79 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
wen
|
b05c94b8a8 |
Update to 1.32.0
Upstream changelog is too long, please visit: https://www.mediawiki.org/wiki/Release_notes/1.32 |
||
wen
|
eb1b5a4bd0 |
Update to 1.31.1
Update my email
Upstream changelog is too long, please visit: https://www.mediawiki.org/wiki/Release_notes/1.31 |
||
wiz
|
93b46879c7 | Recursive bump for perl5-5.28.0 | ||
jperkin
|
5393242c73 |
*: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed. |
||
wen
|
66e982bd26 |
Update to 1.30.0
Upstream changes: MediaWiki 1.30.0 Changes since MediaWiki 1.30.0-rc.0 Upgraded Moment.js from v2.15.0 to v2.19.3. Add ip_changes to postgres/tables.sql. Skip null shell parameters. Add wfWaitForSlaves() to maintenance/migrateComments.php. (T182245) Fix join conditions in ImageListPager. (T178626) Revert #contentSub and #jump-to-nav margin changes. MySQL version requirement in 1.30 As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility section). Configuration changes in 1.30 The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid unexpected behavior when code uses locale-sensitive string comparisons. For example, the Scribunto extension considers "bar" < "Foo" in most locales since it ignores case. $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See documentation of $wgShellLocale for details. $wgShellLocale is now applied for all requests. wfInitShellLocale() is deprecated and a no-op, as it is no longer needed. $wgJobClasses may now specify callback functions as an alternative to plain class names. This is intended for extensions that want control over the instantiation of their jobs, to allow for proper dependency injection. $wgResourceModules may now specify callback functions as an alternative to plain class names, using the 'factory' key in the module description array. This allows dependency injection to be used for ResourceLoader modules. $wgExceptionHooks has been removed. (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size of IP ranges that can be queried at Special:Contributions. (T45547) $wgUsePigLatinVariant added (off by default). (T152540) MediaWiki now supports a section ID escaping style that allows to display non-Latin characters verbatim on many modern browsers. This is controlled by the new configuration setting, $wgFragmentMode. 
$wgExperimentalHtmlIds is now deprecated and will be removed in a future version, use $wgFragmentMode to migrate off it to a modern alternative. $wgExternalInterwikiFragmentMode was introduced to control how fragments in interwikis going outside of current wiki farm are encoded. (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly requested through the configuration parameter $wgDBservers. However some maintenance scripts (bitnami?) still may rely on "mysql". $wgOOUIEditPage was removed, as it is now the default. This was documented as a temporary variable during the migration period. New features in 1.30 (T37247) Output from Parser::parse() will now be wrapped in a div with class="mw-parser-output" by default. This may be changed or disabled using ParserOptions::setWrapOutputClass(). (T163562) Added ability to search for contributions within an IP range at Special:Contributions. Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-specific tags to be added by users. Added a 'ParserOptionsRegister' hook to allow extensions to register additional parser options. (T45547) Included Pig Latin, a language game in English, as a LanguageConverter variant. This allows English-speaking developers to develop and test LanguageConverter more easily. Pig Latin can be enabled by setting $wgUsePigLatinVariant to true. Added RecentChangesPurgeRows hook to allow extensions to purge data that depends on the recentchanges table. Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages. (T2424) Added direct unwatch links to entries in Special:Watchlist (if the 'watchlistunwatchlinks' preference option is enabled). With JavaScript enabled, these links toggle so the user can also re-watch pages that have just been unwatched. 
Added $wgParserTestMediaHandlers, where mock media handlers can be passed to MediaHandlerFactory for parser tests. Edit summaries, block reasons, and other "comments" are now stored in a separate database table. Use the CommentFormatter class to access them. This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis can set this to MIGRATION_NEW and run maintenance/migrateComments.php as soon as any necessary extensions are updated. (T138166) Added ability for users to prohibit other users from sending them emails with Special:Emailuser. Can be enabled by setting $wgEnableUserEmailBlacklist to true. (T67297) $wgBrowserBlackList is deprecated, and changing it will have no effect. Instead, users using browsers that do not support Unicode will be unable to edit and should upgrade to a modern browser instead. External library changes in 1.30 Upgraded external libraries Updated justinrainbow/json-schema from v3.0 to v5.2. Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0. Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1. Updated wikimedia/relpath from v1.0.3 to v2.0.0. Updated OOjs from v2.0.0 to v2.1.0. Updated OOUI from v0.21.1 to v0.23.0. Updated QUnit from v1.23.1 to v2.4.0. Updated phpunit/phpunit from v4.8.35 to v4.8.36. Upgraded Moment.js from v2.15.0 to v2.19.3. New external libraries The class \TestingAccessWrapper has been moved to the external library wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper. Purtle, a fast, lightweight RDF generator. Removed and replaced external libraries … Bug fixes in 1.30 (T151633) Ordered list items use now Devanagari digits in Nepalese (thanks to Sfic) Action API changes in 1.30 (T37247) action=parse output will be wrapped in a div with class="mw-parser-output" by default. This may be changed or disabled using the new 'wrapoutputclass' parameter. 
When errorformat is not 'bc', abort reasons from action=login will be formatted as specified by the error formatter parameters. action=compare can now handle arbitrary text, deleted revisions, and returning users and edit comments. (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto', 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree' parameters to prop=revisions are deprecated, as are the similarly named parameters to prop=deletedrevisions, list=allrevisions, and list=alldeletedrevisions. Use action=compare, action=parse, or action=expandtemplates instead. Action API internal changes in 1.30 ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are deprecated. The existing message should be split between "apihelp-*-summary" and "apihelp-*-extended-description". (T123931) Individual values of multi-valued parameters can now be marked as deprecated. Languages updated in 1.30 MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. Added: kbp (Kabɩyɛ / Kabiyè) Added: skr (Saraiki, سرائیکی) Added: tay (Tayal / Atayal) Removed: tokipona (Toki Pona) Pig Latin added (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin), for easier variant development and testing. Disabled by default. It can be enabled by setting $wgUsePigLatinVariant to true. Other changes in 1.30 The use of an associative array for $wgProxyList, where the IP address is in the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]). Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]). mw.user.bucket (deprecated in 1.23) was removed. LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are deprecated. There are no known callers. File::getStreamHeaders() was deprecated. MediaHandler::getStreamHeaders() was deprecated. Title::canTalk() was deprecated. 
The new Title::canHaveTalkPage() should be used instead. MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace() should be used instead. The ExtractThumbParameters hook (deprecated in 1.21) was removed. The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both deprecated in 1.24) were removed. wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and BagOStuff::makeGlobalKey() should be used instead. (T146304) Preprocessor handling of LanguageConverter markup has been improved. As a result of the new uniform handling, '-{' may need to be escaped (for example, as '-<nowiki/>{') where it occurs inside template arguments or wikilinks. (T163966) Page moves are now counted as edits for the purposes of autopromotion, i.e., they increment the user_editcount field in the database. Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for manipulating Special:Log and Special:NewPages lines. The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData, PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding hooks have an additional parameter, for manipulating HTML data attributes of RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the $data['attribs'] subarray. (T130632) The OutputPage::enableTOC() method was removed. WikiPage::getParserOutput() will now throw an exception if passed ParserOptions that would pollute the parser cache. Callers should use WikiPage::makeParserOptions() to create the ParserOptions object and only change options that affect the parser cache key. Article::viewRedirect() is deprecated. IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange(). DeprecatedGlobal no longer supports passing in a direct value, it requires a callable factory function or a class name. The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton() are all deprecated. 
The main ParserCache instance should be obtained from MediaWikiServices instead. Access to the underlying BagOStuff is possible through the new ParserCache::getCacheStorage() method. .mw-ui-constructive CSS class (deprecated in 1.27) was removed. Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(), escapeIdForLink() or escapeIdForExternalInterwiki() instead. Title::escapeFragmentForURL() was deprecated, use one of the aforementioned Sanitizer functions or, if possible, Title::getFragmentForURL(). Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does nothing and is deprecated. mw.util.escapeId() was deprecated, use escapeIdForAttribute() or escapeIdForLink(). MagicWord::replaceMultiple() (deprecated in 1.25) was removed. WikiImporter now requires the second parameter to be an instance of the Config class. Prior to that, the Config parameter was optional (a behavior deprecated in 1.25). Removed 'jquery.mwExtension' module. (deprecated since 1.26) mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette any more. CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed. The namespaced classes in the Cdb namespace should be used instead. IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet should be used instead. RunningStat class (deprecated in 1.27) was removed. The namespaced RunningStat\RunningStat should be used instead. MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed. The MemcachedClient class should be used instead. EditPage underwent some refactoring and deprecations: EditPage::isOouiEnabled() is deprecated and will always return true. EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please use ::getSummaryInputWidget() instead. EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please use ::getCheckboxesWidget() instead. 
Creating an EditPage instance without calling EditPage::setContextTitle() should be avoided and will be deprecated in a future release. EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops. EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The corresponding methods from Title should be used instead. EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement. EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters ::getArticle() and ::getTitle() should be used instead. Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The IContextSource returned from EditPage::getContext() must be modified instead. Parser::getRandomString() (deprecated in 1.26) was removed. Parser::uniqPrefix() (deprecated in 1.26) was removed. Parser::extractTagsAndParams() now only accepts three arguments. The fourth, $uniq_prefix was deprecated in 1.26 and has now been removed. (T172514) The following tables have had their UNIQUE indexes turned into proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats, templatelinks, text, transcache, user_former_groups, user_properties. IDatabase::nextSequenceValue() is no longer needed by any database backends (formerly it was needed by PostgreSQL and Oracle), and is now deprecated. (T146591) The lc_lang_key index on the l10n_cache table has been changed into a PRIMARY KEY. (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id, page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and user_properties.up_user have all been made unsigned on MySQL. DB_SLAVE is deprecated. DB_REPLICA should be used instead. wfUsePHP() is deprecated. wfFixSessionID() was removed. wfShellExec() and related functions are deprecated, use Shell::command(). 
This also slightly changes the behavior of how execution time limits are calculated when only some of defaults are overridden per-call. When in doubt, always override both wall clock and CPU time. (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending user object. Using the method without the second argument is deprecated. (T67297) Browsers that don't support Unicode will have their edits rejected. (T178450) The module 'jquery.badge' is deprecated and will be removed in a future release. For notifying the user of an event, the Notifications ("Echo") system should be used instead. (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping. (T165846) SECURITY: BotPassword login attempts weren't throttled Compatibility MediaWiki 1.30 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later. MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server. The supported versions are: MySQL 5.5.8 or later PostgreSQL 8.3 or later SQLite 3.3.7 or later Oracle 9.0.1 or later Microsoft SQL Server 2005 (9.00.1399) Upgrading 1.30 has several database changes since 1.29, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take a long time (minutes on a medium sized site, many hours on a large site). Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions, including important information when upgrading from versions prior to 1.11. For notes on 1.29.x and older releases, see HISTORY. |
||
wen
|
f178820d13 |
Update to 1.29.2
Upstream changes:
MediaWiki 1.29.2
This is a security and maintenance release of the MediaWiki 1.29 branch.
Changes since 1.29.1
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all branches in the previous security release. |
||
wen
|
69af7b59e6 |
Update to 1.29.1
Upstream changes:
MediaWiki 1.29.1
Changes since 1.29.0
* (T171197) Fix bundled extensions; SimpleAntiSpam and Vector (the extension) shouldn't have been included but were, and PdfHandler and SpamBlacklist should but weren't.
* (T164999) mw.Upload.Dialog: Define .static.name
* (T172061) refreshLinks.php: Fix fatal when using --category parameter |
||
wen
|
f1ae7f8908 |
Update to 1.29.0
Upstream changes: RELEASE-NOTES-1.29 == MediaWiki 1.29 == === Configuration changes in 1.29 === * Default cookie expiration time has been reduced to 30 days. Login cookie expiration time is kept at 180 days. * A new configuration variable has been added: $wgCookieSetOnAutoblock. This determines whether to set a cookie when a user is autoblocked. Doing so means that a blocked user, even after logging out and moving to a new IP address, will still be blocked. * The resetpassword right and associated password reset capture feature has been removed. * The $error parameter to the EmailUser hook should be set to a Status object or boolean false. This should be compatible with at least MediaWiki 1.23 if not earlier. Returning a raw HTML string is now deprecated. * The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work. * ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error. * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies. * Subpages are now enabled by default in the Template namespace. Set $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior. * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. * (T158474) "Unknown user" has been added to $wgReservedUsernames. * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs. * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be added to $wgExtraLanguageCodes instead. * (T161453) LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache. * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead. 
=== New features in 1.29 === * (T5233) A cookie can now be set when a user is autoblocked, to track that user if they move to a new IP address. This is disabled by default. * Added ILocalizedException interface to standardize the use of localized exceptions, largely so the API can handle them more sensibly. * Blocks created automatically by MediaWiki, such as for configured proxies or dnsbls, are now indicated as such and use a new i18n message when displayed. * Added new $wgHTTPImportTimeout setting. Sets timeout for downloading the XML dump during a transwiki import in seconds. * Parser limit report is now available in machine-readable format to JavaScript via mw.config.get('wgPageParseReport'). * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits from certain IP ranges (e.g. private IPs). * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code of the page being parsed. * HTML5 form validation attributes will no longer be suppressed. Originally browsers had poor support for them, but modern browsers handle them fine. This might affect some forms that used them and only worked because the attributes were not actually being set. * Expiry times can now be specified when users are added to user groups. * Completely new user interface for the RecentChanges page, which structures filters into user-friendly groups. This has corresponding changes to how filters are registered by core and extensions. * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input. Because this change can cause problems for extensions and on-wiki scripts depending on the exact HTML, the old version is still available and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php. This will be removed later and OOjs UI will become the only option. To make testing easier, users can also force either mode by adding &ooui=true or &ooui=false to the action=edit URL. 
=== External library changes in 1.29 === ==== Upgraded external libraries ==== * Updated QUnit from v1.22.0 to v1.23.1. * Updated cssjanus from v1.1.2 to v1.2.0. * Updated psr/log from v1.0.0 to v1.0.2. * Update Moment.js from v2.8.4 to v2.15.0. * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14. * Updated monolog from v1.18.2 to 1.22.1. * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0. * Updated OOjs from v1.1.10 to v2.0.0. ==== New external libraries ==== * Added wikimedia/timestamp v1.0.0. * Added wikimedia/remex-html v1.0.1. ==== Removed and replaced external libraries ==== === Bug fixes in 1.29 === * (T62604) Core parser functions returning a number now format the number according to the page content language, not wiki content language. * (T27187) Search suggestions based on jquery.suggestions will now correctly only highlight prefix matches in the results. * (T157035) "new mw.Uri()" was ignoring options when using default URI. * Special:Allpages can no longer be filtered by redirect in miser mode. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache. * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter. 
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now an error. They should be submitted in the POST body instead. * The capture option for action=resetpassword has been removed * action=clearhasmsg now requires a POST. * (T47843) API errors and warnings may be requested in non-English languages using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters. * API error codes may have changed. Most notably, errors from modules using parameter prefixes (e.g. all query submodules) will no longer be prefixed. * ApiPageSet-using modules will report the 'invalidreason' using the specified 'errorformat'. * action=emailuser may return a "Warnings" status, and now returns 'warnings' and 'errors' subelements (as applicable) instead of 'message'. * action=imagerotate returns an 'errors' subelement rather than 'errormessage'. * action=move now reports errors when moving the talk page as an array under key 'talkmove-errors', rather than using 'talkmove-error-code' and 'talkmove-error-info'. The format for subpage move errors has also changed. * action=revisiondelete no longer includes a "rendered" property on warnings and errors for each item. Use errorformat=wikitext if you're wanting parsed output. * action=rollback no longer returns a "messageHtml" property. Use errorformat=html if you're wanting HTML formatting of error messages. * action=upload now reports optional stash failures as an array under key 'stasherrors' rather than a 'stashfailed' text string. * action=watch reports 'errors' and 'warnings' instead of a single 'error', and no longer returns a 'message' on success. * Added action=validatepassword to validate passwords for the account creation and password change forms. 
* action=purge now requires a POST. * There is a new `languagevariants` siprop for action=query&meta=siteinfo, which returns a list of languages with active LanguageConverter instances. * action=query&query=allpages will no longer filter redirects using a database query in miser mode. This may result in less results being returned than were requested. === Action API internal changes in 1.29 === * New methods were added to ApiBase to handle errors and warnings using i18n keys. Methods for using hard-coded English messages were deprecated: * ApiBase::dieUsage() was deprecated * ApiBase::dieUsageMsg() was deprecated * ApiBase::dieUsageMsgOrDebug() was deprecated * ApiBase::getErrorFromStatus() was deprecated * ApiBase::parseMsg() was deprecated * ApiBase::setWarning() was deprecated * ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error. * The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work. * UsageException is deprecated in favor of ApiUsageException. For the time being ApiUsageException is a subclass of UsageException to allow things that catch only UsageException to still function properly. * If, for some strange reason, code was using an ApiErrorFormatter instead of ApiErrorFormatter_BackCompat, note that the result format has changed and various methods now take a module path rather than a module name. * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes from the message key, and maps some message keys for backwards compatibility. * API parameters may now be marked as "sensitive" to keep their values out of the logs. === extension.json changes in 1.29 === * Extensions must set a value for "manifest_version" in their extension.json or skin.json files. See <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#manifest_version> for details. 
* Extensions can now specify dependencies upon other extensions by using the "requires" key. See <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#requires> for more details. * (T151136) Functions set as the "callback" now receive that extension's credits information as the first argument. * (T149597) "PasswordPolicy" can be set in extension.json. === Languages updated in 1.29 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * Based as always on linguistic studies on intelligibility and language knowledge by geography, language fallbacks have been expanded. When a translation is missing in the user's preferred interface language, the corresponding translation for the fallback language will be used instead. English will only be used as last resort when there are no translations. Some configurations (such as date formats and gender namespaces) have also been updated when using the fallback language's configuration was inadequate. The new or reinstated language fallbacks are (after cs ↔ sk in 1.28): ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro; sh → bs, sr-el, hr. * (T137376) New language support: Atikamekw (atj). * (T163600) New language support: Dinka (din). * (T155957) Talk Namespaces for Javanese language (jv) have been updated. ==== No fallback for Ukrainian ==== * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian language will now use the default fallback language: English. When a translation to Ukrainian is not available, an English string will be shown. === Other changes in 1.29 === * Database::getSearchEngine() (deprecated in 1.28) was removed. Use SearchEngineFactory::getSearchEngineClass() instead. * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is required as all sessions are stored in Object Cache now. 
* MWHttpRequest::execute() should be considered to return a StatusValue; the Status return type is deprecated. * User::edits() (deprecated in 1.21) was removed. * Xml::escapeJsString() (deprecated in 1.21) was removed. * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21) were removed. * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21) were removed. * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom instead. * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed. * Class RevisiondeleteAction (deprecated in 1.25) was removed. * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed. * WikiPage::getText() (deprecated in 1.21) was removed. * Article::fetchContent() (deprecated in 1.21) was removed. * User::getPassword() (deprecated in 1.27) was removed. * User::getTemporaryPassword() (deprecated in 1.27) was removed. * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed. * Class FSRepo (deprecated in 1.19) was removed. * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead. * Class ImageGallery (deprecated in 1.22) was removed. Use ImageGalleryBase::factory instead. * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead. * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now emit warnings). Create a subclass of Action and add it to $wgActions instead. * WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated. * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed. * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed. 
* RedisConnectionPool::handleException (deprecated since 1.23) was removed. * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete and outdated lists of errors/warnings returned by the API, are now deprecated. * wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can be done by enabling mod_rewrite and adding the following rules to your configuration: RewriteEngine On RewriteBase / RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L] * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed. Use ArticleAfterFetchContentObject instead. * Hook ArticleInsertComplete (deprecated in 1.21) was removed. Use PageContentInsertComplete instead. * Hook ArticleSave (deprecated in 1.21) was removed. Use PageContentSave instead. * Hook ArticleSaveComplete (deprecated in 1.21) was removed. Use PageContentSaveComplete instead. * Hook EditFilterMerged (deprecated in 1.21) was removed. Use EditFilterMergedContent instead. * Hook EditPageGetPreviewText (deprecated in 1.21) was removed. Use EditPageGetPreviewContent instead. * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed. Use ContentHandlerDefaultModelFor instead. * Hook TitleIsWikitextPage (deprecated in 1.21) was removed. Use ContentHandlerDefaultModelFor instead. * Article::getContent() (deprecated in 1.21) was removed. * Revision::getText() (deprecated in 1.21) was removed. * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed. * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed. * Article::doEditContent() was marked as deprecated, to be removed in 1.30 or later. * ContentHandler::runLegacyHooks() was removed. * refreshLinks.php now can be limited to a particular category with --category=... or a tracking category with --tracking-category=... 
* User-like objects that are passed to SpecialUserRights and its subclasses are now required to have a getGroupMemberships() method. See UserRightsProxy for an example. * User::$mGroups (instance variable) was marked private. Use User::getGroups() instead. * User::getGroupName(), User::getGroupMember(), User:getGroupPage(), User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated. Use equivalent methods on the UserGroupMembership class. * Maintenance scripts and tests that call User::addGroup() must now ensure that User objects have been added to the database prior to calling addGroup(). * Protected function UsersPager::getGroups() was removed, and protected function UsersPager::buildGroupLink() was changed from a static to an instance method. * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed; see docs/hooks.txt. * User::crypt() (deprecated in 1.24) was removed. * User::comparePasswords() (deprecated in 1.24) was removed. * ArchivedFile::getUserText() (deprecated in 1.23) was removed. * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed. * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage and subclasses. It should only break if you call buildMainQueryConds (changed to buildQuery with new signature) or doMainQuery (new signature). Subclasses are likely to call at least doMainQuery (possibly both), but other classes might too, because they were public. Also, some related hooks were deprecated, but this is not yet a breaking change. * Removed 'jquery.arrowSteps' module. (deprecated since 1.28) * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated. * WikiRevision::$fileIsTemp was deprecated. * WikiRevision::$importer was deprecated. * WikiRevision::$user was deprecated. * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the WikiPage::PURGE_* constants are deprecated, and the functions will always return false. 
They were a hack for an issue that has since been fixed. * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options' if you don't actually care about checkboxes and just want to add some HTML to the page. * Selflinks are now rendered as href-less <a> tags with the class mw-selflink rather than <strong> tags. The old class name, "selflink", was deprecated and will be removed in a future release. (T160480) * (T156184) $wgRawHtml will no longer apply to internationalization messages. * Browser support for non-ES5 JavaScript browsers, including Android 2, Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C. * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755): is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari, webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs, opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera, ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent, addClickHandler, removeHandler, getElementsByClassName, getInnerText, setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons, mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes, escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix, tooltipAccessKeyRegexp, updateTooltipAccessKeys. * The ID of the <li> element containing the login link has changed from 'pt-login' to 'pt-login-private' in private wikis. * The old, neglected "bulletin board style toolbar" in the edit form is now deprecated (T30856). This old code dates from 2006, and was replaced in the MediaWiki release tarball and in Wikimedia production by the WikiEditor extension in 2010. It is only shown to users if no other editor was installed, and leads to confusion. 
* (T92459) Loading ResourceLoader modules containing JavaScript through addModuleStyles() is deprecated and will log a warning server-side. == Compatibility == MediaWiki 1.29 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later. MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server. The supported versions are: * MySQL 5.0.3 or later * PostgreSQL 8.3 or later * SQLite 3.3.7 or later * Oracle 9.0.1 or later * Microsoft SQL Server 2005 (9.00.1399) == Upgrading == 1.29 has several database changes since 1.28, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site). Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions, including important information when upgrading from versions prior to 1.11. For notes on 1.28.x and older releases, see HISTORY. |
||
wen
|
2e33991dd2 |
Update to 1.28.2 (security update)
Upstream changes: MediaWiki 1.28.2 This is a security release of the MediaWiki 1.28 branch. Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did not contain the fix for SyntaxHighlight_GeSHi. This new release does contain that fix. |
||
taca
|
6a3be6b0e6 |
Switch to use php-mysqli and remove PHP version restriction.
Bump PKGREVISION. |
||
wen
|
ef5bf638d1 |
Update to 1.18.1
Upstream changes:
MediaWiki 1.28.1
Changes since 1.28.0
* $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
* (T152717) Better escaping for PHP mail() command
* (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
* (T145635) Fix too long index error when installing with MSSQL
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter. |
||
fhajny
|
2d1e7331a3 | Remove traces of textproc/php-dom which is not needed anymore, now that dom is built into PHP. Bump resp. PKGREVISION. | ||
wen
|
24be4b8657 |
Update to 1.28.0
Upstream changes: == MediaWiki 1.28 == === Changes since 1.28.0-rc1 === * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db errors. * (T148956) Only apply wgDBschema to postgres/mssql. * (T145991) Introduce separate log action for deleting pages on move. * (T141474) (T110464) Bypass login page if no user input is required. === Changes since 1.28.0-rc0 === * (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again. * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly. * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26. * (T149759) manifest_version: 2 was removed. === Configuration changes in 1.28 === * $wgSend404Code now affects status code of action=history if the page is not there. * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported. * The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown. * The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations. * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads. 
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog. * The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension. * When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default. * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes". * The 'editcontentmodel' permission is now granted to all logged-in users ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>. * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled. * Magic links are now disabled by default, and can be re-enabled by modifying the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and explain your use case(s). * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting. === New features in 1.28 === * User::isBot() method for checking if an account is a bot role account. * Added a new 'slideshow' mode for galleries. 
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot. * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing. * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash. * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed. * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script. * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar. * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki. * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie. * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. 
=== External library changes in 1.28 === ==== Upgraded external libraries ==== * Updated es5-shim from v4.1.5 to v4.5.8 * Updated composer/semver from v1.4.1 to v1.4.2 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4 ==== New external libraries ==== * Added wikimedia/scoped-callback v1.0.0 * Added wikimedia/wait-condition-loop v1.0.1 === Bug fixes in 1.28 === * (T146496) action=history pages should return 404 HTTP error code if the page does not exist * (T137264) SECURITY: XSS in unclosed internal links * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks * (T133147) SECURITY: Require login to preview user CSS pages * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights() === Action API changes in 1.28 === * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains the value of $wgMaxArticleSize. * Property 'modulemessages' from action=parse&prop=modules was removed (deprecated since 1.26). * The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state. * Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead. * Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead. 
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator) instead of the pipe character. This will be useful if some of the multiple values need to contain pipes, e.g. for action=options. * The API will now warn if input is not NFC-normalized Unicode or if it contains invalid characters. * The 'normalized' list output by action=query and other modules that use ApiPageSet may contain entries where the 'from' value is percent-encoded as the raw value cannot be represented in a valid API response. These are indicated by a 'fromencoded' boolean alongside the existing 'from' parameter. * (T28680) action=paraminfo can now return info about all submodules of a module without listing them all explicitly. * (T146770) It is now possible to assert that the current user is a specific named user, using the 'assertuser' parameter. * (T141963) Added a 'known' property when missing-but-known titles (e.g. from the 'TitleIsAlwaysKnown' hook) are output in various modules. === Action API internal changes in 1.28 === * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with ApiParse and ApiExpandTemplates. 
* (T139565) SECURITY: API: Generate head items in the context of the given title * (T115333) SECURITY: Check read permission when loading page content in ApiParse * ApiBase::getResultData() was removed (deprecated since 1.25) * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25) * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25) * ApiBase::makeHelpMsg() was removed (deprecated since 1.25) * ApiFormatBase::formatHTML() was removed (deprecated since 1.25) * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25) * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25) * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25) * ApiFormatBase::setHelp() was removed (deprecated since 1.25) * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25) * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25) * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25) * ApiMain::setHelp() was removed (deprecated since 1.25) * ApiResult::beginContinuation() was removed (deprecated since 1.25) * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25) * ApiResult::convertStatusToArray() was removed (deprecated since 1.25) * ApiResult::disableSizeCheck() was removed (deprecated since 1.24) * ApiResult::enableSizeCheck() was removed (deprecated since 1.24) * ApiResult::endContinuation() was removed (deprecated since 1.25) * ApiResult::getData() was removed (deprecated since 1.25) * ApiResult::getIsRawMode() was removed (deprecated since 1.25) * ApiResult::setContent() was removed (deprecated since 1.25) * ApiResult::setContinueParam() was removed (deprecated since 1.25) * ApiResult::setElement() was removed (deprecated since 1.25) * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25) * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25) * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25) * 
ApiResult::setMainForContinuation() was removed (deprecated since 1.25) * ApiResult::setParsedLimit() was removed (deprecated since 1.25) * ApiResult::setRawMode() was removed (deprecated since 1.25) * ApiResult::size() was removed (deprecated since 1.25) * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. A query module can enable these hooks by passing an array for $hookData to ApiQueryBase::select() and by calling ApiQueryBase->processRow() before adding a row's data to the result. === Languages updated in 1.28 === MediaWiki supports over 375 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru, BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라. * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha, Saiddzone Saimawnkham, Saosukham, and Sengwan. * Czech (cs) and Slovak (sk) set as reciprocal fallbacks. * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos. === Other changes in 1.28 === * (T128697) Improved handling of large diffs. * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can use or update a custom session provider if needed. * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent. * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead. * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25). * The 'UserLoginComplete' hook has a new parameter to differentiate between actual login and visiting the login page while already logged in. * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24). * $.fn.liveAndTestAtStart was removed (deprecated since 1.24). 
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24). * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24). * Linker::link() and Linker::linkKnown() were deprecated; please instead use MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd respectively. See docs/hooks.txt for the specific changes needed for those hooks. * Linker::formatSize() was deprecated. Use Language::formatSize() directly. * Aliases for Linker methods, deprecated since 1.21, were removed from Skin: * Skin::commentBlock() (use Linker::commentBlock() instead) * Skin::generateRollback() (use Linker::generateRollback() instead) * Skin::link() (use MediaWiki\Linker\LinkRenderer instead) * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead) * Skin::userLink() (use Linker::userLink() instead) * Skin::userToolLinks() (use Linker::userToolLinks() instead) * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is disabled. * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21). * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated. Use ...->stashFile()->getFileKey() instead. * "Public domain" was removed as a wiki license option from the installer, in favour of CC-0. * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests. * OOjs UI PHP widgets constructed with the `'infusable' => true` config option will no longer be automatically infused. You should call `OO.ui.infuse()` on them yourself from your JavaScript code. * parserTests.php has moved to tests/parser/parserTests.php * The command line options specific to parser tests have been removed from phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter. 
Instead of --keep-uploads, use the same option to parserTests.php, but you must specify a directory with --upload-dir. * The 'jquery.arrowSteps' ResourceLoader module is now deprecated. * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should migrate to using the same functions on a ProxyLookup instance, obtainable from MediaWikiServices. * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation warnings if used. * (T68404) CSS3 attr() function with url type is no longer allowed in inline styles. * Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass instead. == Compatibility == MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later. MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server. The supported versions are: * MySQL 5.0.3 or later * PostgreSQL 8.3 or later * SQLite 3.3.7 or later * Oracle 9.0.1 or later * Microsoft SQL Server 2005 (9.00.1399) == Upgrading == 1.28 has several database changes since 1.27, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site). If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes. If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data. If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. 
The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21. Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions. For notes on 1.27.x and older releases, see HISTORY. == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.freenode.net. |
||
taca
|
5f84ee3fc6 | Drop "55" (php55) from PHP_VERSIONS_ACCEPTED. | ||
wen
|
99466c8d2c |
Update to 1.27.1
Upstream changes:
MediaWiki 1.27.1
This is a security and maintenance release of the MediaWiki 1.27 branch.
Changes since 1.27.0
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
* (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights() |
||
wen
|
d76724d6fe |
Update to 1.27.0
Update DEPENDS Upstream changelog is too long, please visit: https://www.mediawiki.org/wiki/Release_notes/1.27 |
||
wen
|
0dfe1ff9b3 |
Update to 1.26.3
Upstream changes:
MediaWiki 1.26.3
This is a maintenance release of the MediaWiki 1.26 branch.
Changes since 1.26.2
* (bug T116266) Fixed undefined property notices in DairikiDiff under HHVM.
* (bug T123166) Fix fatal error when importing pages to titles which cannot be created, such as invalid titles or titles the user is not allowed to edit.
* (bug T122056) Old tokens are remaining valid within a new session
* (bug T127114) Login throttle can be tricked using non-canonicalized usernames
* (bug T123653) Cross-domain policy regexp is too narrow
* (bug T123071) Incorrectly identifying http link in a's href attributes, due to m modifier in regex
* (bug T129506) MediaWiki:Gadget-popups.js isn't renderable
* (bug T125283) Users occasionally logged in as different users after SessionManager deployment
* (bug T103239) Patrol allows click catching and patrolling of any page
* (bug T122807) [tracking] Check php crypto primitives
* (bug T98313) Graphs can leak tokens, leading to CSRF
* (bug T130947) Diff generation should use PoolCounter
* (bug T133507) Careless use of $wgExternalLinkTarget is insecure
* (bug T132874) API action=move is not rate limited
* (bug T110143) strip markers can be used to get around html attribute escaping in (bug many?) parser tags
* (bug T116030) Increase pbkdf2 parameter strengths
* (bug T127420) Pbkdf2Password does not check if hash_pbkdf2(bug ) succeeded
* (bug T126685) Globally throttle password attempts |
||
wen
|
cd6fd92f5a |
Update to 1.26.2
Upstream changes: MediaWiki 1.26.2 This is a maintenance release of the MediaWiki 1.26 branch. Changes since 1.26.1 (bug T121892) Various special pages resulted in fatal errors. |
||
wen
|
d8a7a974f9 |
Update to 1.26.1 (security update)
Upstream changes:
MediaWiki 1.26.1
This is a security and bug fix release of the MediaWiki 1.26 branch.
Changes since 1.26
* (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
* (bug T119309) SECURITY: Use hash_compare() for edit token comparison
* (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
* (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
* (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
* (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki
* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
* Fixed stray literal \n in Special:Search.
* Fix issue that breaks HHVM Repo Authoritative mode.
* (bug T120267) Work around APCu memory corruption bug |
||
taca
|
c4d7c37e80 |
Explicitly restrict PHP_VERSIONS_ACCEPTED to 55 and 56 for packages which
use php-mysql package. |
||
wen
|
3f75f86ffb |
Update to 1.26.0
Update DEPENDS Upstream changes: == MediaWiki 1.26 == === Configuration changes in 1.26 === * $wgPasswordResetRoutes['email'] = true by default. * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE instead if you want to disable the parser cache. * New-style continuation is now the default for API action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly. * Deprecated API formats dump and wddx have been completely removed. * (T7645) The "Signature" button on the edit toolbar is now hidden by default in non-talk namespaces. A new configuration variable, $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces the "Signature" button on the edit toolbar will be displayed. * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental feature that was never enabled by default. * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. This experimental feature was never enabled by default and is obsolete as of MediaWiki 1.26, in where ResourceLoader became fully asynchronous. * $wgMasterWaitTimeout was removed (deprecated in 1.24). * Fields in ParserOptions are now private. Use the accessors instead. * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or in extension.json) have been removed, after being deprecated in 1.24. * $wgAlwaysUseTidy has been removed. * ResetSessionID hook has been removed. Nothing seems to use it. * Certain AuthPlugin methods are deprecated in favor of new hooks: ** AuthPlugin::initUser() is replaced by LocalUserCreated. ** AuthPlugin::updateUser() is replaced by UserLoggedIn. ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings. ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged. ** AuthPluginUser::isHidden() is replaced by UserIsHidden. ** AuthPluginUser::isLocked() is replaced by UserIsLocked. 
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows blocked users to edit their talk pages unless explicitly disabled when they are being blocked.
=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page. See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated "tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of search results are rendered. The initial use case is to append a "give us feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to reject an otherwise-successful parser cache lookup. The intent is to allow extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies ($wgExtendedLoginCookieExpiration) can be configured independently of the expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading of WebP images still disabled by default. Add $wgFileExtensions[] = 'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' & 'EnhancedChangesListModifyBlockLineData', to modify the data used to build lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface. This corresponds to a new $wgMainWANCache setting, which defaults to using the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every page. During the deprecation period, the styles will only be loaded on pages which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will only be loaded if explicitly required.
* If search returns zero results and current search engine has a "did you mean" suggestion, results for suggestion will be shown. Can be disabled by setting $wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki from the client-side. See documentation for mw.Upload and its subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its subclasses for more information.
== extension.json changes in 1.26 ==
* (T99344) The extension.json schema is now versioned. All extensions and skins should set a "manifest_version" property corresponding to the schema version they were written for. The only supported version currently is "1".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged, which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings can now set a "_prefix" key to override the default of "wg".
* (T99084) Extensions can now specify what MediaWiki core versions they depend upon.
* (T105236) The extension.json schema now validates custom classes in the "ResourceModules" property properly.
=== External library changes in 1.26 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.
==== New external libraries ====
* Added composer/semver v1.0.0.
* Added mediawiki/at-ease v1.1.0.
* Added wikimedia/assert v0.2.2.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.
==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a "rel=discussion" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string.
=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than revision ID. This usually won't make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random's rnredirect parameter is deprecated in favor of a new rnfilterredir parameter that also allows for listing both redirects and non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers, and will honor corresponding If-None-Match and If-Modified-Since on such requests.
=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key into the value when the value is an assoc.
* API action modules may now provide values for the RFC 7232 ETag and Last-Modified headers. The API will check these against If-None-Match and If-Modified-Since request headers on GET requests and avoid executing the module when appropriate.
=== Languages updated in 1.26 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.
* Languages added:
** ase (American sign language), thanks to translator Icemandeaf
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, मेश सिंह बोहरा, and राम प्रसाद जोशी
** luz (لئری دوٙمینی / Southern Luri)
** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi, Ilja.mos, and Mashoi7
=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to ContentHandler, to provide a way for ApiEditPage and EditPage to check if direct editing of content is allowed. These methods return false, by default for the ContentHandler base class and true for TextContentHandler and its derivative classes (everything in core). For Content types that do not support direct editing, an alternative mechanism should be provided for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of one function. The callback can't be called directly any more. The callback function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to ResourceLoaderModule::getDependencies(). Extension classes that override that method should be updated. If they aren't updated, PHP Strict standards warnings will appear when E_STRICT error reporting is enabled. Note: in the near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25). ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of items that were stripped during parsing. It will use a fixed string instead. This causes the parser to re-use the regular expressions it uses to search and replace markers rather than generate novel expressions on each parse. Re-using regular expressions will improve performance on HHVM and the forthcoming PHP 7. The interfaces changes accompanying this change are:
  - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
  - The $uniq_prefix argument for Parser::extractTagsAndParams() and the $prefix argument for StripState::_construct() are deprecated and their value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, mediawiki/at-ease, and are now deprecated. Callers should use MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters instead of many optional positional arguments. Calling the constructor the old way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() are deprecated. Applications using those can work via the OAuth extension instead. New tokens types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.
== Compatibility ==
MediaWiki 1.26 requires PHP 5.3.3 or later. There is experimental support for HHVM 3.3.0.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.26 has several database changes since 1.25, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.25.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net. |
||
wen
|
a36a780a6f |
Update to 1.25.3
Upstream changes:
== Security fixes ==
* Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
  <https://phabricator.wikimedia.org/T91203>
  <https://phabricator.wikimedia.org/T91205>
* Internal review discovered that it is not possible to throttle file uploads.
  <https://phabricator.wikimedia.org/T91850>
* Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions.
  <https://phabricator.wikimedia.org/T95589>
* Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata.
  <https://phabricator.wikimedia.org/T108616>
== Bug Fixes in 1.25.3 ==
* Fix having multiple callbacks for a single hook.
  <https://phabricator.wikimedia.org/T98975>
* maintenance/refreshLinks.php did not always remove all links pointing to nonexistent pages.
  <https://phabricator.wikimedia.org/T107632>
* $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string.
  <https://phabricator.wikimedia.org/T104142>
* Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was causing an error when accessing the api help page if the mbstring PHP extension was not installed.
  <https://phabricator.wikimedia.org/T62174>
* Confirmation emails would sometimes contain invalid codes.
  <https://phabricator.wikimedia.org/T105896>
* Fixed edit stash inclusion queries.
  <https://phabricator.wikimedia.org/T105597> |
||
wen
|
51e8a514ff |
Update to 1.25.2
Upstream changes:
== Security fixes ==
* Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList.
  <https://phabricator.wikimedia.org/T106893>
* Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf.
  <https://phabricator.wikimedia.org/T94116>
* John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss.
  <https://phabricator.wikimedia.org/T97391>
Additionally, the following extensions have been updated to fix security issues:
* Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected xss vectors in SemanticForms. Further internal review discovered and fixed other reflected and stored xss vectors.
  <https://phabricator.wikimedia.org/T103391>
  <https://phabricator.wikimedia.org/T103765>
  <https://phabricator.wikimedia.org/T103761>
* Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal review discovered that the contrib directory for GeSHi was re-included in MediaWiki 1.25. Some scripts could potentially be used for DoS, and DAU Huy Ngoc discovered an xss vector. All contrib scripts have been removed.
  <https://phabricator.wikimedia.org/T108198>
* Extension:TimedMediaHandler - User:McZusatz reported that resetting transcodes deleted the transcode without creating a new one, which could be used for vandalism or potentially DoS.
  <https://phabricator.wikimedia.org/T100211>
* Extension:Quiz - Internal review discovered that Quiz did not properly escape regex metacharacters in a user controlled regular expression, enabling a DoS vector.
  <https://phabricator.wikimedia.org/T97083>
* Extension:Widgets - MediaWiki developer Majr reported a potential HTML injection (xss) vector.
  <https://phabricator.wikimedia.org/T88964>
== Bug Fixes in 1.25.2 ==
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when $wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has a "manifest_version" property for 1.26 compatibility will no longer trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly named variable. Add an additional check that an index is defined. |
||
wiz
|
2e65d464e8 |
Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending on such a package, for perl-5.22.0. |
||
wen
|
e129fefd0d |
Update to 1.25.1
Upstream changes:
== MediaWiki 1.25.1 ==
This is a bug fix release of the MediaWiki 1.25 branch.
== Changes since 1.25.1 ==
* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
== MediaWiki 1.25 ==
=== Configuration changes in 1.25 ===
* $wgPageShowWatchingUsers was removed.
* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
* $wgAntiLockFlags was removed.
* $wgJavaScriptTestConfig was removed.
* Edit tokens returned from User::getEditToken may change on every call. Token validity must be checked by passing the user-supplied token to User::matchEditToken rather than by testing for equality with a newly-generated token.
* (T74951) The UserGetLanguageObject hook may be passed any IContextSource for its $context parameter. Formerly it was documented as receiving a RequestContext specifically.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter. See StartProfiler.sample for details.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.
* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no longer be used. If extracts and page images are desired, the TextExtracts and PageImages extensions are required.
* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
* Edits are now prepared via AJAX as users type edit summaries. This behavior can be disabled via $wgAjaxEditStash.
* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along with the jQuery Migrate library, as indicated when this option was provided in MediaWiki 1.24.
* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any StartProfiler.php config is updated to reflect this. Xhprof is available for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary rather than 'rsvg'.
* Default value of $wgSVGConverters['ImageMagick'] now uses transparent background with white fallback color, rather than just white background.
* MediaWikiBagOStuff class removed, make sure any object cache config uses SqlBagOStuff instead.
* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis job queues. This means that mediawiki/services/jobrunner service has to be installed and running for any such queues to work.
* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some compatibility, any 'view' event triggers will still trigger on 'edit'.
* $wgExtensionDirectory was added for when your extensions directory is somewhere other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
=== New features in 1.25 ===
* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes for plural forms in Russian, Prussian, Tagalog, Manx and several languages that fall back to Russian.
* (T60139) ResourceLoaderFileModule now supports language fallback for 'languageScripts'.
* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the parser output for a content object before links update.
* (T37785) Enhanced recent changes and extended watchlist are now default. Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions.
* (T69341) SVG images will no longer be base64-encoded when being embedded in CSS. This results in slight size increase before gzip compression (due to percent-encoding), but up to 20% decrease after it.
* Update jStorage to v0.4.12.
* MediaWiki now natively supports page status indicators: icons (or short text snippets) usually displayed in the top-right corner of the page. They have been in use on Wikipedia for a long time, implemented using templates and CSS absolute positioning.
  - Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
  - Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
  - Adjusting custom skins to support indicators: https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
* Edit tokens may now be time-limited: passing a maximum age to User::matchEditToken will reject any older tokens.
* The debug logging internals have been overhauled, and are now using the PSR-3 interfaces.
* Update CSSJanus to v1.1.1.
* Update lessphp to v0.5.0.
* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts and images for ApiOpenSearch output. The semantics are identical to the "OpenSearchXml" hook provided by the OpenSearchXml extension.
* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit, this allows for pagination of prefix results. Extensions using this hook should implement supporting behavior. Not doing so can result in undefined behavior from API clients trying to continue through prefix results.
* Update jQuery from v1.11.1 to v1.11.3.
* External libraries installed via composer will now be displayed on Special:Version in their own section. Extensions or skins that are installed via composer will not be shown in this section as it is assumed they will add the proper credits to the skins or extensions section. They can also be accessed through the API via the new siprop=libraries to ApiQuerySiteInfo.
* Update QUnit from v1.14.0 to v1.16.0.
* Update Moment.js from v2.8.3 to v2.8.4.
* Special:Tags now allows for manipulating the list of user-modifiable change tags.
* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete', and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change tags.
* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and "active" formerly conflated by the 'ListDefinedTags' hook.
* Added TemplateParser class that provides a server-side interface to cachable dynamically-compiled Mustache templates (currently uses lightncandy library).
* Clickable anchors for each section heading in the content are now generated and appear in the gutter on hovering over the heading.
* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks to allow extensions to override how links to pages are rendered within NS_CATEGORY
* (T19665) Special:WantedPages only lists pages which have at least one red link pointing to them.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be used for conditional registration of API modules.
* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the links of a group of changes in EnhancedChangesList.
* A full interface for StatsD metric reporting has been added to the context interface, reachable via IContextSource::getStats().
* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a proper, published library, which is now tagged as v1.0.0.
* A new message (defaulting to blank), 'editnotice-notext', can be shown to users when they are editing if no edit notices apply to the page being edited.
* (T94536) You can now make the sitenotice appear to logged-in users only by editing MediaWiki:Anonnotice and replacing its content with "". Setting it to "-" (default) will continue to disable it and fall back to MediaWiki:Sitenotice.
* Modifying the tagging of a revision or log entry is now available via Special:EditTags, generally accessed via the revision-deletion-like interface on history pages and Special:Log is likely to be more useful.
* Added 'applychangetags' and 'changetags' user rights.
* (T35235) LogFormatter subclasses are now responsible for formatting the parameters for API log event output. Extensions should implement the new getParametersForApi() method in their log formatters.
==== External libraries ====
* MediaWiki now requires certain external libraries to be installed. In the past these were bundled inside the Git repository of MediaWiki core, but now they need to be installed separately. For users using the tarball, this will be taken care of and no action will be required. Users using Git will either need to use composer to fetch dependencies or use the mediawiki/vendor repository which includes all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed instructions can be found at: https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
* The following libraries are now required:
** psr/log
   This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/) which are used by MediaWiki internally via the MediaWiki\Logger\LoggerFactory class. See the structured logging RfC (https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging) for more background information.
** cssjanus/cssjanus
   This library was formerly bundled with MediaWiki core and has been removed. It automatically flips CSS for RTL support.
** leafo/lessphp
   This library was formerly bundled with MediaWiki core and has been removed. It compiles LESS files into CSS.
** wikimedia/cdb
   This library was formerly a part of MediaWiki core, and has been moved into a separate library. It provides CDB functions which are used in the Interwiki and Localization caches. More information about the library can be found at https://www.mediawiki.org/wiki/CDB.
** liuggio/statsd-php-client
   This library provides a StatsD client API for logging application metrics to a remote server.
=== Bug fixes in 1.25 ===
* (T73003) No additional code will be generated to try to load CSS-embedded SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
* (T69021) On Special:BookSources, corrected validation of ISBNs (both 10- and 13-digit forms) containing "X".
* Page moving was refactored into a MovePage class. As part of that:
** The AbortMove hook was removed.
** MovePageIsValidMove is for extensions to specify whether a page cannot be moved for technical reasons, and should not be overridden.
** MovePageCheckPermissions is for checking whether the given user is allowed to make the move.
** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
** Title::moveTo() was deprecated. Use the MovePage class instead.
** Title::isValidMoveOperation() broken down into MovePage::isValidMove() and MovePage::checkPermissions().
* (T18530) Multiple autocomments are now formatted in an edit summary.
* (T70361) Autocomments containing "/*" are parsed correctly.
* The Special:WhatLinksHere page linked from 'Number of redirects to this page' on action=info about a file page does not list file links anymore.
* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
* (T85192) Captcha position modified in Usercreate template. As a result:
** extrafields parameter added to Usercreate.php to insert additional data
** 'extend' method added to QuickTemplate to append additional values to any field of data array
* (T86974) Several Title methods now load from the database when necessary (instead of returning incorrect results) even when the page ID is known.
* (T74070) Duplicate search for archived files on file upload now omits the extension. This requires the fa_sha1 field being populated.
* Removed rel="archives" from the "View history" link, as it did not pass HTML validation.
* $wgUseTidy is now set when parserTests are run with the tidy option to match output on wiki.
* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
=== Action API changes in 1.25 ===
* (T67403) XML tag highlighting is now only performed for formats "xmlfm" and "wddxfm".
* action=paraminfo supports generalized submodules (modules=query+value), querymodules and formatmodules are deprecated
* action=paraminfo no longer outputs descriptions and other help text by default. If needed, it may be requested using the new 'helpformat' parameter.
* action=help has been completely rewritten, and outputs help in HTML rather than plain text.
* Hitting api.php without specifying an action now displays only the help for the main module, with links to submodule help.
* API help is no longer displayed on errors.
* 'uselang' is now a recognized API parameter; "uselang=user" may be used to explicitly select the language from the current user's preferences, and "uselang=content" may be used to select the wiki's content language.
* Default output format for the API is now jsonfm.
* Simplified continuation will return a "batchcomplete" property in the result when a batch of pages is complete.
* Pretty-printed HTML output now has nicer formatting and (if available) better syntax highlighting.
* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and list=alldeletedrevisions.
* prop=revisions will gracefully continue when given too many revids or titles, rather than just ignoring the extras.
* prop=revisions will no longer die if rvcontentformat doesn't match a revision's content model; it will instead warn and omit the content.
* If the user has the 'deletedhistory' right, action=query's revids parameter will now recognize deleted revids.
* prop=revisions may be used as a generator, generating revids.
* (T68776) format=json results will no longer be corrupted when $wgMangleFlashPolicy is in effect. format=php results will cleanly return an error instead of returning invalid serialized data.
* Generators may now return data for the generated pages when used with action=query.
* Query page data for generator=search and generator=prefixsearch will now include an "index" field, which may be used by the client for sorting the search results.
* ApiOpenSearch now supports XML output.
* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3 in JSON format.
* (T76051) list=tags will now continue correctly.
* (T76052) list=tags can now indicate whether a tag is defined.
* (T75522) list=prefixsearch now supports continuation
* (T78737) action=expandtemplates can now return page properties.
* (T78690) list=allimages now accepts multiple pipe-separated values for the 'aimime' parameter.
* prop=info with inprop=protections will now return applicable protection types with the 'restrictiontypes' key.
* (T85417) When resolving redirects, ApiPageSet will now add the targets of interwiki redirects to the list of interwiki titles.
* (T85417) When outputting the list of redirect titles, a 'tointerwiki' property (like the existing 'tofragment' property) will be set.
* Added action=managetags to allow for managing the list of user-modifiable change tags. Actually modifying the tagging of a revision or log entry is not implemented yet.
* list=tags has additional properties to indicate 'active' status and tag sources.
* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
* (T88010) Added action=checktoken, to test a CSRF token's validity.
* (T88010) Added intestactions to prop=info, to allow querying of Title::userCan() via the API.
* Default type param for query list=watchlist and list=recentchanges has been changed from all types (e.g. including 'external') to 'edit|new|log'.
* Added formatversion to format=json. Still "experimental" as further changes to the output formatting might still be made.
* (T73020) Log event details are now always under a 'params' subkey for list=logevents, and a 'logparams' subkey for list=watchlist and list=recentchanges.
* Log event details are changing formatting: * block events now report flags as an array rather than as a comma-separated list. * patrol events now report the 'auto' flag as a boolean (absent/empty string for BC formats) rather than as an integer. * rights events now report the old and new group lists as arrays rather than as comma-separated lists. * merge events use new-style formatting. * delete/event and delete/revision events use new-style formatting. * The root node and various other nodes will now always be an object in formats such as json that distinguish between arrays and objects. * Except for action=opensearch where the spec requires an array. === Action API internal changes in 1.25 === * ApiHelp has been rewritten to support i18n and paginated HTML output. Most existing modules should continue working without changes, but should do the following: * Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription(). * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter to replace getParamDescription(). If necessary, the settings array returned by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the message. * Implement getExamplesMessages() to replace getExamples(). * Modules with submodules (like action=query) must have their submodules override ApiBase::getParent() to return the correct parent object. * The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated, and will have no effect for modules using i18n messages. Use 'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead. * Api formatters will no longer be asked to display the help screen on errors. * ApiMain::getCredits() was removed. The credits are available in the 'api-credits' i18n message. * ApiFormatBase has been changed to support i18n and syntax highlighting via extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting has been removed. * ApiFormatBase now always buffers. 
Output is done when ApiFormatBase::closePrinter is called. * Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase. * The 'revids' parameter supplied by ApiPageSet will now count deleted revisions as "good" if the user has the 'deletedhistory' right. New methods ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are provided to access just the live or just the deleted revids. * Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData() to allow generators to include data in the action=query result. * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be used for conditional registration of API modules. * Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if the current request was sent with the 'callback' parameter (or any future method that breaks the same-origin policy). * Profiling methods in ApiBase are deprecated and no longer need to be called. * ApiResult was greatly overhauled. See inline documentation for details. * ApiResult will automatically convert objects to strings or arrays (depending on whether a __toString() method exists on the object), and will refuse to add unsupported value types. * An informal interface, ApiSerializable, exists to override the default object conversion. * ApiResult/ApiFormatBase "raw mode" is deprecated. * ApiFormatXml now assumes defaults and so on instead of throwing errors when metadata isn't set. * (T35235) LogFormatter subclasses are now responsible for formatting log event parameters for the API. * Many modules have changed result data formats. While this shouldn't affect clients not using the experimental formatversion=2, code using ApiResult::getResultData() without the transformations for backwards compatibility may need updating, as will code that wasn't following the old conventions for API boolean output. 
* The following methods have been deprecated and may be removed in a future release: * ApiBase::getDescription * ApiBase::getParamDescription * ApiBase::getExamples * ApiBase::makeHelpMsg * ApiBase::makeHelpArrayToString * ApiBase::makeHelpMsgParameters * ApiBase::getModuleProfileName * ApiBase::profileIn * ApiBase::profileOut * ApiBase::safeProfileOut * ApiBase::getProfileTime * ApiBase::profileDBIn * ApiBase::profileDBOut * ApiBase::getProfileDBTime * ApiBase::getResultData * ApiFormatBase::setUnescapeAmps * ApiFormatBase::getWantsHelp * ApiFormatBase::setHelp * ApiFormatBase::formatHTML * ApiFormatBase::setBufferResult * ApiFormatBase::getDescription * ApiFormatBase::getNeedsRawData * ApiMain::setHelp * ApiMain::reallyMakeHelpMsg * ApiMain::makeHelpMsgHeader * ApiResult::setRawMode * ApiResult::getIsRawMode * ApiResult::getData * ApiResult::setElement * ApiResult::setContent * ApiResult::setIndexedTagName_recursive * ApiResult::setIndexedTagName_internal * ApiResult::setParsedLimit * ApiResult::beginContinuation * ApiResult::setContinueParam * ApiResult::setGeneratorContinueParam * ApiResult::endContinuation * ApiResult::size * ApiResult::convertStatusToArray * ApiQueryImageInfo::getPropertyDescriptions * ApiQueryLogEvents::addLogParams * The following classes have been deprecated and may be removed in a future release: * ApiQueryDeletedrevs === Languages updated in 1.25 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports. * Languages added: ** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey; ** bgn (بلوچی رخشانی / Western Balochi), thanks to translators Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali; ** ses (Koyraboro Senni), thanks to translator Songhay. * (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's interface language to kk where unexpected. 
* The Chinese conversion table was substantially updated to fix a lot of bugs and ensure better reading experience for different variants. === Other changes in 1.25 === * (T45591) Links to MediaWiki.org translatable help were added to indicators, mostly in special pages. Local custom target titles can be placed in the relevant '(namespace-X|action name|special page name)-helppage' system message. Extensions can use the addHelpLink() function to do the same. * The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for migration guide for creators and users of custom skins that relied on it. * Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only available on Special:Upload. * (T58257) Set site logo from mediawiki.skinning.interface module instead of inline styles in the HTML. * Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20) * Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20) * Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20) * Removed Preferences::trySetUserEmail(). (deprecated since 1.20) * Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20) * Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated since 1.20) * Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated since 1.20) * Removed 'jquery.json' module. (deprecated since 1.24) Use the 'json' module and global JSON object instead. * Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited(). Also, the former will now throw an MWException if called with one or more arguments. * Removed hitcounters and associated code. * The "temp" zone of the upload repository is now considered private. If it already exists (such as under the images/ directory), please make sure that the directory is not web readable (e.g. via a .htaccess file). 
* BREAKING CHANGE: In the XML dump format used by Special:Export and dumpBackup.php, the <model> and <format> tags now appear before the <text> tag, instead of after the <text> and <sha1> tags. The new schema version is 0.10, the new schema URI is: https://www.mediawiki.org/xml/export-0.10.xsd * MWFunction::call() and MWFunction::callArray() were removed, having been deprecated in 1.22. * Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj, and getInternalLinkAttributes methods in Linker, and removed getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18. * Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore. * Added wgRelevantArticleId to the client-side config, for use on special pages. * Deprecated the TitleIsCssOrJsPage hook. Superseded by the ContentHandlerDefaultModelFor hook since MediaWiki 1.21. * Deprecated the TitleIsWikitextPage hook. Superseded by the ContentHandlerDefaultModelFor hook since MediaWiki 1.21. * Changed parsing of variables in schema (.sql) files: ** The substituted values are no longer parsed. (Formerly, several passes were made for each variable, so depending on the order in which variables were defined, variables might have been found inside encoded values. This is no longer the case.) ** Variables are no longer string encoded when the /*$var*/ syntax is used. If string encoding is necessary, use the '{$var}' syntax instead. ** Variable names must only consist of one or more of the characters "A-Za-z0-9_". ** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A does not exist yet variable B does, the latter may not be replaced. However, this difference is unlikely to arise in practice. * (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word characters on both sides. * The FormatAutocomments hook will now receive $pre and $post as booleans, rather than as strings that must be prepended or appended to $comment. 
* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain newlines; but they can contain and other non-newline whitespace. * The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you relied on this behavior, update your scripts' dependencies. * HTMLForm's 'vform' display style has been separated to a subclass. Therefore: * HTMLForm::isVForm() is now deprecated. * You can no longer do this: $form = new HTMLForm( … ); $form->setDisplayFormat( 'vform' ); // throws exception Instead, do this: $form = HTMLForm::factory( 'vform', … ); * Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment(). * BREAKING CHANGE: mediawiki.user.generateRandomSessionId: The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F * (T87504) Avoid serving SVG background-images in CSS for Opera 12, which renders them incorrectly when combined with border-radius or background-size. * Removed maintenance script dumpSisterSites.php. * DatabaseBase class constructors must be called using the array argument style. Ideally, DatabaseBase:factory() should be used instead in most cases. * Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates. This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26, since they interfere with caching of ParserOutput objects. * Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates. * Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform updates when a page is re-rendered. * EditPage::attemptSave has been modified not to call handleStatus itself and instead just returns the Status object. Extension calling it should be aware of this. * Removed class DBObject. (unused since 1.10) * wfDiff() is deprecated. 
* The -m (maximum replication lag) option of refreshLinks.php was removed. It had no effect since MediaWiki 1.18 and should be removed from any cron jobs or similar scripts you may have set up. * (T85864) The following messages no longer support raw html: redirectto, thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others, retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode, protect-summary-cascade * All BloomCache related code has been removed. This was largely experimental. * $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They can only be set for the entire skin. * Removed global function swap(). (deprecated since 1.24) * Deprecated the ".php5" file extension entry points and the $wgScriptExtension configuration variable. Refer to the ".php" files instead. If you want ".php5" URLs to continue to work, set up redirects. In Apache, this can be done by enabling mod_rewrite and adding the following rules to your configuration: RewriteEngine On RewriteBase / RewriteRule ^(.*)\.php5 $1.php [R=301,L] * The global importScriptURI and importStylesheetURI functions, as well as the loadedScripts object, from wikibits.js (deprecated since 1.17) now emit warnings through mw.log.warn when accessed. == Compatibility == MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for HHVM 3.3.0. MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server. The supported versions are: * MySQL 5.0.3 or later * PostgreSQL 8.3 or later * SQLite 3.3.7 or later * Oracle 9.0.1 or later * Microsoft SQL Server 2005 (9.00.1399) == Upgrading == 1.25 has several database changes since 1.24, and will not work without schema updates. 
Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site). If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes. If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data. If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21. Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions. For notes on 1.24.x and older releases, see HISTORY. == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.freenode.net. |
||
wen
|
49355a3707 |
Update to 1.24.2
Upstream changes: MediaWiki 1.24.2 This is a security and maintenance release of the MediaWiki 1.24 branch. Changes since 1.24.1 (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS. (bug T88310) SECURITY: Always expand xml entities when checking SVG's. (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview. (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2. (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy. Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false. (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL. (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix. |
||
wen
|
bebe5be3d5 |
Update to 1.24.1 (security update)
Upstream changes: MediaWiki 1.24.1 This is a security and maintenance release of the MediaWiki 1.24 branch. Changes since 1.24.0 (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this. (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name. (bug T74222) The original patch for T74222 was reverted as unnecessary. Fixed a couple of entries in RELEASE-NOTES-1.24. (bug T76168) OutputPage: Add accessors for some protected properties. (bug T74834) Make 1.24 branch directly installable under PostgreSQL. |
||
wen
|
3d63cd3083 |
Update to 1.24.0
Upstream changelog is too long, please visit: https://git.wikimedia.org/blob/mediawiki%2Fcore.git/1.24.0/RELEASE-NOTES-1.24 |
||
wen
|
8215acfcff |
Update to 1.23.6
Upstream changes: == Bugfixes in 1.23.6 == * (Bug 67440) Allow classes to be registered properly from installer * (Bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header |
||
wiz
|
cda18437be | Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles. | ||
wen
|
1359bab0c5 |
Update to 1.23.5
Upstream changes: MediaWiki 1.23.5 This is a security release of the MediaWiki 1.23 branch. Changes since 1.23.4 (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance. |
||
wen
|
67b0790fa1 |
Update to 1.23.4 (security update)
Upstream changes: MediaWiki 1.23.4 This is a security and maintenance release of the MediaWiki 1.23 branch. Changes since 1.23.3 (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs. (bug 65998) Make MySQLi work with non-standard socket. (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config settings. |
||
wen
|
6f0993628f |
Update to 1.23.3
Upstream changelog is too long, please visit: https://www.mediawiki.org/wiki/Release_notes/1.23 |
||
wen
|
7604787fd6 |
Update to 1.22.9
Upstream changes: MediaWiki 1.22.9 This is a security and maintenance release of the MediaWiki 1.22 branch. Changes since 1.22.8 (bug 68187) SECURITY: Prepend jsonp callback with comment. (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked. (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput. (bug 59147) The img_metadata field was not being decoded from bytea into text. |
||
wen
|
c961cf7b3c |
Update to 1.22.8
This is a security update and approved by wiz@. Upstream changes: Changes since 1.22.7 (bug 65839) SECURITY: Prevent external resources in SVG files. (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all. |
||
wen
|
c6d69590a4 |
Update to 1.22.7
Upstream changes: 1.22.7 == Security == * (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset. == Bugfixes in 1.22.7 == * (bug 36356) Add space between two feed links. * (bug 63269) Email notifications were not correctly handling the [[MediaWiki:Helppage]] message being set to a full URL. This is a regression from the 1.22.5 point release, which made the default value for it a URL. If you customized [[MediaWiki:Enotif body]] (the text of email notifications), you'll need to edit it locally to include the URL via the new variable $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise you don't have to do anything. * Add missing uploadstash.us_props for PostgreSQL. * (bug 56047) Fixed stream wrapper in PhpHttpRequest. |
||
wiz
|
7eeb51b534 |
Bump for perl-5.20.0.
Do it for all packages that * mention perl, or * have a directory name starting with p5-*, or * depend on a package starting with p5- like last time, for 5.18, where this didn't lead to complaints. Let me know if you have any this time. |
||
wen
|
71e35f1aac |
Update to 1.22.6
Upstream changes: MediaWiki 1.22.6 This is a security release of the MediaWiki 1.22 branch. Changes since 1.22.5 (bug 63251) SECURITY: Escape sortKey in pageInfo. MediaWiki 1.22.5 This is a security and maintenance release of the MediaWiki 1.22 branch. Changes since 1.22.4 (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword. (bug 62467) Set a title for the context during import on the cli. Fix custom local MediaWiki:Helppage values. mediawiki.js: Fix documentation breakage. (bug 58153) Make MySQLi work with non standard port. (bug 53887) Reintroduced a link to help pages in the default sidebar, that any sysop can customize by editing MediaWiki:Sidebar locally. The link now points to a mediawiki.org page which is guaranteed to exist. Nothing needs to be done on your end, but remember to adjust MediaWiki:Sidebar for the needs of your wikis. Everyone can help with the shared documentation by translating: https://www.mediawiki.org/wiki/Special:Translate/agg-Help_pages . (bug 53888) Corrected a regression in 1.22 which introduced red links on the login page. If you previously installed 1.22.x and have created a local page to make the red link blue, write its title as in MediaWiki:helplogin-url if you didn't already. Otherwise, you don't need to do anything, but you can translate the help page at https://www.mediawiki.org/wiki/Help:Logging_in |
||
wen
|
d856f23124 |
Update to 1.22.4
Add missing DEPENDS Upstream changelog is too long, please visit: https://www.mediawiki.org/wiki/Release_notes/1.22 |
||
wen
|
df930e627b |
Update to 1.21.5
Upstream changes: Changes since 1.21.4 (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats |
||
wen
|
5037f20b39 |
Update to 1.21.4
Upstream changes: Changes since 1.21.3 (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks (bug 58472) SECURITY: Disallow -o-link in styles (bug 58553) SECURITY: Return error on invalid XML for SVG Uploads (bug 58699) SECURITY: Fix RevDel log entry information leaks |
||
wen
|
f61bce0627 |
Update to 1.21.3
Upstream changes: Changes since 1.21.2 (bug 53032) SECURITY: Don't cache when a call could autocreate (bug 55332) SECURITY: Improve css javascript detection (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload Fix comma errors in various js files Translations |
||
wen
|
60f47ae8ee |
Update to 1.21.2
Upstream changes: Changes since 1.21.1 SECURITY: Fix extension detection with 2 .'s SECURITY: Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed. SECURITY: Sanitize ResourceLoader exception messages Purge upstream caches when deleting file assets. Unit test suite now runs the AutoLoader tests. Also fixed the autoloading entry for the PageORMTableForTesting class though it had no impact. |
||
wen
|
d859e5136f |
Update to 1.21.1
(Upstream changelog is too long, please visit: https://www.mediawiki.org/wiki/Release_notes/1.21) Add missing DEPENDS |
||
wiz
|
d2ca14a3f1 |
Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints. |
||
wen
|
2cd0df836b |
Update to 1.20.6
Upstream changes: MediaWiki 1.20.6 This is a security and maintenance release of the MediaWiki 1.20 branch. Changes since 1.20.5 (bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process. (bug 44327) mediawiki.user: Use session ID instead of 1-year cross-session cookies (bug 47202) wikibits: FF2Fixes.css should not be loaded in Firefox 20. (bug 31044) Make ResourceLoader behave in read-only mode |
||
wen
|
3baf208f14 |
Update to 1.20.5
Upstream changes: MediaWiki 1.20.5 This is a security and maintenance release of the MediaWiki 1.20 branch. Changes since 1.20.4 (bug 46590) Add hook AbortChangePassword to Special:ChangePassword (bug 47304) SECURITY: Check SVG xml encoding against whitelist Localisation updates from http://translatewiki.net. mwdocgen.php: Implement --version option. Remove svnstat stuff used in Doxygen generation (bug 43594) Correctly suppress warnings that were missed after the upstream PHP change to E_STRICT being included in E_ALL. jshint: Allow global mw to be set in mediawiki.js |
||
wen
|
37728ec7f9 |
Update to 1.20.4
Changes since 1.20.3 (bug 47251) SECURITY: Disable external entities in Import (bug 46859) SECURITY: Disable external entities in XMLReader (bug 46084) SECURITY: Sanitize $limitReport before outputting |
||
obache
|
778bed8bfb | Bump PKGREVISION from default PHP version change to 5.4. | ||
wen
|
3ba3577dbc |
Update to 1.20.3
Upstream changes: MediaWiki 1.20.3 This is a security and maintenance release of the MediaWiki 1.20 branch. Changes since 1.20.2 New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.) (bug 44010) Context is passed to UserGetLanguageObject. The recursion guard on RequestContext::getLanguage() was weakened. (bug 40585) Don't drop 'step="any"' in HTML input fields. (bug 44024) Fixed problems in ObjectCache when using XCache. (bug 44010) FauxRequest leaked cookie data from primary request. (bug 44135/bug 42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST (bug 43518) API action=unblock should return the user name, not the full user object (Bug 45355) Prevent read of arbitrary files through mwdoc-filter.php |