-Security reminder: If you have PHP's register_globals option set, you must
-turn it off. MediaWiki will not work with it enabled.
-
== MediaWiki 1.27 ==
THIS IS NOT A RELEASE YET
MediaWiki 1.27 is an alpha-quality branch and is not recommended for use in
production.
+=== PHP version requirement ===
+As of 1.27, MediaWiki now requires PHP 5.5.9 or higher. This corresponds with
+HHVM 3.1.
+
=== Configuration changes in 1.27 ===
* $wgUseLinkNamespaceDBFields was removed.
* Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
MediaWiki\Session\SessionProvider.
** The User cannot be loaded from session until after Setup.php completes.
Attempts to do so will be ignored and the User will remain unloaded.
+** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
+ the MediaWiki\Session\Token class.
* MediaWiki will now auto-create users as necessary, removing the need for
extensions to do so. An 'autocreateaccount' right is added to allow
auto-creation when 'createaccount' is not granted to all users.
* Most cookie-handling methods in User are deprecated.
* $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
experimental feature that has never worked.
+* Login and createaccount tokens now vary by timestamp.
+* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
+ return a MediaWiki\Session\Token, and tokens must be checked using that
+ class's methods.
+* $wgEnotifUseJobQ was removed and the job queue is always used.
+* The functionality of the ApiSandbox extension has been merged into core. The
+ extension should no longer be used.
=== New features in 1.27 ===
-* $wgDataCenterId and $wgDataCenterRoles where added, which will serve as
- basic configuration settings needed for multi-datacenter setups.
- $wgDataCenterUpdateStickTTL was also added.
+* $wgDataCenterUpdateStickTTL was also added. This decides how long a user
+ sticks to the primary DC (via cookies) after they make changes to the site.
* Added a new hook, 'UserMailerTransformContent', to transform the contents
of an email. This is similar to the EmailUser hook but applies to all mail
sent via UserMailer.
* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
to assert that the request comes from a particular IP range.
* Added bot passwords, a rights-restricted login mechanism for API-using bots.
+* Whitelisted the following HTML attributes for all elements in wikitext:
+ aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
+* Removed "presentation" restriction on the HTML role attribute in wikitext.
+ All values are now allowed for the role attribute.
+* $wgContentHandlers now also supports callbacks to create an instance of the
+ appropriate ContentHandler subclass.
+* Added $wgAuthenticationTokenVersion, which if non-null prevents the
+ user_token database field from being exposed in cookies. Setting this would
+ be a good idea, but will log out all current sessions.
+* $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
+ specifically for reliable CDN url purges.
=== External library changes in 1.27 ===
* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
* ApiQuery::getModules() was removed (deprecated since 1.21).
* ApiMain::getModules() was removed (deprecated since 1.21).
+* ApiBase::getVersion() was removed (deprecated since 1.21).
=== Languages updated in 1.27 ===
* ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
* Gallery images with multiple caption pipes no longer concatenate them all
together but instead pick the final one, similar to image syntax.
+* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
+ rather than consume everything until the end of the page.
+* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
+ a user forgot password/account was stolen.
== Compatibility ==
-MediaWiki 1.27 requires PHP 5.3.3 or later. There is experimental support for
+MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but