Send a cookie with autoblocks to prevent vandalism.
[lhc/web/wiklou.git] / RELEASE-NOTES-1.28
== MediaWiki 1.28 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in
production.

=== Changes since 1.28.0rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
  comment to a machine-readable JavaScript config option 'wgPageParseReport'
  have been undone. They caused the human-readable limit report to be shown
  incompletely or not at all. ParserOutput::setLimitReportData() and
  getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
  the text of subheadings on a category page when creating it. This wasn't
  working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
  canonical pretty URL when a non-pretty URL is used. It resulted in redirect
  loops in some clients and in some server configurations. This undoes a change
  made in MediaWiki 1.26.

=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  made by MediaWiki via a proxy. Relying on the http_proxy environment
  variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
  access to session data, which includes the session user and the session
  user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
  is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
  local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
  signifies local uploads. A value of `[]` (empty array) now means that
  no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
  for Esperanto language character conversion. You are now recommended to use
  input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
  https://www.mediawiki.org/beacon with basic information about the local
  MediaWiki installation. This data includes, for example, the type of system,
  PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
  to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
  if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user')
  instead of just administrators ('sysop'). Documentation for this feature is
  available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
  of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
  a tracking category will be added to help identify usage and make it easier to migrate
  away from. If you depend upon magic link functionality, it is requested that you comment
  on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
  explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
  in upcoming Content-Security-Policy feature's reporting.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
  determines whether to set a cookie when a user is autoblocked. Doing so means
  that a blocked user, even after logging out and moving to a new IP address,
  will still be blocked.

=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
  upload. Unlike 'UploadVerifyFile' it provides information about upload comment
  and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
  maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
  to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
  a 'numeric' collation is also available. If migrating from another
  collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
  month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
  appropriate for sending multi-valued parameters. This defaults to true when
  the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
  MediaWiki will wait for the replica databases to synchronize with the master database
  while it renders the HTML output. However, if the output is a redirect to another wiki
  on the wiki farm with a different domain, MediaWiki will instead alter the redirect
  URL to include a ?cpPosTime parameter that triggers the database synchronization when
  the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules.
* (T5233) A cookie can now be set when a user is autoblocked, to track that user if
  they move to a new IP address. This is disabled by default.

=== External library changes in 1.28 ===

==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4

==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1

==== Removed and replaced external libraries ====

=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
  Session::getAllowedUserRights()

=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
  the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
  (deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
  now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
  to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
  action=login is now deprecated and outputs a warning. They should be submitted
  in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
  action=createaccount, action=linkaccount, and action=changeauthenticationdata
  in the query string is now deprecated and outputs a warning. They should be
  submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
  instead of the pipe character. This will be useful if some of the multiple
  values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
  contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
  ApiPageSet may contain entries where the 'from' value is percent-encoded as
  the raw value cannot be represented in a valid API response. These are
  indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
  module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
  named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
  the 'TitleIsAlwaysKnown' hook) are output in various modules.

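Credentials sent in the query string, as in the two deprecations listed above, end up in web server access logs. The following Python code is an added example, not part of the MediaWiki release notes or code base: it scans access-log lines for api.php requests that still carry such parameters in the URL. The log lines are constructed, and the names in AUTH_PARAMS are an assumption, because the notes do not list the sensitive parameters of the non-login actions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the release notes name for action=login.
LOGIN_PARAMS = {"lgpassword", "lgtoken"}
# Assumption: the notes do not list the sensitive parameters of the other
# actions; these field names are illustrative, adjust them to your providers.
AUTH_PARAMS = {"password", "retype"}
AUTH_ACTIONS = {"clientlogin", "createaccount", "linkaccount",
                "changeauthenticationdata"}
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def sensitive_in_query(target):
    """Return the sorted sensitive parameter names present in the URL query."""
    parts = urlsplit(target)
    if not parts.path.endswith("/api.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    action = query.get("action", [None])[-1]
    if action == "login":
        watched = LOGIN_PARAMS
    elif action in AUTH_ACTIONS:
        watched = AUTH_PARAMS
    elif action is None:
        # The action may be in the POST body, so check every known name.
        watched = LOGIN_PARAMS | AUTH_PARAMS
    else:
        return []
    return sorted(watched.intersection(query))

def audit(lines):
    """Return (line number, HTTP method, parameter names) for each hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        names = sensitive_in_query(match["target"])
        if names:
            findings.append((number, match["method"], names))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.5 - - [t1] "POST /w/api.php?action=login&lgname=Bot&lgpassword=REDACTED HTTP/1.1" 200 512',
    '203.0.113.5 - - [t2] "POST /w/api.php HTTP/1.1" 200 498',
    '198.51.100.7 - - [t3] "GET /w/api.php?action=query&meta=siteinfo HTTP/1.1" 200 2048',
    '198.51.100.9 - - [t4] "POST /w/api.php?lgtoken=EXAMPLE&format=json HTTP/1.1" 200 300',
    '198.51.100.9 - - [t5] "POST /w/api.php?action=clientlogin&password=REDACTED HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, method, names in audit(SAMPLE_LOG):
        print(f"line {number}: {method} exposes {', '.join(names)} in the URL")
```

Any hit means the matching log files now hold credentials or tokens and should be treated accordingly until the client is moved to POST-body submission.
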
=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with ApiParse and ApiExpandTemplates.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* ApiBase::getResultData() was removed (deprecated since 1.25)
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules. A query module can enable
  these hooks by passing an array for $hookData to ApiQueryBase::select() and
  by calling ApiQueryBase->processRow() before adding a row's data to the
  result.

=== Languages updated in 1.28 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
  BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
  Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
* Karelian (krl), thanks to translators Flrn, Ilja.mos, Likopiän tyttö, Mashoi7, Matma Rex,
  Ontoi, Theunitedstatesofme, and Varvana.
* Gorontalo (gor), thanks to translators Ilham, Lukman Tomayahu, Marwan Mohamad, Matma Rex,
  NoiX180, and Zhoelyakin.

=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
  use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
  login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
  MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
  were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
  respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
  * Skin::commentBlock() (use Linker::commentBlock() instead)
  * Skin::generateRollback() (use Linker::generateRollback() instead)
  * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::userLink() (use Linker::userLink() instead)
  * Skin::userToolLinks() (use Linker::userToolLinks() instead)
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
  disabled.
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
  Use ...->stashFile()->getFileKey() instead.
* "Public domain" was removed as a wiki license option from the installer, in
  favour of CC-0.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
  on requests needed by primary providers even if all primaries need them.
  Primary providers are discouraged from returning multiple REQUIRED requests.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
  will no longer be automatically infused. You should call `OO.ui.infuse()`
  on them yourself from your JavaScript code.
* parserTests.php has moved to tests/parser/parserTests.php
* The command line options specific to parser tests have been removed from
  phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
  Instead of --keep-uploads, use the same option to parserTests.php, but you
  must specify a directory with --upload-dir.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
  migrate to using the same functions on a ProxyLookup instance, obtainable from
  MediaWikiServices.
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
  ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
  ShowRawCssJs hooks will now emit deprecation warnings if used.
* (T68404) CSS3 attr() function with url type is no longer allowed
  in inline styles.

== Compatibility ==

MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==

1.28 has several database changes since 1.27, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.27.x and older releases, see HISTORY.

== Online documentation ==

Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.freenode.net.