RELEASE-NOTES-1.23

Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.

== MediaWiki 1.23.17 ==

=== Changes since 1.23.16 ===

* Fix syntax errors introduced in 1.23.16 when running PHP 5.3.

== MediaWiki 1.23.16 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.15 ===
* (T68404) CSS3 attr() function with url type is no longer allowed
  in inline styles.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Submitting the lgtoken and lgpassword parameters in the query string to
  action=login is now deprecated and outputs a warning. They should be submitted
  in the POST body instead.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
  to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
  declaration.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  it.

== MediaWiki 1.23.15 ==

This is a maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.14 ===
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  made by MediaWiki via a proxy. Relying on the http_proxy environment
  variable is no longer supported.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* Remove support for $wgWellFormedXml = false, all output is now well formed

== MediaWiki 1.23.13 ==

This is a maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.12 ===
* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to
  m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after
  SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primitives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in
  (many?) parser tags
* (T126685) Globally throttle password attempts

== MediaWiki 1.23.12 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.11 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
  that do not begin with a slash. This enabled trivial XSS attacks.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
  error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
  with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
  longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
  result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
  and related pages no longer use HTTP redirects and are now redirected by
  MediaWiki

== MediaWiki 1.23.11 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.10 ===

* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails

== MediaWiki 1.23.10 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.9 ===

* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
  Special:DeletedContributions
* (bug 67644) Make AutoLoaderTest handle namespaces
* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
  policy of Wikimedia Commons.

== MediaWiki 1.23.9 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.8 ===

* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
  to prevent various DoS attacks.
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
  likelihood of DoS.
* (T88310) SECURITY: Always expand XML entities when checking SVGs.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
  prevent XSS and protect viewer's privacy.
* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
  update.php to fix.
* (bug T70087) Fix Special:ActiveUsers page for installations using
  PostgreSQL.

== MediaWiki 1.23.8 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.7 ===

* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
  could lead to XSS. Permission to edit MediaWiki namespace is required to
  exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.

== MediaWiki 1.23.7 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.6 ===

* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
  into API clients that used format=php to process pages that underwent flash
  policy mangling. This was fixed along with improving how the mangling was done
  for format=json, and allowing sites to disable the mangling using
  $wgMangleFlashPolicy.
* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
  the content model for a page could allow an unprivileged attacker to edit
  another user's common.js under certain circumstances. The user right
  "editcontentmodel" was added, and is needed to change a revision's content
  model.
* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
  HTML, it is not safe to preview wikitext coming from an untrusted source such
  as a cross-site request. Thus add an edit token to the form, and when raw HTML
  is allowed, ensure the token is provided before showing the preview. This
  check is not performed on wikis that both allow raw HTML and anonymous
  editing, since there are easier ways to exploit that scenario.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
  DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
  public RFC about the desired functionality. This issue was reported by user
  Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a
  config option.
* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
  might be a flash policy directive configurable.

== MediaWiki 1.23.6 ==

This is a maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.5 ===
* (Bug 72274) Job queue not running (HTTP 411) due to missing
  Content-Length: header
* (Bug 67440) Allow classes to be registered properly from installer

== MediaWiki 1.23.5 ==

This is a security release of the MediaWiki 1.23 branch.

=== Changes since 1.23.4 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
  allowance.

== MediaWiki 1.23.4 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.3 ===

* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
  elements; normalize style elements and attributes before filtering; add
  checks for attributes that contain css; add unit tests for html5sec and
  reported bugs.
* (bug 65998) Make MySQLi work with non-standard socket.
* (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
  settings.

== MediaWiki 1.23.3 ==

This is a maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.2 ===

* (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
* (bug 64970) Fix support for blobs on DatabaseOracle::update.
* (bug 66574) Display MediaWiki:Loginprompt on the login page.
* (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
* (bug 60629) Handle invalid language code gracefully in
  Language::fetchLanguageNames.
* (bug 62017) Restore the number of rows shown on Special:Watchlist.
* Check for boolean false result from database query in SqlBagOStuff.

== MediaWiki 1.23.2 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.1 ===

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
  for loading a new page in JavaScript, instead of relying on the URL in the link
  that has been clicked.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
  ParserOutput.
* (bug 68313) Preferences: Turn stubthreshold back into a combo box.
* (bug 65214) Fix initSiteStats.php maintenance script.
* (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.

== MediaWiki 1.23.1 ==

This is a security and maintenance release of the MediaWiki 1.23 branch.

=== Changes since 1.23.0 ===

* (bug 65839) SECURITY: Prevent external resources in SVG files.
* (bug 67025) Special:Watchlist: Don't try to render empty row.
* (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
* (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
  like only extracting the tail of the file partially or not at all.
* (bug 66182) Removed -x flag on some php files.

== MediaWiki 1.23 ==

MediaWiki 1.23.0 is the stable branch and is recommended for use in production.

MediaWiki 1.23 is a large release that contains many new features and bug
fixes. This is the full list of changes in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the beta
release and submitting bug reports.

=== Configuration changes in 1.23 ===
* (bug 13250) Restored method for clearing a watchlist in web UI
  so that users with large watchlists don't have to perform
  contortions to clear them.
* When $wgJobRunRate is higher than zero, jobs are now executed via an
  asynchronous HTTP request to a MediaWiki entry point. This may require
  increasing the number of server worker threads. $wgRunJobsAsync has been
  added to disable this feature if needed, falling back to executing the job
  on the same process but making the execution synchronous.
* $wgDebugLogGroups values may be set to an associative array with a
  'destination' key specifying the log destination. The array may also contain
  a 'sample' key with a positive integer value N indicating that the log group
  should be sampled by dispatching one in every N messages on average. The
  sampling is random.
* In addition to the current exception log format, MediaWiki now serializes
  exception metadata to JSON and logs it to the 'exception-json' log group.
  This makes MediaWiki easier to integrate with log aggregation and analysis
  tools.
* $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
  Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
  addresses that should be trusted to provide X-Forwarded-For headers.
* Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add
  pages I create and files I upload to my watchlist", "Add pages and files I
  edit to my watchlist", "Email me when a page or file on my watchlist is
  changed") are now enabled by default. In addition new user accounts' personal
  and talk pages are now watched by them by default.
* $wgLBFactoryConf: Class names have had underscores removed. The configuration
  should be updated if LBFactory_Simple or LBFactory_Multi is configured.
* $wgPasswordSenderName has been removed and is no longer functional. To set a
  custom mailer name, the system message 'emailsender' should be modified
  (default: "{{SITENAME}}").
* (bug 63269) Email notifications were not correctly handling the
  [[MediaWiki:Helppage]] message being set to a full URL (the default).
  If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
  you'll need to edit it locally to include the URL via the new variable
  $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
  you don't have to do anything.
* $wgDBAhandler was removed as the only class using it was also removed.
* The 'max threads' setting was removed from $wgDBservers.
* Support for AdminSettings.php has been completely removed. All configuration
  belongs in LocalSettings.php.
* $wgSkipSkin, which has been replaceable by $wgSkipSkins since 2005 (r9249), is
  now formally deprecated.
* Removed deprecated $wgDisabledActions as it is hardly used anywhere.
* $wgRateLimitLog has been deprecated and replaced by
  $wgDebugLogGroups['ratelimit'].
* $wgLocalInterwikis is an array containing multiple local interwiki prefixes
  (interwiki prefixes that point back to the current wiki). This effectively
  allows more than one value of $wgLocalInterwiki to be specified and
  understood by the parser. The value of $wgLocalInterwiki is automatically
  prepended to the start of this array.
* $wgQueryPages has been removed. Query Pages should be added to by using the
  wgQueryPages hook.
* $wgHttpOnlyBlacklist has been removed.
* $wgLicenseTerms has been removed as it was unused.
* $wgProfileOnly is now deprecated; set the log file in
  $wgDebugLogGroups['profileoutput'] to replace it.
* $wgMaxBacklinksInvalidate was removed; use $wgJobBackoffThrottling instead.
* Deprecated ResourceLoaderGetStartupModules hook.

=== New features in 1.23 ===
* ResourceLoader can utilize the Web Storage API to cache modules client-side.
  Compared to the browser cache, caching in Web Storage allows ResourceLoader
  to be more granular about evicting stale modules from the cache while
  retaining the ability to retrieve multiple modules in a single HTTP request.
  This capability can be enabled by setting $wgResourceLoaderStorageEnabled to
  true. This feature is currently considered experimental and should only be
  enabled with care.
* (bug 6092) Add expensive parser functions {{REVISIONID:}}, {{REVISIONUSER:}}
  and {{REVISIONTIMESTAMP:}} (with friends).
* Add "wgRelevantUserName" to mw.config containing the current
  Skin::getRelevantUser value.
* (bug 56033) Add content model to the page information.
* Added Article::MissingArticleConditions hook to give extensions a chance to
  hide their (unrelated) log entries.
* Added LonelyPagesQuery hook to let extensions modify the query used to
  generate Special:LonelyPages.
* Added $wgOpenSearchDefaultLimit defining the default number of entries to show
  on action=opensearch API call.
* For namespaces with $wgNamespaceProtection (including the MediaWiki
  namespace), the "protect" tab will be shown only if there are restriction
  levels available that would restrict editing beyond what
  $wgNamespaceProtection already applies. The protection form will offer only
  those protection levels.
* Added $wgAPIFormatModules, allowing extensions to add additional output
  formatting modules for the API.
* (bug 47812) The MediaWiki:Group-user.{css,js} pages can now be used to add
  custom CSS or JavaScript enabled only for registered users.
* (bug 52005) Special pages RecentChanges, RecentChangesLinked and Watchlist
  now include a legend describing the symbols used in lists of changes.
* Improved the accessibility of the tabs in Special:Preferences.
* Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook:
  it's called after everything is set up but before any major processing
  happens.
* The jquery.client module now performs a component-wise version comparison in
  its #test method when strings are used in the browser map: version '1.10' is
  now correctly considered larger than '1.2'. Using numbers in the version map
  is not affected.
* All API modules now support an assert parameter, which can either be
  'user' or 'bot'. The API will throw an error if the user is not logged
  in (user) or does not have the 'bot' userright (bot). Based off of the
  AssertEdit extension by Steve Sanbeg.
* [[Special:Diff]] was added, allowing users to create internal links to
  revision comparison pages using syntax such as [[Special:Diff/12345]],
  [[Special:Diff/12345/prev]] or [[Special:Diff/12345/98765]].
* New user accounts' personal and talk pages are now watched by them by default.
* Added SkinTemplateGetLanguageLink hook to allow changing the html of language
  links.
* Added MessageCache::get hook as a new way to customize messages across
  multiple sites.
* Added jquery.throttle-debounce ResourceLoader module to limit the number of
  callbacks for frequently occurring events.
* Special:ProtectedPages now shows a table. The timestamp, the reason and
  the protecting user are also shown.
* Added experimental support for using Microsoft SQL Server as the database
  backend.
** Added new Microsoft SQL Server-specific configuration variable
   $wgDBWindowsAuthentication, which makes the web server authenticate against
   the database server using Integrated Windows Authentication instead of
   $wgDBuser/$wgDBpassword.
* HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and
  'radio' fields can now use message keys as labels via the 'options-messages'
  parameter, which overrides the 'options' parameter.
* Admins can expire users' passwords manually, or on a schedule using the
  $wgPasswordExpirationDays configuration setting.
* Add new hook SendWatchlistEmailNotification; this will be used to determine
  whether to send a watchlist email notification.
* (bug 42026) Special:Contributions now includes an option to filter page
  creations, similar to the topOnly option.
* Add mediawiki.ui.button styling to all pages so wiki content can use styled
  buttons.
* Special:UserLogin/signup now does AJAX checks for invalid and taken usernames,
  displaying the error live.
* Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
* Support has been added for a JSON based localisation file format. The
  installer has been updated to use it.
* Changes to content typography (colors, line-height etc.). See
  https://www.mediawiki.org/wiki/Typography_refresh for further information.
* The Vector skin's visual treatment of external links has been simplified to a
  single icon (from nine). This should not affect local rules unless they were
  re-using these icons, which have now been deleted.
* ResourceLoader: mw.loader.using() now implements a Promise interface.
* Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows.
  If called by the ChangesList consumer this gives extensions a chance to batch
  process the result set prior to rendering.
* A PoolCounterRedis class was added which can be used in $wgPoolCounterConf.
  This requires at least one Redis 2.6+ server.
* $wgProfileToDatabase was removed. Set $wgProfiler to ProfilerSimpleDB
  in StartProfiler.php instead of using this.
* (bug 63444) Made it possible to change the indent string (default: 4 spaces)
  used by FormatJson::encode().

=== Bug fixes in 1.23 ===
* (bug 41759) The "updated since last visit" markers (on history pages, recent
  changes and watchlist) and the talk page message indicator are now correctly
  updated when the user is viewing old revisions of pages, instead of always
  acting as if the latest revision was being viewed.
* (bug 56443) Special:ConfirmEmail no longer shows a "Mail a confirmation code"
  when the email address is already confirmed. Also, consistently use
  "confirmed", rather than "authenticated", when messaging whether or not the
  user has confirmed an email address.
* (bug 19415) action=render no longer shows section edit links. This affects
  behavior of several other features where (bogus) section edit links will
  disappear, such as file description pages loaded via $wgUseInstantCommons or
  pages transcluded cross-wiki via $wgEnableScaryTranscluding.
* (bug 56912) Show correct link color on cached result of Special:DeadendPages.
* Classes TitleListDependency and TitleDependency have been removed, as they
  have been found unused in core and extensions for a long time.
* (bug 57098) SpecialPasswordReset now obeys returnto parameter
* (bug 37812) ResourceLoader will notice when a module's definition changes and
  recompile it accordingly.
* (bug 57201) SpecialRecentChangesFilters hook is now executed for feeds.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
  to appear blank or with missing text.
* (bug 56931) Updated the plural rules to CLDR 24. They are in new format
  which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as
  the JavaScript evaluator were updated to support the new format. Plural rules
  for some languages have changed, most notably Russian. Affected software
  messages have been updated and marked for review at translatewiki.net.
* (bug 23542) imagelinks now stores both the redirect and target (as
  templatelinks does).
* (bug 58167) The web installer no longer throws an exception when PHP is
  compiled without support for MySQL yet with support for another DBMS.
* (bug 56199) Raw option of parser functions must now match complete word,
  to take effect.
* (bug 60543) Special:PrefixIndex forgot stripprefix=1 for "Next page" link
* (bug 29762) Undoing an already-undone edit will now display an appropriate
  message instead of leading the user to make a null edit.
* (bug 52659) mediawiki.notification: Notification area remained visible when
  empty and thus was stealing pointer events from links on the page.
* (bug 26811) When a DBUnexpectedError occurs, DB server hostnames are now
  hidden unless $wgShowExceptionDetails is true, and $wgShowDBErrorBacktrace
  no longer applies in such cases.
* (bug 60960) Avoid doing file_exist() checks on data: URIs, as they cause
  warnings to be printed on Windows due to large path length.
* (bug 48084) Fixed a bug in the installer that could cause $wgLogo to hold
  the wrong path to the placeholder logo (skins/common/images/wiki.png).
* (bug 64289) jquery.textSelection: Don't throw errors on empty collections.

=== Web API changes in 1.23 ===
* (bug 54884) action=parse&prop=categories now indicates hidden and missing
  categories.
* action=query&meta=filerepoinfo now returns additional information for each
  repo.
* action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in
  MediaWiki 1.24.
* action=parse now has disabletoc flag to disable table of contents in output.
* (bug 25702) list=allcategories, list=allimages, list=alllinks, list=allpages,
  list=deletedrevs and list=filearchive did not handle case-sensitivity
  properly for all parameters.
* ApiQueryBase::titlePartToKey allows an extra parameter that indicates the
  namespace in order to properly capitalize the title part.
* (bug 57874) action=feedcontributions no longer has one item more than limit.
* All API modules now support an assert parameter. See the new features section
  for more details.
* Added prop=contributors to fetch the list of contributors to the page.
* The following API modules will now return entries where fields have been
  revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges,
  list=watchlist. "hidden" indicators will be included, in the same style as is
  already done for prop=revisions.
* The following API modules will now return the content of revision-deleted
  fields, in addition to the "hidden" indicators, if the querying user has the
  necessary rights: list=logevents, list=usercontribs, prop=imageinfo,
  prop=revisions.
* The above modules, where applicable, will now return entries filtered by
  revision-deleted fields if the querying user has the necessary rights. For
  example, prop=revisions with rvuser or rvexcludeuser will no longer skip
  revisions where the user was revision-deleted if the current user has the
  deletedhistory right.
* The 'hideuser' right, used when blocking, is no longer necessary or
  sufficient for seeing contributions with revision-deleted in
  list=usercontribs.
* list=watchlist now uses the querying user's rights rather than the wlowner's
  rights when checking whether wlprop=patrol is allowed.
* (bug 32151) ApiWatch now has pageset capabilities (titles/pageids/generators).
  Title parameter is now deprecated.
* (bug 23005) Added action=revisiondelete.
* Added siprop=restrictions to API action=query&meta=siteinfo for querying
  possible page restriction (protection) levels and types.
* Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
* (bug 58627) Provide language names on action=parse&prop=langlinks.
* Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
* Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
* prop=redirects is added, to return redirects to the pages in the query.
* list=allredirects is added, to list all redirects pointing to a namespace.
* (bug 42026) Added ucshow={new,!new,top,!top} to list=usercontribs.
  Also added newonly to action=feedcontributions.
* (bug 42026) Deprecated uctoponly in favor of ucshow=top.
* list=search no longer has a "srredirects" parameter. Redirects are now
  included in all searches.
* Added list=prefixsearch that works like action=opensearch but can be used as
  a generator.
* (bug 24782) Various modules will now use unique continuation parameters.
* (bug 63249) Cache RecentChanges Atom feed in varnish for 15 seconds.

=== Languages updated in 1.23 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.

* Support was added for Algerian Spoken Arabic (arq).
* Support was added for Riograndenser Hunsrückisch (hrx).
* Support was added for Northern Luri (lrc).

=== Other changes in 1.23 ===
544​* The rc_type field in the recentchanges table has been superseded by a new
545​ rc_source field. The rc_source field is a string representation of the
546​ change type where rc_type was a numeric constant. This field is not yet
547​ queried but will be in a future release.
548​** Utilize update.php to create and populate this new field. On larger wikis
549​ which do not wish to update recentchanges table in one large update please
550​ review the SQL and comments in maintenance/archives/patch-rc_source.sql.
551​** The rc_type field of recentchanges will be deprecated in a future release.
552​* The global variable $wgArticle has been removed after a lengthy deprecation.
553​* The global functions addButton and insertTags (for mw.toolbar.addButton and
554​ mw.toolbar.insertTags) now emits mw.log.warn when accessed.
555​* The ExpandTemplates extension has been moved into MediaWiki core.
556​* (bug 52812) Removed "Disable search suggestions" from Preference.
557​* (bug 52809) Removed "Disable browser page caching" from Preference.
558​* Three new modules intended for use by custom skins were added:
559​ 'mediawiki.skinning.elements', 'mediawiki.skinning.content', and
560​ 'mediawiki.skinning.interface', representing three levels of standard
561​ MediaWiki styling. Previously skin creators wishing to use them had to refer
562​ to the file names of appropriate files directly, which is now discouraged.
563​* The modules 'skins.vector' and 'skins.monobook' have been renamed to
564​ 'skins.vector.styles' and 'skins.monobook.styles', respectively,
565​ and their definition was changed not to include the common*.css files;
566​ the two skins now load the 'mediawiki.skinning.interface' module instead.
567​* A page_links_updated field has been added to the page table.
568​* SpecialPage::getTitle has been deprecated in favor of
569​ SpecialPage::getPageTitle.
570​* BREAKING CHANGE: Two potentially backwards-incompatible changes have been made
571​ to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make
572​ the hook more consistent with the 'SpecialRecentChangesQuery' one:
573​** Several array keys have been renamed: hideMinor → hideminor,
574​ hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu,
575​ hidePatrolled → hidepatrolled, hideOwn → hidemyself.
576​** The parameter value is now a FormOptions object, not a plain array (array
577​ access operators should continue to work, as it implements the ArrayAccess
578​ interface).
579​* Option to mark hooks as deprecated has been added.
580​* (bug 52811) Preference "Enable section editing via [edit] links" was removed.
581​* (bug 52813) Preference "Show table of contents (for pages with more than
582​ 3 headings)" was removed.
583​* (bug 52810) Preference "Justify paragraphs" was removed.
584​* OutputPage::showErrorPage raises a notice if arguments are incoherent.
585​* Thumbnails that keep failing to render in thumb.php will be rate-limited
586​ against further render attempts for 1 hour. $wgAttemptFailureEpoch can be
587​ altered to reset all rate-limited thumbnails at once.
588​* (bug 56572) Builds of the OOjs and OOjs UI libraries are now available.
589​* mw.loader.go and mw.loader.version have been removed.
590​* (bug 52815) Preference "Enable simplified search bar (Vector skin only)"
591​ was removed.
592​* A user_password_expires column has been added to the user table. The User
593​ object expects this column to exist. Use update.php to create this new field.
594​* The jquery.delayedBind ResourceLoader module was deprecated in favor of the
595​ jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
596​* mw.user.bucket has been deprecated.
597​* On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to
598​ table.mw-prefixindex-list-table to avoid duplicate ids when the special page
599​ is transcluded.
600​* (bug 62198) window.$j has been deprecated.
601​* Preference "Disable link title conversion" was removed.
602​* SpecialRecentChanges no longer includes any functionality for generating feeds
603​ - it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new
604​ ones.
605​* RecentChange::mExtra['lang'] is no longer set and should no longer be used.
606​ Extensions should read from other configuration variables, including
607​ $wgLocalInterwikis, to identify the current wiki.
608​* Sections in the parser test framework have been renamed and the old
609​ section names are deprecated. Please use "!!wikitext" and "!!html"
610​ (or "!!html/php") instead of "!!input" and "!!result". This allows
611​ us to extend parser tests to accommodate additional input/output
612​ pairs, such as "!!html/parsoid" (for the output of the Parsoid
613​ parser, where it differs from the PHP parser).
614​* Special:Search no longer has an "include redirects" option on the advanced
615​ tab. Redirects are now included in all searches.
616​* mediawiki.api.category's getCategories() 'async' parameter was deprecated.
617​* The locations of resources have been split between upstream libraries, now in
618​ resources/lib/, local libraries in resources/src/, and local forks of upstream
619​ libraries, also in resources/src/.
620​* BREAKING CHANGE: The automatically-generated function closure with which
621​ ResourceLoader wraps all modules' JavaScript code now binds the identifier
622​ names 'jQuery' and '$' to the jQuery object of the version of jQuery that is
623​ bundled with MediaWiki. If you bind these names to other objects in global
624​ scope (like Zepto.js or document.querySelectorAll, for example) you will need
625​ to use different names or re-bind them at the top of each
626​ ResourceLoader-loaded module.
627​* (bug 52342) Preference "Remember my login" was removed.
628​* The skin autodiscovery mechanism has been deprecated and will be removed in
629​ MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
630​ for a migration guide for creators and users of custom skins that relied on it.
631
632​==== Removed classes ====
633​* FakeMemCachedClient (deprecated in 1.18)
634​* RdfMetaData (unused)
635​* TitleDependency (unused)
636​* TitleListDependency (unused)
637​* WikiError (deprecated in 1.17)
638​* WikiXmlError (deprecated in 1.17)
639​* WikiErrorMsg (deprecated in 1.17)
640
641​==== Renamed classes ====
642​* CdbReader_DBA to CdbReaderDBA
643​* CdbReader_PHP to CdbReaderPHP
644​* CdbWriter_DBA to CdbWriterDBA
645​* CdbWriter_PHP to CdbWriterPHP
646​* DiffOp_Add to DiffOpAdd
647​* DiffOp_Change to DiffOpChange
648​* DiffOp_Copy to DiffOpCopy
649​* DiffOp_Delete to DiffOpDelete
650​* HWLDF_WordAccumulator to HWLDFWordAccumulator
651​* LBFactory_Fake to LBFactoryFake
652​* LBFactory_Multi to LBFactoryMulti
653​* LBFactory_Simple to LBFactorySimple
654​* LBFactory_Single to LBFactorySingle
655​* LCStore_Accel to LCStoreAccel
656​* LCStore_CDB to LCStoreCDB
657​* LCStore_DB to LCStoreDB
658​* LCStore_Null to LCStoreNull
659​* LoadBalancer_Single to LoadBalancerSingle
660​* LoadMonitor_MySQL to LoadMonitorMySQL
661​* LoadMonitor_Null to LoadMonitorNull
662​* LocalisationCache_BulkLoad to LocalisationCacheBulkLoad
663​* csvStatsOutput to CsvStatsOutput
664​* extensionLanguages to ExtensionLanguages
665​* languages to Languages
666​* statsOutput to StatsOutput
667​* textStatsOutput to TextStatsOutput
668​* wikiStatsOutput to WikiStatsOutput
669
670​==== Removed methods ====
671​* ApiBase::getValidNamespaces() (deprecated in 1.17)
672​* ApiMain::setCachePrivate() (deprecated in 1.17)
673​* ApiMain::setVaryCookie (deprecated in 1.17)
674​* Article::doRedirect() (deprecated in 1.18)
675​* Article::doUnwatch() (deprecated in 1.18)
676​* Article::doWatch() (deprecated in 1.18)
677​* Article::forUpdate() (deprecated in 1.18)
678​* Article::markpatrolled() (deprecated in 1.18)
679​* Article::unwatch() (deprecated in 1.18)
680​* Article::watch() (deprecated in 1.18)
681​* Block::clear() (deprecated in 1.18)
682​* Block::decodeExpiry() (deprecated in 1.18)
683​* Block::encodeExpiry() (deprecated in 1.18)
684​* Block::forUpdate() (deprecated in 1.18)
685​* Block::infinity() (deprecated in 1.18)
686​* Block::load() (deprecated in 1.18)
687​* Block::newFromDB() (deprecated in 1.18)
688​* Block::normaliseRange() (deprecated in 1.18)
689​* Block::parseExpiryInput() (deprecated in 1.18)
690​* CategoryViewer::addSubcategory() (deprecated in 1.17)
691​* EditPage::spamPage() (deprecated since 1.17)
692​* Exif::getFormattedData() (deprecated in 1.18)
693​* Exif::makeFormattedData() (deprecated in 1.18)
694​* in_string (deprecated in 1.21)
695​* Language::convertLinkToAllVariants() (deprecated in 1.17)
696​* LanguageConverter::convertLinkToAllVariants() (deprecated in 1.17)
697​* Linker::makeBrokenLink() (deprecated in 1.16)
698​* Linker::makeBrokenLinkObj() (deprecated in 1.16)
699​* Linker::makeColouredLinkObj() (deprecated in 1.16)
700​* Linker::makeSizeLinkObj() (deprecated in 1.17)
701​* MediaWiki::articleFromTitle() (deprecated in 1.18)
702​* ParserOptions::getkin() (deprecated 1.18)
703​* ProfilerSimple::getCpuTime (deprecated in 1.20)
704​* Revision::revText() (deprecated in 1.17)
705​* SkinTemplate::jstext() (deprecated in 1.21)
706​* SpecialPage::__call() (deprecated in 1.17)
707​* SpecialPage::executePath() (deprecated in 1.18)
708​* SpecialPage::exists() (deprecated in 1.18)
709​* SpecialPage::file() (deprecated in 1.18)
710​* SpecialPage::func() (deprecated in 1.18)
711​* SpecialPage::getGroup() (deprecated in 1.18)
712​* SpecialPage::getPage() (deprecated in 1.18)
713​* SpecialPage::getPageByAlias() (deprecated in 1.18)
714​* SpecialPage::getLocalNameFor() (deprecated in 1.18)
715​* SpecialPage::getRegularPages() (deprecated in 1.18)
716​* SpecialPage::getRestrictedPages() (deprecated in 1.18)
717​* SpecialPage::getTitleForAlias() (deprecated in 1.18)
718​* SpecialPage::getUsablePages() (deprecated in 1.18)
719​* SpecialPage::includable() (deprecated in 1.18)
720​* SpecialPage::init()
721​* SpecialPage::initAliasList() (deprecated in 1.18)
722​* SpecialPage::initList() (deprecated in 1.18)
723​* SpecialPage::name() (deprecated in 1.18)
724​* SpecialPage::removePage() (deprecated in 1.18)
725​* SpecialPage::resolveAlias() (deprecated in 1.18)
726​* SpecialPage::resolveAliasWithSubpage() (deprecated in 1.18)
727​* SpecialPage::restriction() (deprecated in 1.18)
728​* SpecialPage::setGroup() (deprecated in 1.18)
729​* SpecialRecentChanges::feedSetup()
730​* SpecialRevisionDelete::extractBitField() (deprecated in 1.22)
731​* User::getPageRenderingHash() (deprecated in 1.17)
732​* WebRequest::getFileSize() (deprecated in 1.17)
733​* WebRequest::isPathInfoBad() (deprecated in 1.17)
734​* wfGenerateToken (deprecated in 1.20)
735​* wfStreamFile (deprecated in 1.19)
736​* wfUILang (deprecated in 1.18)
737​* WikiPage::createUpdates() (deprecated in 1.18)
738​* WikiPage::quickEdit() (deprecated in 1.18)
739​* WikiPage::useParserCache() (deprecated in 1.18)
740​* WikiPage::viewUpdates() (deprecated in 1.18)
741
742​==== Removed globals ====
743​* $wgBetterDirectionality (deprecated in 1.18)
744
745​== Compatibility ==
746
747​MediaWiki 1.23 requires PHP 5.3.2 or later.
748
749​MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
750​support for them is somewhat less mature. There is experimental support for
751​Oracle and Microsoft SQL Server.
752
753​The supported versions are:
754
755​* MySQL 5.0.2 or later
756​* PostgreSQL 8.3 or later
757​* SQLite 3.3.7 or later
758​* Oracle 9.0.1 or later
759​* Microsoft SQL Server 2005 (9.00.1399)
760
761​== Upgrading ==
762
763​1.23 has several database changes since 1.22, and will not work without schema
764​updates. Note that due to changes to some very large tables like the revision
765​ table, the schema update may take quite long (minutes on a medium-sized site,
766​many hours on a large site).
767
768​If upgrading from before 1.11, and you are using a wiki as a commons
769​repository, make sure that it is updated as well. Otherwise, errors may arise
770​due to database schema changes.
771
772​If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
773​new database fields are filled with data.
774
775​If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
776​1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
777​with MediaWiki 1.21.
778
779​Don't forget to always back up your database before upgrading!
780
781​See the file UPGRADE for more detailed upgrade instructions.
782
783​For notes on 1.22.x and older releases, see HISTORY.
784
785​== Online documentation ==
786
787​Documentation for both end-users and site administrators is available on
788​MediaWiki.org, and is covered under the GNU Free Documentation License (except
789​for pages that explicitly state that their contents are in the public domain):
790
791​ https://www.mediawiki.org/wiki/Documentation
792
793​== Mailing list ==
794
795​A mailing list is available for MediaWiki user support and discussion:
796
797​ https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
798
799​A low-traffic announcements-only list is also available:
800
801​ https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
802
803​It's highly recommended that you sign up for one of these lists if you're
804​going to run a public MediaWiki, so you can be notified of security fixes.
805
806​== IRC help ==
807
808​There's usually someone online in #mediawiki on irc.freenode.net.