forked from dogtagpki/pki-wiki
-
Notifications
You must be signed in to change notification settings - Fork 0
/
RELEASE-NOTES-1.23
808 lines (712 loc) · 39.6 KB
/
RELEASE-NOTES-1.23
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
== MediaWiki 1.23.17 ==
=== Changes since 1.23.16 ===
* Fix syntax errors introduced in 1.23.16 when running PHP 5.3.
== MediaWiki 1.23.16 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.15 ===
* (T68404) CSS3 attr() function with url type is no longer allowed
in inline styles.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Submitting the lgtoken and lgpassword parameters in the query string to
action=login is now deprecated and outputs a warning. They should be submitted
in the POST body instead.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
== MediaWiki 1.23.15 ==
This is a maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.14 ==
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* Remove support for $wgWellFormedXml = false, all output is now well formed
== MediaWiki 1.23.13 ==
This is a maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.12 ==
* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to
m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after
SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primatives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in
(many?) parser tags
* (T126685) Globally throttle password attempts
== MediaWiki 1.23.12 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.11 ==
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
== MediaWiki 1.23.11 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.10 ==
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
== MediaWiki 1.23.10 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.9 ==
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* (bug 67644) Make AutoLoaderTest handle namespaces
* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
== MediaWiki 1.23.9 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.8 ==
* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
to prevent various DoS attacks.
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
likelihood of DoS.
* (T88310) SECURITY: Always expand xml entities when checking SVG's.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
prevent XSS and protect viewer's privacy.
* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
update.php to fix.
* (bug T70087) Fix Special:ActiveUsers page for installations using
PostgreSQL.
== MediaWiki 1.23.8 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.7 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
could lead to xss. Permission to edit MediaWiki namespace is required to
exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
== MediaWiki 1.23.7 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.6 ==
* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
into API clients that used format=php to process pages that underwent flash
policy mangling. This was fixed along with improving how the mangling was done
for format=json, and allowing sites to disable the mangling using
$wgMangleFlashPolicy.
* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
the content model for a page could allow an unprivileged attacker to edit
another user's common.js under certain circumstances. The user right
"editcontentmodel" was added, and is needed to change a revision's content
model.
* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
HTML, it is not safe to preview wikitext coming from an untrusted source such
as a cross-site request. Thus add an edit token to the form, and when raw HTML
is allowed, ensure the token is provided before showing the preview. This
check is not performed on wikis that both allow raw HTML and anonymous
editing, since there are easier ways to exploit that scenario.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
public RFC about the desired functionality. This issue was reported by user
Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a
config option.
* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
== MediaWiki 1.23.6 ==
This is a maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.5 ===
* (Bug 72274) Job queue not running (HTTP 411) due to missing
Content-Length: header
* (Bug 67440) Allow classes to be registered properly from installer
== MediaWiki 1.23.5 ==
This is a security release of the MediaWiki 1.23 branch.
=== Changes since 1.23.4 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
allowance.
== MediaWiki 1.23.4 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.3 ===
* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
elements; normalize style elements and attributes before filtering; add
checks for attributes that contain css; add unit tests for html5sec and
reported bugs.
* (bug 65998) Make MySQLi work with non-standard socket.
* (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
settings.
== MediaWiki 1.23.3 ==
This is a maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.2 ===
* (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
* (bug 64970) Fix support for blobs on DatabaseOracle::update.
* (bug 66574) Display MediaWiki:Loginprompt on the login page.
* (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
* (bug 60629) Handle invalid language code gracefully in
Language::fetchLanguageNames.
* (bug 62017) Restore the number of rows shown on Special:Watchlist.
* Check for boolean false result from database query in SqlBagOStuff.
== MediaWiki 1.23.2 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.1 ===
* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
for loading a new page in Javascript,instead of relying on the URL in the link
that has been clicked.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
ParserOutput.
* (bug 68313) Preferences: Turn stubthreshold back into a combo box.
* (bug 65214) Fix initSiteStats.php maintenance script.
* (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
== MediaWiki 1.23.1 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.0 ===
* (bug 65839) SECURITY: Prevent external resources in SVG files.
* (bug 67025) Special:Watchlist: Don't try to render empty row.
* (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
* (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
like only extracting the tail of the file partially or not at all.
* (bug 66182) Removed -x flag on some php files.
== MediaWiki 1.23 ==
MediaWiki 1.23.0 is the stable branch and is recommended for use in production.
MediaWiki 1.23 is a large release that contains many new features and bug
fixes. This is the full list of changes in this version.
Our thanks go to everyone who helped to improve MediaWiki by testing the beta
release and submitting bug reports.
=== Configuration changes in 1.23 ===
* (bug 13250) Restored method for clearing a watchlist in web UI
so that users with large watchlists don't have to perform
contortions to clear them.
* When $wgJobRunRate is higher than zero, jobs are now executed via an
asynchronous HTTP request to a MediaWiki entry point. This may require
increasing the number of server worker threads. $wgRunJobsAsync has been
added to disable this feature if needed, falling back to executing the job
on the same process but making the execution synchronously.
* $wgDebugLogGroups values may be set to an associative array with a
'destination' key specifying the log destination. The array may also contain
a 'sample' key with a positive integer value N indicating that the log group
should be sampled by dispatching one in every N messages on average. The
sampling is random.
* In addition to the current exception log format, MediaWiki now serializes
exception metadata to JSON and logs it to the 'exception-json' log group.
This makes MediaWiki easier to integrate with log aggregation and analysis
tools.
* $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
addresses that should be trusted to provide X-Forwarded-For headers.
* Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add
pages I create and files I upload to my watchlist", "Add pages and files I
edit to my watchlist", "Email me when a page or file on my watchlist is
changed") are now enabled by default. In addition new user accounts' personal
and talk pages are now watched by them by default.
* $wgLBFactoryConf: Class names have had underscores removed. The configuration
should be updated if LBFactory_Simple or LBFactory_Multi is configured.
* $wgPasswordSenderName has been removed and is no longer functional. To set a
custom mailer name, the system message 'emailsender' should be modified
(default: "{{SITENAME}}").
* (bug 63269) Email notifications were not correctly handling the
[[MediaWiki:Helppage]] message being set to a full URL (the default).
If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
you'll need to edit it locally to include the URL via the new variable
$HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
you don't have to do anything.
* $wgDBAhandler was removed as the only class using it was also removed
* The 'max threads' setting was removed from $wgDBservers.
* Support for AdminSettings.php has been completely removed. All configuration
belongs in LocalSettings.php.
* $wgSkipSkin, which has been replaceable by $wgSkipSkins since 2005 (r9249), is
now formally deprecated.
* Removed deprecated $wgDisabledActions as it is hardly used anywhere.
* $wgRateLimitLog has been deprecated and replaced by
$wgDebugLogGroup['ratelimit'].
* $wgLocalInterwikis is an array containing multiple local interwiki prefixes
(interwiki prefixes that point back to the current wiki). This effectively
allows more than one value of $wgLocalInterwiki to be specified and
understood by the parser. The value of $wgLocalInterwiki is automatically
prepended to the start of this array.
* $wgQueryPages has been removed. Query Pages should be added to by using the
wgQueryPages hook.
* $wgHttpOnlyBlacklist has been removed.
* $wgLicenseTerms has been removed as it was unused.
* $wgProfileOnly is now deprecated; set the log file in
$wgDebugLogGroups['profileoutput'] to replace it.
* $wgMaxBacklinksInvalidate was removed; use $wgJobBackoffThrottling instead
* Deprecated ResourceLoaderGetStartupModules hook.
=== New features in 1.23 ===
* ResourceLoader can utilize the Web Storage API to cache modules client-side.
Compared to the browser cache, caching in Web Storage allows ResourceLoader
to be more granular about evicting stale modules from the cache while
retaining the ability to retrieve multiple modules in a single HTTP request.
This capability can be enabled by setting $wgResourceLoaderStorageEnabled to
true. This feature is currently considered experimental and should only be
enabled with care.
* (bug 6092) Add expensive parser functions {{REVISIONID:}}, {{REVISIONUSER:}}
and {{REVISIONTIMESTAMP:}} (with friends).
* Add "wgRelevantUserName" to mw.config containing the current
Skin::getRelevantUser value.
* (bug 56033) Add content model to the page information.
* Added Article::MissingArticleConditions hook to give extensions a chance to
hide their (unrelated) log entries.
* Added LonelyPagesQuery hook to let extensions modify the query used to
generate Special:LonelyPages.
* Added $wgOpenSearchDefaultLimit defining the default number of entries to show
on action=opensearch API call.
* For namespaces with $wgNamespaceProtection (including the MediaWiki
namespace), the "protect" tab will be shown only if there are restriction
levels available that would restrict editing beyond what
$wgNamespaceProtection already applies. The protection form will offer only
those protection levels.
* Added $wgAPIFormatModules, allowing extensions to add additional output
formatting modules for the API.
* (bug 47812) The MediaWiki:Group-user.{css,js} pages can now be used to add
custom CSS or JavaScript enabled only for registered users.
* (bug 52005) Special pages RecentChanges, RecentChangesLinked and Watchlist
now include a legend describing the symbols used in lists of changes.
* Improved the accessibility of the tabs in Special:Preferences.
* Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook:
it's called after everything is set up but before any major processing
happens.
* The jquery.client module now performs a component-wise version comparison in
its #test method when strings are used in the browser map: version '1.10' is
now correctly considered larger than '1.2'. Using numbers in the version map
is not affected.
* All API modules now support an assert parameter, which can either be
'user' or 'bot'. The API will throw an error if the user is not logged
in (user) or does not have the 'bot' userright (bot). Based off of the
AssertEdit extension by Steve Sanbeg.
* [[Special:Diff]] was added, allowing users to create internal links to
revision comparison pages using syntax such as [[Special:Diff/12345]],
[[Special:Diff/12345/prev]] or [[Special:Diff/12345/98765]].
* New user accounts' personal and talk pages are now watched by them by default.
* Added SkinTemplateGetLanguageLink hook to allow changing the html of language
links.
* Added MessageCache::get hook as a new way to customize messages across
multiple sites.
* Added jquery.throttle-debounce ResourceLoader module to limit the number of
callbacks for frequently occurring events.
* Special:ProtectedPages shows now a table. The timestamp, the reason and
the protecting user is also shown.
* Added experimental support for using Microsoft SQL Server as the database
backend.
** Added new Microsoft SQL Server-specific configuration variable
$wgDBWindowsAuthentication, which makes the web server authenticate against
the database server using Integrated Windows Authentication instead of
$wgDBuser/$wgDBpassword.
* HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and
'radio' fields can now use message keys as labels via the 'options-messages'
parameter, which overrides the 'options' parameter.
* Admins can expire users users passwords manually, or on a schedule using the
$wgPasswordExpirationDays configuration setting.
* Add new hook SendWatchlistEmailNotification, this will be used to determine
whether to send a watchlist email notification.
* (bug 42026) Special:Contributions now includes an option to filter page
creations, similar to the topOnly option.
* Add mediawiki.ui.button styling to all pages so wiki content can use styled
buttons.
* Special:UserLogin/signup now does AJAX checks for invalid and taken usernames,
displaying the error live.
* Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
* Support has been added for a JSON based localisation file format. The
installer has been updated to use it.
* Changes to content typography (colors, line-height etc.). See
https://www.mediawiki.org/wiki/Typography_refresh for further information.
* The Vector skin's visual treatment of external links has been simplified to a
single icon (from nine). This should not affect local rules unless they were
re-using these icons, which have now been deleted.
* ResourceLoader: mw.loader.using() now implements a Promise interface.
* Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows.
If called by the ChangesList consumer this gives extensions a chance to batch
process the result set prior to rendering.
* A PoolCounterRedis class was added which can be make use of in $wgPoolCounterConf.
This requires at least one Redis 2.6+ server.
* $wgProfileToDatabase was removed. Set $wgProfiler to ProfilerSimpleDB
in StartProfiler.php instead of using this.
* (bug 63444) Made it possible to change the indent string (default: 4 spaces)
used by FormatJson::encode().
=== Bug fixes in 1.23 ===
* (bug 41759) The "updated since last visit" markers (on history pages, recent
changes and watchlist) and the talk page message indicator are now correctly
updated when the user is viewing old revisions of pages, instead of always
acting as if the latest revision was being viewed.
* (bug 56443) Special:ConfirmEmail no longer shows a "Mail a confirmation code"
when the email address is already confirmed. Also, consistently use
"confirmed", rather than "authenticated", when messaging whether or not the
user has confirmed an email address.
* (bug 19415) action=render no longer shows section edit links. This affects
behavior of several other features where (bogus) section edit links will
disappear, such as file description pages loaded via $wgUseInstantCommons or
pages transcluded cross-wiki via $wgEnableScaryTranscluding.
* (bug 56912) Show correct link color on cached result of Special:DeadendPages.
* Classes TitleListDependency and TitleDependency have been removed, as they
have been found unused in core and extensions for a long time.
* (bug 57098) SpecialPasswordReset now obeys returnto parameter
* (bug 37812) ResourceLoader will notice when a module's definition changes and
recompile it accordingly.
* (bug 57201) SpecialRecentChangesFilters hook is now executed for feeds.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
to appear blank or with missing text.
* (bug 56931) Updated the plural rules to CLDR 24. They are in new format
which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as
the JavaScript evaluator were updated to support the new format. Plural rules
for some languages have changed, most notably Russian. Affected software
messages have been updated and marked for review at translatewiki.net.
* (bug 23542) imagelinks now stores both the redirect and target (as
templatelinks does).
* (bug 58167) The web installer no longer throws an exception when PHP is
compiled without support for MySQL yet with support for another DBMS.
* (bug 56199) Raw option of parser functions must now match complete word,
to take effect.
* (bug 60543) Special:PrefixIndex forgot stripprefix=1 for "Next page" link
* (bug 29762) Undoing an already-undone edit will now display an appropriate
message instead of leading the user to make a null edit.
* (bug 52659) mediawiki.notification: Notification area remained visible when
empty and thus was stealing pointer events from links on the page.
* (bug 26811) When a DBUnexpectedError occurs, DB server hostnames are now
hidden unless $wgShowExceptionDetails is true, and $wgShowDBErrorBacktrace
no longer applies in such cases.
* (bug 60960) Avoid doing file_exist() checks on data: URIs, as they cause
warnings to be printed on Windows due to large path length.
* (bug 48084) Fixed a bug in the installer that could cause $wgLogo to hold
the wrong path to the placeholder logo (skins/common/images/wiki.png).
* (bug 64289) jquery.textSelection: Don't throw errors on empty collections.
=== Web API changes in 1.23 ===
* (bug 54884) action=parse&prop=categories now indicates hidden and missing
categories.
* action=query&meta=filerepoinfo now returns additional information for each
repo.
* action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in
MediaWiki 1.24.
* action=parse now has disabletoc flag to disable table of contents in output.
* (bug 25702) list=allcategories, list=allimages, list=alllinks, list=allpages,
list=deletedrevs and list=filearchive did not handle case-sensitivity
properly for all parameters.
* ApiQueryBase::titlePartToKey allows an extra parameter that indicates the
namespace in order to properly capitalize the title part.
* (bug 57874) action=feedcontributions no longer has one item more than limit.
* All API modules now support an assert parameter. See the new features section
for more details.
* Added prop=contributors to fetch the list of contributors to the page.
* The following API modules will now return entries where fields have been
revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges,
list=watchlist. "hidden" indicators will be included, in the same style as is
already done for prop=revisions.
* The following API modules will now return the content of revision-deleted
fields, in addition to the "hidden" indicators, if the querying user has the
necessary rights: list=logevents, list=usercontribs, prop=imageinfo,
prop=revisions.
* The above modules, where applicable, will now return entries filtered by
revision-deleted fields if the querying user has the necessary rights. For
example, prop=revisions with rvuser or rvexcludeuser will no longer skip
revisions where the user was revision-deleted if the current user has the
deletedhistory right.
* The 'hideuser' right, used when blocking, is no longer necessary or
sufficient for seeing contributions with revision-deleted in
list=usercontribs.
* list=watchlist now uses the querying user's rights rather than the wlowner's
rights when checking whether wlprop=patrol is allowed.
* (bug 32151) ApiWatch now has pageset capabilities (titles/pageids/generators).
Title parameter is now deprecated.
* (bug 23005) Added action=revisiondelete.
* Added siprop=restrictions to API action=query&meta=siteinfo for querying
possible page restriction (protection) levels and types.
* Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
* (bug 58627) Provide language names on action=parse&prop=langlinks.
* Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
* Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
* prop=redirects is added, to return redirects to the pages in the query.
* list=allredirects is added, to list all redirects pointing to a namespace.
* (bug 42026) Added ucshow={new,!new,top,!top} to list=usercontribs.
Also added newonly to action=feedcontributions.
* (bug 42026) Deprecated uctoponly in favor of ucshow=top.
* list=search no longer has a "srredirects" parameter. Redirects are now
included in all searches.
* Added list=prefixsearch that works like action=opensearch but can be used as
a generator.
* (bug 24782) Various modules will now use unique continuation parameters.
* (bug 63249) Cache RecentChanges Atom feed in varnish for 15 seconds.
=== Languages updated in 1.23 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
* Support was added for Algerian Spoken Arabic (arq).
* Support was added for Riograndenser Hunsrückisch (hrx).
* Support was added for Northern Luri (lrc).
=== Other changes in 1.23 ===
* The rc_type field in the recentchanges table has been superseded by a new
rc_source field. The rc_source field is a string representation of the
change type where rc_type was a numeric constant. This field is not yet
queried but will be in a future release.
** Utilize update.php to create and populate this new field. On larger wikis
which do not wish to update recentchanges table in one large update please
review the SQL and comments in maintenance/archives/patch-rc_source.sql.
** The rc_type field of recentchanges will be deprecated in a future release.
* The global variable $wgArticle has been removed after a lengthy deprecation.
* The global functions addButton and insertTags (for mw.toolbar.addButton and
mw.toolbar.insertTags) now emits mw.log.warn when accessed.
* The ExpandTemplates extension has been moved into MediaWiki core.
* (bug 52812) Removed "Disable search suggestions" from Preference.
* (bug 52809) Removed "Disable browser page caching" from Preference.
* Three new modules intended for use by custom skins were added:
'mediawiki.skinning.elements', 'mediawiki.skinning.content', and
'mediawiki.skinning.interface', representing three levels of standard
MediaWiki styling. Previously skin creators wishing to use them had to refer
to the file names of appropriate files directly, which is now discouraged.
* The modules 'skins.vector' and 'skins.monobook' have been renamed to
'skins.vector.styles' and 'skins.monobook.styles', respectively,
and their definition was changed not to include the common*.css files;
the two skins now load the 'mediawiki.skinning.interface' module instead.
* A page_links_updated field has been added to the page table.
* SpecialPage::getTitle has been deprecated in favor of
SpecialPage::getPageTitle.
* BREAKING CHANGE: Two potentially backwards-incompatible changes have been made
to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make
the hook more consistent with the 'SpecialRecentChangesQuery' one:
** Several array keys have been renamed: hideMinor → hideminor,
hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu,
hidePatrolled → hidepatrolled, hideOwn → hidemyself.
** The parameter value is now a FormOptions object, not a plain array (array
access operators should continue to work, as it implements the ArrayAccess
interface).
* Option to mark hooks as deprecated has been added.
* (bug 52811) Preference "Enable section editing via [edit] links" was removed.
* (bug 52813) Preference "Show table of contents (for pages with more than
3 headings)" was removed.
* (bug 52810) Preference "Justify paragraphs" was removed.
* OutputPage::showErrorPage raises a notice if arguments are incoherent.
* Thumbnails that keep failing to render in thumb.php will be rate-limited
againt further render attempts for 1 hour. $wgAttemptFailureEpoch can be
altered to reset all rate-limited thumbnails at once.
* (bug 56572) Builds of the OOjs and OOjs UI libraries are now available.
* mw.loader.go and mw.loader.version have been removed.
* (bug 52815) Preference "Enable simplified search bar (Vector skin only)"
was removed.
* A user_password_expires column has been added to the user table. The User
object expects this column to exist. Use update.php to create this new field.
* The jquery.delayedBind ResourceLoader module was deprecated in favor of the
jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
* mw.user.bucket has been deprecated.
* On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to
table.mw-prefixindex-list-table to avoid duplicate ids when the special page
is transcluded.
* (bug 62198) window.$j has been deprecated.
* Preference "Disable link title conversion" was removed.
* SpecialRecentChanges no longer includes any functionality for generating feeds
- it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new
ones.
* RecentChange::mExtra['lang'] is no longer set and should no longer be used.
Extensions should read from other configuration variables, including
$wgLocalInterwikis, to identify the current wiki.
* Sections in the parser test framework have been renamed and the old
section names are deprecated. Please use "!!wikitext" and "!!html"
(or "!!html/php") instead of "!!input" and "!!result". This allows
us to extend parser tests to accommodate additional input/output
pairs, such as "!!html/parsoid" (for the output of the Parsoid
parser, where it differs from the PHP parser).
* Special:Search no longer has an "include redirects" option on the advanced
tab. Redirects are now included in all searches.
* mediawiki.api.category's getCategories() 'async' parameter was deprecated.
* The locations of resources have been split between upstream libraries, now in
resources/lib/, local libaries in resources/src/, and local forks of upstream
libraries, also in resources/src/.
* BREAKING CHANGE: The automatically-generated function closure with which
ResourceLoader wraps all modules' JavaScript code now binds the identifier
names 'jQuery' and '$' to the jQuery object of the version of jQuery that is
bundled with MediaWiki. If you bind these names to other objects in global
scope (like Zepto.js or document.querySelectorAll, for example) you will need
to use different names to or re-bind them at the top of each
ResourceLoader-loaded module.
* (bug 52342) Preference "Remember my login" was removed.
* The skin autodiscovery mechanism has been deprecated and will be removed in
MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
for migration guide for creators and users of custom skins that relied on it.
==== Removed classes ====
* FakeMemCachedClient (deprecated in 1.18)
* RdfMetaData (unused)
* TitleDependency (unused)
* TitleListDependency (unused)
* WikiError (deprecated in 1.17)
* WikiXmlError (deprecated in 1.17)
* WikiErrorMsg (deprecated in 1.17)
==== Renamed classes ====
* CdbReader_DBA to CdbReaderDBA
* CdbReader_PHP to CdbReaderPHP
* CdbWriter_DBA to CdbWriterDBA
* CdbWriter_PHP to CdbWriterPHP
* DiffOp_Add to DiffOpAdd
* DiffOp_Change to DiffOpChange
* DiffOp_Copy to DiffOpCopy
* DiffOp_Delete to DiffOpDelete
* HWLDF_WordAccumulator to HWLDFWordAccumulator
* LBFactory_Fake to LBFactoryFake
* LBFactory_Multi to LBFactoryMulti
* LBFactory_Simple to LBFactorySimple
* LBFactory_Single to LBFactorySingle
* LCStore_Accel to LCStoreAccel
* LCStore_CDB to LCStoreCDB
* LCStore_DB to LCStoreDB
* LCStore_Null to LCStoreNull
* LoadBalancer_Single to LoadBalancerSingle
* LoadMonitor_MySQL to LoadMonitorMySQL
* LoadMonitor_Null to LoadMonitorNull
* LocalisationCache_BulkLoad to LocalisationCacheBulkLoad
* csvStatsOutput to CsvStatsOutput
* extensionLanguages to ExtensionLanguages
* languages to Languages
* statsOutput to StatsOutput
* textStatsOutput to TextStatsOutput
* wikiStatsOutput to WikiStatsOutput
==== Removed methods ====
* ApiBase::getValidNamespaces() (deprecated in 1.17)
* ApiMain::setCachePrivate() (deprecated in 1.17)
* ApiMain::setVaryCookie (deprecated in 1.17)
* Article::doRedirect() (deprecated in 1.18)
* Article::doUnwatch() (deprecated in 1.18)
* Article::doWatch() (deprecated in 1.18)
* Article::forUpdate() (deprecated in 1.18)
* Article::markpatrolled() (deprecated in 1.18)
* Article::unwatch() (deprecated in 1.18)
* Article::watch() (deprecated in 1.18)
* Block::clear() (deprecated in 1.18)
* Block::decodeExpiry() (deprecated in 1.18)
* Block::encodeExpiry() (deprecated in 1.18)
* Block::forUpdate() (deprecated in 1.18)
* Block::infinity() (deprecated in 1.18)
* Block::load() (deprecated in 1.18)
* Block::newFromDB() (deprecated in 1.18)
* Block::normaliseRange() (deprecated in 1.18)
* Block::parseExpiryInput() (deprecated in 1.18)
* CategoryViewer::addSubcategory() (deprecated in 1.17)
* EditPage::spamPage() (deprecated since 1.17)
* Exif::getFormattedData() (deprecated in 1.18)
* Exif::makeFormattedData() (deprecated in 1.18)
* in_string (deprecated in 1.21)
* Language::convertLinkToAllVariants() (deprecated in 1.17)
* LanguageConverter::convertLinkToAllVariants() (deprecated in 1.17)
* Linker::makeBrokenLink() (deprecated in 1.16)
* Linker::makeBrokenLinkObj() (deprecated in 1.16)
* Linker::makeColouredLinkObj() (deprecated in 1.16)
* Linker::makeSizeLinkObj() (deprecated in 1.17)
* MediaWiki::articleFromTitle() (deprecated in 1.18)
* ParserOptions::getkin() (deprecated 1.18)
* ProfilerSimple::getCpuTime (deprecated in 1.20)
* Revision::revText() (deprecated in 1.17)
* SkinTemplate::jstext() (deprecated in 1.21)
* SpecialPage::__call() (deprecated in 1.17)
* SpecialPage::executePath() (deprecated in 1.18)
* SpecialPage::exists() (deprecated in 1.18)
* SpecialPage::file() (deprecated in 1.18)
* SpecialPage::func() (deprecated in 1.18)
* SpecialPage::getGroup() (deprecated in 1.18)
* SpecialPage::getPage() (deprecated in 1.18)
* SpecialPage::getPageByAlias() (deprecated in 1.18)
* SpecialPage::getLocalNameFor() (deprecated in 1.18)
* SpecialPage::getRegularPages() (deprecated in 1.18)
* SpecialPage::getRestrictedPages() (deprecated in 1.18)
* SpecialPage::getTitleForAlias() (deprecated in 1.18)
* SpecialPage::getUsablePages() (deprecated in 1.18)
* SpecialPage::includable() (deprecated in 1.18)
* SpecialPage::init()
* SpecialPage::initAliasList() (deprecated in 1.18)
* SpecialPage::initList() (deprecated in 1.18)
* SpecialPage::name() (deprecated in 1.18)
* SpecialPage::removePage() (deprecated in 1.18)
* SpecialPage::resolveAlias() (deprecated in 1.18)
* SpecialPage::resolveAliasWithSubpage() (deprecated in 1.18)
* SpecialPage::restriction() (deprecated in 1.18)
* SpecialPage::setGroup() (deprecated in 1.18)
* SpecialRecentChanges::feedSetup()
* SpecialRevisionDelete::extractBitField() (deprecated in 1.22)
* User::getPageRenderingHash() (deprecated in 1.17)
* WebRequest::getFileSize() (deprecated in 1.17)
* WebRequest::isPathInfoBad() (deprecated in 1.17)
* wfGenerateToken (deprecated in 1.20)
* wfStreamFile (deprecated in 1.19)
* wfUILang (deprecated in 1.18)
* WikiPage::createUpdates() (deprecated in 1.18)
* WikiPage::quickEdit() (deprecated in 1.18)
* WikiPage::useParserCache() (deprecated in 1.18)
* WikiPage::viewUpdates() (deprecated in 1.18)
==== Removed globals ====
* $wgBetterDirectionality (deprecated in 1.18)
== Compatibility ==
MediaWiki 1.23 requires PHP 5.3.2 or later.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.2 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.23 has several database changes since 1.22, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.22.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.