= MediaWiki release notes = Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it '''off''' if you can. == MediaWiki 1.20.3 == This is a security and maintenance release of the MediaWiki 1.20 branch. === Changes since 1.20.2 === * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. * (bug 44010) Context is passed to UserGetLanguageObject. * The recursion guard on RequestContext::getLanguage() was weakened. * (bug 40585) Don't drop 'step="any"' in HTML input fields. * (bug 44024) Fixed problems in ObjectCache when using XCache. * (bug 44010) FauxRequest leaked cookie data from primary request. * (bug 44135/42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST * (bug 43518) API action=unblock should return the user name, not the full user object * (Bug 45355) Prevent read of arbitrary files through mwdoc-filter.php == MediaWiki 1.20.2 == This is a maintenance release of the MediaWiki 1.20 branch. === Changes since 1.20.1 === * (bug 42638) Fix API action=options&reset=1 & unit tests. * (bug 42370) Fixed backport of 60cc060 to use mDoneWrites. == MediaWiki 1.20.1 == This is a security release of the MediaWiki 1.20 branch. === Changes since 1.20 === * (bug 42202) Validate options to prevent html injection * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391) * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit * Javscript Lint fixes * (bug 40632) Remove CleanupPresentationalAttributes feature * [Database] Fixed case where trx idle callbacks might be lost. == MediaWiki 1.20 == MediaWiki 1.20 is a stable release. === PHP 5.3 now required === Since 1.20, the lowest supported version of PHP is now 5.3.2. Please upgrade PHP if you have not done so prior to upgrading MediaWiki. === Configuration changes in 1.20 === * $wgGitRepositoryViewers defines a mapping from Git remote repository to the Gitweb instance URL used in Special:Version. * `$wgUsePathInfo = true;` is no longer needed to make $wgArticlePath work on servers using like nginx, lighttpd, and apache over fastcgi. MediaWiki now always extracts path info from REQUEST_URI if it's available. * The user right 'upload_by_url' is no longer given to sysops by default. This only affects installations which have $wgAllowCopyUploads set to true. * Removed f-prot support from $wgAntivirusSetup. * New variable $wgDBerrorLogTZ to provide dates in the error log in a different timezone than the wiki timezone set by $wgLocaltimezone. * New variables $wgDBssl and $wgDBcompress to enable SSL and compression for database connections, if either are available for the selected DB type. * $wgUseCombinedLoginLink now defaults to false, making MediaWiki output separate login and create account links by default. === New features in 1.20 === * Added TitleIsAlwaysKnown hook which gets called when determining if a page exists. * Added NamespaceIsMovable hook which gets called when determining if pages in a certain namespace can be moved. * Added SpecialPageBeforeExecute hook which gets called before SpecialPage::execute. * Added SpecialPageAfterExecute hook which gets called after SpecialPage::execute. * Added ORMTable, ORMRow and ORMResult classes for additional abstraction of database interaction. * Added CacheHelper and associated SpecialCachedPage and CachedAction helper classes. * (bug 32341) Add upload by URL domain limitation. * &useskin=default will now always display the default skin. Useful for users with a preference for the non-default skin to look at something using the default skin. * (bug 27619) Remove preference option to display broken links as link? * (bug 34896) jQuery JSON plugin upgraded to v2.3 (2011-09-17). * (bug 34302) Add CSS classes to email fields in user preferences. * Introduced $wgDebugDBTransactions to trace transaction status (currently PostgreSQL only). * (bug 23795) Add parser itself to ParserMakeImageParams hook. * Introduce a cryptographic random number generator source api for use when generating various tokens. * (bug 30963) Option on Special:Prefixindex and Special:Allpages to not show redirects. * (bug 18062) New message when edit or create the local page of a shared file. * (bug 22870) Separate interface message when creating a page. * (bug 17615) nosummary option should be reassigned on preview/captcha. * (bug 34355) Add a variable and parser function for the namespace number. * (bug 35649) Special:Version now shows hashes of extensions checked out from git. * (bug 35728) Git revisions are now linked on Special:Version. * "Show Changes" on default messages shows now diff against default message text * (bug 23006) create #speciale parser function. * generateSitemap can now optionally skip redirect pages. * (bug 27757) New API command just for retrieving tokens (not page-based). * Added GitViewers hook for extensions using external git repositories to have a web-based repository viewer linked to from Special:Version. * Memcached debug logs can now be sent to their own file logs by setting $wgDebugLogFile['memcached'] to some filepath. * (bug 35685) api.php URL and other entry point URLs are now listed on Special:Version * Edit notices can now be translated. * jQuery upgraded to 1.8.2. * jQuery UI upgraded to 1.8.23. * QUnit upgraded from v1.2.0 to v1.10.0. * (bug 37604) jquery.cookie upgraded to 2011 version. * (bug 22887) Add warning and tracking category for preprocessor errors * (bug 31704) Allow selection of associated namespace on the watchlist * (bug 5445) Now remove autoblocks when a user is unblocked. * Added $wgLogExceptionBacktrace, on by default, to allow logging of exception backtraces. * Added device detection for determining device capabilities. * QUnit.newMwEnvironment now supports passing a custom setup and/or teardown function. Arguments signature has changed. First arguments is now an options object of which 'config' can be a property. Previously 'config' itself was the first and only argument. * New getCreator and getOldestRevision methods added to WikiPage class * (bug 4220) the XML dump format schema now have unique identity constraints for page and revision identifiers. Patch by Elvis Stansvik. * cleanupSpam.php now can delete spam pages if --delete was specified instead of blanking them. * Added new hook ChangePasswordForm to allow adding of additional fields in Special:ChangePassword * Added new function getDomain to AuthPlugin for getting a user's domain * (bug 23427) New magic word {{PAGEID}} which gives the current page ID. Will be null on previewing a page being created. * (bug 37627) UserNotLoggedIn() exception to show a generic error page whenever a user is not logged in. * Watched status in changes lists are no longer indicated by tags with class "mw-watched". Instead, each line now has a class "mw-changeslist-line-watched" or "mw-changeslist-line-not-watched", and the title itself is surrounded by tags with class "mw-title". * Added ContribsPager::reallyDoQuery hook allowing extensions to data to MyContribs * Added new hook ParserAfterParse to allow extensions to affect parsed output after the parse is complete but before block level processing, link holder replacement, and so on. * (bug 34678) Added InternalParseBeforeSanitize hook which gets called during Parser's internalParse method just before the parser removes unwanted/dangerous HTML tags. * Added new hook AfterFinalPageOutput to allow modifications to buffered page output before sent to the client. * (bug 36783) Implement jQuery Promise interface in mediawiki.api module. * Make dates in sortable tables sort according to the page content language instead of the site content language * (bug 37926) Deleterevision will no longer allow users to delete log entries, the new deletelogentry permission is required for this. * (bug 14237) Allow PAGESINCATEGORY to distinguish between 'all', 'pages', 'files' and 'subcats' * (bug 38362) Make Special:Listuser includeable on wiki pages. * Added support in jquery.localize for placeholder attributes. * (bug 38151) Implemented mw.user.getRights for getting and caching the current user's user rights. * Session storage can now configured independently of general object cache storage, by using $wgSessionCacheType. $wgSessionsInMemcached has been renamed to $wgSessionsInObjectCache, with the old name retained for backwards compatibility. When this feature is enabled, the expiry time can now be configured with $wgObjectCacheSessionExpiry. * Added a Redis client for object caching. * Implemented mw.user.getGroups for getting and caching user groups. * (bug 37830) Added $wgRequirePasswordforEmailChange to control whether password confirmation is required for changing an email address or not. * HTMLForm mutators can now be chained (they return $this) * A new message, "api-error-filetype-banned-type", is available for formatting API upload errors due to the file extension blacklist. * New hook 'ParserTestGlobals' allows to set globals before running parser tests. * Allow importing pages as subpage. * Add lang and hreflang attributes to language links on Login page. * (bug 22749) Create Special:MostInterwikis. * Show change tags when transclude Special:Recentchanges(linked) or Special:Newpages. * (bug 23226) Add |class= parameter to image links in order to add class(es) to HTML img tag. * (bug 39431) SVG animated status is now shown in long description. * (bug 39376) jquery.form upgraded to 3.14. * SVG files will now show the actual width in the SVG's specified units in the metadata box. * Added ResourceLoader module "jquery.jStorage" (v0.3.0, http://jStorage.info/). * (bug 39273) Added AJAX support for "Show changes" (diff) in LivePreview. * Added ResourceLoader module "jquery.badge". * mw.util.$content now points to the overall content area in the skin rather than just page text content area. If you need the old behaviour please use $( '#mw-content-text'). * jsMessage has been replaced with a floating bubble notification system complete with auto-hide, multi-message support, and message replacement tags. * jquery.messageBox which appears to be unused by both core and extensions has been removed. * (bug 34939) Made link parsing insensitive ([HttP://]). * (bug 40072) Add CSS classes to items in output of ChangesList pages. * Added $wgCopyUploadProxy global to define which proxy to use for copy uploads. * (bug 40448) mediawiki.legacy.mwsuggest has been replaced with a new module, mediawiki.searchSuggest, based on SimpleSeach from Extension:Vector. * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. === Known issues in 1.20.0 === These are issues that we're targeting to be fixed in a later release in the 1.20 series. Issues may be added or removed from this list as we see fit. For now, it is comprised of those bugs on the 1.20.0 milestone in Bugzilla. * (bug 35894): Reports of secret key generation "hanging" on windows This is probably a bug that has been fixed in PHP. If you run into this, try upgrading your PHP. * (bug 38334): PHP Notice: Undefined index: href in /www/w/skins/Vector.php on line 416 We think this is a problem in some extension. If you see this, try disabling your extensions and check out the logging patch on this bug. Or try this patch: * (bug 39268): [Regression] Toolbar inserts in main textarea only (instead of the focussed textarea) This should only be an issue if you are using the ProofreadPage extension. * (bug 40641): Clicking "others" in Special:Version asks to download a file If you encounter this, you can tell your webserver to serve the CREDITS file with text/plain MIME type to fix it. === Bug fixes in 1.20 === * (bug 40939): [Regression] InfoAction: Call to a member function getUserText() on a non-object * (bug 40780): searchsuggest-containing line ("containing...") doesn't include the entered text * (bug 37714): [Regression] Incomplete log entries * (bug 27202): API: Add timestamp sort to list=allimages * (bug 30245) Use the correct way to construct a log page title. * (bug 34237) Regenerate an empty user_token and save to the database when we try to set the user's cookies for login. * (bug 32210) New edit emails for watched pages always provide a link to the edit which triggered the mail. * (bug 12021) Added user talk link on Special:Listusers. * (bug 34445) section edit and TOC hide/show links are excluded from selection and copy/paste on supporting browsers. * (bug 34428) Fixed incorrect hash mismatch errors in the DiffHistoryBlob history compression method. * (bug 34702) Localised parentheses are now used in more special pages. * (bug 34723) When editing a script page on a RTL wiki the textbox should be LTR. * (bug 34762) Calling close() on a DatabaseBase object now clears the connection. * (bug 34863) Show deletion log extract on non-existent file pages if applicable. * (bug 28019) Let ?preloadtitle=foo be passed on to target of Special:MyPage and Special:MyTalk. * (bug 34929) Show the correct diff when a section edit is rejected by the spam filter. * (bug 15816) Add a switch for SETting the search_path (Postgres). * (bug 34521) Returning to the previous page after logging in loses any array- valued parameters in the query string. * (bug 34735) Updated compressOld.php documentation to mention the different usages of -s and -n parameters depending on compression type. * (bug 13896) Rendering of devanagari numbers in automatic '#' number lists. * (bug 33689) Upgrade to 1.19 on Postgres fails due to incomplete query when. trying to defer foreign key for externallinks. * (bug 32748) Printer friendly version of article decode Unicode chars as a pretty IRI in footer. * Removed white border around thumbnails in galleries. * (bug 31236) "Next" and "Previous" buttons are shown incorrectly in an RTL environment. * (bug 35749) Updated maintenance/checkSyntax.php to use Git instead of Subversion when invoked with the --modified option. * (bug 35069) On history pages, the " . . " separator after the number of characters changed in a revision is now suppressed if no text would follow. * (bug 18704) Add a unique CSS class or ID to the tagfilter table row at RecentChanges * (bug 33564) transwiki import sometimes result in invalid title. * (bug 35572) Blocks appear to succeed even if query fails due to wrong DB structure * (bug 31757) Add a word-separator between help-messages in HTMLForm * (bug 30410) Removed deprecated $wgFilterCallback and the 'filtered' API error. * (bug 32604) Some messages needs escaping of wikitext inside username. * (bug 36537) Rename wfArrayToCGI to wfArrayToCgi for consistency with wfCgiToArray. * (bug 25946) The message on the top of Special:RecentChanges is now displayed. in user language instead of content language. * (bug 35264) Wrong type used for in export.xsd * (bug 24985) Use $wgTmpDirectory as the default temp directory so that people who don't have access to /tmp can specify an alternative. * (bug 27283) SqlBagOStuff breaks PostgreSQL transactions. * (bug 35727) mw.Api ajax() should put token parameter last. * (bug 37708) mw.Uri.clone() should make a deep copy. * (bug 38024) ResourceLoader should not create empty stylesheets for modules that don't have stylesheets. * (bug 36812) Special:ActiveUsers "Hide bots" should hide users from any group having the "bot" user right, instead of just the default "bot" user group. * (bug 35082) mw.util.addPortletLink incorrectly adds link to mutiple