actions using 'getUserPermissionsErrors' and similar hooks |
| by using ApiMessage instances instead of strings for the $result value. |
| * $wgAPIMaxLagThreshold was added to limit bot changes when database lag |
| becomes too high. |
| * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex) |
| and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create |
| cross-browser-compatible FlexBox rules. Users will still need to add fallback |
| float rules or the like for compatibility with IE9- separately. |
| * Added MWTimestamp::getTimezoneString() which returns the localized timezone |
| string, if available. To localize this string, see the comments of |
| $wgLocaltimezone in includes/DefaultSettings.php. |
| * Added CentralIdLookup, a service that allows extensions needing a concept of |
| "central" users to get that without having to know about specific central |
| authentication extensions. |
| * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions. |
| Regular web request transactions that take longer than this are aborted. |
| * Added a new hook, 'TitleMoveCompleting', which runs before a page move is |
| committed. |
| * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs |
| from CDN to mitigate DB replication lag and WAN cache purge lag. |
| * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type |
| if it is available. |
| * It is now possible to patrol file uploads (both for new files and new versions |
| of existing files). Special:NewFiles has gained an option to filter by patrol |
| status. This functionality can be disabled using $wgUseFilePatrol. |
| * MediaWiki\Session infrastructure allows for easier use of session mechanisms |
| other than the usual cookies. |
| ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking |
| custom session metadata. |
| * Added MWGrants and associated configuration settings $wgGrantPermissions and |
| $wgGrantPermissionGroups to hold configuration for authentication features |
| such as OAuth that want to allow restricting the user rights a user may make |
| use of. |
| ** If you're already using the OAuth extension, these new variables are |
| identical to (and will replace) $wgMWOAuthGrantPermissions and |
| $wgMWOAuthGrantPermissionGroups. |
| * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g. |
| to assert that the request comes from a particular IP range. |
| * Added bot passwords, a rights-restricted login mechanism for API-using bots. |
| * Whitelisted the following HTML attributes for all elements in wikitext: |
| aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns. |
| * Removed "presentation" restriction on the HTML role attribute in wikitext. |
| All values are now allowed for the role attribute. |
| * $wgContentHandlers now also supports callbacks to create an instance of the |
| appropriate ContentHandler subclass. |
| * Added $wgAuthenticationTokenVersion, which if non-null prevents the |
| user_token database field from being exposed in cookies. Setting this would |
| be a good idea, but will log out all current sessions. |
| * $wgEventRelayerConfig was added, for managing PubSub event relay configuration, |
| specifically for reliable CDN url purges. |
| * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when |
| MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly- |
| generated 24-character string. This request ID is used to annotate log records |
| and error messages. It is available client-side via mw.config.get( 'wgRequestId' ). |
| The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId() |
| is deprecated. |
| * (T33313) Add a preference for watching uploads by default, also applies |
| to API-based upload tools. |
| * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image |
| thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth |
| savings versus the previous behavior on many files. |
| * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible |
| configuration of multiple authentication pieces than was possible with |
| AuthPlugin. For example, it's now easy to plug in second-factor |
| authentication, or add additional checks to the login process, or to support |
| multiple login methods at once, or to support non-password-based login methods. |
| ** Providers are configured via the global setting $wgAuthManagerConfig. |
| ** New hook, AuthChangeFormFields, to adjust the form fields on |
| AuthManager-related special pages. |
| ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of |
| AuthManager-related authentication requests. |
| ** New hook, ChangeAuthenticationDataAudit, for additional logging of |
| AuthManager-related authentication data changes. |
| ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism |
| for requiring a recent login before taking security-sensitive operations |
| like changing a password. |
| ** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist |
| can be used to prevent the web UI and the API changing certain authentication data. |
| * The file upload dialog (available if you install WikiEditor or VisualEditor) |
| can now be configured using $wgUploadDialog. |
| |
| === External library changes in 1.27 === |
| |
| ==== Upgraded external libraries ==== |
| * Updated oojs/oojs-ui from v0.12.12 to v0.13.3. |
| * Updated composer/semver from v1.0.0 to v1.2.0. |
| * Updated liuggio/statsd-php-client to 1.0.18. |
| * Updated QUnit from v1.18.0 to v1.22.0. |
| |
| ==== New external libraries ==== |
| * Added wikimedia/base-convert v1.0.1. |
| * Added wikimedia/cldr-plural-rule-parser v1.0.0. |
| * Added wikimedia/relpath v1.0.3. |
| * Added wikimedia/running-stat v1.1.0. |
| * Added wikimedia/php-session-serializer v1.0.3. |
| |
| ==== Removed and replaced external libraries ==== |
| |
| === Bug fixes in 1.27 === |
| * Special:Upload will now display correct maximum allowed file size when running |
| under HHVM (T116347). |
| * (T54077) The APIEditBeforeSave hook will once again give only the content of |
| the section being edited, rather than the whole revision. This reverts the |
| change made in MediaWiki 1.22. |
| |
| === Action API changes in 1.27 === |
| * Added list=allrevisions. |
| * generator=recentchanges now has the option to generate revids. |
| * ApiPageSet::setRedirectMergePolicy() was added. This allows generator |
| modules to define how generator data for a redirect source gets merged |
| into the redirect destination. |
| * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of |
| "was-deleted" warning. |
| * Added difftotextpst to query=revisions which performs a pre-save transform on |
| the text before diffing it. |
| * Deprecated formats dbg, txt, and yaml have been removed. |
| * (T47988) The protect log event details now use new-style formatting. |
| * The following response properties from action=login are deprecated, and may |
| be removed in the future: lgtoken, cookieprefix, sessionid. Clients should |
| handle cookies to properly manage session state. |
| * action=login transparently allows login using bot passwords. Clients should |
| merely need to change the username and password used after setting up a bot |
| password. |
| * action=upload no longer understands statuskey, asyncdownload or leavemessage. |
| * action=login is deprecated for uses other than bot passwords. |
| * list=users can now indicate if a missing username is creatable. |
| * action=createaccount is changed in a non-backwards-compatible manner. |
| * Added action=query&meta=authmanagerinfo. |
| * Added action=clientlogin to be used to log into the main account instead of |
| action=login. |
| * Added action=linkaccount. |
| * Added action=unlinkaccount. |
| * Added action=changeauthenticationdata. |
| * Added action=removeauthenticationdata. |
| * Added action=resetpassword. |
| * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep |
| their values out of the logs. |
| |
| === Action API internal changes in 1.27 === |
| * ApiQueryORM removed. |
| * The following classes have been removed: |
| ** ApiFormatDbg |
| ** ApiFormatTxt |
| ** ApiFormatYaml |
| * ApiBase::addTokenProperties() was removed (deprecated since 1.24). |
| * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24). |
| * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24). |
| * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24). |
| * ApiBase::getPossibleErrors() was removed (deprecated since 1.24). |
| * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24). |
| * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24). |
| * ApiBase::getResultProperties() was removed (deprecated since 1.24). |
| * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24). |
| * ApiBase::parseErrors() was removed (deprecated since 1.24). |
| * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and |
| ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24). |
| * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24). |
| * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25). |
| * ApiQuery::getGenerators() was removed (deprecated since 1.21). |
| * ApiQuery::getModules() was removed (deprecated since 1.21). |
| * ApiQuery::getModuleType() was removed (deprecated since 1.21). |
| * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24). |
| * ApiMain::getModules() was removed (deprecated since 1.21). |
| * ApiBase::getVersion() was removed (deprecated since 1.21). |
| * ApiMain::getShowVersions() was removed (deprecated in 1.21). |
| * ApiMain::addModule() was removed (deprecated in 1.21). |
| * ApiMain::addFormat() was removed (deprecated in 1.21). |
| * ApiMain::getFormats() was removed (deprecated in 1.21). |
| * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21). |
| * ApiCreateAccount was removed. |
| |
| === Languages updated in 1.27 === |
| |
| MediaWiki supports over 350 languages. Many localisations are updated |
| regularly. Below only new and removed languages are listed, as well as |
| changes to languages because of Phabricator reports. |
| |
| * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale. |
| * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage. |
| |
| === Other changes in 1.27 === |
| * Added dependency injection (DI) infrastructure, see docs/injection.txt for details. |
| It is planned to incrementally move MediaWiki code towards using DI, using the |
| service locator (SL) pattern as a stepping stone. |
| * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class. |
| * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now |
| ignore the 2nd and 3rd arguments (formerly $id and $commit). |
| * Removed "loaderScripts" option from ResourceLoaderFileModule class. |
| * Removed ORM-like wrapper added in 1.20. |
| * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed |
| (deprecated in 1.26). |
| * WikiPage::doQuickEdit() was removed (deprecated since 1.21). |
| * Removed SiteObject and SiteArray classes (deprecated in 1.21). |
| * MessageBlobStore::getInstance() was removed (deprecated since 1.25). |
| * (T84937) Free external links ("autolinked" urls) will now be terminated |
| by &nbsp; and HTML entity encodings of &nbsp;, <, and >. |
| * (T36948) The default file revert message's timestamp is now in |
| $wgLocaltimezone, instead of UTC. |
| * The default name of the 'suppress' group page has been changed from |
| 'Project:Oversight' to 'Project:Suppress'. |
| * DatabaseBase::resultObject() is now protected (use outside Database classes |
| not necessary since 1.11). |
| * Calling ResourceLoaderFileModule::readStyleFiles() without a |
| ResourceLoaderContext instance is deprecated. |
| * ResourceLoader::getLessCompiler() now takes an optional parameter of |
| additional LESS variables to set for the compiler. |
| * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly |
| instead. |
| * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php |
| were removed. The underlying data is sent to StatsD (see $wgStatsdServer). |
| * Removed msg_resource_links database table and associated code. |
| * Removed msg_resource database table and associated code. |
| * Skin::getNamespaceNotice() was removed. |
| * wfIsConfiguredProxy() was removed (deprecated since 1.24). |
| * wfDebugTimer() was removed (deprecated since 1.25). |
| * wfIsTrustedProxy() was removed (deprecated since 1.24). |
| * wfGetIP() was removed (deprecated since 1.19). |
| * MWHookException was removed. |
| * OutputPage::appendSubtitle() was removed (deprecated since 1.19). |
| * OutputPage::loginToUse() was removed (deprecated since 1.19). |
| * Article::loadContent() was removed (deprecated since 1.19). |
| * User::editToken() was removed (deprecated since 1.19). |
| * Removed --force-normal option of dumpBackup.php, as it no longer served |
| any useful purpose since 1.22. |
| * The functions processOption() and processArgs() on the BackupDumper and |
| TextPassDumper classes have been removed. |
| * The maintenance/backupTextPass.inc file was deleted. You should include |
| maintenance/dumpTextPass.php instead. |
| * WikiPage::getUsedTemplates() was removed (deprecated since 1.19). |
| * wfEmptyMsg() was removed (deprecated since 1.18). |
| * OutputPage::permissionRequired() was removed (deprecated since 1.18). |
| * OutputPage::blockedPage() was removed (deprecated since 1.18). |
| * User::getSkin() was removed (deprecated since 1.18). |
| * OutputPage::includeJQuery() was removed (deprecated since 1.17). |
| * WikiPage::updateRestrictions() was removed (deprecated since 1.19). |
| * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19). |
| * LogPage::logName() was removed (deprecated since 1.19). |
| * LogPage::logHeader() was removed (deprecated since 1.19). |
| * wfCheckLimits() was removed (deprecated since 1.24). |
| * Linker::makeKnownLinkObj() was removed (deprecated since 1.16). |
| * Linker::makeLinkObj() was removed (deprecated since 1.16). |
| * wfMsgForContentNoTrans() was removed (deprecated since 1.18). |
| * ChangesList::usePatrol was removed (deprecated since 1.22). |
| * wfMsgNoTrans() was removed (deprecated since 1.18). |
| * Linker::makeImageLink2 was removed (deprecated since 1.20). |
| * Title::userIsWatching() was removed (deprecated since 1.20). |
| * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT() |
| database function directly instead. |
| * wfMsg() was removed (deprecated since 1.18). |
| * wfMsgForContent() was removed (deprecated since 1.18). |
| * wfMsgReal() was removed (deprecated since 1.18). |
| * wfMsgGetKey() was removed (deprecated since 1.18). |
| * wfMsgHtml() was removed (deprecated since 1.18). |
| * wfMsgWikiHtml() was removed (deprecated since 1.18). |
| * wfMsgExt() was removed (deprecated since 1.18). |
| * Language::armourMath() was removed (deprecated since 1.22). |
| * LanguageConverter::armourMath() was removed (deprecated since 1.22). |
| * FakeConverter::armourMath() was removed (deprecated since 1.22). |
| * The unused jquery.validate ResourceLoader module was removed. |
| * FileRepo::getRootUrl() was removed (deprecated since 1.20). |
| * User::generateToken() was removed (deprecated since 1.20). |
| * WikiPage::getRawText() was removed (deprecated since 1.21). |
| * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25). |
| * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25). |
| * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25). |
| * Gallery images with multiple caption pipes no longer concatenate them all |
| together but instead pick the final one, similar to image syntax. |
| * XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed |
| rather than consume everything until the end of the page. |
| * New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case |
| a user forgot their password or their account was stolen. |
| * wfCheckEntropy() was removed (deprecated in 1.27). |
| * Browser support for Internet Explorer 8 lowered from Grade A to Grade C. |
| * ContentHandler::supportsCategories method added. Default is true. |
| CategoryMembershipChangeJob updates are skipped for content that |
| does not support categories. |
| * wikidiff difference engine is no longer supported; anyone still using it is encouraged |
| to upgrade to wikidiff2, which is actively maintained and has better package availability. |
| * Database logic was removed from WatchedItem and a WatchedItemStore was created: |
| ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated. |
| User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced. |
| ** WatchedItem::fromUserTitle was deprecated in favour of the constructor. |
| ** WatchedItem::resetNotificationTimestamp was deprecated. |
| ** WatchedItem::batchAddWatch was deprecated. |
| ** WatchedItem::addWatch was deprecated. |
| ** WatchedItem::removeWatch was deprecated. |
| ** WatchedItem::isWatched was deprecated. |
| ** WatchedItem::duplicateEntries was deprecated. |
| ** EmailNotification::updateWatchlistTimestamp was deprecated. |
| ** User::getWatchedItem was removed. |
| * Unit tests don't work with external PHPUnit anymore; Composer is now the only supported |
| way. Run `composer install` to install it and other dev dependencies to run unit tests. |
| * wl_id field added to the watchlist table. |
| * Revision::getRawText() was removed (deprecated since 1.21). |
| * WikiPage::replaceSection() was removed (deprecated since 1.21). |
| * Article::replaceSection() was removed (deprecated since 1.21). |
| * Language::getLangObj() was removed (deprecated since 1.24). |
| * Language::getLanguageName() was removed (deprecated since 1.20). |
| * Language::getLanguageNames() was removed (deprecated since 1.20). |
| * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20). |
| * Language::specialPage() was removed (deprecated since 1.24). |
| * MediaWikiTestCase::assertException() was removed (deprecated since 1.22). |
| * OutputPage::getHeadItems() was removed (deprecated since 1.24). |
| * OutputPage::getScript() was removed (deprecated since 1.24). |
| * OutputPage::out() was removed (deprecated since 1.22). |
| * OutputPage::setAllowedModules() was removed (deprecated since 1.24). |
| * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21). |
| * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21). |
| * Title::newFromRedirect() was removed (deprecated since 1.21). |
| * Skin::commonPrintStylesheet() was removed (deprecated since 1.22). |
| * Skin::getCommonStylePath() was removed (deprecated since 1.24). |
| * Skin::newFromKey() was removed (deprecated since 1.24). |
| * Skin::getUsableSkins() was removed (deprecated since 1.23). |
| * LoadBalancer::pickRandom() was removed (deprecated in 1.21). |
| * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since |
| 1.21). |
| * DifferenceEngine::setText() was removed (deprecated in 1.21). |
| * Title::newFromRedirectArray() was removed (deprecated in 1.21). |
| * UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType |
| as the 6th. These must be passed in the options array now. |
| * Title::newFromRedirectRecurse() was removed (deprecated in 1.21). |
| * Skin::accesskey was removed (deprecated since 1.21). |
| * Skin::blockLink was removed (deprecated since 1.21). |
| * Skin::buildRollbackLink was removed (deprecated since 1.21). |
| * Skin::emailLink was removed (deprecated since 1.21). |
| * Skin::formatComment was removed (deprecated since 1.21). |
| * Skin::formatHiddenCategories was removed (deprecated since 1.21). |
| * Skin::formatLinksInComment was removed (deprecated since 1.21). |
| * Skin::formatRevisionSize was removed (deprecated since 1.21). |
| * Skin::formatSize was removed (deprecated since 1.21). |
| * Skin::formatTemplates was removed (deprecated since 1.21). |
| * Skin::generateTOC was removed (deprecated since 1.21). |
| * Skin::getInternalLinkAttributes was removed (deprecated since 1.21). |
| * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21). |
| * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21). |
| * Skin::getInvalidTitleDescription was removed (deprecated since 1.21). |
| * Skin::getLinkColour was removed (deprecated since 1.21). |
| * Skin::getRevDeleteLink was removed (deprecated since 1.21). |
| * Skin::getRollbackEditCount was removed (deprecated since 1.21). |
| * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21). |
| * Skin::makeCommentLink was removed (deprecated since 1.21). |
| * Skin::makeExternalImage was removed (deprecated since 1.21). |
| * Skin::makeExternalLink was removed (deprecated since 1.21). |
| * Skin::makeHeadline was removed (deprecated since 1.21). |
| * Skin::makeImageLink was removed (deprecated since 1.21). |
| * Skin::makeMediaLinkFile was removed (deprecated since 1.21). |
| * Skin::makeMediaLinkObj was removed (deprecated since 1.21). |
| * Skin::makeSelfLinkObj was removed (deprecated since 1.21). |
| * Skin::makeThumbLink2 was removed (deprecated since 1.21). |
| * Skin::makeThumbLinkObj was removed (deprecated since 1.21). |
| * Skin::normaliseSpecialPage was removed (deprecated since 1.21). |
| * Skin::normalizeSubpageLink was removed (deprecated since 1.21). |
| * Skin::processResponsiveImages was removed (deprecated since 1.21). |
| * Skin::revComment was removed (deprecated since 1.21). |
| * Skin::revDeleteLink was removed (deprecated since 1.21). |
| * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21). |
| * Skin::revUserLink was removed (deprecated since 1.21). |
| * Skin::revUserTools was removed (deprecated since 1.21). |
| * Skin::specialLink was removed (deprecated since 1.21). |
| * Skin::splitTrail was removed (deprecated since 1.21). |
| * Skin::titleAttrib was removed (deprecated since 1.21). |
| * Skin::tocIndent was removed (deprecated since 1.21). |
| * Skin::tocLine was removed (deprecated since 1.21). |
| * Skin::tocLineEnd was removed (deprecated since 1.21). |
| * Skin::tocList was removed (deprecated since 1.21). |
| * Skin::tocUnindent was removed (deprecated since 1.21). |
| * Skin::tooltip was removed (deprecated since 1.21). |
| * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21). |
| * Skin::userTalkLink was removed (deprecated since 1.21). |
| * Skin::userToolLinksRedContribs was removed (deprecated since 1.21). |
| * wikidiff3 is now the default and only PHP diff engine. It provides improved diff |
| performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore |
| makes no difference now. Users are still recommended to use wikidiff2 if possible, |
| though. |
| * User::addNewUserLogEntry() was deprecated. |
| * User::addNewUserLogEntryAutoCreate() was deprecated. |
| * User::isPasswordReminderThrottled() was deprecated. |
| * Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck) |
| were removed. |
| * Installer can now be customized without patching MediaWiki code, see |
| mw-config/overrides/README for details. |
| |
| == Compatibility == |
| |
| MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for |
| HHVM 3.6.5 or later. |
| |
| MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but |
| support for them is somewhat less mature. There is experimental support for |
| Oracle and Microsoft SQL Server. |
| |
| The supported versions are: |
| |
| * MySQL 5.0.3 or later |
| * PostgreSQL 8.3 or later |
| * SQLite 3.3.7 or later |
| * Oracle 9.0.1 or later |
| * Microsoft SQL Server 2005 (9.00.1399) |
| |
| == Upgrading == |
| |
| 1.27 has several database changes since 1.26, and will not work without schema |
| updates. Note that due to changes to some very large tables like the revision |
| table, the schema update may take quite long (minutes on a medium sized site, |
| many hours on a large site). |
| |
| If upgrading from before 1.11, and you are using a wiki as a commons |
| repository, make sure that it is updated as well. Otherwise, errors may arise |
| due to database schema changes. |
| |
| If upgrading from before 1.7, you may want to run refreshLinks.php to ensure |
| new database fields are filled with data. |
| |
| If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to |
| 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed |
| with MediaWiki 1.21. |
| |
| Don't forget to always back up your database before upgrading! |
| |
| See the file UPGRADE for more detailed upgrade instructions. |
| |
| For notes on 1.26.x and older releases, see HISTORY. |
| |
| == Online documentation == |
| |
| Documentation for both end-users and site administrators is available on |
| MediaWiki.org, and is covered under the GNU Free Documentation License (except |
| for pages that explicitly state that their contents are in the public domain): |
| |
| https://www.mediawiki.org/wiki/Documentation |
| |
| == Mailing list == |
| |
| A mailing list is available for MediaWiki user support and discussion: |
| |
| https://lists.wikimedia.org/mailman/listinfo/mediawiki-l |
| |
| A low-traffic announcements-only list is also available: |
| |
| https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce |
| |
| It's highly recommended that you sign up for one of these lists if you're |
| going to run a public MediaWiki, so you can be notified of security fixes. |
| |
| == IRC help == |
| |
| There's usually someone online in #mediawiki on irc.freenode.net. |