-== Changes since 1.11.0rc1 ==
-
-A possible HTML/XSS injection vector in the API pretty-printing mode has
-been found and fixed.
-
-The vulnerability may be worked around in an unfixed version by simply
-disabling the API interface if it is not in use, by adding this to
-LocalSettings.php:
-
- $wgEnableAPI = false;
-
-(This is the default setting in 1.8.x.)
-
-Not vulnerable versions:
-* 1.11 >= 1.11.0
-* 1.10 >= 1.10.2
-* 1.9 >= 1.9.4
-* 1.8 >= 1.8.5
-
-Vulnerable versions:
-* 1.11 <= 1.11.0rc1
-* 1.10 <= 1.10.1
-* 1.9 <= 1.9.3
-* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
-
-MediaWiki 1.7 and below are not affected as they do not include
-the faulty function, however the BotQuery extension is similarly
-vulnerable unless updated to the latest SVN version.
-
-
-== Configuration changes since 1.10 ==
-
-* $wgThumbUpright - Adjust width of upright images when parameter 'upright' is
- used
-* $wgAddGroups, $wgRemoveGroups - Finer control over who can assign which
- usergroups
-* $wgEnotifImpersonal, $wgEnotifUseJobQ - Bulk mail options for large sites
-* $wgShowHostnames - Expose server host names through the API and HTML comments
-* $wgSaveDeletedFiles has been removed, the feature is now enabled unconditionally
-
-== New features since 1.10 ==
-
-* (bug 8868) Separate "blocked" message for autoblocks
-* Adding expiry of block to block messages
-* Links to redirect pages in categories are wrapped in
- <span class="redirect-in-category"></span>
-* Introduced 'ImageOpenShowImageInlineBefore' hook; see docs/hooks.txt for
- more information
-* (bug 9628) Show warnings about slave lag on Special:Contributions,
- Special:Watchlist
-* (bug 8818) Expose "wpDestFile" as parameter $1 to "uploaddisabledtext"
-* Introducing new image keyword 'upright' and corresponding variable
- $wgThumbUpright. This allows better proportional view of upright images
- related to landscape images on a page without nailing the width of upright
- images to a fix value which makes views for anon unproportional and user
- preferences useless
-* (bug 6072) Introducing 'border' keyword to the [[Image:]] syntax
-* Introducing 'frameless' keyword to [[Image:]] syntax which respects the
- user preferences for image width like 'thumb' but without a frame.
-* (bug 7960) Link to "what links here" for each "what links here" entry
-* Added support for configuration of an arbitrary number of commons-style
- file repositories.
-* Added a Content-Disposition header to thumb.php output
-* Improved thumb.php error handling
-* Display file history on local image description pages of shared images
-* Added $wgArticleRobotPolicies
-* (bug 10076) Additional parameter $7 added to MediaWiki:Blockedtext
- containing, the ip, ip range, or username whose block is affecting the
-* (bug 7691) Show relevant lines from the deletion log when re-creating a
- previously deleted article
-* Added variables 'wgRestrictionEdit' and 'wgRestrictionMove' for JS to header
-* (bug 9898) Allow viewing all namespaces in Special:Newpages
-* (bug 10139) Introduce 'EditSectionLink' and 'EditSectionLinkForOther' hooks;
- see docs/hooks.txt for details
-* (bug 9769) Provide "watch this page" toggle on protection form
-* (bug 9886) Provide clear example "stub link" in Special:Preferences
-* (bug 10055) Populate email address and real name properties of User objects
- passed to the 'AbortNewAccount' hook
-* Show result of Special:Booksources in wiki content language always, it's
- normally better maintained than the generic list from the standard message
- files
-* (bug 7997) Allow users to be blocked from using Special:Emailuser
-* (bug 8989) Blacklist 'mhtml' and 'mht' files from upload
-* (bug 8760) Allow wiki links in "protectexpiry" message
-* (bug 5908) Add "DEFAULTSORTKEY" and "DEFAULTCATEGORYSORT" aliases for
- "DEFAULTSORT" magic word
-* (bug 10181) Support the XCache object caching mechanism
-* (bug 9058) Introduce '--aconf' option for all maintenance scripts, to provide
- a path to the AdminSettings.php file
-* (bug 8781) Remind users to check file permissions for LocalSettings.php
- post-installation
-* Use shared.css for all skins and oldshared.css in place of common.css for
- pre-Monobook skins. As always, modifications should go in-wiki to MediaWiki:
- Common.css and MediaWiki:Monobook.css.
-* (bug 8869) Introduce Special:Uncategorizedtemplates
-* (bug 8734) Different log message when article protection level is changed
-* (bug 8458, 10338) Limit custom signature length to $wgMaxSigChars Unicode
- characters
-* (bug 10096) Added an ability to query interwiki map table
-* On reupload, add a null revision to the image description page
-* Group log output by date
-* Kurdish interface latin/arabic writing system with transliteration
-* Support wiki text in all query page headers
-* Add 'Orphanedpages' as an alias to Special:Lonelypages
-* (bug 9328) Use "revision-info-current" message in place of "revision-info"
- when viewing the current revision of a page, if available
-* (bug 8890) Enable wiki text for "license" message
-* Throw a showstopper exception when a hook function fails to return a value.
- Forgetting to give a 'true' return value is a very common error which tends
- to cause hard-to-track-down interactions between extensions.
-* Use $wgJobClasses to determine the correct Job to instantiate for a particular
- queued task; allows extensions to introduce custom jobs
-* (bug 10326) AJAX-based page watching and unwatching has been cleaned up and
- enabled by default.
-* Added option to install to MyISAM
-* (bug 9250) Remove hardcoded minimum image name length of three characters
-* Fixed DISPLAYTITLE behaviour to reject titles which don't normalise to the
- same title as the current page, and enabled per default
-* Wrap site CSS and JavaScript in a <pre> tag, like user JS/CSS
-* (bug 10196) Add classes and dir="ltr" to the <pre>s on CSS and JS pages (new
- classes: mw-code, mw-css, mw-js)
-* (bug 6711) Add $wgAddGroups and $wgRemoveGroups to allow finer control over
- usergroup assignment.
-* Introduce 'UserEffectiveGroups' hook; see docs/hooks.txt for more information
-* (bug 10387) Detect and handle '.php5' extension environments at install time
-* Introduce 'ShowRawCssJs' hook; see docs/hooks.txt for more information
-* (bug 10404) Show rights log for the selected user in Special:Userrights
-* New javascript for upload page that will show a warning if a file with the
- "destination filename" already exists.
-* Add 'editsection-brackets' message to allow localization (or removal) of the
- brackets in the "[edit]" link for sections
-* (bug 10437) Move texvc styling to shared.css
-* Introduce "raw editing" mode for the watchlist, to allow bulk additions,
- removals, and convenient exporting of watchlist contents
-* Show "undo" links in page histories
-* Option to jump to specified time period in user contributions
-* Improved feedback on "rollback success" page
-* Show distinct 'namespaceprotected' message to users when namespace protection
- prevents page editing
-* (bug 9936) Per-edit suppression of preview-on-first edit with "preview=no"
-* Allow showing a one-off preview on first edit with "preview=yes"
-* (bug 9151) Remove timed redirects on "Return to X" pages for accessibility.
-* Link to user logs in toolbox when viewing a user page
-* (bug 10508) Allow HTML attributes on <gallery>
-* (bug 1962) Allow HTML attributes on <math>
-* (bug 10530) Introduce optional "sp-contributions-explain" message for
- additional explanation in Special:Contributions
-* (bug 10520) Preview licences during upload via AJAX (toggle with
- $wgAjaxLicensePreview)
-* New Parser::setTransparentTagHook for parser extension and template
- compatibility
-* Introduced 'ContributionsToolLinks' hook; see docs/hooks.txt for more
- information
-* Add a message if category is empty
-* Add CSS compatibility for Opera 9.5
-* Remove largely untested handheld stylesheet, which was causing more trouble
- than good. Proper handheld support will be added at a future date. For now,
- display should be acceptable either with CSS turned off or when using a so-
- phisticated handheld browser.
-* (bug 3173) Option to offer exported pages as a download, rather than displaying
- inline, as in most browsers
-* Pass the user as an argument to 'isValidPassword' hook callbacks; see
- docs/hooks.txt for more information
-* Introduce 'UserGetRights' hook; see docs/hooks.txt for more information
-* (bug 9595) Pass new Revision to the 'ArticleInsertComplete' and
- 'ArticleSaveComplete' hooks; see docs/hooks.txt for more information
-* (bug 9575) Accept upload description from GET parameters
-* Skip the difference engine cache when 'action=purge' is used while requesting
- a difference page, to allow refreshing the cache in case of errors
-* (bug 10701) Link to Special:Listusers in default Special:Statistics messages
-* Improved file history presentation
-* (bug 10739) Users can now enter comments when reverting files
-* Improved handling of permissions errors
-* (bug 10793) "Mark patrolled" links will now be shown for users with
- patrol permissions on all eligible diff pages
-* (bug 10655) Show standard tool links for blocked users in block log messages
-* Show standard tool links for blocked users in Special:Ipblocklist
-* Miscellaneous aesthetic improvements to Special:Ipblocklist
-* (bug 10826) Added link trail with Cyrillic characters for Mongolian language
-* (bug 10859) Introduce 'UserGetImplicitGroups' hook; see docs/hooks.txt for
- more information
-* (bug 10832) Include user information when viewing a deleted revision
-* (bug 10872) Fall back to sane defaults when generating protection selector
- labels for custom restriction levels
-* Show edit count in user preferences
-* Improved support for audio/video extensions
-* (bug 10937) Distinguish overwritten files in upload log
-* Introduce 'ArticleUpdateBeforeRedirect' hook; see docs/hooks.txt for more
- information
-* Confirmation is now required when deleting old versions of files
-* (bug 7535) Users can now enter comments when deleting old versions of files
-* (bug 11001) Submit Special:Newpages as a GET, rather than a POST request
-* The <strong></strong> around links to watched pages in change lists now
- has a class - "mw-watched"
-* (bug 9002) Provide a "view/restore deleted edits" link on Special:Upload
- when a destination filename is provided that corresponds with previous
- deleted files
-* Make the "invalid special page" message clearer
-* Add accesskey 's' and tooltip to 'upload file' button at Special:Upload
-* Introduced 'SkinAfterBottomScripts' hook; see docs/hooks.txt for
- more information
-* (bug 11095) Honour "preview on first edit" preference when preloading
- text for a non-existent page
-* (bug 11022) Use a more accurate page title for Special:Whatlinkshere and
- Special:Recentchangeslinked
-* Add link to user contributions in normal watchlist edit mode
-* (bug 9426) Add 'newsectionheaderdefaultlevel' message to allow
- modification of the heading formatting for new sections when section=new
- argument is supplied
-* (bug 10836) Add 'newsectionsummary' message to allow modification of the
- text that prefixes a new section link in Recent Changes
-
-== Bugfixes since 1.10 ==
-
-* (bug 9712) Use Arabic comma in date/time formats for Arabic and Farsi
-* (bug 9670) Follow redirects when render edit section links to transcluded
- templates.
-* (bug 6204) Fix incorrect unindentation with $wgMaxTocLevel
-* (bug 3431) Suppress "next page" link in Special:Search at end of results
-* Don't show unblock form if the user doesn't have permission to use it
- (cosmetic change, no vulnerabilities existed)
-* Subtitle success message when unblocking a block ID instead of a pseudo link
- like [[User:#123|#123]]
-* Use the standard HTTP fetch functions when retrieving remote wiki pages
- through transwiki, so we can take advantage of cURL goodies if available
-* Disable user JavaScript on Special:Userlogin, Special:Resetpass and
- Special:Preferences, to avoid a compromised script sniffing passwords, etc.
-* (bug 9854, 3770) Clip overflow text in gallery boxes for visual cleanliness
- instead of letting it flow outside the box or trigger ugly scroll bars.
-* Tooltips for print version and permalink
-* Links to the MediaWiki namespace for system messages having their default
- values are no longer shown as nonexistent (e.g., in red)
-* Special:Ipblocklist differentiates between empty list and no search results.
-* (bug 5375) profiling does not respect read-only mode.
-* (bug 7070) monobook/user.gif has antialias artifacts
-* (bug 9123) Safer way when applying $wgLocalTZoffset
-* (bug 9896) Documentation for $wgSquidServers and X-FORWARDED-FOR
-* (bug 9417) Uploading new versions of images when using Postgres no longer
- throws warnings.
-* (bug 9908) Using tsearch2 with Postgres 8.1 no longer gives an error.
-* (bug 1438) Fix for diff table layout on very wide lines.
- Diff style rules have been broken out to common/diff.css,
- and the dupes removed from the default skin files.
- Skins can still override the default rules.
-* (bug 1229) Balance columns in diff display evenly
-* Right-align diff line numbers in RTL language display
-* (bug 9332) Fix instructions in tests/README
-* (bug 9813) Reject usernames containing '#' to avoid silent truncation
- of fragments during the normalisation process
-* (bug 7989) RSS feeds content now use black text when using white background.
-* (bug 9971) Typo in a french language message.
-* (bug 9973) Changed size was shown in advanced recentchanges collapsible items
- with $wgRCShowChangedSized = false.
-* Fix PHP strict standards warning in enhanced recent changes.
-* (bug 5850) Added hexadecimal html entities comments for $digitTransformTable
- entries.
-* (bug 7432) Change language name for Aromanian (roa-rup)
-* (bug 908) Unexistent special pages now generate a red link.
-* (bug 7899) Added \hline and \vline to the list of allowed TeX commands
-* (bug 7993) support mathematical symbol classes
-* (bug 10007) Allow Block IP to work with Postgrs again.
-* Add Google Wireless Transcoder to the Unicode editing blacklist
-* (bug 10083) Fix for Special:Version breakage on PHP 5.2 with some hooks
-* (bug 3624) TeX: \ker, \hom, \arg, \dim treated like \sin & \cos
-* (bug 10132, 10134) Restore back-compatibility Image::imageUrl() function
-* (bug 10113) Fix double-click for view source on protected pages
-* (bug 10117) Special:Wantedpages doesn't handle invalid titles in result
- set [now prints out a warning]
-* (bug 10118) Introduced Special:Mostlinkedtemplates, report which lists
- templates with a high number of inclusion links
-* (bug 10104) Fixed Database::getLag() for PostgreSQL and Oracle
-* (bug 9820) session.save_path check no longer halts installation, but
- warns of possible bad values
-* (bug 9978) Fixed session.save_path validation when using extended
- configuration format, e.g. "5;/tmp"
-* Don't generate a diff link in the patrol log if the page doesn't exist
-* (bug 10067) Translations for former skins removed from message files
-* (bug 9993) Force $wgShowExceptionDetails on during installation
-* (bug 9980) Validate administrator username and password during
- installation
-* (bug 9383) Don't set a default value for BLOB column in rc-deleted
- database patch
-* (bug 10149) Don't show full template list on section-0 edit
-* (bug 9909) Ensure access to binary fields in the math table use encodeBlob()
- and decodeBlob()
-* (bug 6743) Don't link broken image links to the upload form when uploads
- are disabled
-* (bug 9679) Improve documentation for $wgSiteNotice
-* (bug 10215) Show custom editing introduction when editing existing pages
-* (bug 10223) Fix edit link in noarticletext localizations for fr, oc
-* (bug 10247) Fix IP address regex to avoid false positive IPv6 matches
-* (bug 9948) Workaround for diff regression with old Mozilla versions
-* (bug 10265) Fix regression in category image gallery paging
-* (bug 8577) Fix some weird misapplications of time zones.
- {{CURRENT*}} functions now consistently use UTC as intended, while
- {{LOCAL*}} functions return local time per server config or $wgLocaltimezone.
- Signature dates for Japanese and other languages including weekday now show
- the correct day to match the rest of the time in local time.
-* Escape the output of magic variables that return page name or part of it
-* (bug 10309) Initialise parser state properly in extractSections(), fixes
- some cases where section edits broke because tags were improperly stripped
-* Avoid PHP notice errors when doing HTTP proxy purges for an empty list
-* As intended, *skip* the HTTP proxy purges when doing HTCP purges
-* (bug 9696) Fix handling of brace transformations in "pagemovedtext"
-* (bug 10325) Fix regression in form action on Special:Listusers
-* Fixed installation on MyISAM or old InnoDB with charset=utf8, was giving
- overlong key errors.
-* Fixed zero-padding issues with MySQL 5 binary schema
-* (bug 10344) Don't follow a redirect after changing its protection level
-* (bug 10333) Correct date format in Slovenian
-* (bug 10160) Show error message for unknown namespace on Special:Allpages and
- Special:Prefixindex; making forms prettier for RTL wikis.
-* (bug 10334) Replace normal spaces before percent (%) signs with non-breaking
- spaces
-* (bug 10372) namespaceDupes.php no longer ignores namespace aliases
-* (bug 10198) namespaceDupes.php no longer ignores interwiki prefixes
-* namespaceDupes.php should work better for initial-lowercase wikis
-* (bug 10377) "Permanent links" to revisions still work if the page is moved
- and the redirect deleted
-* (bug 7071) Properly handle an 'oldid' passed to view or edit that doesn't
- match the given title. Fixes inconsistencies with talk, history, edit links.
-* (bug 10397) Fix AJAX watch error fallback when we receive a bogus result
-* (bug 10396) Fix AJAX error when $wgScriptPath/index.php is not valid;
- using $wgScript now included in JS info
-* Use native XMLHttpRequest class in preference to ActiveX on IE 7; this
- avoids the "ActiveX "Do you want to allow ActiveX?" prompt when something
- security settings are cranked this way and AJAX-y gets used.
-* Delay AJAX watch initialization until click so IE 6 with ugly security
- settings doesn't prompt you until you use the link.
-* (bug 10401) Provide non-redirecting link to original title in Special:Movepage
-* Fix broken handling of log views for page titles consisting of one
- or more zeros, e.g. "0", "00" etc.
-* Fix read permission check for special pages with subpage parameters, e.g.
- Special:Confirmemail
-* Fix read permission check for unreadable page titles which are numerically
- equivalent to a whitelisted title
-* '?>' closing tag removed from all files to help avoid problems with extraneous
- whitespace (broken XML feeds, etc.)
-* Don't use garbled parser cache output when viewing custom CSS or JavaScript
+== Changes since 1.15.3 ==
+
+* (bug 23534) Fixed SQL query error in API list=allusers.
+* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
+ account" and "create by e-mail" features of [[Special:Userlogin]]
+* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+
+=== Changes since 1.15.2 ===
+
+* (bug 22828) Fixed deletion on SQLite.
+* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
+ be submitted along with the user name and password.
+
+=== Changes since 1.15.1 ===
+
+* The installer now includes a check for a data corruption issue with certain
+ versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug
+ present in the official release of PHP 5.3.1.
+* (bug 20239) MediaWiki:Imagemaxsize does not contain anymore a <br /> tag which
+ was displayed to the user
+* (bug 21150) SQLite no longer raise an error when deleting files
+* (bug 20880) Fixed updater failure on SQLite backend
+* upgrade1_5.php now requires to be run --update option to prevent confusion
+* Fixed a CSS validation issue which allowed external images to be included
+ into wikis where that is disallowed by configuration.
+* Fixed a data leakage vulnerability for private wikis using img_auth.php or
+ similar image access authentication schemes. Check user permissions before
+ streaming out scaled images from thumb.php.
+
+=== Changes since 1.15.0 ===
+
+* Fixed fatal errors for unusual file repository configurations, such as
+ ForeignAPIRepo.
+* Fixed the "change password" link on Special:Preferences to have the correct
+ returnto parameter.
+* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block
+
+=== Changes since 1.15.0rc1 ===
+
+* Removed category redirect feature, implementation was incomplete.
+* (bug 18846) Remove update_password_format(), unnecessary, destroys all
+ passwords if a wiki with $wgPasswordSalt=false is upgraded with the web
+ installer.
+* (bug 19127) Documentation warning for PostgreSQL users who run update.php:
+ use the same user in AdminSettings.php as in LocalSettings.php.
+* Fixed possible web invocation of some maintenance scripts, due to the use of
+ include() instead of require(). A full exploit would require a very strange
+ web server configuration.
+* Localisation updates.
+
+=== Configuration changes in 1.15 ===
+
+* Added $wgNewPasswordExpiry, to specify an expiry time (in seconds) to
+ temporary passwords
+* Added $wgUseTwoButtonsSearchForm to choose the Search form behavior/look
+* Added $wgNoFollowDomainExceptions to allow exempting particular domain names
+ from rel="nofollow" on external links
+* (bug 12970) Brought back $wgUseImageResize.
+* Added $wgRedirectOnLogin to allow specifying a specifc page to redirect users
+ to upon logging in (ex: "Main Page")
+* Add $wgExportFromNamespaces for enabling/disabling the "export all from
+ namespace" option (disabled by default)
+
+=== New features in 1.15 ===
+
+* (bug 2242) Add an expiry time to temporary passwords
+* (bug 9947) Add PROTECTIONLEVEL parser function to return the protection level
+ for the current page for a given action
+* (bug 17002) Add &minor= and &summary= as parameters in the url when editing,
+ to automatically add a summary or a minor edit.
+* (bug 16852) padleft and padright now accept multiletter pad characters
+* When using 'UserCreateForm' hook to add new checkboxes into
+ Special:UserLogin/signup, the messages can now contain HTML to allow
+ hyperlinking to the site's Terms of Service page, for example
+* Add new hook 'UserLoadFromDatabase' that is called while loading a user
+ from the database.
+* (bug 17045) Options on the block form are prefilled with the options of the
+ existing block when modifying an existing block.
+* (bug 17055) "(show/hide)" links to Special:RevisionDelete now use a CSS class
+ rather than hardcoded HTML tags
+* Added new hook 'WantedPages::getSQL' into SpecialWantedpages.php to allow
+ extensions to alter the SQL query which is used to get the list of wanted
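Review bot: the security entries in the new 1.15.x sections (bug 23371 and bug 23076 CSRF, bug 23687 and bug 19693 XSS, the CSS validation issue allowing external images, and the img_auth.php/thumb.php data leakage) carry no affected-version list and no workaround, whereas the removed 1.11 note for the API pretty-printing XSS listed "Not vulnerable versions" and "Vulnerable versions" per branch and gave a LocalSettings.php workaround ("$wgEnableAPI = false;"). Operators who cannot upgrade immediately need the same information here: for each security fix, state which earlier branches are affected and, where one exists, a configuration workaround, and for the login CSRF fix (bug 23076) say whether automated clients that post a user name and password to Special:Userlogin must now supply the token. Heading levels are also inconsistent in the added text: "== Changes since 1.15.3 ==" is at the second level while its siblings "=== Changes since 1.15.2 ===", "1.15.1", "1.15.0" and "1.15.0rc1" are at the third; use one level for all of them. Minor wording: "specifc" in the $wgRedirectOnLogin entry, and "upgrade1_5.php now requires to be run --update option" should read "upgrade1_5.php now requires the --update option to be run".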