path: root/RELEASE-NOTES-1.26
Security reminder: If you have PHP's register_globals option set, you must
turn it off. MediaWiki will not work with it enabled.

== MediaWiki 1.26.3 ==

This is a maintenance release of the MediaWiki 1.26 branch.

=== Changes since 1.26.2 ===
* (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
* (T123166) Fix fatal error when importing pages to titles which cannot be
  created, such as invalid titles or titles the user is not allowed to edit.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to
  m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after
  SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primitives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in
  (many?) parser tags
* (T116030) Increase pbkdf2 parameter strengths
* (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
* (T126685) Globally throttle password attempts

== MediaWiki 1.26.2 ==

This is a maintenance release of the MediaWiki 1.26 branch.

=== Changes since 1.26.1 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.

== MediaWiki 1.26.1 ==

This is a maintenance release of the MediaWiki 1.26 branch.

=== Changes since 1.26.0 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
  that do not begin with a slash. This enabled trivial XSS attacks.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
  error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
  with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
  longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
  result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
  and related pages no longer use HTTP redirects and are now redirected by
  MediaWiki
* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
* Fixed stray literal \n in Special:Search.
* Fix issue that breaks HHVM Repo Authoritative mode.
* (T120267) Work around APCu memory corruption bug
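
The $wgArticlePath rule from the T117899 note above, as an added example that is not MediaWiki's own code: a small audit of LocalSettings.php text that can be run before upgrading. The function names and the sample settings are constructed for illustration, and accepting https:// as well as http:// is an assumption.

```php
<?php
// Added example, not MediaWiki code. checkArticlePath() and auditSettings()
// are hypothetical helper names.

/** Apply the rule from the T117899 note to one literal value. */
function checkArticlePath( $value ) {
	// Absolute URL, e.g. "http://my.wiki.com/wiki/$1" (https is assumed OK too).
	if ( preg_match( '!^https?://!i', $value ) ) {
		return 'ok (absolute URL)';
	}
	// Server-relative path, e.g. "/wiki/$1".
	if ( $value !== '' && $value[0] === '/' ) {
		return 'ok (begins with a slash)';
	}
	// "$1", "wiki/$1" and similar values now throw an error.
	return 'REJECTED (relative path without a leading slash)';
}

/**
 * Find $wgArticlePath assignments in LocalSettings.php source text and
 * classify each one. Commented-out lines are skipped. Values built from
 * other variables cannot be resolved statically and are flagged for review.
 */
function auditSettings( $source ) {
	$findings = array();
	$pattern = '/^\s*\$wgArticlePath\s*=\s*(["\'])(.*?)\1\s*;/m';
	preg_match_all( $pattern, $source, $matches, PREG_SET_ORDER );
	foreach ( $matches as $m ) {
		$quote = $m[1];
		$value = $m[2];
		// In a double-quoted PHP string "$1" stays literal, but
		// "$wgScriptPath" or "{$var}" is interpolated at run time.
		if ( $quote === '"' && preg_match( '/\$[A-Za-z_{]/', $value ) ) {
			$findings[] = array( $value, 'MANUAL CHECK (interpolated variable)' );
			continue;
		}
		$findings[] = array( $value, checkArticlePath( $value ) );
	}
	return $findings;
}

// Constructed sample settings, not taken from a real wiki.
$sample = <<<'EOT'
$wgScriptPath = "/w";
# $wgArticlePath = "$1";
$wgArticlePath = "wiki/$1";
$wgArticlePath = "$wgScriptPath/index.php/$1";
$wgArticlePath = '/wiki/$1';
EOT;

foreach ( auditSettings( $sample ) as $finding ) {
	printf( "%-32s %s\n", $finding[0], $finding[1] );
}
```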

== MediaWiki 1.26 ==

=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes['email'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
  instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
  use the 'rawcontinue' parameter to receive raw query-continue data, but the
  new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The "Signature" button on the edit toolbar is now hidden by default
  in non-talk namespaces. A new configuration variable,
  $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
  the "Signature" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
  feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
  This experimental feature was never enabled by default and is obsolete as of
  MediaWiki 1.26, in which ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.
* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
  in extension.json) have been removed, after being deprecated in 1.24.
* $wgAlwaysUseTidy has been removed.
* ResetSessionID hook has been removed. Nothing seems to use it.
* Certain AuthPlugin methods are deprecated in favor of new hooks:
** AuthPlugin::initUser() is replaced by LocalUserCreated.
** AuthPlugin::updateUser() is replaced by UserLoggedIn.
** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
** AuthPluginUser::isHidden() is replaced by UserIsHidden.
** AuthPluginUser::isLocked() is replaced by UserIsLocked.
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
  the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows
  blocked users to edit their talk pages unless explicitly disabled
  when they are being blocked.

=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
  See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
  to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
  "tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
  are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
  search results is rendered. The initial use case is to append a "give us
  feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to
  reject an otherwise-successful parser cache lookup. The intent is to allow
  extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
  ($wgExtendedLoginCookieExpiration) can be configured independently of the
  expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
  if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
  of WebP images is still disabled by default. Add $wgFileExtensions[] =
  'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' &
  'EnhancedChangesListModifyBlockLineData', to modify the data used to build
  lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
  This corresponds to a new $wgMainWANCache setting, which defaults to using
  the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
  the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
  memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used
  by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
  for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
  startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
  page. During the deprecation period, the styles will only be loaded on pages
  which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
  only be loaded if explicitly required.
* If a search returns zero results and the current search engine has a "did
  you mean" suggestion, results for the suggestion will be shown. Can be
  disabled by setting $wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki
  from the client-side. See documentation for mw.Upload and its
  subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See
  documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
  subclasses for more information.

=== extension.json changes in 1.26 ===
* (T99344) The extension.json schema is now versioned. All extensions
  and skins should set a "manifest_version" property corresponding to
  the schema version they were written for. The only supported version
  currently is "1".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged,
  which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings
  can now set a "_prefix" key to override the default of "wg".
* (T99084) Extensions can now specify what MediaWiki core versions they
  depend upon.
* (T105236) The extension.json schema now validates custom classes in
  the "ResourceModules" property properly.

=== External library changes in 1.26 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.

==== New external libraries ====
* Added composer/semver v1.0.0.
* Added mediawiki/at-ease v1.1.0.
* Added wikimedia/assert v0.2.2.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.

==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.

=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a "rel=discussion" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
  value if set to an empty string.

=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may
  use the 'rawcontinue' parameter to receive raw query-continue data, but the
  new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the
  tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters
  to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than
  revision ID. This usually won't make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
  with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of
  sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
  information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random's rnredirect parameter is deprecated in favor of a new
  rnfilterredir parameter that also allows for listing both redirects and
  non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers,
  and will honor corresponding If-None-Match and If-Modified-Since on such
  requests.

=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
  into the value when the value is an assoc.
* API action modules may now provide values for the RFC 7232 ETag and
  Last-Modified headers. The API will check these against If-None-Match and
  If-Modified-Since request headers on GET requests and avoid executing the
  module when appropriate.

=== Languages updated in 1.26 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Languages added:
** ase (American sign language), thanks to translator Icemandeaf
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
   मेश सिंह बोहरा, and राम प्रसाद जोशी
** luz (لئری دوٙمینی / Southern Luri)
** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
   Ilja.mos, and Mashoi7

=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message
  for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
  ContentHandler, to provide a way for ApiEditPage and EditPage to check
  if direct editing of content is allowed. These methods return false
  by default for the ContentHandler base class and true for TextContentHandler
  and its derivative classes (everything in core). For Content types that
  do not support direct editing, an alternative mechanism should be provided
  for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
  one function. The callback can't be called directly any more. The callback
  function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to
  ResourceLoaderModule::getDependencies(). Extension classes that override that
  method should be updated. If they aren't updated, PHP Strict standards
  warnings will appear when E_STRICT error reporting is enabled. Note: in the
  near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
  ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
  items that were stripped during parsing. It will use a fixed string instead.
  This causes the parser to re-use the regular expressions it uses to search
  and replace markers rather than generate novel expressions on each parse.
  Re-using regular expressions will improve performance on HHVM and the
  forthcoming PHP 7. The interface changes accompanying this change are:
  - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
  - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
    $prefix argument for StripState::__construct() are deprecated and their
    value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
  mediawiki/at-ease, and are now deprecated. Callers should use
  MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
  instead of many optional positional arguments. Calling the constructor the old
  way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
  a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
  are deprecated. Applications using those can work via the OAuth
  extension instead. New token types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.

== Compatibility ==

MediaWiki 1.26 requires PHP 5.3.3 or later. There is experimental support for
HHVM 3.3.0.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==

1.26 has several database changes since 1.25, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.25.x and older releases, see HISTORY.

== Online documentation ==

Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

	https://www.mediawiki.org/wiki/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

	https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

	https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.freenode.net.