Change notes from older releases. For current info see RELEASE-NOTES-1.28. = MediaWiki 1.27 = == MediaWiki 1.27.0 == === PHP version requirement in 1.27 === As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility section). Additionally, the following PHP extensions are required: * ctype * iconv * json * mbstring (new requirement in 1.27) * xml The following PHP extensions are strongly recommended: * openssl === Configuration changes in 1.27 === * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed, now always enabled. If you use RDFa on your wiki, you now have to explicitly set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'. * $wgUseLinkNamespaceDBFields was removed. * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and $wgResourceLoaderMinifierMaxLineLength, because there was little value in making the behavior configurable. The default values (`false` for the former, 1000 for the latter) are now hard-coded. * $wgDebugDumpSqlLength was removed (deprecated in 1.24). * $wgDebugDBTransactions was removed (deprecated in 1.20). * $wgUseXVO has been removed, as it provides functionality only used by custom Wikimedia patches against Squid 2.x that probably noone uses in production anymore. There is now $wgUseKeyHeader that provides similar functionality but instead of the MediaWiki-specific X-Vary-Options header, uses the draft Key header standard. * $wgScriptExtension (and support for '.php5' entry points) was removed. See the deprecation notice in the release notes for version 1.25 for advice on how to preserve support for '.php5' entry points via URL rewriting. * Password handling via the User object has been deprecated and partially removed, pending the future introduction of AuthManager. In particular: ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and getPasswordExpired() have been removed. They were unused outside of core. ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are now private and will be removed in the future. ** The getPassword() and getTemporaryPassword() methods now throw BadMethodCallException and will be removed in the future. ** The ability to pass 'password' and 'newpassword' to createNew() has been removed. The only users of it seem to have been using it to set invalid passwords, and so shouldn't be greatly affected. ** setPassword(), setInternalPassword(), and setNewpassword() have been deprecated, pending the introduction of AuthManager. ** User::randomPassword() is deprecated in favor of a new method PasswordFactory::generateRandomPasswordString() ** User::getPasswordFactory() is deprecated, callers should just create a PasswordFactory themselves. ** A new constructor, User::newSystemUser(), has been added to simplify the creation of passwordless "system" users for logged actions. * $wgMaxSquidPurgeTitles was removed. * $wgAjaxWatch was removed. This is now enabled by default. * $wgUseInstantCommons now hotlinks Commons images by default instead of downloading originals and thumbnailing them locally. This allows wikis to save on CPU and bandwidth while reducing time to first byte for pages, even without a thumbnail handler. See $wgForeignFileRepos documentation for tweaks. * (T27397) WebP is enabled by default as an uploadable filetype. * (T48998) $wgArticlePath must now be either a full url, or start with a "/". * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead. * Deprecated API formats dbg, txt, and yaml have been removed. * CLDRPluralRule* classes have been replaced with wikimedia/cldr-plural-rule-parser. * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort, $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID, $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20). * For proper operation of LocalIdLookup with shared user tables, ensure that $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki that all others are sharing from and that $wgLocalDatabases is set to the full list of sharing wikis on all those wikis. * Massive overhaul to session handling: ** $wgSessionsInObjectCache is no longer supported and must be true, due to MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer used. ** ObjectCacheSessionHandler is removed, replaced with MediaWiki\Session\PhpSessionHandler. ** PHP session handling in general ($_SESSION, session_id(), and so on) is deprecated. Use MediaWiki\Session\SessionManager instead. A new config variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to issue a deprecation warning or to cause most PHP session handling to throw exceptions. ** Deprecated UserSetCookies hook. Session-handling extensions should generally be creating a custom subclass of CookieSessionProvider. Other extensions messing with cookies can no longer count on user data being saved in cookies versus other methods. ** Deprecated UserLoadFromSession hook, extensions should create a MediaWiki\Session\SessionProvider. ** The User cannot be loaded from session until after Setup.php completes. Attempts to do so will be ignored and the User will remain unloaded. ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses the MediaWiki\Session\Token class. * MediaWiki will now auto-create users as necessary, removing the need for extensions to do so. An 'autocreateaccount' right is added to allow auto-creation when 'createaccount' is not granted to all users. * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated. * Most cookie-handling methods in User are deprecated. * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an experimental feature that has never worked. * Login and createaccount tokens now vary by timestamp. * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() return a MediaWiki\Session\Token, and tokens must be checked using that class's methods. * $wgEnotifUseJobQ was removed and the job queue is always used. * The functionality of the ApiSandbox extension has been merged into core. The extension should no longer be used. * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26). Extensions, skins, gadgets and scripts that use the mediawiki.util module must express a dependency on it. * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false. Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits module should express a dependency on it. * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use $wgFooterIcons['copyright']['copyright'] instead. * If the openssl and mcrypt PHP extensions are both unavailable, secure session storage (used for login) will raise an exception. This exception may be bypassed by setting $wgSessionInsecureSecrets = true. * Massive overhaul to authentication: ** AuthPlugin and AuthPluginUser are deprecated. ** LoginForm and associated templates are deprecated. Extensions which called static LoginForm methods should be converted into authentication providers. ** The following hooks are deprecated: *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead) *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead) *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead) *** AddNewAccount (use LocalUserCreated instead) *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead) *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels) *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead) *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead) *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead) ** The following hooks are removed: *** AbortChangePassword *** LoginPasswordResetMessage *** PrefsPasswordAudit ** The UserLoginComplete hook will no longer be called for all logins, only for those via the web UI. Use UserLoggedIn if you need to do something on all logins. ** $wgRequirePasswordforEmailChange is removed. === New features in 1.27 === * $wgDataCenterUpdateStickTTL was also added. This decides how long a user sticks to the primary DC (via cookies) after they make changes to the site. * Added a new hook, 'UserMailerTransformContent', to transform the contents of an email. This is similar to the EmailUser hook but applies to all mail sent via UserMailer. * Added a new hook, 'UserMailerTransformMessage', to transform the contents of an emai after MIME encoding. * Added a new hook, 'UserMailerSplitTo', to control which users have to be emailed separately (ie. there is a single address in the To: field) so user-specific changes to the email can be applied safely. * $wgCdnMaxageLagged was added, which limits the CDN cache TTL when any load balancer uses a DB that is lagged beyond the 'max lag' setting in the relevant section of $wgLBFactoryConf. * User::newSystemUser() may be used to simplify the creation of passwordless "system" users for logged actions from scripts and extensions. * Extensions can now return detailed error information via the API when preventing user actions using 'getUserPermissionsErrors' and similar hooks by using ApiMessage instances instead of strings for the $result value. * $wgAPIMaxLagThreshold was added to limit bot changes when databases lag becomes too high. * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex) and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create cross-browser-compatible FlexBox rules. Users will still need to add fallback float rules or the like for compatibility with IE9- separately. * Added MWTimestamp::getTimezoneString() which returns the localized timezone string, if available. To localize this string, see the comments of $wgLocaltimezone in includes/DefaultSettings.php. * Added CentralIdLookup, a service that allows extensions needing a concept of "central" users to get that without having to know about specific central authentication extensions. * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions. Regular web request transactions that takes longer than this are aborted. * Added a new hook, 'TitleMoveCompleting', which runs before a page move is committed. * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs from CDN to mitigate DB replication lag and WAN cache purge lag. * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type if it is available. * It is now possible to patrol file uploads (both for new files and new versions of existing files). Special:NewFiles has gained an option to filter by patrol status. This functionality can be disabled using $wgUseFilePatrol. * MediaWiki\Session infrastructure allows for easier use of session mechanisms other than the usual cookies. ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking custom session metadata. * Added MWGrants and associated configuration settings $wgGrantPermissions and $wgGrantPermissionGroups to hold configuration for authentication features such as OAuth that want to allow restricting the user rights a user may make use of. ** If you're already using the OAuth extension, these new variables are identical to (and will replace) $wgMWOAuthGrantPermissions and $wgMWOAuthGrantPermissionGroups. * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g. to assert that the request comes from a particular IP range. * Added bot passwords, a rights-restricted login mechanism for API-using bots. * Whitelisted the following HTML attributes for all elements in wikitext: aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns. * Removed "presentation" restriction on the HTML role attribute in wikitext. All values are now allowed for the role attribute. * $wgContentHandlers now also supports callbacks to create an instance of the appropriate ContentHandler subclass. * Added $wgAuthenticationTokenVersion, which if non-null prevents the user_token database field from being exposed in cookies. Setting this would be a good idea, but will log out all current sessions. * $wgEventRelayerConfig was added, for managing PubSub event relay configuration, specifically for reliable CDN url purges. * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly- generated 24-character string. This request ID is used to annotate log records and error messages. It is available client-side via mw.config.get( 'wgRequestId' ). The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId() is deprecated. * (T33313) Add a preference for watching uploads by default, also applies to API-based upload tools. * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth savings versus the previous behavior on many files. * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible configuration of multiple authentication pieces that was possible with AuthPlugin. For example, it's now easy to plug in second-factor authentication, or add additional checks to the login process, or to support multiple login methods at once, or to support non-password-based login methods. ** Providers are configured via the global setting $wgAuthManagerConfig. ** A global, $wgDisableAuthManager, is temporarily available to disable AuthManager until extensions are ready to support it. ** New hook, AuthChangeFormFields, to adjust the form fields on AuthManager-related special pages. ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of AuthManager-related authentication requests. ** New hook, ChangeAuthenticationDataAudit, for additional logging of AuthManager-related authentication data changes. ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism for requiring a recent login before taking security-sensitive operations like changing a password. ** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist can be used to prevent the web UI and the API changing certain authentication data. * The file upload dialog (available if you install WikiEditor or VisualEditor) can now be configured using $wgUploadDialog. === External library changes in 1.27 === ==== Upgraded external libraries ==== * Updated oojs/oojs-ui from v0.12.12 to v0.13.3. * Updated composer/semver from v1.0.0 to v1.2.0. * Updated liuggio/statsd-php-client to 1.0.18. * Updated QUnit from v1.18.0 to v1.22.0. ==== New external libraries ==== * Added wikimedia/base-convert v1.0.1. * Added wikimedia/cldr-plural-rule-parser v1.0.0. * Added wikimedia/relpath v1.0.3. * Added wikimedia/running-stat v1.1.0. * Added wikimedia/php-session-serializer v1.0.3. ==== Removed and replaced external libraries ==== === Bug fixes in 1.27 === * Special:Upload will now display correct maximum allowed file size when running under HHVM (T116347). * (T54077) The APIEditBeforeSave hook will once again give only the content of the section being edited, rather than the whole revision. This reverts the change made in MediaWiki 1.22. === Action API changes in 1.27 === * Added list=allrevisions. * generator=recentchanges now has the option to generate revids. * ApiPageSet::setRedirectMergePolicy() was added. This allows generator modules to define how generator data for a redirect source gets merged into the redirect destination. * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of "was-deleted" warning. * Added difftotextpst to query=revisions which preforms a pre-save transform on the text before diffing it. * Deprecated formats dbg, txt, and yaml have been removed. * (T47988) The protect log event details now use new-style formatting. * The following response properties from action=login are deprecated, and may be removed in the future: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state. * action=login transparently allows login using bot passwords. Clients should merely need to change the username and password used after setting up a bot password. * action=upload no longer understands statuskey, asyncdownload or leavemessage. * Several changes when $wgDisableAuthManager is false: ** action=login is deprecated for uses other than bot passwords. ** list=users can now indicate if a missing username is creatable. ** action=createaccount is changed in a non-backwards-compatible manner. ** Added action=query&meta=authmanagerinfo. ** Added action=clientlogin to be used to log into the main account instead of action=login. ** Added action=linkaccount. ** Added action=unlinkaccount. ** Added action=changeauthenticationdata. ** Added action=removeauthenticationdata. ** Added action=resetpassword. === Action API internal changes in 1.27 === * ApiQueryORM removed. * The following classes have been removed: ** ApiFormatDbg ** ApiFormatTxt ** ApiFormatYaml * ApiBase::addTokenProperties() was removed (deprecated since 1.24). * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24). * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24). * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24). * ApiBase::getPossibleErrors() was removed (deprecated since 1.24). * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24). * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24). * ApiBase::getResultProperties() was removed (deprecated since 1.24). * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24). * ApiBase::parseErrors() was removed (deprecated since 1.24). * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24). * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24). * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25). * ApiQuery::getGenerators() was removed (deprecated since 1.21). * ApiQuery::getModules() was removed (deprecated since 1.21). * ApiQuery::getModuleType() was removed (deprecated since 1.21). * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24). * ApiMain::getModules() was removed (deprecated since 1.21). * ApiBase::getVersion() was removed (deprecated since 1.21). * ApiMain::getShowVersions() was removed (deprecated in 1.21). * ApiMain::addModule() was removed (deprecated in 1.21). * ApiMain::addFormat() was removed (deprecated in 1.21). * ApiMain::getFormats() was removed (deprecated in 1.21). * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21). * ApiCreateAccount is deprecated, and will be removed soon. === Languages updated in 1.27 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale. * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage. === Other changes in 1.27 === * Added dependency injection (DI) infrastructure, see docs/injection.txt for details. It is planned to incrementally move MediaWiki code towards using DI, using the service locator (SL) pattern as a stepping stone. * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class. * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now ignore the 2nd and 3rd arguments (formerly $id and $commit). * Removed "loaderScripts" option from ResourceLoaderFileModule class. * Removed ORM-like wrapper added in 1.20. * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed (deprecated in 1.26). * WikiPage::doQuickEdit() was removed (deprecated since 1.21). * Removed SiteObject and SiteArray classes (deprecated in 1.21). * MessageBlobStore::getInstance() was removed (deprecated since 1.25). * (T84937) Free external links ("autolinked" urls) will now be terminated by   and HTML entity encodings of  , <, and >. * (T36948) The default file revert message's timestamp is now in $wgLocaltimezone, instead of UTC. * The default name of the 'suppress' group page has been changed from 'Project:Oversight' to 'Project:Suppress'. * DatabaseBase::resultObject() is now protected (use outside Database classes not necessary since 1.11). * Calling ResourceLoaderFileModule::readStyleFiles() without a ResourceLoaderContext instance is deprecated. * ResourceLoader::getLessCompiler() now takes an optional parameter of additional LESS variables to set for the compiler. * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly instead. * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php were removed. The underlying data is sent to StatsD (see $wgStatsdServer). * Removed msg_resource_links database table and associated code. * Removed msg_resource database table and associated code. * Skin::getNamespaceNotice() was removed. * wfIsConfiguredProxy() was removed (deprecated since 1.24). * wfDebugTimer() was removed (deprecated since 1.25). * wfIsTrustedProxy() was removed (deprecated since 1.24). * wfGetIP() was removed (deprecated since 1.19). * MWHookException was removed. * OutputPage::appendSubtitle() was removed (deprecated since 1.19). * OutputPage::loginToUse() was removed (deprecated since 1.19). * Article::loadContent() was removed (deprecated since 1.19). * User::editToken() was removed (deprecated since 1.19). * Removed --force-normal option of dumpBackup.php, as it no longer served any useful purpose since 1.22. * The functions processOption() and processArgs() on the BackupDumper and TextPassDumper classes have been removed. * The maintenance/backupTextPass.inc file was deleted. You should include maintenance/dumpTextPass.php instead. * WikiPage::getUsedTemplates() was removed (deprecated since 1.19). * wfEmptyMsg() was removed (deprecated since 1.18). * OutputPage::permissionRequired() was removed (deprecated since 1.18). * OutputPage::blockedPage() was removed (deprecated since 1.18). * User::getSkin() was removed (deprecated since 1.18). * OutputPage::includeJQuery() was removed (deprecated since 1.17). * WikiPage::updateRestrictions() was removed (deprecated since 1.19). * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19). * LogPage::logName() was removed (deprecated since 1.19). * LogPage::logHeader() was removed (deprecated since 1.19). * wfCheckLimits() was removed (deprecated since 1.24). * Linker::makeKnownLinkObj() was removed (deprecated since 1.16). * Linker::makeLinkObj() was removed (deprecated since 1.16). * wfMsgForContentNoTrans() was removed (deprecated since 1.18). * ChangesList::usePatrol was removed (deprecated since 1.22). * wfMsgNoTrans() was removed (deprecated since 1.18). * Linker::makeImageLink2 was removed (deprecated since 1.20). * Title::userIsWatching() was removed (deprecated since 1.20). * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT() database function directly instead. * wfMsg() was removed (deprecated since 1.18). * wfMsgForContent() was removed (deprecated since 1.18). * wfMsgReal() was removed (deprecated since 1.18). * wfMsgGetKey() was removed (deprecated since 1.18). * wfMsgHtml() was removed (deprecated since 1.18). * wfMsgWikiHtml() was removed (deprecated since 1.18). * wfMsgExt() was removed (deprecated since 1.18). * Language::armourMath() was removed (deprecated since 1.22). * LanguageConverter::armourMath() was removed (deprecated since 1.22). * FakeConverter::armourMath() was removed (deprecated since 1.22). * The unused jquery.validate ResourceLoader module was removed. * FileRepo::getRootUrl() was removed (deprecated since 1.20). * User::generateToken() was removed (deprecated since 1.20). * WikiPage::getRawText() was removed (deprecated since 1.21). * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25). * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25). * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25). * Gallery images with multiple caption pipes no longer concatenate them all together but instead pick the final one, similar to image syntax. * XML-like parser tags (such as ), when unclosed, will be left unparsed rather than consume everything until the end of the page. * New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case a user forgot password/account was stolen. * wfCheckEntropy() was removed (deprecated in 1.27). * Browser support for Internet Explorer 8 lowered from Grade A to Grade C. * ContentHandler::supportsCategories method added. Default is true. CategoryMembershipChangeJob updates are skipped for content that does not support categories. * wikidiff difference engine is no longer supported, anyone still using it are encouraged to upgrade to wikidiff2 which is actively maintained and has better package availability. * Database logic was removed from WatchedItem and a WatchedItemStore was created: ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated. User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced. ** WatchedItem::fromUserTitle was deprecated in favour of the constructor. ** WatchedItem::resetNotificationTimestamp was deprecated. ** WatchedItem::batchAddWatch was deprecated. ** WatchedItem::addWatch was deprecated. ** WatchedItem::removeWatch was deprecated. ** WatchedItem::isWatched was deprecated. ** WatchedItem::duplicateEntries was deprecated. ** EmailNotification::updateWatchlistTimestamp was deprecated. ** User::getWatchedItem was removed. * Unit tests don't work with external PHPUnit anymore, Composer is now the only supported way. Run `composer install` to install it and other dev dependencies to run unit tests. * wl_id field added to the watchlist table. * Revision::getRawText() was removed (deprecated since 1.21). * WikiPage::replaceSection() was removed (deprecated since 1.21). * Article::replaceSection() was removed (deprecated since 1.21). * Language::getLangObj() was removed (deprecated since 1.24). * Language::getLanguageName() was removed (deprecated since 1.20). * Language::getLanguageNames() was removed (deprecated since 1.20). * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20). * Language::specialPage() was removed (deprecated since 1.24). * MediaWikiTestCase::assertException() was removed (deprecated since 1.22). * OutputPage::getHeadItems() was removed (deprecated since 1.24). * OutputPage::getScript() was removed (deprecated since 1.24). * OutputPage::out() was removed (deprecated since 1.22). * OutputPage::setAllowedModules() was removed (deprecated since 1.24). * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21). * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21). * Title::newFromRedirect() was removed (deprecated since 1.21). * Skin::commonPrintStylesheet() was removed (deprecated since 1.22). * Skin::getCommonStylePath() was removed (deprecated since 1.24). * Skin::newFromKey() was removed (deprecated since 1.24). * Skin::getUsableSkins() was removed (deprecated since 1.23). * LoadBalancer::pickRandom() was removed (deprecated in 1.21). * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since 1.21). * DifferenceEngine::setText() was removed (deprecated in 1.21). * Title::newFromRedirectArray() was removed (deprecated in 1.21). * UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType as the 6th. These must be passed in the options array now. * Title::newFromRedirectRecurse() was removed (deprecated in 1.21). * Skin::accesskey was removed (deprecated since 1.21). * Skin::blockLink was removed (deprecated since 1.21). * Skin::buildRollbackLink was removed (deprecated since 1.21). * Skin::emailLink was removed (deprecated since 1.21). * Skin::formatComment was removed (deprecated since 1.21). * Skin::formatHiddenCategories was removed (deprecated since 1.21). * Skin::formatLinksInComment was removed (deprecated since 1.21). * Skin::formatRevisionSize was removed (deprecated since 1.21). * Skin::formatSize was removed (deprecated since 1.21). * Skin::formatTemplates was removed (deprecated since 1.21). * Skin::generateTOC was removed (deprecated since 1.21). * Skin::getInternalLinkAttributes was removed (deprecated since 1.21). * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21). * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21). * Skin::getInvalidTitleDescription was removed (deprecated since 1.21). * Skin::getLinkColour was removed (deprecated since 1.21). * Skin::getRevDeleteLink was removed (deprecated since 1.21). * Skin::getRollbackEditCount was removed (deprecated since 1.21). * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21). * Skin::makeCommentLink was removed (deprecated since 1.21). * Skin::makeExternalImage was removed (deprecated since 1.21). * Skin::makeExternalLink was removed (deprecated since 1.21). * Skin::makeHeadline was removed (deprecated since 1.21). * Skin::makeImageLink was removed (deprecated since 1.21). * Skin::makeMediaLinkFile was removed (deprecated since 1.21). * Skin::makeMediaLinkObj was removed (deprecated since 1.21). * Skin::makeSelfLinkObj was removed (deprecated since 1.21). * Skin::makeThumbLink2 was removed (deprecated since 1.21). * Skin::makeThumbLinkObj was removed (deprecated since 1.21). * Skin::normaliseSpecialPage was removed (deprecated since 1.21). * Skin::normalizeSubpageLink was removed (deprecated since 1.21). * Skin::processResponsiveImages was removed (deprecated since 1.21). * Skin::revComment was removed (deprecated since 1.21). * Skin::revDeleteLink was removed (deprecated since 1.21). * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21). * Skin::revUserLink was removed (deprecated since 1.21). * Skin::revUserTools was removed (deprecated since 1.21). * Skin::specialLink was removed (deprecated since 1.21). * Skin::splitTrail was removed (deprecated since 1.21). * Skin::titleAttrib was removed (deprecated since 1.21). * Skin::tocIndent was removed (deprecated since 1.21). * Skin::tocLine was removed (deprecated since 1.21). * Skin::tocLineEnd was removed (deprecated since 1.21). * Skin::tocList was removed (deprecated since 1.21). * Skin::tocUnindent was removed (deprecated since 1.21). * Skin::tooltip was removed (deprecated since 1.21). * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21). * Skin::userTalkLink was removed (deprecated since 1.21). * Skin::userToolLinksRedContribs was removed (deprecated since 1.21). * wikidiff3 is now the default and only PHP diff engine. It provides improved diff performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore makes no difference now. Users are still recommended to use wikidiff2 if possible, though. * User::addNewUserLogEntry() was deprecated. * User::addNewUserLogEntryAutoCreate() was deprecated. * User::isPasswordReminderThrottled() was deprecated. * Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck) were removed. * Installer can now be customized without patching MediaWiki code, see mw-config/overrides/README for details. === Compatibility === MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later. MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server. The supported versions are: * MySQL 5.0.3 or later * PostgreSQL 8.3 or later * SQLite 3.3.7 or later * Oracle 9.0.1 or later * Microsoft SQL Server 2005 (9.00.1399) === Upgrading === 1.27 has several database changes since 1.26, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site). If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes. If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data. If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21. Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions. For notes on 1.26.x and older releases, see HISTORY. = MediaWiki 1.26 = == MediaWiki 1.26.2 == This is a maintenance release of the MediaWiki 1.26 branch. === Changes since 1.26.1 === * (T121892) Fix fatal error on some Special pages, introduced in 1.26.1. == MediaWiki 1.26.1 == This is a maintenance release of the MediaWiki 1.26 branch. === Changes since 1.26.0 === * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error. * (T119309) SECURITY: Use hash_compare() for edit token comparison * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads * (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki * Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy. * Fixed stray literal \n in Special:Search. * Fix issue that breaks HHVM Repo Authorative mode. * (T120267) Work around APCu memory corruption bug == MediaWiki 1.26.0 == === Configuration changes in 1.26 === * $wgPasswordResetRoutes['email'] = true by default. * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE instead if you want to disable the parser cache. * New-style continuation is now the default for API action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly. * Deprecated API formats dump and wddx have been completely removed. * (T7645) The "Signature" button on the edit toolbar is now hidden by default in non-talk namespaces. A new configuration variable, $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces the "Signature" button on the edit toolbar will be displayed. * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental feature that was never enabled by default. * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. This experimental feature was never enabled by default and is obsolete as of MediaWiki 1.26, in where ResourceLoader became fully asynchronous. * $wgMasterWaitTimeout was removed (deprecated in 1.24). * Fields in ParserOptions are now private. Use the accessors instead. * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or in extension.json) have been removed, after being deprecated in 1.24. * $wgAlwaysUseTidy has been removed. * ResetSessionID hook has been removed. Nothing seems to use it. * Certain AuthPlugin methods are deprecated in favor of new hooks: ** AuthPlugin::initUser() is replaced by LocalUserCreated. ** AuthPlugin::updateUser() is replaced by UserLoggedIn. ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings. ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged. ** AuthPluginUser::isHidden() is replaced by UserIsHidden. ** AuthPluginUser::isLocked() is replaced by UserIsLocked. * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook. * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace the passed User object. * $wgBlockAllowsUTEdit is now set to true by default. This allows blocked users to edit their talk pages unless explicitly disabled when they are being blocked. === New features in 1.26 === * (T51506) Now action=info gives estimates of actual watchers for a page. See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret to learn how to configure if needed. * Change tags can now be hidden in the interface by disabling the associated "tag-" interface message. * ':' (colon) is now invalid in usernames for new accounts. Existing accounts are not affected. * Added a new hook, 'LogException', to log exceptions in nonstandard ways. * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of search results are rendered. The initial use case is to append a "give us feedback" link beneath the search results. * Added a new hook, 'RejectParserCacheValue', which allows extensions to reject an otherwise-successful parser cache lookup. The intent is to allow extensions to manage the eviction of archaic HTML output from the cache. * (T68699) The expiration of the UserID and Token login cookies ($wgExtendedLoginCookieExpiration) can be configured independently of the expiration of all other cookies ($wgCookieExpiration). * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading of WebP images still disabled by default. Add $wgFileExtensions[] = 'webp'; to LocalSettings.php to enable uploading of WebP images. * Added new hooks 'EnhancedChangesListModifyLineData' & 'EnhancedChangesListModifyBlockLineData', to modify the data used to build lines in enhanced recentchanges and watchlist. * Caches that need purging ability now use the WANObjectCache interface. This corresponds to a new $wgMainWANCache setting, which defaults to using the $wgMainCacheType settings. * Callers needing fast light-weight data stores use $wgMainStash to select the store type from $wgObjectCaches. The default is the local database. * Interface message overrides in the MediaWiki namespace will now be cached in memcached and APC (if available), rather than memcached and local files. * Added a new hook, 'RandomPageQuery', to allow modification of the query used by Special:Random to select random pages. * $wgTransactionalTimeLimit was added, which controls the request time limit for potentially slow POST requests that need to be as atomic as possible. * ResourceLoader now loads all scripts asynchronously. The top-queue and startup modules are no longer synchronously loaded. * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every page. During the deprecation period, the styles will only be loaded on pages which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will only be loaded if explicitly required. * If search returns zero results and current search engine has a "did you mean" suggestion, results for suggestion will be shown. Can be disabled by setting $wgSearchRunSuggestedQuery to false. * Added several JavaScript libraries for uploading files to MediaWiki from the client-side. See documentation for mw.Upload and its subclasses for more information. * Added OOUI dialogs and layout for file upload interfaces. See documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its subclasses for more information. === extension.json changes in 1.26 === * (T99344) The extension.json schema is now versioned. All extensions and skins should set a "manifest_version" property corresponding to the schema version they were written for. The only supported version currently is "1". * (T102523) The error message if a non-array attribute is set was improved. * (T107646) Configuration settings can now specify how they should be merged, which is necessary for arrays using integer keys. * (T110389) Adding namespaces through extension.json now actually works * $wgNamespaceProtection can now be set in extension.json. * $wgCapitalLinkOverrides can now be set in extension.json. * (T97186) Extensions using a custom prefix for their configuration settings can now set a "_prefix" key to override the default of "wg". * (T99084) Extensions can now specify what MediaWiki core versions they depend upon. * (T105236) The extension.json schema now validates custom classes in the "ResourceModules" property properly. === External library changes in 1.26 === ==== Upgraded external libraries ==== * Updated es5-shim from v4.0.0 to v4.1.5. * Updated json2 from revision 2014-02-04 to 2015-05-03. * Updated Sinon.JS from 1.10.3 to 1.15.4. * Updated jQuery Client from v1.0.0 to v2.0.0. * Updated QUnit from v1.17.1 to v1.18.0. * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16. * Updated oojs/oojs-ui from v0.11.3 to v0.12.12. * Updated wikimedia/cdb from v1.0.1 to v1.3.0. * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3. * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0. * Updated zordius/lightncandy from v0.18 to v0.21. ==== New external libraries ==== * Added composer/semver v1.0.0. * Added mediawiki/at-ease v1.1.0. * Added wikimedia/assert v0.2.2. * Added wikimedia/ip-set v1.0.1. * Added wikimedia/wrappedstring v2.0.0. ==== Removed and replaced external libraries ==== * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9. === Bug fixes in 1.26 === * (T53283) load.php sometimes sends 304 response without full headers * (T65198) Talk page tabs now have a "rel=discussion" attribute * (T98841) {{msgnw:}} now preserves comments even when subst: is not used. * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string. === Action API changes in 1.26 === * New-style continuation is now the default for action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly. * Deprecated API formats dump and wddx have been completely removed. * API action=query&list=tags: The displayname can now be boolean false if the tag is meant to be hidden from user interfaces. * action=import no longer allows both the namespace= and rootpage= parameters to be set. If they are both set, the value of rootpage= will be ignored. * prop=revision output in enum mode is now sorted by timestamp rather than revision ID. This usually won't make any difference. * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array with formatversion=2. * Various other output from meta=siteinfo will now always be arrays instead of sometimes being numerically-indexed objects with formatversion=2. * When errors about users being blocked are returned, they now include information about the relevant block. * (T99926) list=random has higher limits, in line with other API modules. * list=random's rnredirect parameter is deprecated in favor of a new rnfilterredir parameter that also allows for listing both redirects and non-redirects. * list=random now supports continuation. * API responses to GET requests may now include ETag and Last-Modified headers, and will honor corresponding If-None-Match and If-Modified-Since on such requests. === Action API internal changes in 1.26 === * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key into the value when the value is an assoc. * API action modules may now provide values for the RFC 7232 ETag and Last-Modified headers. The API will check these against If-None-Match and If-Modified-Since request headers on GET requests and avoid executing the module when appropriate. === Languages updated in 1.26 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * Languages added: ** ase (American sign language), thanks to translator Icemandeaf ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, मेश सिंह बोहरा, and राम प्रसाद जोशी ** luz (لئری دوٙمینی / Southern Luri) ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi, Ilja.mos, and Mashoi7 === Other changes in 1.26 === * ChangeTags::tagDescription() will return false if the interface message for the tag is disabled. * Added PageHistoryPager::doBatchLookups hook. * Added $wikiId parameter to FormatAutocomments hook. * Added ParserCacheSaveComplete to ParserCache * supportsDirectEditing and supportsDirectApiEditing methods added to ContentHandler, to provide a way for ApiEditPage and EditPage to check if direct editing of content is allowed. These methods return false, by default for the ContentHandler base class and true for TextContentHandler and it's derivative classes (everything in core). For Content types that do not support direct editing, an alternative mechanism should be provided for editing, such as action overrides or specific api modules. * mediaWiki.confirmCloseWindow now returns an object of functions, instead of one function. The callback can't be called directly any more. The callback function is replaced with confirmCloseWindow.release(). * BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to ResourceLoaderModule::getDependencies(). Extension classes that override that method should be updated. If they aren't updated, PHP Strict standards warnings will appear when E_STRICT error reporting is enabled. Note: in the near future, this parameter will probably become non-optional. * Removed maintenance script deleteImageMemcached.php. * MWFunction::newObj() was removed (deprecated in 1.25). ObjectFactory::getObjectFromSpec() should be used instead. * The parser will no longer randomize the string it uses to mark the place of items that were stripped during parsing. It will use a fixed string instead. This causes the parser to re-use the regular expressions it uses to search and replace markers rather than generate novel expressions on each parse. Re-using regular expressions will improve performance on HHVM and the forthcoming PHP 7. The interfaces changes accompanying this change are: - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated. - The $uniq_prefix argument for Parser::extractTagsAndParams() and the $prefix argument for StripState::_construct() are deprecated and their value is ignored. * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, mediawiki/at-ease, and are now deprecated. Callers should use MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly. * The Block class constructor now takes an associative array of parameters instead of many optional positional arguments. Calling the constructor the old way will issue a deprecation warning. * The jquery.mwExtension module was deprecated. * $wgSpecialPageGroups was removed (deprecated in 1.21). * SpecialPageFactory::setGroup was removed (deprecated in 1.21). * SpecialPageFactory::getGroup was removed (deprecated in 1.21). * DatabaseBase::ignoreErrors() is now protected. * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following a lengthy deprecation period. * The ScopedPHPTimeout class was removed. * Removed maintenance script fixSlaveDesync.php. * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() are deprecated. Applications using those can work via the OAuth extension instead. New tokens types should not be added. * DatabaseBase::errorCount() was removed (unused). * $wgDeferredUpdateList was removed. * DeferredUpdates::addHTMLCacheUpdate() was removed. = MediaWiki 1.25 = == MediaWiki 1.25.5 == This is a maintenance release of the MediaWiki 1.25 branch. === Changes since 1.25.4 === * (T121892) Fix fatal error on some Special pages, introduced in 1.25.4. == MediaWiki 1.25.4 == This is a security and maintenance release of the MediaWiki 1.25 branch. === Changes since 1.25.3 === * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error. * (T119309) SECURITY: Use hash_compare() for edit token comparison * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads * (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki * (T103237) $wgUseGzip had no effect when using file cache. * (T114606) mw.notify was not correctly fixed to the page if initialized while not at the top of the page. * Fix issue that breaks HHVM Repo Authorative mode. == MediaWiki 1.25.3 == This is a security and maintenance release of the MediaWiki 1.25 branch. === Changes since 1.25.2 === * (T98975) Fix having multiple callbacks for a single hook. * (T107632) maintenance/refreshLinks.php did not always remove all links pointing to nonexistent pages. * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string. * (T62174) Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was causing an error when accessing the api help page if the mbstring PHP extension was not installed. * (T105896) Confirmation emails would sometimes contain invalid codes. * (T105597) Fixed edit stash inclusion queries. * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the first * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails == MediaWiki 1.25.2 == This is a security and maintenance release of the MediaWiki 1.25 branch. === Changes since 1.25.1 === * (T94116) SECURITY: Compare API watchlist token in constant time * (T97391) SECURITY: Escape error message strings in thumb.php * (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons. * (T100767) Setting a configuration setting for skin or extension to false in LocalSettings.php was not working. * (T100635) API action=opensearch json output no longer breaks when $wgDebugToolbar is enabled. * (T102522) Using an extension.json or skin.json file which has a "manifest_version" property for 1.26 compatability will no longer trigger warnings. * (T86156) Running updateSearchIndex.php will not throw an error as page_restrictions has been added to the locked table list. * Special:Version would throw notices if using SVN due to an incorrectly named variable. Add an additional check that an index is defined. == MediaWiki 1.25.1 == This is a bug fix release of the MediaWiki 1.25 branch. === Changes since 1.25 === * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension == MediaWiki 1.25.0 == === Configuration changes in 1.25 === * $wgPageShowWatchingUsers was removed. * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts. * $wgAntiLockFlags was removed. * $wgJavaScriptTestConfig was removed. * Edit tokens returned from User::getEditToken may change on every call. Token validity must be checked by passing the user-supplied token to User::matchEditToken rather than by testing for equality with a newly-generated token. * (T74951) The UserGetLanguageObject hook may be passed any IContextSource for its $context parameter. Formerly it was documented as receiving a RequestContext specifically. * Profiling was restructured and $wgProfiler now requires an 'output' parameter. See StartProfiler.sample for details. * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable. * ApiOpenSearch now supports XML output. The OpenSearchXml extension should no longer be used. If extracts and page images are desired, the TextExtracts and PageImages extensions are required. * $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates. * Edits are now prepared via AJAX as users type edit summaries. This behavior can be disabled via $wgAjaxEditStash. * (T46740) The temporary option $wgIncludejQueryMigrate was removed, along with the jQuery Migrate library, as indicated when this option was provided in MediaWiki 1.24. * ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any StartProfiler.php config is updated to reflect this. Xhprof is available for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler. * Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary rather than 'rsvg'. * Default value of $wgSVGConverters['ImageMagick'] now uses transparent background with white fallback color, rather than just white background. * MediaWikiBagOStuff class removed, make sure any object cache config uses SqlBagOStuff instead. * The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis job queues. This means that mediawiki/services/jobrunner service has to be installed and running for any such queues to work. * $wgAutopromoteOnce no longer supports the 'view' event. For keeping some compatibility, any 'view' event triggers will still trigger on 'edit'. * $wgExtensionDirectory was added for when your extensions directory is somewhere other than $IP/extensions (as $wgStyleDirectory does with the skins directory). === New features in 1.25 === * (T64861) Updated plural rules to CLDR 26. Includes incompatible changes for plural forms in Russian, Prussian, Tagalog, Manx and several languages that fall back to Russian. * (T60139) ResourceLoaderFileModule now supports language fallback for 'languageScripts'. * Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the parser output for a content object before links update. * (T37785) Enhanced recent changes and extended watchlist are now default. Documentation: https://meta.wikimedia.org/wiki/Special:MyLanguage/Help:Enhanced_recent_changes and https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:$wgDefaultUserOptions. * (T69341) SVG images will no longer be base64-encoded when being embedded in CSS. This results in slight size increase before gzip compression (due to percent-encoding), but up to 20% decrease after it. * Update jStorage to v0.4.12. * MediaWiki now natively supports page status indicators: icons (or short text snippets) usually displayed in the top-right corner of the page. They have been in use on Wikipedia for a long time, implemented using templates and CSS absolute positioning. - Basic wikitext syntax: [[File:Foo.svg|20px]] - Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators - Adjusting custom skins to support indicators: https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Skinning#Page_status_indicators * Edit tokens may now be time-limited: passing a maximum age to User::matchEditToken will reject any older tokens. * The debug logging internals have been overhauled, and are now using the PSR-3 interfaces. * Update CSSJanus to v1.1.1. * Update lessphp to v0.5.0. * Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts and images for ApiOpenSearch output. The semantics are identical to the "OpenSearchXml" hook provided by the OpenSearchXml extension. * PrefixSearchBackend hook now has an $offset parameter. Combined with $limit, this allows for pagination of prefix results. Extensions using this hook should implement supporting behavior. Not doing so can result in undefined behavior from API clients trying to continue through prefix results. * Update jQuery from v1.11.1 to v1.11.3. * External libraries installed via composer will now be displayed on Special:Version in their own section. Extensions or skins that are installed via composer will not be shown in this section as it is assumed they will add the proper credits to the skins or extensions section. They can also be accessed through the API via the new siprop=libraries to ApiQuerySiteInfo. * Update QUnit from v1.14.0 to v1.16.0. * Update Moment.js from v2.8.3 to v2.8.4. * Special:Tags now allows for manipulating the list of user-modifiable change tags. * Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete', and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change tags. * Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and "active" formerly conflated by the 'ListDefinedTags' hook. * Added TemplateParser class that provides a server-side interface to cachable dynamically-compiled Mustache templates (currently uses lightncandy library). * Clickable anchors for each section heading in the content are now generated and appear in the gutter on hovering over the heading. * Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks to allow extensions to override how links to pages are rendered within NS_CATEGORY * (T19665) Special:WantedPages only lists page which having at least one red link pointing to it. * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be used for conditional registration of API modules. * New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the links of a group of changes in EnhancedChangesList. * A full interface for StatsD metric reporting has been added to the context interface, reachable via IContextSource::getStats(). * Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a proper, published library, which is now tagged as v1.0.0. * A new message (defaulting to blank), 'editnotice-notext', can be shown to users when they are editing if no edit notices apply to the page being edited. * (T94536) You can now make the sitenotice appear to logged-in users only by editing MediaWiki:Anonnotice and replacing its content with "". Setting it to "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice. * Modifying the tagging of a revision or log entry is now available via Special:EditTags, generally accessed via the revision-deletion-like interface on history pages and Special:Log is likely to be more useful. * Added 'applychangetags' and 'changetags' user rights. * (T35235) LogFormatter subclasses are now responsible for formatting the parameters for API log event output. Extensions should implement the new getParametersForApi() method in their log formatters. ==== External libraries ==== * MediaWiki now requires certain external libraries to be installed. In the past these were bundled inside the Git repository of MediaWiki core, but now they need to be installed separately. For users using the tarball, this will be taken care of and no action will be required. Users using Git will either need to use composer to fetch dependencies or use the mediawiki/vendor repository which includes all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed instructions can be found at: https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries * The following libraries are now required: ** psr/log This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/) which are used by MediaWiki internally via the MediaWiki\Logger\LoggerFactory class. See the structured logging RfC (https://www.mediawiki.org/wiki/Special:MyLanguage/Requests_for_comment/Structured_logging) for more background information. ** cssjanus/cssjanus This library was formerly bundled with MediaWiki core and has been removed. It automatically flips CSS for RTL support. ** leafo/lessphp This library was formerly bundled with MediaWiki core and has been removed. It compiles LESS files into CSS. ** wikimedia/cdb This library was formerly a part of MediaWiki core, and has been moved into a separate library. It provides CDB functions which are used in the Interwiki and Localization caches. More information about the library can be found at https://www.mediawiki.org/wiki/Special:MyLanguage/CDB. ** liuggio/statsd-php-client This library provides a StatsD client API for logging application metrics to a remote server. === Bug fixes in 1.25 === * (T73003) No additional code will be generated to try to load CSS-embedded SVG images in Internet Explorer 6 and 7, as they don't support them anyway. * (T69021) On Special:BookSources, corrected validation of ISBNs (both 10- and 13-digit forms) containing "X". * Page moving was refactored into a MovePage class. As part of that: ** The AbortMove hook was removed. ** MovePageIsValidMove is for extensions to specify whether a page cannot be moved for technical reasons, and should not be overridden. ** MovePageCheckPermissions is for checking whether the given user is allowed to make the move. ** Title::moveNoAuth() was deprecated. Use the MovePage class instead. ** Title::moveTo() was deprecated. Use the MovePage class instead. ** Title::isValidMoveOperation() broken down into MovePage::isValidMove() and MovePage::checkPermissions(). * (T18530) Multiple autocomments are now formatted in an edit summary. * (T70361) Autocomments containing "/*" are parsed correctly. * The Special:WhatLinksHere page linked from 'Number of redirects to this page' on action=info about a file page does not list file links anymore. * (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible. * (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause * (T85192) Captcha position modified in Usercreate template. As a result: ** extrafields parameter added to Usercreate.php to insert additional data ** 'extend' method added to QuickTemplate to append additional values to any field of data array * (T86974) Several Title methods now load from the database when necessary (instead of returning incorrect results) even when the page ID is known. * (T74070) Duplicate search for archived files on file upload now omits the extension. This requires the fa_sha1 field being populated. * Removed rel="archives" from the "View history" link, as it did not pass HTML validation. * $wgUseTidy is now set when parserTests are run with the tidy option to match output on wiki. * (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it. * (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber(). === Action API changes in 1.25 === * (T67403) XML tag highlighting is now only performed for formats "xmlfm" and "wddxfm". * action=paraminfo supports generalized submodules (modules=query+value), querymodules and formatmodules are deprecated * action=paraminfo no longer outputs descriptions and other help text by default. If needed, it may be requested using the new 'helpformat' parameter. * action=help has been completely rewritten, and outputs help in HTML rather than plain text. * Hitting api.php without specifying an action now displays only the help for the main module, with links to submodule help. * API help is no longer displayed on errors. * 'uselang' is now a recognized API parameter; "uselang=user" may be used to explicitly select the language from the current user's preferences, and "uselang=content" may be used to select the wiki's content language. * Default output format for the API is now jsonfm. * Simplified continuation will return a "batchcomplete" property in the result when a batch of pages is complete. * Pretty-printed HTML output now has nicer formatting and (if available) better syntax highlighting. * Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and list=alldeletedrevisions. * prop=revisions will gracefully continue when given too many revids or titles, rather than just ignoring the extras. * prop=revisions will no longer die if rvcontentformat doesn't match a revision's content model; it will instead warn and omit the content. * If the user has the 'deletedhistory' right, action=query's revids parameter will now recognize deleted revids. * prop=revisions may be used as a generator, generating revids. * (T68776) format=json results will no longer be corrupted when $wgMangleFlashPolicy is in effect. format=php results will cleanly return an error instead of returning invalid serialized data. * Generators may now return data for the generated pages when used with action=query. * Query page data for generator=search and generator=prefixsearch will now include an "index" field, which may be used by the client for sorting the search results. * ApiOpenSearch now supports XML output. * ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3 in JSON format. * (T76051) list=tags will now continue correctly. * (T76052) list=tags can now indicate whether a tag is defined. * (T75522) list=prefixsearch now supports continuation * (T78737) action=expandtemplates can now return page properties. * (T78690) list=allimages now accepts multiple pipe-separated values for the 'aimime' parameter. * prop=info with inprop=protections will now return applicable protection types with the 'restrictiontypes' key. * (T85417) When resolving redirects, ApiPageSet will now add the targets of interwiki redirects to the list of interwiki titles. * (T85417) When outputting the list of redirect titles, a 'tointerwiki' property (like the existing 'tofragment' property) will be set. * Added action=managetags to allow for managing the list of user-modifiable change tags. Actually modifying the tagging of a revision or log entry is not implemented yet. * list=tags has additional properties to indicate 'active' status and tag sources. * siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries. * (T88010) Added action=checktoken, to test a CSRF token's validity. * (T88010) Added intestactions to prop=info, to allow querying of Title::userCan() via the API. * Default type param for query list=watchlist and list=recentchanges has been changed from all types (e.g. including 'external') to 'edit|new|log'. * Added formatversion to format=json. Still "experimental" as further changes to the output formatting might still be made. * (T73020) Log event details are now always under a 'params' subkey for list=logevents, and a 'logparams' subkey for list=watchlist and list=recentchanges. * Log event details are changing formatting: * block events now report flags as an array rather than as a comma-separated list. * patrol events now report the 'auto' flag as a boolean (absent/empty string for BC formats) rather than as an integer. * rights events now report the old and new group lists as arrays rather than as comma-separated lists. * merge events use new-style formatting. * delete/event and delete/revision events use new-style formatting. * The root node and various other nodes will now always be an object in formats such as json that distinguish between arrays and objects. * Except for action=opensearch where the spec requires an array. === Action API internal changes in 1.25 === * ApiHelp has been rewritten to support i18n and paginated HTML output. Most existing modules should continue working without changes, but should do the following: * Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription(). * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter to replace getParamDescription(). If necessary, the settings array returned by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the message. * Implement getExamplesMessages() to replace getExamples(). * Modules with submodules (like action=query) must have their submodules override ApiBase::getParent() to return the correct parent object. * The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated, and will have no effect for modules using i18n messages. Use 'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead. * Api formatters will no longer be asked to display the help screen on errors. * ApiMain::getCredits() was removed. The credits are available in the 'api-credits' i18n message. * ApiFormatBase has been changed to support i18n and syntax highlighting via extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting has been removed. * ApiFormatBase now always buffers. Output is done when ApiFormatBase::closePrinter is called. * Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase. * The 'revids' parameter supplied by ApiPageSet will now count deleted revisions as "good" if the user has the 'deletedhistory' right. New methods ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are provided to access just the live or just the deleted revids. * Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData() to allow generators to include data in the action=query result. * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be used for conditional registration of API modules. * Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if the current request was sent with the 'callback' parameter (or any future method that breaks the same-origin policy). * Profiling methods in ApiBase are deprecated and no longer need to be called. * ApiResult was greatly overhauled. See inline documentation for details. * ApiResult will automatically convert objects to strings or arrays (depending on whether a __toString() method exists on the object), and will refuse to add unsupported value types. * An informal interface, ApiSerializable, exists to override the default object conversion. * ApiResult/ApiFormatBase "raw mode" is deprecated. * ApiFormatXml now assumes defaults and so on instead of throwing errors when metadata isn't set. * (T35235) LogFormatter subclasses are now responsible for formatting log event parameters for the API. * Many modules have changed result data formats. While this shouldn't affect clients not using the experimental formatversion=2, code using ApiResult::getResultData() without the transformations for backwards compatibility may need updating, as will code that wasn't following the old conventions for API boolean output. * The following methods have been deprecated and may be removed in a future release: * ApiBase::getDescription * ApiBase::getParamDescription * ApiBase::getExamples * ApiBase::makeHelpMsg * ApiBase::makeHelpArrayToString * ApiBase::makeHelpMsgParameters * ApiBase::getModuleProfileName * ApiBase::profileIn * ApiBase::profileOut * ApiBase::safeProfileOut * ApiBase::getProfileTime * ApiBase::profileDBIn * ApiBase::profileDBOut * ApiBase::getProfileDBTime * ApiBase::getResultData * ApiFormatBase::setUnescapeAmps * ApiFormatBase::getWantsHelp * ApiFormatBase::setHelp * ApiFormatBase::formatHTML * ApiFormatBase::setBufferResult * ApiFormatBase::getDescription * ApiFormatBase::getNeedsRawData * ApiMain::setHelp * ApiMain::reallyMakeHelpMsg * ApiMain::makeHelpMsgHeader * ApiResult::setRawMode * ApiResult::getIsRawMode * ApiResult::getData * ApiResult::setElement * ApiResult::setContent * ApiResult::setIndexedTagName_recursive * ApiResult::setIndexedTagName_internal * ApiResult::setParsedLimit * ApiResult::beginContinuation * ApiResult::setContinueParam * ApiResult::setGeneratorContinueParam * ApiResult::endContinuation * ApiResult::size * ApiResult::convertStatusToArray * ApiQueryImageInfo::getPropertyDescriptions * ApiQueryLogEvents::addLogParams * The following classes have been deprecated and may be removed in a future release: * ApiQueryDeletedrevs === Languages updated in 1.25 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports. * Languages added: ** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey; ** bgn (بلوچی رخشانی / Western Balochi), thanks to translators Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali; ** ses (Koyraboro Senni), thanks to translator Songhay. * (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's interface language to kk where unexpected. * The Chinese conversion table was substantially updated to fix a lot of bugs and ensure better reading experience for different variants. === Other changes in 1.25 === * (T45591) Links to MediaWiki.org translatable help were added to indicators, mostly in special pages. Local custom target titles can be placed in the relevant '(namespace-X|action name|special page name)-helppage' system message. Extensions can use the addHelpLink() function to do the same. * The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for migration guide for creators and users of custom skins that relied on it. * Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only available on Special:Upload. * (T58257) Set site logo from mediawiki.skinning.interface module instead of inline styles in the HTML. * Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20) * Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20) * Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20) * Removed Preferences::trySetUserEmail(). (deprecated since 1.20) * Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20) * Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated since 1.20) * Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated since 1.20) * Removed 'jquery.json' module. (deprecated since 1.24) Use the 'json' module and global JSON object instead. * Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited(). Also, the former will now throw an MWException if called with one or more arguments. * Removed hitcounters and associated code. * The "temp" zone of the upload respository is now considered private. If it already exists (such as under the images/ directory), please make sure that the directory is not web readable (e.g. via a .htaccess file). * BREAKING CHANGE: In the XML dump format used by Special:Export and dumpBackup.php, the and tags now apprear before the tag, instead of after the and tags. The new schema version is 0.10, the new schema URI is: https://www.mediawiki.org/xml/export-0.10.xsd * MWFunction::call() and MWFunction::callArray() were removed, having being deprecated in 1.22. * Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj, and getInternalLinkAttributes methods in Linker, and removed getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18. * Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore. * Added wgRelevantArticleId to the client-side config, for use on special pages. * Deprecated the TitleIsCssOrJsPage hook. Superseded by the ContentHandlerDefaultModelFor hook since MediaWiki 1.21. * Deprecated the TitleIsWikitextPage hook. Superseded by the ContentHandlerDefaultModelFor hook since MediaWiki 1.21. * Changed parsing of variables in schema (.sql) files: ** The substituted values are no longer parsed. (Formerly, several passes were made for each variable, so depending on the order in which variables were defined, variables might have been found inside encoded values. This is no longer the case.) ** Variables are no longer string encoded when the /*$var*/ syntax is used. If string encoding is necessary, use the '{$var}' syntax instead. ** Variable names must only consist of one or more of the characters "A-Za-z0-9_". ** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A does not exist yet variable B does, the latter may not be replaced. However, this difference is unlikely to arise in practice. * (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word characters on both sides. * The FormatAutocomments hook will now receive $pre and $post as booleans, rather than as strings that must be prepended or appended to $comment. * (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain newlines; but they can contain   and other non-newline whitespace. * The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you relied on this behavior, update your scripts' dependencies. * HTMLForm's 'vform' display style has been separated to a subclass. Therefore: * HTMLForm::isVForm() is now deprecated. * You can no longer do this: $form = new HTMLForm( … ); $form->setDisplayFormat( 'vform' ); // throws exception Instead, do this: $form = HTMLForm::factory( 'vform', … ); * Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment(). * BREAKING CHANGE: mediawiki.user.generateRandomSessionId: The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F * (T87504) Avoid serving SVG background-images in CSS for Opera 12, which renders them incorrectly when combined with border-radius or background-size. * Removed maintenance script dumpSisterSites.php. * DatabaseBase class constructors must be called using the array argument style. Ideally, DatabaseBase:factory() should be used instead in most cases. * Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates. This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26, since they interfere with caching of ParserOutput objects. * Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates. * Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform updates when a page is re-rendered. * EditPage::attemptSave has been modified not to call handleStatus itself and instead just returns the Status object. Extension calling it should be aware of this. * Removed class DBObject. (unused since 1.10) * wfDiff() is deprecated. * The -m (maximum replication lag) option of refreshLinks.php was removed. It had no effect since MediaWiki 1.18 and should be removed from any cron jobs or similar scripts you may have set up. * (T85864) The following messages no longer support raw html: redirectto, thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others, retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode, protect-summary-cascade * All BloomCache related code has been removed. This was largely experimental. * $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They can only be set for the entire skin. * Removed global function swap(). (deprecated since 1.24) * Deprecated the ".php5" file extension entry points and the $wgScriptExtension configuration variable. Refer to the ".php" files instead. If you want ".php5" URLs to continue to work, set up redirects. In Apache, this can be done by enabling mod_rewrite and adding the following rules to your configuration: RewriteEngine On RewriteBase / RewriteRule ^(.*)\.php5 $1.php [R=301,L] * The global importScriptURI and importStylesheetURI functions, as well as the loadedScripts object, from wikibits.js (deprecated since 1.17) now emit warnings through mw.log.warn when accessed. = MediaWiki 1.24 = == MediaWiki 1.24.6 == This is a maintenance release of the MediaWiki 1.24 branch. === Changes since 1.24.5 === * (T121892) Fix fatal error on some Special pages, introduced in 1.24.5. == MediaWiki 1.24.5 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.24.4 === * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error. * (T119309) SECURITY: Use hash_compare() for edit token comparison * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads * (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki * (T103237) $wgUseGzip had no effect when using file cache. == MediaWiki 1.24.4 == This is a security and maintenance release of the MediaWiki 1.24 branch. === Changes since 1.24.3 === * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+. * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix. * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the first * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails == MediaWiki 1.24.3 == This is a security and maintenance release of the MediaWiki 1.24 branch. === Changes since 1.24.2 === * (T94116) SECURITY: Compare API watchlist token in constant time * (T97391) SECURITY: Escape error message strings in thumb.php * (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions * Update jQuery from v1.11.2 to v1.11.3. * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons. == MediaWiki 1.24.2 == This is a security and maintenance release of the MediaWiki 1.24 branch. === Changes since 1.24.1 === * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS. * (T88310) SECURITY: Always expand xml entities when checking SVG's. * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. * (T85855) SECURITY: Don't execute another user's CSS or JS on preview. * (T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2. * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy. * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false. * (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL. * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix. == MediaWiki 1.24.1 == This is a security and maintenance release of the MediaWiki 1.24 branch. === Changes since 1.24.0 === * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this. * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name. * (bug T74222) The original patch for T74222 was reverted as unnecessary. * Fixed a couple of entries in RELEASE-NOTES-1.24. * (bug T76168) OutputPage: Add accessors for some protected properties. * (bug T74834) Make 1.24 branch directly installable under PostgreSQL. == MediaWiki 1.24.0 == === Configuration changes in 1.24 === * MediaWiki will no longer run if register_globals is enabled. It has been deprecated for 5 years now, and was removed in PHP 5.4. For more information about why, see . * MediaWiki now requires PHP's iconv extension. openSUSE users may need to install the php5-iconv package. Users of other systems may need to add extension=iconv.so to php.ini or recompile PHP without --without-iconv. * MediaWiki will no longer function if magic quotes are enabled. It has been deprecated for 5 years now, and was removed in PHP 5.4. * The server's canonical hostname is available as $wgServerName, which is exposed in both mw.config and ApiQuerySiteInfo. * Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch, for using the old schema of the page_props table, in case the respective schema update was not applied. * $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything' user option was removed. Use $wgNamespacesToBeSearchedDefault instead or if you used to have $wgDefaultUserOptions['searcheverything'] = 1. * $wgMasterWaitTimeout has been deprecated. * $wgDBClusterTimeout has been removed. * $wgProxyKey has been removed. It is no longer used by MediaWiki core. Ensure $wgSecretKey is set in LocalSettings.php. * $wgExtraInterlanguageLinkPrefixes is a new configuration variable that contains an array of interwiki prefixes that should be treated as language prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set to true). * $wgParserTestRemote has been removed. * $wgCountTotalSearchHits has been removed. If you're concerned about efficiency of search, you should use something like CirrusSearch instead of built in search. * Users in the 'sysop' group have access to Special:MergeHistory by default. * $wgFileStore was removed after having been deprecated in 1.17. Alternative configurations are $wgDeletedDirectory and $wgHashedUploadDirectory. * The deprecated $wgUseCommaCount variable has been removed. * $wgEnableSorbs and $wgSorbsUrl have been removed. * The UserCryptPassword and UserComparePassword hooks are no longer called. Any extensions using them must be updated to use the Password Hashing API. * $wgCompiledFiles has been removed. * $wgSortSpecialPages was removed, the listing on Special:SpecialPages is now always sorted. * $wgSpecialPages may now use callback functions as an alternative to plain class names. This allows more control over constructor parameters. * $wgHTCPMulticastAddress, $wgHTCPMulticastRouting and $wgHTCPPort were removed. * $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort and $wgRC2UDPPrefix have been removed. * The default password type for MediaWiki has been changed from MD5 to PBKDF2. Password hashes will automatically be updated as users log in. If necessary, the old MD5 hashing can be restored by changing $wgPasswordDefault to 'B'. In addition, there is a maintenance script wrapOldPassword.php that can wrap all passwords in PBKDF2 (or the hashing algorithm of your choice) if you don't want to wait for your users to log in. * $wgImportSources can now either be a regular array, or an associative map specifying subprojects on the interwiki map of the target wiki, or a mix of the two. Existing configurations will still work. * Users must be able to edit through a page's protection to be able to delete it. * The default thumb size ($wgDefaultUserOptions['thumbsize']) is now 300px, up from 180px. If you have altered the number of entries in $wgThumbLimits for your wiki, you may need to adjust your default user settings to compensate for the index change. * $wgDeferredUpdateList is now deprecated, you should use DeferredUpdates::addUpdate() instead. * $wgCanonicalLanguageLinks has been removed. Per Google recommendations, we will not send a rel=canonical pointing to a variant-neutral page, however we will send rel=alternate. * $wgResourceLoaderLESSFunctions has been deprecated and will be removed in the future. * $wgGoToEdit has been removed. Use the SpecialSearchNogomatch hook for similar functionality. === New features in 1.24 === * Added new hook WatchlistEditorBeforeFormRender, allowing subscribers to manipulate the list of pages and/or preload lots of data at once. * Added new argument &$link in hook WatchlistEditorBuildRemoveLine, allowing the link to the title to be changed. * Added a new hook, "WhatLinksHereProps", to allow extensions to annotate WhatLinksHere entries. * Added a new hook, "ContentGetParserOutput", to customize parser output for a given content object. * Deprecated the hook "ShowRawCssJs", use "ContentGetParserOutput" instead. * HTMLForm's HTMLTextField now supports the 'url' type. * HTMLForm fields may now be dynamically hidden based on the values of other fields in the form. * HTMLForm now supports multiple copies of an input field or set of input fields, e.g. the form may request "one or more usernames" without having to have the user enter delimited list of names into a text field. * Added a new hook, "SidebarBeforeOutput", to allow to edit the structure of the sidebar just before its display. * (bug 49156) Added the mediawiki.cookie ResourceLoader module, which wraps jquery.cookie so that getting/setting a cookie is syntactically and functionally similar to using the WebRequest::getCookie() and WebResponse::setcookie() methods. * (bug 44740) jQuery upgraded from 1.8.3 to 1.11.1. A new configuration option, $wgIncludejQueryMigrate, also loads the jQuery Migrate hack to let extensions and gadgets use the long-deprecated functions that were removed in jQuery 1.9. This option is turned off by default, and will be removed in MediaWiki 1.25. * (bug 47076) jQuery UI upgraded from 1.8.24 to 1.9.2. * Changes to content typography (fonts, etc.). See https://www.mediawiki.org/wiki/Typography_refresh for further information. * WikitextContent will now render redirects with the expected "redirect" header, rather than as an ordered list. Code calling Article::viewRedirect can probably be changed to no longer special-case redirects. * Header font set to a serif font stack. See https://www.mediawiki.org/wiki/Typography_refresh for further information. * (bug 65567) Added a new hook, "BeforeHttpsRedirect", to allow cancellation of the HTTP to HTTPS redirect due to forceHTTPS cookie, userRequires, etc. This is only for page views, since this hook doesn't affect UserLogin, OAuth, CentralAuth, etc. ATTENTION: This hook is likely to be removed soon due to overall design of the system. * (bug 17367) It is now possible to add pages to your watchlist from Special:UnwatchedPages without reloading the special page. * New methods setVolatile and isVolatile are added to PPFrame, so that extensions such as Cite.php can mark that their output is volatile and shouldn't be cached. * (bug 52817) Advanced search options are now saved on the search page itself, rather than in a dedicated pane in the preferences panel. * (bug 44591) The dropdown actions menu (little triangle next to page tabs) in the Vector skin has gained a label that should make it more discoverable. * MWCryptHKDF added for fast, cryptographically secure random number generation that won't deplete openssl's entropy pool. * ResourceLoader: File modules can now provide a skip function that uses an inline feature test to bypass loading of the module. * (bug 20210) Special pages may now provide autocompletion of their subpage names in search suggestions. Right now the only useful implementation is in Special:Log, but more are to come. * Special:MostLinkedTemplates is no longer limited to transclusions from the Template namespace. * Skins can now use 'remoteSkinPath' when defining ResourceLoader modules. This works the same as 'remoteExtPath' but is relative to the skins/ folder instead of the extensions/ folder. * Added the json2.js polyfill for the ES5 JSON.stringify and JSON.parse methods. Exposed as module "json" with a skip function to optimise loading. * Extensions and skins may now use 'namemsg' in $wgExtensionCredits in addition to 'name', to allow for the name to be localizable. 'name' should still be specified for backwards-compatibility and to define the path Special:Version uses to find extension license information. * Browser tests are now included to verify basic wiki functionality in developer environments. For details on running tests, see tests/browser/README.mediawiki. * Upgrade jStorage to v0.4.10. * {{!}} is now a magic word that produces the | character. This removes the need for Template:! for purposes such as passing pipes inside of parameters. * (bug 20790) The block log snippet on Special:Contributions and while editing user and user talk pages now works for IP range blocks. * (bug 9360) Added ability to change the page language for MediaWiki pages using Special:PageLanguage. All pages are set to wiki language by default. The feature needs to be enabled with $wgPageLanguageUseDB=true and permission needs to be set for 'pagelang'. * Upgrade Moment.js to v2.8.3. * (bug 67042) Added support for the HTML5 tag for East Asian typography. * Upgrade Sinon.JS to 1.10.3. * Added the es5-shim polyfill for older or non-compliant javascript engines. * Upgrade jQuery Cookie to v1.3.1. * (bug 20476) Add a "viewsuppressed" user right to be able to view suppressed content but not suppress it ("suppressrevision" right). * (bug 66440) The MediaWiki web installer will now allow you to choose the skins to enable (from the ones included in download tarball) and decide which one should be the default. * (bug 68085, 68802) Links like [[localInterwikiPrefix:languageCode:pageTitle]], where localInterwikiPrefix is a member of the $wgLocalInterwikis array, will no longer be displayed in the sidebar when $wgInterwikiMagic is true. In a similar way, links like [[localInterwikiPrefix:File:Image.png]] and [[localInterwikiPrefix:Category:Hello]] will now render as regular links, and will not include the file or add the page to the category. * New special page, MyLanguage, to redirect users to subpages with localised versions of a page. (Integrated from Extension:Translate) * MediaWiki now supports multiple password types, including bcrypt and PBKDF2. The default type can be changed with $wgPasswordDefault and the type configurations can be changed with $wgPasswordConfig. * Skins can now define custom styles for default ResourceLoader modules using the $wgResourceModuleSkinStyles global. See the Vector skin for examples. * (bug 4488) There is now a preference to watch pages where the user has rollbacked an edit by default. * (bug 15484) Users will now be redirected to the login page when they need to log in, rather than being shown a page asking them to log in and having to click another link to actually get to the login page. * A JsonContent and JsonContentHandler were added for extensions to extend. * (bug 35045) Redirects to sections will now update the URL in browser's address bar using the HTML5 History API. When [[Dog]] redirects to [[Animals#Dog]], the user will now see "Animals#Dog" in their browser instead of "Dog#Dog". * API token handling has been rewritten. Any API module using tokens will need to be updated. See the entry below under "Action API internal changes". * Added HTMLAutoCompleteSelectField. * Added a new hook, "SkinPreloadExistence", to allow extensions to add titles to link existence cache before the page is rendered. * Config::set() was moved to its own interface, MutableConfig. GlobalVarConfig::set() is now deprecated, does not implement MutableConfig. * A MutableConfig named HashConfig was added, that stores an array of configuration settings. * (bug 69418) A MultiConfig implementation was added that supports fallback to multiple Config instances. * Update CSSJanus to v1.1.0. * Added FormatJson::parse() returning status with result or localized error message * Added DeletedContribsPager::reallyDoQuery hook allowing extensions to data to Special:DeletedContributions * Added DeletedContributionsLineEnding hook allowing extensions to format Special:DeletedContributions lines * (T69525) You can now make MediaWiki speed up its thumbnail rendering by using intermediary thumbnails. $wgThumbnailBuckets must be set to a list of target thumbnail widths; when a new thumbnail needs to be rendered, MediaWiki will find the smallest bucket smaller than the original but larger than the target width + $wgThumbnailMinimumBucketDistance, and it will scale that thumbnail, rather than the original, down to the target size at greater speed in return for minor loss of fidelity. === Bug fixes in 1.24 === * (bug 50572) MediaWiki:Blockip should support gender * (bug 49116) Footer copyright notice is now always displayed in user language rather than content language (same as copyright notice for editing interface). * (bug 62258) A bug was fixed in File::getUnscaledThumb when a height restriction was present in the parameters. Images with both the "frame" option and a size specification set will now always ignore the provided size and display an unscaled image, as the documentation has always claimed it would. * (bug 39035) Improved Vector skin performance by removing collapsibleNav, which used to collapse some sidebar elements by default. This removes -list id suffixes like p-lang-list: instead of using things like #p-lang-list, you can do #p-lang .body ul. * (bug 890) Links in Special:RecentChanges and Special:Watchlist no longer follow redirects to their target pages. * Parser now dies early if called recursively, instead of producing subtle bugs. * (bug 14323) Redirect pages, when viewed with redirect=no, no longer hide the remaining page content. * (bug 52587) Maintenance script deleteBatch.php no longer follows redirects in the file namespace and delete the file on the target page. It will still however delete the redirect page. * (bug 22683) {{msgnw:}} and other uses of PPFrame::RECOVER_ORIG will correctly recover the original code of extension tags. * (bug 65757) MSSQL: Update script drops unnamed constraints to be prepared for future updates. Because it's doing so heuristically, it may fail or drop wrong constraints. * (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes. * $wgRunJobsAsync now works with private wikis (e.g. read requires login). * (bugs 57238, 65206) Blank pages can now be directly created. * (bug 69789) Title::getContentModel() now loads from the database when necessary instead of incorrectly returning the default content model. * (bug 69249) wfBaseConvert() now works around PHP Bug #50175 when using GMP. * (bug 57909) URLs in the externallinks table will no longer have certain characters decoded in the query string. * (bug 67368) LESS mixins like .background-image() correctly flip image references for RTL stylesheets now. === Action API changes in 1.24 === * action=parse API now supports prop=modules, which provides the list of ResourceLoader modules that should be used to enhance the parsed content. * action=query&meta=siteinfo&siprop=interwikimap returns a new "protorel" field which is true if protocol-relative urls can be used to access a particular interwiki map entry. * list=logevents now provides logpage, which is the page ID from the logging table, if ids are requested and the user has the permissions. * action=edit now requires that appendtext, prependtext, or section=new be used when using the 'redirect' parameter, to prevent clients accidentally overwriting the target page with the content of the redirect. * list=logevents will now return an error if both letitle and leprefix are specified. * list=logevents has a new parameter, lenamespace, to allow filtering by namespace. * action=expandtemplates has a new parameter, prop, and a new output format. The old format is still used if prop isn't provided, but this is deprecated. * meta=userinfo can now return the count of unread pages on the watchlist. * list=watchlist can now filter by unread status. * The deprecated action=parse&prop=languageshtml has been removed. * (bug 48071) action=setnotificationtimestamp no longer throws PHP or database errors when no pages are given. * (bug 60734) Actions that use ApiPageSet (e.g. purge, watch, setnotificationtimestamp) will now include continuation information when using a generator. * Removed 'props' and 'errors' from action=paraminfo, as they have extremely limited use and are generally inaccurate, unmaintained, and impossible to properly maintain. * Formats dbg, dump, txt, wddx, and yaml are now deprecated. * action=paraminfo now indicates when a parameter is specifying a submodule. * The iwurl parameter to prop=iwlinks is deprecated in favor of iwprop=url, for parallelism with prop=langlinks. * All tokens should be fetched from action=query&meta=tokens; all other methods of fetching tokens are deprecated. The value needed for meta=tokens's 'type' parameter for each module is documented in the action=help output and is returned from action=paraminfo. * New action ClearHasMsg that can be used to clear HasMsg flag. * The cmstartsortkey and cmendsortkey parameters to list=categorymembers are deprecated in favor of cmstarthexsortkey and cmendhexsortkey. * (bug 63326) Add blockedtimestamp field to output of blockinfo property for the list=allusers and list=users modules. * prop=imageinfo no longer requires iiurlwidth to be set when using iiurlparam. * Added prop=linkshere, prop=fileusage, and prop=transcludedin, which are roughly equivalent to list=backlinks, list=imageusage, and list=embeddedin but can work on a list of titles (including titles from a generator). * prop=redirects can now filter returned redirects by namespace. === Action API internal changes in 1.24 === * Methods for handling continuation are added to ApiResult, so actions other than query that use generators can easily support continuation. * $wgAPIModules (and the related $wgAPIFormatModules, $wgAPIMetaModules, $wgAPIPropModules, and $wgAPIListModules settings) now allow API modules to be specified using a "module spec" array instead of a plain class name. A "module spec" is an associative array containing at least the 'class' key for the module's class, and optionally a 'factory' key for the factory function to use for the module. This is intended for extensions that want control over the instantiation of their API modules, to allow for proper dependency injection. * A new param type 'submodule' is available. Parameters of this type will take the list of valid values from the module's ApiModuleManager for the group corresponding to the parameter name. * The 'APIGetPossibleErrors' and 'APIGetResultProperties' hooks are no longer used. * API token handling has been rewritten. Any API module using tokens will need to be updated: * ApiBase::needsToken now returns a token type instead of boolean true when a token is needed. Returning true will throw an exception. See documentation of that method for details. * Information for the 'token' parameter is automatically set by ApiBase getFinalParams and getFinalParamDescription. * ApiBase::getTokenSalt has been removed. * The hooks APIQueryInfoTokens, APIQueryRevisionsTokens, APIQueryRecentChangesTokens, APIQueryUsersTokens, and ApiTokensGetTokenTypes are deprecated, but are still called to support backwards-compatible token access. * ApiBase::validateLimit and ApiBase::validateTimestamp are now protected. * ApiQueryRedirects was removed; prop=redirects is now implemented by ApiQueryBacklinksProp along with the newly-added prop modules. * The following methods have been deprecated and may be removed in a future release: * ApiBase::getResultProperties * ApiBase::getFinalResultProperties * ApiBase::addTokenProperties * ApiBase::getRequireOnlyOneParameterErrorMessages * ApiBase::getRequireMaxOneParameterErrorMessages * ApiBase::getRequireAtLeastOneParameterErrorMessages * ApiBase::getTitleOrPageIdErrorMessage * ApiBase::getPossibleErrors * ApiBase::getFinalPossibleErrors * ApiBase::parseErrors * ApiQuery::setGeneratorContinue * ApiQueryBase::checkRowCount * ApiQueryBase::titleToKey * ApiQueryBase::keyToTitle * ApiQueryBase::keyPartToTitle * ApiQueryInfo::getTokenFunctions * ApiQueryInfo::resetTokenCache * ApiQueryInfo::getEditToken * ApiQueryInfo::getDeleteToken * ApiQueryInfo::getProtectToken * ApiQueryInfo::getMoveToken * ApiQueryInfo::getBlockToken * ApiQueryInfo::getUnblockToken * ApiQueryInfo::getEmailToken * ApiQueryInfo::getImportToken * ApiQueryInfo::getWatchToken * ApiQueryInfo::getOptionsToken * ApiQueryRecentChanges::getTokenFunctions * ApiQueryRecentChanges::getPatrolToken * ApiQueryRevisions::getTokenFunctions * ApiQueryRevisions::getRollbackToken * ApiQueryUsers::getTokenFunctions * ApiQueryUsers::getUserrightsToken * The following classes have been deprecated and may be removed in a future release: * ApiFormatDbg * ApiFormatDump * ApiFormatTxt * ApiFormatWddx * ApiFormatYaml * ApiTokens * The following class constants have been deprecated and may be removed in a future release: * ApiBase::PROP_ROOT * ApiBase::PROP_LIST * ApiBase::PROP_TYPE * ApiBase::PROP_NULLABLE === Languages updated in 1.24 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports. === Other changes in 1.24 === * The deprecated jquery.delayedBind ResourceLoader module was removed. * The deprecated function mw.util.toggleToc was removed. * The Special:Search hooks SpecialSearchGo and SpecialSearchResultsAppend were removed as they were unused. * (bug 65477) User::pingLimiter() now has an additional profile point varying by action being used. * mediawiki.util.$content no longer supports old versions of the Vector, Monobook, Modern and CologneBlue skins that don't yet implement the "mw-body" and/or "mw-body-primary" class name in their html. * Added pp_sortkey column to page_props table, so pages can be efficiently queried and sorted by property value (bug 58032). See $wgPagePropsHaveSortkey if you want to postpone the schema change. * BREAKING CHANGE: All four built-in MediaWiki skins (Vector, MonoBook, Modern and Cologne Blue) were moved out of MediaWiki core to their own respective repositories. They will be installed with the release tarball, but you must install them separately if installing MediaWiki from source code. A warning message displayed until you do it should guide you through the process. See also . * BREAKING CHANGE: Skins built for MediaWiki 1.15 and earlier that do not use the "headelement" template key are no longer supported. Setting $useHeadElement = false; is no longer supported and will not cause old keys like "headlinks", "skinnameclass", etc. to be defined. * BREAKING CHANGE: The files commonElements.css, commonContent.css and commonInterface.css (in skins/common/) have been removed. Skins may no longer rely on their presence and include them in their style modules. ResourceLoader modules introduced in MediaWiki 1.23 should be loaded instead: - skins/common/commonElements.css → 'mediawiki.skinning.elements' module - skins/common/commonContent.css → 'mediawiki.skinning.content' module - skins/common/commonInterface.css → 'mediawiki.skinning.interface' module * The deprecated 'SpecialVersionExtensionTypes' hook was removed. * (bug 63891) Add 'X-Robots-Tag: noindex' header in action=render pages. * SpecialPage no longer supports the syntax for invoking wfSpecial*() functions. Special pages should subclass SpecialPage and implement the execute() method. * (bug 63755) The deprecated constants RC_MOVE and RC_MOVE_OVER_REDIRECT were removed. * Special:MostLinkedTemplates has been renamed to Special:MostTranscludedPages. * The skin autodiscovery mechanism has been deprecated and will be removed in MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for migration guide for creators and users of custom skins that relied on it. * ResourceLoaderFileModule#getAllStyleFiles now returns all style files and all skin style files used by the module. * Removed getLang() from IContextSource and subclasses. (deprecated since 1.19) * Removed setLang() from subclasses of IContextSource. (deprecated since 1.19) * Removed WebRequest::escapeAppendQuery(). (deprecated since 1.20) * Removed info(), purge(), revert() and rollback() from the Article class; they have since become subclasses of the Action class. (deprecated since 1.19) * SearchEngineReplacePrefixesComplete hook was removed. * The "jquery.json" module has been deprecated. Use the "json" module instead. * Removed HTMLForm::addJS(). (deprecated since 1.18) * Removed LogEventsList::showHeader(). (deprecated since 1.19) * Removed ImageGalleryBase::useSkin(). (deprecated since 1.18) * Removed DatabaseMysqlBase::getLagFromProcesslist(). (deprecated since 1.19) * Removed LoadBalancer::closeConnecton(). (deprecated since 1.18) * Removed ApiBase::createContext(). (deprecated since 1.19) * BREAKING CHANGE: The undocumented Special{$this->getName()}BeforeFormDisplay set of hooks has been removed and replaced by a single new hook SpecialPageBeforeFormDisplay. * (bug 65781) Removed block warning on included {{Special:Contributions}} * Removed Skin::makeGlobalVariablesScript(). (deprecated since 1.19) * Removed MWNamespace::isMain(). (deprecated since 1.19) * Removed Preferences::loadOldSearchNs(). (deprecated since 1.19) * Removed OutputPage::getStatusMessage(). (deprecated since 1.18) * Removed OutputPage::isUserJsAllowed(). (deprecated since 1.18) * Removed Title::updateTitleProtection(). (deprecated since 1.19) * Removed ParserOptions::setSkin(). (deprecated since 1.19) * Removed Title::escapeCanonicalURL(). (deprecated since 1.19) * Removed Title::escapeLocalURL(). (deprecated since 1.19) * Removed Title::escapeFullURL(). (deprecated since 1.19) * Removed User::isValidEmailAddr(). (deprecated since 1.18) * Removed Title::getEscapedText(). (deprecated since 1.19) * Removed Language::getFallbackLanguageCode(). (deprecated since 1.19) * Removed WikiPage::isBigDeletion(). (deprecated since 1.19) * Removed MWInit class which contained functions related to a now discontinued PHP compiler called hphpc. (deprecated since 1.22) * ApiResult::enableSizeCheck() and disableSizeCheck() are now obsolete. * Removed ResourceLoaderGetStartupModules hook. (deprecated since 1.23) * Removed getFormFields(), onSubmit() and onSuccess() from FormlessAction, as these were meant specifically for FormAction instead. * Removed Action::execute(). * Removed AjaxAddScript which has been obsolete since ResourceLoader and is unused by any modern extension. * Removed maintenance/nextJobDB.php; no longer in use. * Removed global function wfViewPrevNext(). (deprecated since 1.19) * Removed global function xmlsafe() from Export.php. (moved to OAIRepo extension) * Removed Title::userCanRead(). (deprecated since 1.19) * Removed maintenance script importTextFile.php. Use edit.php script instead. * A _from_namespace field has been added to the templatelinks, pagelinks, and filelinks tables. Run update.php to apply this change to the schema. * Removed File::sha1Base36(). (deprecated since 1.19) * Removed File::getPropsFromPath(). (deprecated since 1.19) * Removed functions blockedPage(), noCreatePermission(), readOnlyPage() and userNotLoggedInPage() from EditPage.php. (deprecated since 1.19) * Removed functions getContent(), getPreloadedText(), mergeChangesInto() and setPreloadedText() from EditPage.php. (deprecated since 1.21) * Removed global functions wfArrayLookup(), wfArrayMerge(), wfDebugDieBacktrace() and wfTime(). (deprecated since 1.22) * Browser support for Internet Explorer 6 and 7 lowered from Grade A to Grade C, meaning that JavaScript is no longer executed in these browser versions. * Browser support for Opera 11 lowered from Grade A to Grade C. * Removed IEFixes module which existed purely to provide support for MSIE versions below 7 (conditionally loaded only for those browsers). * Deprecated SpecialPageFactory::getList() in favor of SpecialPageFactory::getNames() * Action::checkCanExecute() no longer has a return value. * Removed cleanupForIRC(), loadFromCurRow(), newFromCurRow(), notifyRC2UDP() and sendToUDP() from RecentChange.php. (deprecated since 1.22) * Removed EnhancedChangesList::arrow(), sideArrow(), downArrow(), spacerArrow(). * Removed Xml::namespaceSelector(). (deprecated since 1.19) * Removed WikiPage::estimateRevisionCount(). (deprecated since 1.19) * MYSQL: Enum item added to "major MIME type" columns. Running update.php on MySQL < v5.1 may result in heavy processing. * RSS and Atom feeds generated by MediaWiki no longer include a fallback stylesheet. It was ignored by most browsers these days anyway. * SpecialSearchNoResults hook has been removed. SpecialSearchResults is now called unconditionally. * TablePager::getBody() is now 'final' and can't be overridden in subclasses. * TablePager::getBody() is deprecated, use getBodyOutput() or getFullOutput(). * Added $outputPage parameter to the SkinTemplateGetLanguageLink hook. * log_page for move log entries store the original page ID, rather than that of the new redirect page. This is not retroactive. * LCStoreAccel was removed. $wgLocalisationCacheConf can no longer be set to use this store class. * Html::infoBox() no longer accepts paths relative to skins/common/images/. * Deprecated defunct Skin::getCommonStylePath(). * Some extensions had their ResourceLoader modules depend on the "mediawiki" and "jquery" modules. In the past, this behavior was undefined, now it will throw an error. * Removed BagOStuff::replace(). (deprecated since 1.23) * In Linker.php, link(), linkText() and makeBrokenImageLinkObj() now display warnings if their first parameter is not a Title object. Also makeImageLink() now requires a Parser as its first parameter. * (bug 67368) LESS functions embed() and embeddable(), added in MediaWiki 1.23 and broken by design, have been removed. Use appropriate LESS mixins instead. * Removed cssjanus.py from maintenance directory as it was unused. * Removed maintenance/purgeOldText.inc and the PurgeRedundantText() function it contained (superseded by Maintenance::purgeRedundantText() in 1.16). The purgeOldText.php maintenance script has been retained. * PHPUnit tests can be found by directory discovery, by adding the directory path from your UnitTestsList callback. Older versions of MediaWiki core will barf at this usage. ==== Renamed classes ==== * CLDRPluralRuleConverter_Expression to CLDRPluralRuleConverterExpression * CLDRPluralRuleConverter_Fragment to CLDRPluralRuleConverterFragment * CLDRPluralRuleConverter_Operator to CLDRPluralRuleConverterOperator * CLDRPluralRuleEvaluator_Range to CLDRPluralRuleEvaluatorRange * CSSJanus_Tokenizer to CSSJanusTokenizer * MediaWiki_I18N to MediaWikiI18N * Parser_DiffTest to ParserDiffTest * RevDel_ArchiveItem to RevDelArchiveItem * RevDel_ArchiveList to RevDelArchiveList * RevDel_ArchivedFileItem to RevDelArchivedFileItem * RevDel_ArchivedFileList to RevDelArchivedFileList * RevDel_ArchivedRevisionItem to RevDelArchivedRevisionItem * RevDel_FileItem to RevDelFileItem * RevDel_FileList to RevDelFileList * RevDel_Item to RevDelItem * RevDel_List to RevDelList * RevDel_LogItem to RevDelLogItem * RevDel_LogList to RevDelLogList * RevDel_RevisionItem to RevDelRevisionItem * RevDel_RevisionList to RevDelRevisionList * WebInstaller_Complete to WebInstallerComplete * WebInstaller_Copying to WebInstallerCopying * WebInstaller_DBConnect to WebInstallerDBConnect * WebInstaller_DBSettings to WebInstallerDBSettings * WebInstaller_Document to WebInstallerDocument * WebInstaller_ExistingWiki to WebInstallerExistingWiki * WebInstaller_Install to WebInstallerInstall * WebInstaller_Language to WebInstallerLanguage * WebInstaller_Name to WebInstallerName * WebInstaller_Options to WebInstallerOptions * WebInstaller_Readme to WebInstallerReadme * WebInstaller_ReleaseNotes to WebInstallerReleaseNotes * WebInstaller_Restart to WebInstallerRestart * WebInstaller_Upgrade to WebInstallerUpgrade * WebInstaller_UpgradeDoc to WebInstallerUpgradeDoc * WebInstaller_Welcome to WebInstallerWelcome ==== Removed classes ==== * IPBlockForm - Use SpecialBlock directly * WatchlistEditor - Use SpecialEditWatchlist directly * FormatExif - Use FormatMetadata directly * RevertFileAction - Use RevertAction directly * HistoryPage - Use HistoryAction directly * RawPage - Use RawAction directly * StubContLang - Use Language::factory() instead * XMLReader2 - Use XMLReader directly * ResourceLoaderLESSFunctions - No longer in use, not intended for public usage ==== Removed files ==== The skins/common/ directory, previously containing some assets intended to be used by skins and a number of legacy styles and scripts, has been removed. Its contents have been deleted or relocated into the resources/ directory. Full list of files that are no longer available follows. * skins/common/ajax.js * skins/common/commonContent.css * skins/common/commonElements.css * skins/common/commonInterface.css * skins/common/commonPrint.css * skins/common/config-cc.css * skins/common/config.css * skins/common/config.js * skins/common/feed.css * skins/common/IEFixes.js * skins/common/oldshared.css * skins/common/protect.js * skins/common/shared.css * skins/common/upload.js * skins/common/wikibits.js * skins/common/images/add.png * skins/common/images/ajax-loader.gif * skins/common/images/arrow_disabled_first_25.png * skins/common/images/arrow_disabled_last_25.png * skins/common/images/arrow_disabled_left_25.png * skins/common/images/arrow_disabled_right_25.png * skins/common/images/arrow_first_25.png * skins/common/images/arrow_last_25.png * skins/common/images/arrow_left_25.png * skins/common/images/arrow_right_25.png * skins/common/images/Arr_.png * skins/common/images/Arr_d.png * skins/common/images/Arr_l.png * skins/common/images/Arr_r.png * skins/common/images/Arr_u.png * skins/common/images/bullet.gif * skins/common/images/button_bold.png * skins/common/images/button_extlink.png * skins/common/images/button_headline.png * skins/common/images/button_hr.png * skins/common/images/button_image.png * skins/common/images/button_italic.png * skins/common/images/button_link.png * skins/common/images/button_media.png * skins/common/images/button_nowiki.png * skins/common/images/button_sig.png * skins/common/images/button_template.png * skins/common/images/cc-0.png * skins/common/images/cc-by-nc-sa.png * skins/common/images/cc-by-sa.png * skins/common/images/cc-by.png * skins/common/images/Checker-16x16.png * skins/common/images/closewindow.png * skins/common/images/closewindow19x19.png * skins/common/images/critical-32.png * skins/common/images/diffunderline.gif * skins/common/images/download-32.png * skins/common/images/feed-icon.png * skins/common/images/feed-icon.svg * skins/common/images/gnu-fdl.png * skins/common/images/help-question-hover.gif * skins/common/images/help-question.gif * skins/common/images/info-32.png * skins/common/images/link_icon.gif * skins/common/images/magnify-clip-rtl.png * skins/common/images/magnify-clip.png * skins/common/images/mediawiki.png * skins/common/images/nextredirectltr.png * skins/common/images/nextredirectrtl.png * skins/common/images/poweredby_mediawiki_88x31.png * skins/common/images/public-domain.png * skins/common/images/question-small.png * skins/common/images/question.svg * skins/common/images/redirectltr.png * skins/common/images/redirectrtl.png * skins/common/images/remove.png * skins/common/images/spinner.gif * skins/common/images/tick-32.png * skins/common/images/tipsy-arrow.gif * skins/common/images/tooltip_icon.png * skins/common/images/warning-32.png * skins/common/images/wiki.png * skins/common/images/Zoom_sans.gif * skins/common/images/ar/button_bold.png * skins/common/images/ar/button_headline.png * skins/common/images/ar/button_italic.png * skins/common/images/ar/button_link.png * skins/common/images/ar/button_nowiki.png * skins/common/images/be-tarask/button_bold.png * skins/common/images/be-tarask/button_italic.png * skins/common/images/be-tarask/button_link.png * skins/common/images/cyrl/button_bold.png * skins/common/images/cyrl/button_italic.png * skins/common/images/cyrl/button_link.png * skins/common/images/de/button_bold.png * skins/common/images/de/button_italic.png * skins/common/images/fa/button_bold.png * skins/common/images/fa/button_headline.png * skins/common/images/fa/button_italic.png * skins/common/images/fa/button_link.png * skins/common/images/fa/button_nowiki.png * skins/common/images/icons/fileicon-c.png * skins/common/images/icons/fileicon-cpp.png * skins/common/images/icons/fileicon-deb.png * skins/common/images/icons/fileicon-djvu.png * skins/common/images/icons/fileicon-djvu.xcf * skins/common/images/icons/fileicon-dvi.png * skins/common/images/icons/fileicon-exe.png * skins/common/images/icons/fileicon-h.png * skins/common/images/icons/fileicon-html.png * skins/common/images/icons/fileicon-iso.png * skins/common/images/icons/fileicon-java.png * skins/common/images/icons/fileicon-mid.png * skins/common/images/icons/fileicon-mov.png * skins/common/images/icons/fileicon-o.png * skins/common/images/icons/fileicon-ogg.png * skins/common/images/icons/fileicon-ogg.xcf * skins/common/images/icons/fileicon-pdf.png * skins/common/images/icons/fileicon-ps.png * skins/common/images/icons/fileicon-psd.png * skins/common/images/icons/fileicon-rm.png * skins/common/images/icons/fileicon-rpm.png * skins/common/images/icons/fileicon-svg.png * skins/common/images/icons/fileicon-tar.png * skins/common/images/icons/fileicon-tex.png * skins/common/images/icons/fileicon-ttf.png * skins/common/images/icons/fileicon-txt.png * skins/common/images/icons/fileicon.png * skins/common/images/ksh/button_S_italic.png = MediaWiki 1.23 = == MediaWiki 1.23.13 == This is a maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.12 === * (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12. == MediaWiki 1.23.12 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.11 === * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error. * (T119309) SECURITY: Use hash_compare() for edit token comparison * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads * (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki == MediaWiki 1.23.11 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.10 === * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails == MediaWiki 1.23.10 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.9 === * (T94116) SECURITY: Compare API watchlist token in constant time * (T97391) SECURITY: Escape error message strings in thumb.php * (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions * (bug 67644) Make AutoLoaderTest handle namespaces * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+. * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons. == MediaWiki 1.23.9 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.8 === * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS. * (T88310) SECURITY: Always expand xml entities when checking SVG's. * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. * (T85855) SECURITY: Don't execute another user's CSS or JS on preview. * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy. * (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix. * (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL. == MediaWiki 1.23.8 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.7 === * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this. * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name. * (bug T74222) The original patch for T74222 was reverted as unnecessary. == MediaWiki 1.23.7 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.6 === * (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy. * (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model. * (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario. * (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff. * (bug 71621) Make allowing site-wide styles on restricted special pages a config option. * (bug 42723) Added updated version history from 1.19.2 to 1.22.13 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable. == MediaWiki 1.23.6 == This is a maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.5 === * (Bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header * (Bug 67440) Allow classes to be registered properly from installer == MediaWiki 1.23.5 == This is a security release of the MediaWiki 1.23 branch. === Changes since 1.23.4 === * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance. == MediaWiki 1.23.4 == This is a security and maintenance release of the MediaWiki 1.23 branch. === Changes since 1.23.3 === * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter