Changelog:
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs (bug 1067470)
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7 (Bug 1165732)
Changelog:
WordPress 4.2.2 Security and Maintenance Release
Posted May 7, 2015 by Samuel Sidler. Filed under Releases, Security.
WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
Thanks to everyone who contributed to 4.2.2:
Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.
rdPress.org
Showcase
Themes
Plugins
Mobile
Support
Get Involved
About
Blog
Hosting
Download WordPress
WordPress 4.2.2 Security and Maintenance Release
Posted May 7, 2015 by Samuel Sidler. Filed under Releases, Security.
WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
Thanks to everyone who contributed to 4.2.2:
Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.
Share this:
WordPress 4.2.1 Security Release
Posted April 27, 2015 by Gary Pendergast. Filed under Releases, Security.
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.
WordPress 4.2
An easier way to share content
Extended character support
Switch themes in the Customizer
Even more embeds
Streamlined plugin updates
Under the Hood
utf8mb4 support
Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.
JavaScript accessibility
You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.
Shared term splitting
Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.
Complex query ordering
WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.
What's new in Tornado 4.2
=========================
May 26, 2015
------------
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
by default.
* Certificate validation will now use the system CA root certificates instead
of ``certifi`` when possible (i.e. Python 2.7.9+ or 3.4+). This includes
`.IOStream` and ``simple_httpclient``, but not ``curl_httpclient``.
* The default SSL configuration has become stricter, using
`ssl.create_default_context` where available on the client side.
(On the server side, applications are encouraged to migrate from the
``ssl_options`` dict-based API to pass an `ssl.SSLContext` instead).
* The deprecated classes in the `tornado.auth` module, ``GoogleMixin``,
``FacebookMixin``, and ``FriendFeedMixin`` have been removed.
New modules: `tornado.locks` and `tornado.queues`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These modules provide classes for coordinating coroutines, merged from
`Toro <http://toro.readthedocs.org>`_.
To port your code from Toro's queues to Tornado 4.2, import `.Queue`,
`.PriorityQueue`, or `.LifoQueue` from `tornado.queues` instead of from
``toro``.
Use `.Queue` instead of Toro's ``JoinableQueue``. In Tornado the methods
`~.Queue.join` and `~.Queue.task_done` are available on all queues, not on a
special ``JoinableQueue``.
Tornado queues raise exceptions specific to Tornado instead of reusing
exceptions from the Python standard library.
Therefore instead of catching the standard `queue.Empty` exception from
`.Queue.get_nowait`, catch the special `tornado.queues.QueueEmpty` exception,
and instead of catching the standard `queue.Full` from `.Queue.get_nowait`,
catch `tornado.queues.QueueFull`.
To port from Toro's locks to Tornado 4.2, import `.Condition`, `.Event`,
`.Semaphore`, `.BoundedSemaphore`, or `.Lock` from `tornado.locks`
instead of from ``toro``.
Toro's ``Semaphore.wait`` allowed a coroutine to wait for the semaphore to
be unlocked *without* acquiring it. This encouraged unorthodox patterns; in
Tornado, just use `~.Semaphore.acquire`.
Toro's ``Event.wait`` raised a ``Timeout`` exception after a timeout. In
Tornado, `.Event.wait` raises `tornado.gen.TimeoutError`.
Toro's ``Condition.wait`` also raised ``Timeout``, but in Tornado, the `.Future`
returned by `.Condition.wait` resolves to False after a timeout::
@gen.coroutine
def await_notification():
if not (yield condition.wait(timeout=timedelta(seconds=1))):
print('timed out')
else:
print('condition is true')
In lock and queue methods, wherever Toro accepted ``deadline`` as a keyword
argument, Tornado names the argument ``timeout`` instead.
Toro's ``AsyncResult`` is not merged into Tornado, nor its exceptions
``NotReady`` and ``AlreadySet``. Use a `.Future` instead. If you wrote code like
this::
from tornado import gen
import toro
result = toro.AsyncResult()
@gen.coroutine
def setter():
result.set(1)
@gen.coroutine
def getter():
value = yield result.get()
print(value) # Prints "1".
Then the Tornado equivalent is::
from tornado import gen
from tornado.concurrent import Future
result = Future()
@gen.coroutine
def setter():
result.set_result(1)
@gen.coroutine
def getter():
value = yield result
print(value) # Prints "1".
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
* Improved compatibility with Windows.
* Fixed a bug in Python 3 if a module was imported during a reload check.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* `.run_on_executor` now accepts arguments to control which attributes
it uses to find the `.IOLoop` and executor.
`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~
* Fixed a bug that would cause the client to stop processing requests
if an exception occurred in certain places while there is a queue.
`tornado.escape`
~~~~~~~~~~~~~~~~
* `.xhtml_escape` now supports numeric character references in hex
format (`` ``)
`tornado.gen`
~~~~~~~~~~~~~
* `.WaitIterator` no longer uses weak references, which fixes several
garbage-collection-related bugs.
* `tornado.gen.Multi` and `tornado.gen.multi_future` (which are used when
yielding a list or dict in a coroutine) now log any exceptions after the
first if more than one `.Future` fails (previously they would be logged
when the `.Future` was garbage-collected, but this is more reliable).
Both have a new keyword argument ``quiet_exceptions`` to suppress
logging of certain exception types; to use this argument you must
call ``Multi`` or ``multi_future`` directly instead of simply yielding
a list.
* `.multi_future` now works when given multiple copies of the same `.Future`.
* On Python 3, catching an exception in a coroutine no longer leads to
leaks via ``Exception.__context__``.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* The ``raise_error`` argument now works correctly with the synchronous
`.HTTPClient`.
* The synchronous `.HTTPClient` no longer interferes with `.IOLoop.current()`.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` is now a subclass of `tornado.util.Configurable`.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* `.HTTPHeaders` can now be copied with `copy.copy` and `copy.deepcopy`.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* The `.IOLoop` constructor now has a ``make_current`` keyword argument
to control whether the new `.IOLoop` becomes `.IOLoop.current()`.
* Third-party implementations of `.IOLoop` should accept ``**kwargs``
in their `~.IOLoop.initialize` methods and pass them to the superclass
implementation.
* `.PeriodicCallback` is now more efficient when the clock jumps forward
by a large amount.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
by default.
* New method `.SSLIOStream.wait_for_handshake` allows server-side applications
to wait for the handshake to complete in order to verify client certificates
or use NPN/ALPN.
* The `.Future` returned by ``SSLIOStream.connect`` now resolves after the
handshake is complete instead of as soon as the TCP connection is
established.
* Reduced logging of SSL errors.
* `.BaseIOStream.read_until_close` now works correctly when a
``streaming_callback`` is given but ``callback`` is None (i.e. when
it returns a `.Future`)
`tornado.locale`
~~~~~~~~~~~~~~~~
* New method `.GettextLocale.pgettext` allows additional context to be
supplied for gettext translations.
`tornado.log`
~~~~~~~~~~~~~
* `.define_logging_options` now works correctly when given a non-default
``options`` object.
`tornado.process`
~~~~~~~~~~~~~~~~~
* New method `.Subprocess.wait_for_exit` is a coroutine-friendly
version of `.Subprocess.set_exit_callback`.
`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Improved performance on Python 3 by reusing a single `ssl.SSLContext`.
* New constructor argument ``max_body_size`` controls the maximum response
size the client is willing to accept. It may be bigger than
``max_buffer_size`` if ``streaming_callback`` is used.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
* `.TCPServer.handle_stream` may be a coroutine (so that any exceptions
it raises will be logged).
`tornado.util`
~~~~~~~~~~~~~~
* `.import_object` now supports unicode strings on Python 2.
* `.Configurable.initialize` now supports positional arguments.
`tornado.web`
~~~~~~~~~~~~~
* Key versioning support for cookie signing. ``cookie_secret`` application
setting can now contain a dict of valid keys with version as key. The
current signing key then must be specified via ``key_version`` setting.
* Parsing of the ``If-None-Match`` header now follows the RFC and supports
weak validators.
* Passing ``secure=False`` or ``httponly=False`` to
`.RequestHandler.set_cookie` now works as expected (previously only the
presence of the argument was considered and its value was ignored).
* `.RequestHandler.get_arguments` now requires that its ``strip`` argument
be of type bool. This helps prevent errors caused by the slightly dissimilar
interfaces between the singular and plural methods.
* Errors raised in ``_handle_request_exception`` are now logged more reliably.
* `.RequestHandler.redirect` now works correctly when called from a handler
whose path begins with two slashes.
* Passing messages containing ``%`` characters to `tornado.web.HTTPError`
no longer causes broken error messages.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* The ``on_close`` method will no longer be called more than once.
* When the other side closes a connection, we now echo the received close
code back instead of sending an empty close frame.
4.20 2015-05-29
[ RELEASE NOTES ]
- CGI.pm is now considered "done". See also "mature" and "legacy"
Features requests and none critical issues will be outright rejected.
The module is now in maintenance mode for critical issues only.
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
- This optimisation is no longer relevant and makes the code difficult to
deal with as well as making test coverage metrics incorrect. Benchmarks
show that advantages of AUTOLOAD / lazy loading / deferred compile are
less than 0.05s, which will be dwarfed by just about any meaningful code
in a cgi script. If this is an issue for you then you should look at
running CGI.pm in a persistent environment (FCGI, etc)
- To offset some of the time added by removing the AUTOLOAD functionality
the dependencies have been made runtime rather than compile time. The
POD has also been split into its own file. CGI.pm now contains around
4000 lines of code, which compared to some modules on CPAN isn't really
that much
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typo's in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it throughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
- References: GH #162, GH #137, GH #164
[ SPEC / BUG FIXES ]
- make the list context warning in param show the filename rather than
the package so we have more information on exactly where the warning
has been raised from (GH #171)
- correct self_url when PATH_INFO and SCRIPT_NAME are the same but we
are not running under IIS (GH #176)
- Add the multi_param method to :cgi export (thanks to xblitz for the patch
and tests. GH #167)
- Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168)
- Fix imports when called from CGI::Fast, restores the import of CGI functions
into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and
GH leejo/cgi-fast#12)
[ FEATURES ]
- CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the
offending script in error messages
- CGI now has env_query_string() for getting the value of QUERY_STRING from
the environment and not that fiddled with by CGI.pm (which is what
query_string() does) (GH #161)
- CGI::ENCODE_ENTITIES var added to control which chracters are encoded by
the call to the HTML::Entities module - defaults to &<>"' (GH #157 - the
\x8b and \x9b chars have been removed from this list as we are concerned
more about unicode compat these days than old browser support.)
[ DOCUMENTATION ]
- Fix some typos (GH #173, GH #174)
- All *documentation* for HTML functionality in CGI has been moved into
its own namespace: CGI::HTML::Functions - although the functionality
continues to exist within CGI.pm so there are no code changes required
(GH #142)
- Add missing documentation for env variable fetching routines (GH #163)
[ TESTING ]
- Increase test coverage (GH #3)
[ INTERNALS ]
- Cwd made a TEST_REQUIRES rather than a BUILD_REQUIRES in Makefile.PL
(GH #170)
- AutoloadClass variables have been removed as AUTOLOAD was removed in
v4.14 so these are no longer necessary (GH #172 thanks to alexmv)
- Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC
constants changes to $_DEBUG, $_XHTML_DTD, and $_EBCDIC
* Update MESSAGES.
Changelog:
5.7.4.2
Behavioral Improvements
Saving only a custom template on a block will no longer wrap that block in a custom design DIV. Better saving and resetting of custom designs on blocks and areas.
Topics improvements: topics can now be created below other topics; the only different between topic categories and topics is that categories cannot be assigned to objects, only topics can.
We now include the page ID in the attributes dialog and panel.
Feature block now contains an instance of the rich text editor (thanks MrKarlDilkington)
Improvements to new update functionality when site can't connect to concrete5.org
Improvements to new update functionality to make it more resilient with failures, but error messaging.
Adding attributes to a page will ask for it be checked back/approved when clicking the green icon.
Theme name and description can now be translated (thanks mlocati)
Added an error notice when deleting a page type that’s in use in your site.
Bug Fixes
Some servers would redirect infinitely when activating a theme or attempting to logout. This has been fixed.
Fix bug with multiple redactor instances on the same page and in the same composer window causing problems.
Better rendering of empty areas in Firefox (thanks JeramyNS)
Fixed problems with “concrete.seo.trailing_slash” set to true leading to an inability to login, other problems.
Attributes that had already been filled out were being shown as still required in page check-in panel.
Fixed bug where full URLs were incorrectly parsed if asset caching was enabled (thanks mlocati)
Fix download file script leading to 404 errors after you go to the dashboard and hit the back button
Fixed https://www.concrete5.org/developers/bugs/5-7-4-1/dont-allow-to-create-file-sets-with-names-containing-forbidden-c/
Fix https://www.concrete5.org/developers/bugs/5-7-4-1/cant-replace-a-file-with-one-in-the-incoming-directory/
Fix XSS in conversation author object; fix author name not showing if a user didn't put in a website (thanks jaromirdalecky)
Searching files, pages and users by topics now works in the dashboard
Picture tag now properly inserted by Redactor when working with themes that use responsive images.
Fixed z-index of message author and status in conversations dashboard page.
Developer Updates
API improvements to the RedactorEditor class.
And many improvements and bugfixes including security bugfixes.
Version 8.0.3 May 1st 2015
Fix several Constrain Violation Exceptions
Fix misleading Maintenance mode message
Timezone fixes for countries with 0.5 and 0.75 offsets
Fix usage of default share folder location
Reenable trashbin after failed rename
Fix disabling of APCu
Do not show update notification on mobile
Fix "Only variables should be passed by reference" error log spam
Add timeout to curl
Makes repair errors and warnings visible for the user when upgrading on the command line or in the web UI
Cron shall not operate in case we are in maintenance mode
Disable the cache updater when doing the encryption migration
Fix "Error while updating app" error
Internal Server Error after attempting to do "occ files:scan"
Several smaller fixes
WebKitGTK+ 2.4.9 released!
This is a bug fix release in the stable 2.4 series.
What’s new in the WebKitGTK+ 2.4.9 release?
o Check TLS errors as soon as they are set in the SoupMessage to prevent any
data from being sent to the server in case of invalid certificate.
o Clear the GObject DOM bindings internal cache when frames are destroyed or web
view contents are updated.
o Add HighDPI support for non-accelerated compositing contents.
o Fix some transfer annotations used in GObject DOM bindings.
o Use latin1 instead of UTF-8 for HTTP header values.
o Fix synchronous loads when maximum connection limits are reached.
o Fix a crash ScrollView::contentsToWindow() when GtkPluginWidget doesn’t have a
parent.
o Fix a memory leak in webkit_web_policy_decision_new.
o Fix g_closure_unref runtime warning.
o Fix a crash due to empty drag image during drag and drop.
o Fix rendering of scrollbars with GTK+ >= 3.16.
o Fix the build on mingw32/msys.
o Fix the build with WebKit2 disabled.
o Fix the build with accelerated compositing disabled.
o Fix clang version check in configure.
o Fix the build with recent versions of GLib that have GMutexLocker.
o Fix the build for Linux/MIPS64EL.
Upstream changes:
== MediaWiki 1.25.1 ==
This is a bug fix release of the MediaWiki 1.25 branch.
== Changes since 1.25.1 ==
* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
== MediaWiki 1.25 ==
=== Configuration changes in 1.25 ===
* $wgPageShowWatchingUsers was removed.
* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
* $wgAntiLockFlags was removed.
* $wgJavaScriptTestConfig was removed.
* Edit tokens returned from User::getEditToken may change on every call. Token
validity must be checked by passing the user-supplied token to
User::matchEditToken rather than by testing for equality with a
newly-generated token.
* (T74951) The UserGetLanguageObject hook may be passed any IContextSource
for its $context parameter. Formerly it was documented as receiving a
RequestContext specifically.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
See StartProfiler.sample for details.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
longer be used. If extracts and page images are desired, the TextExtracts and
PageImages extensions are required.
* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
* Edits are now prepared via AJAX as users type edit summaries. This behavior
can be disabled via $wgAjaxEditStash.
* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
with the jQuery Migrate library, as indicated when this option was provided in
MediaWiki 1.24.
* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
StartProfiler.php config is updated to reflect this. Xhprof is available
for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
rather than 'rsvg'.
* Default value of $wgSVGConverters['ImageMagick'] now uses transparent
background with white fallback color, rather than just white background.
* MediaWikiBagOStuff class removed, make sure any object cache config
uses SqlBagOStuff instead.
* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
job queues. This means that mediawiki/services/jobrunner service has to
be installed and running for any such queues to work.
* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
compatibility, any 'view' event triggers will still trigger on 'edit'.
* $wgExtensionDirectory was added for when your extensions directory is somewhere
other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
=== New features in 1.25 ===
* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
for plural forms in Russian, Prussian, Tagalog, Manx and several languages
that fall back to Russian.
* (T60139) ResourceLoaderFileModule now supports language fallback
for 'languageScripts'.
* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
parser output for a content object before links update.
* (T37785) Enhanced recent changes and extended watchlist are now default.
Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions.
* (T69341) SVG images will no longer be base64-encoded when being embedded
in CSS. This results in slight size increase before gzip compression (due to
percent-encoding), but up to 20% decrease after it.
* Update jStorage to v0.4.12.
* MediaWiki now natively supports page status indicators: icons (or short text
snippets) usually displayed in the top-right corner of the page. They have
been in use on Wikipedia for a long time, implemented using templates and CSS
absolute positioning.
- Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
- Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
- Adjusting custom skins to support indicators:
https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
* Edit tokens may now be time-limited: passing a maximum age to
User::matchEditToken will reject any older tokens.
* The debug logging internals have been overhauled, and are now using the
PSR-3 interfaces.
* Update CSSJanus to v1.1.1.
* Update lessphp to v0.5.0.
* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
and images for ApiOpenSearch output. The semantics are identical to the
"OpenSearchXml" hook provided by the OpenSearchXml extension.
* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
this allows for pagination of prefix results. Extensions using this hook
should implement supporting behavior. Not doing so can result in undefined
behavior from API clients trying to continue through prefix results.
* Update jQuery from v1.11.1 to v1.11.3.
* External libraries installed via composer will now be displayed
on Special:Version in their own section. Extensions or skins that are
installed via composer will not be shown in this section as it is assumed
they will add the proper credits to the skins or extensions section. They
can also be accessed through the API via the new siprop=libraries to
ApiQuerySiteInfo.
* Update QUnit from v1.14.0 to v1.16.0.
* Update Moment.js from v2.8.3 to v2.8.4.
* Special:Tags now allows for manipulating the list of user-modifiable change
tags.
* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
tags.
* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
"active" formerly conflated by the 'ListDefinedTags' hook.
* Added TemplateParser class that provides a server-side interface to cachable
dynamically-compiled Mustache templates (currently uses lightncandy library).
* Clickable anchors for each section heading in the content are now generated
and appear in the gutter on hovering over the heading.
* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
to allow extensions to override how links to pages are rendered within NS_CATEGORY
* (T19665) Special:WantedPages only lists page which having at least one red link
pointing to it.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
links of a group of changes in EnhancedChangesList.
* A full interface for StatsD metric reporting has been added to the context
interface, reachable via IContextSource::getStats().
* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
proper, published library, which is now tagged as v1.0.0.
* A new message (defaulting to blank), 'editnotice-notext', can be shown to users
when they are editing if no edit notices apply to the page being edited.
* (T94536) You can now make the sitenotice appear to logged-in users only by
editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
"-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
* Modifying the tagging of a revision or log entry is now available via
Special:EditTags, generally accessed via the revision-deletion-like interface
on history pages and Special:Log is likely to be more useful.
* Added 'applychangetags' and 'changetags' user rights.
* (T35235) LogFormatter subclasses are now responsible for formatting the
parameters for API log event output. Extensions should implement the new
getParametersForApi() method in their log formatters.
==== External libraries ====
* MediaWiki now requires certain external libraries to be installed. In the past
these were bundled inside the Git repository of MediaWiki core, but now they
need to be installed separately. For users using the tarball, this will be taken
care of and no action will be required. Users using Git will either need to use
composer to fetch dependencies or use the mediawiki/vendor repository which includes
all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
instructions can be found at:
https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
* The following libraries are now required:
** psr/log
This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
which are used by MediaWiki internally via the
MediaWiki\Logger\LoggerFactory class.
See the structured logging RfC (https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging)
for more background information.
** cssjanus/cssjanus
This library was formerly bundled with MediaWiki core and has been removed.
It automatically flips CSS for RTL support.
** leafo/lessphp
This library was formerly bundled with MediaWiki core and has been removed.
It compiles LESS files into CSS.
** wikimedia/cdb
This library was formerly a part of MediaWiki core, and has been moved into a separate library.
It provides CDB functions which are used in the Interwiki and Localization caches.
More information about the library can be found at https://www.mediawiki.org/wiki/CDB.
** liuggio/statsd-php-client
This library provides a StatsD client API for logging application metrics to a remote server.
=== Bug fixes in 1.25 ===
* (T73003) No additional code will be generated to try to load CSS-embedded
SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
* (T69021) On Special:BookSources, corrected validation of ISBNs (both
10- and 13-digit forms) containing "X".
* Page moving was refactored into a MovePage class. As part of that:
** The AbortMove hook was removed.
** MovePageIsValidMove is for extensions to specify whether a page
cannot be moved for technical reasons, and should not be overridden.
** MovePageCheckPermissions is for checking whether the given user is
allowed to make the move.
** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
** Title::moveTo() was deprecated. Use the MovePage class instead.
** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
and MovePage::checkPermissions().
* (T18530) Multiple autocomments are now formatted in an edit summary.
* (T70361) Autocomments containing "/*" are parsed correctly.
* The Special:WhatLinksHere page linked from 'Number of redirects to this page'
on action=info about a file page does not list file links anymore.
* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
* (T85192) Captcha position modified in Usercreate template. As a result:
** extrafields parameter added to Usercreate.php to insert additional data
** 'extend' method added to QuickTemplate to append additional values to any field of data array
* (T86974) Several Title methods now load from the database when necessary
(instead of returning incorrect results) even when the page ID is known.
* (T74070) Duplicate search for archived files on file upload now omits the extension.
This requires the fa_sha1 field being populated.
* Removed rel="archives" from the "View history" link, as it did not pass
HTML validation.
* $wgUseTidy is now set when parserTests are run with the tidy option to match
output on wiki.
* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
=== Action API changes in 1.25 ===
* (T67403) XML tag highlighting is now only performed for formats
"xmlfm" and "wddxfm".
* action=paraminfo supports generalized submodules (modules=query+value),
querymodules and formatmodules are deprecated
* action=paraminfo no longer outputs descriptions and other help text by
default. If needed, it may be requested using the new 'helpformat' parameter.
* action=help has been completely rewritten, and outputs help in HTML
rather than plain text.
* Hitting api.php without specifying an action now displays only the help for
the main module, with links to submodule help.
* API help is no longer displayed on errors.
* 'uselang' is now a recognized API parameter; "uselang=user" may be used to
explicitly select the language from the current user's preferences, and
"uselang=content" may be used to select the wiki's content language.
* Default output format for the API is now jsonfm.
* Simplified continuation will return a "batchcomplete" property in the result
when a batch of pages is complete.
* Pretty-printed HTML output now has nicer formatting and (if available)
better syntax highlighting.
* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
list=alldeletedrevisions.
* prop=revisions will gracefully continue when given too many revids or titles,
rather than just ignoring the extras.
* prop=revisions will no longer die if rvcontentformat doesn't match a
revision's content model; it will instead warn and omit the content.
* If the user has the 'deletedhistory' right, action=query's revids parameter
will now recognize deleted revids.
* prop=revisions may be used as a generator, generating revids.
* (T68776) format=json results will no longer be corrupted when
$wgMangleFlashPolicy is in effect. format=php results will cleanly return an
error instead of returning invalid serialized data.
* Generators may now return data for the generated pages when used with
action=query.
* Query page data for generator=search and generator=prefixsearch will now
include an "index" field, which may be used by the client for sorting the
search results.
* ApiOpenSearch now supports XML output.
* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
in JSON format.
* (T76051) list=tags will now continue correctly.
* (T76052) list=tags can now indicate whether a tag is defined.
* (T75522) list=prefixsearch now supports continuation
* (T78737) action=expandtemplates can now return page properties.
* (T78690) list=allimages now accepts multiple pipe-separated values
for the 'aimime' parameter.
* prop=info with inprop=protections will now return applicable protection types
with the 'restrictiontypes' key.
* (T85417) When resolving redirects, ApiPageSet will now add the targets of
interwiki redirects to the list of interwiki titles.
* (T85417) When outputting the list of redirect titles, a 'tointerwiki'
property (like the existing 'tofragment' property) will be set.
* Added action=managetags to allow for managing the list of
user-modifiable change tags. Actually modifying the tagging of a revision or
log entry is not implemented yet.
* list=tags has additional properties to indicate 'active' status and tag
sources.
* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
* (T88010) Added action=checktoken, to test a CSRF token's validity.
* (T88010) Added intestactions to prop=info, to allow querying of
Title::userCan() via the API.
* Default type param for query list=watchlist and list=recentchanges has
been changed from all types (e.g. including 'external') to 'edit|new|log'.
* Added formatversion to format=json. Still "experimental" as further changes
to the output formatting might still be made.
* (T73020) Log event details are now always under a 'params' subkey for
list=logevents, and a 'logparams' subkey for list=watchlist and
list=recentchanges.
* Log event details are changing formatting:
* block events now report flags as an array rather than as a comma-separated
list.
* patrol events now report the 'auto' flag as a boolean (absent/empty string
for BC formats) rather than as an integer.
* rights events now report the old and new group lists as arrays rather than
as comma-separated lists.
* merge events use new-style formatting.
* delete/event and delete/revision events use new-style formatting.
* The root node and various other nodes will now always be an object in formats
such as json that distinguish between arrays and objects.
* Except for action=opensearch where the spec requires an array.
=== Action API internal changes in 1.25 ===
* ApiHelp has been rewritten to support i18n and paginated HTML output.
Most existing modules should continue working without changes, but should do
the following:
* Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
* Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
to replace getParamDescription(). If necessary, the settings array returned
by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
message.
* Implement getExamplesMessages() to replace getExamples().
* Modules with submodules (like action=query) must have their submodules
override ApiBase::getParent() to return the correct parent object.
* The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
and will have no effect for modules using i18n messages. Use
'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
* Api formatters will no longer be asked to display the help screen on errors.
* ApiMain::getCredits() was removed. The credits are available in the
'api-credits' i18n message.
* ApiFormatBase has been changed to support i18n and syntax highlighting via
extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
has been removed.
* ApiFormatBase now always buffers. Output is done when
ApiFormatBase::closePrinter is called.
* Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
* The 'revids' parameter supplied by ApiPageSet will now count deleted
revisions as "good" if the user has the 'deletedhistory' right. New methods
ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
provided to access just the live or just the deleted revids.
* Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
to allow generators to include data in the action=query result.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
the current request was sent with the 'callback' parameter (or any future
method that breaks the same-origin policy).
* Profiling methods in ApiBase are deprecated and no longer need to be called.
* ApiResult was greatly overhauled. See inline documentation for details.
* ApiResult will automatically convert objects to strings or arrays (depending
on whether a __toString() method exists on the object), and will refuse to
add unsupported value types.
* An informal interface, ApiSerializable, exists to override the default
object conversion.
* ApiResult/ApiFormatBase "raw mode" is deprecated.
* ApiFormatXml now assumes defaults and so on instead of throwing errors when
metadata isn't set.
* (T35235) LogFormatter subclasses are now responsible for formatting log event
parameters for the API.
* Many modules have changed result data formats. While this shouldn't affect
clients not using the experimental formatversion=2, code using
ApiResult::getResultData() without the transformations for backwards
compatibility may need updating, as will code that wasn't following the old
conventions for API boolean output.
* The following methods have been deprecated and may be removed in a future
release:
* ApiBase::getDescription
* ApiBase::getParamDescription
* ApiBase::getExamples
* ApiBase::makeHelpMsg
* ApiBase::makeHelpArrayToString
* ApiBase::makeHelpMsgParameters
* ApiBase::getModuleProfileName
* ApiBase::profileIn
* ApiBase::profileOut
* ApiBase::safeProfileOut
* ApiBase::getProfileTime
* ApiBase::profileDBIn
* ApiBase::profileDBOut
* ApiBase::getProfileDBTime
* ApiBase::getResultData
* ApiFormatBase::setUnescapeAmps
* ApiFormatBase::getWantsHelp
* ApiFormatBase::setHelp
* ApiFormatBase::formatHTML
* ApiFormatBase::setBufferResult
* ApiFormatBase::getDescription
* ApiFormatBase::getNeedsRawData
* ApiMain::setHelp
* ApiMain::reallyMakeHelpMsg
* ApiMain::makeHelpMsgHeader
* ApiResult::setRawMode
* ApiResult::getIsRawMode
* ApiResult::getData
* ApiResult::setElement
* ApiResult::setContent
* ApiResult::setIndexedTagName_recursive
* ApiResult::setIndexedTagName_internal
* ApiResult::setParsedLimit
* ApiResult::beginContinuation
* ApiResult::setContinueParam
* ApiResult::setGeneratorContinueParam
* ApiResult::endContinuation
* ApiResult::size
* ApiResult::convertStatusToArray
* ApiQueryImageInfo::getPropertyDescriptions
* ApiQueryLogEvents::addLogParams
* The following classes have been deprecated and may be removed in a future
release:
* ApiQueryDeletedrevs
=== Languages updated in 1.25 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
* Languages added:
** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
** ses (Koyraboro Senni), thanks to translator Songhay.
* (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
interface language to kk where unexpected.
* The Chinese conversion table was substantially updated to fix a lot of
bugs and ensure better reading experience for different variants.
=== Other changes in 1.25 ===
* (T45591) Links to MediaWiki.org translatable help were added to indicators,
mostly in special pages. Local custom target titles can be placed in the
relevant '(namespace-X|action name|special page name)-helppage' system
message. Extensions can use the addHelpLink() function to do the same.
* The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
migration guide for creators and users of custom skins that relied on it.
* Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
available on Special:Upload.
* (T58257) Set site logo from mediawiki.skinning.interface module instead of
inline styles in the HTML.
* Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
* Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
* Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
* Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
* Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
* Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
since 1.20)
* Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
since 1.20)
* Removed 'jquery.json' module. (deprecated since 1.24)
Use the 'json' module and global JSON object instead.
* Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
Also, the former will now throw an MWException if called with one or more
arguments.
* Removed hitcounters and associated code.
* The "temp" zone of the upload respository is now considered private. If it
already exists (such as under the images/ directory), please make sure that
the directory is not web readable (e.g. via a .htaccess file).
* BREAKING CHANGE: In the XML dump format used by Special:Export and
dumpBackup.php, the <model> and <format> tags now apprear before the <text>
tag, instead of after the <text> and <sha1> tags.
The new schema version is 0.10, the new schema URI is:
https://www.mediawiki.org/xml/export-0.10.xsd
* MWFunction::call() and MWFunction::callArray() were removed, having being
deprecated in 1.22.
* Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
and getInternalLinkAttributes methods in Linker, and removed
getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
* Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
* Added wgRelevantArticleId to the client-side config, for use on special pages.
* Deprecated the TitleIsCssOrJsPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Deprecated the TitleIsWikitextPage hook. Superseded by the
ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
* Changed parsing of variables in schema (.sql) files:
** The substituted values are no longer parsed. (Formerly, several passes
were made for each variable, so depending on the order in which variables
were defined, variables might have been found inside encoded values. This
is no longer the case.)
** Variables are no longer string encoded when the /*$var*/ syntax is used.
If string encoding is necessary, use the '{$var}' syntax instead.
** Variable names must only consist of one or more of the characters
"A-Za-z0-9_".
** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
does not exist yet variable B does, the latter may not be replaced.
However, this difference is unlikely to arise in practice.
* (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
characters on both sides.
* The FormatAutocomments hook will now receive $pre and $post as booleans,
rather than as strings that must be prepended or appended to $comment.
* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
newlines; but they can contain and other non-newline whitespace.
* The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
relied on this behavior, update your scripts' dependencies.
* HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
* HTMLForm::isVForm() is now deprecated.
* You can no longer do this:
$form = new HTMLForm( … );
$form->setDisplayFormat( 'vform' ); // throws exception
Instead, do this:
$form = HTMLForm::factory( 'vform', … );
* Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
* BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
* (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
renders them incorrectly when combined with border-radius or background-size.
* Removed maintenance script dumpSisterSites.php.
* DatabaseBase class constructors must be called using the array argument style.
Ideally, DatabaseBase:factory() should be used instead in most cases.
* Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
since they interfere with caching of ParserOutput objects.
* Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
* Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
updates when a page is re-rendered.
* EditPage::attemptSave has been modified not to call handleStatus itself and
instead just returns the Status object. Extension calling it should be aware of
this.
* Removed class DBObject. (unused since 1.10)
* wfDiff() is deprecated.
* The -m (maximum replication lag) option of refreshLinks.php was removed.
It had no effect since MediaWiki 1.18 and should be removed from any cron
jobs or similar scripts you may have set up.
* (T85864) The following messages no longer support raw html: redirectto,
thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
protect-summary-cascade
* All BloomCache related code has been removed. This was largely experimental.
* $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
can only be set for the entire skin.
* Removed global function swap(). (deprecated since 1.24)
* Deprecated the ".php5" file extension entry points and the $wgScriptExtension
configuration variable. Refer to the ".php" files instead. If you want
".php5" URLs to continue to work, set up redirects. In Apache, this can be
done by enabling mod_rewrite and adding the following rules to your
configuration:
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.php5 $1.php [R=301,L]
* The global importScriptURI and importStylesheetURI functions, as well as the
loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
warnings through mw.log.warn when accessed.
== Compatibility ==
MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for
HHVM 3.3.0.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.25 has several database changes since 1.24, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.24.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.
2015-05-20 Net-HTTP 6.09
Karen Etheridge (1):
No changes since 6.08_002
2015-05-02 Net-HTTP 6.08_002
Karen Etheridge (1):
fix foolish $VERSION error in 6.08_001
2015-05-01 Net-HTTP 6.08_001
Mark Overmeer (1):
resolve issues with SSL by reading bytes still waiting to be read after
the initial 1024 bytes [RT#104122]
Changelog:
The Apache Tomcat Project is proud to announce the release of version
8.0.23 of Apache Tomcat. Apache Tomcat 8.0.23 includes a numerous fixes
for issues identified in 8.0.22 as well as a number of other enhancements
and changes. The notable changes since 8.0.22 include:
Fixed corruption issues with NIO2 and TLS
Added a workaround for SPNEGO authentication and a JRE regression in Java 8 update 40 onwards
Added the new HttpHeaderSecurityFilter
Changelog:
Tomcat 7.0.62 (violetagg)
Catalina
add Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
fix 57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
fix Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
fix Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
fix 57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
fix 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
fix 57824: Correct a regression in the fix for 57252 that broke request listeners for non-async requests that triggered an error that was handled by the ErrorReportingValve. (markt/violetagg)
fix 57841: Improve error logging during web application start. (markt)
fix 57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect(). (markt)
fix 57896: Support defensive copying of "cookie" header so that unescaping double quotes in a cookie value does not corrupt original value of "cookie" header. This is an opt-in feature, enabled by org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER system property. (kkolinko)
Coyote
fix 57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API. (markt)
fix 57833: When using JKS based keystores for NIO, ensure that the key alias is always converted to lower caes since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt)
fix 57837: Add text/css to the default list of compressable MIME types. (markt)
Jasper
fix 57845: Ensure that, if the same JSP is accessed directly and via a <jsp-file> declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed. (markt)
fix 57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message. (markt)
Cluster
add Add new attribute that send all actions for session across Tomcat cluster nodes. (kfujino)
fix Remove unused pathname attribute in mbean definition of BackupManager. (kfujino)
fix 57338: Improve the ability of the ClusterSingleSignOn valve to handle nodes being added and removed from the Cluster at run time. (markt)
fix Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes. (kfujino)
WebSocket
fix 57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped. (markt)
fix 57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message. (markt)
fix Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste. (markt/kkolinko)
fix 57788: Avoid NPE when looking up a class hierarchy without finding anything. (remm)
Web applications
add 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
fix 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)
Tribes
fix Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processing at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry. (kfujino)
fix Clarify the handling of Copy message and Copy nodes. (kfujino)
fix Copy node does not need to send the entry data. It is enough to send only the node information of the entry. (kfujino)
fix ReplicatedMap should send the Copy message when replicating. (kfujino)
fix Fix behavior of ReplicatedMap when member has disappeared. If map entrprimary, rebuild the backup members. If primary node of map entry has disappeared, backup node is promoted to primary. (kfujino)
fix When a map member has been added to ReplicatedMap, make sure to add it to backup nodes list of all other members.
Changelog:
Fixed in Firefox ESR 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
- Add BUILD_DEPENDS to p5-Catalyst-Plugin-Authorization-Roles for make test
(upstream)
- Update to 0.1506
----------------
0.1506 2014-04-02
* Fix doc bugs. RT#87372
* Fix calling User->can() as a class method. RT#90715
* Fix Catalyst tutorial link. RT#47043
--------------
2.22 Thu May 14 04:04:03 CEST 2015
- ipv6 literals were not correctly parsed (analyzed by Raphael Geissert).
- delete the body when mutating request to GET request when
redirecting (reported by joe trader).
- send proxy-authorization header to proxy when using CONNECT
(reported by dzagashev@gmail.com).
- do not send Proxy-Authroization header when not using a proxy.
- when retrying a persistent request, switch persistency off.
- added t/02_ip_literals.t.
Upstream changes:
1.2.0 2015-04-14 07:13:00+0000
- [core] bundle libyaml #248 (Kazuho Oku)
- [core] implement master-worker process mode and daemon mode (bundles Server::Starter) #258#270 (Kazuho Oku)
- [file] more mime-types by default #250#254#280 (Tatsuhiko Kubo, George Liu, Kazuho Oku)
- [file][http1] fix connection being closed if the length of content is zero #276 (Kazuho Oku)
- [headers] fix heap overrun during configuration #251 (Kazuho Oku)
- [http2] do not delay sending PUSH_PROMISE #221 (Kazuho Oku)
- [http2] reduce memory footprint under high load #271 (Kazuho Oku)
- [http2] fix incorrect error sent when number of streams exceed the limit #268 (Kazuho Oku)
- [proxy] fix heap overrun when building request sent to upstream #266#269 (Moto Ishizawa, Kazuho Oku)
- [proxy] fix laggy response in case the length of content is zero #274#276 (Kazuho Oku)
- [SSL] fix potential stall while reading data from client #268 (Kazuho Oku)
- [SSL] bundle LibreSSL #236#272 (Kazuho Oku)
- [SSL] obtain source-level compatibility with BoringSSL #228 (Kazuho Oku)
- [SSL] add directive `listen.ssl.cipher-preference` for controlling the selection logic of cipher-suites #233 (Kazuho Oku)
- [SSL] disable TLS compression #252 (bisho)
- [libh2o] fix C++ compatibility (do not use empty struct) #225 (Kazuho Oku)
- [libh2o] search external dependencies using pkg-config #227 (Kazuho Oku)
- [misc] fix GCC version detection bug used for controlling compiler warnings #224 (Kazuho Oku)
- [misc] check merory allocation failures in socket pool #265 (Tatsuhiko Kubo)
1.1.1 2015-03-09 06:12:00+0000
- [proxy] fix crash on NetBSD when upstream connection is persistent #217 (Kazuho Oku)
- [misc] fix compile error on FreeBSD #211#212 (Syohei Yoshida)
1.1.0 2015-03-06 06:41:00+0000
- [core][file] send redirects appending '/' as abs-path redirects #209 (Kazuho Oku)
- [headers] add directives for manipulating response headers #204 (Kazuho Oku)
- [http2] do not send a corrupt response if header value is longer than 126 bytes #193 (Kazuho Oku)
- [http2] fix interoperability issue with nghttp2 0.7.5 and above 5c42eb1 (Kazuho Oku)
- [proxy] send `via` header to upstream #191 (Kazuho Oku)
- [proxy] resolve hostname asynchronously #207 (Kazuho Oku)
- [proxy] distribute load between upstream servers (using `rand()`) #208 (Kazuho Oku)
- [proxy] fix a bug that may cause a corrupt `location` header being forwarded #190 (Kazuho Oku)
- [reproxy] add support for `x-reproxy-url` header #187#197 (Daisuke Maki, Kazuho Oku)
1.0.1 2015-02-23 05:50:00+0000
- [core] change backlog size from 65,536 to 65,535 #183 (Tatsuhiko Kubo)
- [http2] fix assertion failure in HPACK encoder #186 (Kazuho Oku)
- [http2] add `extern` to some global variables that were not marked as such #178 (Kazuho Oku)
- [proxy] close persistent upstream connection if client abruptly closes the stream #188 (Kazuho Oku)
- [proxy] fix internal state corruption in case upstream sends response headers divided into multpile packets #189 (Kazuho Oku)
- [SSL] add host header to OCSP request #176 (Masaaki Hirose)
- [libh2o] do not require header files under `deps/` when using libh2o #173 (Kazuho Oku)
- [libh2o] fix compile error in examples when compiled with `H2O_USE_LIBUV=0` #177 (Kazuho Oku)
- [libh2o] in example, add missing / after the reference path #180 (Matthieu Garrigues)
- [misc] fix invalid HTML in sample page #175 (Deepak Prakash)
1.0.0 2015-02-18 20:01:00+0000
- [core] add redirect handler #150 (Kazuho Oku)
- [core] add `pid-file` directive for specifying the pid file #164 (Kazuho Oku)
- [core] connections accepted by host-specific listeners should not be handled by handlers of other hosts #163 (Kazuho Oku)
- [core] (FreeBSD) fix a bug that prevented the standalone server from booting when run as root #160 (Kazuho Oku)
- [core] switch to pipe-based interthread messaging #154 (Kazuho Oku)
- [core] use kqueue on all BSDs #156 (Kazuho Oku)
- [access-log] more logging directives: %H, %m, %q, %U, %V, %v #158 (Kazuho Oku)
- [access-log] bugfix: header values were not logged when specified using uppercase letters #157 (Kazuho Oku)
- [file] add application/json to defalt MIME-types #159 (Tatsuhiko Kubo)
- [http2] add support for the finalized version of HTTP/2 #166 (Kazuho Oku)
- [http2] fix issues reported by h2spec v0.0.6 #165 (Kazuho Oku)
- [proxy] merge the cookie headers before sending to upstream #161 (Kazuho Oku)
- [proxy] simplify the configuration directives (and make persistent upstream connections as default) #162 (Kazuho Oku)
- [SSL] add configuration directive to preload DH params #148 (Jeff Marrison)
- [libh2o] separate versioning scheme using H2O_LIBRARY_VERSION_* #167 (Kazuho Oku)
0.9.2 2015-02-10 04:17:00+0000
- [core] graceful shutdown on SIGTERM #119 (Kazuho Oku)
- [core] less TCP errors under high load #81 (Kazuho Oku)
- [file] add support for HEAD requests #110 (Mark Hoersken)
- [http1] MSIE workaround (send `Cache-Control: private` in place of Vary) #114 (Kazuho Oku)
- [http2] support server-push #133 (Kazuho Oku)
- [http2] fix spurious RST_STREAMS being sent #132 (Kazuho Oku)
- [http2] weight-based distribution of bandwidth #135 (Kazuho Oku)
- [proxy] added configuration directive `proxy.preserve-host` #112 (Masahiro Nagano)
- [proxy] sends X-Forwarded-For and X-Forwarded-Proto headers #112 (Masahiro Nagano)
- [proxy] stability improvements #61 (Kazuho Oku)
- [misc] adjustments to make the source code more analyzer-friendly #113,#117 (Nick Desaulniers, Maks Naumov)
0.9.1 2015-01-19 21:13:00+0000
- added configuration directives: ssl/cipher-suite, ssl/ocsp-update-interval, ssl/ocsp-max-failures, expires, file.send-gzip
- [http2] added support for draft-16 (draft-14 is also supported)
- [http2] dependency-based prioritization
- [http2] improved conformance to the specification
- [SSL] OCSP stapling (automatically enabled by default)
- [SSL] fix compile error with OpenSSL below version 1.0.1
- [file] content negotiation (serving .gz files)
- [expires] added support for Cache-Control: max-age
- [libh2o] libh2o and the header files installed by `make install`
- [libh2o] fix compile error when used from C++
- automatically setuids to nobody when run as root and if `user` directive is not set
- automatically raises RLIMIT_NOFILE
- uses all CPU cores by default
- now compiles on NetBSD and other BSD-based systems
An approximate changelog 5.0.3 to 5.1.2 (resolved issues from Jira):
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Bug ROL-2057
Missing NPE check in Roller PageServlet class
Unassigned Kohei Nozaki Major 30/Mar/15
Bug ROL-2058
No salt renewal on POST request
David Johnson Kohei Nozaki Major 30/Mar/15
Bug ROL-2059
Comment preview is invisible in Gaurav theme
David Johnson Kohei Nozaki Major 30/Mar/15
Bug ROL-2061
Wrong next month link of Calendar
David Johnson Kohei Nozaki Major 30/Mar/15
Bug ROL-2062
Missing NPE check in IndexOperation#getDocument()
David Johnson Kohei Nozaki Major 30/Mar/15
Improvement ROL-2064
Add viewport meta tag to Gaurav theme
David Johnson Kohei Nozaki Trivial 30/Mar/15
Bug ROL-2065
Gaurav sometimes displaying empty summary as unresolved "$entry.summary"
David Johnson Kohei Nozaki Minor 30/Mar/15
Bug ROL-2066
Comment URLs using https:// not saving properly in Gaurav theme
David Johnson Kohei Nozaki Trivial 30/Mar/15
Bug ROL-2067
Velocity configuration improvement
David Johnson David Johnson Major 30/Mar/15
Documentation ROL-2056
Wrong pointer (section number) in Install Guide at section 11.2
Unassigned Kohei Nozaki Minor 05/Jan/15
Bug ROL-2052
Custom stylesheets not being updated correctly when user switches between shared and custom themes.
Unassigned Glen Mazza Major 06/Oct/14
Bug ROL-2051
Roller not falling back to standard theme renditions when mobile one unavailable.
Unassigned Glen Mazza Critical 02/Oct/14
Bug ROL-1387
In creating tag aggregate counts, count tags only from published blog entries
Glen Mazza linda skrocki Major 02/Oct/14
Bug ROL-1620
Plus signs in categories lead to a 404 category RSS/Atom feeds
Glen Mazza linda skrocki Major 02/Oct/14
Bug ROL-2055
Comment search should be case insensitive
Glen Mazza Glen Mazza Minor 02/Oct/14
Bug ROL-2054
Newly saved categories not appearing on blog
Glen Mazza Glen Mazza Major 02/Oct/14
Bug ROL-1974
Roller's ROME Propono dependency needs updating to use newer JARs
David Johnson Glen Mazza Minor 25/Aug/14
Bug ROL-1973
ROME dependency used by Roller needs updating
David Johnson Glen Mazza Minor 25/Aug/14
Bug ROL-1942
Uploaded media file not selectable in media file view
Greg Huber Budi Ariyanto Major 25/Aug/14
Bug ROL-1948
getRealPath() null not handled
Unassigned Jürgen Weber Major 25/Aug/14
Task ROL-2039
Rename webpage and roller_templatecode tables
Glen Mazza Glen Mazza Major 25/Aug/14
Improvement ROL-2041
gaurav theme -- render full blog entries on main blog page if no summary given
Gaurav Saini Glen Mazza Major 25/Aug/14
Improvement ROL-1999
Switch from Referrers to storing tracking codes (e.g., Google Analytics)
Unassigned Glen Mazza Major 25/Aug/14
Bug ROL-1980
When deleting categories, Roller allows you to move its entries to invisible "root" category.
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1981
Allow user to specify order of blog categories
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-1979
Remove subcategory functionality from Roller 5.1
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1554
Listing Box "Invite a new user to join..." does not have a horizontal scrolling bar
Glen Mazza Davis Nguyen Major 25/Aug/14
Improvement ROL-2038
Add dualTheme element to themes.xml descriptor
Glen Mazza Glen Mazza Blocker 25/Aug/14
Improvement ROL-1938
Switch to mobile template only in standard template's index page
Unassigned Tiger Gui Major 25/Aug/14
Improvement ROL-1937
Standard and Mobile template switch improvement patch
Unassigned Tiger Gui Major 25/Aug/14
New Feature ROL-1934
LDAP Comment Authenticator
Dave Johnson (Inactive) Nick Padilla Major 25/Jan/12 25/Aug/14
Task ROL-1977
Remove unused properties from ApplicationResources.properties
Glen Mazza Anil Gangolli Minor 25/Aug/14
Improvement ROL-1881
Add delete blog entry option to entries page
Unassigned Nicolas Muller Major 25/Aug/14
Bug ROL-1571
missing graphic alt text
Unassigned mike duigou Major 25/Aug/14
Bug ROL-1928
Missing 500-to-510-migration.vm file in Roller Mobile branch
David Johnson David Johnson Major 25/Aug/14
Task ROL-2043
Switch from YUI3 to JQuery UI for autocomplete, tabs, dialogs
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-2022
Add Categories, demote tags from gaurav theme
Gaurav Saini Glen Mazza Major 25/Aug/14
Task ROL-2008
In "switch to (media) folder" drop-down, don't list the current folder the user is in.
Greg Huber Glen Mazza Major 25/Aug/14
Bug ROL-1273
resource item error
Glen Mazza Jian Liu Major 25/Aug/14
Task ROL-1434
lots of UI messaging needs to be converted to i18n keys in resource bundles
Glen Mazza Allen Gilliland Major 25/Aug/14
Bug ROL-2044
Member management page allows user to remove himself from blog.
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1966
Search highlight problem
Glen Mazza Maciej Rumianowski Major 25/Aug/14
Bug ROL-1957
Unable to find RSD template
Unassigned Harsh Gupta Major 25/Aug/14
Bug ROL-1792
Hit count increments with <link rel="stylesheet" type="text/css" media="all" href="$model.weblog.stylesheet">
Greg Huber Greg Huber Trivial 25/Aug/14
Bug ROL-1716
a bug found when call getPopularTags with the limit=-1 (v4 m1)
Unassigned guoweizhan Major 25/Aug/14
Bug ROL-1414
Email scrambler not detecting hyphens in email addresses
Allen Gilliland linda skrocki Major 25/Aug/14
Improvement ROL-1649
Korean translation resource file
Unassigned Woonsan Ko Minor 25/Aug/14
Bug ROL-1930
Saving Template causes Null Pointer Exception
David Johnson David Johnson Blocker 25/Aug/14
Task ROL-1983
Only expose AJAX User List Servlet to admin users
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-1986
Stop sending re-confirmation email after blogger approves comment.
Greg Huber Glen Mazza Minor 25/Aug/14
Improvement ROL-1978
Switch to more SEO-friendly hyphens instead of underscores to separate blog titles
Glen Mazza Glen Mazza Minor 25/Aug/14
Bug ROL-1616
Input fields not emptied after creating a new user
Unassigned Ronald Iwema Minor 25/Aug/14
Bug ROL-1638
Problem with themes on case sensitive file systems
Unassigned German Eichberger Major 25/Aug/14
New Feature ROL-1021
Referrer queue warning / filling up in logs. unclosed sessions.
Unassigned Rob Wilson Major 25/Aug/14
Bug ROL-1927
Roller 5 MSSQL Issues/Fixes
David Johnson Nick Padilla Major 25/Aug/14
Improvement ROL-2034
Hide Profile Password fields with SSO
Glen Mazza Jürgen Weber Major 25/Aug/14
Bug ROL-1794
file uploads with spaces in their names are 404ing (incorrect URL escaping?)
Greg Huber Dick Davies Major 25/Aug/14
Improvement ROL-1370
Support of email notifications preference for blog commentors
Unassigned linda skrocki Major 25/Aug/14
Bug ROL-1346
Weblog Calendar incorrectly assuming Sunday is first day of week for every locale.
Unassigned Vahid Zaboli Major 25/Aug/14
Test ROL-2033
Test Roller 5.1 with a weblog client
David Johnson David Johnson Major 25/Aug/14
Task ROL-2010
Update User's Guide with new app screen shots
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-2002
https:// URLs not being processed correctly in the comment URL field
Greg Huber Glen Mazza Major 25/Aug/14
Task ROL-1994
Switch to Apache Commons Collections 4.0
Unassigned Glen Mazza Minor 25/Aug/14
Bug ROL-1870
Duplicate bookmarks not showing
Unassigned Greg Huber Major 25/Aug/14
Bug ROL-1925
Patch for the bug of OpenID only authentication
Glen Mazza Shutra Major 25/Aug/14
Improvement ROL-929
Resign | "Are you sure?" Confirmation
Glen Mazza Greg Hamer Minor 25/Aug/14
Improvement ROL-2015
Add a description element to theme descriptor file (theme.xml)
Greg Huber Glen Mazza Major 25/Aug/14
Task ROL-1997
Switch WeblogEntry's pub status fields (DRAFT, PUBLISHED, PENDING, SCHEDULED) to an enum type
Unassigned Glen Mazza Minor 25/Aug/14
Task ROL-1995
Switch to JPA Typed Queries
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-1984
./app/src/test/resources/WEB-INF/security.xml needs updating to Spring & Spring Security 3.x namespaces
Unassigned Glen Mazza Major 25/Aug/14
Bug ROL-1738
Charset of E-Mail Subject Needs to be configurable
Unassigned SATO Naoki Major 25/Aug/14
Bug ROL-1715
SiteModel's getWeblogsByLetterPager not documented correctly
Glen Mazza David Johnson Minor 25/Aug/14
Task ROL-2028
Separate the Basic Theme into Basic and Basic Mobile Themes
David Johnson Glen Mazza Major 25/Aug/14
Bug ROL-2018
"Notify me of new comments" not working on trunk.
Glen Mazza Glen Mazza Major 25/Aug/14
Task ROL-2000
Change current rol_ prefix for two newest tables
Unassigned Glen Mazza Minor 25/Aug/14
Bug ROL-1992
Blogroll OPML import page raising 500 Security Error
Unassigned Glen Mazza Major 25/Aug/14
Task ROL-1991
Switch publish date pop-up calendar to one with year entry option
Unassigned Glen Mazza Minor 25/Aug/14
Improvement ROL-1907
Inefficient use of key set iterator.
Unassigned Shelan Perera Minor 25/Aug/14
Bug ROL-2032
Test Roller 5.1 with blogs.apache.org database & themes
David Johnson David Johnson Major 25/Aug/14
Bug ROL-2007
Changing values in Media File Editor frequently results in permissions error.
Greg Huber Glen Mazza Major 25/Aug/14
Bug ROL-1988
Category search not working if space exists in category
Glen Mazza Glen Mazza Major 25/Aug/14
Bug ROL-1952
Roller 5.0.1 does not work with PostgreSQL 9.1
Unassigned Matthias Wimmer Major 25/Aug/14
Bug ROL-1746
Uploaded file names are lower-cased with AtomPub.
Greg Huber Tatsuya Noyori Major 25/Aug/14
Bug ROL-1596
Frontpage theme lose record!
Glen Mazza xiaojf Major 25/Aug/14
Improvement ROL-1430
French Translation (based on version 4.0 files)
Unassigned Denis Balazuc Minor 25/Aug/14
Improvement ROL-1965
Searching with locale on Multi Language blog
Glen Mazza Maciej Rumianowski Major 25/Aug/14
Bug ROL-2016
roller-startup.log not created on startup
Greg Huber Greg Huber Minor 25/Aug/14
Bug ROL-2009
Custom template theme folder creation isn't working
Unassigned Glen Mazza Major 25/Aug/14
Improvement ROL-1947
Provide a blog entry-level description field that can go into HTML header field
Dave Johnson (Inactive) Glen Mazza Major 25/Aug/14
Bug ROL-1956
ValidateSaltFilter not working on file upload
Greg Huber Matthias Wimmer Major 25/Aug/14
Bug ROL-1954
user weblogs cannot be managed when admin logs in and select any user via Server Aministration and clicks on eit
Unassigned Harsh Gupta Major 25/Aug/14
Bug ROL-1795
Posting comments with SchemeEnforcementFilter in operation.
Greg Huber Greg Huber Minor 25/Aug/14
Task ROL-2030
Replace Xinha editor with something more recent
Unassigned Glen Mazza Minor 25/Aug/14
Task ROL-1968
Upgrade Spring Security from 2.0.7 to 3.1.4
Unassigned Glen Mazza Major 25/Aug/14
Improvement ROL-1964
SearchServlet does not preserve locale
Unassigned Maciej Rumianowski Minor 25/Aug/14
Task ROL-2005
Switch to top-level folders only for Media Files
Unassigned Glen Mazza Major 25/Aug/14
Bug ROL-1739
Missing constraint on weblogentrytagagg table
Glen Mazza David Johnson Major 25/Aug/14
Bug ROL-1778
Blog entry preview before first publish not working with Derby database
Glen Mazza José Arthur Benetasso Villanova Major 25/Aug/14
Upstream changelog:
Catalina
++++++++
fix Correct typo in the message shown by HttpServlet for unexpected
HTTP method. (kkolinko)
add Allow to configure RemoteAddrValve and RemoteHostValve to adopt
behavior depending on the connector port. Implemented by
optionally adding the connector port to the string compared with
the patterns allow and deny. Configured using addConnectorPort
attribute on valve. (rjung)
fix 56608: Fix IllegalStateException for JavaScript files when
switching from Writer to OutputStream. The special handling of
this case in the DefaultServlet was broken due to a MIME type
change for JavaScript. (markt)
fix 57675: Correctly quote strings when using the extended access
log. (markt)
Coyote
++++++
fix 57234: Make SSL protocol filtering to remove insecure protocols
case insensitive. Correct spelling of filterInsecureProtocols
method. (kkolinko/schultz)
fix When applying the maxSwallowSize limit to a connection read
that many bytes first before closing the connection to give
the client a chance to read the response. (markt)
fix 57544: Fix a potential infinite loop when preparing a kept
alive HTTP connection for the next request. (markt)
add 57570: Make the processing of chunked encoding trailing headers
optional and disabled by default. (markt)
fix 57581: Change statistics byte counter in coyote Request object
to be long to allow values above 2Gb. (kkolinko)
update Update the minimum recommended version of the Tomcat Native
library (if used) to 1.1.33. (markt)
Jasper
++++++
fix Fix potential issue with BeanELResolver when running under a
security manager. Some classes may not be accessible but may
have accessible interfaces. (markt)
fix Simplify code in ProtectedFunctionMapper class of Jasper
runtime. (kkolinko)
fix 57801: Improve the error message in the start script in case
the PID read from the PID file is already owned by a process.
(rjung)
Web applications
++++++++++++++++
fix Update documentation for CGI servlet. Recommend to copy the
servlet declaration into web application instead of enabling
it globally. Correct documentation for cgiPathPrefix. (kkolinko)
update Improve Tomcat Manager documentation. Rearrange, add section
on HTML GUI, document /expire command and Server Status page.
(kkolinko)
add 54143: Add display of the memory pools usage (including PermGen)
to the Status page of the Manager web application. (kkolinko)
fix Fix several issues with status.xsd schema in Manager web
application, testing it against actual output of
StatusTransformer class. (kkolinko)
update Align algorithm that generates anchor names in Tomcat
documentation with Tomcat 7/8/9. No visible changes, but may
help with future updates to the documentation. (kkolinko)
fix 56058: Add links to the AccessLogValve documentation for
configuring reverse proxies and/or Tomcat to ensure that the
desired information is used entered in the access log when
Tomcat is running behind a reverse proxy. (markt)
fix 57503: Make clear that the JULI integration for log4j only
works with log4j 1.2.x. (markt)
update 57644: Update examples to use Apache Standard Taglib 1.2.5.
(jboynes/kkolinko)
fix 57706: Clarify the documentation for the AJP connector to make
clearer that when using tomcatAuthentication="false" the user
provided by the reverse proxy will not be associated with any
roles. (markt)
fix Correct the documentation for deployOnStartup to make clear
that if a WAR file is updated while Tomcat is stopped and
unpackWARs is true, Tomcat will not detect the changed WAR
file when it starts and will not replace the unpacked WAR file
with the contents of the updated WAR. (markt)
add 57759: Add information to the keyAlias documentation to make
it clear that the order keys are read from the keystore is
implementation dependent. (markt)
fix 57864: Update the documentation web application to make it
clearer that hex values are not valid for cluster send options.
Based on a patch by Kyohei Nakamura. (markt)
Other
+++++
add 57344: Provide sha1 checksum files for Tomcat downloads.
(kkolinko)
fix 57558: Change catalina-tasks.xml to use all jars in
${catalina.home}/lib to define Tomcat Ant tasks. This fixes
a NoClassDefFoundError with validate task. (kkolinko)
update Update to Tomcat Native Library version 1.1.33 to pick up the
Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
(markt)
-------------------
6.11 2015-05-16
- Deprecated build_body and build_headers methods in Mojo::Content.
- Added headers_contain method to Mojo::Content.
- Updated jQuery to version 2.1.4.
- Fixed indentation of ASCII art in documentation browser. (jberger)
- Fixed bug where inline was not considered a reserved stash value.
6.10 2015-04-26
- Removed support for user/group switching, because it never worked
correctly, which means that this security feature has become an attack
vector itself. If you depend on this functionality, you can now use the
CPAN module Mojolicious::Plugin::SetUserGroup instead.
- Removed group and user attributes from Mojo::Server.
- Removed setuidgid method from Mojo::Server.
- Removed group and user settings from Hypnotoad.
- Removed -g/--group and -u/--user options from daemon and prefork commands.
- Added next_tick method to Mojo::Reactor::Poll.
- Improved next_tick callbacks to run in the same order in which they were
registered.
6.09 2015-04-25
- Improved HTML Living Standard compliance of Mojo::Parameters. (riche, sri)
- Fixed bug in Mojolicious::Types where the json MIME type did not specify a
charset. (kaktus)
fhajny
taca
ryoon
joerg
wiz
sborrill
adam
wen
schmonz
mef
kefren
hauke
kim
spz
sevan
tsutsui