File mediawiki.changes of Package mediawiki
-------------------------------------------------------------------
Thu Jul 31 18:17:04 UTC 2025 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.13
Security and maintenance release
* Localisation updates.
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message
in FeedUtils.
* (T391867) http: Handle accept header with incomplete q.
* Update Pingback address.
* (T393879) objectcache: Cast explicitly to integer.
* (T394989) FormatMetadata::formatFraction: Don't risk passing
null to preg_match.
* (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
* (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param
to string.
* (T221560) Remove hyphens from legal search characters for
MySQL-based database searches.
* ParserCache forward-compatibility: anticipate removal
of OutputHooks.
* Protect against ParserOutput/CacheTime re-namespacing.
* ParserCache forward-compatibility: anticipate removal
of TOCHTML.
* SerializationTestUtils: handle 1.xx_wmf* versions; don't
fail immediately.
* AuthManager: Be consistent about the remember flag
on autocreate.
* (T397883, T397643) htmlform: fix min/max validations on empty
input in int/float fields.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in
HTMLUserTextField validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages
in action=feedcontributions.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to
unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected
XSS when invalid 'format' is provided.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation
as login for reauthentication.
-------------------------------------------------------------------
Fri Apr 18 10:50:13 UTC 2025 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.12
Security and maintenance release
* Localisation updates.
* (T380755) session: Do not set session.use_trans_sid.
* (T382987) $wgDnsBlacklistUrls now defaults to an empty array.
See the comment in the "Configuration changes for system
administrators" section.
* (T382484) dumps: Use proc_close() to close proc_open()
subprocess.
* (T315202) Account for null values in Exif data.
* (T384879) FormatMetadata: Prevent running preg_match()
on null.
* (T384995) specialpage: Improve handling of invalid lang codes
on login/signup.
* (T385169) MultiUsernameFilter: Don't try to split ids if
they're not a string.
* (T319219) Fix Site::getPath() + MediaWikiSite::getFileUrl()
confusion.
* (T385332) feeds: Fix str_replace() deprecation warnings
on PHP 8.
* (T379125) exception: Suppress dependency loop exception.
* (T381033) RateLimiter: Fix peek mode.
* (T387130, CVE-2025-32699) SECURITY: Update wikimedia/parsoid
to 0.16.5.
* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace
error.
* (T387638) RevDelList: Ensure setVisibility always includes
itemStatuses in value if applicable.
* (T388296) ImportImages: Exit with non-zero code if import
fails.
* Request: Improve log message when headers already sent.
* (T388066) Avoid trying to load the session user in
MW_NO_SESSION endpoints.
* (T388171) HttpError: Cast Message to string.
* (T388255) ApiLogin: Don't break BotPasswords if password or
user is blank, just error.
* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace:
Apply same anti-null fix as 270499b.
* (T387690) upload: Suppress warnings from iconv().
* (T388733) Sanitizer::normalizeWhitespace: simplify redundant
preg_replace.
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions
on file revert action.
* (T388924) MagicWord::replace*: Make sure we don't pass null
into preg_match/preg_replace.
* (T390063, T277675) ResourceLoader: update wikimedia/minify
to 2.9.0.
* (T368921) ResourceLoader: Set "math=always" before Less.php
5.0 upgrade.
* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null
to parameter #1 ($haystack).
* In .htaccess deny files, use "Satisfy All".
* (T389028) block: Fix DBS::acquireTarget() race using
GET_LOCK().
* permissions: Check cascade protection only if page can exist.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction
enforcer functions do not correctly enforce suppression
restrictions.
* (T387130, CVE-2025-32699) SECURITY: Potential javascript
injection attack enabled by Unicode normalization in
Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
HTMLMultiSelectField when sections are used.
-------------------------------------------------------------------
Sun Jan 12 06:11:57 UTC 2025 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.11
Security and maintenance release
* Localisation updates.
* (T377450) [DatabaseUpdater] Don't interact with updatelog on
virtual domains.
* (T377916) specials: Avoid passing null to str_replace().
* (T378006, T372500) AutoLoader: Use require_once rather
than require.
* (T378304) GlobalIdGenerator: Update str_getcsv() call
for PHP 8.4.
* Upgrade php-session-serializer from 2.0.1 to 3.0.0.
* Upgrade xmp-reader from 0.8.6 to 0.9.2.
* (T372569) installer: Consistently use double quotes when
outputting settings.
* (T362829) Correct range error in regexp of formatmetadata.
* (T381068) ButtonAuthenticationRequest:
Add AllowDynamicProperties directive.
-------------------------------------------------------------------
Tue Oct 15 16:32:48 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.10
* Fix issue related to backport of AbuseFilter patch for T372998.
- Changes in Mediawiki 1.39.9
Security and maintenance release
* Localisation updates.
* (T303007) skins: Fix Skin::buildSidebar to not share cache
between skins.
* (T367918) When using the 'runMaintenance' method in a
LoadExtensionSchemaUpdates hook handler, only the script's
class name is required, not its path.
* Clarify that $wgAllowCrossOrigin only applies to REST.
* (T370380) installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES
in update.php.
* composer.json: Add 5 more ext- to suggests.
* resources: Fix 404 Not Found for foreign
Financial-Times/polyfill-library.
* ResourceLoader: Fix regression of color mapping in Less.php.
* ResourceLoader: Upgrade wikimedia/less.php to 4.4.1.
* SpecialExport: Prevent passing null to strtolower.
-------------------------------------------------------------------
Thu Sep 12 05:29:32 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>
- Update mod_php_any requires, php < 8.4.0 is supported
-------------------------------------------------------------------
Sun Jun 30 18:37:44 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.8
Security and maintenance release
* Localisation updates.
* tests: Skip failing tests on php8.2 (and make pass).
* (T326480) ApiResult: Make array ordering consistent across
PHP versions.
* (T352789, T287972) build: Raise TestingAccessWrapper
from 2.0.0 to 3.0.0.
* (T326478) tests: Create new classes to hold dynamic properties
in auth tests.
* (T326478) tests: Avoid dynamic properties in
AuthenticationProvider Test.
* (T326466) Introduce and use DynamicPropertyTestHelper.
* tests: Skip failing tests on php8.3 (and make pass).
* (T352910) tests: Use TestingAccessWrapper::newFromClass in
session tests.
* (T326478) tests: Avoid dynamic properties in auth tests.
* (T326479, T361985) StatusValue: Allow passing arbitrary data
to augment result.
* tests: Remove dead code from
WikiPageDbTest::assertPreparedEditNotEquals.
* (T326478) tests: Avoid dynamic properties in
SessionManagerTest.
* (T361990) Upgrading wikimedia/parsoid (v0.16.3 => v0.16.4).
* (T357760) Use i18n strings for truncated subpage message in
SpecialMovePage.
* ArticleTest: Skip testGetOrSetOnNewProperty() if PHP >= 8.2.
* (T361982) Update wikimedia/less.php from 3.1.0 to 3.2.1.
* debug: Update PsySH 0.11.1 -> 0.12.3.
* (T361991) Fix slash-delimited regex from CLI on
maintenance/grep.php.
* (T362078) Improve RestAPIAdditionalRouteFiles path expansion.
* (T352695) tests: Only set $dbSetup if setupTestDB() ends
without throwing.
* (T302186) Add title cache for Title::newMainPage().
* objectcache: Fix flaky WANObjectCacheTest::testLockTSESlow
case.
* (T362272) api: Replace null $httpCode by 0 in
ApiBase::dieWithErrorOrDebug.
* (T150647, T216682) Make EncryptedPassword work with
Argon2Password.
* (T327220) Special:ApiHelp: Move widths and floats in CSS to
media query.
* (T364270) Fix long param names overlapping docs in API help
pages.
* MaintenanceRunner.php: Add trailing newline to error message.
* wrapOldPasswords: Improve progress output and decrease
batch size.
* (T361367) ApiFeedWatchlist: Fix handling of array parameters.
* (T132418) ResourceLoader: Add 1min grace via
stale-while-revalidate Cache-Control.
* (T366130) EncryptedPassword: Store default parameters
as strings.
* Name the PagerTools array entries to allow hooks to
unset them.
-------------------------------------------------------------------
Sun Apr 21 09:33:38 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.7
Security and maintenance release
* Localisation updates.
* (T334992) Headings in the license pickers should not
be selected.
* (T353929) ActiveUsersPager: Count actions only once.
* composer: Use @php instead of php.
* (T326065) Indent JsonContent using tabs.
* (T354541) authmanager: Improve AuthenticationRequest docs.
* (T355017) Add missing space in Special:RecentChangesLinked.
* (T355003) composer.json Add ext-bcmath and ext-gmp
to suggests.
* PHPVersionCheck: Update text to match currently supported
upstream PHP versions (8.1+).
* (T354045) API: mark HTML output as non-cacheable.
* (T355530) filerepo: Fix img_major_mime for files with a
non-standard extensions.
* (T355530) MimeAnalyzer: Add @since to isValidMajorMimeType.
* (T317489, T319202) Mark some parserTests on talk pages
Parsoid only on REL1_39.
* (T350594) Update wikimedia/parsoid to 0.16.3.
* (T352554) ZhConverter: Fix language variant fallback chain.
* (T357668) Parser::getExternalLinkAttribs: Don't set rel
attribute to null.
* LockManagerGroupIntegrationTest: Remove test depending
on DBLockManager.
* (T357808) LinkRendererTest: Add missing import for LinkTarget.
* (T353305) ApiResetPassword: Allow both user and email
parameters to be passed for reset.
* (T358949) updateCollation: Explicitly cast $scale to int.
* (T359055) api: Improve linking of language codes lists in
top level i18n messages.
* (T359294) Make sure MovePage::isValidFileMove matches
UploadBase::getTitle.
* (T230245) Respect $maxConcurrency when queuing async FileOps.
* (T352554) Follow-up "ZhConverter: Fix language variant
fallback chain".
* (T292237, T317451) build: Restore Doxygen output for
MediaWiki release tags.
* (T324903) HistoryPager: Add #[AllowDynamicProperties].
* (T360850) Update Apache config syntax in .htaccess files.
* (T309714, T354274) mime: Add support for 'font/woff' and
'font/woff2' mime type.
* (T309714) mime: Make test cases use data provider.
* (T331608) installer: Bear with schema drift caused by running
old updater.
* docs: Remove use of $IP from mwdocgen.php.
* (T317451) build: Restore Doxygen output for MediaWiki
release tags (take 3).
* docs: Set stable permalink on markdown files.
* (T357019) allow maintenance/deleteBatch.php to accept page ID.
* (T355538, CVE-2024-PENDING) XSS in edit summary parser.
* (T357760, CVE-2024-PENDING) Denial of service vector via GET
request to Special:MovePage on pages with thousands of
subpages.
-------------------------------------------------------------------
Fri Feb 23 18:12:38 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>
- Use %autosetup macro. Allows eliminating the use of deprecated
%patchN; prepare for RPM 4.20.
-------------------------------------------------------------------
Sun Jan 14 11:04:22 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.6
Security and maintenance release
* Localisation updates.
* Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
* Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
* (T344912) mail: Encode period (ascii 46) if it appears in
encoded email header.
* Added symfony/polyfill-php82.
* Added symfony/polyfill-php83.
* Updated symfony/yaml from 5.4.10 to 5.4.23.
* (T329609) ApiQueryLanguageinfoTest: Do not pass a float to
setFakeTime.
* Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
* tests: Provide coverage for StatusValue::__toString.
* StatusValue: Improve logging/debug output with multibyte
characters.
* (T347726, CVE-2023-51704) SECURITY: logging: Fix non-escaped
messages used in rights log.
* Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
* (T229992) LocalisationCache: Preserve fallback source
language info.
* (T275085) Fix logging Status objects to 'authevents' channel.
* (T341310) DEVELOPERS.md: mention git clone and WSL.
* (T351758) DEVELOPERS.md: reword WSL instructions to include
best practices.
* (T349115) LocalisationCache: Fix a rare case in fallback
source language.
* SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null
to parameter #1 ($string) of type string is deprecated".
* maintenance: Add missing parenthesis to SQL
in attachLatest.php.
* (T353472) maintenance: Fix join condition in
DeduplicateArchiveRevId.
-------------------------------------------------------------------
Mon Oct 9 05:25:32 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.5
Security and maintenance release
* Localisation updates.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
self-redirects with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T317255) VueComponentParser: Use Zest's getElementsByTagName()
rather than PHP's.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations
back to zh-hans, zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the
nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writing
about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the <comment> tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T274041) Include core PSR-4 classes in the generated classmap.
* (T208477) $wgPrivilegedGroups – Users belonging to some of the
listed groups will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json,
which lets you add any new user groups you define to
wgPrivilegedGroups (see above).
* HTMLForm: Fix E_NOTICE when hide-if is used with
setFormIdentifier.
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice
unconditionally.
* (T265734) API Help: Note that parameters may be inherited from
other context.
* API: Make continue parameter help description more specific.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for
redirects/linkshere/transcludedin/fileusage show.
* (T285545) i18n: Split apihelp for parameter
list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter
list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter
action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter
action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2
is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T326696) user: Truncate option value in UserOptionsManager.
* (T326696) ApiOptions: Give warning if the value is too long.
* API i18n: Add {{PLURAL:}} for byte count messages.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* updateSpecialPages.php: Avoid implicit float conversion
on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call
$importer->setUsernamePrefix().
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous
unescaped messages leading to potential XSS.
* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022:
vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser
("X intermediate revisions by the same user not shown") ignores
username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading
crafted XML file to Special:Upload (non-standard configuration).
-------------------------------------------------------------------
Wed Jul 5 05:35:42 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.4
Security and maintenance release
* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to
1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7
(2.4.0 => 2.4.5).
* (T333776) Template:ACTIVEUSERS wasn't being updated without
updateSpecialPages.php.
* (T258860) Prevent LogicCache exception from message cache
during IO errors from memcache.
* (T336868) Improve idempotency of postgres index upgrades.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in
BlockLogFormatter.
* A fake MessageLocalizer for use in unit tests.
* (T338114) Title: Add forward alias.
* composer: Add symfony/polyfill-php81 like
symfony/polyfill-php80.
* (T330464) Work around argument corruption bug in
XMLReader::open.
* Fix frame and frameless rdfa depending on file existing.
* Fixes for the phan upgrade, part 1.
* Fixes for the phan upgrade, part 2.
* (T298571) build: Update mediawiki/mediawiki-phan-config
to 0.12.0.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* (T329214) Pass whether current rev of file exists to
Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a
thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup
to Linker.
-------------------------------------------------------------------
Fri Mar 31 04:47:38 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.3
Security and maintenance release
* Localisation updates.
* (T225218) LinksUpdate: Use DB key for category links table.
* GlobalFunctions: Remove check for MEDIAWIKI constant.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330382) postgres: Make the upgrade ignore dropping indexes
that might not exist.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault
in multiselects.
* (T291753) rdbms: escape backslashes in makeConnectionString
for PostgreSQL.
* (T325529) Fix total breakage of wgCanonicalServer fallback.
* (T318103) mediawiki.storage: Disable async GC during
integration test.
* (T332461, T332397) TempFSFile: Keep the WeakMap alive.
* (T332902) page: fix InvalidArgumentException in
SQLPlatform::makeList.
* (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to
untrusted XFF headers.
- Fix some rpmlint warnings
-------------------------------------------------------------------
Sun Mar 19 11:26:11 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.2
Maintenance release
* Localisation updates.
* (T325872) ChangeTags: Remove table name from condition.
* (T324895) MWCallbackStream: Add explicit $stream property.
* (T297031, T326039) PostgresUpdater: Move setDefault ahead of
changeNullableField.
* (T321319) Produce HTML for invalid JSON.
* (T215466, T326071) MigrateActors: Write to revision table
(Follow-up 24115a8).
* (T223027) ReservedUsernames config: Add reserved names from
maintenance scripts.
* (T325000, T324896, T307631) Updated OOUI from v0.44.3
to v0.44.5.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening
measure.
* (T322583) Include missing message parameter in message.
* LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
* DatabaseSqlite: fix null blobs.
* rdbms: avoid pg_escape_bytea() call-style deprecation notices.
* (T322278) Improve LocalisationCache post-merge validation check.
* (T324408, T326367) Updated wikimedia/remex-html from 3.0.2
to 3.0.3.
* (T322278) Fix the remaining Phan failures on PHP 8.1.
* (T322278, T326367) Respond to some messages from Phan on
PHP 8.1.
* Fix phan error when Excimer is enabled.
* (T326021) Add matrix: to $wgUrlProtocols.
* (T314099) stream wrapper: Declare $context class property.
* (T314099) libs\jsminplus: Declare JSNode::$expression.
* (T314096) composer.json: Updated composer/spdx-licenses from
1.5.6 to 1.5.7.
* (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
* (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
* (T215466, T326071) installer: Split drop action out of the SQL
patch for actor migration.
* (T322603) SqliteMaintenance.php: Fix fatally broken instanceof
check.
* (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect
code.
* (T328222) Pass empty string to strlen() if schema is null for
PostgresDatabase.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with
non-string getNativeData().
* (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being
released.
* (T314099) revisiondelete: Replace dynamic property
Status::$itemStatuses.
* (T327821) skin: Restore default 'value' attribute in
makeSearchButton().
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max
message.
* (T329415) Clear the statsd data buffer regardless of
StatsdServer config.
* (T292348) WikiImporter: do not fail if upload entry in dump
lacks 'text' tag.
* (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if
no path.
* (T324894) TempFSFile: Use a WeakMap for reference tracking
if available.
* (T295637) Add no to fallback chain of nb and nn.
-------------------------------------------------------------------
Sat Dec 24 06:32:21 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.1
Security and maintenance release
* Localisation updates.
* PostgresUpdater: Remove trailing space from 'user_id ' column.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324516) postgres: Fix upgrade for templatelinks primary key.
* (T324890, T324891, T324901) Parser: Allow dynamic properties
on PHP 8.2.
* (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
* (T314099) OutputPage: Remove unused dynamic property
ParserOptions->isBogus.
* (T314099) api: Remove use of undeclared property in
action=comparepages.
* Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
* (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
* Updated pear/mail (v1.4.1 => v1.5.0).
* Removed wikimedia/dodo (v0.4.0).
* (T324910) On pages using multi-content revisions, the raw
content of a specific slot can be retrieved using the
action=raw&slot=<role-name> query parameters.
* (T322637) SECURITY: sqlite should not create DB file
world-readable.
-------------------------------------------------------------------
Sun Dec 4 07:13:30 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.39.0
* MediaWiki 1.39 is an LTS and is due to be supported until the
end of November 2025.
* Please visit and read before updating:
https://www.mediawiki.org/wiki/Release_notes/1.39
- Update Requires to php > 7.4.3 and < 8.2.0
- Rebase and rename mediawiki-use-localsettings-from-webroot.patch
-------------------------------------------------------------------
Fri Sep 30 15:07:49 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.37.6
Maintenance release
* Fix missing use statement from backport of fix for T307278.
- Changes in Mediawiki 1.37.5
Security and maintenance release
* Localisation updates.
* (T312519, T312520) Parser::extensionSubstitution() Don't run
substr() on null.
* (T287564) populateInterwiki: Include not null columns
iw_api/iw_wikiid.
* (T312302) SpecialRedirect: Don't pass null to explode.
* RemoveInvalidEmails: Fix quoting for postgres.
* (T312678) import: UploadSourceAdapter::stream_read() don't
pass null to strlen().
* (T312300) SpecialDiff: Don't pass null to explode().
* (T312680) parser: Fix CoreParserFunctions::urlencode() null
coalescence $arg.
* (T289926) Handle null passed to wfShorthandToInteger()
and Html::element().
* (T289926) Ensure that strlen() does not get passed a
(valid) null.
* (T312301) SpecialDiff: Don't pass null to trim().
* Hooks: Use more meaningful name for SkinAfterPortlet hook
parameter.
* (T289926) Ensure we don't pass null to mb_strlen.
* (T312305, T311572, T311571, T311578) HtmlForm: Null
coalescence in trim() calls.
* (T289926) site: Consistently return null from
Site::getDomain().
* (T307304, T289879) filebackend,jobqueue: Add signature for
FilterIterator::accept().
* (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test
mock for PHP 8.1.
* Add application/vnd.ms-opentype to MIME list.
* Allow composer/installers plugin in composer.json.
* Change type hints for BatchRowIterator and NotRecursiveIterator
for compatibility with PHP 8.1.
* (T313663) [php8.1] Change override of $wgResourceBasePath for
CSP tests.
* (T313663) parser: Mock WikiPage::getContentModel in
ParserCacheTest to fix php8.1.
* (T313663) [php8.1] Make WikiImporterFactoryTest use better
mock for ImportSource.
* Fix tests so getName() doesn't return null.
* (T313663) [php8] Don't use strlen on potentially null string.
* (T313663) [php8.1] Suppress test warning about providing null.
* (T313663) Parser will use current timestamp instead of null
if passed a RevisionRecord that does not have a timestamp.
* (T313663) Add explicit null check for $sha in FileBackend
[php8.1].
* (T313663) LogFormatter: Cast argument of ctype_digit to string
[php8.1].
* (T313663) Mock UserOptionsManager::getOption for php8.1.
* (T289879, T289926) Get rid of warnings on PHP 8.1.
* (T313663) Check for null return of preg_replace in
MediaWikiTitleCodec.
* (T313663) cast db name to string when checking if it is read
only [php8.1].
* (T313663) Avoid testing strlen on null in ApiQuerySiteinfo
[php 8.1 compat].
* Fix a couple of deprecation warnings in the installer under
PHP 8.1.
* (T313663) Use default timezone UTC for SpecialWatchlistTest
[php 8.1].
* (T313663) Mock User::getTitleKey in SpecialPreferencesTest
[php 8.1].
* (T314096) Migrate use of ${var}-style string interpolation.
* (T314099) preprocessor: Add missing field declarations.
* (T313663, T313662) Make default value for optional args
{{PAGESINCAT:..}} be '' not null.
* (T314225) SpecialCategories: Null coalescence $par.
* (T314099) User: Allow dynamic properties on PHP 8.2.
* (T314397) SpecialBlock: Better handle null in
getTargetUserTitle.
* (T314099) phpunit: Fix trivial dynamic property usages
in tests.
* (T314405) UploadStash: Check if us_prop is set in the
fileMetadata.
* (T313663) Make ChangesListSpecialPageTest cast to string
for php 8.1.
* (T313663) Do not test giving a null fragment to
Title::makeTitle.
* (T314550) SpecialMergeHistory: Set timestamp to '' if no
mergepoint.
* (T314551) SpecialMergeHistory: Set defaults for target and
dest parameters.
* api: Add rel=nofollow to help examples.
* (T307613) Validate length of user email on
Special:ChangeEmail/Special:CreateAccount.
* (T314226) LoginSignupSpecialPage: Check if $value is a string
before length.
* (T314824) tests: Update parser test after i18n change.
* (T295958, T278847) MediaWiki-Docker: Switch PHP images to
PHP7.4.
* (T314906, T314907) SpecialBlock: Set defaults for
wpPageRestrictions and wpNamespaceRestrictions.
* (T315309) ImportStreamSource::newFromURL() Prevent passing
null to fwrite.
* (T315892) composer.json: Pin phpunit to 8.5.28.
* (T313049) Bump wikimedia/parsoid to v0.14.2.
* (T317750) session: Fix broken SessionTest case due to PHPUnit
dependency change.
* (T318079) SpecialEditTags: Set default value of wpTagsToRemove
to empty array.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T318307) Update docs for HTMLFormField::validate() to permit
all data types.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't
update results in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes
existence of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the
message "alreadyrolled" can leak revision deleted user name.
-------------------------------------------------------------------
Sat Jul 9 17:02:25 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.37.4
Maintenance release
* Localisation updates.
* (T311568) UploadBase::setTempFile() handle $tempPath being
passed as null.
* (T311559) SpecialListFiles: user parameter isn't always present.
* (T311561) ImageListPager: Don't call htmlspecialchars() on null.
* (T311920) SpecialBlockList: Prevent passing null to trim().
* (T311921) SpecialUserrights: Don't pass null to str_replace.
* (T311570) SpecialWithoutInterwiki: Don't pass null through to
Title::capitalize().
* (T311574, T311576) SpecialLinkSearch: Don't pass null through
to the parser.
* (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
* (T296435, T297669) cache: Add four fields to
LinkCache::getSelectFields.
- Changes since Mediawiki 1.37.3
Security and maintenance release
* Localisation updates.
* (T289879) Type hints for ArrayAccess and JsonSerializable.
* (T304783) TemplateParser: avoid warnings when called by
NoLocalSettings.
* Rebuilt vendor with composer 2.3.3.
* Fix old_name in UserLogoutComplete hook.
* (T289879) Address some deprecations for PHP 8.1.
* (T193565) UserGroupManager: Fix dbDomain in addUserToGroup()
deferred update.
* (T309114) LocalFile::prerenderThumbnails: Limit the number of
thumbnail jobs triggered.
* (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
* (T308471) SECURITY: Escape welcomeuser message passed to
showSuccessPage().
* (T308473) SECURITY: Escape contributions-title msg for use
within page title.
* (T311272) Call parent constructor of AddSite maintenance
script first.
* MediaWiki: Don't eagerly initialize action name.
* Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
* (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0
to 7.4.5.
* (T289926) Avoid passing null to trim() in SkinTemplate.
* (T311473) rollbackEdits: Pass user identity to RollbackPage.
* (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
* (T311551) ShellboxClientFactory::getUrl(): Check if $this->key
is null.
* (T311552) ChangesListSpecialPage: Don't pass null to
FormatJson::decode().
* (T311569) FileBackend::isStoragePath() Handle being passed null.
* (T311544) Pass int to ApiUsageException::newWithMessage()'s
$httpCode param.
* (T311678) SpecialEditWatchlist: Prevent passing null to
strtolower().
* (T281741) ChangeTags: Fix adding CSS classes for hidden tags.
* (T296642) changetags: Fix management of a '0' tag.
* (T311554) ChangeTags: Return early in formatSummaryRow() if
$tags === null.
* (T303033) Handle null in ChangeTags::modifyDisplayQuery.
* Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.
-------------------------------------------------------------------
Sun Apr 10 06:11:51 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.37.2
Security and maintenance release
* (T298261) Fix support for Composer 2.2.
* (T298283) composer.json: Add wikimedia/composer-merge-plugin
to allow-plugins.
* Update doctrine/dbal (3.0.0 => 3.1.5).
* (T296898) Add entry point name to disabled Session exception
if possible.
* (T298564) MemcachedClient: Add support for IPv6.
* (T297543, CVE-2022-28202) SECURITY: properly escape output used
within galleries and Special:RevisionDelete.
* (T289956) WatchAction: Fix bug that prevents showing proper
success message in the noscript fallback mode.
* (T268847) Suppress deprecation warnings from
libxml_disable_entity_loader().
* (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest.
* (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
* (T275673) objectcache: Avoid getCurrentTime() call in
MapCacheLRU::has().
* (T275673) objectcache: split up MapCacheLRU::getAge() to avoid
conditional overhead.
* Fix the json schema and the extension processor for Parsoid
extension modules.
* (T299696) update.php: Avoid passing null to substr.
* (T195807, T256401) Fix signature of
DatabasePostgres::buildGroupConcatField.
* In PHP 8.1 don't throw exceptions from mysqli.
* (T289926) SiteConfiguration: Don't pass null to str_replace().
* (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
* (T260735) Stop using is_resource() where possible.
* (T289879) Apply ReturnTypeWillChange to various implementations
of built in interfaces.
* (T299312) Implement __serialize/__unserialize for
PHP 8.1 support.
* ExtensionRegistry: Add process cache for lazy attributes.
* (T301041) ApiPageSet: Add "missing": true to missing revisions.
* Allow ParsoidModules extension schema to register services.
* (T300462) SpecialUndelete: Do not show empty comments
as deleted.
* (T297708) Allow setting max execution time to several
special pages.
* (T205349) LinkCache: Try invalidating cache before throwing.
* (T302540) composer.json: Add ext-calendar to require.
* (T302540) composer.json: Add ext-simplexml to require-dev.
* (T302540) composer.json: Add various PHP extensions to suggests.
* Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
* (T304008) Don't re-check "Move subpages" on Special:MovePage
after a warning.
* (T293576) listFiles: Display file name instead of version.
* (T303871) Fix @since of Title::getId().
* (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
* wrapOldPasswords: add \n to two output calls.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an
infinite recursion loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki
with many file uploads with actor as a condition can result
in a DoS.
* (T297754, CVE-2022-28204) Special:WhatLinksHere can result in
a DoS when a page is used on an extremely large number of other
pages.
-------------------------------------------------------------------
Sun Dec 19 11:19:59 UTC 2021 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.37.1
Security and maintenance release
* (T296112) Allow inserting new sections named '0'.
* Fix path for ZhConversion.php.
* nukeNS: don't run purgeRedundantText() after every change.
* (T286779, T297031) installer: Fix Postgres mistakes in using
changeField method.
* (T225888) RollbackAction: fix missing pagetitle.
* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix
permissions checks in undo actions.
* (T297574, CVE-2021-45038) SECURITY: Fix permissions check
in action=rollback.
* (T34716, T297416) SECURITY: Require 'read' right for most
actions.
* (T271037, CVE-2021-44856) SECURITY: Fix use of
EditFilterMergedContent hook when changing content model.
-------------------------------------------------------------------
Fri Nov 19 11:36:11 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Update to Mediawiki 1.37.0
Read the full release notes at
https://www.mediawiki.org/wiki/Release_notes/1.37
-------------------------------------------------------------------
Sun Oct 10 18:32:02 UTC 2021 - Carsten Ziepke <kieltux@gmail.com>
- Update to Mediawiki 1.36.2
Security and maintenance release
* Don't access MWServices prematurely in Maintenance.php.
* (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
* Installer: Fix foundation.wikimedia.org link in
config-pingback-help.
* (T283273) Make postgres IRC channel point to libera.chat.
* composer.json: Promote and pin monolog/monolog to require
from require-dev.
* (T287526) JavaScriptMinifier: Recognize `...` as a single token.
* (T287526) Update wikimedia/minify to 2.2.4.
* (T289108) ExtensionProcessor: Remove loaderScripts from
extension.json schemas.
* (T281549) Installer: Fix mediawiki-announce auto subscription
code.
* FormatJson: Optimize encode() for supported PHP versions.
* (T290398) renameRestrictions.php: Update protected_titles
as well.
* (T290489) objectcache: Fix PHP warning for
ReplicatedBagOStuff::setMulti.
* $wgMimeTypeBlacklist - This configuration array now prohibits
the RFC 4329 form of JavaScript, 'application/javascript',
as well as previous MIME types.
* (T51097, T290273) resourceloader: Call getStyleFiles from
FileModule::getFileHashes.
* (T277788) parser: Avoid calling ParserOptions::getOption()
too many times.
* (T291244) Unserialize objects in ParserCache->mExtensionData
as objects.
* MysqlUpdater: Add updatelog entries for dropDefault.
* (T290776) Fix $phase check in OutputHandler.
* The wikimedia/parsoid library has been upgraded from v0.13.0
to v0.13.1.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in
Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause
a full table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection
of Special:Contributions.
-------------------------------------------------------------------
Fri Jun 25 05:32:16 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Update to Mediawiki 1.36.1
Security release
* (T283942) DatabaseInstaller.php: Only run core schema file if specified table
doesn't already exist.
* (T247223) Optimise MessageCache::isMainCacheable() for the single-message
case.
* (T283244) JavaScriptMinifier: Fix handling of "delete" as object property.
* (T284391) Fix SkinModule to correctly prepend remote path on document root
installs.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T278579) Don't send headers on ob_end_clean().
* (T285287) MultiHttpClient: Replace PHP version check with defined().
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.
-------------------------------------------------------------------
Fri Jun 4 12:36:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Update to version 1.36.0
* Upgrade notes
- MediaWiki 1.36 now requires the PHP internationalization extension
(commonly referred to as Intl, ext-intl, or php-intl).
- The MediaWiki:Autoblock_whitelist block exemption control has been
moved to MediaWiki:Block-autoblock-exemptionlist. If you use this
feature, please move the MediaWiki:Autoblock_whitelist page.
- (T275334) $wgExtensionFunctions is sometimes used to change
configuration settings. This is not safe; extension functions are
run relatively late, some services are already initialized by that
point and so they use the old configuration. Changes in 1.36 make
this kind of breakage even more common. You can use the
MediaWikiServices hook instead. (In the future there might be a
dedicated hook for configuration changes.)
- The MediaWiki update script, maintenance/update.php, used to accept
`--nopurge` as an option to prevent clearing caches stored in the
database during upgrade. This is no longer encouraged, and the option
has been removed.
* New features
- The logo of MediaWiki has changed. This means that the "Powered By
MediaWiki" button shown in the skin footer will be different.
- All HTML5 named entities are now accepted in wikitext.
- (T106263) The file description page's alternate sizes now include 2048px.
* Action API changes
- `Access-Control-Max-Age` was added to the default list of headers allowed
for cross-origin API requests ($wgAllowedCorsHeaders).
- Accounts with the 'bot' right no longer have pages automatically added
to the watchlist when making API edits, regardless of their preferences.
This is to reduce the size of the watchlist data in the database.
To add API bot edits to the watchlist, explicitly set the 'watch' option.
* New configuration options
- (T256001) $wgManualRevertSearchRadius – This setting controls a new
feature that marks edits as reverts if they restore the page to an exact
previous state. This configuration variable sets the maximum number of
revisions of a page that will be checked against every new edit. Set this to 0
to disable the feature entirely.
- (T244058) $wgOldRevisionParserCacheExpireTime — This setting was added to
control caching of ParserOutput for old (non-current) revisions.
- (T265263) $wgRememberMe - This setting configures the "remember me"
checkbox on account log-in systems via RememberMeAuthenticationRequest.
- (T157145) $wgSkinMetaTags – This setting lets sysadmins configure skins
that support meta tags. These tags make sharing of MediaWiki pages on a
variety of social platforms more contentful and thus useful.
- (T280944) $wgIncludejQueryMigrate - This setting lets sysadmins disable
the jQuery Migrate plugin. It has been enabled by default since MediaWiki
1.27. In future releases it will be disabled by default.
* Changed configuration options
- $wgLogos – This setting selects the logo shown on the site. The default
value for the site logo, which is shown in an install if you have not set
one, will now be the new logo of MediaWiki.
- (T274695) $wgAjaxEditStash — This setting, to disable the edit stashing
feature when users start writing an edit summary, has been deprecated. In
future releases, this feature will always be enabled.
- $wgUploadStashScalerBaseUrl – This setting, to enable remote on-demand
media scaling, was deprecated. Use the `thumbProxyUrl` setting in
$wgLocalFileRepo instead.
- $wgSlaveLagWarning and $wgSlaveLagCritical – These settings have been
renamed, to $wgDatabaseReplicaLagWarning & $wgDatabaseReplicaLagCritical
respectively. The former configuration variable names are deprecated, but will
be used as the fall back if they are still set, and remain temporarily
available for extensions which try to read them.
- $wgWANObjectCaches - The "coalesceKeys" option was removed without
deprecation and replaced by a new "coalesceScheme" option, set to
"hash_stop" by default. If you use Dynomite, then set the new "coalesceKeys"
option to "hash_tag". The "cluster" and "mcrouterAware" options were also
removed without deprecation. Use "broadcastRoutingPrefix" instead.
* Removed configuration options
- $wgUseTwoButtonsSearchForm — This setting, deprecated in 1.35, has been removed.
- $wgAllowImageMoving — This setting, deprecated in 1.35, has been removed.
Use group permission settings instead. For example, to prevent sysops from
moving files, set $wgGroupPermissions['sysop']['movefile'] = false;
- $wgExtNewTables, $wgExtNewFields, $wgExtNewIndexes, $wgExtPGNewFields,
$wgExtPGAlteredFields, $wgExtModifiedFields — These settings were removed. They
became obsolete after 1.17 overhauled the database updater, but were kept for
backwards compatibility. The LoadExtensionSchemaUpdates hook should be used
instead.
- $wgParserConf - This setting, deprecated in 1.35, has been removed. The
last use of this setting was for pre-processor configuration, which was
deprecated in 1.34 and removed in 1.35.
- $wgEnableRestAPI - This setting, ignored since 1.35, has been removed.
- $wgPagePropsHaveSortkey – This temporary setting has been removed, along
with the schema change upgrade path it controlled. If your site is still using
it, meaning you have not yet applied the `pp_sortkey` schema change from 1.24,
you must now apply it before upgrading.
- The deprecated password policies PasswordCannotMatchBlacklist and
PasswordNotInLargeBlacklist were removed. Please use
PasswordCannotMatchDefaults and PasswordNotInCommonList respectively instead.
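The upgrade notes above describe several LocalSettings.php changes in words. The PHP fragment below is an added example, not code from MediaWiki or from this package, showing them applied on one site: $wgFooSetting is a hypothetical variable standing in for any setting that an extension function used to change, the hook registration follows the MediaWikiServices hook named in the note, and the lag thresholds are constructed sample values.

```php
<?php
// LocalSettings.php fragment (added example; not part of MediaWiki or this package).
// $wgFooSetting is hypothetical and only illustrates a setting an extension function
// used to modify; replace it with the real variable on your site.

use MediaWiki\MediaWikiServices;

// Before (unsafe per the 1.36 upgrade note): extension functions run late, so any
// service already constructed by then keeps reading the old value.
// $wgExtensionFunctions[] = function () {
//     global $wgFooSetting;
//     $wgFooSetting = 'new-value';
// };

// After: the MediaWikiServices hook runs when the service container is initialized,
// so the changed global is in place before services read their configuration.
$wgHooks['MediaWikiServices'][] = function ( MediaWikiServices $services ) {
    global $wgFooSetting;
    $wgFooSetting = 'new-value';
};

// Replica-lag thresholds: set the 1.36 names. The old $wgSlaveLag* names are deprecated
// but still honoured as a fallback, so leave them unset rather than defining both.
$wgDatabaseReplicaLagWarning = 10;   // constructed sample value (seconds)
$wgDatabaseReplicaLagCritical = 30;  // constructed sample value (seconds)

// $wgAllowImageMoving was removed; express the same restriction as a group permission.
$wgGroupPermissions['sysop']['movefile'] = false;

// Renamed password policies: use the new names in any custom policy configuration.
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchDefaults'] = true;
$wgPasswordPolicy['policies']['default']['PasswordNotInCommonList'] = true;
```

The hook-based form is the one to prefer whenever a value must be changed programmatically; plain assignments at the top level of LocalSettings.php, as for the lag thresholds and permissions here, need no hook at all.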
-------------------------------------------------------------------
Wed Apr 21 10:48:28 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Update to version 1.35.2
* (T270450) The confusingly-named User->isLoggedIn() method has been
deprecated in favour of the method it wraps, User->isRegistered().
* Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support.
* Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support.
* Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support.
* (T270734) Fix display of Special:Preferences URL in password reset email.
* (T252774, T271441) resourceloader: Give SkinModule 'features' option an extensible default.
* (T271441) Unknown features shouldn't break style output.
* (T264986) Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having curl >= 7.30.0.
* DefaultSettings.php: Update $wgPingback documentation.
* Fix docs for LanguageConverter::translate.
* (T272250) Don't rely on implicit string->int cast in comparison.
* (T272327) Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine.
* (T272328) UploadBase: Don't call MimeAnalyzer if mTempPath is null.
* Remove nonfunctional default sampling for WANObjectCache metrics.
* (T258851) Prevent service injection to LoadExtensionSchemaUpdates hook.
* (T270852) Hooks: Map dash character to underscore when generating hook names.
* (T271551, T270145) Fix fetching ipblock-exempt within BlockManager::getUserBlock.
* PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0.
* (T248925) Set empty closures in DatabaseTest to fix PHP 8 tests.
* (T34217) rdbms: Remove outdated MySQL 4 references and fix doc URLs.
* (T248925) Special:Contributions reports negative namespace error on PHP 8.
* (T248925) objectcache: Fix non-numeric string check in HashBagOStuff for PHP 8.
* (T248925) Fix CacheTime::getCacheExpiry for PHP 8.
* (T259685) Allow REST API POST handlers to opt out of mandatory SQLite locking.
* (T91820, T259685) MWLBFactory: rename magic HTTP header for opting out of SQLite write lock.
* (T272326) Fix DeprecationHelperTest on PHP 8.
* Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support.
* (T236639) OutputPage: Make $wgDebugRedirects work again.
* (T274648) registration: Allow reusing cached metadata between wikis.
* CdnCacheUpdate: Send full URL instead of path to Curl for purge.
* Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support.
* FileBackend: Do not use SOCKET_ENOENT on windows.
* (T275441) ApiQueryUserInfo: Allow all uiprops to be requested at once.
* (T275261) Escape wikitext in the title in invalid title error messages.
* (T275242) Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL.
* (T246594, T270228) PHPVersionCheck: Complain about known-bad versions above minimum.
* (T275824) Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for Composer 2.0 support.
* (T269293) Record all used options in metadata.
* Allow usage of Composer 2.0 to install MediaWiki's dependencies.
* (T259872) skins: Call headElement() after getTemplateData() in SkinMustache.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens.
* (T272412) Add "Account data" section to user preferences.
* (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook.
* (T277520) registration: Allow specifying immovable namespaces in extension.json.
* (T275619) Maintenance::hasOption and Maintenance::getOption now behave
as documented and are not altered by previous calls to these methods.
* (T254688) Remove page inner join from subquery in SpecialWhatLinksHere.
* (T122124) signup: added help message for security.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages.
* (T277414) HTMLFormField: Use non namespaced class name rather than static::class.
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php for page_namespace below 0.
* (T246594, T270228) Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8.
* (T268230) Switch to new MediaWiki logo by Serhio Magpie.
* (T271735) Expand config-pingback-help, link to privacy policy in config-pingback.
* Fix documentation of user-global in $wgRateLimits.
* BackupDumper: Add -o as shortcode for --output.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T270713, CVE-2021-30152) SECURITY: Allow users to only apply protection they have the right to apply via action=protect.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user cancreate pages.
* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.
-------------------------------------------------------------------
Sun Feb 21 09:23:23 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Fixed invocation of upgrade script
- Hard-Code main version - scripts don't work nicely with osc
-------------------------------------------------------------------
Sun Feb 21 08:26:23 UTC 2021 - Carsten Ziepke <kieltux@gmail.com>
- Update to version 1.35.1
* (T263929) purgeList.php Fix all-namespaces option to match one
used in code.
* (T248719) ParserCache::get - fix wfDeprecated call.
* (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown
after hitting Tab.
* Preload mediawiki.watchstar.widgets before api request.
* (T261030) ApiEditPage: Show existing watchlist expiry if status
is not being changed.
* (T264502) Fix PHP 8 compat with strcspn() $length parameter
exceeding string.
* (T248925) Remove final modifier on private function.
* (T264683) Remove ipb_anon_only from ipb_address_unique index
addition.
* (T261415) Add days left messages to changes-lists' clock icons.
* Fix order of wfDeprecated parameters in
ExternalStoreDB::getSlave.
* (T261260) Preload class used in HeaderCallback.
* (T260868, T260009) Normalize WatchedItem expiry field.
* (T264683) Remove doTable check from
(Mysql|Sqlite)Updater::indexHasFields.
* (T264534) ApiPageSet: Avoid infinite loop when merging
redirects.
* (T196906) Empty Monolog loggers are now real blackholes.
* (T258649) WatchAction: avoid UPDATE when old and new watch
period is indefinite.
* Parser: Adjust typehint to show that getTitle can return null.
* (T263592) media: Fix case of FlashPixVersion in
FormatMetadata::makeFormattedData().
* (T265223) BaseTemplate: Guard against passing zero arg to
array_merge().
* (T264965) Fix base path handling for MessagePosterModule
registration.
* (T252183) Fix Database::getTempTableWrites for multi table
DDLs.
* (T182546) Fix switch/case indentation per mediawiki coding
conventions.
* Flip Yoda conditionals.
* (T263213) Move SkinTemplate::getFooterLinks() to Skin.
* build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
* (T267105) Make ImageBuilder::checkMissingImage public.
* Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
* (T266681) Support new style hook registration on install
and update.
* (T266980) Fix unsetting of copyright icon in FooterIcons.
* upload.js: Don't assume that warnings array will include
'code' key.
* upload.js: Fix typo in upload API.
* (T264333, T190988, T266903) Pass along ignorewarnings param
to all individual chunks being uploaded.
* (T267558) importTextFiles.php: Replace deprecated
WikiRevision:setText().
* (T266418) composer.json: add requirement for
composer-plugin-api ^1.1.
* (T261431) Add ARIA attributes to watchlink and its
notification.
* (T258877) Change invalid 'Content-Encoding: none' header.
* Fix trailing ; in patch-sites-site_language-35.sql.
* (T248852) wfAssembleUrl: Handle empty query field in URL bits.
* (T268846) Updating wikimedia/testing-access-wrapper
(1.0.0 => 2.0.0).
* (T268887) migrateComments: Cast array keys back to string
before passing to the DB.
* (T266619) Introduce new $wgThumbPath config.
* (T269178) MemcachedClient: Cast Resource to integer.
* (T263925) Use the old HookContainer to set up the
post-reset services.
* Change "site cache" to just "cache" in the right-purge
message.
* [UploadedFileStreamTest] Skip test with chmod.
* (T269710) Updating composer/semver (1.5.1 => 1.7.2).
* (T269710) Updating mediawiki/mediawiki-codesniffer
(33.0.0 => 34.0.0).
* (T260631, T260633) BotPassword::save() now returns a Status
object for the result rather than a bool. The length of the
bot password grants and restriction fields are now validated,
and an error will be thrown if it would be truncated by
the database.
* (T265778) Fix English/*nix specific error messages in
FSFileBackend.
* (T267543) Split dropping of image.img_user_timestamp.
* [FileTest] Do not assume /tmp exists on windows.
* Clean up temp files correctly after unit tests.
* Skip undo related phpunit tests when diff3 is missing.
* (T269964) rdbms: Remove outer parentheses in insert query
for Postgres.
* (T263911) In MWExceptionHandler::report(), catch all throwables.
* (T268894, CVE-2020-35474) SECURITY: Use Html::element in
ChangeListSpecialPage for sanity.
* (T268917) Use Xml::element in SpecialUserrights for sanity.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass
escaped html to LogFormatter::makePageLink for sanity.
* (T268938) Fixed mixed escaping in
Language::translateBlockExpiry.
* (T263911) UserOptionsManager: don't differentiate anons caches.
* (T261260) HeaderCallback: pre-cache request ID.
* Parsoid updated to v0.12.1.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility
of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for
contributions and user pages of hidden users and missing users.
* (T270145) Fix condition that can lead to using APCOND_BLOCKED
in $wgAutopromote to cause an OOM in PHP.
- Add requires cron, fix missing-dependency-to-cron for cron
script /etc/cron.d/mediawiki
-------------------------------------------------------------------
Tue Dec 15 17:12:36 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- New cronjob must run as root
-------------------------------------------------------------------
Mon Dec 14 16:52:16 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
- Extract main version from version
-------------------------------------------------------------------
Mon Dec 14 14:06:30 UTC 2020 - root <root@vie.weberhofer.at>
- Updated to version 1.35.0
Changelogs:
* https://www.mediawiki.org/wiki/Release_notes/1.35
* https://www.mediawiki.org/wiki/Release_notes/1.34
- Don't forget to always back up your database before upgrading!
- The minimum PHP version is now 7.3.19
- Replaced mediawiki-1.33-use-localsettings-from-webroot.patch with the
newly created mediawiki-1.35-use-localsettings-from-webroot.patch
- merged, improved and refactored script files
- resolves bnc#1179340
-------------------------------------------------------------------
Fri Dec 11 10:49:14 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
- Put Apache configuration in separate subpackage
-------------------------------------------------------------------
Fri Dec 11 09:23:02 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
- Don't Require: mod_php_any as this creates a hard dependency on
apache2-prefork (use php-session instead)
-------------------------------------------------------------------
Wed Dec 9 19:04:21 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
- Use system apache rpm macros
-------------------------------------------------------------------
Mon Jul 6 06:47:55 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Updated to version 1.33.4
Security and maintenance release:
* (T247017) PasswordReset performance improvements.
* The MultiHttpClient code will fall over to non-curl if curl_multi* is blocked.
* (T250568) Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17.
* Remove some rotten and out of date documentation.
* (T252311) Improvements to some older SQLite update patches.
* (T240307) Minor fixes to extension.schema.v2.json and extension.schema.v1.json.
* rdbms: Add callback for atomic section cancellation.
* (T191668) NameTableStoreTest::getCallCheckingDb simplification.
* Make NameTableStore use LoadBalancer::getConnectionRef().
* (T224949) NameTableStore: ensure consistency upon rollback.
* (T199474) Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php.
* (T229461) Update the change_tag table in rebuildrecentchanges.php.
* (T234450) Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately.
* (T248947) SECURITY: img_auth.php may leak private extension images into the public cache.
-------------------------------------------------------------------
Thu Apr 02 14:58:06 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Updated Documentation
-------------------------------------------------------------------
Sun Mar 29 07:02:06 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Updated to version 1.33.3
Security fixes:
* (T232932) User content can redirect the logout button to different URL.
* (T246602) jquery.makeCollapsible allows applying event handler to any CSS selector.
-------------------------------------------------------------------
Sun Mar 8 21:45:23 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Updated to version 1.33.2
Changelogs:
* https://www.mediawiki.org/wiki/Release_notes/1.34
* https://www.mediawiki.org/wiki/Release_notes/1.33
* https://www.mediawiki.org/wiki/Release_notes/1.32
- Refactored the maintenance scripts which are now installed in /usr/bin.
The scripts have been renamed to mediawiki-update.sh and mediawiki-makealias.sh
- BREAKING CHANGES:
Read /usr/share/doc/packages/mediawiki/README.DISTRIBUTION
-------------------------------------------------------------------
Sat Mar 7 12:50:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Renamed scripts and moved the scripts to /usr/bin
-------------------------------------------------------------------
Sat Feb 15 07:28:00 UTC 2020 - Carsten Ziepke <kieltux@gmail.com>
- Updated mediawiki-1.31-use-localsettings-from-web-path.patch.
Fix for "PHP Warning: Use of undefined constant MW_CONFIG_FILE".
-------------------------------------------------------------------
Sat Dec 21 10:13:57 UTC 2019 - ecsos@opensuse.org
- Update to version 1.31.6
This is a security and maintenance release of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.5
- (T181658) Do not insert page titles into querycache.qc_value.
- (T206013) Suppress errors when reading invalid XML file properties.
- (T237931) Remove references to pg_attrdef.adsrc in Postgres code.
- Use correct value for 'sslmode' in DatabasePostgres.
- (T232866) Fix support for HTTP/2 in MultiHttpClient.
- (T227461) Stop calling deprecated Redis delete functions.
- (T239561) Mark options as requiring parameters in addSite.php.
- (T239734) Replace deprecated lSize with lLen in Redis code.
- (T192134) SECURITY: Do not allow user scripts on Special:PasswordReset.
- (T239428) ApiEditPage: Test for bad redirect targets.
- (T233342) rdbms: Log debug message traces as 'exception.trace' instead of 'trace'.
- (T226751) media: Log and fail gracefully on invalid EXIF coordinates.
- (T212067) Work around PHP bug in parse_url.
- Changes from version 1.31.5
This is a maintenance release of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.4
- Fix extra newlines in installer.
- Followup T230402, PermissionManager doesn't exist until 1.33,
so fix the backported patches to use User::isAllowed() instead.
-------------------------------------------------------------------
Sun Oct 13 12:27:58 UTC 2019 - ecsos@opensuse.org
- Update to version 1.31.4
This is a security and maintenance release of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.3
- (T207100) Updated LanguageTr for dotted and dotless I in PHP 7.3.
- The ImgAuthModifyHeaders hook was added to img_auth.php to allow
modification of headers in private wikis.
- (T230402) SECURITY: Add permission check for suppressed account
to Special:Redirect.
- Add helper for HTTPFileStreamer header syntax.
- (T118799) Fix XMP parser errors due to trailing nullchar.
- (T233119) Improve documentation for the MinimumPasswordLengthToLogin policy.
- (T202183) Give more specific error messages on Special:Redirect.
- Cache redirects from Special:Redirect.
- (T231386) dispatchUser() should use a 302 http status code.
- (T227662) Split down patch-comment-table.sql and patch-actor-table.sql
into separate files to help alleviate potential migration problems.
- Make SQLite's patch-add-3d.sql a no-op to prevent clobbering
other database updates.
-------------------------------------------------------------------
Wed Jul 31 06:40:16 UTC 2019 - ecsos@opensuse.org
- Update to version 1.31.3
This is a maintenance release of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.2
- (T225558) Update installer link to PHP intl.
- (T225496) Detect APC for MainCacheType in CLI installer.
- (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependencies.
- (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.
- Changes from version 1.31.2
This is a security and maintenance release
of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.1
- (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail
would allow for bypassing reauthentication, allowing for
potential account takeover.
- (T204729, CVE-2019-12473) Passing invalid titles to the API
could cause a DoS by querying the entire `watchlist` table.
- (T207603, CVE-2019-12471) Loading user JavaScript from
a non-existent account allows anyone to create the account,
and XSS the users loading that script.
- (T208881) blacklist CSS var().
- (T199540, CVE-2019-12472) It is possible to bypass the limits
on IP range blocks (`$wgBlockCIDRLimit`) by using the API.
- (T212118, CVE-2019-12474) Privileged API responses that include
whether a recent change has been patrolled may be cached
publicly.
- (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail
to send out spam with no rate limiting or ability to block
them.
- (T25227, CVE-2019-12466) An account can be logged out without
using a token (CSRF).
- (T222036, CVE-2019-12469) Exposed suppressed username or log
in Special:EditTags.
- (T222038, CVE-2019-12470) Exposed suppressed log in
RevisionDelete page.
- (T221739, CVE-2019-11358) Fix potential XSS in jQuery.
- Required PHP version has been increased from 7.0.0 to 7.0.13.
-------------------------------------------------------------------
Thu Nov 29 11:37:27 UTC 2018 - jweberhofer@weberhofer.at
- mediawiki-1.31-use-localsettings-from-web-path.patch
fixes the handling of locations in our directories
- cleaned up spec
- cleaned up admin scripts
-------------------------------------------------------------------
Fri Nov 2 08:59:31 UTC 2018 - ecsos@opensuse.org
- Update to version 1.31.1
This is a security and maintenance release
of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.0
- (task T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry
for 'user' overrides 'newbie'.
- (task T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass
CentralAuth's account lock.
- (task T199029, CVE-2018-13258) SECURITY: Tarball was missing
.htaccess files.
- (task T197229) Bundle Nuke extension, it was accidentally
omitted.
- (task T193995) Fix undefined patchPath() method call in parser
tests.
- (task T198687) Fix various selectFields methods to use
the string 'NULL', not null.
- Special:BotPasswords now requires reauthentication.
- (task T191608, task T187638) Add 'logid' parameter
to Special:Log.
- (task T193829) Indicate when a Bot Password needs reset.
- (task T198037) GitInfo: Don't try shelling out if it's disabled.
- (task T151415) Log email changes.
- (task T197206) Fix performance regression when multiple DB
used without caching.
- (task T197030) PHPSessionHandler: Suppress headers warnings in
initialize().
- (task T182377, task T196793) Exif: Guard against uncountable
tag values.
- (task T200861) Fix total breakage of SQLite web upgrade.
- (task T200864) Fix pingback over-reporting on non-MySQL
databases.
- (task T202550) Unbreak SpecialListusersHeaderForm and
SpecialListusersHeader hooks.
- rebase makealias.sh for apache >= 2.4 and new .htaccess
-------------------------------------------------------------------
Mon Jun 18 17:21:05 UTC 2018 - ecsos@opensuse.org
- Update to version 1.31.0
- requires PHP 7.0.0 or later, although HHVM 3.18.5 or later is also supported
See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.31
(There are too many changes to list here)
-------------------------------------------------------------------
Mon May 28 16:11:59 UTC 2018 - jweberhofer@weberhofer.at
- Clean-up spec file
- No longer require php-ssl
- Removed sections for suse < 10.x
-------------------------------------------------------------------
Mon Feb 19 15:14:04 UTC 2018 - jweberhofer@weberhofer.at
- Updated dependencies
- Update to version 1.30.0
See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.30
Configuration changes:
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to
avoid unexpected behavior when code uses locale-sensitive string
comparisons. For example, the Scribunto extension considers "bar" < "Foo"
in most locales since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
class names. This is intended for extensions that want control over the
instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative to
plain class names, using the 'factory' key in the module description array.
This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T45547) $wgUsePigLatinVariant added (off by default).
* $wgRangeContributionsCIDRLimit was introduced to control the size of IP
ranges that can be queried at Special:Contributions.
New Features:
* (T163562) Added the ability to search for contributions within an IP range
at Special:Contributions. References to revisions made by IPs are stored in
the ip_changes table to make querying for ranges more efficient.
* (T37247) Output from Parser::parse() will now be wrapped in a <div> with
class="mw-parser-output" by default. This may be changed or disabled using
ParserOptions::setWrapOutputClass().
* Added the 'ChangeTagsAllowedAdd' hook, enabling extensions to allow
software-specific tags to be added by users.
* Added the 'ParserOptionsRegister' hook to allow extensions to register
additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
LanguageConverter variant. This allows English-speaking developers to
develop and test LanguageConverter more easily. Pig Latin can be enabled by
setting $wgUsePigLatinVariant to true.
* Added the 'RecentChangesPurgeRows' hook to allow extensions to purge data
that depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
Action API changes:
* (T37247) action=parse output will be wrapped in a <div> with
class="mw-parser-output" by default. This may be changed or disabled using
the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be
formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and
returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
parameters to prop=revisions are deprecated, as are the similarly named
parameters to prop=deletedrevisions, list=allrevisions, and
list=alldeletedrevisions. Use action=compare, action=parse, or
action=expandtemplates instead.
And several other changes.
-------------------------------------------------------------------
Tue Nov 21 17:17:16 UTC 2017 - ecsos@opensuse.org
- Update to version 1.29.2
This is a security and maintenance release
of the MediaWiki 1.29 branch.
Changes since 1.29.1
* (T166757) Avoid scoped lock errors in Category::refreshCounts()
due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for
a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency
to ~5.2.
* Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when
$wgShowExceptionDetails = false and browser sends non-standard
url escaping. (CVE-2017-8808)
* (T165846) SECURITY: BotPassword login attempts weren't
throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
(CVE-2017-8809)
* (T134100) SECURITY: Do not reveal if user exists during login
failure. (CVE-2017-8810)
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
(CVE-2017-8811)
* (T125163) SECURITY: Make anchor for headlines escape > and <.
(CVE-2017-8812)
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if
exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits
pcre.backtrack_limit. (CVE-2017-8814)
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
(CVE-2017-8815)
* (T180488) (T125177) "api.log contains passwords in plaintext"
wasn't correctly fixed in all branches in the previous security
release. (CVE-2017-0361)
-------------------------------------------------------------------
Thu Oct 12 04:47:13 UTC 2017 - jweberhofer@weberhofer.at
- Require php-openssl instead of php-mcrypt
- Update to version 1.29.1. Changelog: https://www.mediawiki.org/wiki/MediaWiki_1.29
Configuration changes
* Default cookie expiration time has been reduced to 30 days. Login cookie
expiration time is kept at 180 days. $wgUserEmailUseReplyTo is now true by
default to work around restrictive DMARC policies.
* Subpages are now enabled by default in the Template namespace.
New features
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous
edits from certain IP ranges (e.g. private IPs).
* Added new magic word {{PAGELANGUAGE}} which returns the language code of
the page being parsed. (bug T59603)
* Users can now be assigned to user groups for a limited period of time. See
the help page for more information.
Action API changes
* Submitting sensitive authentication request parameters to
action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata in the query string is now an error. They
should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed.
* action=clearhasmsg now requires a POST.
* (task T47843) API errors and warnings may be requested in non-English
languages using the new errorformat, errorlang, and errorsuselocal
parameters.
* API error codes may have changed. Most notably, errors from modules using
parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* action=emailuser may return a "Warnings" status, and now returns 'warnings'
and 'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than errormessage.
* action=move now reports errors when moving the talk page as an array under
key talkmove-errors, rather than using talkmove-error-code and
talkmove-error-info. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
and errors for each item. Use errorformat=wikitext if you're wanting parsed
output.
* action=rollback no longer returns a messageHtml property. Use
errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error',
and no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account
creation and password change forms.
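The rule stated above (sensitive authentication parameters belong in the POST body, never in the query string, where they would land in web-server and proxy access logs, browser history and Referer headers) can be checked before a request reaches the authentication modules. The following is an added example written for this changelog, not MediaWiki's own code: the parameter names `lgpassword` and `lgtoken` come from these release notes, the remaining names in `SENSITIVE_PARAMS`, the `mustpostparams` error code and the request shape are assumptions made for the example.

```javascript
// Added example, not MediaWiki code. Parameter names beyond lgpassword/lgtoken,
// the error code and the request object shape are assumptions for this example.
const SENSITIVE_PARAMS = new Set([
  'lgpassword', 'lgtoken',                      // action=login (from the release notes)
  'password', 'retype', 'logintoken', 'createtoken' // assumed names for the clientlogin family
]);

// Modules whose sensitive parameters may only travel in the POST body.
const GUARDED_ACTIONS = new Set([
  'login', 'clientlogin', 'createaccount', 'linkaccount', 'changeauthenticationdata'
]);

// request = { method: 'GET'|'POST', queryString: 'a=1&b=2', body: 'c=3' }.
// Returns null when the request is acceptable, otherwise an error object that
// names every sensitive parameter found in the query string. For a GET request
// every parameter is in the query string, so secrets sent via GET are caught too.
function checkSensitiveParams(request) {
  const query = new URLSearchParams(request.queryString || '');
  const body = new URLSearchParams(request.method === 'POST' ? (request.body || '') : '');
  const action = query.get('action') || body.get('action');
  if (!GUARDED_ACTIONS.has(action)) {
    return null; // not an authentication module; nothing to enforce here
  }
  const leaked = [];
  for (const name of new Set(query.keys())) {   // Set: repeated keys reported once
    if (SENSITIVE_PARAMS.has(name)) {
      leaked.push(name);
    }
  }
  if (leaked.length === 0) {
    return null;
  }
  return {
    code: 'mustpostparams',   // error code chosen for this example
    params: leaked,
    message: 'The following parameters were found in the query string but must be '
      + 'in the POST body: ' + leaked.join(', ')
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { method: 'POST', queryString: 'action=clientlogin&format=json',
    body: 'username=Alice&password=s3cret&logintoken=abc' },         // acceptable
  { method: 'POST', queryString: 'action=clientlogin&password=s3cret',
    body: 'username=Alice' },                                          // secret in URL
  { method: 'GET',  queryString: 'action=login&lgname=Alice&lgpassword=x&lgtoken=t',
    body: '' }                                                         // everything in URL
];

function runSamples() {
  return SAMPLE_REQUESTS.map(checkSensitiveParams);
}
```

The check deliberately keys off the `action` rather than rejecting any query-string parameter whose name looks sensitive, matching the module-scoped wording of the note; a deployment that wants a blanket rule can drop the `GUARDED_ACTIONS` test.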
Action API internal changes
* New methods were added to ApiBase to handle errors and warnings using i18n
keys. Methods for using hard-coded English messages were deprecated:
- ApiBase::dieUsage() was deprecated
- ApiBase::dieUsageMsg() was deprecated
- ApiBase::dieUsageMsgOrDebug() was deprecated
- ApiBase::getErrorFromStatus() was deprecated
- ApiBase::parseMsg() was deprecated
- ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
being ApiUsageException is a subclass of UsageException to allow things
that catch only UsageException to still function properly.
If, for some strange reason, code was using an ApiErrorFormatter instead of
ApiErrorFormatter_BackCompat, note that the result format has changed and
various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-'
prefixes from the message key, and maps some message keys for backwards
compatibility.
Languages updated
* Based as always on linguistic studies on intelligibility and language
knowledge by geography, language fallbacks have been expanded.
* No fallback for Ukrainian
* (task T39314) The fallback from Ukrainian to Russian was removed. The
Ukrainian language will now use the default fallback language: English.
When a translation to Ukrainian is not available, an English string will
be shown.
Other changes
* wiki.phtml entry point was removed. Refer to index.php instead. If you want
"wiki.phtml" URLs to continue to work, set up redirects.
-------------------------------------------------------------------
Mon May 15 11:12:09 UTC 2017 - ecsos@opensuse.org
- update to 1.28.2
This is a security release of the MediaWiki 1.28 branch.
Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did
not contain the fix for SyntaxHighlight_GeSHi.
This new release does contain that fix.
- update to 1.28.1
This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.0 ===
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
more than one database server setup.
* (T152717) Better escaping for PHP mail() command.
* (T154670) A missing method causing the MySQL installer to fatal in rare
circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
-------------------------------------------------------------------
Mon Jan 9 18:25:53 UTC 2017 - ecsos@opensuse.org
- update to 1.28.0
=== Breaking changes ===
* Magic links are now disabled by default. They can be enabled by
changing the value of $wgEnableMagicLinks. It has been proposed
to remove magic link functionality from MediaWiki in a future
release, if you depend upon or use them it is requested that you
comment at Requests for comment/Future of magic links.
=== Changes since 1.28.0rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
comment to a machine-readable JavaScript config option 'wgPageParseReport'
have been undone. They caused the human-readable limit report to be shown
incompletely or not at all. ParserOutput::setLimitReportData() and
getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
the text of subheadings on a category page when creating it. This wasn't
working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
canonical pretty URL when a non-pretty URL is used. It resulted in redirect
loops in some clients and in some server configurations. This undoes a change
made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
access to session data, which includes the session user and the session
user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
signifies local uploads. A value of `[]` (empty array) now means that
no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
for Esperanto language character conversion. You are now recommended to use
input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user')
instead of just administrators ('sysop'). Documentation for this feature is
available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
a tracking category will be added to help identify usage and make it easier to migrate
away from. If you depend upon magic link functionality, it is requested that you comment
on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
in upcoming Content-Security-Policy feature's reporting.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
upload. Unlike 'UploadVerifyFile' it provides information about upload comment
and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
a 'numeric' collation is also available. If migrating from another
collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
appropriate for sending multi-valued parameters. This defaults to true when
the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
MediaWiki will wait for the replica databases to synchronize with the master database
while it renders the HTML output. However, if the output is a redirect to another wiki
on the wiki farm with a different domain, MediaWiki will instead alter the redirect
URL to include a ?cpPosTime parameter that triggers the database synchronization when
the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules.
=== External library changes in 1.28 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
Session::getAllowedUserRights()
=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
(deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
action=login is now deprecated and outputs a warning. They should be submitted
in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
action=createaccount, action=linkaccount, and action=changeauthenticationdata
in the query string is now deprecated and outputs a warning. They should be
submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
instead of the pipe character. This will be useful if some of the multiple
values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
ApiPageSet may contain entries where the 'from' value is percent-encoded as
the raw value cannot be represented in a valid API response. These are
indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
the 'TitleIsAlwaysKnown' hook) are output in various modules.
=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with ApiParse and ApiExpandTemplates.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* ApiBase::getResultData() was removed (deprecated since 1.25)
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules. A query module can enable
these hooks by passing an array for $hookData to ApiQueryBase::select() and
by calling ApiQueryBase->processRow() before adding a row's data to the
result.
=== Languages updated in 1.28 ===
MediaWiki supports over 375 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
- Skin::commentBlock() (use Linker::commentBlock() instead)
- Skin::generateRollback() (use Linker::generateRollback() instead)
- Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
- Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
- Skin::userLink() (use Linker::userLink() instead)
- Skin::userToolLinks() (use Linker::userToolLinks() instead)
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
disabled.
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
Use ...->stashFile()->getFileKey() instead.
* "Public domain" was removed as a wiki license option from the installer, in
favour of CC-0.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
on requests needed by primary providers even if all primaries need them.
Primary providers are discouraged from returning multiple REQUIRED requests.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
will no longer be automatically infused. You should call `OO.ui.infuse()`
on them yourself from your JavaScript code.
* parserTests.php has moved to tests/parser/parserTests.php
* The command line options specific to parser tests have been removed from
phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
Instead of --keep-uploads, use the same option to parserTests.php, but you
must specify a directory with --upload-dir.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
migrate to using the same functions on a ProxyLookup instance, obtainable from
MediaWikiServices.
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
ShowRawCssJs hooks will now emit deprecation warnings if used.
* (T68404) CSS3 attr() function with url type is no longer allowed
in inline styles.
* Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
instead.
-------------------------------------------------------------------
Fri Sep 2 18:38:48 UTC 2016 - ecsos@opensuse.org
- update to 1.27.1
* (T139565) API: Generate head items in the context of the given
title (CVE-2016-6335)
* (T137264) XSS in unclosed internal links (CVE-2016-6334)
* (T133147) Escape '<' and ']]>' in inline <style> blocks
(CVE-2016-6333)
* (T133147) Require login to preview user CSS pages
(CVE-2016-6333)
* (T132926) Do not allow undeleting a revision deleted file if it
is the top file (CVE-2016-6336)
* (T129738) Make $wgBlockDisablesLogin also restrict logged in
permissions (CVE-2016-6332)
* (T129738) Make blocks log users out if $wgBlockDisablesLogin is
true (CVE-2016-6332)
* (T115333) Check read permission when loading page content in
ApiParse (CVE-2016-6331)
* (T57548) Remove support for $wgWellFormedXml = false, all
output is now well formed
* (T139670) Move 'UserGetRights' call before application of
Session::getAllowedUserRights() (CVE-2016-6337)
The following fix is for the PdfHandler extension:
* (T136402) Add -dSAFER to ghostscript as hardening measure
-------------------------------------------------------------------
Thu Jul 28 10:47:38 UTC 2016 - jweberhofer@weberhofer.at
- Conflict with php5 < 5.5.9
-------------------------------------------------------------------
Mon Jul 25 09:41:47 UTC 2016 - jslaby@suse.com
- add php-mbstring to requires (does not start w/o that)
- add php-mcrypt to requires (uses slow & insecure fall-back
if not installed)
-------------------------------------------------------------------
Thu Jul 7 05:56:37 UTC 2016 - jweberhofer@weberhofer.at
- Improved dependencies
-------------------------------------------------------------------
Tue Jul 5 03:36:04 UTC 2016 - jweberhofer@weberhofer.at
- Update to version 1.27.0
- Breaking changes:
* MediaWiki now requires at least PHP 5.5.9. This corresponds with HHVM 3.1.
* Note that this new branch brought breaking changes to a number of extensions,
many of which have not been updated yet.
* If the openssl and mcrypt PHP extensions are both unavailable, secure
session storage (used for login) will raise an exception. This exception
may be bypassed by setting $wgSessionInsecureSecrets = true;. Note that
this bypass is not recommended. It is insecure. You should not use it.
* The RandomRootPage extension has been merged into MediaWiki core. If you
have it installed, you should uninstall it.
* The ApiSandbox extension has been merged into MediaWiki core. If you have
it installed, you should uninstall it.
* AuthManager. If you're writing a new extension, you should definitely follow
Manual:SessionManager and AuthManager and then upgrade to 1.27 to use it. If
you are making sure an existing extension is compatible with 1.27, see the
updating tips.
- New feature:
* InstantCommons will now truly work out of the box, as long as
your users can connect to upload.wikimedia.org
- For a complete list of changes see:
https://www.mediawiki.org/wiki/Release_notes/1.27#MediaWiki_1.27.0
-------------------------------------------------------------------
Fri May 20 20:03:23 UTC 2016 - jweberhofer@weberhofer.at
- Update to version 1.26.3
* T122056: Old tokens are remaining valid within a new session
* T127114: Login throttle can be tricked using non-canonicalized usernames
* T123653: Cross-domain policy regexp is too narrow
* T123071: Incorrectly identifying http link in a's href attributes, due to
m modifier in regex
* T129506: MediaWiki:Gadget-popups.js isn't renderable
* T125283: Users occasionally logged in as different users after
SessionManager deployment
* T103239: Patrol allows click catching and patrolling of any page
* T122807: [tracking] Check php crypto primitives
* T98313: Graphs can leak tokens, leading to CSRF
* T130947: Diff generation should use PoolCounter
* T133507: Careless use of $wgExternalLinkTarget is insecure
* T132874: API action=move is not rate limited
* T110143: strip markers can be used to get around html attribute escaping
in (many?) parser tags (This fix affects both core and SyntaxHighlight_GeSHi)
* T116030: Increase pbkdf2 parameter strengths
* T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded
* T126685: Globally throttle password attempts
-------------------------------------------------------------------
Sun Jan 3 01:23:11 UTC 2016 - ecsos@opensuse.org
- Update to version 1.26.2
* (T121892) Fix fatal error on some Special pages.
-------------------------------------------------------------------
Fri Dec 18 02:49:24 UTC 2015 - jweberhofer@weberhofer.at
- Update to version 1.26.1
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
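The $wgArticlePath rule from the T117899 note above, written out as a check. This is an added example, not MediaWiki's own validation code; isSafeArticlePath() is an assumed name, and the sample values are the ones quoted in the note.

```php
<?php
// Added example (not MediaWiki code): the $wgArticlePath validation rule
// from the release note expressed as a check. isSafeArticlePath() is an
// assumed name for illustration.

/**
 * Accept an article-path value only when the browser cannot resolve it
 * relative to the current page: an absolute path on this host, or a full
 * http(s) URL with an explicit host. A value such as "$1" or "wiki/$1"
 * places the page title at the very start of the href, so the scheme of
 * the resulting link is no longer under the site's control, which is the
 * XSS the note describes.
 */
function isSafeArticlePath( string $path ): bool {
    // The placeholder for the page title must be present at all.
    if ( strpos( $path, '$1' ) === false ) {
        return false;
    }
    // "/wiki/$1" (or a protocol-relative "//host/wiki/$1") is absolute.
    if ( $path[0] === '/' ) {
        return true;
    }
    // "http://my.wiki.com/wiki/$1" carries scheme and host explicitly.
    return (bool)preg_match( '!^https?://[^/]+/!i', $path );
}

// Constructed samples, taken from the wording of the note.
foreach ( [ 'http://my.wiki.com/wiki/$1', '/wiki/$1', '$1', 'wiki/$1' ] as $candidate ) {
    printf( "%-28s %s\n", $candidate, isSafeArticlePath( $candidate ) ? 'accepted' : 'rejected' );
}
```

The check deliberately whitelists the two shapes the note calls fine rather than trying to enumerate bad ones; any other form is treated as relative and refused.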
-------------------------------------------------------------------
Sat Nov 28 17:00:46 UTC 2015 - jweberhofer@weberhofer.at
- Added a conflicts section to force installation of mediawiki-math with current
versioning scheme.
- Update to version 1.26.0
=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes['email'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
use the 'rawcontinue' parameter to receive raw query-continue data, but the
new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The "Signature" button on the edit toolbar is now hidden by default
in non-talk namespaces. A new configuration variable,
$wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
the "Signature" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
This experimental feature was never enabled by default and is obsolete as of
MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.
* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
in extension.json) have been removed, after being deprecated in 1.24.
* $wgAlwaysUseTidy has been removed.
* ResetSessionID hook has been removed. Nothing seems to use it.
* Certain AuthPlugin methods are deprecated in favor of new hooks:
** AuthPlugin::initUser() is replaced by LocalUserCreated.
** AuthPlugin::updateUser() is replaced by UserLoggedIn.
** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
** AuthPluginUser::isHidden() is replaced by UserIsHidden.
** AuthPluginUser::isLocked() is replaced by UserIsLocked.
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows
blocked users to edit their talk pages unless explicitly disabled
when they are being blocked.
=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
"tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
search results are rendered. The initial use case is to append a "give us
feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to
reject an otherwise-successful parser cache lookup. The intent is to allow
extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
($wgExtendedLoginCookieExpiration) can be configured independently of the
expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
of WebP images still disabled by default. Add $wgFileExtensions[] =
'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' &
'EnhancedChangesListModifyBlockLineData', to modify the data used to build
lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
This corresponds to a new $wgMainWANCache setting, which defaults to using
the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used
by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
page. During the deprecation period, the styles will only be loaded on pages
which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
only be loaded if explicitly required.
* If search returns zero results and current search engine has a "did you mean"
suggestion, results for suggestion will be shown. Can be disabled by setting
$wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki
from the client-side. See documentation for mw.Upload and its
subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See
documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
subclasses for more information.
== extension.json changes in 1.26 ==
* (T99344) The extension.json schema is now versioned. All extensions
and skins should set a "manifest_version" property corresponding to
the schema version they were written for. The only supported version
currently is "1".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged,
which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings
can now set a "_prefix" key to override the default of "wg".
* (T99084) Extensions can now specify what MediaWiki core versions they
depend upon.
* (T105236) The extension.json schema now validates custom classes in
the "ResourceModules" property properly.
=== External library changes in 1.26 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.
==== New external libraries ====
* Added composer/semver v1.0.0.
* Added mediawiki/at-ease v1.1.0.
* Added wikimedia/assert v0.2.2.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.
==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a "rel=discussion" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
value if set to an empty string.
=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may
use the 'rawcontinue' parameter to receive raw query-continue data, but the
new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the
tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters
to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than
revision ID. This usually won't make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of
sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random's rnredirect parameter is deprecated in favor of a new
rnfilterredir parameter that also allows for listing both redirects and
non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers,
and will honor corresponding If-None-Match and If-Modified-Since on such
requests.
=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
into the value when the value is an assoc.
* API action modules may now provide values for the RFC 7232 ETag and
Last-Modified headers. The API will check these against If-None-Match and
If-Modified-Since request headers on GET requests and avoid executing the
module when appropriate.
=== Languages updated in 1.26 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Languages added:
** ase (American sign language), thanks to translator Icemandeaf
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
मेश सिंह बोहरा, and राम प्रसाद जोशी
** luz (لئری دوٙمینی / Southern Luri)
** olo (Livvinkarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
Ilja.mos, and Mashoi7
=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message
for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
ContentHandler, to provide a way for ApiEditPage and EditPage to check
if direct editing of content is allowed. These methods return false,
by default for the ContentHandler base class and true for TextContentHandler
and its derivative classes (everything in core). For Content types that
do not support direct editing, an alternative mechanism should be provided
for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
one function. The callback can't be called directly any more. The callback
function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to
ResourceLoaderModule::getDependencies(). Extension classes that override that
method should be updated. If they aren't updated, PHP Strict standards
warnings will appear when E_STRICT error reporting is enabled. Note: in the
near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
items that were stripped during parsing. It will use a fixed string instead.
This causes the parser to re-use the regular expressions it uses to search
and replace markers rather than generate novel expressions on each parse.
Re-using regular expressions will improve performance on HHVM and the
forthcoming PHP 7. The interface changes accompanying this change are:
- Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
- The $uniq_prefix argument for Parser::extractTagsAndParams() and the
$prefix argument for StripState::__construct() are deprecated and their
value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
mediawiki/at-ease, and are now deprecated. Callers should use
MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
instead of many optional positional arguments. Calling the constructor the old
way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
are deprecated. Applications using those can work via the OAuth
extension instead. New tokens types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.
-------------------------------------------------------------------
Mon Oct 19 13:23:46 UTC 2015 - jweberhofer@weberhofer.at
- Updated to security and maintenance release 1.15.3
* Wikipedia user RobinHood70 reported two issues in the chunked upload API. The
API failed to correctly stop adding new chunks to the upload when the
reported size was exceeded (T91203), allowing a malicious user to add
an infinite number of chunks for a single file upload. Additionally, a
malicious user could upload chunks of 1 byte for very large files,
potentially creating a very large number of files on the server's filesystem
(T91205).
* Internal review discovered that it is not possible to throttle file
uploads. (T91850)
* Internal review discovered a missing authorization check when removing
suppression from a revision. This allowed users with the 'viewsuppressed'
user right but not the appropriate 'suppressrevision' user right to
unsuppress revisions. (T95589)
* Richard Stanway from teamliquid.net reported that thumbnails of PNG files
generated with ImageMagick contained the local file path in the image
metadata. (T108616)
* Fix having multiple callbacks for a single hook. (T98975)
* maintenance/refreshLinks.php did not always remove all links pointing to
nonexistent pages. (T107632)
* $wgEmergencyContact and $wgPasswordSender now use their default value if set
to an empty string. (T104142)
* Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was
causing an error when accessing the api help page if the mbstring PHP
extension was not installed. (T62174)
* Confirmation emails would sometimes contain invalid codes. (T105896)
* Fixed edit stash inclusion queries. (T105597)
-------------------------------------------------------------------
Sun Sep 6 05:37:47 UTC 2015 - jweberhofer@weberhofer.at
- updated to security and maintenance release 1.15.2
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
$wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
a "manifest_version" property for 1.26 compatibility will no longer
trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
named variable. Add an additional check that an index is defined.
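Two notes on this page, T94116 above (API watchlist token compared in constant time) and T119309 in the 1.26.1 entry (hash_compare() for edit tokens), fix the same class of bug. The following is an added example, not MediaWiki code, showing the vulnerable comparison beside the constant-time one; the function names are assumptions for illustration.

```php
<?php
// Added example (not MediaWiki code): comparing a secret token in constant
// time. Function names are assumptions for illustration.

/**
 * The problem: === on strings stops at the first differing byte, so the
 * time a request takes depends on how many leading bytes of the presented
 * value were right. Over many measurements that difference can leak the
 * stored token.
 */
function tokenMatchesNaive( string $stored, string $presented ): bool {
    return $stored === $presented;
}

/**
 * The fix: hash_equals() (PHP >= 5.6) visits every byte regardless of where
 * the first mismatch is. The known-good value goes first, as the PHP manual
 * requires; only the length of $stored can be learned from timing.
 */
function tokenMatches( string $stored, string $presented ): bool {
    return hash_equals( $stored, $presented );
}

/**
 * What "constant time" means, spelled out: XOR every byte pair, OR the
 * results together, and decide only after the whole string has been
 * visited. Shown for understanding; prefer hash_equals() in real code.
 */
function tokenMatchesManual( string $stored, string $presented ): bool {
    $len = strlen( $stored );
    if ( $len !== strlen( $presented ) ) {
        return false;
    }
    $diff = 0;
    for ( $i = 0; $i < $len; $i++ ) {
        $diff |= ord( $stored[$i] ) ^ ord( $presented[$i] );
    }
    return $diff === 0;
}

// Demonstration with constructed tokens (not real MediaWiki values):
// a 32-character hex token and a copy that differs only in its last byte.
$stored = bin2hex( random_bytes( 16 ) );
$wrong  = substr( $stored, 0, 31 ) . ( $stored[31] === 'f' ? '0' : 'f' );
printf( "same token, hash_equals: %s\n", tokenMatches( $stored, $stored ) ? 'match' : 'no match' );
printf( "altered token, hash_equals: %s\n", tokenMatches( $stored, $wrong ) ? 'match' : 'no match' );
printf( "altered token, manual loop: %s\n", tokenMatchesManual( $stored, $wrong ) ? 'match' : 'no match' );
```

The hash_compare() named in the 1.26.1 note is MediaWiki's own wrapper serving this purpose; on PHP 5.6 and later the built-in hash_equals() gives the same guarantee, and that is what new code should call.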
-------------------------------------------------------------------
Tue May 26 09:43:35 UTC 2015 - jweberhofer@weberhofer.at
- update to release 1.25.1
MediaWiki 1.25 includes all changes released in the smaller 1.25wmf*
software deployments to Wikimedia sites over six months, totaling
approximately 2200 changes.
* Indicators – Templates that add icons to the top right corner of the page
(and more) can be updated to use the new page status indicators feature.
* Enhanced recent changes – MediaWiki now uses by default the extended
watchlist and so called enhanced recent changes (preference "Group changes
by page in recent changes and watchlist"), which also received several
improvements in MediaWiki 1.24 and 1.25 (task 37785). This means that
Special:RecentChanges and Special:Watchlist show all the changes to each
page in a given day, sorted by page rather than chronologically. Changes to
each page are collapsed by default and a compact overview is shown, with
links to collated diffs and counts of each user's actions. Full activity
for an individual page can then be shown with a single click. Users will no
longer need to know in detail how a single change was chosen for display in
order to figure out what else may have happened to the page that day, nor
to scan a long list of non-contiguous lines on the screen in order to get a
complete picture. The change is part of MediaWiki's evolution towards an
interface which is more discoverable and less cluttered by default, while
equally easy to quickly access in full, with the help of JavaScript.
However, the (grouped) layout is an improvement for non-JavaScript users as
well.
* Live preview – While editing, you're not sure what a wikitext syntax will
produce? That's no longer a problem, now that live preview is no longer
experimental. By enabling the feature in your preferences, MediaWiki will
display the effect of your edits without fully reloading the page, so that
you can quickly correct any mistake.
* Import – The import tool is now much easier to use on content from a wiki
which has different namespaces than yours (e.g. because it's in another
language).
* Internationalization – In logging and gender support, continuing the work
in MediaWiki 1.18 and 1.19, multiple log types of Special:Log have been
migrated to the new logging system, which allows full internationalization
including word order and grammatical gender. The migration continues. See
task T26620 for a list.
* Locales – The following locales have been added: अवधी, بلوچی رخشانی and
Koyraboro Senni.
* API documentation is localized and easier to access through
Special:ApiHelp.
== What's new for system administrators? ==
* PHP 5.3.3 is now required (from 5.3.2)
* Extensions and skins are now loaded through a new registration system
* Profiling was completely overhauled to use the xhprof module.
Full release notes:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_25/RELEASE-NOTES-1.25
https://www.mediawiki.org/wiki/Release_notes/1.25
-------------------------------------------------------------------
Wed Apr 1 20:00:22 UTC 2015 - jweberhofer@weberhofer.at
- update to security release 1.24.2
- iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
JavaScript in the SVG. The issue was additionally identified by Mario
Heiderich / Cure53. MIME types are now whitelisted.
<https://phabricator.wikimedia.org/T85850>
- MediaWiki user Bawolff pointed out that the SVG filter to prevent
injecting JavaScript using animate elements was incorrect.
<https://phabricator.wikimedia.org/T86711>
- MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
attributes were expanded in MediaWiki's Html class, in combination with
LanguageConverter substitutions. <https://phabricator.wikimedia.org/T73394>
- Internal review discovered that MediaWiki's SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could be
used to inject JavaScript. This issue was also discovered by Mario Gomes
from Beyond Security. <https://phabricator.wikimedia.org/T88310>
- iSEC Partners discovered a XSS vulnerability in the way api errors were
reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
MediaWiki now detects and mitigates this issue on older versions of HHVM.
<https://phabricator.wikimedia.org/T85851>
- Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
MediaWiki versions using PBKDF2 for password hashing (the default since
1.24) are vulnerable to DoS attacks using extremely long passwords.
<https://phabricator.wikimedia.org/T64685>
- iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
under HHVM, was susceptible to "Billion Laughs" DoS attacks
(iSEC-WMF1214-13). <https://phabricator.wikimedia.org/T85848>
- Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
DoS attacks, under both HHVM and Zend PHP.
<https://phabricator.wikimedia.org/T71210>
- iSEC Partners discovered a way to bypass the style filtering for SVG
files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
the SVG. <https://phabricator.wikimedia.org/T85349>
- iSEC Partners reported that the MediaWiki feature allowing a user to
preview another user's custom JavaScript could be abused for privilege
escalation (iSEC-WMF1214-10). This feature has been removed.
<https://phabricator.wikimedia.org/T85855>
Additionally, the following extensions have been updated to fix security
issues:
- Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
names were not sanitized in Lua error backtraces, which could lead to XSS.
<https://phabricator.wikimedia.org/T85113>
- Extension:CheckUser - iSEC Partners discovered that the CheckUser
extension did not prevent CSRF attacks on the form allowing checkusers to
look up sensitive information about other users (iSEC-WMF1214-6). Since the
use of CheckUser is logged, the CSRF could be abused to defame a trusted
user or flood the logs with noise. <https://phabricator.wikimedia.org/T85858>
Additional bug fixes:
- Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to
fix loading these special pages when $wgAutoloadAttemptLowercase is false.
- (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema
change and running update.php to fix.
- (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
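Three password-handling notes on this page share one defensive pattern: iSEC-WMF1214-1 above (PBKDF2 hashing open to DoS from extremely long passwords), T127420 in the 1.26.3 entry (hash_pbkdf2() result not checked) and T115522 in the 1.26.1 entry (User::randomPassword() shorter than $wgMinimalPasswordLength). The following is an added example, not MediaWiki code, combining the three fixes; every constant and function name is an assumption, and MediaWiki's real limits are not stated on this page.

```php
<?php
// Added example (not MediaWiki code): bound password input size before an
// expensive KDF, check the KDF result, and never generate a random password
// shorter than the configured minimum. Constants and names are assumptions.

const MAX_PASSWORD_BYTES = 4096;   // assumed cap on what we are willing to hash
const PBKDF2_ITERATIONS  = 30000;  // assumed; tune for your hardware
const PBKDF2_HASH_LENGTH = 64;     // raw output bytes for sha512

/**
 * Derive a password hash. Rejecting oversized input first matters because a
 * PBKDF2 loop that calls hash_hmac() once per iteration re-processes the
 * whole password on every call, so CPU cost grows with iterations times
 * password length. An unbounded client-supplied length is therefore a DoS
 * lever unless it is capped before the work starts.
 */
function derivePasswordHash( string $password, string $salt ): string {
    if ( strlen( $password ) > MAX_PASSWORD_BYTES ) {
        throw new InvalidArgumentException( 'password exceeds ' . MAX_PASSWORD_BYTES . ' bytes' );
    }
    $hash = hash_pbkdf2( 'sha512', $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_LENGTH, true );
    // PHP 7 returns false on failure (unknown algorithm, bad iteration count);
    // PHP 8 throws instead. Storing an unchecked false would silently break
    // logins, or make every failed derivation compare equal to every other.
    if ( $hash === false ) {
        throw new RuntimeException( 'hash_pbkdf2() failed' );
    }
    return base64_encode( $salt ) . ':' . base64_encode( $hash );
}

/**
 * Generate a random password whose length is never below $minLength
 * (standing in for $wgMinimalPasswordLength): the default length is raised
 * to the minimum whenever the configuration asks for more.
 */
function generateRandomPassword( int $minLength, int $defaultLength = 10 ): string {
    $length = max( $minLength, $defaultLength );
    // Alphabet without easily confused glyphs (0/O, 1/l/I).
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen( $alphabet ) - 1;
    $out = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, $max ) ];   // CSPRNG-backed choice
    }
    return $out;
}

// Demonstration with constructed inputs.
$salt = random_bytes( 16 );
$pw = generateRandomPassword( 12 );
printf( "generated password length: %d\n", strlen( $pw ) );
printf( "stored form: %s\n", derivePasswordHash( $pw, $salt ) );
try {
    derivePasswordHash( str_repeat( 'a', MAX_PASSWORD_BYTES + 1 ), $salt );
} catch ( InvalidArgumentException $e ) {
    printf( "oversized input rejected: %s\n", $e->getMessage() );
}
```

The length cap belongs at the outermost entry point (the login and password-change forms), so that the expensive derivation is never reached for an oversized input; the check inside derivePasswordHash() is the last line of defence, not the first.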
-------------------------------------------------------------------
Sat Jan 17 11:11:17 UTC 2015 - ecsos@opensuse.org
- Upgraded to security release 1.24.1
* Fix case of SpecialAllPages/SpecialAllMessages in
SpecialPageFactory to fix loading these special pages when
$wgAutoloadAttemptLowercase is false.
* (bug T70087) Fix Special:ActiveUsers page for installations
using PostgreSQL.
-------------------------------------------------------------------
Wed Jan 14 08:40:59 UTC 2015 - jweberhofer@weberhofer.at
- Modified update-script to include vector-skin in LocalSettings.php by
default or to move vector-skins location when updating from older
mediawiki versions.
- Release 1.24.0
Full release notes at: https://www.mediawiki.org/wiki/Release_notes/1.24
Preferences made easier: MediaWiki is known to be extremely flexible and
customisable, but few users use its full potential. In 1.24, we aim to make
dozens of obscure preferences easily discoverable and obvious to use.
New features:
* Category pages can now be moved (mw#5451).
* MergeHistory for all administrators by default (mw#66155).
* Improvements have been made to the password storage system, allowing improved
security against offline attacks should a wiki's database be compromised by
attackers. Then, the default password storage algorithm was changed to
PBKDF2. PBKDF2 and Bcrypt have built-in support in PHP. The new extensible
password API makes it trivial to implement scrypt support if we wanted to.
Usability:
* The move feature and other actions are now discoverable in Vector, thanks to
a label for the dropdown where they're hidden by default (bug 44591).
* Specify default language on a per-page basis
* Redirect to Special:UserLogin when logging in is required to proceed, instead
of showing an error message
In 2014, MediaWiki development has a new focus on frontend performance:
* Improved Vector skin performance by removing collapsibleNav, which used to
collapse some sidebar elements by default. This removes -list id suffixes
like p-lang-list: instead of using things like #p-lang-list, you can do
#p-lang .body ul. If you would like CollapsibleNav back please use the
CollapsibleVector extension. (mw#39035)
Upgrade notices for MediaWiki administrators:
Breaking changes:
* Upgrade jQuery to version 1.11.x:
[[mailarchive:wikitech-l/2014-June/076842.html]]
* Support for register_globals (deprecated 5 years ago) was dropped, MediaWiki
will no longer run with it enabled.
* {{!}} is now a magic word that results in |, mainly for use in templates and
other complex templates. If your wiki has another template at Template:!, you
will need to change the name and update any usage of it. If your Template:!
is just |, it can be safely deleted.
API changes:
Starting with MediaWiki 1.24, we're cleaning up the API, and working towards an
API 2.0. See the roadmap for more details.
* Rarely used formats deprecated: dbg, dump, txt, wddx, yaml. These may be
removed in a future release.
* Token handling overhauled: the action=tokens module is now deprecated and
replaced by action=query&meta=tokens. Most actions now just take a generic
"csrf" token, and the token type is now properly documented in the
auto-generated documentation.
* And more! See the RELEASE-NOTES-1.24 file for a full list.
Directory changes:
The legacy '''skins/common/''' directory has been emptied and deleted as part
of the skin system cleanup. Files that have been present in it have been moved
elsewhere or deleted (if they were unused). If you loaded any of these files as
part of your custom skin or on-wiki CSS/JS, you should make a copy of the old
files in a non-MediaWiki directory. See the RELEASE-NOTES-1.24 file for the
full list of moved/deleted files.
Browser support deprecated or removed:
Full support for Internet Explorer 6 and Internet Explorer 7 has been removed:
it will browse MediaWiki without JavaScript. JavaScript fixes specific to it
have also been removed. Additional IE6 and IE7 fixes that exist in
MediaWiki:Common.js and similar can be safely removed.
Skins no longer loaded after upgrade?
MediaWiki 1.24 no longer uses the skin autodiscovery mechanism to load default
skins, instead requiring that the skins be manually loaded in
LocalSettings.php, much like extensions
(see [[Manual:Skin configuration#Installing skins]]).
This will require you to update LocalSettings.php after the upgrade - a
prominently displayed warning message should guide you through the process,
suggesting the exact configuration that you need to add. If you're upgrading
via a tarball release, that is all you need to do. If you're upgrading via git
or otherwise from source, note that the skins themselves have been each moved
to a separate repository and will need to be installed separately (much like
extensions, some basic ones are included in the tarball).
Composer:
If you are using extensions managed by composer, make sure to backup your
existing composer.json file as it will be overwritten on upgrade.
-------------------------------------------------------------------
Thu Oct 30 15:23:19 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to bugfix release 1.23.6
* Allow classes to be registered properly from installer (MW#67440)
* Job queue not running (HTTP 411) due to missing Content-Length: header
(MW#72274)
-------------------------------------------------------------------
Fri Oct 3 09:10:23 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to security release 1.23.5
* SECURITY: OutputPage: Remove separation of css and js module allowance.
(MW#70672)
-------------------------------------------------------------------
Thu Sep 25 11:57:47 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to security and maintenance release 1.23.4
* SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements;
normalize style elements and attributes before filtering; add checks for
attributes that contain css; add unit tests for html5sec and reported bugs.
(MW#69008)
* Make MySQLi work with non-standard socket. (MW#65998)
* GlobalVarConfig shouldn't throw exceptions for null-valued config settings.
(MW#66986)
-------------------------------------------------------------------
Mon Sep 1 08:19:06 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.23.3
* Correctly handle incorrect namespace in cleanupTitles.php. (MW#68501)
* Fix support for blobs on DatabaseOracle::update. (MW#64970)
* Display MediaWiki:Loginprompt on the login page. (MW#66574)
* wfShellExec() cuts off stdout at multiples of 8192 bytes. (MW#67870)
* Handle invalid language code gracefully in Language::fetchLanguageNames.
(MW#60629)
* Restore the number of rows shown on Special:Watchlist. (MW#62017)
* Check for boolean false result from database query in SqlBagOStuff.
-------------------------------------------------------------------
Thu Jul 31 11:43:21 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.23.2
* SECURITY: Prepend jsonp callback with comment. (MW#68187)
* SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
for loading a new page in JavaScript, instead of relying on the URL in the
link that has been clicked. (MW#66608)
* SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
(MW#65778)
* Preferences: Turn stubthreshold back into a combo box. (MW#68313)
* Fix initSiteStats.php maintenance script. (MW#65214)
* Special:ActiveUsers: Fix to work with PostgreSQL. (MW#67594)
* Inclusion of SpamBlacklist extension
-------------------------------------------------------------------
Thu Jun 26 07:26:06 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.23.1
* SECURITY: Prevent external resources in SVG files. (MW#65839)
* Special:Watchlist: Don't try to render empty row. (MW#67025)
* Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
(MW#66922)
* Filebackend: Avoid using popen() when "parallelize" is disabled.
(MW#66467)
* MimeMagic: Don't seek before BOF. This has weird side effects like only
extracting the tail of the file partially or not at all. (MW#66428)
* Removed -x flag on some php files. (MW#66182)
-------------------------------------------------------------------
Thu Jun 5 09:06:20 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.23.0
* MediaWiki 1.23 includes all changes released in the smaller 1.23wmfX
software deployments to Wikimedia sites.
* Skin autodiscovery deprecated: Skin autodiscovery, the legacy skin
installation mechanism used by MediaWiki since very early versions (around
2004), has been officially deprecated and will be removed in
MediaWiki 1.25.
- MediaWiki 1.23 will emit warnings in production if a skin using the
deprecated mechanism is found.
- See Manual:Skin autodiscovery for more information and a migration guide
for site admins and skin developers.
* Notifications: With 1.23, MediaWiki starts to behave more like a modern
website as regards notifications, to keep the editors of your wiki engaged
and always up to date about what interests them. This used to require
several custom settings.
- (MW#45020) Make preferences "Add pages I create and files I upload to my
watchlist" and "pages and files I edit" true by default.
- (MW#45022) Make preference "Email me when a page or file on my watchlist
is changed" true by default.
- (MW#49719) Watch user page and user talk page by default. This will
allow your new users to immediately start benefiting from the watchlist
and email notification features, without needing to first read all the
docs to find out that they're as useful as they are.
* Merged extensions:
- ExpandTemplates (bug 28264).
- AssertEdit (bug 27841) - documented at API:Assert.
* Interface:
- (MW#42026) Add option to only show page creations in
Special:Contributions (and API).
- Add new special page to list duplicate files,
Special:ListDuplicatedFiles.
- (MW#60333) Add new special page listing tracking categories
(Special:TrackingCategories).
* Editing:
- A new special page Special:Diff was added, allowing users to create
internal links to revision comparison pages using syntax such as
Special:Diff/12345, Special:Diff/12345/prev or Special:Diff/12345/98765.
* Help pages:
With 1.23, MediaWiki begins a process of consolidation of its help
pages. Now, most are using the Translate extension and can be easily
translated and updated in hundreds of languages.
In the coming months, we'll focus on making more of the central help
pages translatable and on linking them from the relevant MediaWiki
interfaces for better discoverability. Please help: add your own
translations; update existing pages and cover missing MediaWiki topics.
Traditionally, help pages have been scattered on countless wikis and
poorly translated; most of those on mediawiki.org were migrated with the
help of some Google Code-in students.
* CSS refresh for Vector:
- Various Vector CSS properties have been converted to LESS variables.
- The font size of #bodyContent/.mw-body-content has been increased
to 0.875em.
- The line-height of #bodyContent/.mw-body-content has been increased
to 1.6.
- The line-height of superscript (sup) and subscript (sub) are
now set to 1.
- The default color for content text (but not the headers) is now
#252525; (dark grey).
- All headers have updated sizes and margins.
- H1 and H2 headers now use a serif font.
- Body font is "sans-serif" as always.
For more information see Typography refresh.
* Configuration:
Add Config and GlobalConfig classes:
- Allows configuration options to be fetched from context.
- Only one implementation, GlobalConfig, is provided, which simply
returns $GLOBALS[$name]. There can be more classes in the future,
possibly a database-based one. For convenience the "wg" prefix is
automatically added.
- This adds the $wgConfigClass global variable which is used to determine
which implementation of Config to use by default.
- The ContextSource getConfig and setConfig methods were introduced.
Full release notes:
https://git.wikimedia.org/blob/mediawiki%2Fcore.git/1.23.0/RELEASE-NOTES-1.23
https://www.mediawiki.org/wiki/Release_notes/1.23
-------------------------------------------------------------------
Sat May 31 09:21:57 UTC 2014 - ecsos@schirra.net
- Upgraded to release 1.22.7 - security and maintenance release
* SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
(MW#65501)
* Add space between two feed links. (MW#36356)
* Email notifications were not correctly handling the
[[MediaWiki:Helppage]] message being set to a full URL. This is a
regression from the 1.22.5 point release, which made the default value
for it a URL. If you customized [[MediaWiki:Enotif body]] (the text of
email notifications), you'll need to edit it locally to include the URL
via the new variable $HELPPAGE instead of the parser functions fullurl
and canonicalurl; otherwise you don't have to do anything. (MW#63269)
* Add missing uploadstash.us_props for PostgreSQL.
* Fixed stream wrapper in PhpHttpRequest. (MW#56047)
-------------------------------------------------------------------
Wed Apr 30 10:22:35 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.22.6 - security release
* SECURITY: escape sortKey in pageInfo. (MW#63251)
-------------------------------------------------------------------
Fri Mar 28 13:48:52 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.22.5 - security and maintenance release
* SECURITY: Add CSRF token on Special:ChangePassword. (MW#62497)
* Set a title for the context during import on the cli. (MW#62467)
* Fix custom local MediaWiki:Help values.
* mediawiki.js: Fix documentation breakage.
* Make MySQLi work with non standard port. (MW#58153)
* Reintroduced a link to help pages in the default sidebar, that any sysop
can customize by editing [[MediaWiki:Sidebar]] locally. The link now points
to a mediawiki.org page which is guaranteed to exist. Nothing needs to be
done on your end, but remember to adjust [[MediaWiki:Sidebar]] for the
needs of your wikis. Everyone can help with the shared documentation by
translating:
https://www.mediawiki.org/wiki/Special:Translate/agg-Help_pages (MW#53887)
* Corrected a regression in 1.22 which introduced red links on the login
page. If you previously installed 1.22.x and have created a local page to
make the red link blue, write its title as in [[MediaWiki:helplogin-url]]
if you didn't already. Otherwise, you don't need to do anything, but you
can translate the help page at
https://www.mediawiki.org/wiki/Help:Logging_in . (MW#53888)
-------------------------------------------------------------------
Fri Mar 14 05:08:11 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.22.4 - security update
* The correct branch of each extension's git repository (e.g. REL1_19 for
1.19.13) was used.
-------------------------------------------------------------------
Thu Mar 6 14:21:58 UTC 2014 - jweberhofer@weberhofer.at
- Fixed a bug in the makealias script
-------------------------------------------------------------------
Fri Feb 28 14:25:07 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.22.3 - security update
* SECURITY: Disallow uploading SVG files using non-whitelisted namespaces.
Also disallow iframe elements. User will get an error including the
namespace name if they use a non-whitelisted namespace. (MW#60771)
* SECURITY: Make token comparison use constant time. It seems like our token
comparison would be vulnerable to timing attacks. This will take constant
time. (MW#61346)
* SECURITY: API: Don't find links in the middle of api.php links. (MW#61362)
* Add sequence support for upsert in DatabaseOracle in the same way as in
selectInsert (MW#53710)
* Various fixes to job running code in Wiki.php: Make it async on Windows.
Fixed possible "invalid filename" errors on Windows. Redirect output to
/dev/null to avoid hanging PHP. (MW#60231, MW#58719)
* Correct sequence name for fresh Postgres installation. Spotted by gebhkla
(MW#60083)
* Avoid variable naming conflicts in DatabasePostgres::selectSQLText. Spotted
by gebhkla (MW#60531)
* Fix rebuildall.php fatal error with PostgreSQL. The fix for MW#47055
introduced a fatal error when running rebuildall.php. This is a workaround
suggested by gebhkla on Bugzilla. It just checks to make sure $options is
actually an array before calling array_search on it. (MW#60094)
* Add error handling if descriptionmsg isn't defined for extension.
(MW#43817c12)
* Special:PrefixIndex omits stripprefix=1 for "Next page" link. (MW#60543)
-------------------------------------------------------------------
Wed Jan 29 10:33:57 UTC 2014 - jweberhofer@weberhofer.at
- upgraded to release 1.22.2 - security update
* Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way. (CVE-2014-1610, bug 60339)
* Check for very old PCRE versions in installer and updater (bug 58253)
* Make WikiPage::$mPreparedEdit public (bug 60054)
-------------------------------------------------------------------
Tue Jan 14 09:43:00 UTC 2014 - jweberhofer@weberhofer.at
- Upgraded to release 1.22.1 - security update
* bug MW-55332 allowed insertion of escaped CSS values which could pass the CSS
validation checks, resulting in XSS. (CVE-2013-6451)
* SVG files could be uploaded that include external stylesheets, which could
lead to XSS when an XSL was used to include JavaScript. (CVE-2013-6452) MW-57550
* SVG sanitization could be bypassed when the XML was considered invalid.
(CVE-2013-6453) MW-58553
* CSS sanitization did not filter -o-link attributes, which could be used to
execute JavaScript in Opera 12. (CVE-2013-6454), MW-58472
* MediaWiki displayed some information about deleted pages in the log API,
enhanced RecentChanges, and user watchlists. (CVE-2013-6472, MW-58699)
* Bawolff discovered an XSS vulnerability with the way the extension stored
and used HTML for showing videos. (CVE-2013-4574, MW-56699)
* NULL pointer dereference in php-luasandbox, which could be used for DoS
attacks. (CVE-2013-4570, MW-54527)
* Buffer Overflow in php-luasandbox. It's not known if this could be used for
code execution on the server. (CVE-2013-4571, MW-49705)
* MediaWiki usernames could be leaked to other websites. JavaScript returned
for CentralAuth's login would update the page DOM with the username, even
when included on other sites. (CVE-2013-6455, MW-57081)
* Ravindra Singh Rathore reported a missing CSRF check to Mozilla, who
reported the issue to us. Several other forms in the extension were also
fixed. (MW-57025)
* 1.22 tarball offers Extension SimpleAntiSpam which is supposed to be in core.
(MW-59945)
* Restore compatibility with curl < 7.16.2. (MW-58178)
* Updated the plural rules to CLDR 24. They are in a new format which is
detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the
JavaScript evaluator were updated to support the new format. Plural rules for
some languages have changed, most notably Russian. Affected software messages
have been updated and marked for review at translatewiki.net. This change is
backported from the development branch of MediaWiki 1.23. (MW-56931)
* The broken installer for database backend Oracle was fixed. (MW-58434)
* The web installer no longer throws an exception when PHP is compiled
without support for MySQL yet with support for another DBMS. (MW-58167)
* Fixed a compatibility issue with PCRE 8.34 that caused pages to appear
blank or with missing text. (MW-58640)
* Changed FOR UPDATE handling in Postgresql (MW-47055)
-------------------------------------------------------------------
Mon Dec 9 08:34:19 UTC 2013 - jweberhofer@weberhofer.at
- Upgraded to release 1.22.0
* Anti-spam and countervandalism improvements (Newly bundled: SimpleAntiSpam)
* Editing improvements
* Upgrades to Vector and other skins
- The old Vector extension has been merged into core, and the extension has
been discontinued. If you were previously using the Vector extension, you
must uninstall it (the extension, not the skin) before upgrading to 1.22.
* Support for Composer
* PHP JSON extension now required
* Several ancient skins removed
* Blank system messages must be deleted
* Protection rights usage has changed
* Special:Disambiguations has been removed
- For details see releasenotes at:
https://www.mediawiki.org/wiki/Release_notes/1.22
-------------------------------------------------------------------
Wed Sep 4 09:03:33 UTC 2013 - jweberhofer@weberhofer.at
- Updated to release 1.21.2
* SECURITY: Fix extension detection with 2 .'s
* SECURITY: Support for the 'gettoken' parameter to action=block and
action=unblock, deprecated since 1.20, has been removed.
* SECURITY: Sanitize ResourceLoader exception messages
* Purge upstream caches when deleting file assets.
* Unit test suite now runs the AutoLoader tests. Also fixed the autoloading
entry for the PageORMTableForTesting class though it had no impact.
-------------------------------------------------------------------
Tue Jun 11 14:02:10 UTC 2013 - jweberhofer@weberhofer.at
- Updated to release 1.21.1
* An incorrect version number was used for 1.21.0.
1.21.1 has the correct number.
* A problem with the Oracle SQL table creation was fixed.
* PdfHandler extension: Fix warning if pdfinfo fails but pdftext succeeds.
-------------------------------------------------------------------
Mon May 27 14:18:11 UTC 2013 - jweberhofer@weberhofer.at
- Updated to release 1.21.0
* The full release notes can be found here:
Updated to release candidate 1.21.0
- Highlights:
* Clearer email notifications
* The CologneBlue skin has been refactored
* ContentHandler: As part of the Wikidata initiative, 1.21 adopts an
extensible framework ("ContentHandler") so that pages can contain something
other than wikitext.
* Support for high DPI displays
* Ajax patrolling: With this new feature, users can mark revisions or pages
as having been "patrolled" with a single click while staying on the current
page.
* Improved Internationalization
* It's now easier to create accounts for other users by sending a temporary
password via e-mail
* More wikitext now supported in JavaScript messages
* Using semantic headings for the navigation menu
* Extended collation support
* Newly bundled extensions
- Cite
- ImageMap
- Interwiki
- Title Blacklist
- SpamBlacklist
- Poem
- InputBox
- LocalisationUpdate
- SyntaxHighlight GeSHi
-------------------------------------------------------------------
Tue Apr 2 08:28:52 UTC 2013 - jweberhofer@weberhofer.at
- Updated to release candidate 1.21.0rc1
-------------------------------------------------------------------
Mon Mar 4 20:10:58 UTC 2013 - jweberhofer@weberhofer.at
- Maintenance release 1.20.3
* New preference type - 'api'. Preferences of this type are not shown on
Special:Preferences, but are still available via the action=options API.
* #44010 Context is passed to UserGetLanguageObject.
* The recursion guard on RequestContext::getLanguage() was weakened.
* #40585 Don't drop 'step="any"' in HTML input fields.
* #44024 Fixed problems in ObjectCache when using XCache.
* #44135 Fixed problems in CurlHttpRequest that caused InstantCommons
to no longer work by default.
* #44010 FauxRequest leaked cookie data from primary request.
-------------------------------------------------------------------
Wed Dec 5 21:54:34 UTC 2012 - jweberhofer@weberhofer.at
- Maintenance release 1.20.2
* #42638 Fixes action=options&reset=1 in the API, and fixes unit tests.
* #42370 Fixes backport of 60cc060 to use mDoneWrites instead of
mTrxDoneWrites.
-------------------------------------------------------------------
Fri Nov 30 10:18:13 UTC 2012 - jweberhofer@weberhofer.at
- Security release 1.20.1
* #42202: Validate options to prevent html injection
* #40995: Prevent session fixation in Special:UserLogin (CVE-2012-5391)
* #41400: Prevent linker regex from exceeding PCRE backtrack limit
* #40632: Remove CleanupPresentationalAttributes feature
* JavaScript Lint fixes
* [Database] Fixed case where trx idle callbacks might be lost.
-------------------------------------------------------------------
Wed Nov 7 16:26:39 UTC 2012 - jweberhofer@weberhofer.at
- openSUSE distribution:
* simplified Apache configuration, using /w/ and /wiki/
directories
* updated documentation
* there was a change in handling file-uploads. See:
README.DISTRIBUTION.
- Minimum PHP version is now 5.3.2.
- New diff view, greatly improved in clarity especially for
whitespace and other small changes and color-blind users.
- New special page Special:MostInterwikis.
- New magic word {{PAGEID}} which gives the current page ID.
- The info action has been reimplemented.
- Internationalization:
* New languages supported: Emilian (egl), Tornedalen Finnish (fit),
Mizo (lus), Santali (sat), Turoyo (tru)
* New Cyrillic-Latin language converter for Uzbek (uz)
-------------------------------------------------------------------
Mon Oct 22 13:30:45 UTC 2012 - jweberhofer@weberhofer.at
- Update documentation (thanks to Platonides)
- Simplified Alias-Configuration,
separated pages (/wiki) and resources (/w)
-------------------------------------------------------------------
Thu Sep 6 14:55:57 UTC 2012 - jweberhofer@weberhofer.at
- Fixed requires ImageMagick-Magick++ --> ImageMagick; the old
requirement was incomplete.
-------------------------------------------------------------------
Fri Aug 31 06:19:20 UTC 2012 - jweberhofer@weberhofer.at
- Security release 1.19.2
* bug #39700: File: link to non-existing file can inject html
* bug #39823: Hidden block text leaking to admins
* bug #39184: LDAP password leakage
* bug #39180: Disallow framing of api results
* bug #37587: Enforce language codes to be html safe
* bug #39824: Check global blocks on account creation
-------------------------------------------------------------------
Mon Jun 25 21:56:00 UTC 2012 - jweberhofer@weberhofer.at
- Release 1.19.1
* (bug 36568) Fixed "Illegal string offset 'LIMIT'" warnings in updater
* (bug 36938) Correctly escape uselang attribute to prevent xss
* Expanded Blacklist for SVG Files
-------------------------------------------------------------------
Fri May 4 20:08:48 UTC 2012 - jweberhofer@weberhofer.at
- Added /extensions folder to the Apache Alias Configuration
-------------------------------------------------------------------
Thu May 3 07:47:30 UTC 2012 - jweberhofer@weberhofer.at
- Release 1.19.0
* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
and render as PNG by default.
* MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
cache is used (used in the API and the Interwiki extension).
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
content language.
* Time and number-formatting magic words also now depend on the page
content language.
* Bidirectional support further improved after 1.18.
- #36475 - Generating thumbnails does not work when there is no access to /tmp
-------------------------------------------------------------------
Wed May 2 07:12:59 UTC 2012 - jweberhofer@weberhofer.at
- Security release 1.18.3
* (bug 35446) Using "{{nse:}}" with an invalid namespace name no longer throws
a PHP warning.
* (bug 35567) The whole password reminder e-mail is now sent in the same language.
* (bug 35961) Hash comparison should always be strict.
* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php
on line 598.
* Fix broken email confirmation expiration caused by MWCryptRand changes.
-------------------------------------------------------------------
Fri Mar 23 12:51:06 UTC 2012 - jweberhofer@weberhofer.at
- Security release 1.18.2
* #33686 could not get a list of contributors for an article when using
a SQLite database.
* #33865 Exception thrown in action=parse when attempting to use the title
parameter without setting the text parameter.
* UserMailer could potentially throw a fatal error when a MailAddress object had
an empty email address.
* #33087 Exchange server rejected mail sent by MediaWiki
* #34528 Edit section tooltips show correct section name again
* #34246 MediaWiki:Whatlinkshere-summary message is displayed again in
Special:Whatlinkshere
* #22555 Remove or skip strip markers from tag hooks like <nowiki> in
core parser functions which operate on strings, such as formatnum.
* #34212 ApiBlock/ApiUnblock allow action to take place without a token
parameter present.
* #34907 Fixed exposure of tokens through load.php that could have facilitated
CSRF attacks.
* #35317 CSRF in Special:Upload.
-------------------------------------------------------------------
Wed Feb 1 15:04:04 UTC 2012 - jweberhofer@weberhofer.at
- Improved extension handling (use a separate directory)
- Improved scripts, fixed some minor bugs
- Improved handling of old extension replacement
-------------------------------------------------------------------
Tue Jan 31 11:43:19 UTC 2012 - jweberhofer@weberhofer.at
- Fixed bug 32486 - WebRequest::getPathInfo() broken in img_auth.php on DreamHost
-------------------------------------------------------------------
Wed Jan 11 22:47:18 UTC 2012 - jweberhofer@weberhofer.at
- 1.18.1
* (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution.
* (bug 32712) Fix for search indexing of pages with certain unicode chars following URL.
* (bug 3901) Lang, hreflang attribs added to sidebar interlanguage links for screen readers.
* (bug 30774) mediawiki.html: Add support for numbers and booleans in the
attribute values and element contents.
* (bug 32473) [[Special:PasswordReset]] can not be used on private wiki.
* (bug 32853) Fixed CACHE_DBA object cache type.
* (bug 32786) Backward compatibility for extension using 1.17's Database::newFromType().
* Fixed exception when using Special:WhatLinksHere on a Media: file.
* (bug 32709) Private Wiki users were always taken to Special:Badtitle on login.
* (bug 33240) Sort images are missing but referenced in css.
* (bug 31921) Magic words REVISIONDAY, REVISIONMONTH and REVISIONYEAR were
not showing their values on preview.
* (bug 32702) Removed method Skin::makeGlobalVariablesScript() has been readded
for backward compatibility.
* (bug 30172) The check for posix_isatty() in maintenance scripts did not detect
when the function exists but is disabled. Introduced Maintenance::posix_isatty().
* (bug 33305) Make mw.util.addCSS resistant to IE's @font-face bug by setting
cssText after DOM insertion.
* (bug 29102) Upgrades no longer fail with the error "Unknown character set: 'mysql4'".
* (bug 25355) Parser generates edit section links for special pages.
* (bug 33321) Adding a line to MediaWiki:Sidebar that contains a pipe, but doesn't
have any pipes after being transformed by MessageCache, causes exception on
all pages.
* Fixed recentchanges FK violation on page delete and cache purge error in updater
for Oracle DB.
-------------------------------------------------------------------
Mon Dec 19 13:53:06 UTC 2011 - jweberhofer@weberhofer.at
- Fixed an update.sh script error
-------------------------------------------------------------------
Wed Nov 30 08:17:54 UTC 2011 - jweberhofer@weberhofer.at
- Updated Math-installation description
-------------------------------------------------------------------
Tue Nov 29 14:12:58 UTC 2011 - jweberhofer@weberhofer.at
- 1.18.0
* jQuery 1.6.4 is now included as standard
* action=watch / action=unwatch now requires a token
* Included Extensions:
- ConfirmEdit
- Gadgets
- Nuke
- ParserFunctions
- Renameuser
- Vector
- WikiEditor
* Better gender support
* Improved file metadata support
* Improved directionality support
* Easily find where to customize interface messages
* New plugin for collapsible elements
* Protocol-relative URLs
* More personalisable styles and scripts
* $wgEnableDublinCoreRdf and $wgEnableCreativeCommonsRdf
no longer work in core
* $wgUseTeX has been superseded by the Math extension
* New languages
The full announcement can be found at
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000105.html
-------------------------------------------------------------------
Tue Nov 29 10:09:31 UTC 2011 - jweberhofer@weberhofer.at
- 1.17.1
* (bug 32276) Page titles on private wikis are exposed with
index.php?curid=
* (bug 32616) - action=ajax bypasses read permissions
-------------------------------------------------------------------
Mon Oct 10 15:15:00 2011 - opendevel@weberhofer.at
- Improved documentation
- Moved texvc to the /usr/bin directory
- Improved pre-configuration
- Fixed some paths which changed with Mediawiki 1.17
- Improved makealias.sh script
-------------------------------------------------------------------
Tue Jul 05 14:51:00 2011 - opendevel@weberhofer.at
- Fixed Bug 29531 - r89628 breaks img_auth.php
-------------------------------------------------------------------
Sun Jul 03 00:23:00 2011 - opendevel@weberhofer.at
- improved update script
-------------------------------------------------------------------
Wed Jun 22 08:29:00 2011 - opendevel@weberhofer.at
- 1.17.0
* Fixed syntax error in generated LocalSettings.php when a non-default
user rights profile is chosen.
* (bug 29399) Fixed PostgreSQL installation when the DB user for
installation is the same as the one for web access.
* (bug 29233) Fixed failover for DB slave servers. When a DB slave
went down, an error was immediately shown to the user, instead of
trying another slave. Was broken since 1.17 beta 1.
* (bug 29278) Fixed PHP fatal error when attempting to add text to a
page via a redirect.
* (bug 29408) Fixed uploads of files with MIME types that aren't
detected by MediaWiki.
-------------------------------------------------------------------
Wed Jun 15 14:22:00 2011 - opendevel@weberhofer.at
- fixed a bug related to the texvc-configuration
- included patch to fix update on oss 11.4
-------------------------------------------------------------------
Wed Jun 15 12:00:00 2011 - opendevel@weberhofer.at
- 1.17.0rc1
* A new installer has been introduced.
* ResourceLoader, a new framework for delivering client-side resources
such as JavaScript and CSS, has been introduced.
* Category sorting has been improved.
* The lowest supported version of PHP is now 5.2.3.
* The full list of features is here:
http://www.mediawiki.org/wiki/Release_notes/1.17
- The update-script removes inclusion of DefaultSettings.php from code
- The update-script moves the cache-folder out of the web-root
- Some improvements within the scripts have been made
-------------------------------------------------------------------
Thu May 05 00:00:00 2011 - opendevel@weberhofer.at
- 1.16.5
* Bug 28534 - XSS in MediaWiki
* Bug 28639 - Trivial account takeover using forged cookies possible
when $wgBlockDisablesLogin = true
- Renamed and cleaned up additional scripts
-------------------------------------------------------------------
Sat Apr 30 00:00:00 2011 - opendevel@weberhofer.at
- Removed building of ZhConversion.php again, removed build-folder
- Added patch #87145, which automatically disables xcache on cli-invokes
-------------------------------------------------------------------
Fri Apr 29 00:00:00 2011 - opendevel@weberhofer.at
- Re-packaged sources in bz2 file
- Build ZhConversion.php
- Deny access to cache-folder
-------------------------------------------------------------------
Thu Apr 14 00:00:00 2011 - opendevel@weberhofer.at
- 1.16.4
* Bug 28507 - XSS: Incorrect patch for bug 28235
- RPM Packaging
* The proposed apache configuration contains the new RewriteRule to
workaround the vulnerability
-------------------------------------------------------------------
Tue Apr 12 00:00:00 2011 - opendevel@weberhofer.at
- 1.16.3
* Bug 28235 - XSS: IE6 looks for the file extension in the query string
* Bug 28450 - Backslash-escaped comments allow CSS injection vulnerability
* Bug 28449 - Unauthorised access to transwiki import
- RPM Packaging
* Mediawiki_MakeAlias.sh script to generate new mediawikis has been added
* Mediawiki_Update.sh script has been added to update all wikis
* spec file has been simplified
* configuration file has been improved
-------------------------------------------------------------------
Wed Feb 02 00:00:00 2011 - opendevel@weberhofer.at
- 1.16.2
- (bug 26642) Fixed incorrect translated namespace due to a regression in the
language converter.
- The interface translations were updated.
- (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
- (bug 27094) Fixed server-side arbitrary script inclusion vulnerability.
Affects Windows servers only. A malicious file with extension ".php" must
exist on the server for the exploit to be effective.
-------------------------------------------------------------------
Mon Jan 24 00:00:00 2011 - opendevel@weberhofer.at
- 1.16.1
- (bug 26561) Clickjacking vulnerabilities
- (bug 24981) Allow extensions to access SpecialUpload variables again
- (bug 24724) list=allusers was out by 1 (shows total users - 1)
- (bug 24166) Fixed API error when using rvprop=tags
- For wikis using French as a content language, Special:Téléchargement
works again as an alias for Special:Upload.
- (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in
1.16.0)
- (bug 25248) Fixed paraminfo errors in certain API modules.
- The installer now has improved handling for situations where
safe_mode is active or exec() and similar functions are disabled.
- (bug 19593) Specifying --server now works for all maintenance
scripts.
- Fixed $wgLicenseTerms register globals.
-------------------------------------------------------------------
Mon Oct 18 00:00:00 2010 - opendevel@weberhofer.at
- replace image duplicates with symlinks
- move .htaccess rules into central configuration
- add api.php as a direct alias
-------------------------------------------------------------------
Sun Oct 17 00:00:00 2010 - opendevel@weberhofer.at
- move docs to default docs directory
- some fixes in documentation
- Added fdupes
-------------------------------------------------------------------
Sat Oct 16 00:00:00 2010 - opendevel@weberhofer.at
- include math extension's directory in the mediawiki package
- Improve Apache configuration
- Improve Documentation for short URLs
- Make the cache directory visible
-------------------------------------------------------------------
Wed Oct 13 00:00:00 2010 - opendevel@weberhofer.at
- Moved texvc to a separate package
- build a noarch package
-------------------------------------------------------------------
Mon Oct 11 00:00:00 2010 - opendevel@weberhofer.at
- Initial package derived from an old opensuse version
- New, FHS compliant structure
- Update to mediawiki 1.16