-Change notes from older releases. For current info see RELEASE-NOTES-1.32.
+Change notes from older releases. For current info see RELEASE-NOTES-1.33.
+
+= MediaWiki 1.32 =
+
+== MediaWiki 1.32.0 ==
+
+=== Changes since MediaWiki 1.32.0-rc.2 ===
+* (T188327) Fix slow queries in migrateActors.php.
+* (T102320) Fix $magicWords for the Sanskrit language.
+
+=== Changes since MediaWiki 1.32.0-rc.1 ===
+* Fix addition of ug_expiry column to user_groups table on MSSQL.
+* (T210307) Fix the cache timestamp for forced updates.
+* (T210621) User: Bypass repeatable-read when creating an actor_id.
+* (T197535) Extensions can now specify PHP versions and PHP extensions they
+ depend on.
+* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
+* (T212356) When using action=delete on pages with many revisions, the module
+ may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
+ deletion will be processed via the job queue.
+* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
+ recentchanges.rc_cur_time from the PostgreSQL schema.
+
+=== Changes since MediaWiki 1.32.0-rc.0 ===
+* (T209885) Prevent populateSearchIndex.php from breaking once actor migration
+ has been started.
+* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
+ if --lang is used with the command-line installer (install.php).
+
+=== Configuration changes in 1.32 ===
+
+==== New configuration ====
+* $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
+ this setting. The default is 80, which matches the quality of JPEG thumbnails
+ previously generated by ImageMagick. The quality of JPEG thumbnails generated
+ by GD was previously 95, but now uses the $wgJpegQuality setting as well.
+* $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
+ user is blocked. Doing so means that a blocked user, even after moving to a
+ new IP address, will still be blocked.
+* $wgRawHtmlMessages – This new configuration setting is added for listing
+ messages which are displayed as raw HTML.
+* $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
+ "Content Security Policy" for your wiki. This adds a defense-in-depth feature
+ to stop an attacker who has found a bug in the parser allowing them to insert
+ malicious attributes. Disabled by default. (T135963)
+* $wgGroupPermissions – A new user group, 'interface-admin', is added for
+ controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
+ other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
+ by default.
+* $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
+ granting the above rights.
+* $wgDBDefaultGroup – A default database group for use by maintenance scripts.
+* $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
+ enable client-side profiling of JavaScript modules; it is off by default.
+* (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
+ setting allows sysadmins to gradually migrate the database table schema for
+ how change tags are stored.
+* (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
+ allows sysadmins to enable the caching of Special:Tags via the new
+ change_tag_def table.
+
+==== Changed configuration ====
+* $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
+* $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
+ been increased from 3 to 7 days. (T194414)
+* $wgGroupPermissions – The right to edit sitewide Javascript
+ (e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
+ and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
+ 'editinterface' is still necessary to edit such pages.
+* $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
+ old and the new schema, but reading the new schema, so Multi-Content Revisions
+ (MCR) are now functional per default. The new default value of the setting is
+ SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
+* $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
+ MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
+ SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
+ for intermediate stages of migration.
+* $wgDBTableOptions – The default table options now use the binary charset. The
+ default was already overridden in the installer-generated LocalSettings.php,
+ and so is always set to binary after the installer UI option was removed. The
+ default value is only used when the installer installs an extension.
+* $wgPopularPasswordFile — The location of the default popular passwords file
+ has been moved to be in line with other non-PHP files used by libraries and
+ classes.
+* $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
+ potential privacy leaks by administrators. You can check
+ "MediaWiki:External image whitelist" on your wiki to see whether the feature
+ was ever used, and whether it needs to be re-enabled.
+
+==== Removed configuration ====
+* $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
+ have been removed. (T115414)
+* $wgSiteSupportPage – This setting, unused since 1.5, was removed.
+* $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
+* $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
+ The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
+* $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
+ most extensions, is no longer set. Instead, you can modify the system
+ message `emailsender`.
+* $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
+ were removed. RemexHtml, which is the default, should be used instead.
+* (T181318) The $wgStyleVersion setting and its appendage to various script and
+ style URLs in OutputPage, deprecated in 1.31, was removed.
+* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
+ from ResourceLoader. Instead, use `@import` statements in LESS to import
+ files directly from nearby directories within the same project.
+* (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
+ since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
+ the ResourceLoaderModule::getLessVars() method.
+* $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
+ was removed.
+* Two temporary variables for deploying the feature of filters on change lists,
+ $wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
+ $wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
+
+=== New features in 1.32 ===
+* (T112474) Generalized the ResourceLoader mechanism for overriding modules
+ using a particular page during edit previews.
+* (T12331) You can now log page creation events by setting $wgPageCreationLog
+ to true.
+* Added 'ApiParseMakeOutputPage' hook.
+* (T174313) Added checkbox on Special:ListUsers to display only users in
+ temporary user groups.
+* (T152462) A cookie can now be set when an IP user is blocked to track that
+ user if they move to a new IP address. This is disabled by default.
+* (T194950) Added 'ApiMaxLagInfo' hook.
+* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
+ reauthenticating.
+* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
+ getLoginSecurityLevel() returns non-false.
+* The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
+ &$query and &$widthOption, allowing extensions even finer control over the
+ resulting HTML code.
+* Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
+ if the [mark as patrolled] link should be shown at the footer of patrollable
+ pages.
+* The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
+ is now passed by reference, allowing extensions to modify or even unset it.
+* Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
+ modify the return value of OutputPage#getHeadLinksArray in order to add,
+ remove or otherwise alter the elements to be output in the page <head>.
+* (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
+ additional links to the subtitle of a history page.
+* The 'GetLinkColours' hook now receives an additional $title parameter,
+ the Title object of the page being parsed, on which the links will be shown.
+* (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
+ render diffs between two Content objects, and DifferenceEngine::setRevisions()
+ to render diffs between two custom (potentially multi-content) revisions.
+ Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
+* Added a temporary action=mcrundo to the web UI, as the normal undo logic
+ can't yet handle MCR and deadlines are forcing is to put off fixing that.
+ This action should be considered deprecated and should not be used directly.
+* Extensions overriding ContentHandler::getUndoContent() will need to be
+ updated for the changed method signature.
+* Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
+ from user. Unlike the 'UserGetRights' it will ensure that removed rights
+ will not be reinserted.
+* (T197535) Extensions can now specify PHP versions and PHP extensions they
+ depend on.
+
+=== External library changes in 1.32 ===
+
+==== New external libraries ====
+* Added pear/Net_SMTP v1.8.0.
+* Added wikimedia/xmp-reader v0.6.0.
+
+* Added cache/integration-tests v0.16.0 (dev-only).
+* Added giorgiosironi/eris v0.10.0 (dev-only).
+* Added seld/jsonlint v1.7.1 (dev-only).
+
+* Added EasyDeflate (unversioned).
+
+==== Changed external libraries ====
+* Updated OOUI from v0.26.3 to v0.29.2.
+* Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
+* Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
+* Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
+** ScopedCallback objects can no longer be serialized.
+* Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
+* Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
+* oyejorge/less.php replaced with our fork wikimedia/less.php
+* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
+
+* Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
+* Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
+* Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
+
+* Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
+* Updated jquery from v3.2.1 to v3.3.1.
+* Updated jquery.client from v2.0.0 to v2.0.1.
+* Updated jquery.i18n from v1.0.4 to v1.0.5.
+* Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
+* Updated OOjs from v2.2.0 to v2.2.2.
+* Updated qunitjs from v2.4.0 to v2.6.2.
+* Updated sinonjs from v1.17.3 to v1.17.7.
+
+==== Removed external libraries ====
+* pear/mail_mime-decode was removed.
+
+=== Bug fixes in 1.32 ===
+* SpecialPage::execute() will now only call checkLoginSecurityLevel() if
+ getLoginSecurityLevel() returns non-false.
+* (T43720, T46197) Improved page display title handling for category pages
+* (T65080) Fixed resetting options of some types via API action=options.
+
+=== Action API changes in 1.32 ===
+* Added templated parameters.
+ * A module can define a templated parameter like "{fruit}-quantity", where
+ the actual parameters recognized correspond to the values of a multi-valued
+ parameter. Then clients can make requests like
+ "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
+ * action=paraminfo will return templated parameter definitions separately
+ from normal parameters. All parameter definitions now include an "index"
+ key to allow clients to maintain parameter ordering when merging normal and
+ templated parameters.
+* It is now an error to submit too many values for a multi-valued parameter.
+ This has generated a warning since MediaWiki 1.14.
+* Assertion failures from the 'assert' and 'assertuser' parameters will no
+ longer use the action module's custom response format, for the few modules
+ that use custom formatters that handle errors.
+* (T198935) User list preferences such as `email-blacklist` and similar
+ extension preferences are no longer represented as arrays when returned by
+ action=query&meta=userinfo&uiprop=options.
+* 'missingparam' errors will now use the prefixed parameter name in the code
+ and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
+ than "nofoo" and "The 'foo' parameter must be set".
+* action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
+ multi-content revision slots for which content should be returned. It also
+ has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
+ warning will be issued if rvprop=content or rvprop=contentmodel are used
+ without rvslots.
+* The rvcontentformat parameter to action=query&prop=revisions has been
+ deprecated. Clients should be prepared to deal with the default format for
+ relevant models.
+* Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
+ rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
+ rvprop=parsetree is forbidden with the new 'rvslots' parameter.
+* action=query&prop=deletedrevisions, action=query&list=allrevisions, and
+ action=query&list=alldeletedrevisions are changed similarly to
+ &prop=revisions (see the three previous items).
+* (T174032) action=compare now supports multi-content revisions.
+ * It has a 'slots' parameter to select diffing of individual slots. The
+ default behavior is to return one combined diff.
+ * The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
+ 'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
+ are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
+ slots have text supplied and the corresponding templated parameters for
+ each slot.
+ * The behavior of 'fromsection' and 'tosection' of extracting one section's
+ content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
+ instead expand the given text as if for a section edit. This effectively
+ declines T183823 in favor of T185723.
+* (T198214) The 'disabletidy' parameter to action=parse has been
+ deprecated; untidy output will not be supported by future wikitext
+ parsers.
+* Added intestactionsdetail to action=query&prop=info to allow retrieving the
+ reasons an action is not allowed.
+* Deprecated action=query&prop=info inprop=readable in favor of
+ intestactions=read.
+* (T212356) When using action=delete on pages with many revisions, the module
+ may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
+ deletion will be processed via the job queue.
+
+=== Action API internal changes in 1.32 ===
+* Added 'ApiParseMakeOutputPage' hook.
+* Parameter names may no longer contain '{' or '}', as these are now used for
+ templated parameters.
+* (T194950) Added 'ApiMaxLagInfo' hook.
+* The following methods now take a RevisionRecord rather than a Revision. No
+ external callers are known.
+ * ApiFeedContributions::feedItemAuthor()
+ * ApiFeedContributions::feedItemDesc()
+ * ApiQueryRevisionsBase::extractRevisionInfo()
+* The following deprecated methods have been removed:
+ * ApiBase::profileIn() (deprecated in 1.25)
+ * ApiBase::profileOut() (deprecated in 1.25)
+ * ApiBase::safeProfileOut() (deprecated in 1.25)
+ * ApiBase::profileDBIn() (deprecated in 1.25)
+ * ApiBase::profileDBOut() (deprecated in 1.25)
+ * ApiBase::dieUsage() (deprecated in 1.29)
+ * ApiBase::dieUsageMsg() (deprecated in 1.29)
+ * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
+ * ApiBase::getErrorFromStatus() (deprecated in 1.29)
+ * ApiBase::parseMsg() (deprecated in 1.29)
+ * ApiBase::setWarning() (deprecated in 1.29)
+ * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
+ * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
+ * ApiUsageException::getCodeString() (deprecated in 1.29)
+ * ApiUsageException::getMessageArray() (deprecated in 1.29)
+* Class UsageException, deprecated in 1.29, has been removed.
+* ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
+ can now easily test $formatter->getFormat() === 'bc', and then call
+ $formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
+
+=== Languages updated in 1.32 ===
+MediaWiki supports over 350 languages. Many localisations are updated regularly.
+Below only new and removed languages are listed, as well as changes to languages
+because of Phabricator reports.
+
+* (T193566) Added language support for Ambonese Malay (abs).
+* (T194047) Added language support for Shawiya, Latin script (shy-latn).
+* (T195940) Added language support for Batak Mandailing (btm).
+* (T137491) Added language support for Standard Moroccan Amazigh (zgh).
+* (T198132) Added language support for Manipuri (mni).
+* (T201276) Added language support for Western Armenian (hyw).
+* (T201583) Added language support for Mon (mnw).
+
+=== Breaking changes in 1.32 ===
+* $wgRequestTime, deprecated in 1.25, was removed. Use
+ $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
+* The MediaWikiI18N class, deprecated in 1.31, was removed.
+* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
+ Skin::msg() instead.
+* wfInitShellLocale(), deprecated in 1.30, was removed.
+* wfShellExecDisabled(), deprecated in 1.30, was removed.
+* The type string for the parameter $lang of DateFormatter::getInstance,
+ deprecated in 1.31, was removed.
+* The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
+ MediaWiki\Session\Token::SUFFIX instead.
+* EditPage::isOouiEnabled() deprecated in 1.30, was removed.
+* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
+ instead.
+* (T61113) The following methods and constants from the Revision class, which
+ were deprecated in 1.25, have now been removed:
+ * Revision::getRawUser()
+ * Revision::getRawUserText()
+ * Revision::getRawComment()
+* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
+ mw.msg() or mw.message() instead.
+* mw.util.escapeId(), deprecated in 1.30, was removed. Use
+ mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
+* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
+ jquery.accessKeyLabel instead.
+* The SqlDataUpdate class, deprecated in 1.28, has been removed.
+* The Html5Internal and Html5Depurate tidy driver classes were removed, along
+ with the Balancer tidy implementation. Both implementations were experimental,
+ and were replaced by RemexHtml.
+* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
+ removed. Use JobQueueGroup::singleton()->push() instead.
+* The jquery.footHovzer module, for mediawiki.debug, was removed.
+* The es5-shim module, empty and deprecated since 1.29, was removed.
+* the dom-level2-shim module, empty and deprecated since 1.29, was removed.
+* the json module, empty and deprecated since 1.29, was removed.
+* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
+ removed. Use mediawiki.widgets.visibleLengthLimit instead.
+* The jquery.farbtastic module, unused since 1.18, was removed.
+* The 'jquery.expandableField' module, unused since 1.22, was removed.
+* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
+ any HTMLForm object rather than PreferencesForm.
+* The non namespaced TimestampException class, deprecated in 1.29, was removed.
+ Use Wikimedia\Timestamp\TimestampException instead.
+* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
+ utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
+ The UtfNormal\Utils class from the utfnormal library should be used instead.
+* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
+ from the UtfNormal\Constants class from the utfnormal library should be used
+* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
+ only needed for PHP5 compatibility, have been removed. It now uses the boolean
+ values `true` and `false` respectively.
+* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
+ were removed. Use the ParserCache class instead.
+* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
+ instead.
+* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
+ deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
+* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
+ and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
+ is no longer loaded by default. The Vector and MonoBook skins have made a
+ minor change to implement the toggle feature with CSS instead. To restore
+ prior functionality, either explicitly load "jquery.mw-jump" in your skin
+ or refer to T195256 for details on how to make the same change.
+* Hook 'EditPageBeforeEditChecks' was removed;
+ use 'EditPageGetCheckboxesDefinition' instead.
+* Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
+ 1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
+* Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
+ been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
+ instead.
+* mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
+ CapsuleMultiselectWidget. The following methods may no longer be used:
+ * setItemsFromData: Use setValue instead
+ * getItemsData: Use getItems instead and get the data property
+* Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
+ removed. Use addLink() instead.
+* Another two OutputPage methods, setPageTitleActionText() and
+ getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
+ ten years). Use setHTMLTitle() directly.
+* The return value of OutputPage::adaptCdnTTL() has been removed. The
+ value returned was misleading and probably not what any caller would
+ have wanted.
+* All MagicWord static member variables have been removed. Use appropriate
+ hooks or MagicWordFactory methods instead.
+* MagicWord::clearCache() has been removed. Instead, create a new
+ MagicWordFactory, such as by calling
+ resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
+* mw.util.init() has been removed. This function is not needed anymore and was
+ a no-op function since 1.30.
+* SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
+ instead.
+* MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
+ $wgProfiler and $wgEnableProfileInfo.
+* The mw.loader.addSource() is now considered a private method, and no longer
+ supports the `id, url` signature. Use the `Object` parameter instead.
+* The backwards-compatibility code in HTMLForm to add a drop-down control to an
+ option that is not set to be a drop-down if the "mw-chosen" class is present,
+ is now removed.
+* Several collations were removed. They were workarounds for bugs in the ICU
+ library and they are no longer needed (as of ICU 57.1):
+ * 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
+ * 'xx-uca-et' (CollationEt) - use 'uca-et' instead
+ * 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
+* LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
+ that some MediaWiki-specific language codes, such as `simple`, are mapped
+ into valid BCP 47 codes (eg `en-simple`).
+* The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
+ in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
+ The ChangesListSpecialPage code for these legacy hooks, and their use in
+ SpecialRecentchanges.php and SpecialWatchlist, was also removed:
+ * ChangesListSpecialPage->getCustomFilters()
+ * ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
+ * ChangesListSpecialPage::customFilters
+* The global function wfUseMW, deprecated since 1.26, has now been removed. Use
+ the "requires" property of static extension registration instead.
+* $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
+* The MailAddress constructor can no longer be called with a User object,
+ behaviour which has been deprecated since 1.24.
+* LBFactory, deprecated since 1.28, has been removed. Instead, use
+ Wikimedia\Rdbms\LBFactory.
+* The MimeMagic class, deprecated since 1.28 has been removed. Get a
+ MimeAnalyzer instance from MediaWikiServices instead.
+* The '--tidy' option to maintenance/parse.php has been removed. Tidying
+ the output is now the default. Use '--no-tidy' to bypass the tidy
+ phase.
+* The global function wfErrorLog, deprecated since 1.25, has now been removed.
+ Use MWLoggerLegacyLogger::emit or UDPTransport.
+* The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
+ 1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
+ ChangesListSpecialPageQuery.
+* The global function wfUsePHP, deprecated since 1.30, has now been removed. To
+ assert a newer version of PHP than MediaWiki does, use extension registration.
+* The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
+ removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
+* DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
+* File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
+* The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
+ the hook 'SkinEditSectionLinks' instead.
+* The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
+* The global function wfRunHooks, deprecated since 1.25, has now been removed.
+ Use Hooks::run().
+* The hook 'UnknownAction', deprecated since 1.19, has now been removed.
+* The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
+ the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
+* The following deprecated API methods have been removed:
+ * ApiBase::profileIn() (deprecated in 1.25)
+ * ApiBase::profileOut() (deprecated in 1.25)
+ * ApiBase::safeProfileOut() (deprecated in 1.25)
+ * ApiBase::profileDBIn() (deprecated in 1.25)
+ * ApiBase::profileDBOut() (deprecated in 1.25)
+ * ApiBase::dieUsage() (deprecated in 1.29)
+ * ApiBase::dieUsageMsg() (deprecated in 1.29)
+ * ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
+ * ApiBase::getErrorFromStatus() (deprecated in 1.29)
+ * ApiBase::parseMsg() (deprecated in 1.29)
+ * ApiBase::setWarning() (deprecated in 1.29)
+ * ApiPageSet::getInvalidTitles() (deprecated in 1.26)
+ * ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
+ * ApiUsageException::getCodeString() (deprecated in 1.29)
+ * ApiUsageException::getMessageArray() (deprecated in 1.29)
+* Class UsageException, deprecated in 1.29, has been removed.
+* MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
+ old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
+ been removed, and instead sysadmins will be required to choose one (or more)
+ of the several extensions available for this purpose if they need the
+ functionality. The MediaWiki "tarball" releases have included the replacement
+ extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
+ for many years now. As part of this, several parts of MediaWiki have been
+ removed or simplified:
+ * The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
+ available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
+ hook, it will be shown; extensions should provide a specific user preference
+ to disable themselves as needed.
+ * The public methods Language::getImageFile() and ::getImageFiles(), and the
+ related specification of $imageFiles within individual languages' code file,
+ as well as the referenced static media assets, all of which were only used
+ inside MediaWiki itself for providing the icons for the old toolbar, have
+ been removed without explicit deprecation.
+ * The internal ResourceLoader module "mediawiki.toolbar", which is unused
+ except by MediaWiki itself and back-compatibility code, has been removed.
+ * The internal ResourceLoaderEditToolbarModule class has been removed.
+
+=== Deprecations in 1.32 ===
+* HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
+ button is already marked as progressive.
+* Skin::setupSkinUserCss() is deprecated. Adding of modules to load
+ has been centralised to Skin::getDefaultModules(), which is now capable
+ of queueing style modules as well.
+* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
+ deprecated. Use addModules() instead.
+* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
+ in extending classes is deprecated. Extend related doSearch* methods
+ instead.
+* The following 'mediawiki.api' plugin modules were merged into mediawiki.api
+ and deprecated: mediawiki.api.category, mediawiki.api.edit,
+ mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
+ mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
+ mediawiki.api.messages, and mediawiki.api.rollback.
+* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
+ to use it.
+* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
+ with the 'unwatch' action parameter instead.
+* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
+ constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
+* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
+* The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
+* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
+ of the namespaced classes provided by the wikimedia/xmp-reader library.
+* SearchResultSet::{next,rewind} are deprecated. Calling code should
+ use foreach on the SearchResultSet, or the extractResults method. Extending
+ code should override extractResults.
+* Instantiating SearchResultSet directly is deprecated. SearchEngine
+ implementations must subclass SearchResultSet for their purposes.
+* SearchResult::setExtensionData argument has been changed from accepting an
+ array to accepting a Closure that returns the array when called.
+* Class CryptRand, everything in MWCryptRand except generateHex() and function
+ MediaWikiServices::getInstance()->getCryptRand() are deprecated, use
+ random_bytes() to generate cryptographically secure random byte sequences.
+* Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
+ instead.
+* Language::markNoConversion() is deprecated. It confused readers because
+ it had unexpected behavior (only marking text if it looked like a URL)
+ and was only used in a single place in the code. Use
+ LanguageConverter::markNoConversion() instead.
+* (T197492) Language::truncate() was soft deprecated in 1.31 and is
+ hard deprecated in this release. It has been split into two similar
+ methods, Language::truncateForVisual() and Language::truncateForDatabase(),
+ which measure length in characters and bytes, respectively. Use
+ Language::truncateForVisual() when possible to provide equity to users
+ of multibyte scripts.
+* (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
+ context title is unset is now deprecated; anything creating an EditPage
+ instance should set the context title via ::setContextTitle().
+* The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
+* ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
+ are deprecated. These concepts are obsolete and have no replacement.
+* String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
+* The following methods of OutputPage are now deprecated in favour
+ of using showFatalError directly: OutputPage::showFileDeleteError()
+ OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
+ OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
+* The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
+ classes are now deprecated. Use a Closure instead.
+* (T194263) ContentHandler::makeParserOptions() is deprecated. Use
+ WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
+* (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
+ MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
+ the Parsoid v3 API in May 2015.
+* $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
+ $formDescriptor instead.
+* SearchEngine::transformSearchTerm( $term ) should no longer be called prior
+ to running searchText. This method was mainly implemented to support the
+ 'prefix' URI param in SpecialSearch, but there are no reasons to expose this
+ logic as it should be handled internally by SearchEngine implementations
+ supporting this feature. SearchEngine implementations should no longer
+ override this methods.
+* SearchEngine::replacePrefixes( $query ) should no longer be called prior
+ to running searchText/searchTitle.
+* (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
+ 'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
+* Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
+ use array_filter() directly.
+* The $wgShowSQLErrors global is deprecated and nonfunctional.
+ Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
+* The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
+ Set $wgShowExceptionDetails instead.
+* Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
+ mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
+ mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
+ getOldRevision() / getNewRevision() for the first four (note that the
+ revision ones return a RevisionRecord, not a Revision), do your own lookup
+ for page/content.
+* The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
+ just enable the PHP extension, and it will be autodetected.
+* (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
+ setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
+ are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
+ subclass it to customize diff rendering); to diff custom (e.g. unsaved)
+ content, use setRevisions(). Subclassing DifferenceEngine should only be done
+ to customize page-level diff properties (such as the navigation header).
+* The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
+* All MagicWord static methods are now deprecated. Use the MagicWordFactory
+ methods instead.
+* PasswordFactory::init is deprecated. To get a password factory with the
+ standard configuration, use
+ MediaWikiServices::getInstance()->getPasswordFactory.
+* $wgContLang is deprecated, use
+ MediaWikiServices::getInstance()->getContentLanguage() instead.
+* $wgParser is deprecated, use MediaWikiServices::getInstance()->getParser()
+ instead.
+* wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
+ instead.
+* wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
+* All SpecialPageFactory static methods are deprecated. Instead, call the
+ methods on a SpecialPageFactory instance, which may be obtained from
+ MediaWikiServices.
+* mw.user.stickyRandomId was renamed to the more explicit
+ mw.user.getPageviewToken to better capture its function.
+* Passing Revision objects to ContentHandler::getUndoContent() is deprecated,
+ Content object should be passed instead.
+* (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
+ previously used by OOUI HTMLForm fields, are now deprecated. Use
+ 'help', 'help-message', 'help-messages' instead.
+* (T197179) HTMLFormField::getNotices() is now deprecated.
+* The jquery.localize module is now deprecated. Use jquery.i18n instead.
+* The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
+ or overriding ContentHandler::getSecondaryDataUpdates (T194038).
+* The WikiPageDeletionUpdates hook was deprecated in favor of
+ PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
+ (T194038).
+* Content::getSecondaryDataUpdates has been deprecated in favor of
+ ContentHandler::getSecondaryDataUpdates() for overriding by extensions
+ (T194038).
+ Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
+* Content::getDeletionUpdates has been deprecated in favor of
+ ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
+ Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
+* (T198214) Old Tidy-related configuration settings, which were soft-deprecated
+ in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
+ $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
+ $wgTidyConfig instead.
+* All Tidy configurations other than Remex have been hard deprecated;
+ future parsers will not emit compatible output for these configurations.
+ In particular, running MediaWiki with tidy disabled has been deprecated.
+* (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
+ and OutputPage::addWikiTextTitle() have been deprecated, since they
+ can result in untidy output. In addition OutputPage::addWikiTextTidy()
+ and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new
+ methods consistent. Use OutputPage::addWikiTextAsInterface() or
+ OutputPage::addWikiTextAsContent() instead, which ensures the output is
+ tidy and clarifies whether content-language specific postprocessing should
+ be done on the text.
+* OutputPage::parse() and OutputPage::parseInline() have been deprecated
+ due to untidy output and inconsistent handling of wrapper divs and
+ interface/content language defaults. Use OutputPage::parseAsContent(),
+ OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
+ as appropriate.
+* QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
+ as they promote bad practises. I18n messages should always be properly
+ escaped.
+* Skin::getDynamicStylesheetQuery() has been deprecated. It always
+ returns action=raw&ctype=text/css which callers should use directly.
+* Class LegacyFormatter is deprecated.
+* Use of CommentStore::insertWithTempTable() with 'img_description' is
+ deprecated. Use CommentStore::insert() instead.
+* Language::setCode is deprecated as public function. Use Language::factory
+ to create a new Language object with a different language code.
+* Several classes have been moved from the MediaWiki\Storage\ namespace to the
+ MediaWiki\Revision\ namespace. The old class names are aliased for
+ compatibility, but are deprecated. Classes are IncompleteRevisionException,
+ MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
+ RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
+ RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
+ SuppressedDataException.
+* When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
+ option, it is now deprecated to give its contents (the 'default' option)
+ as a string. They should be given as a OOUI\FieldLayout object instead.
+ Notably, this affects fields defined in the 'GetPreferences' hook, because
+ Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
+* In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
+ deprecated. For the $lang parameter, types other than Language are
+ deprecated.
+* The $wgUseKeyHeader configuration option and the
+ OutputPage::getKeyHeader() method have been deprecated; the relevant
+ draft IETF spec expired without becoming a standard.
+* Deprecated API action=query&prop=info inprop=readable in favor of
+ intestactions=read.
+
+=== Other changes in 1.32 ===
+* (T198811) The following tables have had their UNIQUE indexes turned into
+ proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
+ protected_titles and site_identifiers.
+* OOUI HTMLForm will now display help text inline after the input field,
+ rather than in a popup. Previous behavior can be restored by using
+ `'help-inline' => false`.
+* The archive table's ar_rev_id field is now unique.
+* Special:BotPasswords now requires reauthentication.
+* (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
+ storage layer and have basic support for display. No user interface exists
+ yet for creating or managing content in slots beides the main slot. See
+ <https://www.mediawiki.org/wiki/Multi-Content_Revisions> for more
+ information.
+* The image_comment_temp database table has been removed. Since all access
+ should be mediated by the CommentStore class, this change shouldn't affect
+ external code.
+* (T206147) Database::close() will no longer commit any open transactions.
+* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
+ recentchanges.rc_cur_time from the PostgreSQL schema.
= MediaWiki 1.31 =
+== MediaWiki 1.31.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.31 branch.
+
+=== Changes since MediaWiki 1.31.0 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
+* (T197229) Bundle Nuke extension, it was accidentally omitted.
+* (T193995) Fix undefined patchPath() method call in parser tests.
+* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
+* Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T193829) Indicate when a Bot Password needs reset.
+* (T198037) GitInfo: Don't try shelling out if it's disabled.
+* (T151415) Log email changes.
+* (T197206) Fix performance regression when multiple DB used without caching.
+* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
+* (T182377, T196793) Exif: Guard against uncountable tag values.
+* (T200861) Fix total breakage of SQLite web upgrade.
+* (T200864) Fix pingback over-reporting on non-MySQL databases
+* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
+ hooks.
+
== MediaWiki 1.31.0 ==
=== Changes since MediaWiki 1.31.0-rc.2 ===
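Review bot: In the 1.32 deprecation list, the Content::getDeletionUpdates entry appears to be copied from the Content::getSecondaryDataUpdates entry directly above it. It names ContentHandler::getDeletionUpdates() as the replacement, while the WikiPageDeletionUpdates entry names ContentHandler::getDeletionDataUpdates, and it sends application logic to WikiPage::doSecondaryDataUpdates(), the same call given for secondary updates. Please confirm the method names and correct whichever entry is wrong, since extension authors will code against this text. In the 1.31.1 list, "(T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files." does not say which tarball or what an operator who installed from it should check after upgrading; one more sentence covering that would make the entry actionable.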
= MediaWiki 1.30 =
+== MediaWiki 1.30.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.30 branch.
+
+=== Changes since MediaWiki 1.30.0 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
+* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
+* (T189567) the CLI installer (maintenance/install.php) learned to detect and
+ include extensions. Pass --with-extensions to enable that feature.
+* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
+* (T167507) selenium: Run Chrome headlessly.
+* selenium: Pass -no-sandbox to Chrome under Docker.
+* (T179190) selenium: Move logic for running tests from package.json to selenium.sh
+* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
+* Add default edit rate limit of 90 edits/minute for all users.
+* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
+* oojs/oojs-ui updated to remove an unnecessary dependancy.
+* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
+* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
+* (T196672) The mtime of extension.json files is now able to be zero
+* (T180403) Validate $length in padleft/padright parser functions.
+* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
+* (T193995) Fix undefined patchPath() method call in parser tests.
+* Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T193829) Indicate when a Bot Password needs reset.
+* (T151415) Log email changes.
+* (T200861) Fix total breakage of SQLite web upgrade.
+* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
+ hooks.
+* (T190539) Explicitly require Postgres 9.1.
+* (T118420) Unbreak Oracle installer.
+
== MediaWiki 1.30.0 ==
=== Changes since MediaWiki 1.30.0-rc.0 ===
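Review bot: "Add default edit rate limit of 90 edits/minute for all users." in the 1.30.1 list changes behaviour for every wiki that upgrades, yet it has no task ID and does not name the setting that carries the limit or how to override it. Since the first entry in this list is a $wgRateLimits security fix, say explicitly whether this default lives in the same setting. Minor: "dependancy" should be "dependency" in the oojs/oojs-ui entry, the T189567 entry starts with a lowercase "the", and the T179190 and T196672 entries lack the final period that the other entries have.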
= MediaWiki 1.29 =
+== MediaWiki 1.29.3 ==
+
+This is a security and maintenance release of the MediaWiki 1.29 branch.
+
+=== Changes since 1.29.2 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* (T180551) Fix LanguageSrTest for language converter
+* (T180552) Fix langauge converter parser test with self-close tags
+* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
+* (T180485) InputBox: Have inputbox langconvert certain attributes
+* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
+* (T172927) Drop vendor from MW release branch
+* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
+* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
+* (T189567) the CLI installer (maintenance/install.php) learned to detect and
+ include extensions. Pass --with-extensions to enable that feature.
+* (T182381) Mask deprecated call in WatchedItemUnitTest
+* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
+* The karma qunit tests would fail on some configuration due to headers already
+ sent. Check headers_sent() before sending cpPosTime headers
+* (T167507) selenium: Run Chrome headlessly.
+* selenium: Pass -no-sandbox to Chrome under Docker
+* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
+* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
+ fails under SQLite.
+* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
+* (T179190) selenium: Move test running logic from package.json to selenium.sh.
+* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
+* Add default edit rate limit of 90 edits/minute for all users.
+* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
+* (T196672) The mtime of extension.json files is now able to be zero
+* (T180403) Validate $length in padleft/padright parser functions.
+* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
+* (T194237) Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
+* (T193829) Indicate when a Bot Password needs reset.
+* (T151415) Log email changes.
+* (T118420) Unbreak Oracle installer.
+
== MediaWiki 1.29.2 ==
This is a security and maintenance release of the MediaWiki 1.29 branch.
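Review bot: The T191247 entry in the 1.29.3 list, "Use MediaWiki\SuppressWarnings around trigger_error('') instead @", is missing a word and presumably should read "instead of @"; the T180552 entry also has "langauge" for "language". The Special:BotPasswords reauthentication entry carries (T194237) here but appears without a task ID in the 1.27.5, 1.30.1, 1.31.1 and 1.32 lists, so please add it there if it is the same change. Final periods are inconsistent across this list (for example T180551, T172927, T182381 and the karma qunit entry have none).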
= MediaWiki 1.27 =
+== MediaWiki 1.27.5 ==
+
+This is a security and maintenance release of the MediaWiki 1.27 branch.
+
+=== Changes since 1.27.4 ===
+* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
+ 'newbie'.
+* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
+ account lock.
+* Upgraded Moment.js from v2.8.4 to v2.19.3.
+* (T160298) Fixed Special:ActiveUsers due to bad backport.
+* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
+* Updated list of SPDX licenses for extensions.
+* (T189567) the CLI installer (maintenance/install.php) learned to detect and
+ include extensions. Pass --with-extensions to enable that feature.
+* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
+* Add default edit rate limit of 90 edits/minute for all users.
+* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
+* (T196672) The mtime of extension.json files is now able to be zero.
+* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
+* (T180403) Validate $length in padleft/padright parser functions.
+* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
+* Special:BotPasswords now requires reauthentication.
+* (T191608, T187638) Add 'logid' parameter to Special:Log.
+* (T193829) Indicate when a Bot Password needs reset.
+* (T151415) Log email changes.
+* (T118420) Unbreak Oracle installer.
+
== MediaWiki 1.27.4 ==
This is a security and maintenance release of the MediaWiki 1.27 branch.
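Review bot: "(T160298) Fixed Special:ActiveUsers due to bad backport." in the 1.27.5 list reads as if the bad backport were the reason for the fix rather than the cause of the breakage; something like "Fixed Special:ActiveUsers, which was broken by a bad backport" is unambiguous. The Moment.js entry here has no task ID while the 1.29.3 entry for the upgrade to the same v2.19.3 cites (T161732, T181547); if it is the same change, cite the same tasks.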
* Localisation updates from http://translatewiki.net.
* mwdocgen.php: Implement --version option.
* Remove svnstat stuff used in Doxygen generation
-* (bug 43594) Correctly supress warnings that were missed after the upstream
+* (bug 43594) Correctly suppress warnings that were missed after the upstream
* PHP change to E_STRICT being included in E_ALL.
== MediaWiki 1.20.4 ==
== MediaWiki 1.16 ==
+== MediaWiki 1.16.5 ==
+=== Changes since 1.16.4 ===
+
+* (bug 28534) Fixed XSS vulnerability for IE 6 clients. This is the third
+ attempt at fixing bug 28235.
+* (bug 28639) Fixed potential privilege escalation when $wgBlockDisablesLogin
+ is enabled.
+
+== MediaWiki 1.16.4 ==
+=== Changes since 1.16.3 ===
+
+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
+ clients) was not actually sufficient to fix that bug. This release contains
+ a second attempt, hopefully we have fixed it this time.
+
+== MediaWiki 1.16.3 ==
+=== Changes since 1.16.2 ===
+
+* (bug 28449) Fixed permissions checks in Special:Import which allowed users
+ without the 'import' permission to import pages from the configured import
+ sources.
+* (bug 28235) Fixed XSS affecting IE 6 and earlier clients only, due to those
+ browsers looking for a file extension in the query string of the URL, and
+ ignoring the Content-Type header if one is found.
+* (bug 28450) Fixed a CSS validation issue involving escaped comments, which
+ led to XSS for Internet Explorer clients and privacy loss for other clients.
+
+== MediaWiki 1.16.2 ==
+=== Changes since 1.16.1 ===
+
+* (bug 26642) Fixed incorrect translated namespace due to a regression in the
+ language converter.
+* The interface translations were updated.
+* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
+* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability.
+ Affects Windows servers only. A malicious file with extension ".php" must
+ exist on the server for the exploit to be effective.
+
+== MediaWiki 1.16.1 ==
+=== Changes since 1.16.0 ===
+
+* (bug 24981) Allow extensions to access SpecialUpload variables again
+* (bug 24724) list=allusers was out by 1 (shows total users - 1)
+* (bug 24166) Fixed API error when using rvprop=tags
+* For wikis using French as a content language, Special:Téléchargement works
+ again as an alias for Special:Upload.
+* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
+* (bug 25248) Fixed paraminfo errors in certain API modules.
+* The installer now has improved handling for situations where safe_mode is
+ active or exec() and similar functions are disabled.
+* (bug 19593) Specifying --server in now works for all maintenance scripts.
+* Fixed $wgLicenseTerms register globals.
+* (bug 26561) Fixed clickjacking vulnerabilities by introducing support for
+ X-Frame-Options. The header value can be configured using $wgBreakFrames and
+ $wgEditPageFrameOptions.
+
+== MediaWiki 1.16.0 ==
+=== Changes since 1.16 beta 3 ===
+
+* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in
+ 1.16 beta 1, but is currently poorly supported by browsers.
+* (bug 23175) Re-added window.ta variable for backwards compatibility.
+* (bug 23264) Fixed breakage of various command line scripts due to extra line
+ endings being inserted by Maintenance::output().
+* Fixed HTTP client functionality with safe_mode=On.
+* Fixed parser tests broken in 1.16 beta 3.
+* For Oracle DB backend: fixed parser tests and table prefix feature.
+* (bug 23767) Fixed PHP warning when REQUEST_URI is blank (IIS issue).
+* Fixed plural function for Northern Sami (se)
+* (bug 23597) Fixed conflicts between ID attributes in the Vector skin and
+ parser-generated heading IDs. Renamed head, panel, head-base and page-base.
+* Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet.
+* (bug 23465) Don't ignore the predefined destination filename on
+ Special:Upload after following a red link to a file.
+* In SQLite full-text search feature: fixed "move page" feature, was non-
+ functional.
+* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect
+ user privacy in the case where an attacker can access the wiki through the
+ same HTTP proxy as a logged-in user.
+* Fixed an XSS vulnerability in profileinfo.php for installations with
+ $wgEnableProfileInfo = true (false by default)
+* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being
+ false. Fixed a minor header parsing issue when $wgUseXVO = true.
+* Fixed a register_globals arbitrary inclusion vulnerability in
+ MediaWikiParserTest.php, introduced in 1.16 beta 1.
+
+=== Changes since 1.16 beta 2 ===
+
+* Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of
+ invalid usernames.
+* Fixed sorting in [[Special:Allmessages]]
+* (bug 23113) Fixed title in the show/hide links on diff pages
+* (bug 23117) Fixed API rollback, was returning "badtoken" for valid requests
+* (bug 23127) Re-added missing $1 parameter to the uploadtext message
+* Fixed a bug in the Vector skin where personal tools display behind the logo
+* (bug 23139) Fixed a bug in edit conflict resolution, where both textboxes
+ showed the same text.
+* (bug 23115, bug 23124) Fixed various problems with <title> and <h1> elements
+ in page views and previews when the language converter is enabled.
+* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image
+ scaling, which was introduced in 1.16 beta 1.
+* Improved error checking on installer.
+* (bug 22970) Fixed a JavaScript error in the upload destination conflict
+ check.
+* (bug 23167) Check the watch checkbox by default if the watchcreations
+ preference is set.
+* (bug 23171) Improve IE6 version check to avoid false positives.
+* (bug 23176) Fixed upload warning override feature "upload new version",
+ broken in 1.16 beta 1.
+* Fixed regression in unwatch links sent out in notification emails. When the
+ mailing job was deferred via the job queue, the title was incorrect.
+* (bug 23534) Fixed SQL query error in API list=allusers.
+* Fixed a bug in uploads for non-JavaScript clients. An empty string was used
+ as the default destination filename, instead of the source filename as
+ expected.
+* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
+ account" and "create by e-mail" features of [[Special:Userlogin]]
+* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+* Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick
+ expanded wildcard characters "?" and "*" in image filenames, potentially
+ causing large numbers of images to be scaled in response to a single request.
+ The fix for this involves breaking the scaling of such image filenames until
+ ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details.
+* (bug 23608) Fixed invalid HTML in diff pages.
+
+=== Changes since 1.16 beta 1 ===
+
+* Fixed errors in maintenance/patchSql.php
+* (bug 19627) Fix regression from r57867 where HTMLForm would output
+ <element classes="foo bar"> rather than <element class="foo bar">
+* Fixed broken "-r" option to maintenance/lag.php
+* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
+ be submitted along with the user name and password.
+
=== Configuration changes in 1.16 ===
* (bug 18222) $wgMinimalPasswordLength default is now 1
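Review bot: The IE 6 XSS tracked as bug 28235 is recorded as fixed in 1.16.3, fixed again in 1.16.4 and fixed a third time in 1.16.5, but only the 1.16.4 entry says the earlier fix was insufficient. Someone reading the 1.16.3 or 1.16.4 entry alone will conclude that release is safe, so add a pointer in each to the later release that supersedes it, and say in the 1.16.5 entry what the third attempt changed. Also, "(bug 19593) Specifying --server in now works for all maintenance scripts." in 1.16.1 has a stray "in", and "Fixed $wgLicenseTerms register globals." does not say whether this was exploitable, unlike the MediaWikiParserTest.php entry in 1.16.0, which names the register_globals inclusion vulnerability outright.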
== MediaWiki 1.15 ==
+== MediaWiki 1.15.5 ==
+=== Changes since 1.15.4 ===
+
+* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect
+ user privacy in the case where an attacker can access the wiki through the
+ same HTTP proxy as a logged-in user.
+* Fixed a minor cookie header parsing issue causing incorrect Cache-Control
+ headers to be sent.
+* Fixed an XSS vulnerability in profileinfo.php for installations with
+ $wgEnableProfileInfo = true (false by default)
+* For backwards compatibility with extensions from 1.14.x or before, restored
+ the original function ApiMain::requestWriteMode().
+* In API login "need token" responses, added the cookieprefix and sessionid
+ fields, as in MediaWiki 1.16.x. This is an improvement to the CSRF fix
+ introduced in 1.15.3.
+
+== MediaWiki 1.15.4 ==
+=== Changes since 1.15.3 ===
+
+* (bug 23534) Fixed SQL query error in API list=allusers.
+* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
+ account" and "create by e-mail" features of [[Special:Userlogin]]
+* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+
+== MediaWiki 1.15.3 ==
+=== Changes since 1.15.2 ===
+
+* (bug 22828) Fixed deletion on SQLite.
+* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
+ be submitted along with the user name and password.
+
+== MediaWiki 1.15.2 ==
+=== Changes since 1.15.1 ===
+
+* The installer now includes a check for a data corruption issue with certain
+ versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug
+ present in the official release of PHP 5.3.1.
+* (bug 20239) MediaWiki:Imagemaxsize does not contain anymore a <br /> tag which
+ was displayed to the user
+* (bug 21150) SQLite no longer raise an error when deleting files
+* (bug 20880) Fixed updater failure on SQLite backend
+* upgrade1_5.php now requires to be run --update option to prevent confusion
+* Fixed a CSS validation issue which allowed external images to be included
+ into wikis where that is disallowed by configuration.
+* Fixed a data leakage vulnerability for private wikis using img_auth.php or
+ similar image access authentication schemes. Check user permissions before
+ streaming out scaled images from thumb.php.
+
+== MediaWiki 1.15.1 ==
+=== Changes since 1.15.0 ===
+* Fixed fatal errors for unusual file repository configurations, such as
+ ForeignAPIRepo.
+* Fixed the "change password" link on Special:Preferences to have the correct
+ returnto parameter.
+* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block
+
+== MediaWiki 1.15.0 ==
+=== Changes since 1.15.0rc1 ===
+
+* Removed category redirect feature, implementation was incomplete.
+* (bug 18846) Remove update_password_format(), unnecessary, destroys all
+ passwords if a wiki with $wgPasswordSalt=false is upgraded with the web
+ installer.
+* (bug 19127) Documentation warning for PostgreSQL users who run update.php:
+ use the same user in AdminSettings.php as in LocalSettings.php.
+* Fixed possible web invocation of some maintenance scripts, due to the use of
+ include() instead of require(). A full exploit would require a very strange
+ web server configuration.
+* Localisation updates.
+
=== Configuration changes in 1.15 ===
* Added $wgNewPasswordExpiry, to specify an expiry time (in seconds) to
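Review bot: In the 1.15.2 list, the img_auth.php data leakage entry ends with "Check user permissions before streaming out scaled images from thumb.php.", which reads as an instruction to the administrator rather than a description of the fix. If the release itself adds the check, say so, for example "thumb.php now checks user permissions before streaming out scaled images", so operators of private wikis know that upgrading is the remediation. In the same list, "upgrade1_5.php now requires to be run --update option to prevent confusion" is garbled and presumably means the script now requires the --update option; the three entries from bug 20239 through bug 20880 and the upgrade1_5.php entry also lack final periods, and "SQLite no longer raise" should be "raises".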
== MediaWiki 1.14 ==
+== MediaWiki 1.14.1 ==
+=== Changes since 1.14.0 ===
+
+* (bug 17737) Fixed russian URLs for Special:BookSources
+* (bug 17713) Using links with only an anchor no longer add an dummy entry in
+ the pagelinks table
+* (bug 17897) Fixed string offset error in <pre> tags
+* (bug 17832) Fixed action=delete returning 'unknownerror' instead of
+ 'permissiondenied' when the user is blocked
+* Fixed performance regression when accessing deleted (archived) files
+* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block
+
+== MediaWiki 1.14.0 ==
+=== Changes since 1.14.0rc1 ===
+
+* Fixed the performance of the backlinks API module
+* (bug 17420) Send the correct content type from action=raw when the HTML file
+ cache is enabled.
+* (bug 17437) Fixed incorrect link to web-based installer
+* (bug 17527) Fixed missing MySQL-specific options in installer
+
=== Configuration changes in 1.14 ===
* $wgExemptFromUserRobotsControl is an array of namespaces to be exempt from
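Review bot: The only security fix in the 1.14.1 list, "(bug 19693) Fixed cross-site scripting vulnerability in Special:Block", is the last bullet after routine bug fixes and the section has no line saying this is a security release, so it is easy to miss; consider moving it to the top or adding an introductory sentence as the 1.27 to 1.31 sections do. Wording nits in the same list: "russian" should be capitalised, and "no longer add an dummy entry" should be "no longer adds a dummy entry".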
* (bug 11082) Fix check for fully-specced table names in Database::tableName
* (bug 11067) Fix regression in upload conflict thumbnail display
* (bug 10985) Resolved cached entries on Special:DoubleRedirects were being
- supressed, breaking paging - now strikes out "fixed" results
+ suppressed, breaking paging - now strikes out "fixed" results
* (bug 8393) <sup> and <sub> need to be preserved (without attributes) for
entries in the table of contents
* (bug 11114) Fix regression in read-only mode error display during editing
* (bug 1241) Don't show 'cont.' for first entry of the category list
* (bug 1240) Special:Preferences was broken in Slovenian locale when
$wgUseDynamicDates is enabled
-* Added magic word MAG_NOCONTENTCONVERT to supress the conversion of the
+* Added magic word MAG_NOCONTENTCONVERT to suppress the conversion of the
content of an article. Useful in zh:
* write-lock for updating the zh conversion tables in memcache
* recursively parse subpages of MediaWiki:Zhconversiontable