X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/mediawiki.git/blobdiff_plain/d75ce11339b35963b5f8c3d53190819c1c025716..19e297c21b10b1b8a3acad5e73fc71dcb35db44a:/RELEASE-NOTES
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d3983380..05c00206 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,1007 +1,878 @@
= MediaWiki release notes =
-== MediaWiki 1.16.0 ==
-
-2010-07-28
-
-This is a stable release of the MediaWiki 1.16 branch.
-
-=== Summary of selected changes in 1.16 ===
-
-Selected changes since MediaWiki 1.15 that may be of interest:
-
-* Watchlists now have RSS/Atom feeds. RSS feeds generally are now hidden,
- since Atom is a better protocol and is supported by virtually all clients.
-
-* It's now possible to block users from sending email via Special:Emailuser.
-
-* The maintenance script system was overhauled. Most maintenance scripts now
- have a useful help page when you run them with --help.
-
-* AdminSettings.php is no longer required in order to run maintenance scripts.
- You can just set $wgDBadminuser and $wgDBadminpassword in your
- LocalSettings.php instead.
-
-* The preferences system was overhauled. Preferences are stored in a more
- compact format. Changes to site default preferences will automatically
- affect all users who have not chosen a different preference.
-
-* Support for SQLite was improved. Some broken features were fixed, and it
- now has an efficient full-text search.
-
-* The user groups ACL system was improved by allowing rights to be revoked,
- instead of just granted.
-
-* A new localisation caching system was introduced, which will make MediaWiki
- faster for almost everyone, especially when lots of extensions are enabled.
-
-By default, this new system makes a lot of database queries. If your database
-is particularly slow, or if your system administrator limits your query count,
-or if you want to squeeze as much performance as possible out of Mediawiki,
-set $wgCacheDirectory to a writable path on the local filesystem. Make sure
-you have the DBA extension for PHP installed, this will improve performance
-further.
-
-== Changes since 1.16 beta 3 ==
-
-* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in
- 1.16 beta 1, but is currently poorly supported by browsers.
-* (bug 23175) Re-added window.ta variable for backwards compatibility.
-* (bug 23264) Fixed breakage of various command line scripts due to extra line
- endings being inserted by Maintenance::output().
-* Fixed HTTP client functionality with safe_mode=On.
-* Fixed parser tests broken in 1.16 beta 3.
-* For Oracle DB backend: fixed parser tests and table prefix feature.
-* (bug 23767) Fixed PHP warning when REQUEST_URI is blank (IIS issue).
-* Fixed plural function for Northern Sami (se)
-* (bug 23597) Fixed conflicts between ID attributes in the Vector skin and
- parser-generated heading IDs. Renamed head, panel, head-base and page-base.
-* Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet.
-* (bug 23465) Don't ignore the predefined destination filename on
- Special:Upload after following a red link to a file.
-* In SQLite full-text search feature: fixed "move page" feature, was non-
- functional.
-* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect
- user privacy in the case where an attacker can access the wiki through the
- same HTTP proxy as a logged-in user.
-* Fixed an XSS vulnerability in profileinfo.php for installations with
- $wgEnableProfileInfo = true (false by default)
-* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being
- false. Fixed a minor header parsing issue when $wgUseXVO = true.
-* Fixed a register_globals arbitrary inclusion vulnerability in
- MediaWikiParserTest.php, introduced in 1.16 beta 1.
-
-== Changes since 1.16 beta 2 ==
-
-* Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of
- invalid usernames.
-* Fixed sorting in [[Special:Allmessages]]
-* (bug 23113) Fixed title in the show/hide links on diff pages
-* (bug 23117) Fixed API rollback, was returning "badtoken" for valid requests
-* (bug 23127) Re-added missing $1 parameter to the uploadtext message
-* Fixed a bug in the Vector skin where personal tools display behind the logo
-* (bug 23139) Fixed a bug in edit conflict resolution, where both textboxes
- showed the same text.
-* (bug 23115, bug 23124) Fixed various problems with
and
elements
- in page views and previews when the language converter is enabled.
-* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image
- scaling, which was introduced in 1.16 beta 1.
-* Improved error checking on installer.
-* (bug 22970) Fixed a JavaScript error in the upload destination conflict
- check.
-* (bug 23167) Check the watch checkbox by default if the watchcreations
- preference is set.
-* (bug 23171) Improve IE6 version check to avoid false positives.
-* (bug 23176) Fixed upload warning override feature "upload new version",
- broken in 1.16 beta 1.
-* Fixed regression in unwatch links sent out in notification emails. When the
- mailing job was deferred via the job queue, the title was incorrect.
-* (bug 23534) Fixed SQL query error in API list=allusers.
-* Fixed a bug in uploads for non-JavaScript clients. An empty string was used
- as the default destination filename, instead of the source filename as
- expected.
-* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
- account" and "create by e-mail" features of [[Special:Userlogin]]
-* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
- validation issue.
-* Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick
- expanded wildcard characters "?" and "*" in image filenames, potentially
- causing large numbers of images to be scaled in response to a single request.
- The fix for this involves breaking the scaling of such image filenames until
- ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details.
-* (bug 23608) Fixed invalid HTML in diff pages.
-
-=== Changes since 1.16 beta 1 ===
-
-* Fixed errors in maintenance/patchSql.php
-* (bug 19627) Fix regression from r57867 where HTMLForm would output
- rather than
-* Fixed broken "-r" option to maintenance/lag.php
-* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
- be submitted along with the user name and password.
-
-=== Configuration changes in 1.16 ===
-
-* (bug 18222) $wgMinimalPasswordLength default is now 1
-* $wgSessionHandler can be used to configure session.save_handler
-* $wgLocalFileRepo/$wgForeignFileRepos now have a 'fileMode' parameter to
- be used when uploading/moving files
-* (bug 18761) $wgHiddenPrefs is a new array for specifying preferences not
- to be shown to users
-* $wgAllowRealName and $wgAllowUserSkin were deprecated in favor of
- $wgHiddenPrefs[] = 'realname', but the former are still retained
- for backwards-compatibility
-* (bug 9257) $wgRCMaxAge now defaults to three months
-* $wgDevelopmentWarnings can be set to true to show warnings about deprecated
- functions and other potential errors when developing.
-* Subpages are now enabled in the MediaWiki namespace by default. This is
- mainly a cosmetic change, and does not in any way affect the MessageCache,
- which was already effectively treating the namespace as if it had subpages.
-* Oracle: maintenance/ora/user.sql script for creating DB user on oracle with
- appropriate privileges. Creating this user with web-install page requires
- oci8.privileged_connect set to On in php.ini.
-* Removed UserrightsChangeableGroups hook introduced in 1.14
-* Added $wgCacheDirectory, to replace $wgFileCacheDirectory,
- $wgLocalMessageCache, and any other local caches which need a place to put
- files.
-* $wgFileCacheDirectory is no longer set to anything by default, and so either
- needs to be set explicitly, or $wgCacheDirectory needs to be set instead.
-* $wgLocalMessageCache has been removed. Instead, set $wgUseLocalMessageCache
- to true
-* Removed $wgEnableSerializedMessages and $wgCheckSerialized. Similar
- functionality is now available via $wgLocalisationCacheConf.
-* $wgMessageCache->addMessages() is deprecated. Messages added via this
- interface will not appear in Special:AllMessages.
-* $wgRegisterInternalExternals can be used to record external links pointing
- to same server
-* (bug 19907) $wgCrossSiteAJAXdomains and $wgCrossSiteAJAXdomainExceptions added
- to control which external domains may access the API via cross-site AJAX.
-* $wgMaintenanceScripts for extensions to add their scripts to the default list
-* $wgMemoryLimit has been added, default value '50M'
-* $wgExtraRandompageSQL is deprecated, the SpecialRandomGetRandomTitle hook
- should be used instead
-* (bug 20489) $wgIllegalFileChars added to override the default list of illegal
- characters in file names.
-* (bug 19646) $wgImgAuthDetails added to display reason access to uploaded file
- was denied to users(img_auth only)
-* (bug 19646) $wgImgAuthPublicTest added to test to see if img_auth set up
- correctly (img_auth only)
-* $wgUploadMaintenance added to disable file deletions and restorations during
- maintenance
-* $wgCapitalLinkOverrides added to configure per-namespace capitalization
-* (bug 21172) $wgSorbsUrl can now be an array with multiple DNSBL and renamed
- to $wgDnsBlacklistUrls (backward compatibility kept)
-* $wgEnableHtmlDiff has been removed
-* (bug 3340) $wgBlockCIDRLimit added (default: 16) to configure the low end of
- CIDR ranges for blocking
-* $wgUseInstantCommons added for quick and easy enabling of Commons as a remote
- file repository
-* $wgDBAhandler added to choose a DBA handler when using CACHE_DBA
-* $wgPreviewOnOpenNamespaces for extensions that create namespaces that behave
- similarly to the category namespace.
-* $wgEnableSorbs renamed to $wgDnsBlacklistUrls ($wgEnableSorbs kept for
- backward compatibility)
-* $wgUploadNavigationUrl now also affects images inline images that do not
- exist. In that case the URL will get (?|&)wpDestFile= appended to
- it as appropriate.
-* If $wgLocaltimezone is null, use the server's timezone as the default for
- signatures. This was always the behaviour documented in DefaultSettings.php
- but has not been the actual behaviour for some time: instead, UTC was used
+Security reminder: MediaWiki does not require PHP's register_globals
+setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
+
+== MediaWiki 1.17.4 ==
+2012-04-25
+
+This a maintenance of the MediaWiki 1.17 branch.
+
+=== Summary of selected changes in 1.17 ===
+
+Selected changes since MediaWiki 1.16 that may be of interest:
+
+* A new installer has been introduced. It has a wizard-style interface which is
+ translated into many languages. Many shortcomings in the old installer were
+ addressed with this rewrite. Note that it is no longer required for the config
+ directory to be made writable by the webserver. Instead the generated
+ LocalSettings.php file is offered as a download, which you must then upload
+ to the wiki's base directory.
+
+* ResourceLoader, a new framework for delivering client-side resources such as
+ JavaScript and CSS, has been introduced. These resources are now delivered
+ through the new entry point script "load.php", instead of as static files
+ served directly by the web server. This allows minification, compression and
+ client-side caching to be used more effectively, which should provide a net
+ performance improvement for most users.
+
+* Category sorting has been improved.
+** Sorting is now case insensitive.
+** Sub-categories, pages and files can now be paged separately.
+** When several pages are given the same sort key, they sort by their
+ names instead of randomly.
+
+* The lowest supported version of PHP is now 5.2.3. If necessary, please
+ upgrade PHP prior to upgrading MediaWiki.
+
+=== Changes since 1.17.3 ===
+
+* (bug 35961) Hash comparison should always be strict.
+* Fix broken email confirmation expiration caused by MWCryptRand changes.
+* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php
+ on line 598.
+
+=== Changes since 1.17.2 ===
+
+* (bug 22555) Remove or skip strip markers from tag hooks like <nowiki> in
+ core parser functions which operate on strings, such as padleft.
+* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token
+ parameter present.
+* (bug 34907) Fixed exposure of tokens through load.php that could have facilitated
+ CSRF attacks.
+* (bug 35317) CSRF in Special:Upload.
+
+=== Changes since 1.17.1 ===
+* (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution.
+* (bug 32709) Private Wiki users were always taken to Special:Badtitle on login.
+
+=== Changes since 1.17.0 ===
+
+* (bug 29535) Added missing Creative Commons CC0 icon.
+* (bug 29726) Fixed failure to load internationalization messages in
+ client-side scripts on WebKit-based browsers.
+* Fixed a bug in message transformation where the previous language could leak
+ into later transformations in the UI language.
+* (bug 29091) Fixed form of native name for Ossetic language (ÐÑÐ¾Ð½Ð°Ñ -> ÐÑон)
+* Fixed maintenance scripts upgrade1_5.php and rebuildImages.php, they did not
+ work at all since 1.17 beta 1.
+* (bug 29531) Fixed img_auth.php for thumbnails and other filenames with
+ multiple dots, was broken by the fix for bug 28840.
+* In the maintenance script purgeList.php, fixed a fatal error when a page
+ title is given, instead of a URL.
+* (bug 19514) Unordered list list-style-image should be IE6-compatible (8-bit).
+* Installer checked for magic_quotes_runtime instead of register_globals.
+* $wgSVGMaxSize is now applied to the smaller of width or height, making very
+ wide pano/timeline/diagram SVGs renderable at saner sizes.
+* (bug 29959) Installer fatal when cURL and allow_url_fopen is disabled and user
+ tries to subsribe to mediawiki-announce.
+* Installer checked for magic_quotes_runtime instead of register_globals
+* (bug 30131) XCache with variable caching disabled no longer used for variable
+ caching (CACHE_ACCEL)
+* (bug 30264) Changed installer-generated LocalSettings.php to use require_once()
+ instead require() for included extensions.
+* (bug 26486) ResourceLoader modules with paths to nonexistent files cause PHP
+ warnings/notices to be thrown
+* (bug 30907) Special:Unusedcategories should sort ascendingly.
+* (bug 30219) The page shown when LocalSettings.php does not exist was broken on
+ Windows servers.
+* Hardcoded NLS_NUMERIC_CHARACTERS for Oracle DB to prevent type conversion errors.
+* Fixed recentchanges FK violation on page delete and cache purge error in updater
+ for Oracle DB.
+* (bug 32276) Skins were generating output using the internal page title which
+ would allow anonymous users to determine wheter a page exists, potentially
+ leaking private data. In fact, the curid and oldid request parameters would
+ allow page titles to be enumerated even when they are not guessable.
+* (bug 32616) action=ajax requests were dispatched to the relevant internal
+ functions without any read permission checks being done. This could lead to
+ data leakage on private wikis.
+
+=== Changes since 1.17.0rc1 ===
+
+* Fixed syntax error in generated LocalSettings.php when a non-default user
+ rights profile is chosen.
+* (bug 29399) Fixed PostgreSQL installation when the DB user for installation
+ is the same as the one for web access.
+* (bug 29233) Fixed failover for DB slave servers. When a DB slave went down,
+ an error was immediately shown to the user, instead of trying another slave.
+ Was broken since 1.17 beta 1.
+* (bug 29278) Fixed PHP fatal error when attempting to add text to a page via a
+ redirect.
+* (bug 29408) Fixed uploads of files with MIME types that aren't detected by
+ MediaWiki.
+* Removed DEFAULT '' NOT NULL field definitions from Oracle DB schema because
+ using the DEFAULT value ('') in DML broke Oracle backend as it treats an
+ empty VARCHAR2 value as NULL. Indexes on Oracle do not require NOT NULL
+ fields.
+
+=== Changes since 1.17 beta 1 ===
+
+* Fixed warning about missing file "password.js".
+* When installing on MySQL, don't attempt to create a new database user if the
+ same user is used for installation and web access.
+* Fixed SQL query errors in queries with table aliases.
+* (bug 27891) Fixed the "chronology protector", broken since 1.17beta1, which
+ ensures that when database replication is used, the new version is seen by
+ the user immediately after they create or edit an article.
+* (bug 28845) Allow PostgreSQL installation using a non-root user account which
+ has role creation abilities.
+* When installing on PostgreSQL and the install account is the same as the web
+ account, check to make sure that the account has suitable privileges in the
+ mediawiki schema.
+* (bug 28172) Fixed error in PostgreSQL installation when creating the wiki
+ sysop account.
+* Fixed an issue with the Oracle installer in cases where the user is different
+ to the database name.
+* Added "unblockself" to the list of available rights.
+* In the installer, fixed the "user rights profile" option, it never worked.
+* (bug 29117) Fixed Hebrew localisation of the installer.
+* (bug 28840) Reduce the collateral damage caused by the fix for bug 28235 (XSS
+ on Internet Explorer 6 due to a file extension in the query string) by
+ reducing the number of URLs that are blocked, and by redirecting the request
+ to a safer URL where possible instead of blocking it.
+* (bug 28812) Fixed documentation of API action=parse.
+* (bug 28979) Fixed styling of and .
+* Fixed the error message displayed when you try to create an account by email,
+ but an email address is not given.
+* Fixed JS error due to missing dependency for jquery.suggestions.
+* Exposed $wgExtensionAssetsPath in JavaScript.
+* (bug 28738) Made ResourceLoader support environments with small URL length
+ limits. The length limit can be configured via $wgResourceLoaderMaxQueryLength,
+ and this is set automatically in the generated LocalSettings.php when the
+ php.ini variable "suhosin.get.max_value_length" is set. When a URL exceeds
+ this limit, the request is split up. Also, reduced the average length of
+ load.php URLs by using a more compact parameter format.
+* (bug 25262) Fix for minification of hardcoded data: URIs in CSS.
+* (bug 25124) Respect $wgStyleDirectory in ResourceLoader.
+* Allow installation when no HTTP client is available, don't throw an exception.
+* (bug 27465) Fix metadata extraction for SVG files using unusual namespace
+ names.
+* (bug 29174) Fix regression in upload-by-URL: uploading files larger than the
+ PHP memory limit should work again.
+* Fixed the display of comments in the new user log.
+* (bug 28237) When installing extensions using the web-based installer, create
+ any necessary database tables.
+* (bug 28983) Fixed automated installation of extensions that overwrite $path.
+* Fixed error caused by missing magic words.
+* Fixed breakage of article editing in PostgreSQL due to text search
+ configuration errors.
+* Fixed the HTTPS client used when Curl is not available. This avoids an error
+ during install about failure of the mediawiki-announce subscription.
+* (bug 28162) When installing to PostgreSQL, respect the "database port" input,
+ it was ignored.
+
+=== Configuration changes in 1.17 ===
+
+* $wgLogAutocreatedAccounts controls whether autocreation of accounts is logged
+ to new users log.
+* (bug 22858) $wgLocalStylePath is by default set to the same value as
+ $wgStylePath but should never point to a different domain than the site is
+ on, allowing skins to use .htc files which are not cross-domain friendly.
+* $wgFileStore has been deprecated. The only usage $wgFileStore['deleted'] has
+ been turned into $wgDeletedDirectory.
+* $wgDeletedDirectory has been added to specify what directory to place deleted
+ uploads in.
+* IBM DB2 database no longer uses the db specific $wgDBport_db2 variable but the
+ normal $wgDBport.
+* $wgCategoryPrefixedDefaultSortkey was removed and is now always false. This
+ provides more sensible sorting behavior for categories.
+* Removed unused globals: $wgEnableSerializedMessages, $wgCheckSerialized,
+ $wgUseMemCached, $wgDisableSearchContext, $wgColorErrors, $wgUseZhdaemon,
+ $wgZhdaemonHost and $wgZhdaemonPort.
+* (bug 24408) The include_path is not modified in the default LocalSettings.php
+* $wgVectorExtraStyles was removed, and is no longer in use.
+* Removed $wgUpdates for database updates; extensions should use
+ DatabaseUpdater::addExtensionUpdate() via the LoadExtensionSchemaUpdates hook.
+* Removed $wgServerName. It doesn't need to be set anymore and is no longer
+ available as input for other configuration items, either.
+* It's no longer necessary for LocalSettings.php to include DefaultSettings.php.
+* It's no longer necessary to set $wgCacheEpoch to the file modification time
+ of LocalSettings.php, in LocalSettings.php itself. Instead, this is done
+ automatically if $wgInvalidateCacheOnLocalSettingsChange is true (which is
+ the default).
+* $wgCopyrightIcon is deprecated and $wgFooterIcons['copyright']['copyright']
+ should be used instead.
+* $wgSysopUserBans is deprecated, and will be made permanently true in 1.18.
+ If you need this functionality, you should use the BlockIp hook to filter and
+ reject such blocks.
+* $wgSysopRangeBans is deprecated, you should set $wgBlockCIDRLimit to maximum
+ (32 for IPv4, 128 for IPv6), equivalent to allowing rangeblocks of only 1
+ address at a time.
+
+=== New features in 1.17 ===
+
+* (bug 10183) Users can now add personal styles and scripts to all skins via
+ User:/common.css and /common.js (if user css/js is enabled).
+* (bug 22748) Add anchors on Special:ListGroupRights.
+* (bug 21981) Add parameter 'showfilename' to to automatically
+ apply the names of the individual files within the gallery.
+* Future-proof redirection to fragments in Gecko, so things work a little nicer
+ if they fix .
+* Support git:// and mms:// protocols by default for external links.
+* (bug 15810) Blocked admins can no longer unblock themselves without the
+ 'unblockself' permission (which they have by default).
+* (bug 18499) Added "enhanced" URL parameter to switch between old and enhanced
+ changes list.
+* (bug 22925) "sp-contributions-blocked-notice-anon" message now displayed when
+ viewing contributions of a blocked IP address.
+* (bug 22474) {{urlencode:}} now takes an optional second parameter for type of
+ escaping.
+* Special:Listfiles now supports a username parameter.
+* Special:Random carries over query string parameters.
+* (bug 23206) Add Special::Search hook for detecting successful "Go".
+* When visiting a "red link" of a deleted file, a deletion and move log excerpt
+ is provided on the Upload form.
+* (bug 22647) Add category details in search results.
+* (bug 23276) Add hook to Special:NewPages to modify query.
+* Add accesskey 's' and tooltip to 'Save' button at Special:Preferences.
+* Add accesskey 'b' and tooltip to the summary field of edit mode.
+* (bug 20186) Allow filtering Special:Contributions for RevisionDeleted edits.
+* ajaxwatch now uses the API and JQuery, and can be used to animate arbitrary
+ watch links, not just to watch the page the link is on.
+* (bug 20976) "searchmenu-new-nocreate" message now displayed when when there
+ is no title match in search and the user has no rights to create pages.
+* (bug 23429) Added new hook WatchlistEditorBuildRemoveLine.
+* (bug 22844) Added support for WinCache object caching (for IIS).
+* (bug 23580) Add two new events to LivePreview so that scripts can be notified
+ about the beginning and finishing of LivePreview actions.
+* (bug 21278) Now the sidebar allows inclusion of wiki markup.
+* (bug 23733) Add IDs to messages used on CSS/JS pages.
+* Show validity period of the login cookie in Special:UserLogin and
+ Special:Preferences.
+* Interlanguage links display the page title in their tooltip.
+* (bug 23621) New Special:ComparePages to compare (diff) two articles.
+* (bug 4597) Provide support in Special:Contributions to show only "current"
+ contributions
+* (bug 17857) {{anchorencode}} acts more like how the parser creates section ids
+* (bug 21477) \& can now be used in
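Review bot: The security fixes in the added 1.17.x sections sit among ordinary bug fixes with nothing marking them as security-relevant, so an administrator skimming the notes cannot tell which point releases are urgent. This applies under "Changes since 1.17.2" (bug 34212 ApiBlock/ApiUnblock acting without a token, bug 34907 token exposure through load.php, bug 35317 CSRF in Special:Upload), under "Changes since 1.17.1" (bug 33117 deleted text exposed through cache pollution), and at the end of "Changes since 1.17.0" (bug 32276 and bug 32616, both described as data leaks on private wikis). Suggest grouping these in a security sub-list or prefixing each entry, and rewording "(bug 35961) Hash comparison should always be strict." so it says what is compared and what the impact was. Smaller points in the same hunk: "This a maintenance of the MediaWiki 1.17 branch." is missing words (for example "This is a maintenance release of ..."); the entry "Installer checked for magic_quotes_runtime instead of register_globals" appears twice under "Changes since 1.17.0"; "subsribe", "wheter" and "when when" are typos; and the Ossetic native name in the bug 29091 entry appears mis-encoded here, so it is worth confirming the file is committed as UTF-8.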