Change notes from older releases. For current info, see RELEASE-NOTES-1.41.

= MediaWiki 1.40 =

PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/

== MediaWiki 1.40.1 ==

This is a security and maintenance release of the MediaWiki 1.40 branch.

=== Changes since MediaWiki 1.40.0 ===

* Localisation updates.
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T290464) Add DiscussionTools bundling to release notes.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writing about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T343669) skins: Avoid function call on array.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated jQuery from v3.6.1 to v3.7.1.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
* (T265734) API Help: Note that parameters may be inherited from other context.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
* (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* (T326696) Add since tag to UserOptionsManager::MAX_BYTES_OPTION_VALUE.
* updateSpecialPages.php: Avoid implicit float conversion on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-45359) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-45361) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non standard configuration).

== MediaWiki 1.40.0 ==

=== Changes since MediaWiki 1.40.0-rc.0 ===

* Localisation updates.
* (T330464) Work around argument corruption bug in XMLReader::open.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* Fix frame and frameless rdfa depending on file existing.
* (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

== MediaWiki 1.40.0-rc.0 ==

== Upgrading notes for 1.40 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.35.

Some specific notes for MediaWiki 1.40 upgrades are below:

* Maintenance scripts should now be executed using maintenance/run.php, e.g. maintenance/run.php update not maintenance/update.php as before.
* Five extensions have now been bundled with MediaWiki:
  * The DiscussionTools extension, which provides a forum-like editing experience for wikitext-based discussion pages.
  * The Echo extension, which provides a system of user notifications.
  * The Linter extension, which warns about use of deprecated wikitext.
  * The LoginNotify extension, which warns users about failed attempted logins.
  * The Thanks extension, which lets users thank editors for edits.
* The Renameuser extension has been moved to MediaWiki core. It is now possible to rename users without installing an extension.
  The extension had already been bundled with MediaWiki since 1.18.

For notes on 1.39.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.40 ===

* When computing PBKDF2 password hashes, MediaWiki now detects and uses OpenSSL support if available, unless $wgPasswordConfig['pbkdf2']['class'] is set in LocalSettings.php. OpenSSL is more efficient, so if that setting is present, you should remove it (or set it to 'Pbkdf2PasswordUsingOpenSSL' if possible). If users get an internal error when trying to log in, you can try setting it to 'Pbkdf2PasswordUsingHashExtension'. In particular, this would be necessary if existing PBKDF2 password hashes were computed using a hash algorithm other than "sha512" or "sha256" (the current and prior defaults).
* You should configure your webserver to return the HTTP header 'X-Content-Type-Options: nosniff' for the /images directory. This will instruct browsers to not apply content sniffing when accessing the files. MediaWiki before 1.40 shipped with a content sniffer which disallowed potentially dangerous files at upload time, but this protection has now been removed in favor of this 'X-Content-Type-Options: nosniff' header and the installer will return a warning when it is not in place.
* Support for MW_USE_LEGACY_DEFAULT_SETTINGS has been removed; setting this constant will not have any effect. Use of MW_USE_LEGACY_DEFAULT_SETTINGS had been deprecated since 1.39.

==== New configuration ====

* $wgThumbnailNamespaces - This setting lets you define the namespaces for which image thumbnails (or a placeholder in the absence of a thumbnail) will be displayed on Special:Search.
* $wgResourceLoaderClientPreferences – This experimental flag lets you enable client-side preferences for logged-out users.
* $wgExternalLinksSchemaMigrationStage – This temporary flag lets you control the migration stage for the new schema for the external links database table.
  Ignore it unless you have a large wiki farm with complex migration needs.
* $wgCommentTempTableSchemaMigrationStage – This temporary flag lets you control the migration stage for the temporary comment database table, from revision. Ignore it unless you have a large wiki farm with complex migration needs.
* $wgSpecialContributeSkinsEnabled – This setting lets you list the skins on which Special:Contribute is available, since the feature does not work on others.
* $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.

==== Changed configuration ====

* $wgPasswordPolicies – This setting, which controls what makes for a valid password for wiki accounts, has been adjusted to raise the minimal password length from 1 to 8 characters. The initial limit of 1 has been in place since MediaWiki 1.26. If you wish to allow shorter passwords, you can override it in your LocalSettings following the guidance on MediaWiki.org.
* (T254045) New accounts can no longer use an equals sign (=) in their usernames because of issues it causes in wikitext syntax. This can be adjusted by changing the value of $wgInvalidUsernameCharacters.
* (T314318) $wgParserEnableLegacyMediaDOM – This setting has been changed, so the alternative modern HTML structure for media is now the default. You can disable it for now by overriding this back to `true` in LocalSettings, but this configuration will be removed in future versions of MediaWiki. For more details, see the documentation at: https://www.mediawiki.org/wiki/Parsoid/Parser_Unification/Media_structure/FAQ
* $wgWatchlistExpiryMaxDuration – This setting, which controls the maximum allowed duration for users to set their temporary watchlist entries for expiry if that feature is enabled, has been increased from 6 months to 1 year.

==== Removed configuration ====

* $wgShellboxUrl – This setting, deprecated in 1.37, has now been removed; use $wgShellboxUrls instead.
* $wgMainWANCache and $wgWANObjectCaches – These never-used settings have been removed. To inject WANObjectCache parameters, use $wgWANObjectCache instead. These variables were introduced for multi-DC wiki farms to add a separate memcached proxy for cross-DC relaying of purges but never used because WANObjectCache works based on route prefixes, which can be transparently handled by the main memcached proxy.
* $wgParserTestFiles – This setting, deprecated in 1.30, has now been removed; extensions can place their parser test files in `tests/parser` instead.
* (T231412) $wgAutoloadAttemptLowercase – This setting, deprecated in 1.35, no longer has any effect. If you run into difficulties, fix the names of miscased local files.
* (T309787) $wgVerifyMimeTypeIE – This setting, to provide extra security checks for very old versions of Internet Explorer clients, was removed. These user agents aren't used in practice, and haven't been served JavaScript content for years.

=== New user-facing features in 1.40 ===

* Special:Search can now show thumbnails for results for titles outside NS_FILE. This is controlled via the new onSearchResultProvideThumbnail hook.
* A new preference ('search-thumbnail-extra-namespaces') to allow users to control whether to show more thumbnails (per $wgThumbnailNamespaces).
* (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters.
* (T313804) The preferences page now provides a search bar to find preferences, regardless of the tab on which they appear.

=== New developer features in 1.40 ===

* The MediaWiki-Docker development environment is now configured to run on PHP 8.1 by default, up from PHP 7.4 now that that's EOL.
* Vue development mode is enabled by default in DevelopmentSettings.php.
* (T277618) The @noVarDump annotation from the DebugInfoTrait tool can now be added to references to stop them from being expanded when their object is passed to var_dump(), to make its use for debugging more feasible.
* The ApiSandbox will now by default request responses in the latest API format, rather than the original format. Users can set `formatversion` to a different value if needed.
* A new hook, GetBlockErrorMessageKeyHook, allows extensions' block error messages to be received and displayed by BlockErrorFormatter.
* A new hook, SpecialCreateAccountBenefits, lets extensions and local code set custom content on the signup page about the benefits of using an account.
* (T321412) A new 'PageUndeleteComplete' hook has been added for more thorough information about a page post restoration than the 'PageUndelete' hook passes. This provides similar functionality to the 'PageDeleteComplete' hook.
* The Linker::specialLink() method can now link to a Special page with a sub-page or action parameter set, e.g. [[Special:Contributions/JohnDoe]].
* The PHPUnit entrypoints (tests/phpunit/phpunit.php and vendor/bin/phpunit) now check if composer dependencies are up-to-date, like update.php, using CheckComposerLockUpToDate. To disable this check, use MW_SKIP_EXTERNAL_DEPENDENCIES=1 environment flag when running PHPUnit.
* ManualLogEntry::setForceBotFlag() has been added to allow the forcing of the bot flag for log entries which are inserted to the recent changes.

=== External library changes in 1.40 ===

==== New external libraries ====

* Added codex-design-tokens at v0.6.2.
* Added symfony/polyfill-php81 at v1.27.0.
* Added wikimedia/bcp-47-code at v1.0.0.

===== New development-only external libraries =====

* Added wikimedia/langconv at v0.4.2.

==== Changed external libraries ====

* Updated OOUI from v0.44.3 to v0.46.3.
* Updated codex, codex-search, and codex-icons from v0.2.2 to v0.6.2.
* Updated cssjanus/cssjanus from 2.1.0 to 2.1.1.
* Updated guzzlehttp/guzzle from 7.4.5 to 7.5.0.
* Updated justinrainbow/json-schema from 5.2.11 to 5.2.12.
* Updated pear/mail from 1.4.1 to 1.5.1.
* Updated pear/net_smtp from 0.10.0 to 0.10.1.
* Updated psr/container from 1.1.1 to 1.1.2.
* Updated symfony/polyfill-php80 from 1.26.0 to 1.27.0.
* Updated symfony/yaml from 5.4.10 to 5.4.17.
* Updated wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated wikimedia/less.php from 3.1.0 to 4.0.0.
* Updated wikimedia/object-factory from 4.0.0 to 5.0.1.
* Updated wikimedia/parsoid from 0.16.0 to 0.17.0.
* Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* Updated wikimedia/shellbox from 3.0.0 to 4.0.0.
* Updated wikimedia/timestamp from 4.0.0 to 4.1.0.
* Updated wikimedia/xmp-reader from 0.8.4 to 0.9.1.

===== Changed development-only external libraries =====

* Updated QUnit from 2.18.2 to 2.19.4.
* Updated api-testing from 1.5.0 to 1.5.1.
* Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
* Updated eslint-config-wikimedia from 0.22.1 to 0.24.0.
* Updated giorgiosironi/eris from ^0.10.0 to ^0.13.0.
* Updated grunt from 1.5.2 to 1.6.1.
* Updated grunt-banana-checker from 0.9.0 to 0.10.0.
* Updated grunt-eslint from 24.0.0 to 24.0.1.
* Updated karma from 6.3.15 to 6.4.1.
* Updated mediawiki/mediawiki-codesniffer from 38.0.0 to 41.0.0.
* Updated mediawiki/mediawiki-phan-config from 0.11.1 to 0.12.1.
* Updated php-parallel-lint/php-console-highlighter from 0.5 to 1.0.0.
* Updated php-parallel-lint/php-parallel-lint from 1.3.1 to 1.3.2.
* Updated phpunit/phpunit from 8.5.28 to 9.5.28.
* Updated stylelint-config-wikimedia from 0.13.0 to 0.13.1.
* Updated wikimedia/alea from 0.9.3 to 1.0.0.

==== Removed external libraries ====

* jquery.throttle-debounce, deprecated since MediaWiki 1.33.
* WVUI, deprecated since MediaWiki 1.39.
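
The notes under "Configuration changes for system administrators in 1.40" ask for 'X-Content-Type-Options: nosniff' on the /images directory, now that the upload-time content sniffer is gone. The following check is an added example, not MediaWiki code: it classifies responses for files under /images as ok, missing or invalid, using the first-token rule browsers apply to this header. The file paths and raw responses in SAMPLES are constructed.

```python
"""Audit upload responses for 'X-Content-Type-Options: nosniff'.

Added example, not MediaWiki code. SAMPLES holds constructed responses;
pass real URLs of files under /images on the command line to check a wiki.
"""
import sys
import urllib.request

HEADER = "x-content-type-options"

# Constructed raw responses for three files under /images.
SAMPLES = {
    "/images/a/ab/Example.svg":
        "HTTP/1.1 200 OK\r\nContent-Type: image/svg+xml\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n",
    "/images/b/bc/Notes.xml":
        "HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n",
    "/images/c/cd/Scan.png":
        "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
        "X-Content-Type-Options: no-sniff\r\n\r\n",
}


def parse_raw_headers(raw):
    """Return [(name, value)] from the header block of a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def nosniff_status(headers):
    """Classify a header list as 'ok', 'missing' or 'invalid'.

    Browsers join repeated headers with commas and honour only the first
    token, compared case-insensitively, so 'sniff, nosniff' does not count.
    """
    values = [v for k, v in headers if k.lower() == HEADER]
    if not values:
        return "missing"
    first = ",".join(values).split(",")[0].strip().lower()
    return "ok" if first == "nosniff" else "invalid"


def audit(samples):
    """Map each sample path to its nosniff status."""
    return {path: nosniff_status(parse_raw_headers(raw))
            for path, raw in samples.items()}


def fetch_headers(url, timeout=10):
    """HEAD a live URL and return its response headers as (name, value) pairs."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.items()


def main(argv):
    if argv:
        results = {url: nosniff_status(fetch_headers(url)) for url in argv}
    else:
        results = audit(SAMPLES)
    for target, status in results.items():
        print(f"{status:8} {target}")
    # Non-zero exit when any checked file lacks a valid header.
    return 0 if all(s == "ok" for s in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it reports on the constructed samples; the exit status is non-zero when any checked file is not served with a valid header, which makes it usable in a deployment check.
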

=== Action API changes in 1.40 ===

* New `cancreateaccount` parameter on action=query&meta=userinfo that allows you to check if the user can create an account. Some of the errors that have previously been returned by action=query&list=users&usprop=cancreate are now returned here.

=== Languages updated in 1.40 ===

MediaWiki supports over 400 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* (T300378) Added language support for Toki Pona (tok).
* (T320465) Added language support for Magahi (mag).
* (T320912) Added language support for Arakanese (rki).
* (T323971) Added language support for Khakas (kjh).
* (T326526) Added language support for Igala (igl).
* (T329476) Added language support for Kusaal (kus).
* (T330266) Added language support for Southern Dagaare (dga).
* (T331596) Added language support for Obolo (ann).
* (T331597) Added language support for Nogai (nog).
* (T331599) Added language support for Wolaytta (wal).
* (T295637) Add no to fallback chain of nb and nn.

=== Breaking changes in 1.40 ===

* OutputPage::enableClientCache no longer accepts a parameter, nor does it return the current value. It simply sets the OutputPage::mEnableClientCache to true. Use OutputPage::disableClientCache to disable client side caching instead.
* ResourceLoader::makeMessageSetScript, unused since 1.26, has been removed without deprecation.
* Changes to skins:
  - The internal protected method Skin::getFooterLinks() was removed. It had no known usages. Different from SkinTemplate::getFooterLinks.
  - The internal public method Skin::getSiteFooterLinks() was removed. It had no known usages.
* The 'oojs-router' module has been removed without deprecation in favour of the 'mediawiki.router' wrapper module.
* BagOStuff::makeKeyInternal(), deprecated for public use in 1.36, is now a protected method of MediumSpecificBagOStuff.
* WANObjectCache::reap() and WANObjectCache::reapCheckKey(), deprecated since 1.39, have been removed.
* The EnqueueJob class, unused since 1.31, has been removed without deprecation.
* JobQueueGroup::singleton() and ::destroySingletons(), deprecated since 1.37, have been removed.
* JobRunner no longer supports manually calling the constructor; use MediaWikiServices::getInstance()->getJobRunner() instead.
* JobRunner::setLogger, deprecated since 1.35, has been removed.
* ContextSource::getStats, deprecated since 1.27, has been removed.
* The following public properties of Parser, deprecated in 1.35, have been made private: Parser::$mLinkId, Parser::$mIncludeSizes, Parser::$mDoubleUnderscore, Parser::$mShowToc, Parser::$mRevisionId, Parser::$mRevisionTimestamp, Parser::$mRevisionUser, Parser::$mRevisionSize, Parser::$mInputSize, Parser::$mInParse, Parser::$mFirstCall, Parser::$mGeneratedPPNodeCount
* The MWGrants class, deprecated since 1.38, has been removed.
* PageProps::getInstance(), deprecated since 1.38, has been removed.
* Global functions wfReadOnly and wfReadOnlyReason, deprecated since 1.38, have been removed.
* Global function wfQueriesMustScale, deprecated since 1.39, has been removed.
* Global function wfLogProfilingData, deprecated since 1.38, has been removed.
* The HTMLCacheUpdate class, deprecated since 1.34, has been removed.
* Linker::normaliseSpecialPage(), deprecated since 1.35, has been removed.
* MWTimestamp::getHumanTimestamp(), deprecated since 1.26, has been removed.
* Collation::singleton() and ::factory(), deprecated since 1.37, have been removed.
* SpecialVersion::listToText() and SpecialVersion::arrayToString() have become private or internal without deprecation.
* The 'ParserTestFiles' key in the schema for extension.json has been removed. This was deprecated in 1.30 and the corresponding $wgParserTestFiles configuration variable has also been removed in this release.
  Extensions can put parser test files in their `tests/parser` directory to have them automatically run.
* DBLockManager, MySqlLockManager, and PostgreSqlLockManager have been removed without deprecation.
* MediaWikiTestCaseTrait::checkPHPExtension() has been removed without deprecation. Use PHPUnit @requires annotations instead.
* EditPage::getCopywarn(), deprecated since 1.38, has been removed.
* EditPage::getCopyrightWarning() now requires a MessageLocalizer parameter. Use of other parameter types or omitting it was deprecated since 1.38.
* Action constructor now requires Article and IContextSource parameters. Use of other parameter types or omitting them was deprecated since 1.35.
* Article::viewRedirect(), deprecated since 1.30, has been removed.
* Title::getNotificationTimestamp(), deprecated since 1.35, has been removed.
* WikiRevision::$fileIsTemp property, deprecated since 1.29, has been removed.
* Use of CommentStore::insertWithTempTable() with 'img_description' is no longer supported; it was deprecated since 1.32. Use CommentStore::insert() instead.
* Return values in the parameter $pageLang of the PageContentLanguage hook with other types than a Language object, deprecated since 1.33 & emitting warnings since 1.38, now throw an exception.
* FormatMetadata::flattenArrayContentLang(), deprecated since 1.36, has been removed.
* WikiRevision::downloadSource() and ::importUpload(), deprecated since 1.31, have been removed.
* DataUpdate::runUpdates(), deprecated since 1.28, has been removed.
* CdnCacheUpdate::newFromTitles(), deprecated since 1.35, has been removed.
* HtmlFileCacheUpdate::newFromTitles(), deprecated since 1.37, has been removed.
* BaseTemplate::renderAfterPortlet() and ::getAfterPortlet() have been removed. Use the corresponding methods in Skin class.
* DifferenceEngine::textDiff(), deprecated since 1.32, has been removed.
* Skin::getSearchPageTitle() and Skin::setSearchPageTitle(), deprecated since 1.38, have been removed.
* DifferenceEngine::getDiffBodyCacheKey(), deprecated since 1.31, has been removed.
* ForeignDBViaLBRepo::getMasterDB(), LocalRepo::getMasterDB(), and JobQueueDB::getMasterDB(), deprecated since 1.37, have been removed.
* Clarified that the InitializeArticleMaybeRedirect hook should not change its $article parameter; the behavior when doing so was previously undocumented.
* IDatabase::ping()'s $rtt parameter was removed without deprecation.
* IDatabase::setBigSelects(), unused, was removed without deprecation.
* IDatabase::attributesFromType(), unused, was removed without deprecation.
* IMaintainableDatabase::deadlockLoop() was removed without deprecation.
* DatabasePostgres::remappedTableName(), deprecated since 1.37, has been removed.
* ILBFactory::getChronologyProtectorClientId and ::commitAll, unused, were removed without deprecation.
* LoadBalancer::haveIndex() and ::isNonZeroLoad(), deprecated in 1.34, have been removed.
* LoadBalancer::getLazyConnectionRef(), deprecated in 1.38, has been removed.
* ILBFactory::forEachLB(), deprecated in 1.39, has been removed.
* LoadBalancer::getTransactionRoundStage and ::commitAll, unused, were removed without deprecation.
* ILoadBalancer::getLaggedReplicaMode, unused, was removed without deprecation. Use ILBFactory::laggedReplicaUsed() instead.
* Optional parameters of ILoadBalancer::waitForPrimaryPos(), $pos and $timeout, have been removed without deprecation as they are unused.
* LoadMonitorMysql was removed without deprecation. Use LoadMonitor instead.
* IDatabase::selectDB(), deprecated since 1.32, has been removed. Use IDatabase::selectDomain() instead.
* The following deprecated hooks have been removed:
  - BaseTemplateAfterPortlet, deprecated in 1.35
  - BeforeParserFetchTemplateAndtitle, deprecated in 1.36
  - BeforeParserrenderImageGallery, deprecated in 1.35
  - InternalParseBeforeSanitize, deprecated in 1.35
  - LinksUpdateConstructed, deprecated in 1.38
  - LinksUpdateAfterInsert, deprecated in 1.38
  - ParserSectionCreate, deprecated in 1.35
  - ResourceLoaderTestModules, deprecated in 1.33
  - SpecialMuteSubmit, deprecated in 1.35
  - UserLoadFromDatabase, deprecated in 1.37
  - UserSetCookies, deprecated in 1.27
* RemexDriver::__construct() now only accepts a ServiceOptions instance as the only argument. Passing an array was deprecated since 1.36.
* TidyDriverBase::supportsValidate(), deprecated since 1.36, has been removed.
* RevDelList::reloadFromMaster(), deprecated since 1.37, has been removed.
* ExternalStoreDB::getMaster(), deprecated since 1.37, has been removed.
* DeletePage::deletionWasScheduled(), deprecated since 1.38, has been removed.
* The SearchResultProvideThumbnailHook, which was unstable and is now no longer used, has been removed. Use SearchResultProvideThumbnailHook in the search namespace: MediaWiki\Search\Hook\SearchResultProvideThumbnailHook.
* Command::cgroup(), deprecated since 1.36, has been removed.
* When running tests, the serialize_precision INI setting is now set to -1 (current PHP default) instead of 17. Extension tests may need to be adjusted accordingly; string representations of floating-point numbers in serialized or JSON-encoded data may change.
* WikiRevision::$sha1base36 is now private.
* IcuCollation::getUnicodeVersionForICU() was removed without deprecation.
* LinkFilter::supportsIDN() was removed without deprecation.
* The ability to pass null for the errorData parameter of HttpException and LocalizedHttpException was removed without deprecation.
* ApiQueryExtLinksUsage::getProtocolPrefix() and ::prepareProtocols() have been moved to LinkFilter with the same name.
* .box-sizing() Less mixin, deprecated since 1.37, has been removed. Use CSS box-sizing now.
* MimeAnalyzer::getIEMimeTypes() and IEContentAnalyzer were removed.
* Language::commafy and mw.language.commafy, deprecated since 1.36, have been removed.
* BagOStuff::decr(), deprecated since 1.28, has been removed.
* BagOStuff::incr(), deprecated since 1.28, has been removed.

=== Deprecations in 1.40 ===

* Changes to skins:
  - The public Skin::footerLink is deprecated. Use SkinComponentMenuLink::getTemplateData instead. It now emits deprecation warnings.
  - The protected Skin::lastModified is deprecated, and marked for @internal use and now emits deprecation warnings.
* Manipulating $wgHooks after initialization is deprecated. HookContainer::register() or HookContainer::scopedRegister() should be used instead. During initialization, SettingsBuilder::registerHookHandlers can be used. For backwards compatibility, $wgHooks is replaced by a fake array that calls methods on HookContainer. $wgHooks can still be used as a configuration variable, only dynamic manipulation is deprecated.
* ParserOptions::{get,set}ExternalLinkTarget() and ParserOptions::{get,set}MaxTemplateDepth() have been deprecated and marked for @internal use only.
* ParserOutput::getCategories() has been deprecated; use ::getCategoryNames() and ::getCategorySortKey() instead.
* ParserOutput::{get,set}TOCHTML() has been deprecated; use ::{get,set}TOCData() instead.
* TransactionProfiler::setSilenced() is deprecated. Use TransactionProfiler::silenceForScope() instead.
* The following methods in the Title class, deprecated since 1.37, emit deprecation warnings:
  - ::areCascadeProtectionSourcesLoaded()
  - ::areRestrictionsCascading()
  - ::areRestrictionsLoaded()
  - ::getAllRestrictions()
  - ::getCascadeProtectionSources()
  - ::getFilteredRestrictionTypes()
  - ::getRestrictionExpiry()
  - ::getRestrictionTypes()
  - ::getRestrictions()
  - ::isCascadeProtected()
  - ::isProtected()
  - ::isSemiProtected()
  - ::loadRestrictionsFromRows()
* The class Pbkdf2Password was renamed to Pbkdf2PasswordUsingHashExtension, and the old name is now deprecated.
* WikiPage::factory(), ::newFromID() and ::newFromRow, deprecated in 1.36, now emit deprecation warnings.
* Manually constructing a LinkBatch object, deprecated in 1.35, now emits deprecation warnings. Use LinkBatchFactory instead.
* Calling MediaWikiSite::getFileUrl() without a $path argument is deprecated. If you need the "generic" full file path, with $1 not replaced by anything, call $site->getPath( MediaWikiSite::PATH_FILE ) directly.
* In SessionConsistentConnectionManager, the methods getReadConnectionRef() and getWriteConnectionRef() are deprecated; the ConnectionManager methods they override had been deprecated already.
* Database::wasErrorReissuable() is deprecated.
* MimeAnalyzer::isPHPImageType was not used and will now emit deprecation warnings.
* GenericArrayObject, originally developed for Wikibase and SiteList, has been deprecated. Use built-in ArrayObject directly instead.
* Parser::getFunctionLang() has been deprecated; use Parser::getTargetLanguage() instead.
* MagicWordArray::getVariableRegex(), deprecated in 1.36, now emits deprecation warnings.
* AbstractBlock::getId() now emits deprecation warnings in case of cross-wiki access. This use was deprecated in 1.38.
* CommentStore::getStore, deprecated in 1.31, now emits deprecation warnings.
* BacklinkCache::get(), ::getLinks() and ::getCascadeProtectedLinks(), deprecated in 1.37, now emit deprecation warnings.
* LanguageConverterFactory::isTitleConversionDisabled(), deprecated in 1.36, now emits deprecation warnings.
* Language::getFileName(), ::getMessagesFileName() and ::getJsonMessagesFileName(), deprecated in 1.34, now emit deprecation warnings.
* Language::getLocalisationCache(), deprecated in 1.34, also Language::getMessagesFor(), ::getMessageFor() and ::getMessageKeysFor(), deprecated in 1.35, now emit deprecation warnings.
* User::incEditCount(), deprecated in 1.37, now emits deprecation warnings.
* User::idFromName(), deprecated in 1.37, now emits deprecation warnings.
* The ability to override and use User::$mRights, deprecated in 1.34, now emits deprecation warnings.
* IndexPager::getHookContainer is deprecated and emits deprecation warnings. Inject a HookContainer instead.
* User::getGroupPermissions(), ::getGroupsWithPermission() and ::groupHasPermission(), deprecated in 1.34, now emit deprecation warnings.
* PermissionManager::getGroupPermissions(), ::getGroupsWithPermission() and ::groupHasPermission(), deprecated in 1.36, now emit deprecation warnings.
* Global function wfShowingResults is deprecated and emits deprecation warnings.
* UserGroupMembership::getGroupMemberName is deprecated; the deprecation of UserGroupMembership::getGroupName in 1.38 missed a release note. Use Language::getGroupMemberName or ::getGroupName instead.
* AbstractBlock::getPermissionsError(), deprecated in 1.35, now emits deprecation warnings.
* SearchEngine::getNearMatcher() and ::getDefaultMatcher() have been deprecated in favor of MediaWikiServices::getInstance()->getTitleMatcher().
* SearchNearMatcher class has been deprecated in 1.40 in favor of TitleMatcher.
* The following functions are deprecated: User::isBlockedGlobally and User::getGlobalBlock. Use User::getBlock instead.
* The UserIsBlockedGlobally hook is deprecated. Use GetUserBlock hook instead.
* The SystemBlock type global-block is deprecated.
  GlobalBlocks are now added into CompositeBlocks via the GetUserBlock hook.
* Language::isWellFormedLanguageTag(), deprecated in 1.39, now emits deprecation notices. Please use LanguageCode::isWellFormedLanguageTag() instead.
* Language::fetchLanguageNames() and ::fetchLanguageName(), deprecated in 1.34, now emit deprecation warnings.
* Language::getFallbackFor(), ::getFallbacksIncludingSiteLanguage() and ::getFallbacksFor(), deprecated in 1.35, now emit deprecation warnings.
* Language::isSupportedLanguage(), ::isValidCode(), ::isValidBuiltInCode() and ::isKnownLanguageTag(), deprecated in 1.34, now emit deprecation warnings.
* Language::getConverter(), ::autoConvert(), ::autoConvertToAllVariants(), ::convert(), ::convertNamespace(), ::convertHtml(), ::convertCategoryKey(), ::getVariants(), ::hasVariants(), ::hasVariant(), ::getDefaultVariant(), ::getURLVariant(), ::getExtraHashOptions(), ::getConvRuleTitle(), deprecated in 1.35, now emit deprecation warnings.
* Language::factory() and ::getParentLanguage(), deprecated in 1.35, now emit deprecation warnings.
* Executing maintenance scripts directly is deprecated. The maintenance/run.php entry point should be used instead.
* MWHttpRequest::factory, deprecated in 1.34, now emits deprecation warnings.
* Job::factory is deprecated; use JobFactory::newJob instead.
* Http::request(), ::get(), ::post(), ::userAgent() and ::isValidURI(), deprecated in 1.34, now emit deprecation warnings.
* Title.js's confusingly-named getName() and getNameText() methods, for using media files' pages, have been renamed to getFileNameWithoutExtension() and getFileNameTextWithoutExtension() respectively. The old names are deprecated.
* Command::whitelistPaths() should now emit deprecation warnings. Make use of Command::allowPaths/disallowPaths() instead.
* When manually creating an HTMLFormField (i.e. not via HTMLForm::factory), it is deprecated to not include the "parent" field as one of the parameters.
* The MWException class is deprecated.
Use native exceptions, either directly or as base classes. * SelectQueryBuilder::lockForUpdate() is deprecated. Use ::forUpdate() with ::fetchRowCount() or ::acquireRowLocks() instead. * ArticleUndelete hook is deprecated. Use PageUndeleteComplete hook instead. * The global function wfReportTime() is now deprecated. * PrevNextNavigationRenderer, deprecated in 1.39, now emits deprecation warnings. * PagerNavigationBuilder::setMakeLinkCallback(), deprecated in 1.39, now emits deprecation warnings. * IndexPager::getPagingLinks(), IndexPager::getLimitLinks() and IndexPager::buildPrevNextNavigation(), deprecated in 1.39, now emit deprecation warnings. * Overriding the method IndexPager::makeLink(), deprecated in 1.39, now emits deprecation warnings. * The following class names were namespaced (and, for the special pages, also renamed), and the old class names are now deprecated: - MostimagesPage -> MediaWiki\Specials\SpecialMostImages - MovePageForm -> MediaWiki\Specials\SpecialMovePage - UserrightsPage -> MediaWiki\Specials\SpecialUserRights - WantedFilesPage -> MediaWiki\Specials\SpecialWantedFiles - WantedPagesPage -> MediaWiki\Specials\SpecialWantedPages - DerivativeRequest -> MediaWiki\Request\DerivativeRequest - FauxRequest -> MediaWiki\Request\FauxRequest - FauxRequestUpload -> MediaWiki\Request\FauxRequestUpload - PathRouter -> MediaWiki\Request\PathRouter - WebRequestUpload -> MediaWiki\Request\WebRequestUpload - HeaderCallback -> MediaWiki\Request\HeaderCallback - FauxResponse -> MediaWiki\Request\FauxResponse - WebResponse -> MediaWiki\Request\WebResponse - ForeignResourceManager -> MediaWiki\ResourceLoader\ForeignResourceManager - DummyLinker -> MediaWiki\Linker\DummyLinker - Linker -> MediaWiki\Linker\Linker - PageProps -> MediaWiki\Page\PageProps - MagicWord -> MediaWiki\Parser\MagicWord - MagicWordArray -> MediaWiki\Parser\MagicWordArray - MagicWordFactory -> MediaWiki\Parser\MagicWordFactory - RawMessage -> MediaWiki\Language\RawMessage - ActorMigration 
-> MediaWiki\User\ActorMigration - ActorMigrationBase -> MediaWiki\User\ActorMigrationBase - CategoriesRdf -> MediaWiki\Category\CategoriesRdf - Category -> MediaWiki\Category\Category - CategoryViewer -> MediaWiki\Category\CategoryViewer - TrackingCategories -> MediaWiki\Category\TrackingCategories - EditPage -> MediaWiki\EditPage\EditPage - TemplatesOnThisPageFormatter -> MediaWiki\EditPage\TemplatesOnThisPageFormatter - ContentSecurityPolicy -> MediaWiki\Request\ContentSecurityPolicy - FormOptions -> MediaWiki\Html\FormOptions - Html -> MediaWiki\Html\Html - HtmlHelper -> MediaWiki\Html\HtmlHelper - TemplateParser -> MediaWiki\Html\TemplateParser - FormOptions -> MediaWiki\Html\FormOptions - WikiMap -> MediaWiki\WikiMap\WikiMap - WikiReference -> MediaWiki\WikiMap\WikiReference - MediaWiki\BadFileLookup -> MediaWiki\Page\File\BadFileLookup - FileDeleteForm -> MediaWiki\Page\File\FileDeleteForm - MergeHistory -> MediaWiki\Page\MergeHistory - MovePage -> MediaWiki\Page\MovePage - ProtectionForm -> MediaWiki\Page\ProtectionForm - LinkFilter -> MediaWiki\ExternalLinks\LinkFilter - TitleArray -> MediaWiki\Title\TitleArray - TitleArrayFromResult -> MediaWiki\Title\TitleArrayFromResult - TitleFactory -> MediaWiki\Title\TitleFactory - Title -> MediaWiki\Title\Title - ForkController -> MediaWiki\Maintenance\ForkController - OrderedStreamingForkController -> MediaWiki\Maintenance\OrderedStreamingForkController - AtomFeed -> MediaWiki\Feed\AtomFeed - ChannelFeed -> MediaWiki\Feed\ChannelFeed - FeedItem -> MediaWiki\Feed\FeedItem - FeedUtils -> MediaWiki\Feed\FeedUtils - RSSFeed -> MediaWiki\Feed\RSSFeed - DeprecatedGlobal -> MediaWiki\StubObject\DeprecatedGlobal - StubGlobalUser -> MediaWiki\StubObject\StubGlobalUser - StubObject -> MediaWiki\StubObject\StubObject - StubUserLang -> MediaWiki\StubObject\StubUserLang * ContentHandler::getParserOutputForIndexing() and ::getDataForSearchIndex() now take an optional RevisionRecord parameter. 
* The SearchDataForIndex hook is deprecated in favor of SearchDataForIndex2.
* IDatabase::lastQuery and IReadableDatabase::lastQuery are deprecated without replacement.

=== Other changes in 1.40 ===

* Calling RecentChange::doMarkPatrolled() with $auto = true has no effect and logs a warning. Since 1.31, it would mark the change as manually patrolled, but would not log it as such in patrol log and would still require 'autopatrol' right (not 'patrol'). Generally, whether a change should become autopatrolled, is usually determined before it's inserted in the database.
* In versions of MediaWiki before 1.39, the table of contents location was marked internally with ...; in version 1.39 this was changed to an empty tag . In 1.40 this has been changed a final time to use an empty tag for future Parsoid compatibility (see Parser::TOC_PLACEHOLDER). This may affect you if stale content is left in the ParserCache or if your skin did manual ToC replacement without using the recommended Parser::replaceTableOfContentsMarker() function.
* Skins can now choose which Codex theme should be loaded by setting the SkinCodexThemes attribute in their skin.json file.
* The parser test framework has been updated, and the 'pst', 'ill', 'cat' and 'showflags' options have slight differences in their output. These options are not much used outside core, but third parties may need to update parser tests.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.

== Compatibility ==

MediaWiki 1.40 requires PHP 7.4.3 or later and the following PHP extensions:

* ctype
* dom
* fileinfo
* iconv
* intl
* json
* mbstring
* xml

MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can be used instead, but support for them is somewhat less mature. The supported versions are:

* MariaDB 10.3 or higher
* MySQL 5.7.0 or higher
* PostgreSQL 10 or later
* SQLite 3.8.0 or later

== Online documentation ==

Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.libera.chat.

= MediaWiki 1.39 =

PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/

== MediaWiki 1.39.5 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.4 ===

* Localisation updates.
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T317255) VueComponentParser: Use Zest's getElementsByTagName() rather than PHP's.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writing about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T274041) Include core PSR-4 classes in the generated classmap.
* (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
* HTMLForm: Fix E_NOTICE when hide-if is used with setFormIdentifier.
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
* (T265734) API Help: Note that parameters may be inherited from other context.
* API: Make continue parameter help description more specific.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
* (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T326696) user: Truncate option value in UserOptionsManager.
* (T326696) ApiOptions: Give warning if the value is too long.
* API i18n: Add {{PLURAL:}} for byte count messages.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* updateSpecialPages.php: Avoid implicit float conversion on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-45359) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-45361) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

== MediaWiki 1.39.4 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.3 ===

* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5).
* (T333776) {{ACTIVEUSERS}} wasn't being updated without updateSpecialPages.php.
* (T258860) Prevent LogicCache exception from message cache during IO errors from memcache.
* (T336868) Improve idempotency of postgres index upgrades.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* A fake MessageLocalizer for use in unit tests.
* (T338114) Title: Add forward alias.
* composer: Add symfony/polyfill-php81 like symfony/polyfill-php80.
* (T330464) Work around argument corruption bug in XMLReader::open.
* Fix frame and frameless rdfa depending on file existing.
* Fixes for the phan upgrade, part 1.
* Fixes for the phan upgrade, part 2.
* (T298571) build: Update mediawiki/mediawiki-phan-config to 0.12.0.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

== MediaWiki 1.39.3 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.2 ===

* Localisation updates.
* (T328477) LinksUpdate: Use DB key for category links table.
* GlobalFunctions: Remove check for MEDIAWIKI constant.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330382) postgres: Make the upgrade ignore dropping indexes that might not exist.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects.
* (T291753) rdbms: escape backslashes in makeConnectionString for PostgreSQL.
* (T325529) Fix total breakage of wgCanonicalServer fallback.
* (T318103) mediawiki.storage: Disable async GC during integration test.
* (T332461, T332397) TempFSFile: Keep the WeakMap alive.
* (T332902) page: fix InvalidArgumentException in SQLPlatform::makeList.
* (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers.

== MediaWiki 1.39.2 ==

This is a maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.1 ===

* Localisation updates.
* (T325872) ChangeTags: Remove table name from condition.
* (T324895) MWCallbackStream: Add explicit $stream property.
* (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField.
* (T321319) Produce HTML for invalid JSON.
* (T215466, T326071) MigrateActors: Write to revision table (Follow-up 24115a8).
* (T223027) ReservedUsernames config: Add reserved names from maintenance scripts.
* (T325000, T324896, T307631) Updated OOUI from v0.44.3 to v0.44.5.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
* DatabaseSqlite: fix null blobs.
* rdbms: avoid pg_escape_bytea() call-style deprecation notices.
* (T322278) Improve LocalisationCache post-merge validation check.
* (T324408, T326367) Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* (T322278) Fix the remaining Phan failures on PHP 8.1.
* (T322278, T326367) Respond to some messages from Phan on PHP 8.1.
* Fix phan error when Excimer is enabled.
* (T326021) Add matrix: to $wgUrlProtocols.
* (T314099) stream wrapper: Declare $context class property.
* (T314099) libs\jsminplus: Declare JSNode::$expression.
* (T314096) composer.json: Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
* (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
* (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
* (T215466, T326071) installer: Split drop action out of the SQL patch for actor migration.
* (T322603) SqliteMaintenance.php: Fix fatally broken instanceof check.
* (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string getNativeData().
* (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being released.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
* (T327821) skin: Restore default 'value' attribute in makeSearchButton().
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T329415) Clear the statsd data buffer regardless of StatsdServer config.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
* (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if no path.
* (T324894) TempFSFile: Use a WeakMap for reference tracking if available.
* (T295637) Add no to fallback chain of nb and nn.

== MediaWiki 1.39.1 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.0 ===

* Localisation updates.
* PostgresUpdater: Remove trailing space from 'user_id ' column.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324516) postgres: Fix upgrade for templatelinks primary key.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
* (T314099) OutputPage: Remove unused dynamic property ParserOptions->isBogus.
* (T314099) api: Remove use of undeclared property in action=comparepages.
* Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
* (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
* Updated pear/mail (v1.4.1 => v1.5.0).
* Removed wikimedia/dodo (v0.4.0).
* (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters.
* (T322637) SECURITY: sqlite should not create DB file world-readable.

== MediaWiki 1.39.0 ==

=== Changes since MediaWiki 1.39.0-rc.1 ===

* Localisation updates.
* exception: Tolerate no service container when trying DB rollback.
* (T320282) Upgrading wikimedia/xmp-reader (0.8.3 => 0.8.4).
* objectcache: Deprecate WANObjectCache::reap() and ::reapCheckKey().
* (T320864) When calling mail(), use an array for headers.
* Upgrading wikimedia/xmp-reader (0.8.4 => 0.8.5).
* (T321154) Call setFormIdentifier() on LogEventsList form.
* When importing revision with same timestamp as latest revision, treat it as the new latest.
* (T320726) RandomImageGenerator::getImageSpec: Don't pass a float to mt_rand(), for PHP 8.1.
* (T298485, T322360) WikiExporter: Avoid calling reload in processing every row.
* (T321551) pager: Fix null used for foreach in Pager::getNavigationBar.
* (T321551) pager: Remove unused AlphabeticPager::getOrderTypeMessages() support.
* pager: Remove unused PagerNavigationBuilder::setExtra().
* PagerNavigationBuilder: Document that nulls in setLinkQuery() etc. are allowed.
* (T322335) ApiQueryRevisionsBase: Fix 'rvdiffto' parameter handling on PHP 8.0.
* (T314096) TestFileEditor: Fix string interpolation.
* (T289926) api: Fix minor PHP 8.1 incompatibility in ApiOptions.
* (T322803) SpecialBotPasswords: Don't pass null to trim().
* (T289926) Fix incomplete ITextFormatter mocks.
* Language: Handle ronna and quetta.
* (T72510) rdbms: make SqlitePlatform::tableName() apply double quotes.
* (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0.
* .gitattributes: Ship docker-compose.yml to the tarball.

== MediaWiki 1.39.0-rc.1 ==

=== Changes since MediaWiki 1.39.0-rc.0 ===

* Localisation updates.
* (T318481) composer: Drop symfony/php73-polyfill.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T318307) HTMLFormField::validate(): Update docs to permit all data types
* (T306802) docker: update to latest published images.
* (T318754) WebInstallerOptions::addPersonalizationOptions(): Close fieldset.
* (T227047) Soft-deprecate the remainder of ActorMigration.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.
* (T319186) .phan/config.php: Update minimum_target_php_version.
* Tests: Explicit cast to int in RandomImageGenerator test (php8 warnings).
* (T319186) .phan/config.php: Update minimum_target_php_version.
* (T310243) Deprecate use of 'wvui-search' package.
* utils: Fix return doc about false/null for UrlUtils::expand.
* (T319000) WebInstaller: Don't try and run trim() on null.
* In the event of preg failure in MagicWordArray throw exception.
* (T318753) Installer: Disable logo dropper for now.

== MediaWiki 1.39.0-rc.0 ==

== Upgrading notes for 1.39 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.31.

Some specific notes for MediaWiki 1.39 upgrades are below:

* (T278139) Drop PHP 7.3 support in MediaWiki 1.39; require 7.4.3 or higher.

For notes on 1.38.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.39 ===

==== New configuration ====

* $wgAutoCreateTempUser – This configures automatic user creation on page save.
* $wgCopyUploadAllowOnWikiDomainConfig – This configures if administrators can use the MediaWiki:Copyupload-allowed-domains system message to define which domains can be used with the upload-by-url tool.
* $wgCdnMatchParameterOrder – This can be set to false if MediaWiki is behind a CDN that re-orders query parameters. This will make the code that matches request URLs to canonical CDN URLs insensitive to parameter order.
* $wgMultiShardSiteStats – This allows you to split site_stats across multiple rows. Only useful for very large, heavily edited wikis. (T306589)
* $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.

==== Changed configuration ====

* $wgInvalidUsernameCharacters – This setting now contains the char '>', which is now the reserved delimiter for external user names.
* $wgLocalFileRepo – The default serialization method for file meta-data has been changed to JSON. You can revert it to PHP by setting the property 'useJsonMetadata' to false.
* $wgLBFactoryConf – The 'configCallback' flag can now be set to a callback function that returns an array with keys to update in $wgLBFactoryConf. This can be used to update the database configuration on the fly, e.g. to take replica hosts out of rotation.
* $wgDBservers and $wgLBFactoryConf – The DBO_SSL flag has been deprecated in favour of a boolean "ssl" parameter.
* $wgObjectCaches – The 'globalKeyLB' and 'localKeyLB' flags are no longer supported.

==== Removed configuration ====

* $wgMultiContentRevisionSchemaMigrationStage - This transition flag, deprecated since MediaWiki 1.35, has been removed; the data migration is over.
* $wgActorTableSchemaMigrationStage - This transition flag has been removed; the data migration is over.
* $wgWikiFarmSiteDetector – This experimental setting has been removed without replacement. Use the MW_WIKI_NAME environment variable to specify the name of the site for which to load configuration. Using the WIKI_NAME environment variable for this purpose is deprecated.
* $wgParserCacheUseJson - The ParserCache now always uses JSON serialization. Reading old non-JSON cache entries is still supported. The setting had been deprecated since 1.36.
* $wgAllowJavaUploads - To allow uploads of JAR files, remove application/java from $wgMimeTypeExclusions.
* $wgMaxRedirects – This broken feature was removed, as it never worked as intended (T296430).
* $wgElementTiming – This experimental, default-disabled feature has been removed without replacement.
* $wgPriorityHints and $wgPriorityHintsRatio – The related experimental feature has been removed without replacement.
* $wgIncludeLegacyJavaScript – This flag has been removed, without loss of any functionality in this release. Most former "wikibits" functions were removed after deprecation in previous releases. The remaining functions, such as importScript, are now available unconditionally.
* $wgLegacySchemaConversion - This unused setting has been removed.
* $wgInterwikiPrefixDisplayTypes - This unused setting has been removed.
* $wgMangleFlashPolicy – This is no longer functional, and is now deprecated. Users who are somehow still using Flash as a browser extension will be exposed to CSRF vulnerabilities.

=== New user-facing features in 1.39 ===

* Optional automatic user creation on page save ($wgAutoCreateTempUser)
* Administrators now have the option to delete/undelete the associated "Talk" page when they are (un)deleting a given page. `deletetalk` and `undeletetalk` options were added to the 'delete' and 'undelete' action APIs in MW 1.38.
* `{{=}}` is now a wikitext built-in magic word, expanding to `=`. This is conventionally used as an escape mechanism to allow the use of `=` in unnamed template arguments. Defining [[Template:=]] to expand to something other than `=` has been deprecated since 1.36, with affected pages put into a special tracking category for migration.
* (T284020) Bot passwords are now supported when using the REST API.

=== New developer features in 1.39 ===

* Added optional $size param to SearchResultProvideThumbnail hook.
* SearchResultProvideThumbnail hook interface moved from MediaWiki\Rest\Hook namespace to MediaWiki\Search\Hook.
* JsonValidateSaveHook has been added to allow extensions to set additional pre-save validations for specific JSON pages (T313254).
* Added 'PermissionErrorAudit' hook, enabling extensions to audit permission errors on specific actions. For instance, failed account registration attempts due to a block (T306018).

=== External library changes in 1.39 ===

==== New external libraries ====

* Added Codex v0.1.1. This replaces the now deprecated wvui library.
* Added symfony/polyfill-php81.

===== New development-only external libraries =====

* Updated QUnit from 2.18.0 to 2.18.2.

==== Changed external libraries ====

* Updated jQuery from v3.6.0 to v3.6.1.
* Updated OOUI from v0.43.2 to v0.44.5.
* Updated composer/semver from 3.2.6 to 3.3.2.
* Updated cssjanus/cssjanus from v2.1.0 to v2.1.1.
* Updated pear/mail from v1.4.1 to v1.5.1.
* Updated symfony/polyfill-php73 from 1.25.0 to 1.26.0.
* Updated symfony/polyfill-php80 from 1.25.0 to 1.26.0.
* Updated symfony/yaml from 5.4.3 to 5.4.10.
* Updated vue/compat from 3.2.23 to 3.2.37.
* Updated wikimedia/base-convert from 2.0.1 to 2.0.2.
* Updated wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated wikimedia/ip-set from 3.0.0 to 3.1.0.
* Updated wikimedia/minify from 2.2.6 to 2.3.0.
* Updated wikimedia/php-session-serializer from 2.0.0 to 2.0.1.
* Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* Updated wikimedia/running-stat from 1.2.1 to 2.1.0.
* Updated wikimedia/scoped-callback from 3.0.0 to 4.0.0.
* Updated wikimedia/services from 2.0.1 to 3.0.0.
* Updated wikimedia/timestamp from 3.0.0 to 4.0.0.
* Updated wikimedia/xmp-reader from 0.8.1 to 0.8.6.

===== Changed development-only external libraries =====

* Updated composer/spdx-licenses from 1.5.5 to 1.5.7.
* Updated doctrine/dbal for PHP < 7.3 from 2.13.6 to 2.13.9.
* Updated doctrine/dbal for PHP >= 7.3 from 3.1.5 to 3.4.2.
* Updated mediawiki/mediawiki-phan-config from 0.11.1 to 0.12.1.

==== Removed external libraries ====

* Removed wikimedia/dodo (v0.4.0).

=== Bug fixes in 1.39 ===

* (T314013) $wgExtraNamespaces no longer overrides canonical namespace names specified in extension.json files. While this setting can still be used to rename extension-defined namespaces, system administrators may need to run namespaceDupes.php after upgrading.

=== Action API changes in 1.39 ===

* New `undeletetalk` parameter on action=undelete that allows you to restore all revisions of the associated talk page.

=== Languages updated in 1.39 ===

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* Actual localization was added for several languages, which were already in Names.php and even used for a Wikipedia:
** (T313200) Added language support for Rundi (Kirundi, rn).
** (T310976) Added language support for Tumbuka (ChiTumbuka, tum).
** (T314270) Added language support for Kanuri (kr).
* (T313199) Added language support for Sylheti (syl).
* (T311975) Added language support for Ghanaian Pidgin (gpe).
* (T307080) Added language support for Okinawan (ryu).
* (T307887) Added language support for Mooré (mos).
* (T308813) Added language support for Nigerian Pidgin (pcm).
* (T309763) Added language support for Tai Nüa (tdd).
* (T310040) Added language support for Fante (fat).
* (T311034) Added language support for Campidanese Sardinian (sro).
* (T315406) Fix the autonym of the Iñupiaq language to "Iñupiatun".
* (T315677) Removed French fallback from the Fula language (ff).
* (T304920) In Swahili, the "Media" namespace is now "Media", as in English, and the "File" namespace is now "Faili". The old name of the "File" namespace was "Picha", and it's kept for backwards compatibility. If you manage a wiki in Swahili, and you use "Faili:" as a namespace anywhere in wikitext, and you mean to use it as "Media:", these need to be replaced with "Media:".
* (T309866) Some namespace translations were updated for Kyrgyz (ky). The old ones are retained as aliases for backwards compatibility.
* (T117845) Started the renaming of the language codes for Serbian from sr-ec and sr-el to sr-cyrl and sr-latn.
* (T295637) Add no to fallback chain of nb and nn.

=== Breaking changes in 1.39 ===

* Basic non-JavaScript (Grade C) support has been dropped for Internet Explorer 9-10, Firefox 27-38, and Android 4.3-4.4.
* The following methods, deprecated since 1.37, have been removed from IDatabase
  - ::fetchObject()
  - ::fetchRow()
  - ::numRows()
  - ::freeResult()
* Title::getDefaultNamespace(), deprecated since 1.37, has been removed.
* The DBPrimaryPos class alias 'DBMasterPos' has been removed.
* The global function wfGetLB(), deprecated since 1.27, has been removed.
* Passing a db to BlockRestrictionStore::loadByBlockId() is no longer supported. BlockRestrictionStoreFactory should be used to fetch a correct BlockRestrictionStore instead. This was deprecated since 1.38.
* The global function wfGetCache(), deprecated since 1.32, has been removed. You can use ObjectCache::getInstance() instead.
* The global function wfGetMainCache(), deprecated since 1.32, has been removed. You can use ObjectCache::getLocalClusterInstance() instead.
* MovePage::__construct() now requires that all parameters be passed. The fallback to MediaWikiServices emitted deprecation notices since 1.37.
* WikiPage::doEditContent(), deprecated since 1.32, was removed.
* WikiPage::prepareContentForEdit() now requires a UserIdentity parameter to be provided. Not providing one has been deprecated since 1.37.
* EventRelayerKafka, deprecated in 1.38, was removed.
* MediaWiki\Logger\Monolog\KafkaHandler, deprecated in 1.38, was removed.
* The "trace" option of SectionProfiler, deprecated in 1.38, was removed.
* The global function wfWikiID(), deprecated since 1.35, has been removed.
* Database::wasKnownStatementRollbackError() was removed. Subclasses should override isKnownStatementRollbackError() instead.
* Database::wasQueryTimeoutError() was removed. Subclasses should override isQueryTimeoutError() instead.
* Database::buildSuperlative() has been removed without deprecation.
* The following methods, deprecated in 1.37, have been removed:
  - Linker::setStubThreshold(), ::getStubThreshold().
  - LinkRendererFactory::createForUser().
  - ParserOptions::getStubThreshold(), ::setStubThreshold().
* Changes to ResourceLoader modules:
  - The mediawiki.viewport module, deprecated in 1.37 has been removed. Use IntersectionObserver instead.
* If you manage a wiki in Swahili, and you use "Faili:" as a namespace anywhere, and you mean to use it as "Media:", replace it with "Media:". See T304920.
* Changes to skins:
  - Skin::getCopyrightIcon(), ::getPoweredBy(), deprecated in 1.37 have been removed.
  - Skin::bottomScripts, deprecated in 1.37, now emits deprecation notices. Skins using SkinTemplate must set bodyOnly as a skin option and remove lines of code generating html, body and head elements.
  - Skin::makeSearchButton and Skin::makeSearchInput were deprecated in 1.38. Use SkinTemplate methods with the same name or Skin::getTemplateData instead.
  - Styles for the HTML classes `warningbox`, `errorbox` and `successbox` have been removed in favor of Html class methods.
  - The feature `legacy` used inside ResourceLoaderSkinModule, deprecated in 1.37, will no longer ship any styles.
  - Skin::getSkinStylePath, deprecated since 1.36, has been removed.
  - Skin::getPortletData has been made private.
  - SkinTemplate::getPersonalToolsList(), deprecated in 1.35 has been removed.
  - The following SkinTemplate template data, deprecated in 1.37, have been removed:
    - poweredbyico
    - copyrightico
  - The following hooks, deprecated in 1.37, have been removed:
    - SkinGetPoweredBy: SkinGetPoweredByHook
  - The following hooks are deprecated and replaced with SkinTemplateNavigation::Universal:
    - SkinTemplateNavigation::SpecialPage
    - SkinTemplateNavigation
    - PersonalUrls
  - The mediawiki.skinning.content.externallinks module, which was deprecated in 1.36 has been removed. Skins that still rely on it will lose the icon styling of external links by type.
* Experimental wiki farm support: Automatic detection of the requested site within a wiki farm based on the requested domain has been removed. Use the MW_WIKI_NAME environment variable to specify the name of the site to load configuration for. Using the WIKI_NAME environment variable for this purpose is deprecated. This is only relevant if you have been using $wgWikiFarmSettingsDirectory to load wiki farm config.
* MWExceptionHandler::installHandler was marked @internal and had required arguments added. This method is intended for use in bootstrap code and is unused in known extensions.
* MWException::useOutputPage was made private without deprecation. This method was apparently only public for testing and is unused in known extensions.
* Calling getId() on a User or UserIdentityValue from the wrong wiki, deprecated since 1.36, now throws an exception.
* The following methods have been removed from ExtensionRegistry without deprecation and without replacement. They had been introduced in 1.35 for use in the testing framework, and were not in use by any known extension:
  - exportAutoloadClassesAndNamespaces
  - exportTestAutoloadClassesAndNamespaces
* The MWNamespace class, deprecated since 1.34, has been removed. Use the NamespaceInfo service instead.
* The UnknownContent and UnknownContentHandler class aliases have been removed, use FallbackContent and FallbackContentHandler instead.
* IResultWrapper::next() now returns void, to match the Iterator interface that it implements. fetchObject() has the same behavior as next() used to. * In HTMLForm HTMLAutoCompleteSelectFields, the parameters 'autocomplete' and 'autocomplete-messages', which were deprecated in MediaWiki 1.29, were removed. Instead, use 'autocomplete-data' and 'autocomplete-data-messages'. * The global $wgParser, deprecated in 1.32, was removed. Use MediaWikiServices::getInstance()->getParser() instead. * ParserOutput::setText will now set the ParserOutput's text to null if given null. Previously it did nothing if given null. * The default value for the first argument to the ParserOutput constructor is now null instead of ''. * IDatabase::lockTables() and IDatabase::unlockTables(), deprecated since 1.38, have been removed. * The $context parameter to `new HTMLForm( … )` and `HTMLForm::factory( … )` is now required. * The class alias for revision related classes in namespace MediaWiki\Storage has been removed. Classes are IncompleteRevisionException, MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException, RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord, RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and SuppressedDataException. * Calling getBy() on an AbstractBlock from the wrong wiki, deprecated since 1.38, now throws an exception. * Passing a MediaWiki\Linker\LinkTarget to EditPage::makeTemplatesOnThisPageList or TemplatesOnThisPageFormatter::format is no longer supported, a MediaWiki\Page\PageIdentity is required. * The deprecated class alias FakeConverter has been removed, use TrivialLanguageConverter instead. * The deprecated ApiQueryContributions class alias has been removed, use ApiQueryUserContribs instead. * The deprecated MediaWiki\Special\SpecialPageFactory class alias has been removed, use MediaWiki\SpecialPage\SpecialPageFactory instead. 
* The following skin modules, deprecated in 1.37, have been removed: - mediawiki.skinning.elements - mediawiki.skinning.content - mediawiki.toc.styles - mediawiki.legacy.config - mediawiki.legacy.shared - mediawiki.legacy.commonPrint * FileModule::compileLessFile(), deprecated since 1.35, has been removed. Use ::compileLessString() instead. * LogFormatter::styleRestricedElement(), deprecated since 1.37, has been removed. Use ::styleRestrictedElement() instead. * Title::isNamespaceProtected(), deprecated in 1.34, has been removed. * ApiStashEdit::parseAndStash(), deprecated in 1.34, has been removed. * LinkCache::forUpdate(), deprecated in 1.34, has been removed. * Passing null instead of a NamespaceInfo instance to LinkCache::__construct() is not supported anymore. It is recommended to request an instance from the service container. * ApiQueryBase::showHiddenUsersAddBlockInfo(), deprecated in 1.34, has been removed. Use ApiQueryBlockInfoTrait instead. * ApiQueryBase::prefixedTitlePartToKey(), deprecated in 1.35, has been removed. Use ::parsePrefixedTitlePart() instead. * ExternalStoreDB::getSlave(), deprecated in 1.34, has been removed. Use ExternalStoreDB::getReplica() instead. * ChangesListSpecialPage::checkStructuredFilterUiEnabled() and SpecialWatchlist::checkStructuredFilterUiEnabled() now support UserIdentity as the only argument. Passing Config argument was deprecated in 1.34. * DatabaseUpdater::ifNoActorTable(), deprecated in 1.35, has been removed. Use ::ifTableNotExists() instead. * MediaWiki\Revision\RevisionStoreFactory::getRevisionStore was documented to allow passing bool true as a dbDomain, this is no longer possible, because that is an invalid value for a dbDomain. * LinkHolderArray::__construct() had its signature changed. The class was marked internal in 1.35. * SpecialMute::isTargetBlacklisted(), deprecated in 1.35, has been removed. Use ::isTargetMuted() instead. * WebRequest::checkUrlExtension(), deprecated in 1.35, has been removed. 
* ContentHandler::cleanupHandlersCache(), deprecated in 1.35, has been removed. * SpecialVersion::getExtAuthorsFileName, deprecated in 1.35, has been removed. Use MediaWiki\ExtensionInfo::getAuthorsFileName. * SpecialVersion::getExtLicenseFileName, deprecated in 1.35, has been removed. Use MediaWiki\ExtensionInfo::getLicenseFileNames. * CategoryPage::getCategoryViewerClass and ::setCategoryViewerClass, deprecated in 1.35, have been removed. * SqlBlobStore::getLegacyEncodingConversionLang(), deprecated in 1.34, has been removed. * wfCanIPUseHTTPS(), deprecated in 1.37, has been removed. * wfGetScriptUrl(), deprecated in 1.35, has been removed. * The following methods of Database class, are no longer stable to override: - ::implicitOrderby() - ::selectSQLText() - ::bitNot() - ::bitAnd() - ::bitOr() - ::buildConcat() - ::buildGreatest() - ::buildLeast() - ::buildSubstring() - ::buildStringCast() - ::buildIntegerCast() - ::tableName() - ::addIdentifierQuotes() - ::buildLike() - ::limitResult() - ::unionSupportsOrderAndLimit() - ::unionQueries() - ::conditional() - ::strreplace() - ::timestamp() - ::getInfinity() - ::setTableAliases() - ::setIndexAliases() - ::buildGroupConcatField() * SpecialUnblock::processUnblock(), deprecated in 1.36, has been removed. Use UnblockUser instead. * wfLocalFile() and wfFindFile(), deprecated in 1.34, have been removed. * Maintenance script resetUserTokens.php, deprecated in 1.27, has been removed. * These methods in Database have been removed without deprecation as they are not used outside core. 
Users should override corresponding methods in SQLPlatform instead: - Database::doInsert -> SQLPlatform::insertSqlText - Database::doDropTable -> SQLPlatform::dropTableSqlText - Database::doRollback -> SQLPlatform::rollbackSqlText - Database::doSavepoint -> SQLPlatform::savepointSqlText - Database::doReleaseSavepoint -> SQLPlatform::releaseSavepointSqlText - Database::doRollbackToSavepoint -> SQLPlatform::rollbackToSavepointSqlText * The following protected methods of Database class have been removed without deprecation as they are not used outside core. Users should call corresponding methods in SQLPlatform: - Database::makeInsertLists -> SQLPlatform::makeInsertLists - Database::isFlagInOptions -> SQLPlatform::isFlagInOptions - Database::normalizeOptions -> SQLPlatform::normalizeOptions - Database::fieldNameWithAlias -> SQLPlatform::fieldNameWithAlias - Database::isTransactableQuery -> SQLPlatform::isTransactableQuery * $wgCanonicalNamespaceNames no longer includes custom namespaces defined using $wgExtraNamespaces. Extensions should use the NamespaceInfo service instead of accessing this configuration setting directly. * The following hook, deprecated in 1.35, has been removed: - ParserGetVariableValueVarCache: ParserGetVariableValueVarCacheHook * The $variableCache parameter to the ParserGetVariableValueSwitch hook is no longer used; non-standard use of this parameter has been deprecated since 1.35. * These methods have been moved from IDatabase to IMaintainableDatabase: - IDatabase::fieldExists -> IMaintainableDatabase::fieldExists - IDatabase::indexExists -> IMaintainableDatabase::indexExists - IDatabase::tableExists -> IMaintainableDatabase::tableExists * DBConnRef doesn't accept live connection in constructor anymore. Only parameters for getting connection should be provided. * IDatabase::getTopologyRootPrimary() was removed. * User::blockedBy(), deprecated since 1.38, has been removed. * User::getBlockId(), deprecated since 1.38, has been removed. 
* AlphabeticPager::getOrderTypeMessages(), unused since 1.13, has been removed without deprecation. === Deprecations in 1.39 === * PageProps::getInstance(), deprecated since 1.38, emits deprecation warnings. * The global function wfGetDB() has been deprecated. Use LoadBalancer::getConnection() instead. * SpecialRedirectWithAction::__construct without SearchEngineFactory argument will now emit a deprecation notice. * Use of the SiteStatsUpdate constructor has been deprecated in favor of the ::factory() method. * AuthManager::checkAccountCreatePermissions has been deprecated. Use AuthManager::authorizeCreateAccount or AuthManager::probablyCanCreateAccount instead. * Title::getSelectFields() has been deprecated in favor of PageStore::newSelectQueryBuilder(). * Title::newFromTitleValue(), deprecated since 1.34, now emits deprecation warnings. Use ::newFromLinkTarget() instead. * ExtensionRegistry::readFromQueue() has been marked @internal. Extensions should use ExtensionProcessor instead. * Processor::getExtraAutoloaderPaths() and ExtensionProcessor::getExtraAutoloaderPaths() have been deprecated, use getExtractedAutoloadInfo() instead. * The following global functions are deprecated in favor of the listed UrlUtils methods. - wfExpandUrl -> UrlUtils::expand - wfGetServerUrl -> UrlUtils::getServer - wfAssembleUrl -> UrlUtils::assemble - wfRemoveDotSegments -> UrlUtils::removeDotSegments - wfUrlProtocols -> UrlUtils::validProtocols - wfUrlProtocolsWithoutProtRel -> UrlUtils::validAbsoluteProtocols - wfParseUrl -> UrlUtils::parse - wfExpandIRI -> UrlUtils::expandIRI - wfMatchesDomainList -> UrlUtils::matchesDomainList These methods are exact replacements except that 1) they return null instead of false or empty string on error (where applicable); 2) UrlUtils::validProtocols does not take a parameter (documentation said not to pass one to wfUrlProtocols anyway); 3) they use type hints (don't try passing null instead of string, etc.). 
* MaintainableDBConnRef is deprecated, use DBConnRef instead. * Loading DefaultSettings.php is deprecated. To get default values of main config settings, use MainConfigSchema::listDefaultValues() or MainConfigSchema::getDefaultValue(). * AbstractContent::getRedirectChain() and AbstractContent::getUltimateRedirectTarget() are now emitting deprecation warnings (T296430). * (T244138) QueryPage::getSQL() is deprecated. Instead QueryPage::getQueryInfo() should be overridden. * Calling new JobRunner() directly without $serviceOptions now emits deprecation warnings. Use MediaWikiServices::getInstance()->getJobRunner() instead. * Passing an array of targets to Article::getRedirectHeaderHtml() is deprecated. Supply a single redirect target instead (T296430). * The following Less mediawiki.mixins have been deprecated: - .animation() - .animation-delay() - .transform-rotate() * Skin::getAction is deprecated. Use IContextSource::getActionName instead. * User::getOption, deprecated since 1.35, now emits deprecation warnings. Use UserOptionsLookup::getOption instead. * ILBFactory::forEachLB() is deprecated. Use ::getAllLBs(). * LoadBalancer::forEachOpenConnection() and ::forEachOpenPrimaryConnection() are deprecated without replacement. * The following classes were moved from the root namespace to the MediaWiki\ResourceLoader namespace, the old names becoming deprecated aliases: ResourceLoader, MessageBlobStore, VueComponentParser. 
* The following classes had the "ResourceLoader" prefix stripped while being moved to the MediaWiki\ResourceLoader namespace, the old names becoming deprecated aliases: DerivativeResourceLoaderContext, ResourceLoaderCircularDependencyError, ResourceLoaderClientHtml, ResourceLoaderCodexModule, ResourceLoaderContext, ResourceLoaderFileModule, ResourceLoaderFilePath, ResourceLoaderForeignApiModule, ResourceLoaderImage, ResourceLoaderImageModule, ResourceLoaderLanguageDataModule, ResourceLoaderLessVarFileModule, ResourceLoaderModule, ResourceLoaderMwUrlModule, ResourceLoaderOOUIFileModule, ResourceLoaderOOUIIconPackModule, ResourceLoaderOOUIImageModule, ResourceLoaderOOUIModule, ResourceLoaderSiteModule, ResourceLoaderSiteStylesModule, ResourceLoaderSkinModule, ResourceLoaderStartUpModule, ResourceLoaderUserModule, ResourceLoaderUserOptionsModule, ResourceLoaderUserStylesModule, ResourceLoaderWikiModule. * WANObjectCache::reap() and WANObjectCache::reapCheckKey() have been deprecated without replacement. * The following methods in WikiRevision and their interfaces ImportableUploadRevision and ImportableOldRevision are deprecated: - ::getUserObj() → ::getUser() - ::setUserObj() → ::setUsername() - ::setUserIP() → ::setUsername() * ObjectCache::addBusyCallback() is deprecated and non-functional. * MWTimestamp::getHumanTimestamp(), deprecated in 1.26, now emits deprecation warnings. * Article::viewRedirect(), deprecated in 1.30, now emits deprecation warnings. * Parser::getFreshParser() is deprecated, use ParserFactory::getInstance(). * CoreParserFunctions::mwnamespace() is deprecated and emits deprecation warnings, use CoreParserFunctions::namespace() instead. * Registering magic variables whose names include a colon is deprecated. * User::blockedFor(), deprecated in 1.35, now emits deprecation warnings. 
* Access to previously public properties AbstractBlock::$mExpiry, AbstractBlock::$mHideName, AbstractBlock::$mTimestamp, DatabaseBlock::$mAuto, and DatabaseBlock::$mParentBlockId, deprecated in 1.34, now emits deprecation warnings. * Access to previously public properties User::$mBlock, User::$mBlockedby, and User::$mHideName, deprecated in 1.35, now emits deprecation warnings. * JobQueueGroup::singleton() and ::destroySingletons(), deprecated in 1.37, now emit deprecation warnings. * Title::getNotificationTimestamp(), deprecated in 1.35, now emits deprecation warnings. * Global functions wfReadOnly and wfReadOnlyReason, deprecated in 1.38, now emit deprecation warnings. * Overriding or calling DifferenceEngine::getDiffBodyCacheKey(), deprecated in 1.31, now emits deprecation warnings. * Access to previously public property WikiRevision::$fileIsTemp, deprecated in 1.29, now emits deprecation warnings. * wfQueriesMustScale() has been deprecated and emits deprecation warnings. * ContextSource::getStats(), RequestContext::getStats(), and DerivativeContext::getStats(), deprecated in 1.27, now emit deprecation warnings. * ManualLogEntry::setTags(), deprecated in 1.33, now emits deprecation warnings. * WikiRevision::downloadSource(), deprecated in 1.31, now emits deprecation warnings. * DifferenceEngine::textDiff(), deprecated in 1.32, now emits deprecation warnings. * FormatMetadata::flattenArrayContentLang(), deprecated in 1.36, now emits deprecation warnings. * SkinTemplate::getNameSpaceKey(), deprecated in 1.35, now emits deprecation warnings. * EnqueueJob::newFromJobsByWiki(), deprecated in 1.33, now emits deprecation warnings. 
* The following methods of the MWGrants class, all deprecated since 1.38, are now emitting deprecation warnings: - getValidGrants - getRightsByGrant - grantName - grantNames - getGrantRights - grantsAreValid - getGrantGroups - getHiddenGrants - getGrantsLink - getGrantsWikiText * DataUpdate::runUpdates(), deprecated in 1.28, now emits deprecation warnings. * CdnCacheUpdate::newFromTitles(), deprecated in 1.35, now emits deprecation warnings. * Instantiating HTMLCacheUpdate class, deprecated in 1.34, now emits deprecation warnings. * ISQLPlatform::tableNames() (implemented by IDatabase) is now deprecated. None of the tableName*() functions should be used by most users; if you absolutely must use raw SQL, write several tableName() calls instead. * Language::isWellFormedLanguageTag() has been deprecated in favor of LanguageCode::isWellFormedLanguageTag(). * The PrevNextNavigationRenderer helper class has been deprecated in favor of the new PagerNavigationBuilder one. * The methods IndexPager::getPagingLinks(), IndexPager::getLimitLinks() and IndexPager::buildPrevNextNavigation() have been deprecated in favor of IndexPager::getNavigationBuilder(). * Overriding the method IndexPager::makeLink() has been deprecated. * ActorMigration is deprecated. The temporary table is no longer needed, the actor table can be directly joined to the revision table, which is simple enough to not need a helper class. See the methods of ActorMigration for more specific information on replacements. ActorMigrationBase remains usable for migrations in extension tables. === Other changes in 1.39 === * Dynamic default values are now applied before extension registration callbacks are run. This way, extensions have a complete view of config variables, with all defaults applied. For example, when the default value of X used to be static but becomes dynamic, and an extension reads the value of X in the registration callback, it will now continue to function as expected. 
In some cases however, this may cause an undesired change in behavior: if the dynamic default of setting X depends on the value of setting Y, and an extension changes Y, the changed value of Y will no longer affect the value of X. == Compatibility == MediaWiki 1.39 requires PHP 7.4.3 or later and the following PHP extensions: * ctype * dom * fileinfo * iconv * intl * json * mbstring * xml MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can be used instead, but support for them is somewhat less mature. The supported versions are: * MariaDB 10.3 or higher * MySQL 5.7.0 or higher * PostgreSQL 10 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.38 = == MediaWiki 1.38.7 == This is a security and maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.6 === * Localisation updates. * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1. * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5). * (T322944) Add Authorization to default $wgAllowedCorsHeaders. * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter. 
* (T330464) Work around argument corruption bug in XMLReader::open. * (T313157) IndexPager: Also protect against $offset being 0. * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker. == MediaWiki 1.38.6 == This is a security and maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.5 === * Localisation updates. * (T325872) ChangeTags: Remove table name from condition. * (T324895) MWCallbackStream: Add explicit $stream property. * (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField. * Remove /images .htaccess rules that are no longer relevant. * Disable php in .htaccess of images directory as a hardening measure. * (T322583) Include missing message parameter in message. * Fix phan error when Excimer is enabled. * (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0 * (T326021) Add matrix: to $wgUrlProtocols. * (T326377) rdbms: Use DBConnRef in SelectQueryBuilder. * api/en.json: api-help-datatype-expiry add missing 'may'. * (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase. * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code. * (T289926) SpecialRevisionDelete: Set default of '' for wpReason. * (T155582, T328503) Fix XML dumps for content types with non-string getNativeData(). * (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses. * (T329198) ParamValidator: Improve paramvalidator-help-multi-max message. * (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag. * (T295637) Add no to fallback chain of nb and nn. * (T329484) API: Fix query+allimages user parameter description. * (T330529) SpecialEditTags: Set default of '' for wpReason. * (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects. * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers. == MediaWiki 1.38.5 == This is a security and maintenance release of the MediaWiki 1.38 branch. 
=== Changes since MediaWiki 1.38.4 === * Localisation updates. * Tests: Explicit cast to int in RandomImageGenerator test (php8 warnings). * (T319000) WebInstaller: Don't try and run trim() on null. * (T318753) Installer: Disable logo dropper for now. * (T320864) When calling mail(), use an array for headers. * (T311567) In ManualLogEntry, cast the comment to string. * (T289926) api: Fix minor PHP 8.1 incompatibility in ApiOptions. * (T322803) SpecialBotPasswords: Don't pass null to trim(). * (T323082) Upgrading wikimedia/xmp-reader (0.8.1 => 0.8.5). * Language: Handle ronna and quetta. * PostgresUpdater: Remove trailing space from 'user_id ' column. * (T304515) LCStoreStaticArray: atomically replace the cache file. * (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2. * (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters. * (T322637) SECURITY: sqlite should not create DB file world-readable. == MediaWiki 1.38.4 == This is a maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.3 === * Fix missing use statement from backport of fix for T307278. == MediaWiki 1.38.3 == This is a security and maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.2 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T311360) RecentChange: Straight join to actor table when needed. * (T311360) RecentChange: Make join to comment table also straight. 
* Remove messages in en-gb.json. * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null. * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid. * (T312302) SpecialRedirect: Don't pass null to explode. * RemoveInvalidEmails: Fix quoting for postgres. * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen(). * (T312300) SpecialDiff: Don't pass null to explode(). * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg. * (T289926) Handle null passed to wfShorthandToInteger() and Html::element(). * (T289926) Ensure that strlen() does not get passed a (valid) null. * (T312301) SpecialDiff: Don't pass null to trim(). * Hooks: Use more meaningful name for SkinAfterPortlet hook parameter. * (T289926) Ensure we don't pass null to mb_strlen. * (T312305, T311572, T311571, T311578) HTMLForm: Null coalescence in trim() calls. * (T289926) site: Consistently return null from Site::getDomain(). * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept(). * (T304559) Use page ID from parent revision, improve logging. * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1. * Add application/vnd.ms-opentype to MIME list. * Allow composer/installers plugin in composer.json. * (T313663) Make ReadOnlyModeTest work in php8. * (T313663) Make HandlerTestTrait compatible with php8.1. * (T313663) [php8] Make DeletePageTest stop giving warnings on php8.1. * Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1. * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests. * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1. * (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource. * Fix tests so getName() doesn't return null. * (T313663) [php8] Don't use strlen on potentially null string. 
* (T313663) [php8.1] Suppress test warning about providing null. * (T313663) [php8.1] mock User::getTitleKey() in DefaultPreferencesFactoryTest. * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp. * (T313663) Add explicit null check for $sha in FileBackend [php8.1]. * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1]. * (T313663) Mock UserOptionsManager::getOption for php8.1. * (T289879, T289926) Get rid of warnings on PHP 8.1. * (T313663) Check for null return of preg_replace in MediaWikiTitleCodec. * (T313663) cast db name to string when checking if it is read only [php8.1]. * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat]. * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1]. * (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1]. * (T314096) Migrate use of ${var}-style string interpolation. * (T314099) preprocessor: Add missing field declarations. * (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null. * (T313663) [php8.1] Mock out getLocalDomainID for WatchedItemStore tests. * (T313663) Suppress warnings for the null test of addIdentifierQuotes. * (T314225) SpecialCategories: Null coalescence $par. * (T314099) User: Allow dynamic properties on PHP 8.2. * (T314404) SpecialGoToInterwiki: Null coalescence $par. * (T314397) SpecialBlock: Better handle null in getTargetUserTitle. * (T314099) phpunit: Fix trivial dynamic property usages in tests. * (T314405) UploadStash: Check if us_prop is set in the fileMetadata. * (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1. * (T313663) Do not test giving a null fragment to Title::makeTitle. * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint. * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters. * (T313663) Cast results of Sqlite test to string [php 8.1]. 
* (T314208) Set $wgServer for HttpRequestFactoryTest to prevent warnings on php8.1. * (T314208, T297082) phpunit: Fallback to global default user options. * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1. * Fix a couple deprecation warnings in the installer under PHP 8.1. * api: Add rel=nofollow to help examples. * (T307613) Validate length of user email on Special:ChangeEmail/ Special:CreateAccount. * (T314226) LoginSignupSpecialPage: Check if $value is a string before length. * (T314824) tests: Update parser test after i18n change. * (T313663, T296083) context: Replace deprecated User::getOption. * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4. * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions. * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite. * (T315892) composer.json: Pin phpunit to 8.5.28. * (T313663) Do not compare byte-for-byte of serialized items in tests [php8.1]. * objectcache: avoid php 8.1 argument type warnings in genericKeyFromComponents(). * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change. * ManualLogEntry: Don't pass null to trim() as PHP 8.1 whines. * (T313663) Add a null check VueComponentParser to prevent php8.1 issues. * (T313049) Bump wikimedia/parsoid to v0.15.1. * (T318754) WebInstallerOptions::addPersonalizationOptions(): Close fieldset. * (T318460) SpecialChangeEmail: Set default for returntoquery. * (T318307) Update docs for HTMLFormField::validate() to permit all data types. * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions. * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users. * (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name. == MediaWiki 1.38.2 == This is a security and maintenance release of the MediaWiki 1.38 branch. 
=== Changes since MediaWiki 1.38.1 === * Localisation updates. * (T309426) Repair language selector for SVGs. * (T310013) Fix default value for $wgShowEXIF and $wgUsePathInfo. * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage(). * (T308473) SECURITY: Escape contributions-title msg for use within page title. * (T311272) Call parent constructor of AddSite maintenance script first. * MediaWiki: Don't eagerly initialize action name. * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.4.1 to 7.4.5. * (T289926) Avoid passing null to trim() in SkinTemplate. * (T289879) Address deprecations for PHP 8.1. * (T311473) rollbackEdits: Pass user identity to RollbackPage. * Upgrade wikimedia/remex-html from 3.0.1 to 3.0.2. * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null. * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode(). * (T311569) FileBackend::isStoragePath() Handle being passed null. * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param. * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower(). * (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null. * Upgrade wikimedia/common-passwords from 0.3.0 to 0.4.0. == MediaWiki 1.38.1 == This is a maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.0 === * (T309860) Add justinrainbow/json-schema to vendor. * (T309933) Drop PHP 7.2 support in MediaWiki 1.38; require 7.3.19. == MediaWiki 1.38.0 == === Changes since MediaWiki 1.38.0-rc.1 === * Localisation updates. * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered. * (T305779) phpunit: Support setting skin context in BundleSizeTest subclasses. * (T309028) SECURITY: ApiEditPage: update title after redirects. * (T308967) notifications: prevent log spam when invalid user object listed. * composer: Lock Parsoid version to specific 0.15.0 release. 
* (T306362, T308680) change-your-logo.svg: Resize to 135px square, re-crush, and manually minify. == MediaWiki 1.38.0-rc.1 == === Changes since MediaWiki 1.38.0-rc.0 === * Localisation updates. * (T305028) Undeprecate EditPage::$textbox2. * (T305635) LogActions is a map, not a list. * (T306721) Add wikimedia/equivset to vendor; needed by bundled AbuseFilter. * (T307284) Simplify TransactionManager::pendingWriteQueryDuration. * (T307307) Add symfony/yaml to vendor. * Fix old_name in UserLogoutComplete hook. * REST: don't send stack trace in error responses. * (T307998) SessionManager: stop storing an ObjectFactory instance. * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update. == Upgrading notes for 1.38 == Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.29. Some specific notes for MediaWiki 1.38 upgrades are below: * (T191740) The AbuseFilter extension is now bundled with MediaWiki. This is an anti-abuse feature that lets privileged users set specific actions to be taken when actions by users, such as edits or file uploads, match certain criteria. * (T232948) The Math extension is now bundled with MediaWiki. This is a content feature that lets users create mathematical formulæ, written in a sub-set of LaTeX and rendered in MathML with a fallback SVG image. By default, it will use Wikimedia's mathoid service to render each formula, but local rendering can be set up for network isolation or performance. * (T191743) The Minerva skin is now bundled with MediaWiki. This is a simple, light-weight, and scalable skin that is particularly optimised for mobile use, and integrates well with the MobileFrontend extension (available separately), but can also be used as a regular desktop skin. For notes on 1.37.x and older releases, see HISTORY. 
=== Configuration changes for system administrators in 1.38 === ==== New configuration ==== * (T297708) $wgMaxExecutionTimeForExpensiveQueries - This setting can be used to control the maximum execution time for several expensive query pages (e.g. RecentChanges and UserContribs). * $wgBrowserFormatDetection – This setting allows overriding browsers' automatic detection and handling of formats. It's initially used to prevent auto-linking of possible telephone numbers in wiki pages' output in Safari on iOS; this can be re-enabled if you wish, or locally extended for other browsers' quirks. * (T240685) $wgMetricsTarget, $wgMetricsFormat, $wgMetricsPrefix - These provide configuration for a new MetricsFactory service with support for the dogstatsd format, intended for integration with Prometheus. * $wgGroupInheritsPermissions – This setting allows inheriting permissions, both granted and revoked, from another group. * $wgForeignApiRepos – ForeignAPIRepo now has an apiMetadataExpiry option to control for how long file metadata is cached. Additionally the default changed from 1 hour to 4 hours. * $wgSkinsPreferred – This lets you set a list of preferred skins to be listed higher in Special:Preferences. * $wgWikiFarmSettingsDirectory – A directory that contains site-specific configuration files. Setting this will enable multi-tenant ("wiki farm") mode, causing site-specific settings to be loaded based on information from the web request. EXPERIMENTAL. * $wgWikiFarmSettingsExtension – The file extension to be used when looking up site-specific settings files in $wgWikiFarmSettingsDirectory, such as 'json' or 'yaml'. EXPERIMENTAL. * $wgWikiFarmSiteDetector – A callback function that returns the name of the wiki for the current request. This is used in multi-tenant ("wiki farm") mode to determine which settings file to load from $wgWikiFarmSettingsDirectory. EXPERIMENTAL. 
* $wgEnableRemoteBagOStuffTests – This replaces the environment variable PHPUNIT_USE_BAGOSTUFF. * (T230211) $wgForceDeferredUpdatesPreSend – Force deferred updates to be run before sending a response to the client, instead of attempting to run them after sending the response. Setting this to true is useful for end-to-end testing, to ensure that the effects of a request are visible to any subsequent requests, even if they are made immediately after the first one. Note however that this does not ensure that database replication is complete, nor does it execute any jobs enqueued for later. * $wgTemplateLinksSchemaMigrationStage – Templatelinks table schema migration stage, for normalizing tl_namespace and tl_title fields. ==== Changed configuration ==== * $wgStyleDirectory and $wgExtensionDirectory – These are now set later, so can no longer be used within LocalSettings.php unless explicitly set in that file. * $wgFileBackends – This setting no longer takes 'fileJournal' as an option. * $wgMaxImageArea - This setting may now be set to false to disable size checking before scaling. Extensions can still override its value by using the BitmapHandlerCheckImageArea hook. * $wgAjaxUploadDestCheck – This is now deprecated, and acts as always-true. * $wgInterwikiCache – This no longer supports the string value for CDB files. * $wgParserOutputHooks – This is now deprecated; adjustments using this should be done with OutputPageParserOutputHook instead. (T292321) * $wgExternalStores – This is newly documented in includes/externalstore/README.md. ==== Removed configuration ==== * $wgShellLocale - This setting has been removed as it was a flawed solution to the problem of locale dependence, MediaWiki will now always set a locale of C.UTF-8 or C and works around the remaining problems of the C locale by not using escapeshellarg. This follows the direction of PHP 8.0, which sets a locale of C by default instead of respecting LC_CTYPE. 
* $wgLoggedOutMaxAge - Experiment removed, originally added in 1.35. (T293848) * $wgIncludejQueryMigrate - Deprecated in 1.36. We only support jQuery v3. * $wgUseCategoryBrowser - This experimental feature has been removed. If you still need to use this feature, please see [[mw:Extension:CategoryExplorer]]. * $wgStyleSheetPath - alias for $wgStylePath, deprecated since 1.3 (2004). === User-facing changes in 1.38 === * (T284921) The "auto-number headings" feature was removed following a consultation, due to performance reasons. === New operator/developer features in 1.38 === * EXPERIMENTAL: The environment variable MW_CONFIG_FILE can be used to specify the location of the settings file. This allows alternative settings files to be loaded depending on the environment. Settings files may be given as PHP files like the traditional LocalSettings.php file, or they may use JSON or YAML format. See https://www.mediawiki.org/wiki/Manual:YAML_settings_file_format * Added a deleteUserEmail maintenance script - This file enables the deletion of a given user's associated email address. It can be helpful for privacy-preserving operations. * The description array for constructing an HTMLForm now can use 'disable-if' to disable fields on condition easily, supported expressions are the same as 'hide-if'. * There is a new interface, IForeignRepoWithMWApi, that allows you to mark file repos provided by an extension as supporting making API queries against the foreign file repo so that extensions like TimedMediaHandler that depend on this can stop hard-coding looking for specific class names. * Added EXPERIMENTAL support for an easy to configure multi-tenant ("wiki farm") mode: Settings for each site can be placed in a directory specified by $wgWikiFarmSettingsDirectory. Site detection is controlled by $wgWikiFarmSiteDetector and defaults to the requested host name. 
For example, setting $wgWikiFarmSettingsDirectory = "sites" would cause the settings for wiki.example.com to be loaded from "sites/wiki_example_com.yaml". WARNING: YAML files under the web root may be accessible to browsers, please take appropriate measures to protect them from access via HTTP. * Running QUnit tests for an individual test suite module is possible with `grunt qunit --qunit-component={componentName}`, where {componentName} is "MediaWiki" to run core's QUnit tests or the skin or extension name. * The 'mediawiki.mixins' module now has a `.user-select()` Less mixin. === External library changes in 1.38 === ==== New external libraries ==== * symfony/yaml was promoted from development-only. * justinrainbow/json-schema was promoted from development-only. ==== Changed external libraries ==== * Updated OOUI from v0.42.0 to v0.43.2. * Updated Vue from 2.6.11 to 3.2.23. * Updated WVUI from v0.3.0 to v0.4.0. * Updated composer/semver from 3.2.5 to 3.2.6. * Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5. * Updated pear/mail_mime from 1.10.9 to 1.10.11. * Updated pear/net_smtp from 1.9.2 to 1.10.0. * Updated psr/log from 1.1.3 to 1.1.4. * Updated psy/psysh from 0.10.5 to 0.11.1. * Updated symfony/polyfill-php80 from 1.23.1 to 1.25.0. * Updated wikimedia/assert from 0.5.0 to 0.5.1. * Updated wikimedia/cdb from 1.4.1 to 2.0.0. * Updated wikimedia/ip-utils from 3.0.2 to 4.0.0. * Updated wikimedia/minify from 2.2.4 to 2.2.6. * Updated wikimedia/object-factory from 3.0.2 to 4.0.0. * Updated wikimedia/parsoid from v0.14.0-a14 to v0.15.0. * Updated wikimedia/purtle from 1.0.7 to 1.0.8. * Updated wikimedia/request-timeout from 1.1.0 to 1.2.0. * Updated wikimedia/shellbox from 2.0.0 to 3.0.0. * Updated wikimedia/wrappedstring from 3.2.0 to 4.0.1. * Updated wikimedia/remex-html from 3.0.1 to 3.0.2. * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0. ===== Changed development-only external libraries ===== * Updated QUnit from 2.16.0 to 2.18.0. 
* Updated composer/semver from 3.5.4 to 3.5.5. * Updated composer/spdx-licenses from 1.5.4 to 1.5.5. * Updated doctrine/dbal for PHP < 7.3 from 2.10.4 to 2.13.6. * Updated doctrine/dbal for PHP >= 7.3 from 3.0.0 to 3.1.5. ==== Removed external libraries ==== * jquery.jStorage, deprecated since MW 1.28; use "mediawiki.storage" instead. === Action API changes in 1.38 === * New `deletetalk` parameter on action=delete that allows you to delete the associated talk page of a subject page. * New `variant` parameter for all API actions, for specifying language variant (akin to the existing `variant` parameter for index.php). Task T117549. === Languages updated in 1.38 === MediaWiki supports over 400 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * (T292166) Updated namespace names for the Lombard language. * (T299201) Changed the autonym of the Angika language to अंगिका * (T298309) Changed the autonym of the Abkhaz language to аԥсшәа * (T302972) Changed the autonym of the Kirundi language to ikirundi * (T220303) Show numbered lists with Burmese numerals in relevant languages * (T291899) Added language support for Xiang Chinese (hsn). * (T292612) Added language support for S'gaw Karen (ksw). * (T293656) Added language support for Farefare (gur). * (T294729) Added language support for Pa'O (blk). * (T296286) Added language support for Skolt Sámi (sms). * (T296612) Added language support for Makhuwa (vmw). * (T296707) Added language support for Ga (gaa). * (T297073) Added language support for Nanai (gld). * (T297074) Added language support for Nawdm (nmz). * (T298075) Added language support for Northern Thai (nod). * (T298182) Added language support for Cape Verdean Creole (kea). * (T298385) Added language support for Nheengatu (yrl). * (T299329) Added language support for Fon (fon). * (T300474) Added language support for Nkore (nyn). 
* (T302556) Added language support for Pannonian Rusyn (rsk). === Breaking changes in 1.38 === * (T291008) The IP class, deprecated since 1.35 in favor of the IPUtils library, has been removed. The IP related regexes which were also deprecated in favor of the IPUtils library were also removed, IPUtils::RE_* should be used instead. * (T293043) The MediaWikiIntegrationTestCase class alias 'MediaWikiTestCase' has been removed. * LinkCache::singleton(), deprecated since 1.28, has been removed. * RepoGroup::singleton(), ::destroySingletons() and setSingleton(), all deprecated since 1.34, have been removed. * The following methods from FileDeleteForm were removed: - ::__construct (the class is no longer newable) - ::execute() - ::haveDeletableFile() Use FileDeleteAction instead. * MessageCache::singleton(), deprecated since 1.34, has been removed. * LockManagerGroup::singleton() and ::destroySingletons(), both deprecated since 1.34, have been removed. * FileBackendGroup::singleton() and ::destroySingletons(), both deprecated since 1.35, have been removed. * TemplateParser used to support disabling the cache with a boolean parameter in its constructor. This was deprecated in 1.35 and has now been removed. * The ArticleUndeleteLogEntry hook, deprecated in 1.37, was removed. * The BeforeResetNotificationTimestamp hook, deprecated in 1.37, was removed. * The global function mimeTypeMatch() has been removed without a deprecation process. * The following JavaScript mw.config keys have been removed: - $wgCookiePrefix - $wgCookieDomain - $wgCookiePath - $wgCookieExpiration Use mw.cookie from the mediawiki.cookie module instead. * The signature of PageUpdater::markAsRevert method was changed. It has never been used outside of MediaWiki core. * If you want to use interwiki titles with HTMLTitleTextField, you now need to pass 'interwiki' => true. In 1.37, the default behavior was to let interwiki title through by default, logging a deprecation warning. 
* The `UndeleteForm::undelete` hook, deprecated in 1.37, was removed. * BagOStuff::setDebug(), deprecated since 1.36, has been removed. * The `jquery.mw-jump` ResourceLoader module was removed. * The `wgForeignUploadTargets` and `wgEnableUploads` configuration values were removed from mw.config. They had previously been documented as being included for internal use by the mediawiki.ForeignUpload module. * The `&$hasHistory` parameter to WikiPage::getAutoDeleteReason() and ContentHandler::getAutoDeleteReason() was hard-deprecated with no replacement. * Several Skin methods, which have emitted deprecation warnings since 1.36, have been removed. These include: - Skin::privacyLink() - Skin::aboutLink() - Skin::disclaimerLink() For these, instead use Skin::footerLink() to alter footer links. - Skin::getLogo() For this, use ResourceLoaderSkinModule::getAvailableLogos() instead. - Skin::getIndicatorsHTML() For this, use Skin::getIndicatorsData() instead. - Skin::subPageSubtitle() For this, use Skin::prepareSubtitle() instead. - Skin::makeVariablesScript() For this, use ResourceLoader::makeInlineScript() instead. - Skin::getAllowedSkins() - Skin::getSkinNames() For these, use SkinFactory::getAllowedSkins() or ::getInstalledSkins(). - Skin::makeUrl() - Skin::getSearchLink() - Skin::mainPageLink() * Parser::getUser and ::mUser, as well as ParserOptions::getUser, deprecated since 1.37, have been removed. * Parser::$mStripState, deprecated in 1.35, has been made private. Use Parser::getStripState() instead. * The following deprecated features in blocks were removed: - DatabaseBlock constructor 'byText' property with blocker's name, use 'by' property with UserIdentity value instead. - DatabaseBlock constructor 'by' property with blocker's ID, use 'by' property with UserIdentity value instead. - DatabaseBlock::isWhitelistedFromAutoblocks, use ::isExemptedFromAutoblocks. - DatabaseBlock::setBlocker now only accepts UserIdentity. 
- AbstractBlock::getTargetAndType and ::getTarget, use ::getTargetName, ::getTargetUserIdentity and ::getType instead * The following functions, emitting deprecations since 1.37, have been removed: - Title::isWatchable() - WatchAction::doWatchOrUnwatch(), WatchAction::doWatch(), WatchAction::doUnwatch(), WatchAction::getWatchToken() - User::isWatched(), User::isTempWatched(), User::addWatch(), User::removeWatch() * ParserOptions::setTidy() that had no effect and was deprecated since 1.35 has been removed. * The "YAML" encoding option of EtcdConfig, has been removed without deprecation. * The constant ApiBase::PARAM_VALUE_LINKS, deprecated since 1.35 has been removed. * UserLoadOptions, UserSaveOptions and UserResetAllOptions hooks, deprecated since 1.37, were removed. * The experimental FileJournal system has been removed without deprecation. This includes the FileJournal abstract class, its implementation classes DBFileJournal and NullFileJournal, various minor getters and setters, and the option for the wiki configuration $wgFileBackends. * The return values for each `bind` function in checkboxHack.js has been changed from an object to a function. In addition, the `unbind` function has been removed. A deprecation process was assumed unnecessary as there were no known usages. * File::getUser, ::getImageSize, ArchivedFile::getRawDescription, ::getUser, ::getRawUser and ::getRawDescription, deprecated since 1.37, has been removed. * ShellboxHttpClient class has been removed without deprecation. It was an internal class used by ShellboxClientFactory. 
* The following hard deprecated User methods have been removed: - ::resetIdByNameCache, - ::getStubThreshold, - ::matchEditTokenNoSuffix, - ::changeableByGroup, - ::changeableGroups, - ::isAllowUsertalk, - ::getRights - ::isAllowUsertalk - ::isIP, - ::isIPRange, - ::isValidUserName, - ::isUsableName, - ::isCreatableName, - ::getCanonicalName, - ::addAutopromoteOnceGroups, - ::getDefaultOptions, - ::getDefaultOption, - ::getOptions, - ::getBoolOption, - ::getIntOption, - ::setOption - ::listOptionKinds - ::getOptionKinds, - ::resetOptions, - ::getEffectiveGroups, - ::getAutomaticGroups, - ::getFormerGroups - ::isLoggedIn - ::getFirstEditTimestamp - ::getLatestEditTimestamp * Http::$httpEngine, deprecated since 1.34, has been removed. The only available HTTP engine is now Guzzle. CurlHttpRequest and PhpHttpRequest classes were removed. * The UserRightsProxy class was deprecated. Pass the correct domain to UserGroupManagerFactory instead. * Parser option enableLimitReport was deprecated. The report is now generated post-parse and can be included by providing 'includeDebugInfo' option to ParserOutput::getText. Thus, ParserOptions::enableLimitReport and ::getEnableLimitReport methods were deprecated. * Ajax action that was deprecated in 1.27 now has been removed. * The following methods have been removed from IDatabase without deprecation as they were completely unused: - ::preCommitCallbacksPending() - ::pendingWriteRowsAffected() - ::getServerUptime() - ::maxListLen() * The following deprecated methods have been removed from IDatabase: - ::aggregateValue() soft-deprecated since 1.33 - ::getTopologyRootMaster() since 1.37 - ::masterPosWait() since 1.37 - ::dataSeek() soft-deprecated since 1.37 - ::numFields() soft-deprecated since 1.37 - ::fieldName() soft-deprecated since 1.37 - ::onTransactionIdle() soft-deprecated since 1.32 - ::getMasterPos() since 1.37 * DatabaseMysqlBase::fieldType() and DatabasePostgres::fieldType(), deprecated since 1.37, have been removed. 
* Database::assertIsWritableMaster(), deprecated since 1.37, has been removed. * ResultWrapper::getInternalResult(), soft-deprecated since 1.37 and ResultWrapper::unwrap(), deprecated since 1.37, have been removed. * Language::AS_AUTONYMS, deprecated since 1.34, has been removed. You can use the LanguageNameUtils::AUTONYMS constant instead. * Several Language class variables deprecated in 1.35 have been removed; they are each replaced by a constant, as listed after the arrow: - ::$mWeekdayMsgs → WEEKDAY_MESSAGES - ::$mWeekdayAbbrevMsg → WEEKDAY_ABBREVIATED_MESSAGES - ::$mMonthGenMsgs → MONTH_GENITIVE_MESSAGES - ::$mIranianCalendarMonthMsgs → IRANIAN_CALENDAR_MONTHS_MESSAGES - ::$mHebrewCalendarMonthMsgs → HEBREW_CALENDAR_MONTHS_MESSAGES - ::$mHebrewCalendarMonthGenMsgs → HEBREW_CALENDAR_MONTH_GENITIVE_MESSAGES - ::$mHijriCalendarMonthMsgs → HIJRI_CALENDAR_MONTH_MESSAGES * wfIncrStats, deprecated since 1.36, has been removed. * Profiler::profileIn and ::profileOut, deprecated in 1.33, has been removed. * IEditObject::AS_CANNOT_USE_CUSTOM_MODEL, deprecated in 1.35, was removed. * Several protected methods in EditPage were made private. None of these was used outside of EditPage itself. Since the class is not stable to extend, this change happened without a deprecation phase. * The following public methods in EditPage, unused externally, were made private: - ::getCancelLink() - ::isSupportedContentModel() - ::getParentRevId() * EditPage::setApiEditOverride() was marked as @internal for use by ApiEditPage only. * SelectQueryBuilder::straightJoin() was renamed to straightJoinOption(). * The following deprecated methods have been removed from ILBFactory: - ::beginMasterChanges() since 1.37 - ::commitMasterChanges() since 1.37 - ::rollbackMasterChanges() since 1.37 - ::hasMasterChanges() since 1.37 - ::hasOrMadeRecentMasterChanges() since 1.37 * The "groupLoadsByDB" option to LBFactoryMulti has been removed. Consider using "groupLoadsBySection" instead. 
* The following methods have been removed from ILoadBalancer without deprecation as they were completely unused: - ::waitForOne() - ::allowLagged() - ::forEachOpenReplicaConnection() * The following deprecated methods have been removed from ILoadBalancer: - ::getMasterPos() since 1.37 - ::finalizeMasterChanges() since 1.37 - ::approveMasterChanges() since 1.37 - ::beginMasterChanges() since 1.37 - ::commitMasterChanges() since 1.37 - ::runMasterTransactionIdleCallbacks() since 1.37 - ::runMasterTransactionListenerCallbacks() since 1.37 - ::rollbackMasterChanges() since 1.37 - ::flushMasterSnapshots() since 1.37 - ::hasMasterConnection() since 1.37 - ::hasMasterChanges() since 1.37 - ::lastMasterChangeTimestamp() since 1.37 - ::hasOrMadeRecentMasterChanges() since 1.37 - ::pendingMasterChangeCallers() since 1.37 - ::forEachOpenMasterConnection() since 1.37 - ::waitForMasterPos() since 1.37 * LoadBalancer::safeGetLag() which has been soft-deprecated since 1.34 has been removed. * The following properties of the EditPage class, deprecated since 1.35, were made private: - ::$deletedSinceEdit - ::$lastDelete - ::$mTokenOk - ::$mTriedSave - ::$incompleteForm - ::$tooBig - ::$missingComment - ::$missingSummary - ::$allowBlankSummary - ::$autoSumm - ::$mParserOutput - ::$hasPresetSummary - ::$minoredit - ::$watchthis - ::$recreate - ::$nosummaryparentRevId - ::$editintro - ::$scrolltop - ::$markAsBot * Special:ListFiles and Special:NewFiles no longer allow searching for parts of file names (option was not available for $wgMiserMode = true) * DBAccessBase, deprecated since 1.37, has been removed. * The UserNamePrefixSearch service no longer supports a UserIdentity parameter to search(); to check for a specific audience an Authority object is required. * The methods CoreParserFunctions::register() and CoreTagHooks::register() have been marked @internal, and had a second parameter added. 
These methods are intended for use in Parser's constructor, and are not used by any known extension. * LoadBalancer::openConnection(), deprecated since 1.34, has been removed. * Skin::preloadExistence has been made private. There are no known usages outside of MediaWiki core. === Deprecations in 1.38 === * The MWGrants class is deprecated in favor of the new GrantsInfo and GrantsLocalization services. * The global functions wfReadOnly() and wfReadOnlyReason() have been deprecated in favor of the ReadOnlyMode service. * PageProps::getInstance() has been deprecated. Use MediaWikiServices::getPageProps() instead. * User::setOption(), deprecated since 1.35, now emits deprecation warnings. * Linker::formatComment(), ::formatLinksInComment(), ::commentBlock() and ::revComment() were deprecated. Use the new CommentFormatter service. * Several Skin methods have been deprecated. - Skin::setSearchPageTitle(), Skin::getSearchPageTitle(). For these, use SpecialPage::newSearchPage() or associated user preference instead. - Skin::getSkinStylePath now triggers deprecation warnings. Direct string path should be used instead. - SkinTemplate::getPersonalToolsList(), deprecated since 1.35, now emits deprecation warnings. - In preparation for SkinTemplate::getPortletData becoming a private function, extending the method is no longer permitted. Use SkinTemplate::getTemplateData instead. - SkinTemplate::buildContentNavigationUrls is now deprecated. Skins can use the runOnSkinTemplateNavigationHooks method or the SkinTemplateNavigation__Universal hook if they need access to this data. * Usage of several template data keys in QuickTemplate are now deprecated: - searchaction, poweredbyico, copyrightico * DatabaseBlock::purgeExpired(), deprecated since 1.36, now emits deprecation warnings. 
* The following methods from the User class now trigger deprecation warnings: - ::blockedBy - ::getBlockId * Content::getParserOutput and AbstractContent::fillParserOutput was hard-deprecated, use ContentRenderer::getParserOutput instead. Extensions defining a content model should override ContentHandler::fillParserOutput. * Title::newFromIDs and TitleFactory::newFromIDs have been hard deprecated. Use a PageSelectQueryBuilder from a PageStore instead. * Content::getRedirectChain() and Content::getUltimateRedirectTarget() have been deprecated with no replacement because support for $wgMaxRedirect will be removed completely. See T296430 for more information. * WikiPage::getRedirectTarget() has been deprecated. Use the equivalent RedirectLookup::getRedirectTarget() instead. * Article::doDelete() was deprecated. Use WikiPage::doDeleteArticleReal if you only need to delete the article. If you also need things to happen with OutputPage, you may want to check the hooks in DeleteAction instead. * Instantiating the MessageContent class now emits deprecation notices. * Message::content() now triggers deprecation warnings. * Parser::setDefaultSort(), Parser::getDefaultSort(), and Parser::getCustomDefaultSort() now trigger deprecation warnings. Use ParserOutput::{get,set}PageProperty('defaultsort') instead. 
* The following methods from the ParserOutput class now emit deprecation warnings: - ::hideNewSection() - use ::setHideNewSection() - ::preventClickjacking() - use ::{get,set}PreventClickjacking() - ::getProperty() - use ::getPageProperty() (return value changed) - ::setProperty() - use ::setPageProperty() - ::unsetProperty() - use ::unsetPageProperties() - ::getProperties() - use ::getPageProperties() - ::getCategoryLinks() - use ::getCategoryNames() - ::setCategoryLinks() - use ::setCategories() - ::addTrackingCategory() - use Parser::addTrackingCategory() or TrackingCategories::addTrackingCategory() - ::addWarning() - use ::addWarningMsg() - ::hasDynamicContent() - use ::hasReducedExpiry() * The following methods from the ParserOutput class were deprecated: - ::getFlag() - use ::getOutputFlag() - ::setFlag() - use ::setOutputFlag() - ::getAllFlags() - this method is now marked @internal - ::addJsConfigVars() - use ::setJsConfigVar() or ::appendJsConfigVar() - ::addOutputHook() / ::getOutputHooks() - these hooks should be migrated to use the OutputPageParserOutput hook instead * The use of ParserOutput::setExtensionData() to overwrite previous values stored under a given key has been deprecated; use the new ::appendExtensionData() to collect multiple values in the ParserOutput rather than destructively updating stored values. (T300981) * The signatures of the following methods from the ParserOutput class were narrowed, restricting the permitted argument types: - ::addModules() - if you formerly passed a string, pass an array with the string as the only element. - ::addModuleStyles() - if you formerly passed a string, pass an array with the string as the only element. * Access to the following public or protected properties of OutputPage was deprecated; they will be made private or removed in a future release. Use accessor functions instead. 
- ::$mCategoryLinks - ::$mCategories - ::$mIndicators - ::$mHeadItems - ::$mModules - ::$mModuleStyles - ::$mJsConfigVars - ::$mTemplateIds - ::$mEnableClientCache - ::$mNewSectionLink - ::$mHideNewSectionLink - ::$mNoGallery * The following methods were deprecated; use ::setPreventClickjacking(..) instead: - OutputPage::preventClickjacking() - OutputPage::allowClickjacking() - ImageHistoryList::preventClickjacking() - ImageHistoryPseudoPager::preventClickjacking() - ContribsPager::preventClickjacking() * OutputPage::enableClientCache() was deprecated, because it is universally used to do the opposite -- use OutputPage::disableClientCache() instead. * Sanitizer::removeHTMLtags() has been deprecated. Its output can include unbalanced or ill-formed HTML and thus external callers may be misled about how to safely incorporate its output into a page. It is recommended to use the new Sanitizer::removeSomeTags() method instead, which will always return balanced HTML. * EventRelayerKafka was deprecated. To use $wgEventRelayerConfig with Kafka, add a similar class to your code. * MediaWiki\Logger\Monolog\KafkaHandler was deprecated. Consider using $wgMWLoggerDefaultSpi with SyslogHandler, or to use Kafka, add a similar Monolog handler class to your code. * Collation::singleton() and ::factory() now trigger deprecation warnings. * The following methods in MWNamespace, all deprecated since 1.34, now emit deprecation warnings: - isTalk() - exists() - subjectEquals() - getCanonicalNamespaces() - getCanonicalName() - getCanonicalIndex() - getValidNamespaces() - isContent() - hasSubpages() - getContentNamespaces() * Return values in the parameter $pageLang of the hook PageContentLanguage with other types than a Language object, deprecated since 1.33, now emit deprecation warnings. * Passing a db to BlockRestrictionStore::loadByBlockId() is deprecated. BlockRestrictionStoreFactory should be used to fetch a correct BlockRestrictionStore instead. 
* All external access to ParserOutput and CacheTime classes properties will now emit deprecation warnings. Use getters and setters instead. * The custom jQuery event `watchpage.mw` emitted on #ca-watch and #ca-unwatch is now deprecated in favour of the new `wikipage.watchlistChange` hook. * The global function wfLogProfilingData() has been deprecated without a replacement. The logic has been moved to the MediaWiki class. * The "trace" option of SectionProfiler has been deprecated. * The PageArchive class has had several methods deprecated. The replacements are as follows: - Use UndeletePage instead of ::undeleteAsUser(), ::getFileStatus() and ::getRevisionStatus(). - Use the respective methods of the new ArchivedRevisionLookup service instead of ::listRevisions, ::getRevisionRecordByTimestamp, ::getArchivedRevisionRecord, ::getPreviousRevisionRecord and ::getLastRevisionId. - Use ArchivedRevisionLookup::hasArchivedRevisions instead of ::isDeleted. * PageUpdater::isUnchanged() has been deprecated, use wasRevisionCreated() instead. * The `mediawiki.pager.tablePager` module was deprecated in favor of the more generic `mediawiki.pager.styles`. * wfGetCache() and wfGetMainCache(), both deprecated since 1.32, now emit deprecation warnings. * LinkCache::addGoodLinkObj() has been hard deprecated. * ApiStashEdit::parseAndStash has been hard deprecated. * Content::prepareSave was hard-deprecated, now emits deprecation warnings. Use ContentHandler::validateSave instead. * The hooks LinksUpdateAfterInsert and LinksUpdateConstructed were deprecated. * Access to all public properties in LinksUpdate was deprecated. * The global variable $IP has been deprecated for use in application logic. It will remain available for use in LocalSettings.php for now, though $wgBaseDirectory is preferred. Application logic should use the BaseDirectory setting from the main config. 
Tests and framework code that need to function without MediaWiki being fully initialized should use the MW_INSTALL_PATH constant. * The global function wfWikiID(), deprecated since 1.35, now emits deprecation warnings. * AbstractBlock::getBy() now takes a wikiId as a parameter and emits deprecation warnings in case of cross-wiki accesses. * The `button` parameter for `bindUpdateAriaExpandedOnInput` and `updateAriaExpanded` in checkboxHack.js has been deprecated. `bindToggleOnSpaceEnter` has also been deprecated in favor of `bindToggleOnEnter`. * IDatabase::lockTables() and IDatabase::unlockTables() have been deprecated with no replacement. Instead, callers should batch updates into atomic transactions, using FOR UPDATE for SELECT queries. * EditPage::addNewLineAtEnd() was deprecated; use TextboxBuilder::addNewLineAtEnd instead. * EditPage::getCopywarn() was deprecated; use EditPage::getCopyrightWarning instead. * EditPage::getCopyrightWarning() without passing a MessageLocalizer parameter has been deprecated. * Passing the $formCallback parameter to EditPage::showEditForm, deprecated in 1.25 and previously emitting a warn notice, now emits a deprecation notice. * EditPage::$action has been deprecated.
* The following properties in EditPage now emit deprecation notices when used from another class: - mArticle (use ::getArticle() instead) - mTitle (use ::getTitle() instead) - isNew (no replacement) - allowBlankArticle (no replacement) - selfRedirect (no replacement) - allowSelfRedirect (no replacement) - diff (no replacement) - textbox2 (no replacement) - undoAfter (no replacement) - edit (no replacement) - contentLength (no replacement) * The HTMLForm methods getPreText, setPreText, addPreText, getPostText, setPostText, addPostText, getHeaderText, setHeaderText, addHeaderText, getFooterText, setFooterText and addFooterText have been renamed to getPreHtml, setPreHtml, addPreHtml, getPostHtml, setPostHtml, addPostHtml, getHeaderHtml, setHeaderHtml, addHeaderHtml, getFooterHtml, setFooterHtml and addFooterHtml respectively. * The FormSpecialPage methods preText and postText have been renamed to preHtml and postHtml respectively. * Article::doDelete, deprecated in 1.37, now emits deprecation notices. * The following Less mediawiki.mixins have been deprecated: - .background-image() - .list-style-image() * Category::getPageCount now takes a parameter. Category::COUNT_ALL_MEMBERS returns the count of all members, while Category::COUNT_CONTENT_PAGES returns that of content pages. For the former behavior, use Category::getMemberCount(). * Using `new HTMLForm( … )` or `HTMLForm::factory( … )` without the $context parameter is now deprecated. * BagOStuff::incr() and BagOStuff::decr() are now deprecated. * Action::exists() and ActionFactory::actionExists() are deprecated, use (bool)ActionFactory::getAction().
=== Other changes in 1.38 === * The following things were changed in the file deletion form: - The name and ID of the submit button are now `wpConfirmB`, not `mw-filedelete-submit` - The ID of the form is now `deleteconfirm`, not `mw-img-deleteconfirm` - The `mw-filedelete-editreasons` class was replaced with `mw-delete-editreasons` The goal of these changes is to make the HTML more similar to that of normal page deletion. * ParserOptions created with ::newFrom* or ::newCanonical are now identical. * MediaWiki initialization order has been changed to load vendor autoload earlier. This means that extensions that are installed via composer and execute code upon autoloading cannot depend on any MediaWiki classes, constants or globals in that code. * The source of truth for configuration defaults is now the MainConfigSchema class. DefaultSettings.php still exists for backwards compatibility. A PHP file generated for optimized loading will be used in Setup.php to initialize configuration variables. Setup.php can be made to load DefaultSettings.php as before by setting MW_USE_LEGACY_DEFAULT_SETTINGS as an environment variable (e.g. via SetEnv in htaccess) or a PHP constant (e.g. via auto_prepend_file in php.ini). == Compatibility == MediaWiki 1.38 requires PHP 7.3.19 or later and the following PHP extensions: * ctype * dom * fileinfo * iconv * intl * json * mbstring * xml MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature.
The supported versions are: * MySQL 5.5.8 or later * PostgreSQL 9.4 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.37 = == MediaWiki 1.37.6 == This is a maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.5 === * Fix missing use statement from backport of fix for T307278. == MediaWiki 1.37.5 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.4 === * Localisation updates. * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null. * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid. * (T312302) SpecialRedirect: Don't pass null to explode. * RemoveInvalidEmails: Fix quoting for postgres. * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen(). * (T312300) SpecialDiff: Don't pass null to explode(). * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg. * (T289926) Handle null passed to wfShorthandToInteger() and Html::element(). * (T289926) Ensure that strlen() does not get passed a (valid) null. * (T312301) SpecialDiff: Don't pass null to trim(). 
* Hooks: Use more meaningful name for SkinAfterPortlet hook parameter. * (T289926) Ensure we don't pass null to mb_strlen. * (T312305, T311572, T311571, T311578) HTMLForm: Null coalescence in trim() calls. * (T289926) site: Consistently return null from Site::getDomain(). * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept(). * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1. * Add application/vnd.ms-opentype to MIME list. * Allow composer/installers plugin in composer.json. * Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1. * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests. * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1. * (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource. * Fix tests so getName() doesn't return null. * (T313663) [php8] Don't use strlen on potentially null string. * (T313663) [php8.1] Suppress test warning about providing null. * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp. * (T313663) Add explicit null check for $sha in FileBackend [php8.1]. * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1]. * (T313663) Mock UserOptionsManager::getOption for php8.1. * (T289879, T289926) Get rid of warnings on PHP 8.1. * (T313663) Check for null return of preg_replace in MediaWikiTitleCodec. * (T313663) cast db name to string when checking if it is read only [php8.1]. * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat]. * Fix a couple deprecation warnings in the installer under PHP 8.1. * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1]. * (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1]. * (T314096) Migrate use of ${var}-style string interpolation. * (T314099) preprocessor: Add missing field declarations. 
* (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null. * (T314225) SpecialCategories: Null coalescence $par. * (T314099) User: Allow dynamic properties on PHP 8.2. * (T314397) SpecialBlock: Better handle null in getTargetUserTitle. * (T314099) phpunit: Fix trivial dynamic property usages in tests. * (T314405) UploadStash: Check if us_prop is set in the fileMetadata. * (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1. * (T313663) Do not test giving a null fragment to Title::makeTitle. * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint. * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters. * api: Add rel=nofollow to help examples. * (T307613) Validate length of user email on Special:ChangeEmail/ Special:CreateAccount. * (T314226) LoginSignupSpecialPage: Check if $value is a string before length. * (T314824) tests: Update parser test after i18n change. * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4. * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions. * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite. * (T315892) composer.json: Pin phpunit to 8.5.28. * (T313049) Bump wikimedia/parsoid to v0.14.2. * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change. * (T318079) SpecialEditTags: Set default value of wpTagsToRemove to empty array. * (T318460) SpecialChangeEmail: Set default for returntoquery. * (T318307) Update docs for HTMLFormField::validate() to permit all data types. * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions. * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users. * (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.
== MediaWiki 1.37.4 == This is a maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.3 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor. * (T296435, T297669) cache: Add four fields to LinkCache::getSelectFields. == MediaWiki 1.37.3 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.2 === * Localisation updates. * (T289879) Type hints for ArrayAccess and JsonSerializable. * (T304783) TemplateParser: avoid warnings when called by NoLocalSettings. * Rebuilt vendor with composer 2.3.3. * Fix old_name in UserLogoutComplete hook. * (T289879) Address some deprecations for PHP 8.1. * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update. * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered. * (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1. * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage(). * (T308473) SECURITY: Escape contributions-title msg for use within page title. * (T311272) Call parent constructor of AddSite maintenance script first. * MediaWiki: Don't eagerly initialize action name. * Updated wikimedia/shellbox from v2.0.0 to v2.1.1. * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5. * (T289926) Avoid passing null to trim() in SkinTemplate. * (T311473) rollbackEdits: Pass user identity to RollbackPage. 
* (T307282) Avoid passing null to strcasecmp(), for PHP 8.1. * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null. * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode(). * (T311569) FileBackend::isStoragePath() Handle being passed null. * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param. * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower(). * (T281741) ChangeTags: Fix adding CSS classes for hidden tags. * (T296642) changetags: Fix management of a '0' tag. * (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null. * (T303033) Handle null in ChangeTags::modifyDisplayQuery. * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0. == MediaWiki 1.37.2 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.1 === * (T298261) Fix support for Composer 2.2. * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins. * Update doctrine/dbal (3.0.0 => 3.1.5). * (T296898) Add entry point name to disabled Session exception if possible. * (T298564) MemcachedClient: Add support for IPv6. * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete. * (T289956) WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode. * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader(). * (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest. * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest. * (T275673) objectcache: Avoid getCurrentTime() call in MapCacheLRU::has(). * (T275673) objectcache: split up MapCacheLRU::getAge() to avoid conditional overhead. * Fix the json schema and the extension processor for Parsoid extension modules. * (T299696) update.php: Avoid passing null to substr. * (T195807, T256401) Fix signature of DatabasePostgres::buildGroupConcatField. 
* In PHP 8.1 don't throw exceptions from mysqli. * (T289926) SiteConfiguration: Don't pass null to str_replace(). * (T264735) Fix deprecation warning from CURLPIPE_HTTP1. * (T260735) Stop using is_resource() where possible. * (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces. * (T299312) Implement __serialize/__unserialize for PHP 8.1 support. * ExtensionRegistry: Add process cache for lazy attributes. * (T301041) ApiPageSet: Add "missing": true to missing revisions. * Allow ParsoidModules extension schema to register services. * (T300462) SpecialUndelete: Do not show empty comments as deleted. * (T297708) Allow setting max execution time to several special pages. * (T205349) LinkCache: Try invalidating cache before throwing. * (T302540) composer.json: Add ext-calendar to require. * (T302540) composer.json: Add ext-simplexml to require-dev. * (T302540) composer.json: Add various PHP extensions to suggests. * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0). * (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning. * (T293576) listFiles: Display file name instead of version. * (T303871) Fix @since of Title::getId(). * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value. * wrapOldPasswords: add \n to two output calls. * (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki. * (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS. * (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on an extremely large number of other pages. == MediaWiki 1.37.1 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.0 === * (T296112) Allow inserting new sections named '0'. * Fix path for ZhConversion.php. * nukeNS: don't run purgeRedundantText() after every change.
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField method. * (T225888) RollbackAction: fix missing pagetitle. * (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions. * (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback. * (T34716, T297416) SECURITY: Require 'read' right for most actions. * (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model. == MediaWiki 1.37.0 == === Changes since MediaWiki 1.37.0-rc.2 === * Remove justinrainbow/json-schema from vendor. * Updated pear/mail_mime from 1.10.9 to 1.10.11. * Update deprecated Guzzle Psr7 function calls. * (T281972) UserIdentityValue: Correct @since tags. * Updated wikimedia/parsoid from v0.14.0-a19 to v0.14.0. * Localisation updates. * Tweak error message for missing composer dependencies. == MediaWiki 1.37.0-rc.2 == === Changes since MediaWiki 1.37.0-rc.1 === * (T295173) Re-add wikimedia/normalized-exception to vendor. * Remove wikimedia/testing-access-wrapper, psr/simple-cache, psr/http-factory from vendor. * (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set. * (T212428) Allow populateContentTables to continue when there are bad blobs. == MediaWiki 1.37.0-rc.1 == === Changes since MediaWiki 1.37.0-rc.0 === * (T294043) checkStorage: pass no parameters to WikiRevision::getContent(). * (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion results. * (T293783) ApiQueryImageInfo: don't show empty comments as deleted. * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode". * (T294796) JobQueueRedis: Replace deprecated zSize with zCard. * Remove duplicate settings from DefaultSettings. * (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser. == MediaWiki 1.37.0-rc.0 == == Upgrading notes for 1.37 == Don't forget to always back up your database before upgrading! 
See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.27. Some specific notes for MediaWiki 1.37 upgrades are below: * (T280806) Deprecated methods of fetching API tokens have been removed. This may cause older bots and scripts to fail. Most queries are trivially updateable to using new methods. See the Action API changes section below for more information. For notes on 1.36.x and older releases, see HISTORY. === Configuration changes for system administrators in 1.37 === * (T242768) The PasswordCannotMatchUsername password policy has been removed, please use PasswordCannotBeSubstringInUsername instead. If you have not customised your password policies, there will be nothing to do here. ==== New configuration ==== * $wgBrowserFormatDetection - This setting allows the enabling or disabling of automatic detection of possible phone numbers in a webpage in iOS Safari. * $wgParserEnableLegacyMediaDOM - This setting defaults to true, and enables the legacy media HTML structure in the output from the Parser. The alternative modern HTML structure for media is described at https://www.mediawiki.org/wiki/Parsing/Media_structure In a future release of MediaWiki this option will default to false, so it's a good idea to test this setting on your wiki early and report any issues. ==== Changed configuration ==== * $wgContentHandlerTextFallback - This migration setting, which defines how to react if a plain text version of a non-text Content object is requested using ContentHandler::getContentText(), is deprecated. * $wgActions – This setting lets sysadmins over-ride which actions can be used. It has been re-worked to support injecting dependencies into Action sub-classes as part of wider work on dependency injection.
Previously, $wgActions was an array where the keys were the names of actions, and the values had the following impacts (for a given key 'Foo'): - `true`: use the class 'FooAction' unless for a specific page WikiPage::getActionOverrides() wants to override that action - a string: use the class with that name, and do not allow over-riding on a per-page basis - `false`: the action is disabled - a callable: use the Action instance returned by invoking that callback, and do not allow overriding on a per-page basis - an object: use that specific Action instance, and do not allow overriding on a per-page basis. As part of T253078, values can now be arrays that are not callables, which are treated as ObjectFactory specs, allowing for services to be injected. Additionally, the distinction between values that allow per-page overrides and those that do not was removed - all actions can now be overridden on a per-page basis using WikiPage::getActionOverrides(). * $wgShellboxUrl – This setting, new in 1.36 to configure the novel Shellbox encapsulation system, is now deprecated; use $wgShellboxUrls as a mapping of service => URL instead. * $wgIncludejQueryMigrate – This setting, introduced in 1.29 to control whether to provide a migration layer for jQuery, has now switched its default value from true to false. This may break gadgets that depended on methods that were removed in jQuery 3 in 2017. See T280944 for more information. * A number of settings have been renamed.
The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which might try to read them: - $wgFileBlacklist is now $wgProhibitedFileExtensions - $wgMimeTypeBlacklist is now $wgMimeTypeExclusions - $wgEnableUserEmailBlacklist is now $wgEnableUserEmailMuteList - $wgShortPagesNamespaceBlacklist is now $wgShortPagesNamespaceExclusions * $wgMimeTypeExclusions - As well as being renamed, this configuration array now also prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types. * $wgFragmentMode - This setting, which determines the encoding of section IDs, has now switched its default value from legacy-first to html5-first: both the HTML5 anchor and the legacy percent-encoding-style anchor will still be generated for section titles, but references to them will use the HTML5 version, resulting in human-readable fragments. ==== Removed configuration ==== * $wgLegacyJavaScriptGlobals, deprecated in 1.36. * (T274695) $wgAjaxEditStash, deprecated in 1.36. * $wgShowDBErrorBacktrace, deprecated and non-functional since 1.32. * $wgShowSQLErrors, deprecated and non-functional since 1.32. * $wgLangObjCacheSize, without deprecation; the LanguageFactory service now always retains at most 10 objects in its LRU-cache. * $wgDjvuToXML, without deprecation; the tool it enables is obsolete and abandoned upstream. Use $wgDjvuDump to use that tool instead. === New user-facing features in 1.37 === * (T161934) MediaWiki now supports JPEG2000 files, to a limited extent. === External library changes in 1.37 === ==== New external libraries ==== * Added symfony/polyfill-php80 1.23.1. * Added whatwg-fetch 3.6.2. * Added wikimedia/normalized-exception 1.0.1. 
==== Changed external libraries ==== * Updated OOjs from v5.0.0 to v6.0.0 * Updated OOjs-Router from v0.2.0 to v0.3.0 * Updated OOUI from v0.41.3 to v0.42.0 * Updated WVUI from v0.1.0 to v0.3.0 * Updated cssjanus/cssjanus from v1.3.0 to v2.1.0. * Updated pear/mail_mime from 1.10.9 to 1.10.11. * Updated psr/container from v1.0.0 to v1.1.1. * Updated wikimedia/minify from v2.2.2 to v2.2.4. * Updated wikimedia/object-factory from v3.0.0 to v3.0.2. * Updated wikimedia/parsoid from v0.13.1 to v0.14.1. * Updated wikimedia/relpath from v2.1.1 to v3.0.0. * Updated wikimedia/remex-html from v2.3.1 to v2.3.2. * Updated wikimedia/shellbox from v1.0.4 to v2.1.1. * Updated wikimedia/wait-condition-loop from v2.0.1 to v2.0.2. * Updated zordius/lightncandy from v1.2.5 to v1.2.6. * Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5. * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0. ===== Changed development-only external libraries ===== * Updated qunit from 2.10.0 to 2.16.0. ==== Removed external libraries ==== * The pimple/pimple development-only library has been removed. === Action API changes in 1.37 === * (T280806) The API methods for fetching tokens which were deprecated in MediaWiki 1.24 have been removed. action=query&meta=tokens&type= should be used instead. Please note some token types no longer exist, and you should just use type=csrf for those instead. - action=query&prop=info&intoken -> action=query&meta=tokens&type=csrf - action=tokens&type= -> action=query&meta=tokens&type= - action=query&list=recentchanges&rctoken -> action=query&meta=tokens&type=csrf - action=query&prop=revisions&rvtoken=rollback -> action=query&meta=tokens&type=rollback - action=query&meta=userinfo&uiprop=preferencestoken -> action=query&meta=tokens&type=csrf - action=query&list=users&ustoken=userrights -> action=query&meta=tokens&type=userrights === Languages updated in 1.37 === MediaWiki supports over 350 languages. Many localisations are updated regularly. 
Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * (T280435) LRM and RLM characters were removed from names of languages with parentheses in Names.php * (T283422) Add namespace name translations and change the autonym of the Kinyarwanda language to "Ikinyarwanda". * (T283423) Change the autonym of the Lombard language from "lumbaart" to "lombard". * (T279619) Added language support for Dagbani (dag). * (T282085) Added language support for Malay in Arabic (Jawi) script (ms-arab). * (T283053) Added language support for Ojibwe (ojb). * (T283480) Added language support for Wallisian (wls, Fakaʻuvea). * (T284002) Added language support for Paiwan (pwn). * (T284044) Added language support for Carpathian Romani (rmc). * (T286460) Added language support for Gun (guw, Gungbe). * (T287345) Added language support for Baoulé (bci). * (T290126) Added language support for Kildin Sami (sjd). * (T290408) Added language support for Pite Sami (sje). * (T25216) Started the renaming of the language code for Norman from nrm to nrf. === Breaking changes in 1.37 === * The Revision class, emitting deprecation warnings since 1.35, was removed entirely. 
As part of this, the following hooks that included a Revision object were removed: - ArticleRevisionUndeleted - use RevisionUndeleted - ArticleRollbackComplete - use RollbackComplete - DiffRevisionTools - use DiffTools - DiffViewHeader - use DifferenceEngineViewHeader - HistoryRevisionTools - use HistoryTools - NewRevisionFromEditComplete - use RevisionFromEditComplete - PageContentInsertComplete - use PageSaveComplete - PageContentSaveComplete - use PageSaveComplete - ParserFetchTemplate - use BeforeParserFetchTemplateRevisionRecord - RevisionInsertComplete - use RevisionRecordInserted - TitleMoveComplete - use PageMoveComplete - TitleMoveCompleting - use PageMoveCompleting - UndeleteShowRevision - no replacement - UserRetrieveNewTalks - no replacement … the following methods and variables have been removed: - Article::$mRevision - Article::getRevisionFetched() - ContribsPager::tryToCreateValidRevision() - EditPage::$mBaseRevision - EditPage::getBaseRevision() - LinksUpdate::getRevision() - LinksUpdate::setRevision() - PageArchive::getArchivedRevision() - PageArchive::getPreviousRevision() - PageArchive::getRevision() - Parser::$mRevisionObject - Parser::fetchCurrentRevisionOfTitle() - Parser::getRevisionObject() - Parser::statelessFetchRevision() - ParserOptions::getCurrentRevisionCallback() - ParserOptions::setCurrentRevisionCallback() - Title::countAuthorsBetween() - Title::getFirstRevision() - User::getNewMessageLinks() - User::getNewMessageRevisionId() - User::setNewtalk() - WikiPage::getOldestRevision() - WikiPage::getRevision() - WikiPage::getUndoContent() - WikiPage::updateIfNewerOn() … and the following methods no longer accept Revision objects as parameters: - CategoryMembershipChange::__construct() - ContentHandler::getUndoContent() - DerivedPageDataUpdater::prepareUpdate() - DifferenceEngine::getRevisionHeader() - Linker::buildRollbackLink() - Linker::generateRollback() - Linker::getRevDeleteLink() - Linker::getRollbackEditCount() - 
Linker::revComment() - Linker::revUserLink() - Linker::revUserTools() - WikiPage::doDeleteUpdates() - WikiPage::doEditUpdates() - WikiPage::hasDifferencesOutsideMainSlot() - WikiPage::onArticleEdit() - WikiPage::prepareContentForEdit() - WikiPage::updateRevisionOn() The following methods return arrays that formerly included a 'revision' key that would emit deprecation warnings when accessed and return a Revision object. The Revision object has been removed from the arrays, and the 'revision-record' key should be used to get the relevant RevisionRecord instead: - PageUpdater::doCreate() - PageUpdater::doModify() - Parser::statelessFetchTemplate() - WikiPage::doEditContent() Finally, the ParserOptions `templateCallback` option is a callback that is called in Parser::fetchTemplateAndTitle() and should return an array - the 'revision' key to that array used to be a Revision object and was used if no 'revision-record' was returned - is now ignored. * Previously, the classes RevisionTestModifyableContent and RevisionTestModifyableContentHandler were loaded for use in tests, but were only used within the tests for the since-removed Revision class. This content and content handler class were removed without deprecation. * WANObjectCache::HOLDOFF_NONE, deprecated since 1.35, was removed. Use WANObjectCache::HOLDOFF_TTL_NONE instead. * Calling ResourceLoader::makeVersionQuery() without $modules parameter, deprecated since MediaWiki 1.34, is no longer supported. * LocalFile::recordUpload2(), deprecated since 1.35, was removed. 
* The following methods and fields in the Language class, deprecated since 1.35, have been removed: - ::classFromCode() - ::clearCaches() - ::convertTitle() - ::findVariantLink() - ::$mConverter - ::updateConversionTable() * The following methods in the Parser class have been removed after having been deprecated in 1.35: - fetchTemplate() - Title() * (T273354) When an edit is prevented by an 'EditFilterMergedContent' hook handler without changing the status, the edit form will now be displayed. * User::clearNotification() which had been deprecated in 1.35 has been removed. Use WatchlistManager::clearTitleUserNotification() instead. * User::getNewtalk() which had been deprecated in 1.35 has been removed. Use TalkPageNotificationManager::userHasNewMessages() instead. * The Autopromote class, deprecated since 1.35, was removed. Use UserGroupManager instead. * The CachedAction, SpecialCachedPage, CacheHelper, and ICacheHelper classes, all emitting deprecation warnings since 1.36, have been removed. * The hooks BeforeHttpsRedirect, CanIPUseHTTPS and UserRequiresHTTPS, deprecated in 1.35, were removed. * The TitleArrayFromResult hook, deprecated in 1.36, was removed. * The deprecated "es6-promise" alias ResourceLoader module has been removed. Use the "es6-polyfills" module directly instead. * The deprecated "mediawiki.legacy.protect" ResourceLoader module, deprecated since 1.36, has been removed. Use "mediawiki.action.protect" instead. * The JavaScript alias $j for references to jQuery, deprecated since 1.23, has been removed. Use $ instead. * The AuthenticationProvider interface and the SessionProvider class no longer extend the PSR LoggerAwareInterface concept, so they can't be typehinted as LoggerAwareInterface. * User::getGrantName(), emitting deprecation warnings since 1.36, has been removed. Use MWGrants::grantName() instead.
* The following ApiBase methods, deprecated since 1.35, have been removed: - ApiBase::explodeMultiValue - ApiBase::parseMultiValue - ApiBase::validateLimit - ApiBase::validateTimestamp * The User::idCacheByName() public static field was removed without deprecation. Instead of using it, get a UserIdentity by name from the UserIdentityLookup service. * IDatabase::upsert() and IDatabase::replace() now only accept a single unique key. Previously, a warning was issued if there were multiple unique keys provided. * The MediaWiki:Autoblock_whitelist block exemption control was moved in 1.36 to MediaWiki:Block-autoblock-exemptionlist. The backward-compatibility of reading the old MediaWiki:Autoblock_whitelist page has now been dropped. * The following overridable methods in File hierarchy have changed signatures: - File::deleteFile() - now accepts UserIdentity instead of User - File::getDescription() - now accepts Authority instead of User - File::userCan() - now accepts Authority instead of User - LocalFile::deleteOldFile() - now accepts UserIdentity instead of User * The following global methods, each deprecated since 1.36, have been removed: - wfAppendToArrayIfNotDefault() - wfAcceptToPrefs() - wfConfiguredReadOnlyReason() - wfDebugMem() - wfGetPrecompiledData() - wfNegotiateType() * The following deprecated methods of the Title class have been removed: - ::nameOf(), deprecated in 1.36 - ::getPreviousRevisionID(), deprecated in 1.34 - ::getNextRevisionID(), deprecated in 1.34 - ::getEarliestRevTime(), deprecated in 1.35 * UploadBase::stashFile(), deprecated since 1.28, was removed. * wfGetRusage(), deprecated since 1.35, has been removed. 
* The following CLI options were removed from tests/phpunit.php:
  - use-filebackend
  - use-jobqueue
  - use-bagostuff
  The following options (inherited from Maintenance) were also removed:
  - conf
  - dbuser
  - dbpass
  - dbdefaultgroup
  - globals
  - memory-limit
  - profiler
  - server
  The following options were changed to environment variables:
  - wiki => PHPUNIT_WIKI
  - use-normal-tables => PHPUNIT_USE_NORMAL_TABLES
  - use-filebackend => PHPUNIT_USE_FILEBACKEND
  - use-bagostuff => PHPUNIT_USE_BAGOSTUFF
  - use-jobqueue => PHPUNIT_USE_JOBQUEUE
  This is so that we can use the default PHPUnit entry point (T90875).
* The PHPUNIT_REUSE_DB / --reuse-db option was removed from the phpunit.php runner. It had been broken for at least three years already. The original use case was speeding up tests on Oracle, but Oracle support was dropped several releases ago.
* The MediaWikiPHPUnitTest__endTestHook and MediaWikiPHPUnitTest__startTestHook PHPUnit hooks were removed. MediaWikiHooksPHPUnitExtension was also removed.
* EntryPoint::getTextFormatters() was made private without a deprecation period; it had no known external callers.
* DatabaseBlock::chooseBlock(), deprecated since 1.35, was removed.
* SpecialPageFactory::getRestrictedPages(), deprecated since 1.36, was removed.
* SpecialBlock::validateTarget(), deprecated since 1.36, was removed.
* The PatchFileLocation trait was removed without deprecation.
* ActorMigrationBase::getExistingActorId() and ::getNewActorId(), emitting deprecation warnings since 1.36, were removed.
* Hook handlers implementing the MediaWikiServicesHook hook are now prohibited from having services injected. This is because by definition, this hook runs before the service container is fully initialized.
* The protected property LocalFile::$metadata was removed without deprecation.
* WatchedItem::getUser(), emitting deprecation warnings since 1.36, has been removed.
* AuthManager::singleton(), emitting deprecation warnings since 1.36, has been removed.
* The AugmentPageProps class was removed without deprecation. It had no known uses.
* Html::infobox(), deprecated since 1.36, was removed.
* ParserOptions::__construct() now requires that the first parameter is a UserIdentity object - passing `null` used to fall back to the global $wgUser but was deprecated since 1.36.
* ParserOptions::newCanonical() no longer supports the first parameter being null (or omitted entirely), which would fall back to the global $wgUser but was deprecated since 1.35.
* The SkinTemplatePreventOtherActiveTabs hook, deprecated in 1.35, was removed entirely.
* The SkinTemplateTabAction hook, deprecated in 1.35, was removed entirely.
* The SkinTemplateBuildNavUrlsNav_urlsAfterPermalink hook, deprecated in 1.35, was removed entirely.
* The SkinTemplateToolboxEndHook, deprecated in 1.35, was removed entirely.
* The following methods of RevisionStore class, formerly emitting deprecation warnings, were removed:
  - ::newMutableRevisionFromArray()
  - ::loadRevisionFromPageId()
  - ::loadRevisionFromTitle()
  - ::loadRevisionFromTimestamp()
  - ::listRevisionSizes()
* LogEntry::getPerformer(), deprecated since 1.36, was removed along with methods in sub-classes: DatabaseLogEntry, ManualLogEntry, RCDatabaseLogEntry.
* Skin::getRelevantUser() now returns an instance of UserIdentity, and not necessarily a User object. There are no known usages in the MediaWiki ecosystem that were not satisfied with UserIdentity.
* Direct construction of MergeHistory class, deprecated since 1.35, is no longer supported. Use MergeHistoryFactory instead. MergeHistory::checkPermissions, deprecated since 1.36, was removed.
* Skin::generateDebugHTML(), deprecated since 1.35, was removed. Call MWDebug::getHTMLDebugLog() directly.
* The ApiTestCase class no longer interacts with the global $wgUser.
  Previously, the global variable was set at the start of each test, and in ApiTestCase::doApiRequest() if a performer was specified $wgUser was updated to match, and if no performer was specified $wgUser was used instead. Now, $wgUser is not updated, and if no performer is specified the reusable TestUser object for the sysop is relied on. Extensions or skins that rely on the global $wgUser variable (which has been deprecated since 1.35) should instead retrieve the acting user from the relevant context source.
* SkinTemplate::makeArticleUrlDetails(), deprecated since 1.35, was removed.
* Skin::makeNSUrl(), deprecated since 1.35, was removed.
* Skin::getRevisionId(), deprecated since 1.34, was removed. Use OutputPage::getRevisionId() instead.
* Skin::isRevisionCurrent(), deprecated since 1.34, was removed. Use OutputPage::isRevisionCurrent() instead.
* AbstractBlock::parseTarget(), deprecated since 1.36, was removed.
* The ArticleEditUpdates hook, deprecated since 1.35, was removed.
* The `@stable to extend` class CentralIdLookup has the following changes:
  - The protected ::checkAudience() method now returns an Authority instead of a User instance.
  - A number of its `@stable to override` methods now accept an Authority instead of a User instance as the $audience parameter.
  - A number of methods now accept a UserIdentity instead of their User parameter.
  - The ::localUserFromCentralId() method now returns UserIdentity and not necessarily a User object. All extensions that extend this class or use this method were updated to be ready for the new behavior.
* WatchedItemStoreInterface::enqueueWatchlistExpiryJob(), deprecated since 1.36, was removed.
* ResultWrapper is now abstract. It cannot be directly constructed (T286694).
* The SecondaryDataUpdates hook, deprecated in 1.32, was removed entirely.
* Content::getDeletionUpdates() was removed. Use ContentHandler::getDeletionUpdates() instead.
* Content::getSecondaryDataUpdates() was removed.
  Use ContentHandler::getSecondaryDataUpdates() instead.
* wfDiff(), deprecated since 1.25, has been removed.
* Language::$mLangObjCache, deprecated since 1.35, was removed.
* Language::$transformData, deprecated since 1.35, was removed.
* Language::transformUsingPairFile() was marked @internal. Its deprecated parameters are no longer supported.
* SpecialMute::getTarget(), unused outside of the SpecialMute class, was made private.
* The Skin::setupSkinUserCss() method, deprecated in 1.32, was removed. Please use skin registration instead.
* The ResourceLoaderSkinModule `legacy`, `content` and `content-thumbnails` features were deprecated. Skins should instead select from the features listed on [[mw:Manual:ResourceLoaderSkinModule]].
* ParserCache::getKey() and ::getEtag(), deprecated since 1.36, were removed.
* The BaseTemplateToolbox hook, deprecated since 1.35, was removed.
* Previously a capitalize-all-nouns class was added to the body element of languages where nouns must be capitalized. This class is no longer added to the body tag and must be provided by skins.
* The SkinTemplateOutputPageBeforeExec hook, deprecated since 1.35, was removed.
* Calling Message::toString() without a parameter, which triggered deprecation warnings since 1.36, is no longer supported. You can instead use the explicit formatting methods directly, such as Message::text() and Message::escaped().
* Article::getContentObject(), deprecated since 1.32, was removed.
* Article::delete(), Article::confirmDelete() and ImagePage::delete() were removed. The logic responsible for building the form is being moved to DeleteAction, while the actual deletion logic will be moved to a separate service.
* WikiImporter::debugRevisionHandler(), unused and for debug only, was removed.
* Content::preloadTransform() now emits deprecation warnings. Instead, please use ContentTransformer::preloadTransform(). Extensions defining a content model should override ContentHandler::preloadTransform().
* Content::preSaveTransform() now emits deprecation warnings. Please use ContentTransformer::preSaveTransform() instead. Extensions defining a content model should override ContentHandler::preSaveTransform().
* Constructing WikiPage objects from Title instances that cannot exist, emitting deprecation warnings since 1.36, now throws an exception. Additionally, WikiPage now implements ProperPageIdentity, rather than just PageIdentity.
* The Skin::bottomScripts() method is deprecated. Please instead use OutputPage::getBottomScripts().
* LinksUpdate::getTriggeringUser() now returns ?UserIdentity instead of ?User.
* The LESS mixin `.box-shadow()` (from mediawiki.mixins.less), deprecated since 1.36, was removed. Use CSS property `box-shadow` unprefixed for all basic supported browsers instead.
* The LESS mixin `.flex()` now no longer tries to support the 2009 version of the Flexbox specification; support for the 2012 and modern standard versions remains unchanged.
* The StorageAwareness::ATTR_SYNCWRITES, StorageAwareness::QOS_SYNCWRITES_*, StorageAwareness::ATTR_LOCALITY, and StorageAwareness::QOS_LOCALITY_* constants were removed.

=== Deprecations in 1.37 ===
* JobQueue::getWiki(), deprecated in 1.33, now emits deprecation warnings.
* AbstractBlock::getTargetAndType() and ::getTarget() now emit deprecation warnings. Use ::getTargetName() and ::getTargetUserIdentity() together with ::getType().
* Passing a UserIdentity to WatchlistManager::clearAllUserNotifications() and WatchlistManager::clearTitleUserNotifications() is now deprecated. Pass an Authority instead.
* Passing LinkTarget to WatchlistManager::clearTitleUserNotifications() and WatchlistManager::getTitleNotificationTimestamp() is now deprecated. Pass PageIdentity instead.
* The User class methods ::isWatched(), ::isTempWatched(), ::removeWatch(), and ::addWatch() have been deprecated. Use corresponding methods in WatchlistManager instead.
* Multiple WatchAction methods have been deprecated in lieu of WatchlistManager:
  - ::doWatchOrUnwatch() use WatchlistManager::setWatch()
  - ::doWatch() -> WatchlistManager::addWatch()
  - ::doUnwatch() -> WatchlistManager::removeWatch()
* WatchAction::getWatchToken() now emits deprecation warnings. Instead use CsrfTokenSet::getToken().
* Action::getHookContainer() has been marked as internal. Actions that require access to a hook container should have one injected instead.
* The ::getTitle() and ::setTitle() methods in Parser have been deprecated. Use ::getPage() and ::setPage() instead.
* Title::isWatchable() has been deprecated. Use WatchlistManager::isWatchable() instead.
* Methods and classes related to the primary database, previously referred to as 'master', have been deprecated, with the new ones replacing them as follows:
  - The DBMasterPos and MySQLMasterPos classes have been respectively renamed to DBPrimaryPos and MySQLPrimaryPos.
  - LocalRepo::getMasterDB() -> ::getPrimaryDB()
  - ForeignDBRepo::getMasterDB() -> ::getPrimaryDB()
  - JobQueueDB::getMasterDB() -> ::getPrimaryDB()
  - ForeignDBViaLBRepo::getMasterDB() -> ::getPrimaryDB()
  - DBFileJournal::getMasterDB() -> ::getPrimaryDB()
  - ILoadBalancer::getMasterPos() -> ::getPrimaryPos()
  - IDatabase::getMasterPos() -> ::getPrimaryPos()
  - ILoadBalancer::finalizeMasterChanges() -> ::finalizePrimaryChanges()
  - ILoadBalancer::approveMasterChanges() -> ::approvePrimaryChanges()
  - ILoadBalancer::beginMasterChanges() -> ::beginPrimaryChanges()
  - ILBFactory::beginMasterChanges() -> ::beginPrimaryChanges()
  - ILoadBalancer::commitMasterChanges() -> ::commitPrimaryChanges()
  - ILBFactory::commitMasterChanges() -> ::commitPrimaryChanges()
  - IDatabase::getTopologyRootMaster() -> ::getTopologyRootPrimary()
  - IDatabase::masterPosWait() -> ::primaryPosWait()
  - ILoadBalancer::runMasterTransactionIdleCallbacks() -> ::runPrimaryTransactionIdleCallbacks()
  - ILoadBalancer::runMasterTransactionListenerCallbacks() ->
      ::runPrimaryTransactionListenerCallbacks()
  - ILoadBalancer::rollbackMasterChanges() -> ::rollbackPrimaryChanges()
  - ILBFactory::rollbackMasterChanges() -> ::rollbackPrimaryChanges()
  - ILoadBalancer::flushMasterSnapshots() -> ::flushPrimarySnapshots()
  - ILoadBalancer::hasMasterConnection() -> ::hasPrimaryConnection()
  - ILoadBalancer::hasMasterChanges() -> ::hasPrimaryChanges()
  - ILBFactory::hasMasterChanges() -> ::hasPrimaryChanges()
  - ILoadBalancer::lastMasterChangeTimestamp() -> ::lastPrimaryChangeTimestamp()
  - ILoadBalancer::hasOrMadeRecentMasterChanges() -> ::hasOrMadeRecentPrimaryChanges()
  - ILBFactory::hasOrMadeRecentMasterChanges() -> ::hasOrMadeRecentPrimaryChanges()
  - ILoadBalancer::pendingMasterChangeCallers() -> ::pendingPrimaryChangeCallers()
  - ILoadBalancer::forEachOpenMasterConnection() -> ::forEachOpenPrimaryConnection()
  - ILoadBalancer::waitForMasterPos() -> ::waitForPrimaryPos()
  - Database::assertIsWritableMaster() -> ::assertIsWritablePrimary()
  - RevDelList::reloadFromMaster() -> ::reloadFromPrimary()
  - ExternalStoreDB::getMaster() -> ::getPrimary()
  - DatabaseMysqlBase::getMasterServerInfo() -> ::getPrimaryServerInfo()
  - MWExceptionHandler::rollbackMasterChangesAndLog() -> ::rollbackPrimaryChangesAndLog()
* wfGetLB(), deprecated since 1.27, now emits deprecation warnings.
* wfLocalFile(), deprecated since 1.34, now emits deprecation warnings.
* wfFindFile(), deprecated since 1.34, now emits deprecation warnings.
* wfIncrStats(), deprecated in 1.36, now emits deprecation warnings.
* wfCanIPUseHTTPS() is now deprecated, and always returns true.
* The UserLoadFromDatabase hook has been deprecated. It had no known uses.
* The following methods in ApiPageSet have been deprecated:
  - ::getTitles(), use ::getTargets() instead.
  - ::getGoodTitles(), use ::getGoodPages() instead.
  - ::getMissingTitles(), use ::getMissingPages() instead.
  - ::getGoodAndMissingTitles(), use ::getGoodAndMissingPages() instead.
  - ::getRedirectTitles(), use ::getRedirectTargets() instead.
  - ::getSpecialTitles(), use ::getSpecialPages() instead.
* The following methods from the User class, deprecated in 1.35, now each emit deprecation warnings:
  - ::getOptions()
  - ::isIP()
  - ::isUsableName()
  - ::isCreatableName()
  - ::getCanonicalName()
  - ::addAutopromoteOnceGroups()
  - ::getEffectiveGroups()
  - ::getAutomaticGroups()
  - ::getFormerGroups()
  - ::getIntOption()
  - ::getBoolOption()
* The following methods in User were deprecated:
  - ::idFromName() - use UserIdentityLookup::getUserIdentityByName() instead.
  - ::resetIdByNameCache() - in tests, reset service container. No replacement needed in production code.
* Use of ActorMigration for any table except revision, deprecated in 1.34, now emits deprecation warnings. Instead of getInsertValues(), use ActorNormalization::acquireActorId(). Instead of getWhere() and getJoin(), do your own join on the actor table.
* DatabasePostgres::remappedTableName() and its dependent constructor parameter 'keywordTableMap' are deprecated. Reserved identifiers that are used as table names should be quoted where necessary.
* LinkCache::singleton(), deprecated since 1.28, now emits deprecation warnings.
* MessageCache::singleton(), deprecated since 1.34, now emits deprecation warnings.
* LockManagerGroup::singleton() and ::destroySingletons(), deprecated since 1.34, now emit deprecation warnings.
* HtmlFileCacheUpdate::newFromTitles() is now deprecated and emitting warnings. Use newFromPages() instead.
* SessionProvider ::setLogger(), ::setManager(), ::setConfig(), and ::setHookContainer() were deprecated. Use ::init() to inject dependencies, or override ::postInitSetup() to do any custom post-initialization configuration.
* AbstractAuthenticationProvider ::setLogger(), ::setManager(), ::setConfig(), and ::setHookContainer() now emit deprecation warnings. Use ::init() to inject dependencies, or override ::postInitSetup() to do any custom post-initialization configuration.
* User::isLoggedIn(), deprecated since 1.36, now emits deprecation warnings. Use the method it wraps, User::isRegistered(), instead.
* FileBackendGroup::singleton() and ::destroySingletons(), deprecated since 1.35, now emit deprecation warnings.
* The first parameter of User::getBlock() should now be an integer using the Authority::FOR_XXX constants. Providing a boolean is deprecated.
* ApiBase::addBlockInfoToStatus() is deprecated for use by extensions. It is now marked as @internal and may be deleted in the future. It should not be necessary to call this method; Authority should be providing all relevant information via a PermissionStatus object.
* JobQueueGroup::singleton() was deprecated - use MediaWikiServices::getJobQueueGroup() instead.
* JobQueueGroup::destroySingletons() was deprecated. JobQueueGroups are now automatically destroyed after tests.
* LinkCache::addGoodLinkObj() has been deprecated, since it is prone to corrupting the cache with invalid information. Use addGoodLinkObjFromRow() instead. PHPUnit tests must use LinkCacheTestTrait::addGoodLinkObject().
* ContentHandler::getContentText() is now deprecated. Use Content::getText() instead.
* LinkCache::addLinkObj() has been deprecated, use PageStore::getPageForLink() instead.
* MediaWiki\User\UserNamePrefixSearch::search() previously accepted as its first parameter either the string 'public' or a UserIdentity object, to filter results for. It now expects an Authority object instead of UserIdentity, and providing just a UserIdentity will now trigger a deprecation warning.
* User::getRights(), deprecated since 1.34, now emits deprecation warnings.
* User::changeableGroups() and ::changeableByGroup() now emit deprecation warnings, use corresponding methods in UserGroupManager instead.
* User::incEditCount() was deprecated in favor of the new method UserEditTracker::incrementUserEditCount().
* RepoGroup::singleton(), ::destroySingleton() and ::setSingleton(), deprecated since 1.34, now emit deprecation warnings.
* RecentChange::getPerformer(), deprecated since 1.36, now emits deprecation warnings. Use ::getPerformerIdentity() instead.
* ContentHandler::cleanupHandlersCache(), deprecated since 1.35, now emits deprecation warnings.
* Category::getTitle() was deprecated in favor of Category::getPage()
* File::getUser() method now emits deprecation warnings, along with its overrides in LocalFile and ForeignApiFile in favor of ::getUploader().
* SpecialBlock::checkUnblockSelf(), deprecated in 1.36, now emits deprecation warnings.
* (T284179) The mediawiki.viewport ResourceLoader module is deprecated. You can now just use MutationObserver or IntersectionObserver directly, which are widely available in all supported JavaScript browsers.
* The following constructor options of DatabaseBlock class will now trigger deprecation warnings:
  - the 'byText' property with blocker's name,
  - the 'by' property with blocker's ID,
  For both of these, use the 'by' property with UserIdentity value instead.
* The BeforeResetNotificationTimestamp hook was deprecated.
* ArchivedFile::getUser() ::getRawUser() ::getRawUserText() were deprecated in favor of ::getUploader(). ::getRawDescription() was deprecated in favor of ::getDescription() with RAW audience parameter.
* When calling LocalFile::newFromRow() or LocalFile::loadFromRow(), passing extra fields not requested by ::getQueryInfo() will now trigger deprecation warnings. This is to warn callers that deprefixing and automatic assignment of such fields will not be done in a future version.
* JobSpecification::getTitle() was deprecated without providing a replacement. It wasn't used and, given the purpose of the JobSpecification class, it is not needed.
* The protected method File::getImageSize() is now deprecated.
* BacklinkCache::get() was deprecated, use BacklinkCacheFactory::getBacklinkCache() instead.
* Title::getBacklinkCache() now emits deprecation warnings. Instead, use the ::getBacklinkCache() method in the BacklinkCacheFactory service.
* MediaHandler::getImageSize(), ::getMetadata(), and ::isMetadataValid() were deprecated and should no longer be overridden. Instead, sub-classes should override getSizeAndMetadata().
* Deprecated File::getMetadata(). Instead use ::getMetadataArray(), ::getMetadataItem() and ::getMetadataItems().
* Message::title() has been deprecated; use Message::page() instead.
* BaseTemplate::getAfterPortlet(), BaseTemplate::renderAfterPortlet(), and the BaseTemplateAfterPortlet hook, which were deprecated in 1.35, now emit deprecation warnings.
* The LocalFile::getHistory() hook is deprecated.
* Previously the Skin templateDirectory option inside skin.json had to be relative to MediaWiki core. This should now be relative to the skin.
* Calling WikiPage::prepareContentForEdit() without a UserIdentity is now deprecated.
* User::getEditTokenObject(), ::getEditToken(), and ::matchEditToken() were each deprecated. Use CsrfTokenRepository, which is available via IContextSource, instead. ::matchEditTokenNoSuffix() was deprecated without replacement. It was introduced to be able to provide a custom error message if the token was submitted, but ending slashes were stripped by some ASCII mangling proxy. Use ::matchToken() instead; such proxies are much less common now and there's not much benefit in customising the error message.
* ContentHandler::getForTitle(), deprecated since 1.35, now emits deprecation warnings.
* User::listOptionKinds(), deprecated since 1.35, now emits deprecation warnings.
* WikiPage::doEditContent(), deprecated since 1.32, now emits deprecation warnings.
* CentralIdLookup::factory() and ::factoryNonLocal() now emit deprecation warnings; obtain an instance from MediaWikiServices instead.
* The class RandomPage was renamed to SpecialRandomPage. The class RandomPage is now deprecated.
* BotPassword::invalidateAllPasswordsForCentralId() was deprecated.
* BotPassword::removeAllPasswordsForCentralId() was deprecated.
* The Title class members: $mTextform, $mUrlform, $mDbkeyform, $mNamespace, $mInterwiki, and $mFragment have been deprecated to not be used directly. Instead, their corresponding accessor methods should be used.
* IDatabase::fetchObject(), ::fetchRow(), ::numRows(), ::numFields(), ::fieldName(), ::freeResult() and ::dataSeek() are deprecated. Use the corresponding methods in IResultWrapper instead.
* ResultWrapper::unwrap(), DatabaseMysqlBase::fieldType() and DatabasePostgres::fieldType() each now emit deprecation warnings.
* Sub-classes implementing Database::doQuery() should return either boolean or an IResultWrapper. To do otherwise will now trigger a deprecation warning.
* User::getOptionKinds() and ::resetOptions(), both deprecated since 1.35, now emit deprecation warnings.
* The following methods in MWNamespace, all deprecated since 1.34, now emit deprecation warnings:
  - ::isMovable()
  - ::isSubject()
  - ::getTalk()
  - ::getSubject()
  - ::getAssociated()
  - ::equals()
  - ::subjectEquals()
  - ::hasTalkNamespace()
  - ::wantSignatures()
  - ::isWatchable()
  - ::getSubjectNamespaces()
  - ::getTalkNamespaces()
  - ::isCapitalized()
  - ::hasGenderDistinction()
  - ::isNonincludable()
  - ::getNamespaceContentModel()
  - ::getRestrictionLevels()
  - ::getCategoryLinkType()
* LogFormatter::styleRestricedElement() has been deprecated in favor of LogFormatter::styleRestrictedElement()
* The following hooks related to user preferences were deprecated:
  - UserLoadOptions: use LoadUserOptions instead.
  - UserSaveOptions: use SaveUserOptions instead.
  - UserResetAllOptions: no replacement was provided, the hook is not used.
* Title::isNamespaceProtected(), deprecated in 1.34, now emits deprecation warnings.
* UserSelectQueryBuilder::userIds(), ::userNames(), and ::userNamePrefix() have been deprecated in favor of ::whereUserIds(), ::whereUserNames(), and ::whereUserNamePrefix().
* Manually constructing a MovePage object, deprecated in 1.34, now emits deprecation warnings. Use MovePageFactory instead.
* The following deletion-related methods were deprecated:
  - WikiPage::doDeleteArticleReal() (soft) - use DeletePage
  - WikiPage::doDeleteArticleBatched() (soft) - no replacement
  - WikiPage::isBatchedDelete() (soft) - use DeletePage
  - WikiPage::doDeleteUpdates() (hard) - no replacement
  - WikiPage::getDeletionUpdates() (hard) - no replacement
  - Title::isBigDeletion (soft) - no replacement
* Relying on PermissionManager or Authority to check for big deletions was deprecated. This is now automatically checked if you use DeletePage::deleteIfAllowed(). (T288759)
* The userCan hook now emits deprecation warnings. Use the getUserPermissionsErrors or getUserPermissionsErrorsExpensive hooks instead.
* Parser::$mUser public access, and the methods ParserOptions::getUser() and Parser::getUser() each now emit deprecation warnings.
* The following methods in the Title class have been deprecated in favor of the corresponding methods in the new RestrictionStore service (with different names where indicated):
  - ::areCascadeProtectionSourcesLoaded()
  - ::areRestrictionsCascading()
  - ::areRestrictionsLoaded()
  - ::getAllRestrictions()
  - ::getCascadeProtectionSources()
  - ::getFilteredRestrictionTypes() -> ::listAllRestrictionTypes()
  - ::getRestrictionExpiry()
  - ::getRestrictionTypes() -> ::listApplicableRestrictionTypes()
  - ::getRestrictions()
  - ::isCascadeProtected()
  - ::isProtected()
  - ::isSemiProtected()
  - ::loadRestrictionsFromRows()
* The following Title methods have been deprecated with no direct public replacement:
  - ::deleteTitleProtection()
  - ::getTitleProtection()
  - ::flushRestrictions()
  - ::loadRestrictions()
* User::isAllowUsertalk() now emits deprecation warnings.
  Use User::getBlock() and AbstractBlock::isUsertalkEditAllowed() instead.
* Classes used by Preprocessor_DOM have been merged with classes used by Preprocessor_Hash, as Preprocessor_DOM was removed in 1.35.
  - PPDPart has been merged into PPDPart_Hash
  - PPDStack has been merged into PPDStack_Hash
  - PPDStackElement has been merged into PPDStackElement_Hash
* By default, the global variable $wgUser is now an instance of the new class StubGlobalUser rather than User, and the first time it is used it will emit deprecation warnings (the $wgUser variable was deprecated in 1.35). For extensions that read from this variable, please use a relevant ContextSource instead, falling back to RequestContext::getMain() if none is available.
* Collation::singleton() and ::factory() were deprecated; obtain an instance of the CollationFactory from MediaWikiServices instead.
* Title::getDefaultNamespace() has been deprecated to be removed because there are no known callers/consumers.
* With removal of the stub threshold feature, the following methods now emit deprecation warnings:
  - LinkRenderer::setStubThreshold() and ::getStubThreshold() - no replacement.
  - LinkRendererFactory::createForUser() - calling ::create() is now sufficient
  - ParserOptions::setStubThreshold() and ::getStubThreshold() - no replacement.
  - User::getStubThreshold() - no replacement.
* The ArticleDelete and ArticleDeleteComplete hooks were deprecated. Use PageDelete and PageDeleteComplete instead.
* The ArticleUndeleteLogEntry hook was deprecated without replacement.
* The following LESS mediawiki.mixins have been deprecated:
  - .box-sizing()
  - .transform()
  - .transform-origin()
  - .transition()
  - .transition-transform()
* The `UndeleteForm::undelete` hook was deprecated. A new hook was introduced, `PageUndelete`, that provides handlers with more information and is also called for non-UI requests. The capability of replacing the PageArchive object has been removed, as that violates the laws of nature.
=== Other changes in 1.37 ===
* WatchlistManager::addWatch() and WatchlistManager::addWatchIgnoringRights(), which replace User::addWatch(), now call the WatchArticle and WatchArticleComplete hooks.
* WatchlistManager::removeWatch() and WatchlistManager::removeWatchIgnoringRights(), which replace User::removeWatch(), now call the UnwatchArticle and UnwatchArticleComplete hooks.
* The overridable postInitSetup() method was added to the AbstractAuthenticationProvider class. A provider can override postInitSetup() to do any custom post-initialization configuration.
* The overridable postInitSetup() method was added to the SessionProvider class. A provider can override postInitSetup() to do any custom post-initialization configuration.
* The protected getConfig() method was added to the SessionProvider class. Use SessionProvider::getConfig() to get a config.
* The DBAccessBase class is deprecated. Classes that used to extend it should get a load balancer (factory) injected in the constructor instead.
* ActorNormalization::acquireActorId() now requires IDatabase parameter. Not providing one emitted deprecation warnings since 1.36.
* Anti-lock constants ALF_PRELOAD_LINK, ALF_NO_BLOCK_LOCK, ALF_NO_LINK_LOCK and ALF_PRELOAD_EXISTENCE have been removed. They're unused since 1.25.
* (T278036) CSS class 'mw-htmlform-field-autoinfuse' used by some forms has been renamed to 'mw-htmlform-autoinfuse'.
* User::newFromRow() does not accept pre-loaded user preferences under $data['user_properties'] anymore. This optimization was not used.
* The following files change the letter case of the file names:
  - SpecialRandompage.php -> SpecialRandomPage.php
  - SpecialRandomredirect.php -> SpecialRandomRedirect.php
  - SpecialRandomrootpage.php -> SpecialRandomRootPage.php
* Media files which are uploaded server side using the importImages.php maintenance script will now have the "mw-server-side-upload" change tag.
* (T284917) The stub threshold feature has been removed.
* Skin::getPoweredBy() and Skin::getCopyrightIcon() have been deprecated as they are only designed for use by skins extending BaseTemplate. You can move calls to instead use BaseTemplate::getPoweredByHTML() and ::getCopyrightIconHTML() respectively.
* The SkinGetPoweredBy hook is deprecated. No replacement is provided.
* HTMLTitleTextField didn't support interwiki titles well previously. Starting with 1.37, HTMLTitleTextField has a new parameter, 'interwiki', which can be used to control acceptance of interwiki titles. To provide a transitional period, the default value ('interwiki' => null) ensures MW will have the same behavior as before (logging a deprecation warning). In 1.38, the default behavior will change to "interwiki links aren't allowed".

== Compatibility ==

MediaWiki 1.37 requires PHP 7.3.19 or later, or PHP 7.4.3 or later, and the following PHP extensions:

* ctype
* dom
* fileinfo
* iconv
* intl
* json
* mbstring
* xml

Support for PHP 8.0 is not yet complete.

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature.

The supported versions are:

* MySQL 5.5.8 or later
* PostgreSQL 9.4 or later
* SQLite 3.8.0 or later

== Online documentation ==

Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

  https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

  https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

  https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==

There's usually someone online in #mediawiki on irc.libera.chat.

= MediaWiki 1.36 =

== MediaWiki 1.36.4 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.3 ===
* (T298261) Fix support for Composer 2.2.
* (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins.
* Update doctrine/dbal (3.0.0 => 3.1.5).
* (T296898) Add entry point name to disabled Session exception if possible.
* (T298564) MemcachedClient: Add support for IPv6.
* (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete.
* (T268847) Suppress deprecation warnings from libxml_disable_entity_loader().
* (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
* Fix the json schema and the extension processor for Parsoid extension modules.
* (T299696) update.php: Avoid passing null to substr.
* In PHP 8.1 don't throw exceptions from mysqli.
* (T289926) SiteConfiguration: Don't pass null to str_replace().
* (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
* (T260735) Stop using is_resource() where possible.
* (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces.
* (T299312) Implement __serialize/__unserialize for PHP 8.1 support.
* ExtensionRegistry: Add process cache for lazy attributes.
* (T301041) ApiPageSet: Add "missing": true to missing revisions.
* Allow ParsoidModules extension schema to register services.
* (T297708) Allow setting max execution time to several special pages.
* (T302540) composer.json: Add ext-calendar to require.
* (T302540) composer.json: Add ext-simplexml to require-dev.
* (T302540) composer.json: Add various PHP extensions to suggests.
* Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
* (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning.
* (T293576) listFiles: Display file name instead of version.
* (T303871) Fix @since of Title::getId().
* (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
* wrapOldPasswords: add \n to two output calls.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.

== MediaWiki 1.36.3 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.2 ===

* (T280363) mediawiki.page.ready: Introduce wikipage.indicators hook.
* (T290697) Add symfony/polyfill-php80.
* IcuCollation: Add some more icu to unicode version mappings.
* ApiBase: Annotate deprecated constants individually.
* PHPVersionCheck: Mark PHP 7.4.0 - 7.4.2 as buggy.
* (T293044) installer: Fix 5th param to sourceFile() in DatabaseUpdater.
* (T291127) Always encode spaces in cookie values as "%20".
* Use LocalFile::getHookRunner instead of LocalFile::hookRunner.
* (T293564) mediawiki.page.ready: Fire hook 'wikipage.indicators' with children.
* HistoryBlobStub: add getLocation() to get $mOldId.
* Fix checkStorage.php.
* checkStorage: pass no parameters to WikiRevision::getContent().
* (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion results.
* (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
* (T294796) JobQueueRedis: Replace deprecated zSize with zCard.
* (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser.
* (T212428, T267468) Allow populateContentTables to continue when there are bad blobs.
* (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set.
* Update pear/mail_mime to 1.10.11.
* Update deprecated Guzzle Psr7 function calls.
* (T281972) Follow-Up: I10fbd4b6a: Update @since tags as those were backported.
* Tweak error message for missing composer dependencies.
* (T296112) Allow inserting new sections named '0'.
* nukeNS: don't run purgeRedundantText() after every change.
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField method.
* (T225888) RollbackAction: fix missing pagetitle.
* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions.
* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
* (T34716, T297416) SECURITY: Require 'read' right for most actions.
* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model.

== MediaWiki 1.36.2 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.1 ===

* Don't access MWServices prematurely in Maintenance.php.
* (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
* Installer: Fix foundation.wikimedia.org link in config-pingback-help.
* (T283273) Make postgres IRC channel point to libera.chat.
* composer.json: Promote and pin monolog/monolog to require from require-dev.
* (T287526) JavaScriptMinifier: Recognize `...` as a single token.
* (T287526) Update wikimedia/minify to 2.2.4.
* (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas.
* (T281549) Installer: Fix mediawiki-announce auto subscription code.
* FormatJson: Optimize encode() for supported PHP versions.
* (T290398) renameRestrictions.php: Update protected_titles as well.
* (T290489) objectcache: Fix PHP warning for ReplicatedBagOStuff::setMulti.
* $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
* (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes.
* (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
* (T291244) Unserialize objects in ParserCache->mExtensionData as objects.
* MysqlUpdater: Add updatelog entries for dropDefault.
* (T290776) Fix $phase check in OutputHandler.
* The wikimedia/parsoid library has been upgraded from v0.13.0 to v0.13.1.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

== MediaWiki 1.36.1 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.0 ===

* (T283942) DatabaseInstaller.php: Only run core schema file if specified table doesn't already exist.
* (T247223) Optimise MessageCache::isMainCacheable() for the single-message case.
* (T283244) JavaScriptMinifier: Fix handling of "delete" as object property.
* (T284391) Fix SkinModule to correctly prepend remote path on document root installs.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T278579) Don't send headers on ob_end_clean().
* (T285287) MultiHttpClient: Replace PHP version check with defined().
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.

== MediaWiki 1.36.0 ==

=== Changes since MediaWiki 1.36.0-rc.0 ===

* (T248481) rdbms: Use server time in DatabaseMysqlBase::getLagFromPtHeartbeat().
* (T281549) WebInstaller: Don't show the announce-l subscribe checkbox for now.
* (T264214) Follow-ups for UserGroupManager.
* (T282280) resourceloader: Fix path-only URLs in wiki modules when script path is docroot.
* (T281972) UserIdentityValue: Introduce convenience static factory methods.
* (T230428) Make page_is_redirect and page_is_new unsigned.
* (T280292) Legacy feature should not load thumbnail style rules (only layout).
* (T283247) Freenode -> Libera per wikimedia moving from freenode to libera.
* (T280270) composer: Lock Parsoid version to specific 0.13.0 release.
* (T142663) Add extension.json merge strategy "provide_default".
* (T283540) HookContainer: Fix normalization of callback for static handler.
* (T283464) registration: Fix array order for array_replace_recursive merge strategy.
* (T283539) Interwiki: Fix calling "onInterwikiLoadPrefix" hook.
* (T282594) Timeless: Re-branch to 40eb3dad1for REL1_36.

== MediaWiki 1.36.0-rc.0 ==

== Upgrading notes for 1.36 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.27.

Some specific notes for MediaWiki 1.36 upgrades are below:

* MediaWiki 1.36 now requires the PHP internationalization extension (commonly referred to as Intl, ext-intl, or php-intl).
* The MediaWiki:Autoblock_whitelist block exemption control has been moved to MediaWiki:Block-autoblock-exemptionlist. If you use this feature, please move the MediaWiki:Autoblock_whitelist page.
* (T275334) $wgExtensionFunctions is sometimes used to change configuration settings. This is not safe; extension functions are run relatively late, some services are already initialized by that point and so they use the old configuration. Changes in 1.36 make this kind of breakage even more common. You can use the MediaWikiServices hook instead. (In the future there might be a dedicated hook for configuration changes.)

For notes on 1.35.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.36 ===

The MediaWiki update script, maintenance/update.php, used to accept `--nopurge` as an option to prevent clearing caches stored in the database during upgrade. This is no longer encouraged, and the option has been removed.

==== New configuration ====

* (T256001) $wgManualRevertSearchRadius – This setting controls a new feature that marks edits as reverts if they restore the page to an exact previous state. This configuration variable sets the maximum number of revisions of a page that will be checked against every new edit. Set this to 0 to disable the feature entirely.
* (T244058) $wgOldRevisionParserCacheExpireTime — This setting was added to control caching of ParserOutput for old (non-current) revisions.
* (T265263) $wgRememberMe - This setting configures the "remember me" checkbox on account log-in systems via RememberMeAuthenticationRequest.
* (T157145) $wgSkinMetaTags – This setting lets sysadmins configure skins that support meta tags. These tags make sharing of MediaWiki pages on a variety of social platforms more contentful and thus useful.
* (T280944) $wgIncludejQueryMigrate - This setting lets sysadmins disable the jQuery Migrate plugin. It has been enabled by default since MediaWiki 1.27. In future releases it will be disabled by default.

==== Changed configuration ====

* $wgLogos – This setting selects the logo shown on the site. The default value for the site logo, which is shown in an install if you have not set one, will now be the new logo of MediaWiki.
* (T274695) $wgAjaxEditStash — This setting, to disable the edit stashing feature when users start writing an edit summary, has been deprecated. In future releases, this feature will always be enabled.
* $wgUploadStashScalerBaseUrl – This setting, to enable remote on-demand media scaling, was deprecated. Use the `thumbProxyUrl` setting in $wgLocalFileRepo instead.
* $wgSlaveLagWarning and $wgSlaveLagCritical – These settings have been renamed, to $wgDatabaseReplicaLagWarning & $wgDatabaseReplicaLagCritical respectively. The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which try to read them.
* $wgWANObjectCaches - The "coalesceKeys" option was removed without deprecation and replaced by a new "coalesceScheme" option, set to "hash_stop" by default. If you use Dynomite, then set the new "coalesceKeys" option to "hash_tag". The "cluster" and "mcrouterAware" options were also removed without deprecation. Use "broadcastRoutingPrefix" instead.

==== Removed configuration ====

* $wgUseTwoButtonsSearchForm — This setting, deprecated in 1.35, has been removed.
* $wgAllowImageMoving — This setting, deprecated in 1.35, has been removed. Use group permission settings instead. For example, to prevent sysops from moving files, set `$wgGroupPermissions['sysop']['movefile'] = false;`
* $wgExtNewTables, $wgExtNewFields, $wgExtNewIndexes, $wgExtPGNewFields, $wgExtPGAlteredFields, $wgExtModifiedFields — These settings were removed. They became obsolete after 1.17 overhauled the database updater, but were kept for backwards compatibility. The LoadExtensionSchemaUpdates hook should be used instead.
* $wgParserConf - This setting, deprecated in 1.35, has been removed. The last use of this setting was for pre-processor configuration, which was deprecated in 1.34 and removed in 1.35.
* $wgEnableRestAPI - This setting, ignored since 1.35, has been removed.
* $wgPagePropsHaveSortkey – This temporary setting has been removed, along with the schema change upgrade path it controlled. If your site is still using it, meaning you have not yet applied the `pp_sortkey` schema change from 1.24, you must now apply it before upgrading.
* The deprecated password policies PasswordCannotMatchBlacklist and PasswordNotInLargeBlacklist were removed. Please use PasswordCannotMatchDefaults and PasswordNotInCommonList respectively instead.

=== New user-facing features in 1.36 ===

* The logo of MediaWiki has changed. This means that the "Powered By MediaWiki" button shown in the skin footer will be different.
* All HTML5 named entities are now accepted in wikitext.
* (T106263) The file description page's alternate sizes now include 2048px.

=== New developer features in 1.36 ===

* Parser test files can now declare a dependency on a specific extension being loaded, not just on the presence of a certain extension tag hook. This is a better fit for extensions like TimedMediaHandler, which affect the output but don't register parser hooks.
  Use `extension:Foo` in the `!! hooks` section of your parser test file to declare a dependency on the `Foo` extension being loaded.
* To expose code previously present in SpecialBlock/SpecialUnblock to other parts of the code, or to extensions, the new BlockUser and UnblockUser command objects were added. Use the BlockUserFactory and UnblockUserFactory services to create them.
* The hook UsersPagerDoBatchLookupsHook now takes a \Wikimedia\Rdbms\IDatabase, instead of \Wikimedia\Rdbms\DBConnRef, as the first parameter.
* MediaHandlers can now customize the formatting of the metadata they emit by over-riding MediaHandler::formatTag( $key, $value ). The default for unknown tags is numeric formatting; non-EXIF tags which are non-numeric should always use this method to specify the desired formatting.
* The new 'title' type can be used to validate action API and REST API inputs.
* The new ArticleParserOptions hook allows customizing the parser options used to parse wikitext for an article, based on user preferences, title, etc.
* The new 'raw' type can be used to validate action API inputs. It bypasses the Unicode NFC normalization done on inputs of type 'string', so it is more suitable when the input is binary or may contain deprecated Unicode sequences or characters (such as U+2001) that should be passed unmodified.
* (T260330) A new abstraction for running shell commands has been introduced, called BoxedCommand. A BoxedCommand object can be obtained with MediaWikiServices::getInstance()->getCommandFactory()->createBoxed().
* ResourceLoader modules can now mark themselves as ES6-only by setting `'es6' => true` in their module definition. ES6-only modules will not be executed in browsers that don't support ES6, such as IE11.

=== External library changes in 1.36 ===

==== New external libraries ====

* Added wikimedia/minify 2.2.2.
* Added wikimedia/request-timeout 1.1.0.
* Added wikimedia/shellbox 1.0.4.
* Added WVUI 0.1.0.
* Added symfony/polyfill-php80 1.23.1.

==== Changed external libraries ====

* Updated composer/semver from 1.5.1 to 3.2.4.
* Updated guzzlehttp/guzzle from 6.5.4 to 7.2.0.
* Updated jQuery from v3.4.1 to v3.6.0.
* Updated jQuery Migrate from v3.1.0 to v3.3.2.
* Updated jquery.client from 2.0.2 to 3.0.0.
* Updated OOUI from 0.39.3 to 0.41.3.
* Updated pear/mail_mime from 1.10.8 to 1.10.9.
* Updated pear/net_smtp from 1.9.1 to 1.9.2.
* Updated pimple/pimple from 3.3.0 to 3.3.1.
* Updated wikimedia/at-ease from 2.0.0 to 2.1.0.
* Updated wikimedia/cldr-plural-rule-parser from 1.0.0 to 2.0.0.
* Updated wikimedia/common-passwords from 0.2.0 to 0.3.0.
* Updated wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1.
* Updated wikimedia/html-formatter from 1.0.2 to 3.0.1.
* Updated wikimedia/ip-set from 2.1.0 to 3.0.0.
* Updated wikimedia/ip-utils from 1.0.0 to 3.0.2.
* Updated wikimedia/less.php from 3.0.0 to 3.1.0.
* Updated wikimedia/object-factory from 2.1.0 to 3.0.0.
* Updated wikimedia/php-session-serializer from 1.0.7 to 2.0.0.
* Updated wikimedia/remex-html from 2.2.0 to 2.2.2.
* Updated wikimedia/utfnormal from 2.0.0 to 3.0.2.
* Updated wikimedia/wait-condition-loop from 1.0.1 to 2.0.1.
* Updated wikimedia/xmp-reader from 0.7.0 to 0.8.1.

===== Changed development-only external libraries =====

* Updated composer/spdx-licenses from 1.5.3 to 1.5.4.
* Updated doctrine/dbal from 2.10.2 to 3.0.0.
* Updated doctrine/sql-formatter from 1.1.0 to 1.1.1.
* Updated mediawiki/mediawiki-phan-config from 0.10.2 to 0.10.6.
* Updated monolog/monolog from 1.25.3 to 2.2.0.
* Updated nikic/php-parser from 4.4.0 to 4.10.2.
* Updated psy/psysh from 0.10.4 to 0.10.5.
* Updated seld/jsonlint from 1.7.1 to 1.8.3.
* Updated symfony/yaml from ~3.4|~4.3|~5.0.5 to ~3.4|~5.1.
* Updated wikimedia/testing-access-wrapper from 1.0.0 to 2.0.0.

==== Removed external libraries ====

* The html5shiv library has been removed, as support for Internet Explorer 8 has been dropped.
* The wikimedia/avro suggested development-only library has been removed, as the support for logging in Avro format has been dropped.

=== Bug fixes in 1.36 ===

* (T190285) The ApiEditPage module used to switch the 'undo' and 'undoafter' parameters if it found that you had reversed them (based on the assumption that a higher revision ID indicates a later revision). That assumption is not always true and hindered proper undoing of edits in some cases, so the logic has been removed. Reversing the parameters will now lead to an edit conflict or undefined behavior.
* (T263340) In history merging, pages with a content model that does not support redirects will now be recorded as deleted if no revision is being left in the source page (that is, if all revisions of the page have been merged to another).

=== Action API changes in 1.36 ===

* (T269636) `Access-Control-Max-Age` was added to the default list of headers allowed for cross-origin API requests ($wgAllowedCorsHeaders).
* (T258108) Accounts with the 'bot' right no longer have pages automatically added to the watchlist when making API edits, regardless of their preferences. This is to reduce the size of the watchlist data in the database. To add API bot edits to the watchlist, explicitly set the 'watch' option.

=== Languages updated in 1.36 ===

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* (T258975) Added a Latin/Cyrillic script converter for the Talysh language.
* (T245359) Split Bali script locale from "ban" (Balinese) (ban-bali).
* (T264582) Added language support for Madurese (mad).
* (T259330) Added language support for Mara (mrh).
* (T263968) Added language support for Nias (nia).
* (T270365) Added language support for Tyap (kcg).
* (T276745) Added language support for Wayuu (guc).

=== Breaking changes in 1.36 ===

* Grade C (non-JavaScript) support for Internet Explorer 8 has been dropped.
* (T249459) wfIsBadImage(), deprecated in 1.34, has been removed.
* (T176526) EditPage::getContextTitle() will now throw an exception if a context title was not set using setContextTitle(). Previously, this mis-use would only cause a deprecation warning to be emitted.
* The DeferredStringifier class, deprecated since 1.31, was removed.
* Multiple methods that fell back to the $wgUser global variable were individually hard deprecated previously. The following have now been removed:
  - ApiTestCase::doLogin
  - Article::doDeleteArticle
  - Article::doDeleteArticleReal
  - Article::getComment
  - Article::getCreator
  - Article::getUser
  - Article::getUserText
  - Article::insertProtectNullRevision
  - File::delete
  - File::recordUpload
  - ForeignDBFile::delete
  - ForeignDBFile::recordUpload
  - LocalFile::delete
  - LocalFile::deleteOld
  - LocalFile::recordUpload
  - PageArchive::undelete
  - RecentChange::markPatrolled
  - Title::getUserPermissionsErrors
  - Title::quickUserCan
  - Title::userCan
  - WebRequest::getLimitOffset
  - WikiPage::doDeleteArticle
  - WikiPage::insertProtectNullRevision
* The SpecialPageFactory class, deprecated in 1.32, has been removed. Use the SpecialPageFactory service instead.
* Multiple methods previously had optional User parameters, with fallbacks to the $wgUser global variable.
  Not passing a User to those methods was previously hard deprecated, and support for not passing a User has now been removed:
  - ArchivedFile::userCan
  - File::userCan
  - FileDeleteForm::__construct
  - FileDeleteForm::doDelete
  - LocalFileDeleteBatch::__construct
  - LogEventsList::getExcludeClause (only needed for the 'user' audience)
  - LogEventsList::userCan
  - LogEventsList::userCanBitfield
  - LogEventsList::userCanViewLogType
  - LogPage::addEntry (also accepts user id instead)
  - OldLocalFile::userCan
  - PatrolLog::record
  - Title::getNotificationTimestamp (though the entire method is deprecated)
  - WikiPage::getComment (only needed for the FOR_THIS_USER audience)
  - WikiPage::getCreator (only needed for the FOR_THIS_USER audience)
  - WikiPage::getUser (only needed for the FOR_THIS_USER audience)
  - WikiPage::getUserText (only needed for the FOR_THIS_USER audience)
* The following hooks have been removed:
  - APIQueryInfoTokens
  - APIQueryRecentChangesTokens
  - APIQueryRevisionsTokens
  - APIQueryUsersTokens
  - ApiTokensGetTokenTypes
* LogEventsList::typeAction previously accepted an optional right parameter, and checked if the context user ($wgUser) had that right. Passing a right was hard deprecated in 1.35, and support for passing a right has now been removed.
* WikiPage::doDeleteArticleReal previously accepted an optional user as its fifth parameter, and fell back to $wgUser if no user was provided. The signature changed to have the user as the second parameter, and the old signature was hard deprecated in 1.35. Support for the old signature has now been removed.
* User::addNewUserLogEntry, deprecated since 1.27, was removed.
* As part of refactoring the EditPage class, EditPage::setPreloadedContent, which had no known callers, was removed entirely.
  Additionally, the following public methods were made private:
  - ::extractSectionTitle
  - ::getSummaryInputWidget
  - ::noSuchSectionPage
  - ::initialiseForm
* EditPage::matchSpamRegex and ::matchSummarySpamRegex, deprecated in 1.35, were removed. Use the SpamChecker service instead.
* The global function `wfWaitForSlaves`, deprecated in 1.27 and hard-deprecated in 1.35, has been removed. Use LBFactory::waitForReplication() instead.
* Calling Action::factory() with null as the first parameter, rather than a string, was deprecated in 1.35 and support has now been removed.
* Calling Action::factory() with an object that wasn't an Article as the second parameter was deprecated in 1.35 and support has now been removed.
* The global variable $wgMemc, deprecated since 1.35, has been removed. Usage should generally be migrated to WANObjectCache, or if you really need the internal object, use ObjectCache::getLocalClusterInstance instead.
* The preprocessDump.php maintenance script was removed.
* CategoryFinder, which was deprecated in 1.31 and hard-deprecated in 1.35, has been removed.
* GenderCache::singleton(), which was deprecated in 1.28 and hard-deprecated in 1.35, has been removed.
* Sanitizer::escapeId(), deprecated in 1.30, has been removed.
* Direct invocation of Parser::__construct() (instead of via a ParserFactory) now throws an exception; support has also been removed for several deprecated variants on the arguments passed to Parser::__construct. Direct invocation of Parser::__construct was deprecated in 1.34.
* Parser::setFunctionTagHook(), deprecated in 1.35, has been removed.
* The following properties of Parser, deprecated in 1.35, have been made private:
  - $mTagHooks - use Parser::getTags()
  - $mFunctionHooks - use Parser::getFunctionHooks()
  - $mOutput - use Parser::getOutput()
  - $mPreprocessor - use Parser::getPreprocessor()
* The ParserBeforeTidy hook, deprecated in 1.35, has been removed.
* The ParserBeforeTidy, ParserBeforeStrip, and ParserAfterStrip hooks, deprecated in 1.35, have been removed.
* All methods of MWTidy except for MWTidy::tidy() have been removed. These were each either marked as @internal or deprecated in 1.35.
* (T248062) Mixins `.background-image-svg()` and `.background-image-svg-quick()` (provided by mediawiki.mixins.less), which have been deprecated since 1.35, have now been removed. MediaWiki no longer supports any browser which would require this SVG-fallback PNG support, so you can simply use the regular CSS `background-image:` declaration instead.
* The ResourceLoader module `mediawiki.legacy.oldshared` and its file 'oldshared.css', deprecated since 1.35, have been removed (T248357).
* `ResourceLoader::__construct` now requires a Config parameter. The optional nature of this parameter was deprecated in 1.34.
* The LinkBegin and LinkEnd hooks, deprecated in 1.28, have been removed. You can instead use the HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd hooks, respectively.
* The EmailUser hook passes its fifth param, $error, by reference, to allow hook handlers to add error messages, indicate that they have sent the email instead of core, etc. Setting the parameter to something other than a Status object, true, false, an empty string, an array, or a MessageSpecifier object, which had been deprecated in 1.29, is no longer supported, and now results in an MWException being thrown.
* Skin::getDynamicStylesheetQuery(), deprecated in 1.32, has been removed. You should use action=raw&ctype=text/css directly.
* Skin::makeI18nUrl(), deprecated in 1.35, has been removed.
* The following User methods, deprecated and moved to BlockManager in 1.34, were removed:
  - ::isDnsBlacklisted
  - ::inDnsBlacklist
  - ::isLocallyBlockedProxy
  - ::trackBlockWithCookie
* Support for v1 of the parser tests file format has been removed; it was deprecated in 1.35.
  (T174199)
* SpecialUnblockUser::processUIUnblock() now returns a Status object instead of an array of messages or a boolean value. This function was also marked as @internal and it is no longer safe to call publicly.
* mw.Title.getDotExtension() from the 'mediawiki.Title' module was removed without deprecation. You should use mw.Title.getExtension() and prepend the dot if need be.
* Profiler::getTemplated and Profiler::setTemplated, deprecated in 1.34, have been removed.
* DatabaseMysqlBase now requires MySQL version 5.6.4+ when "lagDetectionMethod" is set to "pt-heartbeat".
* Removed HookContainer::getOriginalHooksForTest() without deprecation. This method was introduced in 1.35 for internal use, and appears unused outside of MediaWiki core.
* ParserCache::__construct() now requires three parameters.
* Message->getFormat(), deprecated in 1.29, has been removed.
* Support for passing Article to ParserCache::get, deprecated in 1.35, has been removed.
* ParserCache::singleton(), deprecated in 1.30, has been removed.
* DatabaseBlock::deleteIfExpired and ::fromMaster, deprecated in 1.35, have been removed.
* Some deprecated AbstractBlock methods have been removed:
  - ::prevents, deprecated in 1.33
  - ::shouldTrackWithCookie, deprecated in 1.34
  - ::getBlocker, deprecated in 1.35
  - ::setBlocker, deprecated in 1.35
  - ::getBlockErrorParams, deprecated in 1.35
* Multiple DatabaseBlock methods dealing with cookies, deprecated in 1.34, have been removed:
  - ::setCookie
  - ::clearCookie
  - ::getCookieValue
  - ::getIdFromCookieValue
  - ::shouldTrackWithCookie
* The public static callback function SpecialUnblock::processUIUnblock has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
* ChangeTags::truncateTagDescription, deprecated in 1.35, has been removed.
* Deprecated null fallbacks in PasswordReset constructor have been removed.
* User::isEveryoneAllowed and User::getAllRights, deprecated in 1.34, have been removed.
* The following methods of the UserGroupMembership class, deprecated in 1.35, have been removed:
  - ::initFromRow
  - ::newFromRow - use UserGroupManager::newGroupMembershipFromRow
  - ::selectFields - use UserGroupManager::getQueryInfo
  - ::delete - use UserGroupManager::removeUserFromGroup
  - ::insert - use UserGroupManager::addUserToGroup
  - ::purgeExpired - use UserGroupManager::purgeExpired
  - ::getMembershipsForUser - use UserGroupManager::getUserGroupMemberships
  - ::getMembership - use UserGroupManager::getUserGroupMemberships
* The public static callback function SpecialBlock::validateTargetField has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
* The public static callback function SpecialUploadStash::tryClearStashedUploads has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
* SpecialComparePages::showDiff(), ::revOrTitle(), ::checkExistingTitle(), and ::checkExistingRevision() were marked as @internal to allow for breaking changes. They are no longer safe to call. The methods were unused outside of MediaWiki core.
* Each special page within core now uses service injection via its constructor. When extending these special pages, a call to the grandparent constructor (`SpecialPage::__construct()`) in the sub-class would now break the derived special page, as the fallback code in the parent constructor cannot set the services as needed. Be sure to call the parent constructor when extending core special pages. Extending core's special pages is not part of the stable interface, and should generally be avoided.
* Language::getExtraUserToggles and ::viewPrevNext, deprecated in 1.34, have been removed.
* StreamFile::send404Message and ::parseRange, deprecated in 1.34, have been removed.
* SVGMetadataExtractor class, deprecated in 1.34, has been removed.
* ProcessCacheLRU class, deprecated in 1.32, has been removed.
* wfForeignMemcKey(), deprecated in 1.35, has been removed.
* LoadBalancer::safeWaitForMasterPos(), deprecated in 1.34, has been removed.
* JobQueue::factory() now requires its `idGenerator` option. The optional nature of this option was deprecated in 1.35.
* ApiFeedRecentChanges::getFeedObject has been changed to private, and appears unused outside of MediaWiki core.
* Skin::subPageSubtitle() has been changed to a private method. Callers should use Skin::prepareSubtitle().
* RevisionDeleter::checkRevisionExistence was removed without deprecation. It had no known callers.
* wfForeignMemcKey() and wfMemcKey(), deprecated in 1.35, have been removed.
* MediaWiki now also requires the php-intl extension.
* BotPassword::save() now returns a Status object for the result rather than a bool.
* The methods in CoreTagHooks have been marked @internal and type hints have been added. The methods appeared to be unused outside of MediaWiki core.
* SquidPurgeClient and SquidPurgeClientPool, deprecated since 1.35, have been removed.
* Several methods on WikiPage will now throw an exception when called on a WikiPage instance that was constructed on a title that does not refer to a proper page (but rather a special page or interwiki link). The behavior was previously undefined and could in some cases lead to data corruption. Affected methods are: getId(), insertOn(), newPageUpdater(), doUpdateRestrictions(), doDeleteArticleReal(), doRollback(), and doEditContent().
* The ParserTestRunner no longer invokes the ParserTestTables hook. Instead, it clones all database tables before running tests, like MediaWikiIntegrationTest does. If an extension was mis-using the hook to *exclude* tables from the clone, that will no longer occur, and tests may fail.
* The following classes, which were only loaded for tests and had no uses found in public MediaWiki-related git, were removed:
  - MockWebRequest
  - UserWrapper
* Passing Title as a second parameter to RevisionStore::getPreviousRevision and getNextRevision, hard deprecated since 1.31, was prohibited.
* (T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods.
* The internal class FirejailCommand was removed.
* Command::execute() now returns a Shellbox\Command\UnboxedResult instead of a MediaWiki\Shell\Result. Any type hints should be updated.
* WikiPage::$mIsRedirect was removed.
* ObjectCache::detectLocalServerCache(), deprecated in 1.35, was removed.
* The following functions from the Title class have been removed:
  - countRevisionsBetween
  - getAuthorsBetween
* The PageProps class was converted to a service. PageProps::overrideInstance was removed, and MediaWikiServices::redefineService should be used instead.
* Support for creating a MediaWikiTitleCodec object without the InterwikiLookup and NamespaceInfo services, deprecated in 1.34, was removed. Note that the MediaWikiTitleCodec class is not @newable or @stable to create, and should be retrieved from MediaWikiServices instead.
* The $wgContLang variable, deprecated in 1.32, was removed. You can instead use MediaWikiServices::getInstance()->getContentLanguage().
* User::clearAllNotifications(), hard deprecated in 1.35, was removed. Use WatchlistManager::clearAllUserNotifications() instead.
* DatabaseBlock::getBlocker can return any UserIdentity instance, not just User.
* MediaWiki::triggerJobs(), deprecated in 1.34, was removed.
* The following Article methods, deprecated in 1.35, were removed: - checkFlags - checkTouched - clearPreparedEdit - doDeleteUpdates - doEditUpdates - doPurge - doViewUpdates - exists - followRedirect - getAutoDeleteReason - getCategories - getContentHandler - getContentModel - getContributors - getDeletionUpdates - getHiddenCategories - getId - getLatest - getLinksTimestamp - getMinorEdit - getOldestRevision - getRedirectTarget - getRedirectURL - getRevision - getTouched - getUndoContent - hasViewableContent - insertOn - insertRedirect - insertRedirectEntry - isCountable - isRedirect - loadFromRow - loadPageData - lockAndGetLatest - makeParserOptions - pageDataFromId - pageDataFromTitle - prepareContentForEdit - protectDescription - protectDescriptionLog - replaceSectionAtRev - replaceSectionContent - setTimestamp - shouldCheckParserCache - supportsSections - triggerOpportunisticLinksUpdate - updateCategoryCounts - updateIfNewerOn - updateRedirectOn - updateRevisionOn - doUpdateRestrictions - updateRestrictions - doRollback - commitRollback - generateReason * The monolog-based logging system has dropped the Avro format. Because of this, the AvroFormatter class and the AvroValidator utility class have been removed without deprecation. * AbstractBlock::$mReason, deprecated in 1.34, was removed. Use AbstractBlock::getReasonComment and AbstractBlock::setReason instead. === Deprecations in 1.36 === * (T278026) The DB_MASTER constant has been deprecated in favour of DB_PRIMARY. * (T245963) User::getGrantName() is now hard deprecated and will be removed in a subsequent release. Use MWGrants::grantName() instead. * wfIncrStats() is now deprecated. Use MediaWikiServices::getInstance() ->getStatsdDataFactory()->updateCount() instead. * WikiPage::doEditContent() is now deprecated. Use WikiPage::doUserEditContent() instead. 
Note that doEditContent() was also deprecated in 1.32 for unrelated reasons and doUserEditContent() is deprecated for other reasons, however, using doUserEditContent() is recommended over using doEditContent(). * WikiPage::doUserEditContent() is now deprecated. Use PageUpdater::saveRevision instead. Note that the new method expects callers to take care of checking EDIT_MINOR against the minoredit right, and to apply the autopatrol right as appropriate. * LocalFile::recordUpload2, soft deprecated in 1.35, now emits deprecation warnings. Use ::recordUpload3 instead. * Constructing a new instance of the ParserOptions class without providing a User object, which falls back to the global $wgUser, is now deprecated. * The User class, which was marked as @newable in 1.35, is no longer newable, meaning that it is no longer safe to manually call the constructor via `new User`. Instead, use the UserFactory service. Additionally, the following static constructor methods were deprecated in favor of using the UserFactory service: - User::newFromName - User::newFromId - User::newFromActorId - User::newFromIdentity - User::newFromAnyId - User::newFromConfirmationCode * The following User methods have been hard deprecated in favor of the new UserEditTracker service: - User::getFirstEditTimestamp - User::getLatestEditTimestamp * The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered(). * Use of the `preprocessor=Preprocessor_DOM` option in parser test files has been deprecated. Preprocessor_DOM was removed in 1.35. * ParserOptions::setTidy() has been deprecated. It has had no effect since 1.35. * Sanitizer::escapeIdReferenceList() has been deprecated; it will eventually be made private to the class, as it appears to have no uses outside the Sanitizer class. * Sanitizer::hackDocType() is deprecated; it will eventually be made private. * Skin::getIndicatorsHTML() is deprecated. 
The functionality can be retained by reimplementing the method using the raw indicators data from OutputPage::getIndicators. * Skin::makeVariablesScript() has been deprecated. Use ResourceLoader::makeInlineScript() instead. * SpecialPageFactory::getRestrictedPages() has been deprecated. Use SpecialPageFactory::getUsablePages() instead. * Title::nameOf() is deprecated; use Title::newFromID()->getPrefixedDBkey() instead. * DatabaseBlock::insert, DatabaseBlock::update, DatabaseBlock::purgeExpired and DatabaseBlock::delete are deprecated. Use DatabaseBlockStore::insertBlock, DatabaseBlockStore::updateBlock, DatabaseBlockStore::purgeExpiredBlocks and DatabaseBlockStore::deleteBlock instead. * SpecialBlock::getTargetAndType and AbstractBlock::parseTarget are deprecated. Call BlockUtils::parseBlockTarget instead. * SpecialUnblock::processUnblock was deprecated - use UnblockUserFactory service instead. * Deprecated MediaWikiIntegrationTestCase::removeTemporaryHook() in favor of MediaWikiIntegrationTestCase::clearHook(). * Skin::getSearchLink(), also exposed as 'searchaction' option in SkinTemplate, has been deprecated. Use Title or SpecialPage methods directly. * Skin::getAllowedSkins and ::getSkinNames have been deprecated. Use their respective equivalents in SkinFactory instead. * The RollbackComplete hook has been deprecated, use the PageSaveComplete hook instead. * Skin::makeUrl() has been deprecated. Title methods should be used instead. * Skin::privacyLink(), Skin::disclaimerLink() and Skin::aboutLink() have been deprecated. Please use Skin::footerLink() instead. * Skin::getLogo() has been deprecated. Use ResourceLoaderSkinModule instead. * The module `mediawiki.toc.styles` has been replaced by ResourceLoaderSkinModule. If you are having problems styling table of contents ensure you have an updated skin. * Skin::mainPageLink() has been deprecated. Use LinkRenderer service instead. * BaseTemplate::getToolbox() method has been hard deprecated. 
The toolbox data is now available in a sidebar data array which you can get from any class that's extending QuickTemplate class. * Constructing a DefaultPreferencesFactory, LinkHolderArray or PasswordReset without a $hookContainer parameter is deprecated. * Autopromote class, soft deprecated since 1.35, now emits deprecation warnings. Use UserGroupManager instead. * SpecialBlock::canBlockEmail has been deprecated. Please use BlockPermissionChecker::checkEmailPermissions instead. * SpecialBlock::checkUnblockSelf has been deprecated. Please use BlockPermissionChecker::checkBlockPermissions instead. * SpecialBlock::parseExpiryInput was deprecated - use BlockUser::parseExpiryInput instead. * SpecialBlock::validateTarget has been deprecated, use BlockUtils instead. * SpecialBlock::validateTargetField has been deprecated for external use, use BlockUtils instead. * SpecialPage::getLanguageConverter has been deprecated, use LanguageConverterFactory::getLanguageConverter() directly. * ParserCache::getKey has been deprecated. Use ParserCache::getMetadata and ParserCache::makeParserOutputKey instead. * The PHPUnit4And6Compat class, used to provide compatibility with PHPUnit 4, was removed. MediaWiki support for PHPUnit 4 ended with the removal of HHVM support. * The PHPUnit6And8Compat class, used to provide compatibility with PHPUnit 6, was removed without deprecation. This class was introduced during the upgrade to PHPUnit 8, but never used. * MediaWikiIntegrationTestCase::assertType, hard-deprecated in 1.35 due to incompatibility with PHPUnit 8, was removed. * ParserCache::getETag has been deprecated, instead build suitable etag explicitly. 
* The following functions from the Language class have been hard deprecated and will be removed in a subsequent release: - findVariantLink - convertTitle - updateConversionTable - commafy * The following functions from the Title class have been hard deprecated: - getPreviousRevisionID - getNextRevisionID - getEarliestRevTime * The following functions from the User class have been hard deprecated: - getDefaultOptions - getDefaultOption * The mw.language.commafy client-side method has been deprecated, to match the deprecation of Language::commafy. Use mw.language.convertNumber instead. * The "es6-promise" module has been deprecated. Use "es6-polyfills" instead. * Title::isDeleted() and Title::isDeletedQuick() have been deprecated. Please use Title::getDeletedEditsCount() and Title::hasDeletedEdits() instead. * Article::getContentObject, soft-deprecated since 1.32, was hard-deprecated. * WikiRevision::importUpload, soft-deprecated since 1.31, was hard-deprecated. * Html::infoBox() has been deprecated. There's no replacement. * Message::toString() without a $format parameter, soft-deprecated since 1.28, was hard-deprecated. Use explicit formatting methods instead, such as Message::text() and Message::escaped(). * BagOStuff::makeKeyInternal() usage outside of BagOStuff has been deprecated. * BagOStuff::setDebug() is deprecated and calls to it are ignored. Debug logs are now unconditionally enabled. * The following global functions have been hard deprecated: - wfAppendToArrayIfNotDefault - wfAcceptToPrefs - wfClearOutputBuffers - wfConfiguredReadOnlyReason - wfDebugMem - wfGetPrecompiledData - wfNegotiateType * BeforeParserFetchTemplateAndtitleHook has been deprecated; replace with the new BeforeParserFetchTemplateRevisionRecord hook. (The similar ParserFetchTemplateHook was deprecated in 1.35; the new hook replaces both.) 
* The InterwikiLoadPrefix hook has been deprecated; it is not compatible with future wikitext parsers (which need to enumerate all interwiki prefixes). In test cases please use $wgInterwikiCache instead. * WikiPage instances should no longer be constructed for titles that do not represent editable pages (e.g. special pages). WikiPages were always documented to represent "MediaWiki article and history". * Skin::getSkinStylePath() has been deprecated. Please replace usages with the direct path to the resources. * The second argument of EnhancedChangesList::getDiffHistLinks, $query, has been deprecated. * The ParserTestTables hook has been deprecated; it is no longer necessary after a ParserTestRunner refactoring. * The following classes have been hard deprecated: CachedAction, SpecialCachedPage, CacheHelper, ICacheHelper. They were unused in the MediaWiki ecosystem, so no replacement was provided. * The ProtectionForm::buildForm hook has been deprecated. Please use the ProtectionFormAddFormFields hook instead. * RevisionStore::newMutableRevisionFromArray has been hard deprecated. Instead, MutableRevisionRecord should be constructed directly via constructor. * UserIdentity::getActorId() is deprecated. The actor ID should not be exposed to application logic. Storage layer code should use the ActorNormalization service for normalizing and denormalizing user names. * Constructing a UserIdentityValue with an actor ID as the third parameter is deprecated. The parameter should be omitted. Storage layer code should use the ActorNormalization service for normalizing and denormalizing user names. * Command::cgroup() is deprecated and no longer functional. $wgShellCgroup is now implemented as an Executor option. * Command::restrict() is deprecated. Instead use the new separate accessors. * MWTidy::tidy() is deprecated. Use MediaWikiServices::getTidy()->tidy() instead. * TidyDriverBase::supportsValidate() is deprecated; it has always returned false since 1.33. 
* WatchedItem::getUser hard-deprecated in favor of ::getUserIdentity. * WatchedItemStoreInterface::enqueueWatchlistExpiryJob was hard deprecated in favor of the new method maybeEnqueueWatchlistExpiryJob that takes care of relevant configuration checks. * LogEntry::getPerformer() and its implementations have been hard-deprecated, in favor of ::getPerformerIdentity(). * AuthManager::singleton(), deprecated in 1.35, is hard deprecated. Use MediaWikiServices::getAuthManager() instead. * User::clearNotification(), deprecated in 1.35, is hard deprecated. Use WatchlistManager::clearTitleUserNotification() instead. * Passing string to DatabaseBlock::setBlocker was deprecated. Only UserIdentity is now allowed. * DatabaseBlock constructor 'byText' option was deprecated in favour of 'by' option, which now accepts UserIdentity. Passing user ID is deprecated. * Parser::getUser was deprecated. Use Parser::getUserIdentity instead. * DatabaseBlock::isWhitelistedFromAutoblocks was deprecated. Use DatabaseBlock::isExemptedFromAutoblocks instead. * User::isIPRange(), deprecated in 1.35, is hard deprecated. Use the UserNameUtils service or IPUtils directly. * BaseTemplate::getFooterIcons(), deprecated in 1.35, is hard deprecated. Read footer icons from template data requested via $this->get('footericons'). * `box-shadow()` LESS mixin from mediawiki.mixins is deprecated due to updated basic browser support. Use unprefixed property `box-shadow:` instead. * MergeHistory::checkPermissions was deprecated. Use ::probablyCanMerge or ::authorizeMerge instead. * User::isValidUserName(), deprecated in 1.35, is hard deprecated. Use the UserNameUtils service instead. * The TitleArrayFromResult hook has been deprecated. * The EditPageBeforeEditToolbar hook has been deprecated; it has become defunct after the classic edit toolbar was removed. Use one of the many other EditPage hooks instead. 
* Deprecated the class name MediaWiki\User\WatchlistNotificationManager; use MediaWiki\Watchlist\WatchlistManager instead. Deprecated the method MediaWikiServices->getWatchlistNotificationManager(); use MediaWikiServices->getWatchlistManager() instead. * The "ArticleEditUpdatesDeleteFromRecentchanges" hook, deprecated in 1.35, has been removed. Other hooks like "RecentChange_save" can be used instead. === Other changes in 1.36 === * The 'tidy' key in ParserOptions (used in the parser cache) has been removed. It has had no effect since 1.35. * A future release of MediaWiki will make `{{=}}` a built-in parser function, for use when automatically escaping the `=` character in template arguments. A tracking category and parser warning have been added to this release when `{{=}}` is used and it expands to something other than `=`. * The implementation of TestFileReader::read has been changed to use Parsoid's parser test file parser. This should be compatible with existing code, but it only supports version 2 of the test file specification and may be more strict when parsing invalid input, including duplicate tests. * BeforeParserFetchTemplateRevisionRecord, a new hook, unifies and replaces the old BeforeParserFetchTemplateAndtitleHook and ParserFetchTemplateHook. * The SkinLessImportPaths attribute was added, allowing skins to add a directory to the import path for LESS stylesheets. Skins can use this to provide a custom version of mediawiki.skin.variables.less, setting skin-specific values for certain LESS variables. * The interaction between ContentHandler::getParserOutputForIndexing() and ContentHandler::getDataForSearchIndex() has been clarified (the latter should only be called with the result of the former). Extensions may override getParserOutputForIndexing() to skip generating HTML, which may improve indexing performance. 
(The default implementation still generates HTML, and getDataForSearchIndex() implementations can still rely on it if they do not override getParserOutputForIndexing().) * Article::fetchContentObject, ::mContentObject, ::mContentLoaded, ::mRevIdFetched, all deprecated since 1.32, were removed. * Article::mParserOptions and ::setParserOptions were removed. * Article and ImagePage::getEmptyPageParserOutput, unused, were removed. * ParserCache's default serialization format was changed from PHP serialization to JSON serialization. In case some installed extensions do not support JSON yet, $wgParserCacheUseJson can be used to revert back to PHP serialization. * PermissionManager::groupHasPermission, ::getGroupPermissions and ::getGroupsWithPermission were deprecated, use GroupPermissionsLookup service instead. * WatchedItemStoreInterface now accepts PageIdentity where it accepted LinkTarget, calling with LinkTarget was deprecated. * 'movable' attribute has been added to the 'namespaces' property of extension.json schema. Extensions that define namespaces can set it to `false` to disallow moving pages in the specified namespace. Extensions should either use this or NamespaceIsMovableHook, but not both. The hook overrides the attribute. == Compatibility == MediaWiki 1.36 requires PHP 7.3.19 or later and the following PHP extensions: * ctype * dom * fileinfo * iconv * intl * json * mbstring * xml MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. 
The supported versions are: * MySQL 5.5.8 or later * PostgreSQL 9.4 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.35 = MediaWiki 1.35 should mostly work on PHP 8.0/8.1, however it is not currently actively supported. Testing (on a development wiki!) is appreciated, and bugs with PHP 8.0/8.1 on MediaWiki 1.35 will be accepted. It is anticipated that in a later MediaWiki 1.35 point release, we can declare 1.35 as supporting PHP 8.0/8.1. PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/ PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/ PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/ PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/ == MediaWiki 1.35.13 == This is a maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.12 === * Tarball release to fix backport issues with patch for T341529. == MediaWiki 1.35.12 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.11 === * Localisation updates. 
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion. * (T341434) WikiImporter: Improve error message output. * (T341737) ApiBase: Cast $id to string in filterIDs. * (T342632) ApiComparePages: Add help url. * (T347227) ImportReporter: Make callback functions public. * doc: Improve description of type in extension.schema.v1.json. * (T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages. * (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression. * (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration). == MediaWiki 1.35.11 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.10 === * Localisation updates. * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1. * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (1.9.0 => 1.9.1). * (T269636) Add Access-Control-Max-Age to $wgAllowedCorsHeaders. * (T322944) Add Authorization to default $wgAllowedCorsHeaders. * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter. * (T297917) objectcache: avoid use of ctype_digit() in WANObjectCache::adaptiveTTL(). * (T330464) Work around argument corruption bug in XMLReader::open. * (T313157) IndexPager: Also protect against $offset being 0. * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker. == MediaWiki 1.35.10 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.9 === * Localisation updates. * (T324895) MWCallbackStream: Add explicit $stream property. * Remove /images .htaccess rules that are no longer relevant. * Disable php in .htaccess of images directory as a hardening measure. * (T322583) Include missing message parameter in message. 
* Fix phan error when Excimer is enabled. * (T274966) tests: Make pass on php8.0. * (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0. * (T326021) Add matrix: to $wgUrlProtocols. * api/en.json: api-help-datatype-expiry add missing 'may'. * (T225218) Wait until the recent changes are updated. * (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase. * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code. * (T289926) SpecialRevisionDelete: Set default of '' for wpReason. * (T155582, T328503) Fix XML dumps for content types with non-string getNativeData(). * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4. * (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses. * (T329198) ParamValidator: Improve paramvalidator-help-multi-max message. * (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag. * (T329484) API: Fix query+allimages user parameter description. * (T330529) SpecialEditTags: Set default of '' for wpReason. * (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects. * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers. == MediaWiki 1.35.9 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.8 === * Localisation updates. * (T319000) WebInstaller: Don't try and run trim() on null. * (T320864) When calling mail(), use an array for headers. * (T311567) In ManualLogEntry, cast the comment to string. * (T323082) Upgrading wikimedia/xmp-reader (0.7.0 => 0.8.5). * Language: Handle ronna and quetta. * (T304515) LCStoreStaticArray: atomically replace the cache file. * (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2. * (T322637) SECURITY: sqlite should not create DB file world-readable. == MediaWiki 1.35.8 == This is a security and maintenance release of the MediaWiki 1.35 branch. 
=== Changes since MediaWiki 1.35.7 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null. * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid. * (T312302) SpecialRedirect: Don't pass null to explode. * RemoveInvalidEmails: Fix quoting for postgres. * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen(). * (T312300) SpecialDiff: Don't pass null to explode(). * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg. * (T289926) Handle null passed to wfShorthandToInteger() and Html::element(). * (T289926) Ensure that strlen() does not get passed a (valid) null. * (T312301) SpecialDiff: Don't pass null to trim(). * Hooks: Use more meaningful name for SkinAfterPortlet hook parameter. * (T289926) Ensure we don't pass null to mb_strlen. * (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim() calls. * (T289926) site: Consistently return null from Site::getDomain(). * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept(). * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1. * Add application/vnd.ms-opentype to MIME list. * Allow composer/installers plugin in composer.json. * (T313663) Make HandlerTestTrait compatible with php8.1. * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests. 
* Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1. * (T313663) [php8] Don't use strlen on potentially null string. * (T313663) [php8.1] Suppress test warning about providing null. * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp. * (T313663) Add explicit null check for $sha in FileBackend [php8.1]. * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1]. * (T289879, T289926) Get rid of warnings on PHP 8.1. * rdbms: fix some PHP 8 warnings in Database/LoadBalancer/LBFactory. * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat]. * Fix a couple deprecation warnings in the installer under PHP 8.1. * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1]. * (T314096) Migrate use of ${var}-style string interpolation. * (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null. * (T314225) SpecialCategories: Null coalescence $par. * (T314099) User: Allow dynamic properties on PHP 8.2. * (T314404) SpecialGoToInterwiki: Null coalescence $par. * (T314397) SpecialBlock: Better handle null in getTargetUserTitle. * (T314099) phpunit: Fix trivial dynamic property usages in tests. * (T314405) UploadStash: Check if us_prop is set in the fileMetadata. * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint. * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters. * api: Add rel=nofollow to help examples. * (T314824) tests: Update parser test after i18n change. * (T263927) Add autocomplete HTML attribute to common auth form fields. * (T307613) Validate length of user email on Special:ChangeEmail/ Special:CreateAccount. * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions. * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite. * (T315892) composer.json: Pin phpunit to 8.5.28. 
* (T229092) MigrateActors.php: ignore duplicate creations of actors. * (T313049) Bump wikimedia/parsoid to v0.12.3. * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change. * (T318460) SpecialChangeEmail: Set default for returntoquery. * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions. * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users. == MediaWiki 1.35.7 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.6 === * Localisation updates. * (T289879) Type hints for ArrayAccess. * (T304783) TemplateParser: avoid warnings when called by NoLocalSettings. * Rebuilt vendor with composer 2.3.3. * (T289879) Address some deprecations for PHP 8.1. * Fix old_name in UserLogoutComplete hook. * (T286260, T307979) objectcache: normalize $exptime to a TTL in APCUBagOStuff/WinCacheBagOStuff. * MediaSearchWidget should declare an explicit dependency on mediawiki.user module. * (T288423) WikiImporter: Replace deprecated WikiRevision::setText. * (T309377, CVE-2022-29248, T311384, CVE-2022-27776) Updating guzzlehttp/guzzle (6.5.5 => 6.5.8). * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage(). * (T311272) Call parent constructor of AddSite maintenance script first. * MediaWiki: Don't eagerly initialize action name. * (T289926) Avoid passing null to trim() in SkinTemplate. * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1. * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode(). * (T311569) FileBackend::isStoragePath() Handle being passed null. * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param. * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower(). * (T281741) ChangeTags: Fix adding CSS classes for hidden tags. * (T296642) changetags: Fix management of a '0' tag. 
* (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null. * (T303033) Handle null in ChangeTags::modifyDisplayQuery. == MediaWiki 1.35.6 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.5 === * (T298261) Fix support for Composer 2.2. * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins. * Update doctrine/dbal (3.0.0 => 3.1.5). * (T298564) MemcachedClient: Add support for IPv6. * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete. * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader(). * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest. * (T274966) Upgrading wikimedia/html-formatter (1.0.2 => 2.0.1). * Fix the json schema and the extension processor for Parsoid extension modules. * (T299696) update.php: Avoid passing null to substr. * In PHP 8.1 don't throw exceptions from mysqli. * (T289926) SiteConfiguration: Don't pass null to str_replace(). * (T264735) Fix deprecation warning from CURLPIPE_HTTP1. * (T260735) Stop using is_resource() where possible. * (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces. * (T299312) Implement __serialize/__unserialize for PHP 8.1 support. * ExtensionRegistry: Add process cache for lazy attributes. * (T301041) ApiPageSet: Add "missing": true to missing revisions. * Allow ParsoidModules extension schema to register services. * (T297708) Allow setting max execution time to several special pages. * Upgrading wikimedia/object-factory (v2.1.0 => v2.2.0). * (T302540) composer.json: Add ext-calendar to require. * (T302540) composer.json: Add ext-simplexml to require-dev. * (T302540) composer.json: Add various PHP extensions to suggests. * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0). * (T303871) Add Title::getId() as an alias for ::getArticleId(). 
* (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning. * (T293576) listFiles: Display file name instead of version. * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value. * wrapOldPasswords: add \n to two output calls. * (T304993) Make editcontentmodel a part of editpage grant. * (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki. * (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS. == MediaWiki 1.35.5 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.4 === * (T290697) Add symfony/polyfill-php80. * IcuCollation: Add some more icu to unicode version mappings. * ApiBase: Annotate deprecated constants individually. * PHPVersionCheck: Mark PHP 7.4.0 - 7.4.2 as buggy. * (T293044) installer: Fix 5th param to sourceFile() in DatabaseUpdater. * (T291127) Always encode spaces in cookie values as "%20". * Use LocalFile::getHookRunner instead of LocalFile::hookRunner. * HistoryBlobStub: add getLocation() to get $mOldId. * Fix checkStorage.php. * checkStorage: pass no parameters to WikiRevision::getContent(). * (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion results. * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode". * (T250068) resources: Upgrade jQuery from 3.4.1 to 3.6.0. * (T250068) resources: Upgrade jquery-migrate from 3.1.0 (patched) to 3.3.2 (patched). * (T294796) JobQueueRedis: Replace deprecated zSize with zCard. * (T212428, T267468) Allow populateContentTables to continue when there are bad blobs. * (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set. * Update pear/mail_mime to 1.10.11. * Update deprecated Guzzle Psr7 function calls. * Tweak error message for missing composer dependencies. * (T296112) Allow inserting new sections named '0'. 
* nukeNS: don't run purgeRedundantText() after every change.
* (T225888) RollbackAction: fix missing pagetitle.
* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions.
* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
* (T34716, T297416) SECURITY: Require 'read' right for most actions.
* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model.

== MediaWiki 1.35.4 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.3 ===
* (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
* (T283273) Make postgres IRC channel point to libera.chat.
* (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas.
* (T281549) Installer: Fix mediawiki-announce auto subscription code.
* FormatJson: Optimize encode() for supported PHP versions.
* (T290398) renameRestrictions.php: Update protected_titles as well.
* $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
* (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes.
* (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

== MediaWiki 1.35.3 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.2 ===
* (T259685) SQLite compatibility with ZeroConf VisualEditor was fixed in 1.35.2.
* (T196906, T242751) Fix the test MonologSpiTest::testDefaultChannel.
* (T279964) Parser: Trim trailing whitespace as the last step in pre-save transform.
* (T278026) rdbms: Add DB_PRIMARY to replace DB_MASTER.
* (T252853) Update updateSearchIndex.php to 2006+ standards.
* (T276945) Define a batch size in maintenance/manageJobs.php.
* (T276945) Implement JobQueueDB::getAllAbandonedJobs.
* (T269676) authevents: strval() variables passed to status when logging.
* (T280944) $wgIncludejQueryMigrate - This setting allows the jQuery Migrate plugin to be disabled. It has been enabled by default since MediaWiki 1.27.
* (T281584) apihelp-query+iwlinks-param-prop: s/interlanguage/interwiki/.
* (T281635) Delete maintenance/cleanupAncientTables.php.
* (T282133) RedisConnectionPool: Suppress phan issue.
* (T281549) WebInstaller: Don't show the announce-l subscribe checkbox temporarily.
* (T278266) Fix annoying E_NOTICE about undefined 'alt' index in Skin#makeFooterIcon.
* (T264214) UserRightsProxy::addGroup has to be allowed to update the old group as well, which is used for granting interwiki rights.
* (T269776, T278266) getFooterIcons should not return empty arrays.
* (T274966) Skip AvroFormatterTest::testSchemaNotAvailable on PHP 8.0.
* phpunit: fail on warnings.
* (T283247) Freenode -> Libera per wikimedia moving from freenode to libera.
* (T243124) Make phpunit:unit accept extension*.json to populate the classes.
* (T142663) Add extension.json merge strategy "provide_default".
* (T283540) HookContainer: Fix normalization of callback for static handler.
* (T283464) Fix array order for array_replace_recursive merge strategy.
* (T247223) Optimise MessageCache::isMainCacheable() for the single-message case.
* (T278579) Don't send headers on ob_end_clean().
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.

== MediaWiki 1.35.2 ==

This is a security and maintenance release of the MediaWiki 1.35 branch. MediaWiki 1.35.2 supports Composer 2.0. It is recommended to make sure your libraries are up to date on Composer 1.x, before running Composer 2.x.
While normally running update.php isn't required for point releases, it is recommended to run it for 1.35.2 so that iwlinks.iwl_prefix is updated to take 32 characters.

=== Changes since MediaWiki 1.35.1 ===
* (T270450) The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered().
* Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support.
* Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support.
* Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support.
* (T270734) Fix display of Special:Preferences URL in password reset email.
* (T252774, T271441) resourceloader: Give SkinModule 'features' option an extensible default.
* (T271441) Unknown features shouldn't break style output.
* (T264986) Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having curl >= 7.30.0.
* DefaultSettings.php: Update $wgPingback documentation.
* Fix docs for LanguageConverter::translate.
* (T272250) Don't rely on implicit string->int cast in comparison.
* (T272327) Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine.
* (T272328) UploadBase: Don't call MimeAnalyzer if mTempPath is null.
* Remove nonfunctional default sampling for WANObjectCache metrics.
* (T258851) Prevent service injection to LoadExtensionSchemaUpdates hook.
* (T270852) Hooks: Map dash character to underscore when generating hook names.
* (T271551, T270145) Fix fetching ipblock-exempt within BlockManager::getUserBlock.
* PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0.
* (T248925) Set empty closures in DatabaseTest to fix PHP 8 tests.
* (T34217) rdbms: Remove outdated MySQL 4 references and fix doc URLs.
* (T248925) Special:Contributions reports negative namespace error on PHP 8.
* (T248925) objectcache: Fix non-numeric string check in HashBagOStuff for PHP 8.
* (T248925) Fix CacheTime::getCacheExpiry for PHP 8.
* (T259685) Allow REST API POST handlers to opt out of mandatory SQLite locking.
* (T91820, T259685) MWLBFactory: rename magic HTTP header for opting out of SQLite write lock.
* (T272326) Fix DeprecationHelperTest on PHP 8.
* Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support.
* (T236639) OutputPage: Make $wgDebugRedirects work again.
* (T274648) registration: Allow reusing cached metadata between wikis.
* CdnCacheUpdate: Send full URL instead of path to Curl for purge.
* Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support.
* FileBackend: Do not use SOCKET_ENOENT on windows.
* (T275441) ApiQueryUserInfo: Allow all uiprops to be requested at once.
* (T275261) Escape wikitext in the title in invalid title error messages.
* (T275242) Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL.
* (T246594, T270228) PHPVersionCheck: Complain about known-bad versions above minimum.
* (T275824) Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for Composer 2.0 support.
* (T269293) Record all used options in metadata.
* Allow usage of Composer 2.0 to install MediaWiki's dependencies.
* (T259872) skins: Call headElement() after getTemplateData() in SkinMustache.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens.
* (T272412) Add "Account data" section to user preferences.
* (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook.
* (T277520) registration: Allow specifying immovable namespaces in extension.json.
* (T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods.
* (T254688) Remove page inner join from subquery in SpecialWhatLinksHere.
* (T122124) signup: added help message for security.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages.
* (T277414) HTMLFormField: Use non namespaced class name rather than static::class.
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php for page_namespace below 0.
* (T246594, T270228) Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8.
* (T268230) Switch to new MediaWiki logo by Serhio Magpie.
* (T271735) Expand config-pingback-help, link to privacy policy in config-pingback.
* Fix documentation of user-global in $wgRateLimits.
* BackupDumper: Add -o as shortcode for --output.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can create pages.
* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary tags.

== MediaWiki 1.35.1 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

While normally running update.php isn't required for point releases, it is recommended to run it for 1.35.1 so that sites.site_language is updated to take 35 characters.

Watchlist Expiry is no longer considered experimental, but is off by default. To enable it, set $wgWatchlistExpiry = true; in your LocalSettings.php.

=== Changes since MediaWiki 1.35.0 ===
* (T263929) purgeList.php Fix all-namespaces option to match one used in code.
* (T248719) ParserCache::get - fix wfDeprecated call.
* (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab.
* Preload mediawiki.watchstar.widgets before api request.
* (T261030) ApiEditPage: Show existing watchlist expiry if status is not being changed.
* (T264502) Fix PHP 8 compat with strcspn() $length parameter exceeding string.
* (T248925) Remove final modifier on private function.
* (T264683) Remove ipb_anon_only from ipb_address_unique index addition.
* (T261415) Add days left messages to changes-lists' clock icons.
* Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave.
* (T261260) Preload class used in HeaderCallback.
* (T260868, T260009) Normalize WatchedItem expiry field.
* (T264683) Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields.
* (T264534) ApiPageSet: Avoid infinite loop when merging redirects.
* (T196906) Empty Monolog loggers are now real blackholes.
* (T258649) WatchAction: avoid UPDATE when old and new watch period is indefinite.
* Parser: Adjust typehint to show that getTitle can return null.
* (T263592) media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData().
* (T265223) BaseTemplate: Guard against passing zero arg to array_merge().
* (T264965) Fix base path handling for MessagePosterModule registration.
* (T252183) Fix Database::getTempTableWrites for multi table DDLs.
* (T182546) Fix switch/case indentation per mediawiki coding conventions.
* Flip Yoda conditionals.
* (T263213) Move SkinTemplate::getFooterLinks() to Skin.
* build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
* (T267105) Make ImageBuilder::checkMissingImage public.
* Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
* (T266681) Support new style hook registration on install and update.
* (T266980) Fix unsetting of copyright icon in FooterIcons.
* upload.js: Don't assume that warnings array will include 'code' key.
* upload.js: Fix typo in upload API.
* (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded.
* (T267558) importTextFiles.php: Replace deprecated WikiRevision:setText().
* (T266418) composer.json: add requirement for composer-plugin-api ^1.1.
* (T261431) Add ARIA attributes to watchlink and its notification.
* (T258877) Change invalid 'Content-Encoding: none' header.
* Fix trailing ; in patch-sites-site_language-35.sql.
* (T248852) wfAssembleUrl: Handle empty query field in URL bits.
* (T268846) Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0).
* (T268887) migrateComments: Cast array keys back to string before passing to the DB.
* (T266619) Introduce new $wgThumbPath config.
* (T269178) MemcachedClient: Cast Resource to integer.
* (T263925) Use the old HookContainer to set up the post-reset services.
* Change "site cache" to just "cache" in the right-purge message.
* [UploadedFileStreamTest] Skip test with chmod.
* (T269710) Updating composer/semver (1.5.1 => 1.7.2).
* (T269710) Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0).
* (T260631, T260633), BotPassword::save() now returns a Status object for the result rather than a bool. The length of the bot password grants and restriction fields are now validated, and an error will be thrown if it would be truncated by the database.
* (T265778) Fix English/*nix specific error messages in FSFileBackend.
* (T267543) Split dropping of image.img_user_timestamp.
* [FileTest] Do not assume /tmp exists on windows.
* Clean up temp files correctly after unit tests.
* Skip undo related phpunit tests when diff3 is missing.
* (T269964) rdbms: Remove outer parentheses in insert query for Postgres.
* (T263911) In MWExceptionHandler::report(), catch all throwables.
* (T268894, CVE-2020-35474) SECURITY: Use Html::element in ChangeListSpecialPage for sanity.
* (T268917) Use Xml::element in SpecialUserrights for sanity.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity.
* (T268938) Fixed mixed escaping in Language::translateBlockExpiry.
* (T263911) UserOptionsManager: don't differentiate anons caches.
* (T261260) HeaderCallback: pre-cache request ID.
* Parsoid updated to v0.12.1.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users.
* (T270145) Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP.

== MediaWiki 1.35.0 ==

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when clicking in Special:Preferences now has a correct type="text" parameter
* (bug 482) Don't include TOC in the printable version if it has been hidden
* Adjust the time according to the user configuration on Special:Revisiondelete
* (bug 20624) Installation no longer allows "qqq" as the chosen language
* (bug 20634) The installer-created database user will now have all rights on the database so that upgrades will go more smoothly.
* (bug 18180) Special:Export ignores limit, dir, offset parameters
* User::getBlockedStatus() works for all kinds of user objects and doesn't assume the user object is equal to the current-user object ($wgUser)
* (bug 20517) Cancel link from edit page now returns to the old version when editing an old version
* (bug 16902) Installer no longer shows warnings when exec() has been disabled by disable_functions
* (bug 20726) Title::getLatestRevID's documentation now says that the function returns false if the page doesn't exist
* (bug 20751) ForeignApiRepo now urldecodes filenames when saving to local cache
* (bug 20730) Fix to Special:Version ViewVC link for branch checkouts
* (bug 20353) wfShellExec() was adding extra quotes on Windows Vista, causing command line scripts to fail
* (bug 20702) Parser functions can now be used correctly in MediaWiki:Missing-article
* (bug 14117) "redirected from" is now also shown on foreign file redirects
* (bug 17747) Only display thumbnail column in file history if the image can be rendered.
* (bug 3421) Live preview no longer breaks user CSS/JS previews
* (bug 11264) The file logo on a file description page for documents (PDF, ...) now links to the file rather than the file description page
* Password fields built with HTMLForm now still have the type="password" attribute if $wgHtml5=false.
* (bug 20836) Preload now works for MediaWiki namespace
* (bug 20885) Search box no longer suggests unavailable special pages
* (bug 20948) "Create this page" on Special:Search is no longer displayed when searching for special pages
* (bug 20524) Hideuser: Show nice error when trying to block hidden user without hideuser right
* (bug 21026) Fixed file redirects on shared repos on non-English client wikis
* (bug 21030) Fixed schema choices from being overwritten by defining unique field names per driver.
* (bug 21115) wgCanonicalSpecialPageName javascript variable is now always false on non-special pages
* (bug 21113) "Other statistics" header on Special:Statistics is no longer displayed when there isn't any entry in it
* (bug 21114) Special:Contributions no longer shows diff links for new revisions
* (bug 21116) MediaWiki:Templatesused, MediaWiki:Templatesusedpreview and MediaWiki:Templatesusedsection now support plural
* (bug 21079) There is no more line wrapping between label and field in Special:Log
* (bug 20256) Fixed SQL errors on Special:Recentchanges and Special:Recentchangeslinked on SQLite backend
* (bug 20880) Fixed updater failure on SQLite backend
* (bug 21182) Fixed invalid HTML in Special:Listgrouprights
* (bug 20242) Installer no longer prompts for user credentials for SQLite databases
* (bug 20911) Installer failed to create a SQLite database
* (bug 20847) Deprecated deprecated akeytt() removed in wikibits.js leaving dummy
* (bug 21161) Changing $wgCacheEpoch now always invalidates file cache
* (bug 20268) Fixed row count estimation on SQLite backend
* (bug 20275) Fixed LIKE queries on SQLite backend
* (bug 21234) Moving subpages of titles containing \\ now works properly
* (bug 21006) maintenance/updateArticleCount.php now works again on PostgreSQL
* (bug 19319) Add activeusers-intro message at top of SpecialActiveUsers page
* (bug 21255) Fixed hostname construction for DNSBL checking
* (bug 18019) Users are now warned when moving a file to a name in use on a shared repository and only users with the 'reupload-shared' permission can complete the move.
* (bug 18909) Add missing Postgres INSERT SELECT wrapper
* User::isValidPassword now only returns boolean results, User::getPasswordValidity can be used to get an error message string
* The error message shown in Special:ChangePassword now parses wiki markup
* (bug 19859) Removed experimental HTMLDiff feature
* Removed section edit links in edit conflict form
* Allow SpecialActiveusers to work on non-MySQL databases
* (bug 6579) Fixed protecting images from uploading only
* (bug 18609) Search index was empty for some pages
* (bug 13453) rebuildrecentchanges maintenance script works on PG again
* (bug 16583) Reduce false positives when checking for PHP (on upload, etc.)
* (bug 20112) Bitrotted tests in the t/ directory were failing.
* (bug 21470) MediaWiki:Sp-contributions-explain is now wrapped in a div with id "mw-sp-contributions-explain"
* (bug 19159) Fixed \overleftrightarrow in texvc
* (bug 19391) Fix caching for Recent ChangesFeed.
* (bug 21455) Fixed "Watch this page" checkbox appearing on some special pages even to non-logged in users
* (bug 21551) Rewrote the Squid purge HTTP client to provide a more robust and general implementation of HTTP, allowing it to purge non-Squid caches such as Varnish.
* Fixed corruption of long UDP debug log messages by using socket_sendto() instead of fsockopen() with fwrite().
* (bug 16884) Fixed feed links in sidebar not complying with URL parameters of the displayed page
* (bug 21403) memcached class renamed to MWMemecached to avoid conflict with PHP's memcached extension
* (bug 21650) Both calls to SkinTemplateTabs hook are now compatible
* (bug 21672) Add missing Accept-Language to both Vary and XVO headers
* (bug 21679) "Edit block reasons" link at the bottom of Special:Blockip is now only displayed to the users that have "editinterface" right
* (bug 21740) Attempting to protect a page that doesn't exist (salting) returns "unknown error"
* (bug 18762) both redirects and links get fixed one after another if redirects-only switch is not present
* (bug 20159) thumbnails rerendered if older than $wgThumbnailEpoch
* Fixed a bug which in some situations causes the job queue to grow forever, due to an infinite loop of job requeues.
* (bug 21523) Files that can have multiple pages (djvu, pdf, ...) no longer have the page selector when they have only one page
* (bug 21559) "logempty" message is now wrapped in a div with class "mw-warning-logempty" when used in log extract
* (bug 20549) Parser tests were broken on SQLite backend
* (bug 21776) Interwiki urls like http://en.wikibooks.org/wiki/cs: should give a redirect instead of a baderror.
* (bug 21803) Special:MyContributions now keeps the query string parameters
* Redirecting special pages now keep query string parameters set to "0" (e.g. for namespace)
* (bug 20765) Special:ListGroupRights no longer misses addables and removables groups if there are duplicate entries
* (bug 21814) Message shown when rolling back an edit with a deleted username now shows '(username deleted)' instead of broken user tool links
* (bug 21536) Fixed JavaScript error on Special:Search caused by an incorrect ID
* (bug 21535) RecentChanges RSS feed now always recognises the namespace filter, previously it sometimes didn't due to caching.
* (bug 20388) ProfilerSimpleText no longer outputs comment on action=raw
* refreshLinks.php now purges orphaned redirect table rows
* (bug 2971) Swap links of hist & diff location on Special:Contributions for consistency with RC/WL
* (bug 21986) Special page names are now capitalized by content language
* If two log types have the same description, they're now both displayed in the type selector on Special:Log
* (bug 20115) Special:Userlogin title says "Log in / create account" even if the user can't create an account
* (bug 2658) Don't attempt to set the TZ environment variable.
* (bug 9794) User rights log entries for foreign user now links to the foreign user's page if possible
* (bug 14717) Don't load nonexistent CSS fix files for non-Monobook skins
* (bug 22034) Use wfClientAcceptsGzip() in wfGzipHandler instead of reimplementing it.
* (bug 19226) First line renders differently on many UI messages.
* (bug 21303) Comments are no longer stripped from MediaWiki:Common.js and skin-specific JS pages
* (bug 5061) Use the more precise thumbcaption thumbimage and thumbinner classes for image divs.
* (bug 22096) IE50Fixes.css and IE55Fixes.css have been dropped from the Monobook and Chick skins
* Fixed bug involving unclosed "-{" markup in the language converter
* (bug 21870) No longer include Google logo from an external server on wiki error.
* (bug 22181) Do not truncate if the ellipsis actually makes the string longer
* (bug 16039) Text disappearing after a bad image
* (bug 18784) Internal links like [[File:Foo|caption]] should read 'caption', not 'File:Foo' when Foo is not an image
* (bug 21518) Special:UserRights no longer displays the user name box for users that can only change their rights
* (bug 21593) Special:UserRights now lists automatic groups membership
* (bug 22364) Setting $wgUseExternalEditor to false no longer hides the reupload link from file pages
* Fix bug introduced in MediaWiki 1.12: The author field in $wgExtensionCredits is no longer sorted with sort() but rather used as it appears in extensions as was the case before r30117 where it was unintentionally sorted along with other fields.
* (bug 19334) Textarea no longer jumps when editing longer articles in IE8
* Truncate summary of page moves in revision comment field to avoid broken multibyte characters
* (bug 22540) ForeignApiRepos no longer try to store thumbnails that don't exist
* (bug 22551) Special:Resetpass now has a "Cancel" button that sends the user to the page set in the &returnto parameter.
* (bug 19194) Search box in Modern skin doesn't focus with Safari/Chrome
* (bug 17790) Users instantly logged off on HughesNet
* (bug 21549) Make foreign key constraints DEFERRABLE INITIALLY DEFERRED when using Postgres as the database backend.

== API changes in 1.16 ==

* Added uiprop=changeablegroups to meta=userinfo
* Added usprop=gender to list=users
* (bug 18311) action=purge now works for images too
* Add parentid to prop=revisions output
* (bug 17832) action=delete returns 'unknownerror' instead of 'permissiondenied' when the user is blocked
* (bug 18546) Added timestamp of new revision to action=edit output
* (bug 18554) Also list hidden revisions in list=usercontribs for privileged users
* (bug 13049) "API must be accessed from the primary script entry point" error
* (bug 1