adds a defense-in-depth feature to stop an attacker who has found a bug in
the parser allowing them to insert malicious attributes. Disabled by default,
you can configure this via $wgCSPHeader and $wgCSPReportOnlyHeader.
+ * New configuration variable has been added: $wgCookieSetOnIpBlock.
+ This determines whether to set a cookie when an IP user is blocked. Doing so means
+ that a blocked user, even after moving to a new IP address, will still be blocked.
=== New features in 1.32 ===
* (T112474) Generalized the ResourceLoader mechanism for overriding modules
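Review bot: The added $wgCookieSetOnIpBlock entry omits the caveat from the setting's doc comment later in this patch: when $wgSecretKey is not set, the cookie is just the block ID, and an attacker may be able to discover the names of revdeleted users. Suggest adding a sentence that recommends setting $wgSecretKey before enabling it. The entry should also state that the setting is disabled by default, as the CSP entry above it does.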
* Added 'ApiParseMakeOutputPage' hook.
* (T174313) Added checkbox on Special:ListUsers to display only users in
temporary user groups.
+ * (T152462) A cookie can now be set when an IP user is blocked to track that user if
+ they move to a new IP address. This is disabled by default.
=== External library changes in 1.32 ===
* …
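Review bot: The added (T152462) entry does not name the setting that turns the feature on, so a reader of this section cannot tell how to enable it; suggest ending it with "Enable it with $wgCookieSetOnIpBlock." It also says "IP user" where the doc comment for the setting says "logged-out user"; use one term in both places.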
* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
removed. Use mediawiki.widgets.visibleLengthLimit instead.
* The jquery.farbtastic module, unused since 1.18, was removed.
+* (T181318) The $wgStyleVersion setting and its appendage to various script and
+ style URLs in OutputPage, deprecated in 1.31, was removed.
+* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
+ any HTMLForm object rather than PreferencesForm.
+* The non namespaced TimestampException class, deprecated in 1.29, was removed.
+ Use Wikimedia\Timestamp\TimestampException instead.
+* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
+ utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
+ The UtfNormal\Utils class from the utfnormal library should be used instead.
+* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
+ from the UtfNormal\Constants class from the utfnormal library should be used
=== Deprecations in 1.32 ===
* Use of a StartProfiler.php file is deprecated in favour of placing
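Review bot: As shown, the last added entry (UTF8_ and UNICODE_ constants) ends at "should be used", while the two entries above it close with "instead."; check that the sentence is complete. Two wording points in the same block: "non namespaced" should be hyphenated as "non-namespaced", and in the (T181318) entry the subject "The $wgStyleVersion setting and its appendage" is plural, so "was removed" should read "were removed".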
to use it.
* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
with the 'unwatch' action parameter instead.
+* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
+ constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
=== Other changes in 1.32 ===
* Soft hyphens (U+00AD) are now automatically removed from titles; these
* …
== Compatibility ==
-MediaWiki 1.32 requires PHP 5.5.9 or later. Although HHVM 3.18.5 or later is
-supported, it is generally advised to use PHP 5.5.9 or later for long term
+MediaWiki 1.32 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
+supported, it is generally advised to use PHP 7.0.0 or later for long term
support.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
*/
$wgGitInfoCacheDirectory = false;
-/**
- * Bump this number when changing the global style sheets and JavaScript.
- *
- * It should be appended in the query string of static CSS and JS includes,
- * to ensure that client-side caches do not keep obsolete copies of global
- * styles.
- *
- * @deprecated since 1.31
- */
-$wgStyleVersion = '303';
-
/**
* This will cache static pages for non-logged-in users to reduce
* database traffic on public sites. ResourceLoader requests to default
$wgUseMediaWikiUIEverywhere = false;
/**
- * Temporary variable that determines whether the EditPage class should use OOjs UI or not.
- * This will be removed later and OOjs UI will become the only option.
+ * Temporary variable that determines whether Special:Preferences should use OOUI or not.
+ * This will be removed later and OOUI will become the only option.
*
* @since 1.32
*/
*/
$wgCookieSetOnAutoblock = false;
+ /**
+ * Whether to set a cookie when a logged-out user is blocked. Doing so means that a blocked user,
+ * even after moving to a new IP address, will still be blocked. This cookie will contain an
+ * authentication code if $wgSecretKey is set, or otherwise will just be the block ID (in which
+ * case there is a possibility of an attacker discovering the names of revdeleted users, so it
+ * is best to use this in conjunction with $wgSecretKey being set).
+ */
+ $wgCookieSetOnIpBlock = false;
+
/** @} */ # end of cookie settings }
/************************************************************************//**
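Review bot: The doc comment for $wgCookieSetOnIpBlock documents an insecure fallback rather than preventing it: with $wgSecretKey unset the cookie is the bare block ID, which the comment itself says can let an attacker discover the names of revdeleted users. Consider not setting the cookie at all when no secret key is available, so that enabling the flag cannot produce an unauthenticated cookie. The comment also lacks an "@since 1.32" tag, and the added lines are indented one column further than the neighbouring $wgCookieSetOnAutoblock block.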
$permErrors = $this->getEditPermissionErrors( $this->save ? 'secure' : 'full' );
if ( $permErrors ) {
wfDebug( __METHOD__ . ": User can't edit\n" );
+
+ // track block with a cookie if it doesn't exists already
+ $this->context->getUser()->trackBlockWithCookie();
+
// Auto-block user's IP if the account was "hard" blocked
if ( !wfReadOnly() ) {
DeferredUpdates::addCallableUpdate( function () {
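Review bot: The added trackBlockWithCookie() call runs for every non-empty $permErrors, not only when the error is a block, and nothing at this call site checks $wgCookieSetOnIpBlock or $wgCookieSetOnAutoblock. Please confirm that the method returns early when the user is not blocked and when the relevant setting is false, or guard the call here. Unlike the auto-block update below it, the call is also outside the !wfReadOnly() check; if that is intentional because only a cookie is written, say so in the comment. The comment has a typo: "doesn't exists" should be "doesn't exist".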
$script .= '});';
- $nonce = $wgOut->getCSPNonce();
- $wgOut->addScript( ResourceLoader::makeInlineScript( $script, $nonce ) );
-
$toolbar = '<div id="toolbar"></div>';
if ( Hooks::run( 'EditPageBeforeEditToolbar', [ &$toolbar ] ) ) {
// Only add the old toolbar cruft to the page payload if the toolbar has not
// been over-written by a hook caller
+ $nonce = $wgOut->getCSPNonce();
$wgOut->addScript( ResourceLoader::makeInlineScript( $script, $nonce ) );
};
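Review bot: After this change $script is only consumed inside the Hooks::run( 'EditPageBeforeEditToolbar', ... ) branch, yet it is still assembled before the hook check (the $script .= '});'; context line). If the lines above it have no other consumer, move the construction inside the branch as well so a hook that replaces the toolbar does not pay for building an unused script. Fetching $nonce right next to the makeInlineScript() call that uses it is the right place for it.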