3 This is a security and maintenance release of the MediaWiki 1.30 branch.
5 === Changes since MediaWiki 1.30.1 ===
6 * (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query all
7 titles when asked for none.
8 * (T109121) Remove deprecated pear/mail_mime-decode from composer suggested libraries.
9 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
10 * (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
11 * (T207603) SECURITY: User JS may no longer be loaded with mime type text/javascript if
12 there is no account associated with the username.
13 * (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME type if
14 non-admins can edit the page.
15 * (T207541) Pass email address to mail().
16 * Fix addition of ug_expiry column to user_groups table on MSSQL.
17 * (T204531) rdbms: reduce LoadBalancer replication log spam.
18 * (T213489) Avoid session double-start in Setup.php.
19 * (T195525) Fix db error outage page.
20 * (T208871) The hard-coded Google search form on the database error page was
22 * (T216968) Return pageid as int in both list=iwbacklinks and list=langbacklinks.
23 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
24 $wgBlockDisablesLogin is true.
25 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf token.
26 * (T222385) resourceloader: Use AND instead of OR for upsert conds in
27 saveFileDependencies().
28 * (T224374) Fix message parameters so that the message that says SQLite is out of date
30 * SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
32 * FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
33 getLoginSecurityLevel() returns non-false.
34 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
35 * T208881) SECURITY: blacklist CSS var().
36 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
37 * (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
38 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
39 * (T222036, T222038) SECURITY: Add permission check for user is permitted to
41 * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.
43 == MediaWiki 1.30.1 ==
45 This is a security and maintenance release of the MediaWiki 1.30 branch.
47 === Changes since MediaWiki 1.30.0 ===
48 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
50 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
52 * (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
53 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
54 * (T189567) the CLI installer (maintenance/install.php) learned to detect and
55 include extensions. Pass --with-extensions to enable that feature.
56 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
57 * (T167507) selenium: Run Chrome headlessly.
58 * selenium: Pass -no-sandbox to Chrome under Docker.
59 * (T179190) selenium: Move logic for running tests from package.json to selenium.sh
60 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
61 * Add default edit rate limit of 90 edits/minute for all users.
62 * (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
63 * oojs/oojs-ui updated to remove an unnecessary dependancy.
64 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
65 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
66 * (T196672) The mtime of extension.json files is now able to be zero
67 * (T180403) Validate $length in padleft/padright parser functions.
68 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
69 * (T193995) Fix undefined patchPath() method call in parser tests.
70 * Special:BotPasswords now requires reauthentication.
71 * (T191608, T187638) Add 'logid' parameter to Special:Log.
72 * (T193829) Indicate when a Bot Password needs reset.
73 * (T151415) Log email changes.
74 * (T200861) Fix total breakage of SQLite web upgrade.
75 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
77 * (T190539) Explicitly require Postgres 9.1.
78 * (T118420) Unbreak Oracle installer.
82 === Changes since MediaWiki 1.30.0-rc.0 ===
83 * Upgraded Moment.js from v2.15.0 to v2.19.3.
84 * Add ip_changes to postgres/tables.sql.
85 * Skip null shell parameters.
86 * Add wfWaitForSlaves() to maintenance/migrateComments.php.
87 * (T182245) Fix join conditions in ImageListPager.
88 * (T178626) Revert #contentSub and #jump-to-nav margin changes.
90 === MySQL version requirement in 1.30 ===
91 As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
94 === Configuration changes in 1.30 ===
95 * The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
96 unexpected behavior when code uses locale-sensitive string comparisons. For
97 example, the Scribunto extension considers "bar" < "Foo" in most locales
98 since it ignores case.
99 * $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
100 documentation of $wgShellLocale for details.
101 * $wgShellLocale is now applied for all requests. wfInitShellLocale() is
102 deprecated and a no-op, as it is no longer needed.
103 * $wgJobClasses may now specify callback functions as an alternative to plain
104 class names. This is intended for extensions that want control over the
105 instantiation of their jobs, to allow for proper dependency injection.
106 * $wgResourceModules may now specify callback functions as an alternative
107 to plain class names, using the 'factory' key in the module description
108 array. This allows dependency injection to be used for ResourceLoader modules.
109 * $wgExceptionHooks has been removed.
110 * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
111 of IP ranges that can be queried at Special:Contributions.
112 * (T45547) $wgUsePigLatinVariant added (off by default).
113 * (T152540) MediaWiki now supports a section ID escaping style that allows to display
114 non-Latin characters verbatim on many modern browsers. This is controlled by the
115 new configuration setting, $wgFragmentMode.
116 * $wgExperimentalHtmlIds is now deprecated and will be removed in a future version,
117 use $wgFragmentMode to migrate off it to a modern alternative.
118 * $wgExternalInterwikiFragmentMode was introduced to control how fragments in
119 sinterwikis going outside of current wiki farm are encoded.
120 * (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'.
121 This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki
122 auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly
123 requested through the configuration parameter $wgDBservers.
124 * $wgOOUIEditPage was removed, as it is now the default. This was documented as a
125 temporary variable during the migration period.
127 === New features in 1.30 ===
128 * (T37247) Output from Parser::parse() will now be wrapped in a div with
129 class="mw-parser-output" by default. This may be changed or disabled using
130 ParserOptions::setWrapOutputClass().
131 * (T163562) Added ability to search for contributions within an IP ranges
132 at Special:Contributions.
133 * Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
134 specific tags to be added by users.
135 * Added a 'ParserOptionsRegister' hook to allow extensions to register
136 additional parser options.
137 * (T45547) Included Pig Latin, a language game in English, as a
138 LanguageConverter variant. This allows English-speaking developers
139 to develop and test LanguageConverter more easily. Pig Latin can be
140 enabled by setting $wgUsePigLatinVariant to true.
141 * Added RecentChangesPurgeRows hook to allow extensions to purge data that
142 depends on the recentchanges table.
143 * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
144 * (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
145 'watchlistunwatchlinks' preference option is enabled). With JavaScript
146 enabled, these links toggle so the user can also re-watch pages that have
148 * Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
149 MediaHandlerFactory for parser tests.
150 * Edit summaries, block reasons, and other "comments" are now stored in a
151 separate database table. Use the CommentFormatter class to access them.
152 ** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
153 can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
154 soon as any necessary extensions are updated.
155 * (T138166) Added ability for users to prohibit other users from sending them
156 emails with Special:Emailuser. Can be enabled by setting
157 $wgEnableUserEmailBlacklist to true.
158 * (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect.
159 Instead, users using browsers that do not support Unicode will be unable to edit
160 and should upgrade to a modern browser instead.
162 === External library changes in 1.30 ===
164 ==== Upgraded external libraries ====
165 * Updated justinrainbow/json-schema from v3.0 to v5.2.
166 * Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
167 * Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
168 * Updated wikimedia/relpath from v1.0.3 to v2.0.0.
169 * Updated OOjs from v2.0.0 to v2.1.0.
170 * Updated OOUI from v0.21.1 to v0.23.0.
171 * Updated QUnit from v1.23.1 to v2.4.0.
172 * Updated phpunit/phpunit from v4.8.35 to v4.8.36.
173 * Upgraded Moment.js from v2.15.0 to v2.19.3.
175 ==== New external libraries ====
176 * The class \TestingAccessWrapper has been moved to the external library
177 wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
178 * Purtle, a fast, lightweight RDF generator.
180 ==== Removed and replaced external libraries ====
183 === Bug fixes in 1.30 ===
184 * (T151633) Ordered list items use now Devanagari digits in Nepalese
187 === Action API changes in 1.30 ===
188 * (T37247) action=parse output will be wrapped in a div with
189 class="mw-parser-output" by default. This may be changed or disabled using
190 the new 'wrapoutputclass' parameter.
191 * When errorformat is not 'bc', abort reasons from action=login will be
192 formatted as specified by the error formatter parameters.
193 * action=compare can now handle arbitrary text, deleted revisions, and
194 returning users and edit comments.
195 * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
196 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
197 parameters to prop=revisions are deprecated, as are the similarly named
198 parameters to prop=deletedrevisions, list=allrevisions, and
199 list=alldeletedrevisions. Use action=compare, action=parse, or
200 action=expandtemplates instead.
202 === Action API internal changes in 1.30 ===
203 * ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
204 deprecated. The existing message should be split between "apihelp-*-summary"
205 and "apihelp-*-extended-description".
206 * (T123931) Individual values of multi-valued parameters can now be marked as
209 === Languages updated in 1.30 ===
210 MediaWiki supports over 350 languages. Many localisations are updated
211 regularly. Below only new and removed languages are listed, as well as
212 changes to languages because of Phabricator reports.
214 * Added: kbp (Kabɩyɛ / Kabiyè)
215 * Added: skr (Saraiki, سرائیکی)
216 * Added: tay (Tayal / Atayal)
217 * Removed: tokipona (Toki Pona)
219 ==== Pig Latin added ====
220 * (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
221 for easier variant development and testing. Disabled by default. It can be
222 enabled by setting $wgUsePigLatinVariant to true.
224 === Other changes in 1.30 ===
225 * The use of an associative array for $wgProxyList, where the IP address is in
226 the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
227 Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
228 * mw.user.bucket (deprecated in 1.23) was removed.
229 * LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
230 deprecated. There are no known callers.
231 * File::getStreamHeaders() was deprecated.
232 * MediaHandler::getStreamHeaders() was deprecated.
233 * Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
235 * MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
236 should be used instead.
237 * The ExtractThumbParameters hook (deprecated in 1.21) was removed.
238 * The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
239 deprecated in 1.24) were removed.
240 * wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
241 BagOStuff::makeGlobalKey() should be used instead.
242 * (T146304) Preprocessor handling of LanguageConverter markup has been improved.
243 As a result of the new uniform handling, '-{' may need to be escaped
244 (for example, as '-<nowiki/>{') where it occurs inside template arguments
246 * (T163966) Page moves are now counted as edits for the purposes of
247 autopromotion, i.e., they increment the user_editcount field in the database.
248 * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
249 manipulating Special:Log and Special:NewPages lines.
250 * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
251 PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding
252 hooks have an additional parameter, for manipulating HTML data attributes of
253 RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the
254 $data['attribs'] subarray.
255 * (T130632) The OutputPage::enableTOC() method was removed.
256 * WikiPage::getParserOutput() will now throw an exception if passed
257 ParserOptions that would pollute the parser cache. Callers should use
258 WikiPage::makeParserOptions() to create the ParserOptions object and only
259 change options that affect the parser cache key.
260 * Article::viewRedirect() is deprecated.
261 * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
262 * DeprecatedGlobal no longer supports passing in a direct value, it requires a
263 callable factory function or a class name.
264 * The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton()
265 are all deprecated. The main ParserCache instance should be obtained from
266 MediaWikiServices instead. Access to the underlying BagOStuff is possible
267 through the new ParserCache::getCacheStorage() method.
268 * .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
269 * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
270 escapeIdForLink() or escapeIdForExternalInterwiki() instead.
271 * Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
272 Sanitizer functions or, if possible, Title::getFragmentForURL().
273 * Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
274 nothing and is deprecated.
275 * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
277 * MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
278 * WikiImporter now requires the second parameter to be an instance of the Config,
279 class. Prior to that, the Config parameter was optional (a behavior deprecated in
281 * Removed 'jquery.mwExtension' module. (deprecated since 1.26)
282 * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
284 * CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
285 The namespaced classes in the Cdb namespace should be used instead.
286 * IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
287 should be used instead.
288 * RunningStat class (deprecated in 1.27) was removed. The namespaced
289 RunningStat\RunningStat should be used instead.
290 * MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed.
291 The MemcachedClient class should be used instead.
292 * EditPage underwent some refactoring and deprecations:
293 * EditPage::isOouiEnabled() is deprecated and will always return true.
294 * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please
295 use ::getSummaryInputWidget() instead.
296 * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
297 use ::getCheckboxesWidget() instead.
298 * Creating an EditPage instance without calling EditPage::setContextTitle() should
299 be avoided and will be deprecated in a future release.
300 * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops.
301 * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The
302 corresponding methods from Title should be used instead.
303 * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
304 * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters
305 ::getArticle() and ::getTitle() should be used instead.
306 * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut,
307 and $wgLang is no longer supported and won't work. The IContextSource returned from
308 EditPage::getContext() must be modified instead.
309 * Parser::getRandomString() (deprecated in 1.26) was removed.
310 * Parser::uniqPrefix() (deprecated in 1.26) was removed.
311 * Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
312 $uniq_prefix was deprecated in 1.26 and has now been removed.
313 * (T172514) The following tables have had their UNIQUE indexes turned into proper
314 PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks,
315 langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats,
316 templatelinks, text, transcache, user_former_groups, user_properties.
317 * IDatabase::nextSequenceValue() is no longer needed by any database backends
318 (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
319 * (T146591) The lc_lang_key index on the l10n_cache table has been changed into a
321 * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
322 page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
323 user_properties.up_user have all been made unsigned on MySQL.
324 * DB_SLAVE is deprecated. DB_REPLICA should be used instead.
325 * wfUsePHP() is deprecated.
326 * wfFixSessionID() was removed.
327 * wfShellExec() and related functions are deprecated, use Shell::command(). This also
328 slightly changes the behavior of how execution time limits are calculated when only
329 some of defaults are overridden per-call. When in doubt, always override both wall
331 * (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending
332 user object. Using the method without the second argument is deprecated.
333 * (T67297) Browsers that don't support Unicode will have their edits rejected.
334 * (T178450) The module 'jquery.badge' is deprecated and will be removed in a future
335 release. For notifying the user of an event, the Notifications ("Echo") system
336 should be used instead.
337 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
338 sends non-standard url escaping.
339 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
343 MediaWiki 1.30 requires PHP 5.5.9 or later. There is experimental support for
344 HHVM 3.6.5 or later. MediaWiki requires that the mbstring, xml, ctype, json,
345 iconv and fileinfo PHP extensions are loaded to work.
347 MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
348 but support for them is somewhat less mature. There is experimental support for
349 Oracle and Microsoft SQL Server.
351 The supported versions are:
353 * MySQL 5.5.8 or later
354 * PostgreSQL 9.1 or later
355 * SQLite 3.3.7 or later
356 * Oracle 9.0.1 or later
357 * Microsoft SQL Server 2005 (9.00.1399)
360 1.30 has several database changes since 1.29, and will not work without schema
361 updates. Note that due to changes to some very large tables like the revision
362 table, the schema update may take a long time (minutes on a medium sized site,
363 many hours on a large site).
365 Don't forget to always back up your database before upgrading!
367 See the file UPGRADE for more detailed upgrade instructions, including
368 important information when upgrading from versions prior to 1.11.
370 For notes on 1.29.x and older releases, see HISTORY.
372 == Online documentation ==
373 Documentation for both end-users and site administrators is available on
374 MediaWiki.org, and is covered under the GNU Free Documentation License (except
375 for pages that explicitly state that their contents are in the public domain):
377 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
380 A mailing list is available for MediaWiki user support and discussion:
382 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
384 A low-traffic announcements-only list is also available:
386 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
388 It's highly recommended that you sign up for one of these lists if you're
389 going to run a public MediaWiki, so you can be notified of security fixes.
392 There's usually someone online in #mediawiki on irc.freenode.net.