-
Notifications
You must be signed in to change notification settings - Fork 0
/
HISTORY
14259 lines (13284 loc) · 767 KB
/
HISTORY
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Change notes from older releases. For current info see RELEASE-NOTES-1.27.
= MediaWiki 1.26 =
== MediaWiki 1.26.2 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.1 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
== MediaWiki 1.26.1 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.0 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
* Fixed stray literal \n in Special:Search.
* Fix issue that breaks HHVM Repo Authorative mode.
* (T120267) Work around APCu memory corruption bug
== MediaWiki 1.26.0 ==
=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes['email'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
use the 'rawcontinue' parameter to receive raw query-continue data, but the
new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The "Signature" button on the edit toolbar is now hidden by default
in non-talk namespaces. A new configuration variable,
$wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
the "Signature" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
This experimental feature was never enabled by default and is obsolete as of
MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.
* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
in extension.json) have been removed, after being deprecated in 1.24.
* $wgAlwaysUseTidy has been removed.
* ResetSessionID hook has been removed. Nothing seems to use it.
* Certain AuthPlugin methods are deprecated in favor of new hooks:
** AuthPlugin::initUser() is replaced by LocalUserCreated.
** AuthPlugin::updateUser() is replaced by UserLoggedIn.
** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
** AuthPluginUser::isHidden() is replaced by UserIsHidden.
** AuthPluginUser::isLocked() is replaced by UserIsLocked.
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows
blocked users to edit their talk pages unless explicitly disabled
when they are being blocked.
=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
"tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
search results are rendered. The initial use case is to append a "give us
feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to
reject an otherwise-successful parser cache lookup. The intent is to allow
extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
($wgExtendedLoginCookieExpiration) can be configured independently of the
expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
of WebP images still disabled by default. Add $wgFileExtensions[] =
'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' &
'EnhancedChangesListModifyBlockLineData', to modify the data used to build
lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
This corresponds to a new $wgMainWANCache setting, which defaults to using
the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used
by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
page. During the deprecation period, the styles will only be loaded on pages
which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
only be loaded if explicitly required.
* If search returns zero results and current search engine has a "did you mean"
suggestion, results for suggestion will be shown. Can be disabled by setting
$wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki
from the client-side. See documentation for mw.Upload and its
subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See
documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
subclasses for more information.
=== extension.json changes in 1.26 ===
* (T99344) The extension.json schema is now versioned. All extensions
and skins should set a "manifest_version" property corresponding to
the schema version they were written for. The only supported version
currently is "1".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged,
which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings
can now set a "_prefix" key to override the default of "wg".
* (T99084) Extensions can now specify what MediaWiki core versions they
depend upon.
* (T105236) The extension.json schema now validates custom classes in
the "ResourceModules" property properly.
=== External library changes in 1.26 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.
==== New external libraries ====
* Added composer/semver v1.0.0.
* Added mediawiki/at-ease v1.1.0.
* Added wikimedia/assert v0.2.2.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.
==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a "rel=discussion" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
value if set to an empty string.
=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may
use the 'rawcontinue' parameter to receive raw query-continue data, but the
new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the
tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters
to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than
revision ID. This usually won't make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of
sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random's rnredirect parameter is deprecated in favor of a new
rnfilterredir parameter that also allows for listing both redirects and
non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers,
and will honor corresponding If-None-Match and If-Modified-Since on such
requests.
=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
into the value when the value is an assoc.
* API action modules may now provide values for the RFC 7232 ETag and
Last-Modified headers. The API will check these against If-None-Match and
If-Modified-Since request headers on GET requests and avoid executing the
module when appropriate.
=== Languages updated in 1.26 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Languages added:
** ase (American sign language), thanks to translator Icemandeaf
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
मेश सिंह बोहरा, and राम प्रसाद जोशी
** luz (لئری دوٙمینی / Southern Luri)
** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
Ilja.mos, and Mashoi7
=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message
for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
ContentHandler, to provide a way for ApiEditPage and EditPage to check
if direct editing of content is allowed. These methods return false,
by default for the ContentHandler base class and true for TextContentHandler
and it's derivative classes (everything in core). For Content types that
do not support direct editing, an alternative mechanism should be provided
for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
one function. The callback can't be called directly any more. The callback
function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
ResourceLoaderModule::getDependencies(). Extension classes that override that
method should be updated. If they aren't updated, PHP Strict standards
warnings will appear when E_STRICT error reporting is enabled. Note: in the
near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
items that were stripped during parsing. It will use a fixed string instead.
This causes the parser to re-use the regular expressions it uses to search
and replace markers rather than generate novel expressions on each parse.
Re-using regular expressions will improve performance on HHVM and the
forthcoming PHP 7. The interfaces changes accompanying this change are:
- Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
- The $uniq_prefix argument for Parser::extractTagsAndParams() and the
$prefix argument for StripState::_construct() are deprecated and their
value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
mediawiki/at-ease, and are now deprecated. Callers should use
MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
instead of many optional positional arguments. Calling the constructor the old
way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
are deprecated. Applications using those can work via the OAuth
extension instead. New tokens types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.
= MediaWiki 1.25 =
== MediaWiki 1.25.5 ==
This is a maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.4 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
== MediaWiki 1.25.4 ==
This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.3 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
* (T103237) $wgUseGzip had no effect when using file cache.
* (T114606) mw.notify was not correctly fixed to the page if
initialized while not at the top of the page.
* Fix issue that breaks HHVM Repo Authorative mode.
== MediaWiki 1.25.3 ==
This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.2 ===
* (T98975) Fix having multiple callbacks for a single hook.
* (T107632) maintenance/refreshLinks.php did not always remove all links
pointing to nonexistent pages.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
value if set to an empty string.
* (T62174) Provide fallbacks for use of mb_convert_encoding() in
HtmlFormatter. It was causing an error when accessing the api help page
if the mbstring PHP extension was not installed.
* (T105896) Confirmation emails would sometimes contain invalid codes.
* (T105597) Fixed edit stash inclusion queries.
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
first
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
== MediaWiki 1.25.2 ==
This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Changes since 1.25.1 ===
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
$wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
a "manifest_version" property for 1.26 compatability will no longer
trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
named variable. Add an additional check that an index is defined.
== MediaWiki 1.25.1 ==
This is a bug fix release of the MediaWiki 1.25 branch.
=== Changes since 1.25 ===
* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
== MediaWiki 1.25.0 ==
=== Configuration changes in 1.25 ===
* $wgPageShowWatchingUsers was removed.
* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
* $wgAntiLockFlags was removed.
* $wgJavaScriptTestConfig was removed.
* Edit tokens returned from User::getEditToken may change on every call. Token
validity must be checked by passing the user-supplied token to
User::matchEditToken rather than by testing for equality with a
newly-generated token.
* (T74951) The UserGetLanguageObject hook may be passed any IContextSource
for its $context parameter. Formerly it was documented as receiving a
RequestContext specifically.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
See StartProfiler.sample for details.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
longer be used. If extracts and page images are desired, the TextExtracts and
PageImages extensions are required.
* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
* Edits are now prepared via AJAX as users type edit summaries. This behavior
can be disabled via $wgAjaxEditStash.
* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
with the jQuery Migrate library, as indicated when this option was provided in
MediaWiki 1.24.
* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
StartProfiler.php config is updated to reflect this. Xhprof is available
for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
rather than 'rsvg'.
* Default value of $wgSVGConverters['ImageMagick'] now uses transparent
background with white fallback color, rather than just white background.
* MediaWikiBagOStuff class removed, make sure any object cache config
uses SqlBagOStuff instead.
* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
job queues. This means that mediawiki/services/jobrunner service has to
be installed and running for any such queues to work.
* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
compatibility, any 'view' event triggers will still trigger on 'edit'.
* $wgExtensionDirectory was added for when your extensions directory is somewhere
other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
=== New features in 1.25 ===
* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
for plural forms in Russian, Prussian, Tagalog, Manx and several languages
that fall back to Russian.
* (T60139) ResourceLoaderFileModule now supports language fallback
for 'languageScripts'.
* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
parser output for a content object before links update.
* (T37785) Enhanced recent changes and extended watchlist are now default.
Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions.
* (T69341) SVG images will no longer be base64-encoded when being embedded
in CSS. This results in slight size increase before gzip compression (due to
percent-encoding), but up to 20% decrease after it.
* Update jStorage to v0.4.12.
* MediaWiki now natively supports page status indicators: icons (or short text
snippets) usually displayed in the top-right corner of the page. They have
been in use on Wikipedia for a long time, implemented using templates and CSS
absolute positioning.
- Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
- Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
- Adjusting custom skins to support indicators:
https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
* Edit tokens may now be time-limited: passing a maximum age to
User::matchEditToken will reject any older tokens.
* The debug logging internals have been overhauled, and are now using the
PSR-3 interfaces.
* Update CSSJanus to v1.1.1.
* Update lessphp to v0.5.0.
* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
and images for ApiOpenSearch output. The semantics are identical to the
"OpenSearchXml" hook provided by the OpenSearchXml extension.
* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
this allows for pagination of prefix results. Extensions using this hook
should implement supporting behavior. Not doing so can result in undefined
behavior from API clients trying to continue through prefix results.
* Update jQuery from v1.11.1 to v1.11.3.
* External libraries installed via composer will now be displayed
on Special:Version in their own section. Extensions or skins that are
installed via composer will not be shown in this section as it is assumed
they will add the proper credits to the skins or extensions section. They
can also be accessed through the API via the new siprop=libraries to
ApiQuerySiteInfo.
* Update QUnit from v1.14.0 to v1.16.0.
* Update Moment.js from v2.8.3 to v2.8.4.
* Special:Tags now allows for manipulating the list of user-modifiable change
tags.
* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
tags.
* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
"active" formerly conflated by the 'ListDefinedTags' hook.
* Added TemplateParser class that provides a server-side interface to cachable
dynamically-compiled Mustache templates (currently uses lightncandy library).
* Clickable anchors for each section heading in the content are now generated
and appear in the gutter on hovering over the heading.
* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
to allow extensions to override how links to pages are rendered within NS_CATEGORY
* (T19665) Special:WantedPages only lists page which having at least one red link
pointing to it.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
links of a group of changes in EnhancedChangesList.
* A full interface for StatsD metric reporting has been added to the context
interface, reachable via IContextSource::getStats().
* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
proper, published library, which is now tagged as v1.0.0.
* A new message (defaulting to blank), 'editnotice-notext', can be shown to users
when they are editing if no edit notices apply to the page being edited.
* (T94536) You can now make the sitenotice appear to logged-in users only by
editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
"-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
* Modifying the tagging of a revision or log entry is now available via
Special:EditTags, generally accessed via the revision-deletion-like interface
on history pages and Special:Log is likely to be more useful.
* Added 'applychangetags' and 'changetags' user rights.
* (T35235) LogFormatter subclasses are now responsible for formatting the
parameters for API log event output. Extensions should implement the new
getParametersForApi() method in their log formatters.
==== External libraries ====
* MediaWiki now requires certain external libraries to be installed. In the past
these were bundled inside the Git repository of MediaWiki core, but now they
need to be installed separately. For users using the tarball, this will be taken
care of and no action will be required. Users using Git will either need to use
composer to fetch dependencies or use the mediawiki/vendor repository which includes
all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
instructions can be found at:
https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
* The following libraries are now required:
** psr/log
This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
which are used by MediaWiki internally via the
MediaWiki\Logger\LoggerFactory class.
See the structured logging RfC (https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging)
for more background information.
** cssjanus/cssjanus
This library was formerly bundled with MediaWiki core and has been removed.
It automatically flips CSS for RTL support.
** leafo/lessphp
This library was formerly bundled with MediaWiki core and has been removed.
It compiles LESS files into CSS.
** wikimedia/cdb
This library was formerly a part of MediaWiki core, and has been moved into a separate library.
It provides CDB functions which are used in the Interwiki and Localization caches.
More information about the library can be found at https://www.mediawiki.org/wiki/CDB.
** liuggio/statsd-php-client
This library provides a StatsD client API for logging application metrics to a remote server.
=== Bug fixes in 1.25 ===
* (T73003) No additional code will be generated to try to load CSS-embedded
SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
* (T69021) On Special:BookSources, corrected validation of ISBNs (both
10- and 13-digit forms) containing "X".
* Page moving was refactored into a MovePage class. As part of that:
** The AbortMove hook was removed.
** MovePageIsValidMove is for extensions to specify whether a page
cannot be moved for technical reasons, and should not be overridden.
** MovePageCheckPermissions is for checking whether the given user is
allowed to make the move.
** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
** Title::moveTo() was deprecated. Use the MovePage class instead.
** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
and MovePage::checkPermissions().
* (T18530) Multiple autocomments are now formatted in an edit summary.
* (T70361) Autocomments containing "/*" are parsed correctly.
* The Special:WhatLinksHere page linked from 'Number of redirects to this page'
on action=info about a file page does not list file links anymore.
* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
* (T85192) Captcha position modified in Usercreate template. As a result:
** extrafields parameter added to Usercreate.php to insert additional data
** 'extend' method added to QuickTemplate to append additional values to any field of data array
* (T86974) Several Title methods now load from the database when necessary
(instead of returning incorrect results) even when the page ID is known.
* (T74070) Duplicate search for archived files on file upload now omits the extension.
This requires the fa_sha1 field being populated.
* Removed rel="archives" from the "View history" link, as it did not pass
HTML validation.
* $wgUseTidy is now set when parserTests are run with the tidy option to match
output on wiki.
* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
=== Action API changes in 1.25 ===
* (T67403) XML tag highlighting is now only performed for formats
"xmlfm" and "wddxfm".
* action=paraminfo supports generalized submodules (modules=query+value),
querymodules and formatmodules are deprecated
* action=paraminfo no longer outputs descriptions and other help text by
default. If needed, it may be requested using the new 'helpformat' parameter.
* action=help has been completely rewritten, and outputs help in HTML
rather than plain text.
* Hitting api.php without specifying an action now displays only the help for
the main module, with links to submodule help.
* API help is no longer displayed on errors.
* 'uselang' is now a recognized API parameter; "uselang=user" may be used to
explicitly select the language from the current user's preferences, and
"uselang=content" may be used to select the wiki's content language.
* Default output format for the API is now jsonfm.
* Simplified continuation will return a "batchcomplete" property in the result
when a batch of pages is complete.
* Pretty-printed HTML output now has nicer formatting and (if available)
better syntax highlighting.
* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
list=alldeletedrevisions.
* prop=revisions will gracefully continue when given too many revids or titles,
rather than just ignoring the extras.
* prop=revisions will no longer die if rvcontentformat doesn't match a
revision's content model; it will instead warn and omit the content.
* If the user has the 'deletedhistory' right, action=query's revids parameter
will now recognize deleted revids.
* prop=revisions may be used as a generator, generating revids.
* (T68776) format=json results will no longer be corrupted when
$wgMangleFlashPolicy is in effect. format=php results will cleanly return an
error instead of returning invalid serialized data.
* Generators may now return data for the generated pages when used with
action=query.
* Query page data for generator=search and generator=prefixsearch will now
include an "index" field, which may be used by the client for sorting the
search results.
* ApiOpenSearch now supports XML output.
* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
in JSON format.
* (T76051) list=tags will now continue correctly.
* (T76052) list=tags can now indicate whether a tag is defined.
* (T75522) list=prefixsearch now supports continuation
* (T78737) action=expandtemplates can now return page properties.
* (T78690) list=allimages now accepts multiple pipe-separated values
for the 'aimime' parameter.
* prop=info with inprop=protections will now return applicable protection types
with the 'restrictiontypes' key.
* (T85417) When resolving redirects, ApiPageSet will now add the targets of
interwiki redirects to the list of interwiki titles.
* (T85417) When outputting the list of redirect titles, a 'tointerwiki'
property (like the existing 'tofragment' property) will be set.
* Added action=managetags to allow for managing the list of
user-modifiable change tags. Actually modifying the tagging of a revision or
log entry is not implemented yet.
* list=tags has additional properties to indicate 'active' status and tag
sources.
* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
* (T88010) Added action=checktoken, to test a CSRF token's validity.
* (T88010) Added intestactions to prop=info, to allow querying of
Title::userCan() via the API.
* Default type param for query list=watchlist and list=recentchanges has
been changed from all types (e.g. including 'external') to 'edit|new|log'.
* Added formatversion to format=json. Still "experimental" as further changes
to the output formatting might still be made.
* (T73020) Log event details are now always under a 'params' subkey for
list=logevents, and a 'logparams' subkey for list=watchlist and
list=recentchanges.
* Log event details are changing formatting:
* block events now report flags as an array rather than as a comma-separated
list.
* patrol events now report the 'auto' flag as a boolean (absent/empty string
for BC formats) rather than as an integer.
* rights events now report the old and new group lists as arrays rather than
as comma-separated lists.
* merge events use new-style formatting.
* delete/event and delete/revision events use new-style formatting.
* The root node and various other nodes will now always be an object in formats
such as json that distinguish between arrays and objects.
* Except for action=opensearch where the spec requires an array.
=== Action API internal changes in 1.25 ===
* ApiHelp has been rewritten to support i18n and paginated HTML output.
Most existing modules should continue working without changes, but should do
the following:
* Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
* Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
to replace getParamDescription(). If necessary, the settings array returned
by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
message.
* Implement getExamplesMessages() to replace getExamples().
* Modules with submodules (like action=query) must have their submodules
override ApiBase::getParent() to return the correct parent object.
* The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
and will have no effect for modules using i18n messages. Use
'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
* Api formatters will no longer be asked to display the help screen on errors.
* ApiMain::getCredits() was removed. The credits are available in the
'api-credits' i18n message.
* ApiFormatBase has been changed to support i18n and syntax highlighting via
extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
has been removed.
* ApiFormatBase now always buffers. Output is done when
ApiFormatBase::closePrinter is called.
* Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
* The 'revids' parameter supplied by ApiPageSet will now count deleted
revisions as "good" if the user has the 'deletedhistory' right. New methods
ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
provided to access just the live or just the deleted revids.
* Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
to allow generators to include data in the action=query result.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
the current request was sent with the 'callback' parameter (or any future
method that breaks the same-origin policy).
* Profiling methods in ApiBase are deprecated and no longer need to be called.
* ApiResult was greatly overhauled. See inline documentation for details.
* ApiResult will automatically convert objects to strings or arrays (depending
on whether a __toString() method exists on the object), and will refuse to
add unsupported value types.
* An informal interface, ApiSerializable, exists to override the default
object conversion.
* ApiResult/ApiFormatBase "raw mode" is deprecated.
* ApiFormatXml now assumes defaults and so on instead of throwing errors when
metadata isn't set.
* (T35235) LogFormatter subclasses are now responsible for formatting log event
parameters for the API.
* Many modules have changed result data formats. While this shouldn't affect
clients not using the experimental formatversion=2, code using
ApiResult::getResultData() without the transformations for backwards
compatibility may need updating, as will code that wasn't following the old
conventions for API boolean output.
* The following methods have been deprecated and may be removed in a future
release:
* ApiBase::getDescription
* ApiBase::getParamDescription
* ApiBase::getExamples
* ApiBase::makeHelpMsg
* ApiBase::makeHelpArrayToString
* ApiBase::makeHelpMsgParameters
* ApiBase::getModuleProfileName
* ApiBase::profileIn
* ApiBase::profileOut
* ApiBase::safeProfileOut
* ApiBase::getProfileTime
* ApiBase::profileDBIn
* ApiBase::profileDBOut
* ApiBase::getProfileDBTime
* ApiBase::getResultData
* ApiFormatBase::setUnescapeAmps
* ApiFormatBase::getWantsHelp
* ApiFormatBase::setHelp
* ApiFormatBase::formatHTML
* ApiFormatBase::setBufferResult
* ApiFormatBase::getDescription
* ApiFormatBase::getNeedsRawData
* ApiMain::setHelp
* ApiMain::reallyMakeHelpMsg
* ApiMain::makeHelpMsgHeader
* ApiResult::setRawMode
* ApiResult::getIsRawMode
* ApiResult::getData
* ApiResult::setElement
* ApiResult::setContent
* ApiResult::setIndexedTagName_recursive
* ApiResult::setIndexedTagName_internal
* ApiResult::setParsedLimit
* ApiResult::beginContinuation
* ApiResult::setContinueParam
* ApiResult::setGeneratorContinueParam
* ApiResult::endContinuation
* ApiResult::size
* ApiResult::convertStatusToArray
* ApiQueryImageInfo::getPropertyDescriptions
* ApiQueryLogEvents::addLogParams
* The following classes have been deprecated and may be removed in a future
release:
* ApiQueryDeletedrevs
=== Languages updated in 1.25 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
* Languages added:
** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
** ses (Koyraboro Senni), thanks to translator Songhay.
* (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
interface language to kk where unexpected.
* The Chinese conversion table was substantially updated to fix a lot of
bugs and ensure better reading experience for different variants.
=== Other changes in 1.25 ===
* (T45591) Links to MediaWiki.org translatable help were added to indicators,
mostly in special pages. Local custom target titles can be placed in the
relevant '(namespace-X|action name|special page name)-helppage' system
message. Extensions can use the addHelpLink() function to do the same.
* The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
migration guide for creators and users of custom skins that relied on it.
* Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
available on Special:Upload.
* (T58257) Set site logo from mediawiki.skinning.interface module instead of
inline styles in the HTML.
* Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
* Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
* Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
* Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
* Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
* Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
since 1.20)
* Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
since 1.20)
* Removed 'jquery.json' module. (deprecated since 1.24)
Use the 'json' module and global JSON object instead.
* Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
Also, the former will now throw an MWException if called with one or more
arguments.
* Removed hitcounters and associated code.
* The "temp" zone of the upload respository is now considered private. If it
already exists (such as under the images/ directory), please make sure that
the directory is not web readable (e.g. via a .htaccess file).
* BREAKING CHANGE: In the XML dump format used by Special:Export and
dumpBackup.php, the <model> and <format> tags now apprear before the <text>
tag, instead of after the <text> and <sha1> tags.
The new schema version is 0.10, the new schema URI is:
https://www.mediawiki.org/xml/export-0.10.xsd
* MWFunction::call() and MWFunction::callArray() were removed, having being
deprecated in 1.22.
* Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
and getInternalLinkAttributes methods in Linker, and removed
getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
* Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
* Added wgRelevantArticleId to the client-side config, for use on special pages.
* Deprecated the TitleIsCssOrJsPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Deprecated the TitleIsWikitextPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Changed parsing of variables in schema (.sql) files:
** The substituted values are no longer parsed. (Formerly, several passes
were made for each variable, so depending on the order in which variables
were defined, variables might have been found inside encoded values. This
is no longer the case.)
** Variables are no longer string encoded when the /*$var*/ syntax is used.
If string encoding is necessary, use the '{$var}' syntax instead.
** Variable names must only consist of one or more of the characters
"A-Za-z0-9_".
** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
does not exist yet variable B does, the latter may not be replaced.
However, this difference is unlikely to arise in practice.
* (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
characters on both sides.
* The FormatAutocomments hook will now receive $pre and $post as booleans,
rather than as strings that must be prepended or appended to $comment.
* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
newlines; but they can contain and other non-newline whitespace.
* The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
relied on this behavior, update your scripts' dependencies.
* HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
* HTMLForm::isVForm() is now deprecated.
* You can no longer do this:
$form = new HTMLForm( … );
$form->setDisplayFormat( 'vform' ); // throws exception
Instead, do this:
$form = HTMLForm::factory( 'vform', … );
* Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
* BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
* (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
renders them incorrectly when combined with border-radius or background-size.
* Removed maintenance script dumpSisterSites.php.
* DatabaseBase class constructors must be called using the array argument style.
Ideally, DatabaseBase:factory() should be used instead in most cases.
* Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
since they interfere with caching of ParserOutput objects.
* Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
* Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
updates when a page is re-rendered.
* EditPage::attemptSave has been modified not to call handleStatus itself and
instead just returns the Status object. Extension calling it should be aware of
this.
* Removed class DBObject. (unused since 1.10)
* wfDiff() is deprecated.
* The -m (maximum replication lag) option of refreshLinks.php was removed.
It had no effect since MediaWiki 1.18 and should be removed from any cron
jobs or similar scripts you may have set up.
* (T85864) The following messages no longer support raw html: redirectto,
thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
protect-summary-cascade
* All BloomCache related code has been removed. This was largely experimental.
* $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
can only be set for the entire skin.
* Removed global function swap(). (deprecated since 1.24)
* Deprecated the ".php5" file extension entry points and the $wgScriptExtension
configuration variable. Refer to the ".php" files instead. If you want
".php5" URLs to continue to work, set up redirects. In Apache, this can be
done by enabling mod_rewrite and adding the following rules to your
configuration:
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.php5 $1.php [R=301,L]
* The global importScriptURI and importStylesheetURI functions, as well as the
loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
warnings through mw.log.warn when accessed.
= MediaWiki 1.24 =
== MediaWiki 1.24.6 ==
This is a maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.5 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
== MediaWiki 1.24.5 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.24.4 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
* (T103237) $wgUseGzip had no effect when using file cache.
== MediaWiki 1.24.4 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.3 ===
* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
* (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
update.php to fix.
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
first
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
== MediaWiki 1.24.3 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.2 ===
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* Update jQuery from v1.11.2 to v1.11.3.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
== MediaWiki 1.24.2 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.1 ===
* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
to prevent various DoS attacks.
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
likelihood of DoS.
* (T88310) SECURITY: Always expand xml entities when checking SVG's.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
using PBKDF2.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
prevent XSS and protect viewer's privacy.
* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
loading these special pages when $wgAutoloadAttemptLowercase is false.
* (bug T70087) Fix Special:ActiveUsers page for installations using
PostgreSQL.
* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
and running update.php to fix.
== MediaWiki 1.24.1 ==
This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Changes since 1.24.0 ===
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
could lead to xss. Permission to edit MediaWiki namespace is required to
exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
== MediaWiki 1.24.0 ==
=== Configuration changes in 1.24 ===
* MediaWiki will no longer run if register_globals is enabled. It has been
deprecated for 5 years now, and was removed in PHP 5.4. For more information
about why, see <https://www.mediawiki.org/wiki/register_globals>.
* MediaWiki now requires PHP's iconv extension. openSUSE users may need to
install the php5-iconv package. Users of other systems may need to add
extension=iconv.so to php.ini or recompile PHP without --without-iconv.
* MediaWiki will no longer function if magic quotes are enabled. It has
been deprecated for 5 years now, and was removed in PHP 5.4.
* The server's canonical hostname is available as $wgServerName, which is
exposed in both mw.config and ApiQuerySiteInfo.
* Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
for using the old schema of the page_props table, in case the respective
schema update was not applied.
* $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything'
user option was removed. Use $wgNamespacesToBeSearchedDefault instead or
if you used to have $wgDefaultUserOptions['searcheverything'] = 1.
* $wgMasterWaitTimeout has been deprecated.
* $wgDBClusterTimeout has been removed.
* $wgProxyKey has been removed. It is no longer used by MediaWiki core.
Ensure $wgSecretKey is set in LocalSettings.php.
* $wgExtraInterlanguageLinkPrefixes is a new configuration variable that
contains an array of interwiki prefixes that should be treated as language
prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set
to true).
* $wgParserTestRemote has been removed.