= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.

This is a security and maintenance release.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN

=== Changes since 1.15.2 ===

* (bug 22828) Fixed deletion on SQLite.
* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
  be submitted along with the user name and password.
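
How a login token of this kind can be checked, as an added PHP example (not MediaWiki's own code; the function names, the `loginToken` session key and the sample account are hypothetical, and the session is modelled as a plain array so the script runs from the command line):

```php
<?php
// Added illustration, not MediaWiki code. Function names, the 'loginToken'
// session key and the sample account are hypothetical.

/** Store a fresh random token in the visitor's session and return it so the
 *  login form can embed it as a hidden field. */
function issueLoginToken(array &$session): string
{
    $session['loginToken'] = bin2hex(random_bytes(16));
    return $session['loginToken'];
}

/** Process a login POST. The token is checked before the credentials: a form
 *  submitted from another site cannot read the session token, so it is
 *  rejected even when the user name and password it carries are valid. */
function handleLogin(array &$session, array $post, array $users): string
{
    $expected  = $session['loginToken'] ?? '';
    $submitted = $post['token'] ?? '';
    if ($expected === '' || !is_string($submitted)
        || !hash_equals($expected, $submitted)) {
        return 'bad-token';
    }
    unset($session['loginToken']);      // a token is valid for one attempt

    $name     = $post['name'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($name) || !is_string($password)
        || !isset($users[$name])
        || !password_verify($password, $users[$name])) {
        return 'bad-credentials';
    }
    $session['user'] = $name;           // real code also renews the session ID
    return 'ok';
}

// Constructed sample data.
$users = ['Alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$creds = ['name' => 'Alice', 'password' => 'correct horse'];

// 1. Form rendered by the wiki: the token travels with the credentials.
$session = [];
$token = issueLoginToken($session);
echo 'with token:    ', handleLogin($session, $creds + ['token' => $token], $users), "\n";

// 2. Same credentials posted without the token, as a cross-site form would.
$session = [];
issueLoginToken($session);
echo 'without token: ', handleLogin($session, $creds, $users), "\n";

// 3. A token that was already consumed by an earlier attempt.
$session = [];
$token = issueLoginToken($session);
handleLogin($session, $creds + ['token' => $token], $users);
echo 'reused token:  ', handleLogin($session, $creds + ['token' => $token], $users), "\n";
```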

=== Changes since 1.15.1 ===

* The installer now includes a check for a data corruption issue with certain
  versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug
  present in the official release of PHP 5.3.1.
* (bug 20239) MediaWiki:Imagemaxsize no longer contains a <br /> tag which
  was displayed to the user
* (bug 21150) SQLite no longer raises an error when deleting files
* (bug 20880) Fixed updater failure on SQLite backend
* upgrade1_5.php must now be run with the --update option, to prevent confusion
* Fixed a CSS validation issue which allowed external images to be included
  into wikis where that is disallowed by configuration.
* Fixed a data leakage vulnerability for private wikis using img_auth.php or
  similar image access authentication schemes. thumb.php now checks user
  permissions before streaming out scaled images.

=== Changes since 1.15.0 ===

* Fixed fatal errors for unusual file repository configurations, such as
* Fixed the "change password" link on Special:Preferences to have the correct
* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block

=== Changes since 1.15.0rc1 ===

* Removed category redirect feature, implementation was incomplete.
* (bug 18846) Remove update_password_format(), unnecessary, destroys all
  passwords if a wiki with $wgPasswordSalt=false is upgraded with the web
* (bug 19127) Documentation warning for PostgreSQL users who run update.php:
  use the same user in AdminSettings.php as in LocalSettings.php.
* Fixed possible web invocation of some maintenance scripts, due to the use of
  include() instead of require(). A full exploit would require a very strange
  web server configuration.
* Localisation updates.

=== Configuration changes in 1.15 ===

* Added $wgNewPasswordExpiry, to specify an expiry time (in seconds) to
* Added $wgUseTwoButtonsSearchForm to choose the Search form behavior/look
* Added $wgNoFollowDomainExceptions to allow exempting particular domain names
  from rel="nofollow" on external links
* (bug 12970) Brought back $wgUseImageResize.
* Added $wgRedirectOnLogin to allow specifying a specific page to redirect users
  to upon logging in (ex: "Main Page")
* Add $wgExportFromNamespaces for enabling/disabling the "export all from
  namespace" option (disabled by default)

=== New features in 1.15 ===

* (bug 2242) Add an expiry time to temporary passwords
* (bug 9947) Add PROTECTIONLEVEL parser function to return the protection level
  for the current page for a given action
* (bug 17002) Add &minor= and &summary= as parameters in the url when editing,
  to automatically add a summary or a minor edit.
* (bug 16852) padleft and padright now accept multiletter pad characters
* When using 'UserCreateForm' hook to add new checkboxes into
  Special:UserLogin/signup, the messages can now contain HTML to allow
  hyperlinking to the site's Terms of Service page, for example
* Add new hook 'UserLoadFromDatabase' that is called while loading a user
* (bug 17045) Options on the block form are prefilled with the options of the
  existing block when modifying an existing block.
* (bug 17055) "(show/hide)" links to Special:RevisionDelete now use a CSS class
  rather than hardcoded HTML tags
* Added new hook 'WantedPages::getSQL' into SpecialWantedpages.php to allow
  extensions to alter the SQL query which is used to get the list of wanted
* (bugs 16957/16969) Add show/hide to preferences for RC patrol options on
* (bug 11443) Auto-noindex user/user talk pages for blocked user
* (bug 11644) Add $wgMaxRedirects variable to control how many redirects are
  recursed through until the "destination" page is reached.
* Add $wgInvalidRedirectTargets variable to prevent redirects to certain
* Use HTML5 rel attributes for some links, where appropriate
* Added optional alternative Search form look - Go button & Advanced search
  link instead of Go button & Search button
* (bug 2314) Add links to user custom CSS and JS to Special:Preferences
* More helpful error message on raw page access if PHP_SELF isn't set
* (bug 13040) Gender switch in user preferences
* (bug 13040) {{GENDER:}} magic word for interface messages
* (bug 3301) Optionally sort user list according to account creation time
* Remote description pages for foreign file repos are now fetched in the
* (bug 17180) If $wgUseFileCache is enabled, $wgShowIPinHeader is automatically
* (bug 16604) Mark non-patrolled edits in feeds with "!"
* (bug 16604) Show title/rev in IRC for patrol log
* (bug 16854) Whether a page is being parsed as a preview or section preview
  can now be determined and set with ParserOptions.
* Wrap message 'confirmemail_pending' into a div with CSS classes "error" and
  "mw-confirmemail-pending"
* (bug 8249) The magic words for namespaces and pagenames can now be used as
  parser functions to return the desired namespace or normalized title/title
  part for a given title.
* (bug 17110) Styled #mw-data-after-content in cologneblue.css to match the
* (bug 7556) Time zone names in signatures lack i18n
* (bug 3311) Automatic category redirects
* (bug 17236) Suppress 'watch user page link' for IP range blocks
* Wrap message 'searchresulttext' (Special:Search) into a div with
  class "mw-searchresult"
* (bug 15283) Interwiki imports can now fetch included templates
* Treat svn:// URLs as external links by default
* New function to convert namespace text for display (only applies on wiki with
  LanguageConverter class)
* (bug 17379) Contributions-title is now parsed for magic words.
* Preprocessor output now cached in memcached.
* (bug 14468) Lines in classic RecentChanges and Watchlist have classes
  "mw-line-odd" and "mw-line-even" to make styling using css possible.
* (bug 17311) Add a note beside the gender selection menu to tell users that
  this information will be public
* Localize time zone regions in Special:Preferences
* Add NUMBEROFACTIVEUSERS magic word, which is like NUMBEROFUSERS, but uses
  the active users data from site_stats.
* Add a <link rel="canonical"> tag on redirected page views
* Replace hardcoded '...' as indication of a truncation with the
* Wrap warning message 'editinginterface' into a div with class
  'mw-editinginterface'
* (bug 17497) Oasis opendocument added to mime.types
* Remove the link to Special:FileDuplicateSearch from the "file history" section
  of image description pages as the list of duplicated files is shown in the
* Added $wgRateLimitsExcludedIPs, to allow specific IPs to be whitelisted from
* (bug 14981) Shared repositories can now have display names, located at
  Mediawiki:Shared-repo-name-REPONAME, where REPONAME is the name in
* Special:ListUsers: Sort list of usergroups by alphabet
* (bug 16762) Special:Movepage now shows a list of subpages when possible
* (bug 17585) Hide legend on Special:Specialpages from non-privileged users
* Added $wgUseTagFilter to control enabling of filter-by-change-tag
* (bug 17291) MediaWiki:Nocontribs now has an optional $1 parameter for the
* Wrap special page summary message '$specialPageName-summary' into a div
  with class 'mw-specialpage-summary'
* $wgSummarySpamRegex added to handle edit summary spam. This is used *instead*
  of $wgSpamRegex for edit summary checks. Text checks still use $wgSpamRegex.
* New function to convert content text to specified language (only applies on wiki with
  LanguageConverter class)
* (bug 17844) Redirect users to a specific page when they log in, see
* Added a link to Special:UserRights on Special:Contributions for privileged users
* (bug 10336) Added new magic word {{REVISIONUSER}}, which displays the editor
  of the displayed revision's author user name
* LinkerMakeExternalLink now has an $attribs parameter for link attributes and
  a $linkType parameter for the type of external link being made
* (bug 17785) Dynamic dates surrounded with a <span> tag, fixing sortable tables
* (bug 4582) Provide preference-based autoformatting of unlinked dates with the
  dateformat parser function.
* (bug 17886) Special:Export now allows you to export a whole namespace (limited
* (bug 17714) Limited TIFF upload support now built in if 'tif' extension is
  enabled. Image width and height are now recognized, and when using ImageMagick,
  optional flattening to PNG or JPEG for inline display can be enabled by setting
* Renamed two input IDs on Special:Log from 'page' and 'user' to 'mw-log-page' and
  'mw-log-user', respectively
* Added $wgInvalidUsernameCharacters to disallow certain characters in
  usernames during registration (such as "@")
* Added $wgUserrightsInterwikiDelimiter to allow changing the delimiter
  used in Special:UserRights to denote the user should be searched for
  on a different database
* Add a class if 'missingsummary' is triggered to allow styling of the summary

=== Bug fixes in 1.15 ===

* (bug 16968) Special:Upload no longer throws useless warnings.
* (bug 17000) Special:RevisionDelete now checks if the database is locked
  before trying to delete the edit.
* (bug 16852) padleft and padright now handle multibyte characters correctly
* (bug 17010) maintenance/namespaceDupes.php now adds the suffix recursively if
  the destination page exists
* (bug 17035) Special:Upload now fails gracefully if PHP's file_uploads has
* Fixing the caching issue by using -{T|xxx}- syntax (only applies on wiki with
  LanguageConverter class)
* Improving the efficiency by using -{A|xxx}- syntax (only applies on wiki with
  LanguageConverter class)
* (bug 17054) Added more descriptive errors in Special:RevisionDelete
* (bug 11527) Diff on page with one revision shows "Next" link to same diff
* (bug 8065) Fix summary forcing for new pages
* (bug 10569) redirects to Special:Mypage and Special:Mytalk are no longer
  allowed by default. Change $wgInvalidRedirectTargets to re-enable.
* (bug 3043) Feed links of given page are now preceded by standard feed icon
* (bug 17150) escapeLike now escapes literal \ properly
* Inconsistent use of sysop, admin, administrator in system messages changed
* (bug 14423) Check block flag validity for block logging
* DB transaction and slave-lag avoidance tweaks for Email Notifications
* (bug 17104) Removed [Mark as patrolled] link for already patrolled revisions
* (bug 17106) Added 'redirect=no' and 'mw-redirect' class to redirects at
* Rollback links on new pages removed from "user contributions"
* (bug 15811) Re-upload form tweaks: license fields removed, destination locked,
  comment label uses better message
* Whole HTML validation ($wgValidateAllHtml) now works with external tidy
* Parser tests no longer fail when $wgExternalLinkTarget is set in
* (bug 15391) catch DBQueryErrors on external storage insertion. This avoids
  error messages on save where the edit in fact is saved.
* (bug 17184) Remove duplicate "z" accesskey in MonoBook
* Parser tests no longer fail when $wgAlwaysUseTidy is set in LocalSettings.php
* Removed redundant dupe warnings on reupload for the same title. Dupe warnings
  for identical files at different titles are still given.
* Add 'change tagging' facility, where changes can be tagged internally with
  certain designations, which are displayed on various summaries of changes,
  and the entries can be styled with CSS.
* (bug 17207) Fix regression breaking category page display on PHP 5.1
* Categoryfinder utility class no longer fails on invalid input or gives wrong
  results for category names that include pseudo-namespaces
* (bug 17252) Galician numbering format
* (bug 17146) Fix for UTF-8 and short word search for some possible MySQL
* (bug 7480) Internationalize database error message
* (bug 16555) Number of links to mediawiki.org scaled back on post-installation
* (bug 14938) Removing a section no longer leaves excess whitespace
* (bug 17304) Fixed fatal error when thumbnails couldn't be generated for file
* (bug 17283) Remove double URL escaping in show/hide links for log entries
  and RevisionDeleteForm::__construct
* (bug 17105) Numeric table sorting broken
* (bug 17231) Transcluding special pages on wikis using language conversion no
  longer affects the page title
* (bug 6702) Default system messages updated/improved
* (bug 17190) User ID on preference page no longer has delimiters
* (bug 17341) "Powered by MediaWiki" should be on the left on RTL wikis
* (bug 17404) "userrights-interwiki" right was missing in User::$mCoreRights
* (bug 7509) Separation strings should be configurable
* (bug 17420) Send the correct content type from action=raw when the HTML file
* (bug 12746) Do not allow new password e-mails when wiki is in read-only mode
* (bug 17478) Fixed a PHP Strict standards error in
  maintenance/cleanupWatchlist.php
* (bug 17488) RSS/Atom links in left toolbar are now localized in classic skin
* (bug 17472) use print <<<EOF in maintenance/importTextFile.php
* Special:PrefixIndex: Move table styling to shared.css, add CSS IDs to tables
  use correct message 'allpagesprefix' for input form label, replace _ with ' '
* (bug 17506) Exceptions within exceptions now respect $wgShowExceptionDetails
* Fixed excessive job queue utilisation
* File dupe messages for remote repos are now shown only once.
* (bug 14980) Messages 'shareduploadwiki' and 'shareduploadwiki-desc' are now
  used as a parameter in 'sharedupload' for easier styling and customization.
* (bug 17482) Formatting error in Special:Preferences#Misc (Opera)
* (bug 17556) <link> parameters in Special:Contributions feeds (RSS and Atom)
  now point to the actual contributors' feed.
* ForeignApiRepos now fetch MIME types, rather than trying to figure it locally
* Special:Import: Do not show input field for import depth if
  $wgExportMaxLinkDepth == 0
* (bug 17570) $wgMaxRedirects is now correctly respected when following
  redirects (was previously one more than $wgMaxRedirects)
* (bug 16335) __NONEWSECTIONLINK__ magic word to suppress new section link.
* (bug 17581) Wrong index name in PostgreSQL's updater: was rc_timestamp_nobot,
  changed to rc_timestamp_bot
* (bug 17437) Fixed incorrect link to web-based installer
* (bug 17538) Use shorter URLs in <link> elements
* (bug 13778) Hidden input added to the search form so that using the Enter key
  on IE will do a fulltext search like clicking the button does
* (bug 1061) CSS-added icons next to links display through the text and makes
* Special:Wantedtemplates now works on PostgreSQL
* (bug 14414) maintenance/updateSpecialPages.php no longer throws error with
* (bug 17546) Correct Tongan language native name is "lea faka-Tonga"
* (bug 17621) Special:WantedFiles has no link to Special:Whatlinkshere
* (bug 17460) Client encoding is now correctly set for PostgreSQL
* (bug 17648) Prevent floats from intruding into edit area in previews if no
* (bug 17692) Added (list of members) link to 'user' in Special:Listgrouprights
* (bug 17707) Show file destination as plain text if &wpForReUpload=1
* (bug 10172) Moved setting of "changed since last visit" flags out of the job
* (bug 17761) "show/hide" link in page history now works for the first
  displayed revision if it's not the current one
* (bug 17722) Fix regression where users are unable to change temporary passwords
* (bug 17799) Special:Random no longer throws a database error when a
  non-namespace is given, silently falls back to NS_MAIN
* (bug 17751) The message for bad titles in WantedPages is now localized
* (bug 17860) Moving a page in the "MediaWiki" namespace using SuppressRedirect
  no longer corrupts the message cache
* (bug 17900) Fixed User Groups interface log display after saving groups.
* (bug 17897) Fixed string offset error in <pre> tags
* (bug 17778) MediaWiki:Catseparator can now have HTML entities
* (bug 17676) Error on Special:ListFiles when using Postgres
* Special:Export doesn't use raw SQL queries anymore
* (bug 14771) Thumbnail links to individual DjVu pages no longer have
  two "page" parameters
* (bug 17972) Special:FileDuplicateSearch form now works correctly on wikis that
  don't use PathInfo or short urls
* (bug 17990) trackback.php now has a trackback.php5 alias and works with
* (bug 14990) Parser tests work again with PostgreSQL
* (bug 11487) Special:Protectedpages doesn't list protections with pr_expiry
* (bug 18018) Deleting a file redirect leaves behind a malfunctioning redirect
* (bug 17537) Disable bad zlib.output_compression output on HTTP 304 responses
* (bug 11213) [edit] section links in printable version no longer appear when
  you cut-and-paste article text
* (bug 17405) "Did you mean" to mirror Go/Search behavior of original request
* (bug 18116) 'edittools' is now output identically on edit and upload pages
* (bug 17241) The diffonly URI parameter should cascade to "Next edit" and
  "Previous edit" diff links
* (bug 16823) 'Sidebar search form should not use Special:Search view URL as
* (bug 16343) Non-existing, but in use, category pages can be "go" match hits
* Fixed the circular template inclusion check, was broken when the loop
  involved redirects. Without this, infinite recursion within the parser is
* (bug 17611) Provide a sensible error message on install when the SQLite data
* (bug 16937) Fixed PostgreSQL installation on Windows, workaround for upstream
* (bug 11451) Fix upgrade from MediaWiki 1.2 or earlier (imagelinks schema).
* Fixed SQLite indexes, installation and upgrade. Reintroduced it as an option
* (bug 18170) Fixed a PHP warning in Parser::preSaveTransform() in PHP 5.3
* (bug 8873) Enable variant conversion in text on 'alt' and 'title' attributes

=== API changes in 1.15 ===

* (bug 16858) Revamped list=deletedrevs to make listing deleted contributions
  and listing all deleted pages possible
* (bug 16844) Added clcategories parameter to prop=categories
* (bug 17025) Add "fileextension" parameter to meta=siteinfo&siprop=
* (bug 17048) Show the 'new' flag in list=usercontribs for the revision that
  created the page, even if it's not the top revision
* (bug 17069) Added ucshow=patrolled|!patrolled to list=usercontribs
* action=delete respects $wgDeleteRevisionsLimit and the bigdelete user right
* (bug 15949) Add undo functionality to action=edit
* (bug 16483) Kill filesort in ApiQueryBacklinks caused by missing parentheses.
  Building query properly now using makeList()
* (bug 17182) Fix pretty printer so URLs with parentheses in them are
* (bug 17224) Added siprop=rightsinfo to meta=siteinfo
* (bug 17239) Added prop=displaytitle to action=parse
* (bug 17317) Added watch parameter to action=protect
* (bug 17007) Added export and exportnowrap parameters to action=query
* (bug 17326) BREAKING CHANGE: Changed output format for iiprop=metadata
* (bug 17355) Added auwitheditsonly parameter to list=allusers
* (bug 17007) Added action=import
* BREAKING CHANGE: Removed rctitles parameter from list=recentchanges because
  of performance concerns
* Listing (semi-)deleted revisions and log entries as well in prop=revisions
* (bug 11430) BREAKING CHANGE: Modules may return fewer results than the
  limit and still set a query-continue in some cases
* (bug 17357) Added movesubpages parameter to action=move
* (bug 17433) Added bot flag to list=watchlist&wlprop=flags output
* (bug 16740) Added list=protectedtitles
* Added mainmodule and pagesetmodule parameters to action=paraminfo
* (bug 17502) meta=siteinfo&siprop=namespacealiases no longer lists namespace
  aliases already listed in siprop=namespaces
* (bug 17529) rvend ignored when rvstartid is specified
* (bug 17626) Added uiprop=email to list=userinfo
* (bug 13209) Added rvdiffto parameter to prop=revisions
* Manual language conversion improve: Now we can include both ";" and ":" in
* (bug 17795) Don't report views count on meta=siteinfo if $wgDisableCounters
* (bug 17774) Don't hide read-restricted modules like action=query from users
  without read rights, but throw an error when they try to use them.
* Don't hide write modules when $wgEnableWriteAPI is false, but throw an error
  when someone tries to use them
* BREAKING CHANGE: action=purge requires write rights and, for anonymous users,
* (bug 18099) Using appendtext to edit a non-existent page causes an interface
  message to be included in the page text
* (bug 18601) generator=backlinks returns invalid continue parameter
* (bug 18597) Internal error with empty generator= parameter
* (bug 18617) Add xml:space="preserve" attribute to relevant tags in XML output

=== Languages updated in 1.15 ===

MediaWiki supports over 300 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of MediaZilla reports.

* Austrian German (de-at) (new)
* Swiss Standard German (de-ch) (new)
* Simplified Gan Chinese (gan-hans) (new)
* Traditional Gan Chinese (gan-hant) (new)
* Literary Chinese (lzh) (new)
* Uyghur (Latin script) (ug-latn) (renamed from 'ug')
* Võro (vro) (renamed from fiu-vro)
* (bug 17151) Add magic word alias for #redirect for Vietnamese
* (bug 17288) Messages improved for default language (English)
* (bug 12937) Update native name for Afar
* (bug 16909) 'histlegend' now reuses messages instead of copying them
* (bug 17832) action=delete returns 'unknownerror' instead of 'permissiondenied'
  when the user is blocked
* Traditional/Simplified Gan Chinese conversion support

MediaWiki 1.15 requires PHP 5 (5.2 recommended). PHP 4 is no longer supported.

PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing:
http://bugs.php.net/bug.php?id=34879
Upgrade affected systems to PHP 5.1 or higher.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

1.15 has several database changes since 1.14, and will not work without schema

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

Some output, particularly involving user-supplied inline HTML, may not
produce 100% valid or well-formed XHTML output. Testers are welcome to
set $wgMimeType = "application/xhtml+xml"; to test for remaining problem
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)

For notes on 1.14.x and older releases, see HISTORY.

=== Online documentation ===

Documentation for both end-users and site administrators is currently being
built up on MediaWiki.org, and is covered under the GNU Free Documentation
License (except for pages that explicitly state that their contents are in

http://www.mediawiki.org/wiki/Documentation

A MediaWiki-l mailing list has been set up distinct from the Wikipedia

http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

There's usually someone online in #mediawiki on irc.freenode.net