Hosting MediaWiki

MediaWiki

MediaWiki is open-source wiki software, originally developed in 2002 to run the Wikipedia platform.

One-click installation

Easy updates

Backup and restore

Information

Application: Wiki
Category: Community software
Current version: 1.33.0
Last update: 20 August 2019
Languages: German + 333 others

System requirements

Installation size: 210.00 MB
Database: mysql
License: open-source

What's new?

1.33.0

(Major release)
20 August - 210MB
  • Update installer link to PHP intl.
  • Only attempt to deduplicate if there is data in archive and revision tables.
  • Fetch tag ID before calling undefineTag().
  • Detect APC for MainCacheType in CLI installer.
  • Call unpack() with correct parameters in MimeAnalyzer.php for PHP 7.0 support.
  • Style change tags correctly on Special:NewPages.
  • Fix SQLite patch-(page|template)links-fix-pk.sql column order.

New Configuration
  • $wgEnablePartialBlocks – This enables the Partial Blocks feature, which gives accounts with block permissions the ability to block users, IPs, and IP ranges from editing specific pages, while allowing them to edit the rest of the wiki. It is a temporary setting for gradual enablement; it currently defaults to `false`, and will be set to `true` and then removed once initial development completes.

Changed Configuration
  • $wgChangeTagsSchemaMigrationStage — This temporary setting, added in MediaWiki 1.32, now defaults to MIGRATION_NEW instead of MIGRATION_WRITE_BOTH.
  • $wgPasswordPolicy – There is a new password policy to check that the account's password is not in the large blacklist. This is enabled by default for the built-in user groups bureaucrat, sysop, interface-admin, and bot. To configure this for other user groups, set the `PasswordNotInLargeBlacklist` flag `true`.
  • $wgPasswordDefault – There is a new password type configuration using Argon2 password hashing (which requires PHP 7.2 and above). It's designed to resist timing attacks, and (on systems with PHP 7.3+) GPU hacking; if you configure argon2 to be used, it will by default automatically choose the best available algorithm depending on which version of PHP you have available. To use this, you can set $wgPasswordDefault = 'argon2';.
  • $wgActorTableSchemaMigrationStage now defaults to reading the new schema. update.php will back-populate the new database fields due to the changed setting, which may take some time on large wikis. You can avoid downtime by following a process like that described in task T188327.

Removed Configuration
  • $wgTagStatisticsNewTable — This temporary setting, added in MediaWiki 1.32, has now been removed. When loading Special:Tags, MediaWiki will now always use the change_tag_def instead of the change_tag table.
  • $wgUseTidy, $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy – These options, all deprecated since 1.26, have now all been removed, as MediaWiki now always tidies user output. The $wgTidyConfig setting remains only for experimental features and debugging, and should not be used.
  • $wgEnableParserCache – This setting, deprecated since 1.26, has now been removed. If you still want to disable the parser cache, you can instead set $wgParserCacheType = CACHE_NONE;.
  • $wgCommentTableSchemaMigrationStage – This temporary migration setting has now been removed. Code finding it unset should treat it as being MIGRATION_NEW.
  • $wgAuth – This old setting, deprecated in 1.27, has been removed as part of the removal of AuthPlugin.
  • $wgSitesCacheFile – This configuration was introduced in 1.25 with the intent to allow sites to configure a file in which to cache the SiteStore database table, but it was never used. SiteStore already caches its information by default using BagOStuff (e.g. Memcached or APC).
  • $wgClockSkewFudge – This setting was used by User.php to let sites adjust by how much MediaWiki would fudge when trying to minimize the chances of a user.user_touched database update to the "current" timestamp being before the value already there (e.g. due to clock skew between different servers). This is no longer a problem, because the code now ensures the timestamp is always higher than the previous one. The writes are guarded with CAS logic (check and set), which prevents updates that would overlap.
  • $wgDBmysql5 - This experimental setting, deprecated in 1.31, has been removed.

New User-facing Features
  • __EXPECTUNUSEDCATEGORY__ on a category page causes the category to be hidden on Special:UnusedCategories.
  • SVGs are now by default displayed in wiki language on image pages.
  • Special:CreateAccount now warns the user if their chosen username has to be normalized.
  • Multilingual images are now displayed in the current parse language where available.
  • Special:ActiveUsers will no longer filter out users who became inactive since the last time the active users query cache was updated.
  • RecentChange and ManualLogEntry implement new Taggable interface.
  • Added a hook, ManualLogEntryBeforePublish, to allow extensions to modify (example: add tags) log entries.

New Developer Features
  • The AuthManagerLoginAuthenticateAudit hook has a new parameter for additional information about the authentication event.
  • TextContent::getText() was introduced as a replacement for Content::getNativeData() for text-based content models.
  • LinksUpdate::getAddedExternalLinks() and LinksUpdate::getRemovedExternalLinks() were introduced.
  • Added MaintenanceUpdateAddParams hook
  • The MarkPatrolled hook has a new parameter for the tags associated with this entry in the patrol log.
  • Extensions can now specify platform abilities they require to work, limited to shell access for now.

New External Libraries
  • Added wikimedia/password-blacklist 0.1.4.
  • Added guzzlehttp/guzzle 6.3.3.

Changed External Libraries
  • Updated OOUI from v0.29.2 to v0.31.3.
  • Updated OOjs Router from pre-release to v0.2.0.
  • Updated moment from v2.19.3 to v2.24.0.
  • Updated wikimedia/xmp-reader from 0.6.0 to 0.6.2.
  • Updated wikimedia/scoped-callback from 2.0.0 to 3.0.0.
  • Updated jquery-client from 2.0.1 to 2.0.2.
  • Updated pear/net_smtp from 1.8.0 to 1.8.1.
  • Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
  • Updated wikimedia/php-session-serializer from 1.0.6 to 1.0.7.

Removed External Libraries
  • jquery.ui.spinner, deprecated since 1.31, was removed.

New developer libraries
  • Added jakub-onderka/php-console-highlighter 0.3.2 explicitly (dev-only).
  • Added mediawiki/mediawiki-phan-config 0.5.0 (dev-only).

Changed Developer Libraries
  • Updated wikimedia/ip-set from 1.3.0 to 2.0.1 (the deprecated IPSet\IPSet alias was removed, Wikimedia\IPSet must be used instead).
  • Updated psy/psysh from 0.9.6 to 0.9.9 (dev-only).
  • Updated nikic/php-parser from 3.1.3 to 3.1.5 (dev-only).
  • Updated mediawiki/mediawiki-codesniffer from 22.0.0 to 25.0.0 (dev-only).
  • Updated qunitjs from 2.6.2 to 2.9.1.

Removed Developer Libraries
  • The jetbrains/phpstorm-stubs repository was removed in favour of the minimal stubs we need, which are kept in the new `.phan/internal_stubs` directory (dev-only).

Bug Fixes
  • Special:UserRights could sometimes fail with a "conflict detected" error when there weren't any conflicts.
  • Chrome redirects to Special:BadTitle after editing a section with a non-Latin name on a page with non-Latin characters in title.
  • resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies().

Action API Changes
  • Added ApiOptions hook.
  • The JSON formatversion=2 is no longer experimental.
  • Internal API errors (those with code beginning "internal_api_error") will include the exception class name in a data field named "errorclass".
      - Class names are not guaranteed to remain stable, and in particular database exceptions will now include the "Wikimedia\Rdbms\" prefix in the class name.
      - The code including an exception class name is deprecated. In the future, all internal errors will use code "internal_api_error".
  • When using action=delete on pages with many revisions, the module may return a boolean-true 'scheduled' and no 'logid'. This signifies that the deletion will be processed via the job queue.
  • action=setnotificationtimestamp will now update the watchlist asynchronously if entirewatchlist is set, so updates may not be visible immediately
  • Block info will be added to "blocked" errors from more modules.
  • Autoblocks will now be spread by action=edit and action=move.
  • action=query&meta=userinfo has a new uiprop, 'latestcontrib', that returns the date of user's latest contribution.
  • action=logout must now be POSTed and include a CSRF token.

Action API Internal Changes
  • A number of deprecated methods for API documentation, intended for overriding by extensions, are no longer called by MediaWiki, and will emit deprecation notices if your extension attempts to use them: ApiBase::getDescription() (deprecated in 1.25), ApiBase::getParamDescription() (deprecated in 1.25), ApiBase::getExamples() (deprecated in 1.25), ApiBase::getDescriptionMessage() (deprecated in 1.30)
  • Additionally, the APIGetDescription and APIGetParamDescription hooks have been removed, as their only use was to let extensions override values returned by getDescription() and getParamDescription(), respectively.
  • API error codes may only contain ASCII letters, numbers, underscore, and hyphen. Methods such as ApiBase::dieWithError() and ApiMessageTrait::setApiCode() will throw an InvalidArgumentException if passed a bad code.
  • ApiBase::checkTitleUserPermissions() now takes an options array as its third parameter. Passing a User object or null is deprecated.
  • The api-feature-usage log channel now has log context. The text message is deprecated and will be removed in the future.

Languages Updated
  • Added language support for Eastern Pwo (kjp).
  • Fixed a translation error on Goan Konkani (gom-deva) translations for NS_TEMPLATE.
  • Added $digitTransformTable for Santali (sat).
  • Added language support for Saisiyat (xsy).
  • Added support for new Japanese era name "Reiwa"

Breaking Changes
  • The parameter $lang in DifferenceEngine::setTextLanguage must be of type Language. Other types are deprecated since 1.32.
  • Skin::doEditSectionLink requires type Language for the parameter $lang. The parameters $tooltip and $lang are mandatory. Omitting the parameters is deprecated since 1.32.
  • Language::truncate(), deprecated in 1.31, has been removed.
  • UtfNormal, deprecated in 1.25, was removed. Use UtfNormal\Validator directly instead.
  • In OOUI HTMLForm fields, the parameters 'notice', 'notice-messages', and 'notice-message', which were deprecated in 1.32, were removed. Instead, use 'help', 'help-message', and 'help-messages'.
  • HTMLFormField::getNotices(), deprecated in 1.32, was removed.
  • The "Parsoid v1" compatibility mappings in ParsoidVirtualRESTService and RestbaseVirtualRESTService, deprecated since 1.26, have been removed. Use the RESTBase v1 or Parsoid v3 API instead.
  • ParserOptions defaults 'tidy' to true now, since the untidy modes of the parser are being deprecated and ParserOptions::getCanonicalOverrides() has always been true at any rate.
  • Support for disabling tidy and external tidy implementations has been removed. This was deprecated in 1.32. The pure PHP Remex tidy implementation is now used and no configuration is necessary.
  • A number of deprecated methods for API documentation, intended for overriding by extensions, are no longer called by MediaWiki, and will emit deprecation notices if your extension attempts to use them: ApiBase::getDescription() (deprecated in 1.25), ApiBase::getParamDescription() (deprecated in 1.25), ApiBase::getExamples() (deprecated in 1.25), ApiBase::getDescriptionMessage() (deprecated in 1.30)
  • Additionally, the APIGetDescription and APIGetParamDescription hooks have been removed, as their only use was to let extensions override values returned by getDescription() and getParamDescription(), respectively.
  • The authentication hooks AbortAutoAccount, AbortNewAccount, AbortLogin, LoginUserMigrated, UserCreateForm, and UserLoginForm, all deprecated by the creation of AuthManager in 1.27, have been removed. This also means that the FakeAuthTemplate and LoginForm classes are removed, that FakeAuthTemplate is no longer passed into LoginSignupSpecialPage->getFieldDefinitions(), and that LoginSignupSpecialPage->getBCFieldDefinitions() is removed.
  • The 'jquery.localize' module, deprecated in 1.32, has been removed. Instead, use 'jquery.i18n'.
  • The hooks LanguageGetSpecialPageAliases and LanguageGetMagic, deprecated since 1.16, have now been removed. Instead, use $specialPageAliases or $magicWords respectively in a $wgExtensionMessagesFiles file.
  • The following methods of the Preferences class, deprecated in 1.31, have been removed: getSaveBlacklist(), loadPreferenceValues(), getOptionFromUser(), profilePreferences(), skinPreferences(), filesPreferences(), datetimePreferences(), renderingPreferences(), editingPreferences(), rcPreferences(), watchlistPreferences(), searchPreferences(), miscPreferences(), generateSkinOptions(), getDateOptions(), getImageSizes(), getThumbSizes(), validateSignature(), cleanSignature(), getTimezoneOptions(), filterIntval(), filterTimezoneInput(), getTimeZoneList()
  • mw.util.jsMessage(), deprecated in 1.20, was removed. Use mw.notify instead.
  • User::EDIT_TOKEN_SUFFIX was removed. It was deprecated since 1.27.
  • The 'mediawiki.api' module aliases, deprecated in 1.32, have been removed. Specifically: mediawiki.api.category, mediawiki.api.edit, mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse, mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch, mediawiki.api.messages, and mediawiki.api.rollback.
  • The 'jquery.byteLimit' module alias for 'jquery.lengthLimit', deprecated in 1.31, was removed.
  • Revision::fetchRevision(), deprecated in 1.28, was removed.
  • Class SquidUpdate, deprecated in 1.27, was removed.
  • Title->getSquidURLs(), deprecated in 1.27, was removed. Instead, use Title->getCdnUrls().
  • Title::escapeFragmentForURL(), deprecated in 1.30, was removed. Use Sanitizer::escapeIdForLink() or escapeIdForExternalInterwiki() instead.
  • Title->canTalk(), deprecated in 1.30, was removed. Instead, use Title->canHaveTalkPage().
  • Title's methods for site and user page related to CSS and JS, deprecated in 1.31, were removed:
      - Title->isCssOrJsPage() – Use Title->isSiteConfigPage()
      - Title->isCssJsSubpage() – Use Title->isUserConfigPage()
      - Title->getSkinFromCssJsSubpage() – Use Title->getSkinFromConfigSubpage()
      - Title->isCssSubpage() – Use Title->isUserCssConfigPage()
      - Title->isJsSubpage() – Use Title->isUserJsConfigPage()
  • SiteSQLStore, deprecated in 1.27 and whose only method, SiteSQLStore::newInstance(), would return the global SiteStore instance, has been removed. You can get to this via MediaWiki\MediaWikiServices::getInstance()->getSiteStore() directly.
  • Linker::formatSize, deprecated in 1.28, has been removed (with DummyLinker's). Instead, use Language->formatSize() with the relevant Language object.
  • Linker::formatTemplates, deprecated in 1.28, has been removed (along with the version in DummyLinker). You can use TemplatesOnThisPageFormatter directly.
  • EventRelayerGroup::singleton(), deprecated in 1.27, has been removed. You can use MediaWikiServices::getInstance()->getEventRelayerGroup() directly.
  • LinkCache->addLink(), deprecated in 1.27, has been removed. It is thought to be unused, and is distinct from OutputPage->addLink(), which remains.
  • JsonContent->getJsonData(), deprecated in 1.25, has been removed. Instead, use JsonContent->getData().
  • MWExceptionHandler::getLogId(), deprecated in 1.27, has been removed, as the exception ID is the same as the request ID, from WebRequest::getRequestId().
  • SearchEngine::getNearMatchResultSet(), deprecated in 1.27, has been removed. You can use SearchEngine::getNearMatcher() instead.
  • EmailNotification::updateWatchlistTimestamp, deprecated in 1.27, has been removed. Instead, use WatchedItemStore::updateNotificationTimestamp directly.
  • User::getGroupName() and User::getGroupMember(), both deprecated in 1.29, have been removed. Instead, please use UserGroupMembership::getGroupName() and UserGroupMembership::getGroupMemberName().
  • Backwards compatibility for setting wgSessionsInObjectCache to false or using wgSessionHandler, both of which were deprecated in 1.27 with the introduction of SessionManager, has been removed.
  • SessionManager::autoCreateUser, deprecated in 1.27, has been removed. Use MediaWiki\Auth\AuthManager::autoCreateUser instead.
  • The mw.libs.jpegmeta property, deprecated in 1.31, was removed. Use require( 'mediawiki.libs.jpegmeta' ) instead.
  • The mw.user.stickyRandomId() method, deprecated in 1.32, was removed. Use mw.user.getPageviewToken() instead.
  • Removed deprecated class property WikiRevision::$importer.
  • ResourceLoaderFileModule::readStyleFiles() now requires its $context parameter.
  • The ChangeList::insertArticleLink() method, that was deprecated in 1.27, has been removed.
  • MessageBlobStore::__construct() now requires its $rl parameter.
  • Second parameter to Sanitizer::escapeIdReferenceList() (deprecated in 1.31) has been removed.
  • The 'jquery.xmldom' module has been removed.
  • The 'jquery.mockjax' module has been removed.
  • The 'jquery.hidpi' module, deprecated in 1.32, has been removed.
  • AuthPlugin and related code, deprecated in 1.27, has been removed. Extensions should instead use AuthManager. The following no longer exist:
      - The AuthPlugin class itself and the related AuthPluginUser class and i18n
      - The AuthPluginSetup and AuthPluginAutoCreate hooks
      - The transitional wrapper classes AuthPluginPrimaryAuthenticationProvider, AuthManagerAuthPlugin, and AuthManagerAuthPluginUser.
      - The $wgAuth configuration setting and its use in Setup.php and unit tests
  • The 'wgAvailableSkins' mw.config key in JavaScript, was removed.
  • Language::markNoConversion, deprecated in 1.32, has been removed. Use LanguageConverter::markNoConversion instead.
  • BagOStuff::modifySimpleRelayEvent() method has been removed.
  • ParserOutput::getLegacyOptions, deprecated in 1.30, has been removed. Use ParserOutput::allCacheVaryingOptions instead.
  • CdnCacheUpdate::newSimplePurge, deprecated in 1.27, has been removed. Use CdnCacheUpdate::newFromTitles() instead.
  • Handling of multiple arguments by the Block constructor, deprecated in 1.26, has been removed.
  • The translation of main page in Sardinian (sc) was changed from "Pàgina Base" to "Pàgina printzipale". Existing wikis using this content language need to move the main page or change the name through MediaWiki:Mainpage page.
  • wfSplitWikiID(), deprecated in 1.32, has been removed.
  • MessageBlobStore::getBlob(), deprecated in 1.27, has been removed. Use MessageBlobStore::getBlobs() instead.
  • The .background-size() LESS mixin, deprecated in 1.27, has been removed.
  • ReadOnlyMode::clearCache() and ConfiguredReadOnlyMode::clearCache() have been removed. Use MediaWikiTestCase::overrideMwServices() instead.

Deprecations
  • The configuration option $wgUseESI has been deprecated, and is expected to be removed in a future release.
  • The configuration option $wgSquidPurgeUseHostHeader has been deprecated, and is expected to be removed in a future release.
  • The configuration options $wgFixArabicUnicode and $wgFixMalayalamUnicode, introduced in MW 1.17, have been deprecated. These fixes will always be applied for Arabic and Malayalam in the future. Please enable these on your local wiki (if you have them explicitly set to false) and run maintenance/cleanupTitles.php to fix any existing page titles.
  • The LegacyHookPreAuthenticationProvider class, deprecated since its creation in 1.27 as part of the AuthManager re-write, now emits deprecation warnings. This will help identify the issue if you added it to $wgAuthManagerConfig.
  • wfSplitWikiId() is now deprecated. Cache key generation should have the wiki domain ID as a key component and use makeGlobalKey().
  • Title::getUserCaseDBKey() is deprecated; instead, please use Title::getDBKey(), which doesn't vary case.
  • User::getPasswordValidity() is now deprecated. User::checkPasswordValidity() returns the same information in a more useful format.
  • For Linker::generateTOC() and Linker::tocList(), passing strings or booleans as the $lang parameter was deprecated. The same applies to DummyLinker.
  • The PasswordPolicy 'PasswordCannotBePopular' has been deprecated. To follow best practices, it is recommended to use 'PasswordNotInLargeBlacklist' instead, which blacklists 100,000 commonly used passwords.
  • Action::requiresUnblock() is now called from Title::getUserPermissionsErrors() and Title::userCan(). Previously, the method was only called in Action::checkCanExecute(). Actions should ensure that their requiresUnblock() returns the proper result (the default is `true`).
  • The MediaWiki\Services namespace has been renamed to Wikimedia\Services. The old name is still supported, but deprecated.
  • Content::getNativeData has been deprecated. Please use model-specific getters, such as TextContent::getText().
  • The class WebInstallerOutput is now marked as @private.
  • The jquery.async module has been deprecated. JavaScript code that needs asynchronous behaviour should use Promises.
  • Password::equals() is deprecated, use verify().
  • BaseTemplate::msgWiki() and QuickTemplate::msgWiki() will be removed. Use other means to fetch a properly escaped message string or Message object.
  • The 'ResourceLoaderTestModules' hook, which lets you declare QUnit testing code for your JavaScript modules, is deprecated. Instead, you can now use the new extension registration key 'QUnitTestModule'.
  • The jquery.throttle-debounce module has been deprecated. JavaScript code that needs this behaviour should use OO.ui.debounce/throttle.
  • The mw.language.specialCharacters property from the 'mediawiki.language.specialCharacters' module has been deprecated. Use require( 'mediawiki.language.specialCharacters' ) instead.
  • ChangeTags::purgeTagUsageCache() has been deprecated, and is expected to be removed in a future release.
  • Passing a User object or null as the third parameter to ApiBase::checkTitleUserPermissions() has been deprecated. Pass an array [ 'user' => $user ] instead.
  • Block::prevents is deprecated. Use Block::isEmailBlocked, Block::isCreateAccountBlocked and Block::isUsertalkEditAllowed to get and set block properties; use Block::appliesToRight and Block::appliesToUsertalk to check block behaviour.
  • The api-feature-usage log channel now has log context. The text message is deprecated and will be removed in the future.
  • The FileBasedSiteLookup class has been deprecated. For a cacheable SiteLookup implementation, use CachingSiteStore instead.
  • The Language::viewPrevNext function is deprecated; use SpecialPage::buildPrevNextNavigation instead.
  • ManualLogEntry::setTags() is deprecated, use ManualLogEntry::addTags() instead. The setTags() method was overriding the tags, addTags() doesn't override, only adds new tags.
  • Block::isValid is deprecated, since it is no longer needed in core.
  • Calling Maintenance::hasArg() as well as Maintenance::getArg() with no parameter has been deprecated. Please pass the argument number 0.
  • ResourceLoaderContext::expandModuleNames has been deprecated. Use ResourceLoader::expandModuleNames instead.

Other Changes
  • Html::openElement() warns if given an element name with a space in it.
  • The implementation of buildStringCast() in Wikimedia\Rdbms\Database has changed to explicitly cast. Subclasses relying on the base-class implementation should check whether they need to override it now.
  • BagOStuff::add is now abstract and must explicitly be defined in subclasses.
  • LinksDeletionUpdate is now a subclass of LinksUpdate. As a consequence, the following hooks will now be triggered upon page deletion in addition to page updates: LinksUpdateConstructed, LinksUpdate, LinksUpdateComplete. LinksUpdateAfterInsert is not triggered since deletions do not cause insertions into links tables.
  • Category::newFromID( $id )->getID() will now return $id without any validation, to avoid a mostly unnecessary DB query.
  • On Special:Version, the name for an extension can no longer be arbitrary html when no link is specified.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.33

1.32.2

(Security update)
7 June - 210MB
Security
  • (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover.
  • (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table.
  • (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users loading that script.
  • (T208881) blacklist CSS var().
  • (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API.
  • (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly.
  • (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them.
  • (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF).
  • (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags.
  • (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
  • (T221739, CVE-2019-11358) Fix potential XSS in jQuery.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32.2

1.32.1


8 May - 210MB
  • (T213577) rdbms: avoid transaction status errors from ping() in rollback().
  • rdbms: Pass required parameter.
  • rdbms: do not treat SAVEPOINT and RELEASE SAVEPOINT as write queries.
  • (T204531) rdbms: reduce LoadBalancer replication log spam.
  • (T213489) Avoid session double-start in Setup.php.
  • (T213717) Correct namespace 'Template' for gom-deva
  • (T198054) Fix login page crash caused by unknown language via ?uselang
  • (T215324) (T210937) list=users mistakenly reports user as missing.
  • (T209483) Add ILBFactory::redefineLocalDomain method. This is intended for use with scripts like addWiki.php to avoid mismatched domain errors.
  • (T208871) The hard-coded Google search form on the database error page was removed.
  • (T204800) Fix Title::getFragmentForURL for bad interwiki prefix
  • (T215566) Fix installer being unable to determine if the database exists during a fresh installation.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32.1

1.32.0

(Major release)
17 January - 210MB

WARNINGS
Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).
  • Fix slow queries in migrateActors.php.
  • Fix $magicWords for the Sanskrit language.
  • Fix addition of ug_expiry column to user_groups table on MSSQL.
  • Fix the cache timestamp for forced updates.
  • User: Bypass repeatable-read when creating an actor_id.
  • Extensions can now specify PHP versions and PHP extensions they depend on.
  • Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
  • When using action=delete on pages with many revisions, the module may return a boolean-true 'scheduled' and no 'logid'. This signifies that the deletion will be processed via the job queue.
  • Dropped columns category.cat_hidden, site_stats.ss_admins, and recentchanges.rc_cur_time from the PostgreSQL schema.
  • Prevent populateSearchIndex.php from breaking once actor migration has been started.
  • Properly set $wgLanguageCode in the generated LocalSettings.php if --lang is used with the command-line installer (install.php).
  • Multiple changes to configuration and API

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32

1.31.2

(Security update)
7 June - 210MB
Security
  • (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover.
  • (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table.
  • (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users loading that script.
  • (T208881) blacklist CSS var().
  • (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API.
  • (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly.
  • (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them.
  • (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF).
  • (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags.
  • (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
  • (T221739, CVE-2019-11358) Fix potential XSS in jQuery.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.31.2

1.31.1

(Major release) (Security update)
17 January - 210MB
Highlights
  • $wgRateLimits entry for 'user' overrides 'newbie'.
  • BotPasswords can bypass CentralAuth's account lock.
  • Tarball was missing .htaccess files.
  • Bundle Nuke extension, it was accidentally omitted.
  • Fix undefined patchPath() method call in parser tests.
  • Fix various selectFields methods to use the string 'NULL', not null.
  • Special:BotPasswords now requires reauthentication.
  • Add 'logid' parameter to Special:Log.
  • Indicate when a Bot Password needs reset.
  • GitInfo: Don't try shelling out if it's disabled.
  • Log email changes.
  • Fix performance regression when multiple DB used without caching.
  • PHPSessionHandler: Suppress headers warnings in initialize().
  • (T196793) Exif: Guard against uncountable tag values.
  • Fix total breakage of SQLite web upgrade.
  • Fix pingback over-reporting on non-MySQL databases
  • Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
  • Initialize PSR-4 namespaces at same stage as normal autoloader.
  • Hide MySQL binary/utf-8 charset option in the installer.
  • Don't allow setting $wgDBmysql5 in the installer.
  • php-memcached 3.0 (provided with PHP 7.0) is now supported.
  • UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
  • Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
  • The mtime of extension.json files is now able to be zero
  • Validate $length in padleft/padright parser functions.
  • Make $wgEmailConfirmToEdit only affect edit actions.
  • Drop archive.ar_text and ar_flags.
  • Add default edit rate limit of 90 edits/minute for all users.
  • Use codepoint as tiebreaker when getting first-letters in IcuCollation.
  • Don't shell during the installer if shelling out is disabled.
  • Improve duplicate config setting exception as part of extension registration.
  • Don't require trailing slash in PSR-4 autoloader directory.
  • Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
  • Do not incorrectly hide namespace input field in the installer.
  • Refactor checks looking for PEAR mail libraries to be clearer.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.30

1.30.1

(Security update)
1 October 2018 - 210MB
  • (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.
  • (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.
  • (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
  • Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
  • (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
  • (T190503) Let built-in web server (maintenance/dev) handle .php requests.
  • (T167507) selenium: Run Chrome headlessly.
  • selenium: Pass -no-sandbox to Chrome under Docker.
  • (T179190) selenium: Move logic for running tests from package.json to selenium.sh
  • (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
  • Add default edit rate limit of 90 edits/minute for all users.
  • (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
  • oojs/oojs-ui updated to remove an unnecessary dependency.
  • (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
  • (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
  • (T196672) The mtime of extension.json files is now able to be zero
  • (T180403) Validate $length in padleft/padright parser functions.
  • (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
  • (T193995) Fix undefined patchPath() method call in parser tests.
  • Special:BotPasswords now requires reauthentication.
  • (T191608, T187638) Add 'logid' parameter to Special:Log.
  • (T193829) Indicate when a Bot Password needs reset.
  • (T151415) Log email changes.
  • (T200861) Fix total breakage of SQLite web upgrade.
  • (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
  • (T190539) Explicitly require Postgres 9.1.
  • (T118420) Unbreak Oracle installer.

Read more: http://mediawiki.org/wiki/Release_notes/1.30.1

1.30.0

(Major release)
3 April 2018 - 210MB

WARNING
DUE TO CHANGES IN THE DATABASE SCHEMA, UPDATING TO 1.30.x FROM A PREVIOUS BRANCH MAY TAKE QUITE LONG (MINUTES ON A MEDIUM SIZED SITE, POTENTIALLY MANY HOURS ON A LARGE SITE).

1.30.0 is the latest major release of MediaWiki.

Highlights
  • Added the ability to search for contributions within an IP range at Special:Contributions. References to revisions made by IPs are stored in the ip_changes table to make querying for ranges more efficient.
  • Output from Parser::parse() will now be wrapped in a <div> with class="mw-parser-output" by default. This may be changed or disabled using ParserOptions::setWrapOutputClass().
  • Added the 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-specific tags to be added by users.
  • Added the 'ParserOptionsRegister' hook to allow extensions to register additional parser options.
  • Included Pig Latin, a language game in English, as a LanguageConverter variant. This allows English-speaking developers to develop and test LanguageConverter more easily. Pig Latin can be enabled by setting $wgUsePigLatinVariant to true.
  • Added the 'RecentChangesPurgeRows' hook to allow extensions to purge data that depends on the recentchanges table.
  • Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.

Configuration Changes
  • The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid unexpected behavior when code uses locale-sensitive string comparisons. For example, the Scribunto extension considers "bar" < "Foo" in most locales since it ignores case.
  • $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See documentation of $wgShellLocale for details.
  • $wgShellLocale is now applied for all requests. wfInitShellLocale() is deprecated and a no-op, as it is no longer needed.
  • $wgJobClasses may now specify callback functions as an alternative to plain class names. This is intended for extensions that want control over the instantiation of their jobs, to allow for proper dependency injection.
  • $wgResourceModules may now specify callback functions as an alternative to plain class names, using the 'factory' key in the module description array. This allows dependency injection to be used for ResourceLoader modules.
  • $wgExceptionHooks has been removed.
  • $wgUsePigLatinVariant added (off by default).
  • $wgRangeContributionsCIDRLimit was introduced to control the size of IP ranges that can be queried at Special:Contributions.

Action API Changes
  • action=parse output will be wrapped in a <div> with class="mw-parser-output" by default. This may be changed or disabled using the new 'wrapoutputclass' parameter.
  • When errorformat is not 'bc', abort reasons from action=login will be formatted as specified by the error formatter parameters.
  • action=compare can now handle arbitrary text, deleted revisions, and returning users and edit comments.
  • The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto', 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree' parameters to prop=revisions are deprecated, as are the similarly named parameters to prop=deletedrevisions, list=allrevisions, and list=alldeletedrevisions. Use action=compare, action=parse, or action=expandtemplates instead.
  • ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are deprecated. The existing message should be split between "apihelp-*-summary" and "apihelp-*-extended-description".
  • Individual values of multi-valued parameters can now be marked as deprecated.

Misc Changes
  • The use of an associative array for $wgProxyList, where the IP address is in the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]). Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
  • mw.user.bucket (deprecated in 1.23) was removed.
  • LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are deprecated. There are no known callers.
  • File::getStreamHeaders() was deprecated.
  • MediaHandler::getStreamHeaders() was deprecated.
  • Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be used instead.
  • MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace() should be used instead.
  • The ExtractThumbParameters hook (deprecated in 1.21) was removed.
  • The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both deprecated in 1.24) were removed.
  • wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and BagOStuff::makeGlobalKey() should be used instead.
  • Preprocessor handling of LanguageConverter markup has been improved. As a result of the new uniform handling, '-{' may need to be escaped (for example, as '-<nowiki/>{') where it occurs inside template arguments or wikilinks.
  • Page moves are now counted as edits for the purposes of autopromotion, i.e., they increment the user_editcount field in the database.
  • Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for manipulating Special:Log and Special:NewPages lines.
  • The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData, PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding hooks have an additional parameter, for manipulating HTML data attributes of RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the $data['attribs'] subarray.
  • The OutputPage::enableTOC() method was removed.
  • WikiPage::getParserOutput() will now throw an exception if passed ParserOptions that would pollute the parser cache. Callers should use WikiPage::makeParserOptions() to create the ParserOptions object and only change options that affect the parser cache key.
  • Article::viewRedirect() is deprecated.
  • DeprecatedGlobal no longer supports passing in a direct value, it requires a callable factory function or a class name.
  • The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton() are all deprecated. The main ParserCache instance should be obtained from MediaWikiServices instead. Access to the underlying BagOStuff is possible through the new ParserCache::getCacheStorage() method.
  • .mw-ui-constructive CSS class (deprecated in 1.27) was removed.

Languages
  • Support for kbp (Kabɩyɛ / Kabiyè) was added.

Read more: http://mediawiki.org/wiki/Release_notes/1.30

1.29.2

(Major release) (Security update)
29 November 2017 - 180MB

WARNING
DUE TO CHANGES IN THE DATABASE SCHEMA, UPDATING TO 1.29.x FROM A PREVIOUS BRANCH MAY TAKE QUITE LONG (MINUTES ON A MEDIUM SIZED SITE, POTENTIALLY MANY HOURS ON A LARGE SITE).

1.29.2
This is a security and maintenance release of the MediaWiki 1.29 branch.

Security
  • Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
  • BotPassword login attempts weren't throttled.
  • Reflected File Download from api.php.
  • Do not reveal if user exists during login failure.
  • Ensure Message::rawParams can't lead to XSS.
  • Make anchor for headlines escape > and and onTransactionIdle.
  • (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
  • (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
  • (T167798) Fix phrase search and highlighting for phrase queries.
  • (T151136) Provide credits information to callbacks in extension registration.
  • (T160462) Allow namespaces defined in extension.json to be overwritten locally.
  • (T168337) Fix ErrorPageError to work from non-UI contexts.
  • (T143788) Backports for PHP 7.0 and 7.1 support.
  • (T175439) Unbreak Postgres Updater when setting defaults for a column.
  • (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
  • (T174255) Declare uploadCount property in importDump.php.

Read more: http://mediawiki.org/wiki/Release_notes/1.28

1.28.2

(Major release)
23 May 2017 - 170MB

Configuration changes
  • $wgSend404Code now affects status code of action=history if the page is not there.
  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown.
  • The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations.
  • Upload dialog's file upload log comment can now be configured separately for local and foreign uploads.
  • $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog.
  • The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension.
  • When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default.
  • When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes".
  • The 'editcontentmodel' permission is now granted to all logged-in users ('user') instead of just administrators ('sysop'). Documentation for this feature is available at Help:ChangeContentModel.
  • $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
  • Magic links are now disabled by default, and can be re-enabled by modifying the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on Requests for comment/Future of magic links and explain your use case(s).
  • New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting.

New features
  • User::isBot() method for checking if an account is a bot role account.
  • Added a new 'slideshow' mode for galleries.
  • Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
  • Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing.
  • Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash.
  • (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed.
  • (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script.
  • Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar.
  • mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki.
  • After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
  • Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules.

External library changes
  • Updated es5-shim from v4.1.5 to v4.5.8
  • Updated composer/semver from v1.4.1 to v1.4.2
  • Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
  • Added wikimedia/scoped-callback v1.0.0
  • Added wikimedia/wait-condition-loop v1.0.1

Bug fixes
  • (T146496) action=history pages should return 404 HTTP error code if the page does not exist
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '' in inline blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()

Action API changes
  • Added 'maxarticlesize' property to action=query&meta=siteinfo which contains the value of $wgMaxArticleSize.
  • Property 'modulemessages' from action=parse&prop=modules was removed (deprecated since 1.26).
  • The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state.
  • Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator) instead of the pipe character. This will be useful if some of the multiple values need to contain pipes, e.g. for action=options.
  • The API will now warn if input is not NFC-normalized Unicode or if it contains invalid characters.
  • The 'normalized' list output by action=query and other modules that use ApiPageSet may contain entries where the 'from' value is percent-encoded as the raw value cannot be represented in a valid API response. These are indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
  • (T28680) action=paraminfo can now return info about all submodules of a module without listing them all explicitly.
  • (T146770) It is now possible to assert that the current user is a specific named user, using the 'assertuser' parameter.
  • (T141963) Added a 'known' property when missing-but-known titles (e.g. from the 'TitleIsAlwaysKnown' hook) are output in various modules.

Action API internal changes
  • Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with ApiParse and ApiExpandTemplates.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • ApiBase::getResultData() was removed (deprecated since 1.25)
  • ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
  • ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
  • ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
  • ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
  • ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
  • ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
  • ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
  • ApiFormatBase::setHelp() was removed (deprecated since 1.25)
  • ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
  • ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
  • ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
  • ApiMain::setHelp() was removed (deprecated since 1.25)
  • ApiResult::beginContinuation() was removed (deprecated since 1.25)
  • ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
  • ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
  • ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
  • ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
  • ApiResult::endContinuation() was removed (deprecated since 1.25)
  • ApiResult::getData() was removed (deprecated since 1.25)
  • ApiResult::getIsRawMode() was removed (deprecated since 1.25)
  • ApiResult::setContent() was removed (deprecated since 1.25)
  • ApiResult::setContinueParam() was removed (deprecated since 1.25)
  • ApiResult::setElement() was removed (deprecated since 1.25)
  • ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
  • ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
  • ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
  • ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
  • ApiResult::setParsedLimit() was removed (deprecated since 1.25)
  • ApiResult::setRawMode() was removed (deprecated since 1.25)
  • ApiResult::size() was removed (deprecated since 1.25)
  • Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. A query module can enable these hooks by passing an array for $hookData to ApiQueryBase::select() and by calling ApiQueryBase->processRow() before adding a row's data to the result.

Languages updated

MediaWiki supports over 350 languages, and many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.
  • (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru, BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
  • (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha, Saiddzone Saimawnkham, Saosukham, and Sengwan.
  • Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
  • (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.

Other changes
  • (T128697) Improved handling of large diffs.
  • [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can use or update a custom session provider if needed.
  • Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
  • The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
  • SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
  • The 'UserLoginComplete' hook has a new parameter to differentiate between actual login and visiting the login page while already logged in.
  • ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
  • $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
  • mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
  • mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
  • Linker::link() and Linker::linkKnown() were deprecated; please instead use MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd respectively. See docs/hooks.txt for the specific changes needed for those hooks.
  • Linker::formatSize() was deprecated. Use Language::formatSize() directly.
  • Aliases for Linker methods, deprecated since 1.21, were removed from Skin: Skin::commentBlock() (use Linker::commentBlock() instead); Skin::generateRollback() (use Linker::generateRollback() instead); Skin::link() (use MediaWiki\Linker\LinkRenderer instead); Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead); Skin::userLink() (use Linker::userLink() instead); Skin::userToolLinks() (use Linker::userToolLinks() instead)
  • The 'ParserLimitReportFormat' hook was removed.
  • Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is disabled.
  • DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
  • UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated. Use ...->stashFile()->getFileKey() instead.
  • "Public domain" was removed as a wiki license option from the installer, in favour of CC-0.
  • AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests.
  • OOjs UI PHP widgets constructed with the `'infusable' => true` config option will no longer be automatically infused. You should call `OO.ui.infuse()` on them yourself from your JavaScript code.
  • parserTests.php has moved to tests/parser/parserTests.php
  • The command line options specific to parser tests have been removed from phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter. Instead of --keep-uploads, use the same option to parserTests.php, but you must specify a directory with --upload-dir.
  • The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
  • IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should migrate to using the same functions on a ProxyLookup instance, obtainable from MediaWikiServices.
  • The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation warnings if used.
  • (T68404) CSS3 attr() function with url type is no longer allowed in inline styles.
  • Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass instead.
  • (T148957) Replace $wgShowExceptionDetails with $wgShowDBErrorBacktrace on db errors.
  • (T148956) Only apply $wgDBschema to postgres/mssql.
  • (T145991) Introduce separate log action for deleting pages on move.
  • (T141474) (T110464) Bypass login page if no user input is required.
  • (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again.
  • (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly.
  • (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26.
  • (T149759) manifest_version: 2 was removed.

MediaWiki 1.28.1
  • $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
  • Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
  • (T152717) Better escaping for PHP mail() command
  • (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
  • (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
  • (T158766) Avoid SQL error on MSSQL when using selectRowCount()
  • (T145635) Fix too long index error when installing with MSSQL
  • (T156184) $wgRawHtml will no longer apply to internationalization messages.
  • (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
  • (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
  • (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
  • (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
  • (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
  • (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
  • (T156184) SECURITY: Escape content model/format url parameter in message.
  • (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
  • (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
  • (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.

MediaWiki 1.28.2
  • Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did not contain the fix for SyntaxHighlight_GeSHi. This new release does contain that fix.

Read more: http://mediawiki.org/wiki/Release_notes/1.28

1.27.4

(Security update)
23 November 2017 - 160MB

This is a security and maintenance release of the MediaWiki 1.27 branch.

Security
  • Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
  • BotPassword login attempts weren't throttled.
  • Reflected File Download from api.php.
  • Do not reveal if user exists during login failure.
  • Ensure Message::rawParams can't lead to XSS.
  • Make anchor for headlines escape > and 0.
  • Better escaping for PHP mail() command
  • Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • Avoid SQL error on MSSQL when using selectRowCount()
  • Fix too long index error when installing with MSSQL.
  • $wgRawHtml will no longer apply to internationalization messages.
  • CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
  • (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
  • SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
  • SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
  • SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
  • SECURITY: Escape content model/format url parameter in message.
  • SECURITY: SVG filter evasion using default attribute values in DTD declaration.
  • SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
  • SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
  • SECURITY: Sysops can undelete pages, although the page is protected against it.

Read more: http://mediawiki.org/wiki/Release_notes/1.27

1.27.1

(Major release)
24 August 2016 - 100MB
  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '' in inline blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
  • (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()

Read more: http://mediawiki.org/wiki/Release_notes/1.27

1.26.4

(Security update)
23 August 2016 - 100MB
  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • (T124163) Fixed fatal error in DifferenceEngine under HHVM.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '' in inline blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • Remove support for $wgWellFormedXml = false, all output is now well formed

Read more: http://mediawiki.org/wiki/Release_notes/1.26

1.26.2


21 December 2015 - 100MB
  • (bug T121892) Various special pages resulted in fatal errors.

Read more: http://mediawiki.org/wiki/Release_notes/1.26

1.26.1

(Security update)
18 December 2015 - 100MB

This release fixes six security issues in core, in addition to other bug fixes.

Security fixes
  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

Bugfixes
  • Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
  • Fixed stray literal \n in Special:Search.
  • Fix issue that breaks HHVM Repo Authoritative mode.
  • (bug T120267) Work around APCu memory corruption bug

Read more: http://mediawiki.org/wiki/Release_notes/1.26

1.26.0

(Major release)
25 November 2015 - 100MB

Configuration changes
  • $wgPasswordResetRoutes['email'] = true by default.
  • $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE instead if you want to disable the parser cache.
  • New-style continuation is now the default for API action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  • Deprecated API formats dump and wddx have been completely removed.
  • (T7645) The "Signature" button on the edit toolbar is now hidden by default in non-talk namespaces. A new configuration variable, $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces the "Signature" button on the edit toolbar will be displayed.
  • $wgResourceLoaderUseESI was deprecated and removed. This was an experimental feature that was never enabled by default.
  • $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. This experimental feature was never enabled by default and is obsolete as of MediaWiki 1.26, in which ResourceLoader became fully asynchronous.
  • $wgMasterWaitTimeout was removed (deprecated in 1.24).
  • Fields in ParserOptions are now private. Use the accessors instead.
  • Custom LESS functions (defined via $wgResourceLoaderLESSFunctions) have been removed, after being deprecated in 1.24.
  • $wgAlwaysUseTidy has been removed.

New features
  • (T51506) Now action=info gives estimates of actual watchers for a page. See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret to learn how to configure if needed.
  • Change tags can now be hidden in the interface by disabling the associated "tag-" interface message.
  • ':' (colon) is now invalid in usernames for new accounts. Existing accounts are not affected.
  • Added a new hook, 'LogException', to log exceptions in nonstandard ways.
  • Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of search results is rendered. The initial use case is to append a "give us feedback" link beneath the search results.
  • Added a new hook, 'RejectParserCacheValue', which allows extensions to reject an otherwise-successful parser cache lookup. The intent is to allow extensions to manage the eviction of archaic HTML output from the cache.
  • (T68699) The expiration of the UserID and Token login cookies ($wgExtendedLoginCookieExpiration) can be configured independently of the expiration of all other cookies ($wgCookieExpiration).
  • (T50519) Support for generating JPEG/PNG thumbnails from WebP images added if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading of WebP images still disabled by default. Add $wgFileExtensions[] = 'webp'; to LocalSettings.php to enable uploading of WebP images.
  • Added new hooks 'EnhancedChangesListModifyLineData' & 'EnhancedChangesListModifyBlockLineData', to modify the data used to build lines in enhanced recentchanges and watchlist.
  • Caches that need purging ability now use the WANObjectCache interface. This corresponds to a new $wgMainWANCache setting, which defaults to using the $wgMainCacheType settings.
  • Callers needing fast light-weight data stores use $wgMainStash to select the store type from $wgObjectCaches. The default is the local database.
  • Interface message overrides in the MediaWiki namespace will now be cached in memcached and APC (if available), rather than memcached and local files.
  • Added a new hook, 'RandomPageQuery', to allow modification of the query used by Special:Random to select random pages.
  • $wgTransactionalTimeLimit was added, which controls the request time limit for potentially slow POST requests that need to be as atomic as possible.
  • ResourceLoader now loads all scripts asynchronously. The top-queue and startup modules are no longer synchronously loaded.
  • 'mediawiki.ui.button' styles are no longer unconditionally loaded on every page. During the deprecation period, the styles will only be loaded on pages which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will only be loaded if explicitly required.

External libraries
  • Update es5-shim from v4.0.0 to v4.1.5.
  • Update json2 from revision 2014-02-04 to 2015-05-03.
  • Update Sinon.JS from 1.10.3 to 1.15.4.
  • Upgrade jQuery Client from v1.0.0 to v2.0.0.
  • Added mediawiki/at-ease 1.0.0.
  • Update QUnit from v1.17.1 to v1.18.0.

Bug fixes
  • (T53283) load.php sometimes sends 304 response without full headers
  • (T65198) Talk page tabs now have a "rel=discussion" attribute
  • (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
  • (T104142) $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string.

Action API changes
  • New-style continuation is now the default for action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  • Deprecated API formats dump and wddx have been completely removed.
  • API action=query&list=tags: The displayname can now be boolean false if the tag is meant to be hidden from user interfaces.
  • action=import no longer allows both the namespace= and rootpage= parameters to be set. If they are both set, the value of rootpage= will be ignored.
  • prop=revision output in enum mode is now sorted by timestamp rather than revision ID. This usually won't make any difference.
  • (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array with formatversion=2.
  • Various other output from meta=siteinfo will now always be arrays instead of sometimes being numerically-indexed objects with formatversion=2.
  • When errors about users being blocked are returned, they now include information about the relevant block.
  • (T99926) list=random has higher limits, in line with other API modules.
  • list=random's rnredirect parameter is deprecated in favor of a new rnfilterredir parameter that also allows for listing both redirects and non-redirects.
  • list=random now supports continuation.
  • API responses to GET requests may now include ETag and Last-Modified headers, and will honor corresponding If-None-Match and If-Modified-Since on such requests.

Action API internal changes
  • New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key into the value when the value is an assoc.
  • API action modules may now provide values for the RFC 7232 ETag and Last-Modified headers. The API will check these against If-None-Match and If-Modified-Since request headers on GET requests and avoid executing the module when appropriate.

Languages updated
  • MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

Languages added
  • ase (American sign language), thanks to translator Icemandeaf
  • dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, मेश सिंह बोहरा, and राम प्रसाद जोशी
  • luz (لئری دوٙمینی / Southern Luri)

Other changes
  • ChangeTags::tagDescription() will return false if the interface message for the tag is disabled.
  • Added PageHistoryPager::doBatchLookups hook.
  • Added $wikiId parameter to FormatAutocomments hook.
  • Added ParserCacheSaveComplete to ParserCache
  • supportsDirectEditing and supportsDirectApiEditing methods added to ContentHandler, to provide a way for ApiEditPage and EditPage to check if direct editing of content is allowed. These methods return false by default for the ContentHandler base class and true for TextContentHandler and its derivative classes (everything in core). For Content types that do not support direct editing, an alternative mechanism should be provided for editing, such as action overrides or specific API modules.
  • mediaWiki.confirmCloseWindow now returns an object of functions, instead of one function. The callback can't be called directly any more. The callback function is replaced with confirmCloseWindow.release().
  • BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to ResourceLoaderModule::getDependencies(). Extension classes that override that method should be updated. If they aren't updated, PHP Strict standards warnings will appear when E_STRICT error reporting is enabled. Note: in the near future, this parameter will probably become non-optional.
  • Removed maintenance script deleteImageMemcached.php.
  • MWFunction::newObj() was removed (deprecated in 1.25). ObjectFactory::getObjectFromSpec() should be used instead.
  • The parser will no longer randomize the string it uses to mark the place of items that were stripped during parsing. It will use a fixed string instead. This causes the parser to re-use the regular expressions it uses to search and replace markers rather than generate novel expressions on each parse. Re-using regular expressions will improve performance on HHVM and the forthcoming PHP 7. The interfaces changes accompanying this change are:
    - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
    - The $uniq_prefix argument for Parser::extractTagsAndParams() and the $prefix argument for StripState::__construct() are deprecated and their value is ignored.
  • wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, mediawiki/at-ease, and are now deprecated. Callers should use MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
  • The Block class constructor now takes an associative array of parameters instead of many optional positional arguments. Calling the constructor the old way will issue a deprecation warning.
  • The jquery.mwExtension module was deprecated.
  • $wgSpecialPageGroups was removed (deprecated in 1.21).
  • SpecialPageFactory::setGroup was removed (deprecated in 1.21).
  • SpecialPageFactory::getGroup was removed (deprecated in 1.21).
  • DatabaseBase::ignoreErrors() is now protected.
  • BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following a lengthy deprecation period.
  • The ScopedPHPTimeout class was removed.
  • Removed maintenance script fixSlaveDesync.php.
  • Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() are deprecated. Applications using those can work via the OAuth extension instead. New tokens types should not be added.
  • DatabaseBase::errorCount() was removed (unused).

Read more: http://mediawiki.org/wiki/Release_notes/1.26

1.25.5


21 December 2015 - 100MB
  • (phab:T103237) $wgUseGzip had no effect when using file cache.
  • (phab:T114606) mw.notify was not correctly fixed to the page if initialized while not at the top of the page

Read more: http://mediawiki.org/wiki/Release_notes/1.25

1.25.4

(Security update)
18 December 2015 - 100MB

This release fixes six security issues in core.

Security fixes
  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

Read more: http://mediawiki.org/wiki/Release_notes/1.25

1.25.3

(Security update)
16 October 2015 - 100MB

This release fixes five security issues in core, in addition to other bug fixes.

Security fixes
  • Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
  • Internal review discovered that it is not possible to throttle file uploads. (T91850)
  • Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions. (T95589)
  • Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. (T108616)

Bugfixes
  • Fix having multiple callbacks for a single hook. (T98975)
  • maintenance/refreshLinks.php did not always remove all links pointing to nonexistent pages. (T107632)
  • $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string. (T104142)
  • Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was causing an error when accessing the API help page if the mbstring PHP extension was not installed. (T62174)
  • Confirmation emails would sometimes contain invalid codes. (T105896)
  • Fixed edit stash inclusion queries. (T105597)

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html

1.25.2

(Security update)
10 August 2015 - 100MB

This release fixes three security issues in the core, in addition to other bug fixes. Several extensions have also had security issues fixed.

Security fixes
  • Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList. (T106893)
  • Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf. (T94116)
  • John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss. #T97391
  • Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected xss vectors in SemanticForms. Further internal review discovered and fixed other reflected and stored xss vectors. (T103391, T103765, T103761)
  • Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal review discovered that the contrib directory for GeSHi was re-included in MediaWiki 1.25. Some scripts could potentially be used for DoS, and DAU Huy Ngoc discovered an xss vector. All contrib scripts have been removed. (T108198)
  • Extension:TimedMediaHandler - User:McZusatz reported that resetting transcodes deleted the transcode without creating a new one, which could be used for vandalism or potentially DoS. (T100211)
  • Extension:Quiz - Internal review discovered that Quiz did not properly escape regex metacharacters in a user controlled regular expression, enabling a DoS vector. #T97083
  • Extension:Widgets - MediaWiki developer Majr reported a potential HTML injection (xss) vector. (T88964)

Bugfixes
  • Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons. (T102562)
  • Setting a configuration setting for skin or extension to false in LocalSettings.php was not working. (T100767)
  • API action=opensearch json output no longer breaks when $wgDebugToolbar is enabled. (T100635)
  • Using an extension.json or skin.json file which has a "manifest_version" property for 1.26 compatibility will no longer trigger warnings. (T102522)
  • Running updateSearchIndex.php will not throw an error as page_restrictions has been added to the locked table list. (T86156)
  • Special:Version would throw notices if using SVN due to an incorrectly named variable. Add an additional check that an index is defined.

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html

1.25.1

(Major release)
26 May 2015 - 100MB

This is a large release that contains many new features and bug fixes.

Our thanks to everyone who helped to improve MediaWiki by testing the release candidates and submitting bug reports.

What's new for users?
  • MediaWiki 1.25 includes all changes released in the smaller 1.25wmf* software deployments to Wikimedia sites over six months, totaling approximately 2200 changes.
  • Indicators – Templates that add icons to the top right corner of the page (and more) can be updated to use the new page status indicators feature.
  • Enhanced recent changes – MediaWiki now uses by default the extended watchlist and so called enhanced recent changes (preference "Group changes by page in recent changes and watchlist"), which also received several improvements in MediaWiki 1.24 and 1.25 (task 37785). This means that Special:RecentChanges and Special:Watchlist show all the changes to each page in a given day, sorted by page rather than chronologically. Changes to each page are collapsed by default and a compact overview is shown, with links to collated diffs and counts of each user's actions. Full activity for an individual page can then be shown with a single click. Users will no longer need to know in detail how a single change was chosen for display in order to figure out what else may have happened to the page that day, nor to scan a long list of non-contiguous lines on the screen in order to get a complete picture. The change is part of MediaWiki's evolution towards an interface which is more discoverable and less cluttered by default, while equally easy to quickly access in full, with the help of JavaScript. However, the (grouped) layout is an improvement for non-JavaScript users as well.
  • Live preview – While editing, you're not sure what a wikitext syntax will produce? That's no longer a problem, now that live preview is no longer experimental. By enabling the feature in your preferences, MediaWiki will display the effect of your edits without fully reloading the page, so that you can quickly correct any mistake.
  • Import – The import tool is now much easier to use on content from a wiki which has different namespaces than yours (e.g. because it's in another language).
  • Internationalization - In logging and gender support, continuing the work in MediaWiki 1.18 and 1.19, multiple log types of Special:Log have been migrated to the new logging system, which allows full internationalization including word order and grammatical gender. The migration continues. See task T26620 for a list.
  • Locales – The following locales have been added: अवधी, بلوچی رخشانی and Koyraboro Senni.
  • API documentation is localized and easier to access through Special:ApiHelp.

What's new for system administrators?
  • PHP 5.3.3 is now required (from 5.3.2)
  • Extensions and skins are now loaded through a new registration system
  • Profiling was completely overhauled to use the xhprof module.

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-May/000176.html

1.24.6


21 December 2015 - 100MB
  • (bug T121892) Various special pages resulted in fatal errors.

Read more: http://mediawiki.org/wiki/Release_notes/1.24

1.24.5

(Security update)
18 December 2015 - 100MB

This release fixes six security issues in core.

Security fixes
  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

Read more: http://mediawiki.org/wiki/Release_notes/1.24

1.24.4

(Security update)
16 October 2015 - 100MB

This release fixes five security issues in the core, in addition to other bug fixes.

Security fixes
  • Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
  • Internal review discovered that it is not possible to throttle file uploads. (T91850)
  • Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions. (T95589)
  • Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. (T108616)

Bugfixes
  • Minimal PSR-3 debug logger to support backports from 1.25+. (T91653)
  • Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix. (T68650)

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html

1.24.3

(Security update)
10 August 2015 - 100MB

This release fixes three security issues in the core, in addition to other bug fixes. Several extensions have also had security issues fixed.

Security fixes
  • Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList. (T106893)
  • Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf. (T94116)
  • John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss. #T97391
  • Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected xss vectors in SemanticForms. Further internal review discovered and fixed other reflected and stored xss vectors. (T103391, T103765, T103761)
  • Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal review discovered that the contrib directory for GeSHi was re-included in MediaWiki 1.25. Some scripts could potentially be used for DoS, and DAU Huy Ngoc discovered an xss vector. All contrib scripts have been removed. (T108198)
  • Extension:TimedMediaHandler - User:McZusatz reported that resetting transcodes deleted the transcode without creating a new one, which could be used for vandalism or potentially DoS. (T100211)
  • Extension:Quiz - Internal review discovered that Quiz did not properly escape regex metacharacters in a user controlled regular expression, enabling a DoS vector. #T97083
  • Extension:Widgets - MediaWiki developer Majr reported a potential HTML injection (xss) vector. (T88964)

Bugfixes
  • Update jQuery from v1.11.2 to v1.11.3.
  • (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html

1.24.2

(Security update)
31 March 2015 - 100MB

This is a security and maintenance release.

Security fixes
  • (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
  • (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
  • (bug T88310) SECURITY: Always expand xml entities when checking SVG's.
  • (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
  • (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
  • (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.
  • (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.

Bugfixes
  • Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
  • (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
  • (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html

1.24.1

(Security update)
17 December 2014 - 100MB

This is a regular security and maintenance release.

Security fixes
  • (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
  • (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
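
The T77028 entry above concerns an origin allow-list that accepted a site whose name merely contained an allowed domain. The following PHP is an added example, not MediaWiki's own code: the function names, the allow-list entries and the sample origins are constructed, and it contrasts an unanchored wildcard match with an anchored one.

```php
<?php
// Added illustration of the CORS allow-list problem described in T77028.
// Not MediaWiki's code; all names and domains below are hypothetical.

/**
 * Turn an allow-list entry using '*' and '?' wildcards into a regex.
 * With $anchored = false the pattern may match anywhere inside the host,
 * which is the failure mode the release note describes.
 */
function domainPatternToRegex(string $pattern, bool $anchored): string
{
    // Quote every regex metacharacter, then restore the two wildcards.
    $quoted = preg_quote($pattern, '/');
    $body = str_replace(['\*', '\?'], ['.*?', '.'], $quoted);

    // 'D' stops '$' from matching before a trailing newline.
    return $anchored ? '/^' . $body . '$/Di' : '/' . $body . '/i';
}

/**
 * Decide whether the host in an Origin header is on the allow-list.
 */
function originAllowed(string $originHeader, array $allowList, bool $anchored): bool
{
    $host = parse_url($originHeader, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        // "null" origins and malformed headers are never allowed.
        return false;
    }
    foreach ($allowList as $pattern) {
        if (preg_match(domainPatternToRegex($pattern, $anchored), $host) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed allow-list and constructed sample Origin headers.
$allowList = ['wiki.example', '*.wiki.example'];
$origins = [
    'https://wiki.example',                     // intended: allowed
    'https://en.wiki.example',                  // intended: allowed
    'https://en.wiki.example.attacker.example', // allowed domain is only a substring
    'https://notwiki.example',                  // allowed domain is only a suffix
    'null',                                     // opaque origin
];

foreach ($origins as $origin) {
    printf(
        "%-44s unanchored=%-5s anchored=%s\n",
        $origin,
        var_export(originAllowed($origin, $allowList, false), true),
        var_export(originAllowed($origin, $allowList, true), true)
    );
}
```

Only the anchored matcher rejects the third and fourth origins; both matchers reject the opaque `null` origin because no host can be parsed from it.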

Bugfixes
  • (bug T74222) The original patch for T74222 was reverted as unnecessary.
  • Fixed a couple of entries in RELEASE-NOTES-1.24.
  • (bug T76168) OutputPage: Add accessors for some protected properties.
  • (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
  • Add missing $ in front of variable in OutputPage.php

Security fixes in extensions
  • (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
  • (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
  • (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
  • (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
  • (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
  • (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.

Read more: https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html

1.24.0

(Major release)
27 November 2014 - 100MB

This is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users.

What's new?
  • MediaWiki 1.24 includes all changes released in the smaller 1.24wmfX software deployments to Wikimedia sites.

Preferences made easier
  • MediaWiki is known to be extremely flexible and customisable, but few users use its full potential. In 1.24, we aim to make dozens of obscure preferences easily discoverable and obvious to use.

New features
  • Category pages can now be moved (bug 5451).
  • MergeHistory for all administrators by default (bug 66155).
  • Improvements have been made to the password storage system, allowing improved security against offline attacks should a wiki's database be compromised by attackers. Then, the default password storage algorithm was changed to PBKDF2. PBKDF2 and Bcrypt have built-in support in PHP. The new extensible password API makes it trivial to implement scrypt support if we wanted to.

Usability
  • The move feature and other actions are now discoverable in Vector, thanks to a label for the dropdown where they're hidden by default (bug 44591).
  • Specify default language on a per-page basis
  • Redirect to Special:UserLogin when logging in is required to proceed, instead of showing an error message

Performance
  • In 2014, MediaWiki development has a new focus on frontend performance.
  • (bug 39035) Improved Vector skin performance by removing collapsibleNav, which used to collapse some sidebar elements by default. This removes -list id suffixes like p-lang-list: instead of using things like #p-lang-list, you can do #p-lang .body ul. If you would like CollapsibleNav back please use the CollapsibleVector extension.

Read more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000169.html
