Hosting MediaWiki

MediaWiki

MediaWiki is an open source wiki application. MediaWiki was initially released in 2002 after being developed to power Wikipedia.

1 click installation MediaWiki

1 click installation

Easy update MediaWiki

Easy update

Backup and restoration MediaWiki

Backup and restoration

Information

Application
wiki
Category
Community Building
Current version
1.36.1
Last update
28 June 2021
Languages
English + 333 others

System Requirements

Installation size
300.00 MB
Database
mysql
Licence
open source
Overview
What's new
Showcase

1.36.1

(security release)
28 June - 300MBSecurity
  • CVE-2021-35197 Prevent blocked users from purging pages.

Bug Fixes
  • DatabaseInstaller.php: Only run core schema file if specified table doesn't already exist.
  • Optimise MessageCache::isMainCacheable() for the single-message case.
  • JavaScriptMinifer: Fix handling of "delete" as object property.
  • Fix SkinModule to correctly prepend remote path on document root installs.
  • Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
  • Don't send headers on ob_end_clean().
  • MultiHttpClient: Replace PHP version check with defined().

Read more: https://www.mediawiki.org/wiki/Release_notes/1.36

1.36.0

(major version)
30 May - 300MBNew Configuration
  • $wgManualRevertSearchRadius – This setting introduces a feature that marks edits as reverts if they restore the page to an exact previous state. This configuration variable sets the maximum number of revisions of a page that will be checked against every new edit. Set this to 0 to disable the feature entirely.
  • $wgOldRevisionParserCacheExpireTime β€” This setting was added to control caching of ParserOutput for old revisions.
  • $wgRememberMe - This setting configures the "remember me" checkbox on account log-in systems via RememberMeAuthenticationRequest.
  • $wgSkinMetaTags – This setting allows configuration of skins to support meta tags. These tags make sharing of MediaWiki pages on a variety of social platforms more contentful and thus useful.
  • $wgIncludejQueryMigrate - This setting allows the jQuery Migrate plugin to be disabled. It has been enabled by default since MediaWiki 1.27.

Changed configuration
  • $wgLogos – The default value for the site logo, which is shown in an install if you have not set one, will now be the new logo of MediaWiki.
  • $wgAjaxEditStash β€” This setting, to disable the edit stashing feature when users start writing an edit summary, has been deprecated. In future releases, this feature will always be enabled.
  • $wgUploadStashScalerBaseUrl – This setting, to enable remote on-demand media scaling, was deprecated. Use the `thumbProxyUrl` setting in $wgLocalFileRepo instead.
  • $wgSlaveLagWarning and $wgSlaveLagCritical – These settings have been renamed, to $wgDatabaseReplicaLagWarning & $wgDatabaseReplicaLagCritical respectively. The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which try to read them.
  • $wgWANObjectCaches - The "coalesceKeys" option was removed without deprecation. A new "coalesceScheme" option takes its place, and is "hash_stop" by default. If you use Dynomite, then set the new "coalesceKeys" option to "hash_tag".
  • $wgWANObjectCaches - The "cluster" and "mcrouterAware" options were removed without deprecation. Use "broadcastRoutingPrefix" instead.

Removed Configuration
  • $wgUseTwoButtonsSearchForm β€” This setting, deprecated in 1.35, has been removed.
  • $wgAllowImageMoving β€” This setting, deprecated in 1.35, has been removed. Use group permission settings instead. For example, to prevent sysops from moving files, set `$wgGroupPermissions['sysop']['movefile'] = false;`
  • $wgExtNewTables, $wgExtNewFields, $wgExtNewIndexes, $wgExtPGNewFields, $wgExtPGAlteredFields, $wgExtModifiedFields β€” These settings were removed. They became obsolete after 1.17 overhauled the database updater, but were kept for backwards compatibility. The LoadExtensionSchemaUpdates hook should be used instead.
  • $wgParserConf - This setting, deprecated in 1.35, has been removed. The preprocessor configuration which used to live within this setting was deprecated in 1.34 and removed in 1.35.
  • $wgEnableRestAPI - This setting, ignored since 1.35, has been removed.
  • $wgPagePropsHaveSortkey – This temporary setting has been removed, along with the schema change upgrade path it controlled. If your site is still using it, meaning you have not yet applied the `pp_sortkey` schema change from 1.24, you must now apply it before upgrading.
  • The deprecated password policies PasswordCannotMatchBlacklist and PasswordNotInLargeBlacklist were removed. Please use PasswordCannotMatchDefaults and PasswordNotInCommonList instead.

New Features
  • The logo of MediaWiki has changed. This means that the "Powered By MediaWiki" button shown in the skin footer will be different.
  • All HTML5 named entities are now accepted in wikitext.
  • The file description page's alternate sizes now include 2048px.

Changed External Libraries
  • Added wikimedia/minify 2.2.1.
  • Added wikimedia/request-timeout 1.1.0.
  • Added wikimedia/shellbox 1.0.4.
  • Added WVUI 0.1.0.
  • Updated composer/semver from 1.5.1 to 3.2.4.
  • Updated guzzlehttp/guzzle from 6.5.4 to 7.2.0.
  • Updated jQuery from v3.4.1 to v3.6.0.
  • Updated jQuery Migrate from v3.1.0 to v3.3.2.
  • Updated jquery.client from 2.0.2 to 3.0.0.
  • Updated OOUI from 0.39.3 to 0.41.3.
  • Updated pear/mail_mime from 1.10.8 to 1.10.9.
  • Updated pear/net_smtp from 1.9.1 to 1.9.2.
  • Updated pimple/pimple from 3.3.0 to 3.3.1.
  • Updated wikimedia/at-ease from 2.0.0 to 2.1.0.
  • Updated wikimedia/cldr-plural-rule-parser from 1.0.0 to 2.0.0.
  • Updated wikimedia/common-passwords from 0.2.0 to 0.3.0.
  • Updated wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1.
  • Updated wikimedia/html-formatter from 1.0.2 to 3.0.1.
  • Updated wikimedia/ip-set from 2.1.0 to 3.0.0.
  • Updated wikimedia/ip-utils from 1.0.0 to 3.0.2.
  • Updated wikimedia/less.php from 3.0.0 to 3.1.0.
  • Updated wikimedia/object-factory from 2.1.0 to 3.0.0.
  • Updated wikimedia/php-session-serializer from 1.0.7 to 2.0.0.
  • Updated wikimedia/remex-html from 2.2.0 to 2.2.2.
  • Updated wikimedia/utfnormal from 2.0.0 to 3.0.2.
  • Updated wikimedia/wait-condition-loop from 1.0.1 to 2.0.1.
  • Updated wikimedia/xmp-reader from 0.7.0 to 0.8.1.

Removed External Libraries
  • The html5shiv library has been removed, as support for Internet Explorer 8 has been dropped.
  • The wikimedia/avro suggested development-only library has been removed, as the support for logging in Avro format has been dropped.

Bug Fixes
  • ApiEditPage module used to switch 'undo' and 'undoafter' parameters, if it founds you reversed them (based on assumption that higher revision ID indicates a later revision). The assumption is not always true, and is hindering proper edit undoing in some cases, hence the logic has been removed. Reversing the parameters will now lead to edit conflict or undefined behavior.
  • In history merging, pages with a content model that does not support redirects will now be recorded as deleted if no revision is being left in the source page (that's if all revisions of the page have been merged to another).

Action API Changes
  • `Access-Control-Max-Age` was added to the default list of headers allowed for cross-origin API requests ($wgAllowedCorsHeaders).
  • Accounts with the 'bot' right no longer have pages automatically added to the watchlist when making API edits, regardless of their preferences. This is to reduce the size of the watchlist data in the database. To add API bot edits to the watchlist, explicitly set the 'watch' option.

Breaking Changes
  • Grade C (non-JavaScript) support for Internet Explorer 8 has been dropped.
  • wfIsBadImage(), deprecated in 1.34, has been removed.
  • EditPage::getContextTitle() will now throw an exception if a context title was not set using setContextTitle(). Previously, this mis-use would only cause a deprecation warning to be emitted.
  • The DeferredStringifier class, deprecated since 1.31, was removed.
  • Multiple methods that fell back to the $wgUser global variable were individually hard deprecated previously. The following have now been removed: ApiTestCase::doLogin, Article::doDeleteArticle, Article::doDeleteArticleReal, Article::getComment, Article::getCreator, Article::getUser, Article::getUserText, Article::insertProtectNullRevision, File::delete, File::recordUpload, ForeignDBFile::delete, ForeignDBFile::recordUpload, LocalFile::delete, LocalFile::deleteOld, LocalFile::recordUpload, PageArchive::undelete, RecentChange::markPatrolled, Title::getUserPermissionsErrors, Title::quickUserCan, Title::userCan, WebRequest::getLimitOffset, WikiPage::doDeleteArticle, WikiPage::insertProtectNullRevision
  • The SpecialPageFactory class, deprecated in 1.32, has been removed. Use the SpecialPageFactory service instead.
  • Multiple methods previously had optional User parameters, with fallbacks to the $wgUser global variable. Not passing a User to those methods was previously hard deprecated, and support for not passing a User has now been removed: ArchivedFile::userCan, File::userCan, FileDeleteForm::__construct, FileDeleteForm::doDelete, LocalFileDeleteBatch::__construct, LogEventsList::getExcludeClause (only needed for the 'user' audience), LogEventsList::userCan, LogEventsList::userCanBitfield, LogEventsList::userCanViewLogType, LogPage::addEntry (also accepts user id instead), OldLocalFile::userCan, PatrolLog::record, Title::getNotificationTimestamp (though the entire method is deprecated), WikiPage::getComment (only needed for the FOR_THIS_USER audience), WikiPage::getCreator (only needed for the FOR_THIS_USER audience), WikiPage::getUser (only needed for the FOR_THIS_USER audience), WikiPage::getUserText (only needed for the FOR_THIS_USER audience)
  • The following hooks have been removed: APIQueryInfoTokens, APIQueryRecentChangesTokens, APIQueryRevisionsTokens, APIQueryUsersTokens, ApiTokensGetTokenTypes
  • LogEventsList::typeAction previously accepted an optional right parameter, and checked if the context user ($wgUser) had that right. Passing a right was hard deprecated in 1.35, and support for passing a right has now been removed.
  • WikiPage::doDeleteArticleReal previously accepted an optional user as its fifth parameter, and fell back to $wgUser if not user was provided. The signature changed to have the user as the second parameter, and the old signature was hard deprecated in 1.35. Support for the old signature has now been removed.
  • User::addNewUserLogEntry, deprecated since 1.27, was removed.
  • As part of refactoring the EditPage class, EditPage::setPreloadedContent, which had no known callers was removed entirely. Additionally, the following public methods were made private: ::extractSectionTitle, ::getSummaryInputWidget, ::noSuchSectionPage, ::initialiseForm
  • EditPage::matchSpamRegex and ::matchSummarySpamRegex, deprecated in 1.35, were removed. Use the SpamChecker service instead.
  • The global function `wfWaitForSlaves`, deprecated in 1.27 and hard-deprecated in 1.35, has been removed. Use LBFactory::waitForReplication() instead.
  • Calling Action::factory() with null as the first parameter, rather than a string, was deprecated in 1.35 and support was now removed.
  • Calling Action::factory() with an object that wasn't an Article as the second parameter was deprecated in 1.35 and support was now removed.
  • The global variable $wgMemc, deprecated since 1.35, has been removed. Usage should generally be migrated to WANObjectCache, or if you really need the internal object, use ObjectCache::getLocalClusterInstance instead.
  • The preprocessDump.php maintenance script was removed.
  • CategoryFinder, which was deprecated in 1.31 and hard-deprecated in 1.35, has been removed.
  • GenderCache::singleton(), which was deprecated in 1.28 and hard-deprecated in 1.35, has been removed.
  • Sanitizer::escapeId(), deprecated in 1.30, has been removed.
  • Direct invocation of Parser::__construct() (instead of via a ParserFactory) now throws an exception; support has also been removed for several deprecated variants on the arguments passed to Parser::__construct. Direct invocation of Parser::__construct was deprecated in 1.34.
  • Parser::setFunctionTagHook(), deprecated in 1.35, has been removed.
  • The following properties of Parser, deprecated in 1.35, have been made private: $mTagHooks - use Parser::getTags(), $mFunctionHooks - use Parser::getFunctionHooks(), $mOutput - use Parser::getOutput(), $mPreprocessor - use Parser::getPreprocessor()
  • The ParserBeforeTidy hook, deprecated in 1.35, has been removed.
  • The ParserBeforeTidy, ParserBeforeStrip, and ParserAfterStrip hooks, deprecated in 1.35, have been removed.
  • All methods of MWTidy except for MW::tidy() have been removed. These were each either marked as @internal or deprecated in 1.35.
  • (task T248062) Mixins `.background-image-svg()` and `.background-image-svg-quick()` (provided by mediawiki.mixins.less), which have been deprecated since 1.35, have now been removed. MediaWiki no longer supports any browser which would require this SVG-fallback PNG support, so you can simply use the regular CSS `background-image:` declaration instead.
  • The ResourceLoader module `mediawiki.legacy.oldshared` and its file 'oldshared.css', deprecated since 1.35 has been removed (task T248357).
  • `ResourceLoader::__construct` now requires a Config parameter. The optional nature of this parameter was deprecated in 1.34.
  • The LinkBegin and LinkEnd hooks, deprecated in 1.28, have been removed. You can instead use the HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd hooks, respectively.
  • The EmailUser hook passes its fifth param, $error, by reference, to allow hook handlers to add error messages, indicate that they have sent the email instead of core, etc. Setting the parameter to something other than a Status object, true, false, an empty string, an array, or a MessageSpecifier, object, which had been deprecated in 1.29, is no longer supported, and now results in an MWException being thrown.
  • Skin::getDynamicStylesheetQuery(), deprecated in 1.32, has been removed. You should use action=raw&ctype=text/css directly.
  • Skin::makeI18nUrl(), deprecated in 1.35, has been removed.
  • The following User methods, deprecated and moved to BlockManager in 1.34, were removed: ::isDnsBlacklisted, ::inDnsBlacklist, ::isLocallyBlockedProxy, ::trackBlockWithCookie
  • Support for v1 of the parser tests file format has been removed; it was deprecated in 1.35. (task T174199)
  • SpecialUnblockUser::processUIUnblock() now returns a Status object instead of an array of messages or a boolean value. This function was also marked as @internal and is no longer safe to call it publicly.
  • mw.Title.getDotExtension() from the 'mediawiki.Title' module was removed without deprecation. You should use mw.Title.getExtension() and prepend the dot if need be.
  • Profiler::getTemplated and Profiler::setTemplated, deprecated in 1.34, have been removed.
  • Removed HookContainer::getOriginalHooksForTest() without deprecation. This method was introduced in 1.35 for internal use, and appears unused outside of MediaWiki core.
  • ParserCache::__construct() now requires three parameters.
  • Message->getFormat(), deprecated in 1.29, has been removed.
  • Support for passing Article to ParserCache::get, deprecated in 1.35, has been removed.
  • ParserCache::singleton(), deprecated in 1.30, has been removed.
  • DatabaseBlock::deleteIfExpired and ::fromMaster, deprecated in 1.35, have been removed.
  • Some deprecated AbstractBlock methods have been removed: ::prevents, deprecated in 1.33, ::shouldTrackWithCookie, deprecated in 1.34, ::getBlocker, deprecated in 1.35, ::setBlocker, deprecated in 1.35, ::getBlockErrorParams, deprecated in 1.35
  • Multiple DatabaseBlock methods dealing with cookies, deprecated in 1.34, have been removed: ::setCookie, ::clearCookie, ::getCookieValue, ::getIdFromCookieValue, ::shouldTrackWithCookie
  • The public static callback function SpecialUnblock::processUIUnblock has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
  • ChangeTags::truncateTagDescription, deprecated in 1.35, has been removed.
  • Deprecated null fallbacks in PasswordReset constructor have been removed.
  • User::isEveryoneAllowed and User::getAllRights, deprecated in 1.34, has been removed.
  • The following methods of the UserGroupMembership class, deprecated in 1.35, has been removed: ::initFromRow, ::newFromRow - use UserGroupManager::newGroupMembershipFromRow, ::selectFields - use UserGroupManager::getQueryInfo, ::delete - use UserGroupManager::removeUserFromGroup, ::insert - use UserGroupManager::addUserToGroup, ::purgeExpired - use UserGroupManager::purgeExpired, ::getMembershipsForUser - use UserGroupManager::getUserGroupMemberships, ::getMembership - use UserGroupManager::getUserGroupMemberships
  • The public static callback function SpecialBlock::validateTargetField has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
  • The public static callback function SpecialUploadStash::tryClearStashedUploads has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
  • SpecialComparePages::showDiff() ::revOrTitle(), ::checkExistingTitle(), and ::checkExistingRevision() were marked as @internal to allow for breaking changes. They are no longer safe to call. The methods were unused outside of MediaWiki core.
  • Each special page within core now uses service injection via it constructor. When extending these special pages, a call to the grandparent constructor (`SpecialPage::__construct()`) in the sub-class would now break the derived special page, as the fallback code in the parent constructor cannot set the services as needed. Be sure to call the parent constructor when extending core special pages. Extending core's special pages is not part of the stable interface, and should generally be avoided.
  • Language::getExtraUserToggles and ::viewPrevNext, deprecated in 1.34, have been removed.
  • StreamFile::send404Message and ::parseRange, deprecated in 1.34, have been removed.
  • SVGMetadataExtractor class, deprecated in 1.34, has been removed.
  • ProcessCacheLRU class, deprecated in 1.32, has been removed.
  • wfForeignMemcKey(), deprecated in 1.35, has been removed.
  • LoadBalancer::safeWaitForMasterPos(), deprecated in 1.34, has been removed.
  • JobQueue::factory() now requires its `idGenerator` option. The optional nature of this option was deprecated in 1.35.
  • ApiFeedRecentChanges::getFeedObject has been changed to private, and appears unused outside of MediaWiki core.
  • Skin::subPageSubtitle() has been changed to private method. Callers should use Skin::prepareSubtitle().
  • RevisionDeleter::checkRevisionExistence was removed without deprecation. It had no known callers.
  • wfForeignMemcKey() and wfMemcKey(), deprecated in 1.35, have been removed.
  • MediaWiki now also requires the php-intl extension.
  • BotPassword::save() now returns a Status object for the result rather than a bool.
  • The methods in CoreTagHooks have been marked @internal and type hints have been added. The methods appeared to be unused outside of MediaWiki core.
  • SquidPurgeClient and SquidPurgeClientPool, deprecated since 1.35, have been removed.
  • Several methods on WikiPage will now throw an exception when called on a WikiPage instance that where constructed on a title that does not refer to a proper page (but rather a special page or interwiki link). The behavior was previously undefined and could in some cases lead to data corruption. Affected methods are: getId(), insertOn(), newPageUpdater(), doUpdateRestrictions(), doDeleteArticleReal(), doRollback(), and doEditContent().
  • The ParserTestRunner no longer invokes the ParserTestTables hook. Instead, it clones all database tables before running tests, like MediaWikiIntegrationTest does. If an extension was mis-using the hook to *exclude* tables from the clone, that will no longer occur, and tests may fail.
  • The following classes, which were only loaded for tests and had no uses found in public MediaWiki-related git, were removed:, MockWebRequest, UserWrapper
  • Passing Title as a second parameter to RevisionStore::getPreviousRevision and getNextRevision, hard deprecated since 1.31, was prohibited.
  • (task T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods.
  • The internal class FirejailCommand was removed.
  • Command::execute() now returns a Shellbox\Command\UnboxedResult instead of a MediaWiki\Shell\Result. Any type hints should be updated.
  • WikiPage::$mIsRedirect was removed.
  • ObjectCache::detectLocalServerCache(), deprecated in 1.35, was removed.
  • The following functions from the Title class have been removed: countRevisionsBetween, getAuthorsBetween
  • The PageProps class was converted to a service. PageProps::overrideInstance was removed, and MediaWikiServices::redefineService should be used instead.
  • Support for creating a MediaWikiTitleCodec object without the InterwikiLookup and NamespaceInfo services, deprecated in 1.34, was removed. Note that the MediaWikiTitleCodec class is not @newable or @stable to create, and should be retrieved from MediaWikiServices instead.
  • The $wgContLang variable, deprecated in 1.32, was removed. You can instead use MediaWikiServices::getInstance()->getContentLanguage().
  • User::clearAllNotifications(), hard deprecated in 1.35, was removed. Use WatchlistManager::clearAllUserNotifications() instead.
  • DatabaseBlock::getBlocker can return any UserIdentity instance, not just User.
  • MediaWiki::triggerJobs(), deprecated in 1.34, was removed.
  • The following Article methods, deprecated in 1.35, were removed: checkFlags, checkTouched, clearPreparedEdit, doDeleteUpdates, doEditUpdates, doPurge, doViewUpdates, exists, followRedirect, getAutoDeleteReason, getCategories, getContentHandler, getContentModel, getContributors, getDeletionUpdates, getHiddenCategories, getId, getLatest, getLinksTimestamp, getMinorEdit, getOldestRevision, getRedirectTarget, getRedirectURL, getRevision, getTouched, getUndoContent, hasViewableContent, insertOn, insertRedirect, insertRedirectEntry, isCountable, isRedirect, loadFromRow, loadPageData, lockAndGetLatest, makeParserOptions, pageDataFromId, pageDataFromTitle, prepareContentForEdit, protectDescription, protectDescriptionLog, replaceSectionAtRev, replaceSectionContent, setTimestamp, shouldCheckParserCache, supportsSections, triggerOpportunisticLinksUpdate, updateCategoryCounts, updateIfNewerOn, updateRedirectOn, updateRevisionOn, doUpdateRestrictions, updateRestrictions, doRollback, commitRollback, generateReason
  • The monolog-based logging system has dropped the Avro format. Because of this, the AvroFormatter class and the AvroValidator utility class have been removed without deprecation.
  • AbstractBlock::$mReason, deprecated in 1.34, was removed. Use AbstractBlock::getReasonComment and AbstractBlock::setReason instead.

Deprecations
  • The DB_MASTER constant has been deprecated in favour of DB_PRIMARY.
  • User::getGrantName() is now hard deprecated and will be removed in a subsequent release. Use MWGrants::grantName() instead.
  • wfIncrStats() is now deprecated. Use MediaWikiServices::getInstance() ->getStatsdDataFactory()->updateCount() instead.
  • WikiPage::doEditContent() is now deprecated. Use WikiPage::doUserEditContent() instead. Note that doEditContent() was also deprecated in 1.32 for unrelated reasons and doUserEditContent() is deprecated for other reasons, however, using doUserEditContent() is recommended over using doEditContent().
  • WikiPage::doUserEditContent() is now deprecated. Use PageUpdater::saveRevision instead. Note that the new method expects callers to take care of checking EDIT_MINOR against the minoredit right, and to apply the autopatrol right as appropriate.
  • LocalFile::recordUpload2, soft deprecated in 1.35, now emits deprecation warnings. Use ::recordUpload3 instead.
  • Constructing a new instance of the ParserOptions class without providing a User object, which falls back to the global $wgUser, is now deprecated.
  • The User class, which was marked as @newable in 1.35, is no longer newable, meaning that it is no longer safe to manually call the constructor via `new User`. Instead, use the UserFactory service. Additionally, the following static constructor methods were deprecated in favor of using the UserFactory service: User::newFromName, User::newFromId, User::newFromActorId, User::newFromIdentity, User::newFromAnyId, User::newFromConfirmationCode
  • The following User methods have been hard deprecated in favor of the new UserEditTracker service: User::getFirstEditTimestamp, User::getLatestEditTimestamp
  • The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered().
  • Use of the `preprocessor=Preprocessor_DOM` option in parser test files has been deprecated. Preprocessor_DOM was removed in 1.35.
  • ParserOptions::setTidy() has been deprecated. It has had no effect since1.35.
  • Sanitizer::escapeIdReferenceList() has been deprecated; it will eventually be made private to the class, as it appears to have no uses outside the Sanitizer class.
  • Sanitizer::hackDocType() is deprecated; it will eventually be made private.
  • Skin::getIndicatorsHTML() is deprecated. The functionality can be retained by reimplementing the method using the raw indicators data from OutputPage::getIndicators.
  • Skin::makeVariablesScript() has been deprecated. Use ResourceLoader::makeInlineScript() instead.
  • SpecialPageFactory::getRestrictedPages() has been deprecated. Use SpecialPageFactory::getUsablePages() instead.
  • Title::nameOf() is deprecated; use Title::newFromID()->getPrefixedDBkey() instead.
  • DatabaseBlock::insert, DatabaseBlock::update, DatabaseBlock::purgeExpired and DatabaseBlock::delete are deprecated. Use DatabaseBlockStore::insertBlock, DatabaseBlockStore::updateBlock, DatabaseBlockStore::purgeExpiredBlocks and DatabaseBlockStore::deleteBlock instead.
  • SpecialBlock::getTargetAndType and AbstractBlock::parseTarget are deprecated. Call BlockUtils::parseBlockTarget instead.
  • SpecialUnblock::processUnblock was deprecated - use UnblockUserFactory service instead.
  • Deprecated MediaWikiIntegrationtestCase::removeTemporaryHook() in favor of MediaWikiIntegrationtestCase::clearHook().
  • Skin::getSearchLink(), also exposed as 'searchaction' option in SkinTemplate, has been deprecated. Use Title or SpecialPage methods directly.
  • Skin::getAllowedSkins and ::getSkinNames have been deprecated. Use their respective equivalents in SkinFactory instead.
  • The RollbackComplete hook has been deprecated, use the PageSaveComplete hook instead.
  • Skin::makeUrl() has been deprecated. Title methods should be used instead.
  • Skin::privacyLink(), Skin::disclaimerLink() and Skin::aboutLink() have been deprecated. Please use Skin::footerLink() instead.
  • Skin::getLogo() has been deprecated. Use ResourceLoaderSkinModule instead.
  • The module `mediawiki.toc.styles` has been replaced by ResourceLoaderSkinModule. If you are having problems styling table of contents ensure you have an updated skin.
  • Skin::mainPageLink() has been deprecated. Use LinkRenderer service instead.
  • BaseTemplate::getToolbox() method has been hard deprecated. The toolbox data is now available in a sidebar data array which you can get from any class that's extending QuickTemplate class.
  • Constructing a DefaultPreferencesFactory, LinkHolderArray or PasswordReset without a $hookContainer parameter is deprecated.
  • Autopromote class, soft deprecated since 1.35, now emits deprecation warnings. Use UserGroupManager instead.
  • SpecialBlock::canBlockEmail has been deprecated. Please use BlockPermissionChecker::checkEmailPermissions instead.
  • SpecialBlock::checkUnblockSelf has been deprecated. Please use BlockPermissionChecker::checkBlockPermissions instead.
  • SpecialBlock::parseExpiryInput was deprecated - use BlockUser::parseExpiryInput instead.
  • SpecialBlock::validateTarget has been deprecated, use BlockUtils instead.
  • SpecialBlock::validateTargetField has been deprecated for external use, use BlockUtils instead.
  • SpecialPage::getLanguageConverter has been deprecated, use LanguageConverterFactory::getLanguageConverter() directly.
  • ParserCache::getKey has been deprecated. Use ParserCache::getMetadata and ParserCache::makeParserOutputKey instead.
  • The PHPUnit4And6Compat class, used to provide compatibility with PHPUnit 4, was removed. MediaWiki support for PHPUnit 4 ended with the removal of HHVM support.
  • The PHPUnit6And8Compat class, used to provide compatibility with PHPUnit 6, was removed without deprecation. This class was introduced during the upgrade to PHPUnit 8, but never used.
  • MediaWikiIntegrationTestCase::assertType, hard-deprecated in 1.35 due to incompatibility with PHPUnit 8, was removed.
  • ParserCache::getETag has been deprecated, instead build suitable etag explicitly.
  • The following functions from the Language class have been hard deprecated and will be removed in a subsequent release: findVariantLink, convertTitle, updateConversionTable, commafy
  • The following functions from the Title class have been hard deprecated: getPreviousRevisionID, getNextRevisionID, getEarliestRevTime
  • The following functions from the User class have been hard deprecated: getDefaultOptions, getDefaultOption
  • The mw.language.commafy client-side method has been deprecated, to match the deprecation of Language::commafy. Use mw.language.convertNumber instead.
  • The "es6-promise" module has been deprecated. Use "es6-polyfills" instead.
  • Title::isDeleted() and Title::isDeletedQuick() have been deprecated. Please use Title::getDeletedEditsCount() and Title::hasDeletedEdits() instead.
  • Article::getContentObject, soft-deprecated since 1.32, was hard-deprecated.
  • WikiRevision::importUpload, soft-deprecated since 1.31, was hard-deprecated.
  • Html::infoBox() has been deprecated. There's no replacement.
  • Message::toString() without a $format parameter, soft-deprecated since 1.28, was hard-deprecated. Use explicit formatting methods instead, such as Message::text() and Message::escaped().
  • BagOStuff::makeKeyInternal() usage outside of BagOStuff has been deprecated.
  • BagOStuff::setDebug() is deprecated and calls to it are ignored. Debug logs are now unconditionally enabled.
  • The following global functions have been hard deprecated: wfAppendToArrayIfNotDefault, wfAcceptToPrefs, wfClearOutputBuffers, wfConfiguredReadOnlyReason, wfDebugMem, wfGetPrecompiledData, wfNegotiateType
  • BeforeParserFetchTemplateAndtitleHook has been deprecated; replace with the new BeforeParserFetchTemplateRevisionRecord hook. (The similar ParserFetchTemplateHook was deprecated in 1.35; the new hook replaces both.)
  • The InterwikiLoadPrefix hook has been deprecated; it is not compatible with future wikitext parsers (which need to enumerate all interwiki prefixes). In test cases please use $wgInterwikiCache instead.
  • WikiPage instances should no longer be constructed for titles that do not represent editable pages (e.g. special pages). WikiPages were always documented to represent "MediaWiki article and history".
  • Skin::getSkinStylePath() has been deprecated. Please replace usages with the direct path to the resources.
  • The second argument of EnhancedChangesList::getDiffHistLinks, $query, has been deprecated.
  • The ParserTestTables hook has been deprecated; it is no longer necessary after a ParserTestRunner refactoring.
  • The following classes have been hard deprecated: CachedAction, SpecialCachedPage, CacheHelper, ICacheHelper. They were unused in MediaWiki ecosystem, so no replacement was provided.
  • The ProtectionForm::buildForm hook has been deprecated. Please use the ProtectionFormAddFormFields hook instead.
  • RevisionStore::newMutableRevisionFromArray has beed hard deprecated. Instead, MutableRevisionRecord should be constructed directly via constructor.
  • UserIdentity::getActorId() is deprecated. The actor ID should not be exposed to application logic. Storage layer code should use the ActorNormalization service for normalizing and denormalizing user names.
  • Constructing a UserIdentityValue with an actor ID as the third parameter is deprecated. The parameter should be omitted. Storage layer code should use the ActorNormalization service for normalizing and denormalizing user names.
  • Command::cgroup() is deprecated and no longer functional. $wgShellCgroup is now implemented as an Executor option.
  • Command::restrict() is deprecated. Instead use the new separate accessors.
  • MWTidy::tidy() is deprecated. Use MediaWikiServices::getTidy()-tidy() instead.
  • TidyDriverBase::supportsValidate() is deprecated; it has always returned false since 1.33.
  • WatchedItem::getUser hard-deprecated in favor of ::getUserIdentity.
  • WatchedItemStoreInterface::enqueueWatchlistExpiryJob was hard deprecated in favor of the new method maybeEnqueueWatchlistExpiryJob that takes care of relevant configuration checks.
  • LogEntry::getPerformer() and its implementations have been hard-deprecated, in favor of ::getPerformerIdentity().
  • AuthManager::singleton(), deprecated in 1.35, is hard deprecated. Use MediaWikiServices::getAuthManager() instead.
  • User::clearNotification(), deprecated in 1.35, is hard deprecated. Use WatchlistManager::clearTitleUserNotification() instead.
  • Passing string to DatabaseBlock::setBlocker was deprecated. Only UserIdentity is now allowed.
  • DatabaseBlock constructor 'byText' option was deprecated in favour of 'by' option, which now accepts UserIdentity. Passing user ID is deprecated.
  • Parser::getUser was deprecated. Use Parser::getUserIdentity instead.
  • DatabaseBlock::isWhitelistedFromAutoblocks was deprecated. Use DatabaseBlock::isExemptedFromAutoblocks instead.
  • User::isIPRange(), deprecated in 1.35, is hard deprecated. Use the UserNameUtils service or IPUtils directly.
  • BaseTemplate::getFooterIcons(), deprecated in 1.35, is hard deprecated. Read footer icons from template data requested via $this->get('footericons').
  • `box-shadow()` LESS mixin from mediawiki.mixins is deprecated due to updated basic browser support. Use unprefixed property `box-shadow:` instead.
  • MergeHistory::checkPermissions was deprecated. Use ::probablyCanMerge or ::authorizeMerge instead.
  • User::isValidUserName(), deprecated in 1.35, is hard deprecated. Use the UserNameUtils service instead.
  • The TitleArrayFromResult hook has been deprecated.
  • The EditPageBeforeEditToolbar hook has been deprecated; it has become defunct after the classic edit toolbar was removed. Use one of the many other EditPage hooks instead.
  • Deprecated the class name MediaWiki\User\WatchlistNotificationManager; use MediaWiki\Watchlist\WatchlistManager instead. Deprecated the method MediaWikiServices->getWatchlistNotificationManager(); use MediaWikiServices->getWatchlistManager() instead.
  • The "ArticleEditUpdatesDeleteFromRecentchanges" hook, deprecated in 1.35, has been removed. Other hooks like "RecentChange_save" can be used instead.

Other Changes
  • The 'tidy' key in ParserOptions (used in the parser cache) has been removed. It has had no effect since 1.35.
  • A future release of MediaWiki will make `=` a built-in parser function, for use when automatically escaping the `=` character in template arguments. A tracking category and parser warning have been added to this release when `=` is used and it expands to something other than `=`.
  • The implementation of TestFileReader::read has been changed to use Parsoid's parser test file parser. This should be compatible with existing code, but it only supports version 2 of the test file specification and may be more strict when parsing invalid input, including duplicate tests.
  • BeforeParserFetchTemplateRevisionRecord, a new hook, unifies and replaces the old BeforeParserFetchTemplateAndtitleHook and ParserFetchTemplateHook.
  • The SkinLessImportPaths attribute was added, allowing skins to add a directory to the import path for LESS stylesheets. Skins can use this to provide a custom version of mediawiki.skin.variables.less, setting skin-specific values for certain LESS variables.
  • The interaction between ContentHandler::getParserOutputForIndexing() and ContentHandler::getDataForSearchIndex() has been clarified (the latter should only be called with the result of the former). Extensions may override getParserOutputForIndexing() to skip generating HTML, which may improve indexing performance. (The default implementation still generates HTML, and getDataForSearchIndex() implementations can still rely on it if they do not over-ride getParserOutputForIndexing().)
  • Article::fetchContentObject, ::mContentObject, ::mContentLoaded, ::mRevIdFetched, all deprecated since 1.32, were removed.
  • Article::mParserOptions and ::setParserOptions were removed.
  • Article and ImagePage::getEmptyPageParserOutput, unused, were removed.
  • ParserCache's default serialization format was changed from PHP serialization to JSON serialization. In case some installed extension do not support JSON yet, $wgParserCacheUseJson can be used to revert back to PHP serialization.
  • PermissionManager::groupHasPermission, ::getGroupPermissions and ::getGroupsWithPermission were deprecated, use GroupPermissionsLookup service instead.
  • WatchedItemStoreInterface now accepts PageIdentity where it accepted LinkTarget, calling with LinkTarget was deprecated.
  • 'movable' attribute has been added to the 'namespaces' property of extension.json schema. Extensions that define namespaces can set it to `false` to disallow moving pages in the specified namespace. Extensions should either use this or NamespaceIsMovableHook, but not both. The hook overides the attribute.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.36

1.35.3

(security release)
28 June - 210MBSecurity
  • CVE-2021-35197 SECURITY: Prevent blocked users from purging pages.

Bug Fixes
  • SQLite compatibility with ZeroConf VisualEditor was fixed in 1.35.2.
  • Fix the test MonologSpiTest::testDefaultChannel.
  • Parser: Trim trailing whitespace as the last step in pre-save transform.
  • rdbms: Add DB_PRIMARY to replace DB_MASTER.
  • Update updateSearchIndex.php to 2006+ standards.
  • Define a batch size in maintenance/manageJobs.php.
  • Implement JobQueueDB::getAllAbandonedJobs.
  • authevents: strval() variables passed to status when logging.
  • $wgIncludejQueryMigrate - This setting allows the jQuery Migrate plugin to be disabled. It has been enabled by default since MediaWiki 1.27.
  • apihelp-query+iwlinks-param-prop: s/interlanguage/interwiki/.
  • Delete maintenance/cleanupAncientTables.php.
  • RedisConnectionPool: Suppress phan issue.
  • WebInstaller: Don't show the announce-l subscribe checkbox temporarily.
  • Fix annoying E_NOTICE about undefined 'alt' index in Skin#makeFooterIcon.
  • UserRightsProxy::addGroup has to be allowed to update the old group as well, which is used for granting interwiki rights.
  • getFooterIcons should not return empty arrays.
  • Skip AvroFormatterTest::testSchemaNotAvailable on PHP 8.0.
  • phpunit: fail on warnings.
  • Freenode -> Libera per wikimedia moving from freenode to libera.
  • Make phpunit:unit accept extension*.json to populate the classes.
  • Add extension.json merge strategy "provide_default".
  • HookContainer: Fix normalization of callback for static handler.
  • Fix array order for array_replace_recursive merge strategy.
  • Optimise MessageCache::isMainCacheable() for the single-message case.
  • Don't send headers on ob_end_clean().

Read more: https://www.mediawiki.org/wiki/Release_notes/1.35

1.35.2

(security release)
9 April - 210MBSecurity
  • Allow blocked users to access Special:ResetTokens.
  • Escape mediastatistics-header-* messages on Special:NewFiles.
  • Escape rcfilters-filter-* messages on ChangesList pages.
  • Allow user to only apply protection they have right to do so via action=protect.
  • Non-admin deleted enwiki page in fast double move.
  • ContentModelChange: Check that user cancreate pages.
  • Parsoid comment fostering allows for inserting mostly arbitrary tags.* HTMLFormField: Use non namespaced class name rather than static::class.

Changes
  • The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered().
  • Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support.
  • Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support.
  • Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support.
  • Fix display of Special:Preferences URL in password reset email.
  • resourceloader: Give SkinModule 'features' option an extensible default.
  • Unknown features shouldn't break style output.
  • Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having curl >= 7.30.0.
  • DefaultSettings.php: Update $wgPingback documentation.
  • Fix docs for LanguageConverter::translate.
  • Don't rely on implicit string->int cast in comparison.
  • Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine.
  • UploadBase: Don't call MimeAnalyzer if mTempPath is null.
  • Remove nonfunctional default sampling for WANObjectCache metrics.
  • Prevent service injection to LoadExtensionSchemaUpdates hook.
  • Hooks: Map dash character to underscore when generating hook names.
  • Fix fetching ipblock-exempt within BlockManager::getUserBlock.
  • PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0.
  • Set empty closures in DatabaseTest to fix PHP 8 tests.
  • rdbms: Remove outdated MySQL 4 references and fix doc URLs.
  • Special:Contributions reports negative namespace error on PHP 8.
  • objectcache: Fix non-numeric string check in HashBagOStuff for PHP 8.
  • Fix CacheTime::getCacheExpiry for PHP 8.
  • Allow REST API POST handlers to opt out of mandatory SQLite locking.
  • MWLBFactory: rename magic HTTP header for opting out of SQLite write lock.
  • Fix DeprecationHelperTest on PHP 8.
  • Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support.
  • OutputPage: Make $wgDebugRedirects work again.
  • registration: Allow reusing cached metadata between wikis.
  • CdnCacheUpdate: Send full URL instead of path to Curl for purge.
  • Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support.
  • FileBackend: Do not use SOCKET_ENOENT on windows.
  • ApiQueryUserInfo: Allow all uiprops to be requested at once.
  • Escape wikitext in the title in invalid title error messages.
  • Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL.
  • PHPVersionCheck: Complain about known-bad versions above minimum.
  • Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for Composer 2.0 support.
  • Record all used options in metadata.
  • Allow usage of Composer 2.0 to install MediaWiki's dependencies.
  • skins: Call headElement() after getTemplateData() in SkinMustache.
  • Add "Account data" section to user preferences.
  • Add list of thumbnail urls to LocalFilePurgeThumbnails hook.
  • registration: Allow specifying immovable namespaces in extension.json.
  • Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods.
  • Remove page inner join from subquery in SpecialWhatLinksHere.
  • signup: added help message for security.
  • maintenance: Don't create SearchUpdate in rebuildtextindex.php for page_namespace below 0.
  • Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8.
  • Switch to new MediaWiki logo by Serhio Magpie.
  • Expand config-pingback-help, link to privacy policy in config-pingback.
  • Fix documentation of user-global in $wgRateLimits.
  • BackupDumper: Add -o as shortcode for --output.
  • Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.35

display more versions

1.35.1

(security release)
18 December 2020 - 210MBSecurity
  • SECURITY: Use Html::element in ChangeListSpecialPage for sanity. (CVE-2020-35474)
  • SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity. (CVE-2020-35478, CVE-2020-35479)
  • SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. (CVE-2020-35477)
  • SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users. (CVE-2020-35480)

Bug Fixes and Changes
  • purgeList.php Fix all-namespaces option to match one used in code.
  • ParserCache::get - fix wfDeprecated call.
  • WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab.
  • Preload mediawiki.watchstar.widgets before api request.
  • ApiEditPage: Show existing watchlist expiry if status is not being changed.
  • Fix PHP 8 compat with strcspn() $length parameter exceeding string.
  • Remove final modifier on private function.
  • Remove ipb_anon_only from ipb_address_unique index addition.
  • Add days left messages to changes-lists' clock icons.
  • Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave.
  • Preload class used in HeaderCallback.
  • (T260868, T260009) Normalize WatchedItem expiry field.
  • Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields.
  • ApiPageSet: Avoid infinite loop when merging redirects.
  • Empty Monolog loggers are now real blackholes.
  • WatchAction: avoid UPDATE when old and new watch period is indefinite.
  • Parser: Adjust typehint to show that getTitle can return null.
  • media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData().
  • BaseTemplate: Guard against passing zero arg to array_merge().
  • Fix base path handling for MessagePosterModule registration.
  • Fix Database::getTempTableWrites for multi table DDLs.
  • Fix switch/case indentation per mediawiki coding conventions.
  • Flip Yoda conditionals.
  • Move SkinTemplate::getFooterLinks() to Skin.
  • build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
  • Make ImageBuilder::checkMissingImage public.
  • Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
  • Support new style hook registration on install and update.
  • Fix unsetting of copyright icon in FooterIcons.
  • upload.js: Don't assume that warnings array will include 'code' key.
  • upload.js: Fix typo in upload API.
  • (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded.
  • importTextFiles.php: Replace deprecated WikiRevision:setText().
  • composer.json: add requirement for composer-plugin-api ^1.1.
  • Add ARIA attributes to watchlink and its notification.
  • Change invalid 'Content-Encoding: none' header.
  • Fix trailing ; in patch-sites-site_language-35.sql.
  • wfAssembleUrl: Handle empty query field in URL bits.
  • Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0).
  • migrateComments: Cast array keys back to string before passing to the DB.
  • Introduce new $wgThumbPath config.
  • MemcachedClient: Cast Resource to integer.
  • Use the old HookContainer to set up the post-reset services.
  • Change "site cache" to just "cache" in the right-purge message.
  • [UploadedFileStreamTest] Skip test with chmod.
  • Updating composer/semver (1.5.1 => 1.7.2).
  • Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0).
  • BotPassword::save() now returns a Status object for the result rather than a bool. The length of the bot password grants and restriction fields are now validated, and an error will be thrown if it would be truncated by the database.
  • Fix English/*nix specific error messages in FSFileBackend.
  • Split dropping of image.img_user_timestamp.
  • [FileTest] Do not assume /tmp exists on windows.
  • Clean up temp files correctly after unit tests.
  • Skip undo related phpunit tests when diff3 is missing.
  • rdbms: Remove outer parentheses in insert query for Postgres.
  • In MWExceptionHandler::report(), catch all throwables.
  • Use Xml::element in SpecialUserrights for sanity.
  • Fixed mixed escaping in Language::translateBlockExpiry.
  • UserOptionsManager: don't differentiate anons caches.
  • HeaderCallback: pre-cache request ID.
  • Parsoid updated to v0.12.1.
  • Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.35

1.35.0

(major version) (security release)
5 October 2020 - 210MBSecurity
  • Unescaped message used in HTML on Special:Contributions.
  • Unescaped message used in HTML within LogEventsList.
  • Prevent invoking firejail's --output functionality.
  • mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
  • mediawiki.js: Escape HTML in mw.message( ... ).parse().
  • ActorMigration: Load user from the correct database.
  • ensure actor ID from correct wiki is used.
  • User::pingLimiter: add user-global rate limit type.

Changes and Bug Fixes
  • Remove checks for ancient ImageMagick versions in BitmapHandler.
  • Don't include null page ids in query list for category dumps.
  • Check existing watchitem when saving action=watch.
  • Correct success messages for action=watch.
  • mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
  • mediawiki.page.ready: Fix skin override config flags, wrong way round.
  • Remove requirement for ApiWatchlistTrait to be in ApiBase.
  • Watchlist: Fix updateWatchLink removing css class when action=watch.
  • mediawiki.notification: Don't close notif when clicking element.
  • Sanitizer: Truncate IDs to a reasonable length.
  • Parsoid updated to v0.12.0.
  • watch.ajax: Add expiry support to watchpage.mw event.
  • Fix failure of rebuildLocalisationCache.php due to ResourceLoader hook.
  • Hard deprecate File::userCan() with $user=null.
  • Use localized success message after watching via action=watch.
  • Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
  • Installer: consistently reset Language objects.
  • Installer: consistently reset Language objects.
  • Explicitly wrap some XML calls in libxml_disable_entity_loader().
  • Ensure dropdown label is always on its own line.
  • resourceloader: Use a local HookRunner.
  • Have findBadBlobs.php require Maintenance.php rather than cleanupTable.inc.
  • Set fake time, to avoid flaky tests.
  • Add FindMissingActors script.
  • shell: Don't blacklist /run/firejail.
  • NewPagesPager: Ignore nonexistent namespaces.
  • Update specialPageAliases and magicWords for Egyptian Arabic (arz).
  • ParserOutput: don't throw on bad editsection.
  • SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
  • Add Finnish special page aliases.
  • Fix GuzzleHttpRequest request headers.
  • Fix description for pruneFileCache.php.
  • emptyUserGroup.php: handle more than 5000 users.
  • Make ApiSandbox copyable URL absolute.
  • Add a link from a deleted page to that page's logs.
  • mediawiki.visibleTimeout: Update the nextVisibleTimeoutId value.
  • Ensure Parsoid doesn't throw when is used w/o Cite installed.
  • Remove maintenance/createCommonPasswordCdb.php.
  • Increase "sites.site_global_key" to varbinary(64).
  • Fix shell edge-cases in Windows.
  • Drop PHP 7.2 support; require 7.3.19.
  • User: enforce pingLimiter() expiry time.
  • Rest: Handle Uri constructor exception.
  • Fix RequestFromGlobalsTest failing in Travis CI.
  • Rest: Use try/catch to handle URIs with embedded colon.
  • uuid: Fix filenames on Windows.
  • Remove Gruntfile.js and package-lock.json from the tarball.
  • firejail: Strengthen by copying from Wikimedia's profile.
  • ResourceLoaderOOUIImageModule: loadOOUIDefinition() may return false.
  • The installer supports using a Postgres server running on a custom port other than 5432.
  • Support private wikis in Parsoid zero configuration mode.
  • Fix bad use of `|=` PHP bit operation where `= … ||` bool is intended.
  • SpecialBlock: Show error if a block could not be inserted or found.
  • UserOptionsManager: fix options reset.
  • WatchAction: avoid unnecessary UPDATEs when expiry is unchanged.
  • Allow skins to override mediawiki.page.ready initialisation.
  • mediawiki.page.ready: Allow skins to disable search lazy load.
  • Update language in watchlist expiry.
  • Use IPset in MWRestrictions::checkIP.
  • Fix race condition on edit page.
  • Hide watchlist expiry label in edit form.
  • mime: Fix docs of MIME_EXTENSIONS, they're arrays, not space-seperated.
  • Add application/font-sfnt to MimeMap for ttf files.
  • WatchedItemStore: Cache single WatchedItems with preexisting expiry.
  • Add a maintenance script to create bot passwords.
  • Add Traditional Chinese zh-hant as fallback for Amis (ami).
  • Improve wfParseUrl docs.
  • Add multi index fields in ImageListPager for unique paginate.
  • Guard against 'Widget not found' error.
  • Fix RecentChanges watchlist filters when WatchlistExpiry is off.
  • Update time period for watchlist expiry pop-up.
  • Fix expiry dropdown not getting disabled on edit page.
  • Add license information for promise-polyfill.
  • Remove executable bit from scripts without shebang.
  • Fix bold of watched items on Special:RecentChangesLinked.
  • Edit page expiry dropdown should keep state after disabling/enabling.
  • Translate expiry period in pop-up message for watchlist expiry.
  • Add watchlist clock icon to RecentChanges.
  • Permit temporary table writes on replica DB connections.
  • Add UI support in Special:EditWatchlist for watchlist expiry.
  • Disable wgLegacyJavaScriptGlobals by default.
  • Add Edge to MediaWiki:Clearyourcache.
  • Add mediawiki.ui Less variable deprecation note.
  • Fixed reassignEdits.php to work with anonymous users.
  • Fix Circular dependency when creating service in DBLoadBalancerFactory.
  • Default to using watchlist expiry of old page when moving pages.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.35

1.34.4

(security release)
7 October 2020 - 210MB1.34.4

Security
  • Fixed issues relating to backporting of changes for T260485.

1.34.3

Security
  • Special:UserRights exposes the existence of hidden users.
  • User::pingLimiter: add user-global rate limit type.
  • SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
  • Unescaped message used in HTML on Special:Contributions.
  • Unescaped message used in HTML within LogEventsList.
  • Prevent invoking firejail's --output functionality.
  • mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
  • mediawiki.js: Escape HTML in mw.message( ... ).parse().
  • ActorMigration: Load user from the correct database.
  • ensure actor ID from correct wiki is used.

Changes and Bug Fixes
  • In the web installer, use secure session cookies.
  • Make UsersPager::requestedGroup public.
  • Split patch-drop-user-fields.sql into patch per table.
  • Split patch-drop-comment-fields.sql into patch per table.
  • Undeprecate WebInstaller::getInfoBox().
Added $wgForceHTTPS, which makes the HTTP to HTTPS redirect be unconditional and suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We recommend this be set * to true on pure HTTPS wikis.
  • Added $wgCookieSameSite, which allows login cookies to be sent with SameSite=None. This is required for cross-site CentralAuth autologin after Chrome 84.
  • Added $wgUseSameSiteLegacyCookies, which adds a compatibility hack to SameSite=None cookies for browsers which implemented an incompatible draft version of the specification.
  • shell: Expand documentation in firejail.profile.
  • Give the "remember me" checkbox a specific CSS class so skins like Minerva can only hide that checkbox.
  • rdbms: improve DBConnRef domain selection exception message.
  • phpunit: Acknowledge known dberror from SpecialPageFatalTest.
  • Cleanup up excess commit() call in LocalRepoTest.
  • Fix runBatchedQuery.php for no result from select.
  • Add Edge to MediaWiki:Clearyourcache.
  • reassignEdits: Update script to use User::newFromName for anon users.
  • GlobalFunctions: Use php_uname instead of posix_uname.
  • Use IPset in MWRestrictions::checkIP.
  • Add application/font-sfnt to MimeMap for ttf files.
  • shell: Make ->restrict( RESTRICT_NONE ) actually work.
  • Fixes shell edge-cases in Windows.
  • Add CentralIdLookup::factoryNonLocal().
  • User: Fix pingLimiter() to use makeGlobalKey() for global rate limits.
  • User: enforce pingLimiter() expiry time.
  • don't include null page ids in query list for category dumps.
  • Sanitizer: Truncate IDs to a reasonable length.
  • Fix failure of rebuildLocalisationCache.php due to a ResourceLoader hook.
  • Explicitly wrap some XML calls in libxml_disable_entity_loader().
  • Set EnableJavaScriptTest to true in includes/DevelopmentSettings.php.

1.34.2

Security
  • img_auth.php may leak private extension images into the public cache.

Changes and Bug Fixes
  • PasswordReset performance improvements.
  • The MultiHttpClient code will fallover to non-curl if curl_multi* is blocked.
  • Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17.
  • Let $wgResourceLoaderMaxQueryLength=-1 fallback to default.
  • Remove some rotten and out of date documentation.
  • Improvements to some older SQLite update patches.
  • Minor fixes to extension.schema.v2.json and extension.schema.v1.json.
  • cleanupUsersWithNoId.php: Handle missing fields.
  • Set recentchanges.rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php.
  • Update the change_tag table in rebuildrecentchanges.php.
  • Password Reset Updates.
  • Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.34#MediaWiki_1.34.4

1.34.1

(security release)
6 April 2020 - 210MBSecurity
  • (T236509) SECURITY: Fix HTML escaping in UserGroupMembership::getLink().
  • (T232932) SECURITY: User content can redirect the logout button to different URL.
  • (T246602) SECURITY: jquery.makeCollapsible allows applying event handler to any CSS selector.

Bug Fixes
  • (T211450) User: better error message when getActorId fails.
  • (T241340) Don't redefine MW_ENTRY_POINT in thumb.php if already defined.
  • (T236444) User: Allow newSystemUser() to create over anonymous actors.
  • (T238483) Fix NewPagesPager "hide registered users" option.
  • (T245072) mediawiki.language: Rename languageData back to languageNames.
  • Use proper SemVer comparison in CheckComposerLockUpToDate.
  • (T212738) Add the MW_VERSION constant, global $wgVersion is soft deprecated.
  • (T246127) Fix error when initialising updateCollation.php.
  • Update comment about PHP versions supported by The PHP Group.
  • (T247215) Fix output of RecountCategories::doWork().
  • Add check for page existence to view.php maintenance script.
  • (T245149) Fix fetching login token from action=query&meta=tokens on private wikis.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.34

1.34.0

(major version)
20 December 2019 - 210MBSecurity
  • (T192134) Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset.
  • (T239466) Possible to circumvent title-blacklist (CVE-2019-19709).

Read more: https://www.mediawiki.org/wiki/Release_notes/1.34

1.33.3

(security release)
6 April 2020 - 210MBSecurity
  • (T236509) SECURITY: Fix HTML escaping in UserGroupMembership::getLink().
  • (T246602) SECURITY: jquery.makeCollapsible allows applying event handler to

Bug Fixes
  • (T245072) mediawiki.language: Rename languageData back to languageNames.
  • Use proper SemVer comparison in CheckComposerLockUpToDate.
  • (T212738) Add the MW_VERSION constant, global $wgVersion is soft deprecated.
  • Update comment about PHP versions supported by The PHP Group.
  • (T247215) Fix output of RecountCategories::doWork().
  • Add check for page existence to view.php maintenance script.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.33

1.33.1

(security release)
11 October 2019 - 210MB
  • A change that kept people with a database table prefix that didn't end with an underscore from updating was reverted.
  • (T207100) Updated LanguageTr for dotted and dotless I in PHP 7.3.
  • The ImgAuthModifyHeaders hook was added to img_auth.php to allow modification of headers in private wikis.
  • (T230317) Allow upgrading from MediaWiki before 1.15 where the valid_tag table doesn't yet exist.
  • (T208897) MessageCache: Restore 'loadedLanguages' tracking for load().
  • (T228555) MessageCache: Fix isMainCacheable() logic for non-content languages.
  • (T200088) Remove title protection correctly for undeletions and imports.
  • (T230402) SECURITY: Add permission check for suppressed account to Special:Redirect.
  • Add helper for HTTPFileStreamer header syntax.
  • (T227461) ObjectCache: avoid using deprecated phpredis::delete() alias.
  • (T231386) SpecialRedirect::dispatchUser() should use a 302 http status code.
  • (T118799) Fix XMP parser errors due to trailing nullchar.
  • (T230618) Fix GROUP BY in ActiveUsersPager and RecentChangesUpdateJob for PostgreSQL.
  • (T230487) Handle changed defaults in Argon2PasswordTest::testPartialConfig().
  • (T233119) Improve documentation for the MinimumPasswordLengthToLogin policy.
  • (T227662) Split down patch-comment-table.sql and patch-actor-table.sql into separate files to help allieviate potential migration problems.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.33

1.33.0

(major version)
20 August 2019 - 210MB1.33.0
  • Update installer link to PHP intl.
  • Only attempt to deduplicate if there is data in archive and revision tables.
  • Fetch tag ID before calling undefineTag().
  • Detect APC for MainCacheType in CLI installer.
  • Call unpack() with correct parameters in MimeAnalyzer.php for PHP 7.0 support.
  • Style change tags correctly on Special:NewPages.
  • Fix SQLite patch-(page|template)links-fix-pk.sql column order.

New Configuration
  • $wgEnablePartialBlocks – This enables the Partial Blocks feature, which gives accounts with block permissions the ability to block users, IPs, and IP ranges from editing specific pages, while allowing them to edit the rest of the wiki. It is a temporary setting for gradual enablement, current default to `false`, and will be set to `true` and then removed once initial development completes.

Changed Configuration
  • $wgChangeTagsSchemaMigrationStage β€” This temporary setting, added in MediaWiki 1.32, now defaults to MIGRATION_NEW instead of MIGRATION_WRITE_BOTH.
  • $wgPasswordPolicy – There is a new password policy to check that the account's password is not in the large blacklist. This is enabled by default for the built-in user groups bureaucrat, sysop, interface-admin, and bot. To configure this for other user groups, set the `PasswordNotInLargeBlacklist` flag `true`.
  • $wgPasswordDefault – There is a new password type configuration using Argon2 password hashing (which requires PHP 7.2 and above). It's designed to resist timing attacks, and (on systems with PHP 7.3+) GPU hacking; if you configure argon2 to be used, by default, it will automatically choose the best available algorithm depending on which version of PHP you have available. To use this, you can set $wgPasswordDefault = 'argon2';.
  • $wgActorTableSchemaMigrationStage now defaults to reading the new schema. update.php will back-populate the new database fields due to the changed setting, which may take some time on large wikis. You can avoid downtime by following a process like that described in task T188327.

Removed Configuration
  • $wgTagStatisticsNewTable β€” This temporary setting, added in MediaWiki 1.32, has now been removed. When loading Special:Tags, MediaWiki will now always use the change_tag_def instead of the change_tag table.
  • $wgUseTidy, $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy – These options, all deprecated since 1.26, have now all been removed, as MediaWiki now always tidies user output. The $wgTidyConfig setting remains only for experimental features and debugging, and should not be used.
  • $wgEnableParserCache – This setting has been deprecated since 1.26, has now been removed. If you still desire to disable the parser cache, instead you can set $wgParserCacheType = CACHE_NONE;.
  • $wgCommentTableSchemaMigrationStage – This temporary migration setting has now been removed. Code finding it unset should treat it as being MIGRATION_NEW.
  • $wgAuth – This old setting, deprecated in 1.27, has been removed as part of the removal of AuthPlugin.
  • $wgSitesCacheFile – This configuration was introduced in 1.25 with the intent to allow sites to configure a file in which to cache the SiteStore database table, but it was never used. SiteStore already caches its information by default using BagOStuff (e.g. Memcached or APC).
  • $wgClockSkewFudge – This setting was used by User.php to let sites adjust by how much MediaWiki would fudge when trying to minimize the chances of a user.user_touched database update to the "current" timestamp being before the value already there (e.g. due to clock skew between different servers). This is no longer a problem, because the code now ensures the timestamp is always higher than the previous one. The writes are guarded with CAS logic (check and set), which prevents updates that would overlap.
  • $wgDBmysql5 - This experimental setting, deprecated in 1.31, has been removed.

New User-facing Features
  • __EXPECTUNUSEDCATEGORY__ on a category page causes the category to be hidden on Special:UnusedCategories.
  • SVGs are now by default displayed in wiki language on image pages.
  • Special:CreateAccount now warns the user if their chosen username has to be normalized.
  • Multilingual images are now be displayed in the current parse language where available.
  • Special:ActiveUsers will no longer filter out users who became inactive since the last time the active users query cache was updated.
  • RecentChange and ManualLogEntry implement new Taggable interface.
  • Added a hook, ManualLogEntryBeforePublish, to allow extensions to modify (example: add tags) log entries.

New Developer Features
  • The AuthManagerLoginAuthenticateAudit hook has a new parameter for additional information about the authentication event.
  • TextContent::getText() was introduced as a replacement for Content::getNativeData() for text-based content models.
  • LinksUpdate::getAddedExternalLinks() and LinksUpdate::getRemovedExternalLinks() were introduced.
  • Added MaintenanceUpdateAddParams hook
  • The MarkPatrolled hook has a new parameter for the tags associated with this entry in the patrol log.
  • Extensions can now specify platform abilities they require to work, limited to shell access for now.

New External Libraries
  • Added wikimedia/password-blacklist 0.1.4.
  • Added guzzlehttp/guzzle 6.3.3.

Changed External Libraries
  • Updated OOUI from v0.29.2 to v0.31.3.
  • Updated OOjs Router from pre-release to v0.2.0.
  • Updated moment from v2.19.3 to v2.24.0.
  • Updated wikimedia/xmp-reader from 0.6.0 to 0.6.2.
  • Updated wikimedia/scoped-callback from 2.0.0 to 3.0.0.
  • Updated jquery-client from 2.0.1 to 2.0.2.
  • Updated pear/net_smtp from 1.8.0 to 1.8.1.
  • Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
  • Updated wikimedia/php-session-serializer from 1.0.6 to 1.0.7.

Removed External Libraries
  • jquery.ui.spinner, deprecated since 1.31, was removed.

New developer libraries
  • Added jakub-onderka/php-console-highlighter 0.3.2 explicitly (dev-only).
  • Added mediawiki/mediawiki-phan-config 0.5.0 (dev-only).

Changed Developer Libraries
  • Updated wikimedia/ip-set from 1.3.0 to 2.0.1 (the deprecated IPSet\IPSet alias was removed, Wikimedia\IPSet must be used instead).
  • Updated psy/psysh from 0.9.6 to 0.9.9 (dev-only).
  • Updated nikic/php-parser from 3.1.3 to 3.1.5 (dev-only).
  • Updated mediawiki/mediawiki-codesniffer from 22.0.0 to 25.0.0 (dev-only).
  • Updated qunitjs from 2.6.2 to 2.9.1.

Removed Developer Libraries
  • The jetbrains/phpstorm-stubs repository was removed in favour of the minimal stubs we need, which are kept in the new `.phan/internal_stubs` directory (dev-only).

Bug Fixes
  • Special:UserRights could sometimes fail with a "conflict detected" error when there weren't any conflicts.
  • Chrome redirects to Special:BadTitle after editing a section with a non-Latin name on a page with non-Latin characters in title.
  • resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies().

Action API Changes
  • Added ApiOptions hook.
  • The JSON formatversion=2 is no longer experimental.
  • Internal API errors (those with code beginning "internal_api_error") will include the exception class name in a data field named "errorclass".
  • - Class names are not guaranteed to remain stable, and in particular database exceptions will now include the "Wikimedia\Rdbms\" prefix in the class name.
  • - The code including an exception class name is deprecated. In the future, all internal errors will use code "internal_api_error".
  • When using action=delete on pages with many revisions, the module may return a boolean-true 'scheduled' and no 'logid'. This signifies that the deletion will be processed via the job queue.
  • action=setnotificationtimestamp will now update the watchlist asynchronously if entirewatchlist is set, so updates may not be visible immediately
  • Block info will be added to "blocked" errors from more modules.
  • Autoblocks will now be spread by action=edit and action=move.
  • action=query&meta=userinfo has a new uiprop, 'latestcontrib', that returns the date of user's latest contribution.
  • action=logout now requires to be posted and have a csrf token.

Action API Internal Changes
  • A number of deprecated methods for API documentation, intended for overriding by extensions, are no longer called by MediaWiki, and will emit deprecation notices if your extension attempts to use them: ApiBase::getDescription() (deprecated in 1.25), ApiBase::getParamDescription() (deprecated in 1.25), ApiBase::getExamples() (deprecated in 1.25), ApiBase::getDescriptionMessage() (deprecated in 1.30)
  • Additionally, the APIGetDescription and APIGetParamDescription hooks have been removed, as their only use was to let extensions override values returned by getDescription() and getParamDescription(), respectively.
  • API error codes may only contain ASCII letters, numbers, underscore, and hyphen. Methods such as ApiBase::dieWithError() and ApiMessageTrait::setApiCode() will throw an InvalidArgumentException if passed a bad code.
  • ApiBase::checkTitleUserPermissions() now takes an options array as its third parameter. Passing a User object or null is deprecated.
  • The api-feature-usage log channel now has log context. The text message is deprecated and will be removed in the future.

Languages Updated
  • Added language support for Eastern Pwo (kjp).
  • Fixed a translation error on Goan Konkani (gom-deva) translations for NS_TEMPLATE.
  • Added $digitTransformTable for Santali (sat).
  • Added language support for Saisiyat (xsy).
  • Added support for new Japanese era name "Reiwa"

Breaking Changes
  • The parameter $lang in DifferenceEngine::setTextLanguage must be of type Language. Other types are deprecated since 1.32.
  • Skin::doEditSectionLink requires type Language for the parameter $lang. The parameters $tooltip and $lang are mandatory. Omitting the parameters is deprecated since 1.32.
  • Language::truncate(), deprecated in 1.31, has been removed.
  • UtfNormal, deprecated in 1.25, was removed. Use UtfNormal\Validator directly instead.
  • In OOUI HTMLForm fields, the parameters 'notice', 'notice-messages', and 'notice-message', which were deprecated in 1.32, were removed. Instead, use 'help', 'help-message', and 'help-messages'.
  • HTMLFormField::getNotices(), deprecated in 1.32, was removed.
  • The "Parsoid v1" compatibility mappings in ParsoidVirtualRESTService and RestbaseVirtualRESTService, deprecated since 1.26, have been removed. Use the RESTBase v1 or Parsoid v3 API instead.
  • ParserOptions defaults 'tidy' to true now, since the untidy modes of the parser are being deprecated and ParserOptions::getCanonicalOverrides() has always been true at any rate.
  • Support for disabling tidy and external tidy implementations has been removed. This was deprecated in 1.32. The pure PHP Remex tidy implementation is now used and no configuration is necessary.
  • A number of deprecated methods for API documentation, intended for overriding by extensions, are no longer called by MediaWiki, and will emit deprecation notices if your extension attempts to use them: ApiBase::getDescription() (deprecated in 1.25), ApiBase::getParamDescription() (deprecated in 1.25), ApiBase::getExamples() (deprecated in 1.25), ApiBase::getDescriptionMessage() (deprecated in 1.30)
  • Additionally, the APIGetDescription and APIGetParamDescription hooks have been removed, as their only use was to let extensions override values returned by getDescription() and getParamDescription(), respectively.
  • The authentication hooks AbortAutoAccount, AbortNewAccount, AbortLogin, LoginUserMigrated, UserCreateForm, and UserLoginForm, all deprecated by the creation of AuthManager in 1.27, have been removed. This also means that the FakeAuthTemplate and LoginForm classes are removed, that FakeAuthTemplate is no longer passed into LoginSignupSpecialPage->getFieldDefinitions(), and that LoginSignupSpecialPage->getBCFieldDefinitions() is removed.
  • The 'jquery.localize' module, deprecated in 1.32, has been removed. Instead, use 'jquery.i18n'.
  • The hooks LanguageGetSpecialPageAliases and LanguageGetMagic, deprecated since 1.16, have now been removed. Instead, use $specialPageAliases or $magicWords respectively in a $wgExtensionMessagesFiles file.
  • The following methods of the Preferences class, deprecated in 1.31, have been removed: getSaveBlacklist(), loadPreferenceValues(), getOptionFromUser(), profilePreferences(), skinPreferences(), filesPreferences(), datetimePreferences(), renderingPreferences(), editingPreferences(), rcPreferences(), watchlistPreferences(), searchPreferences(), miscPreferences(), generateSkinOptions(), getDateOptions(), getImageSizes(), getThumbSizes(), validateSignature(), cleanSignature(), getTimezoneOptions(), filterIntval(), filterTimezoneInput(), getTimeZoneList()
  • mw.util.jsMessage(), deprecated in 1.20, was removed. Use mw.notify instead.
  • User::EDIT_TOKEN_SUFFIX was removed. It was deprecated since 1.27.
  • The 'mediawiki.api' module aliases, deprecated in 1.32, have been removed. Specifically: mediawiki.api.category, mediawiki.api.edit, mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse, mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch, mediawiki.api.messages, and mediawiki.api.rollback.
  • The 'jquery.byteLimit' module alias for 'jquery.lengthLimit', deprecated in 1.31, was removed.
  • Revision::fetchRevision(), deprecated in 1.28, was removed.
  • Class SquidUpdate, deprecated in 1.27, was removed.
  • Title->getSquidURLs(), deprecated in 1.27, was removed. Instead, use Title->getCdnUrls().
  • Title::escapeFragmentForURL(), deprecated in 1.30, was removed. Use Sanitizer::escapeIdForLink() or escapeIdForExternalInterwiki() instead.
  • Title->canTalk(), deprecated in 1.30, was removed. Instead, use Title->canHaveTalkPage().
  • Title's methods for site and user page related to CSS and JS, deprecated in 1.31, were removed:
  • - Title->isCssOrJsPage() β€” Use Title->isSiteConfigPage()
  • - Title->isCssJsSubpage() – Use Title->isUserConfigPage()
  • - Title->getSkinFromCssJsSubpage() – Use Title->getSkinFromConfigSubpage()
  • - Title->isCssSubpage() – Use Title->isUserCssConfigPage()
  • - Title->isJsSubpage() – Use Title->isUserJsConfigPage()
  • SiteSQLStore, deprecated in 1.27 and whose only method, SiteSQLStore::newInstance(), would return the global SiteStore instance, has been removed. You can get to this via MediaWiki\MediaWikiServices::getInstance()->getSiteStore() directly.
  • Linker::formatSize, deprecated in 1.28, has been removed (with DummyLinker's). Instead, use Language->formatSize() with the relevant Language object.
  • Linker::formatTemplates, deprecated in 1.28, has been removed (along with the version in DummyLinker). You can use TemplatesOnThisPageFormatter directly.
  • EventRelayerGroup::singleton(), deprecated in 1.27, has been removed. You can use MediaWikiServices::getInstance()->getEventRelayerGroup() directly.
  • LinkCache->addLink(), deprecated in 1.27, has been removed. It is thought to be unused, and is distinct from OutputPage->addLink(), which remains.
  • JsonContent->getJsonData(), deprecated in 1.25, has been removed. Instead, use JsonContent->getData().
  • MWExceptionHandler::getLogId(), deprecated in 1.27, has been removed, as the exception ID is the same as the request ID, from WebRequest::getRequestId().
  • SearchEngine::getNearMatchResultSet(), deprecated in 1.27, has been removed. You can use SearchEngine::getNearMatcher() instead.
  • EmailNotification::updateWatchlistTimestamp, deprecated in 1.27, has been removed. Instead, use WatchedItemStore::updateNotificationTimestamp directly.
  • User::getGroupName() and User::getGroupMember(), both deprecated in 1.29, have been removed. Instead, please use UserGroupMembership::getGroupName() and UserGroupMembership::getGroupMemberName().
  • Backwards compatibility for setting wgSessionsInObjectCache to false or using wgSessionHandler, both of which were deprecated in 1.27 with the introduction of SessionManager, has been removed.
  • SessionManager::autoCreateUser, deprecated in 1.27, has been removed. Use MediaWiki\Auth\AuthManager::autoCreateUser instead.
  • The mw.libs.jpegmeta property, deprecated in 1.31, was removed. Use require( 'mediawiki.libs.jpegmeta' ) instead.
  • The mw.user.stickyRandomId() method, deprecated in 1.32, was removed. Use mw.user.getPageviewToken() instead.
  • Removed deprecated class property WikiRevision::$importer.
  • ResourceLoaderFileModule::readStyleFiles() now requires its $context parameter.
  • The ChangeList::insertArticleLink() method, that was deprecated in 1.27, has been removed.
  • MessageBlobStore::__construct() now requires its $rl parameter.
  • Second parameter to Sanitizer::escapeIdReferenceList() (deprecated in 1.31) has been removed.
  • The 'jquery.xmldom' module has been removed.
  • The 'jquery.mockjax' module has been removed.
  • The 'jquery.hidpi' module, deprecated in 1.32, has been removed.
  • AuthPlugin and related code, deprecated in 1.27, has been removed. Extensions should instead use AuthManager. The following no longer exist:
  • - The AuthPlugin class itself and the related AuthPluginUser class and i18n
  • - The AuthPluginSetup and AuthPluginAutoCreate hooks
  • - The transitional wrapper classes AuthPluginPrimaryAuthenticationProvider, AuthManagerAuthPlugin, and AuthManagerAuthPluginUser.
  • - The $wgAuth configuration setting and its use in Setup.php and unit tests
  • The 'wgAvailableSkins' mw.config key in JavaScript, was removed.
  • Language::markNoConversion, deprecated in 1.32, has been removed. Use LanguageConverter::markNoConversion instead.
  • BagOStuff::modifySimpleRelayEvent() method has been removed.
  • ParserOutput::getLegacyOptions, deprecated in 1.30, has been removed. Use ParserOutput::allCacheVaryingOptions instead.
  • CdnCacheUpdate::newSimplePurge, deprecated in 1.27, has been removed. Use CdnCacheUpdate::newFromTitles() instead.
  • Handling of multiple arguments by the Block constructor, deprecated in 1.26, has been removed.
  • The translation of main page in Sardinian (sc) was changed from "PΓ gina Base" to "PΓ gina printzipale". Existing wikis using this content language need to move the main page or change the name through MediaWiki:Mainpage page.
  • wfSplitWikiID(), deprecated in 1.32, has been removed.
  • MessageBlobStore::getBlob(), deprecated in 1.27, has been removed. Use MessageBlobStore::getBlobs() instead.
  • The .background-size() LESS mixin, deprecated in 1.27, has been removed.
  • ReadOnlyMode::clearCache() and ConfiguredReadOnlyMode::clearCache() have been removed. Use MediaWikiTestCase::overrideMwServices() instead.

Deprecations
  • The configuration option $wgUseESI has been deprecated, and is expected to be removed in a future release.
  • The configuration option $wgSquidPurgeUseHostHeader has been deprecated, and is expected to be removed in a future release.
  • The configuration options $wgFixArabicUnicode and $wgFixMalayalamUnicode, introduced in MW 1.17, have been deprecated. These fixes will always be applied for Arabic and Malayalam in the future. Please enable these on your local wiki (if you have them explicitly set to false) and run maintenance/cleanupTitles.php to fix any existing page titles.
  • The LegacyHookPreAuthenticationProvider class, deprecated since its creation in 1.27 as part of the AuthManager re-write, now emits deprecation warnings. This will help identify the issue if you added it to $wgAuthManagerConfig.
  • wfSplitWikiId() is now deprecated. Cache key generation should have the wiki domain ID as a key component and use makeGlobalKey().
  • Title::getUserCaseDBKey() is deprecated; instead, please use Title::getDBKey(), which doesn't vary case.
  • User::getPasswordValidity() is now deprecated. User::checkPasswordValidity() returns the same information in a more useful format.
  • For Linker::generateTOC() and Linker::tocList(), passing strings or booleans as the $lang parameter was deprecated. The same applies to DummyLinker.
  • The PasswordPolicy 'PasswordCannotBePopular' has been deprecated. To follow best practices, it is reccommended to use 'PasswordNotInLargeBlacklist' instead which blacklists 100,000 commonly used passwords.
  • Action::requiresUnblock() is now called from Title::getUserPermissionsErrors() and Title::userCan(). Previously, the method was only called in Action::checkCanExecute(). Actions should ensure that their requiresUnblock() returns the proper result (the default is `true`).
  • The MediaWiki\Services namespace has been renamed to Wikimedia\Services. The old name is still supported, but deprecated.
  • Content::getNativeData has been deprecated. Please use model-specific getters, such as TextContent::getText().
  • The class WebInstallerOutput is now marked as @private.
  • The jquery.async module has been deprecated. JavaScript code that needs asynchronous behaviour should use Promises.
  • Password::equals() is deprecated, use verify().
  • BaseTemplate::msgWiki() and QuickTemplate::msgWiki() will be removed. Use other means to fetch a properly escaped message string or Message object.
  • The 'ResourceLoaderTestModules' hook, which lets you declare QUnit testing code for your JavaScript modules, is deprecated. Instead, you can now use the new extension registration key 'QUnitTestModule'.
  • The jquery.throttle-debounce module has been deprecated. JavaScript code that needs this behaviour should use OO.ui.debounce/throttle.
  • The mw.language.specialCharacters property from the 'mediawiki.language.specialCharacters' module has been deprecated. Use require( 'mediawiki.language.specialCharacters' ) instead.
  • ChangeTags::purgeTagUsageCache() has been deprecated, and is expected to be removed in a future release.
  • Passing a User object or null as the third parameter to ApiBase::checkTitleUserPermissions() has been deprecated. Pass an array [ 'user' => $user ] instead.
  • Block::prevents is deprecated. Use Block::isEmailBlocked, Block::isCreateAccountBlocked and Block::isUsertalkEditAllowed to get and set block properties; use Block::appliesToRight and Block::appliesToUsertalk to check block behaviour.
  • The api-feature-usage log channel now has log context. The text message is deprecated and will be removed in the future.
  • The FileBasedSiteLookup class has been deprecated. For a cacheable SiteLookup implementation, use CachingSiteStore instead.
  • Language::viewPrevNext function is deprecated, use SpecialPage::buildPrevNextNavigation instead
  • ManualLogEntry::setTags() is deprecated, use ManualLogEntry::addTags() instead. The setTags() method was overriding the tags, addTags() doesn't override, only adds new tags.
  • Block::isValid is deprecated, since it is no longer needed in core.
  • Calling Maintenance::hasArg() as well as Maintenance::getArg() with no parameter has been deprecated. Please pass the argument number 0.
  • ResourceLoaderContext::expandModuleNames has been deprecated. Use ResourceLoader::expandModuleNames instead.

Other Changes
  • Html::openElement() warns if given an element name with a space in it.
  • The implementation of buildStringCast() in Wikimedia\Rdbms\Database has changed to explicitly cast. Subclasses relying on the base-class implementation should check whether they need to override it now.
  • BagOStuff::add is now abstract and must explicitly be defined in subclasses.
  • LinksDeletionUpdate is now a subclass of LinksUpdate. As a consequence, the following hooks will now be triggered upon page deletion in addition to page updates: LinksUpdateConstructed, LinksUpdate, LinksUpdateComplete. LinksUpdateAfterInsert is not triggered since deletions do not cause insertions into links tables.
  • Category::newFromID( $id )->getID() will now return $id without any validation, to avoid a mostly unnecessary DB query.
  • On Special:Version, the name for an extension can no longer be arbitrary html when no link is specified.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.33

1.32.4

(security release)
11 October 2019 - 210MB1.32.4
  • (T207100) Updated LanguageTr for dotted and dotless I in PHP 7.3.
  • The ImgAuthModifyHeaders hook was added to img_auth.php to allow modification of headers in private wikis.
  • (T230402) SECURITY: Add permission check for suppressed account to Special:Redirect.
  • (T208897) MessageCache: Restore 'loadedLanguages' tracking for load().
  • (T200088) Remove title protection correctly for undeletions and imports.
  • Add helper for HTTPFileStreamer header syntax.
  • (T118799) Fix XMP parser errors due to trailing nullchar.
  • (T233119) Improve documentation for the MinimumPasswordLengthToLogin policy.
  • Cache redirects from Special:Redirect.
  • (T231386) dispatchUser() should use a 302 http status code.
  • (T227662) Split down patch-comment-table.sql and patch-actor-table.sql into separate files to help allieviate potential migration problems.
  • Make SQLite's patch-add-3d.sql a no-op to prevent clobbering other database updates.

1.32.3
  • (T225558) Update installer link to PHP intl.
  • (T225496) Detect APC for MainCacheType in CLI installer.
  • (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies.
  • (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32

1.32.2

(security release)
7 June 2019 - 210MBSecurity
  • (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover.
  • (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table.
  • (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script.
  • (T208881) blacklist CSS var().
  • (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API.
  • (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly.
  • (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them.
  • (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF).
  • (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags.
  • (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
  • (T221739, CVE-2019-11358) Fix potential XSS in jQuery.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32.2

1.32.1


8 May 2019 - 210MB
  • (T213577) rdbms: avoid transaction status errors from ping() in rollback().
  • rdbms: Pass required parameter.
  • rdbms: do not treat SAVEPOINT and RELEASE SAVEPOINT as write queries.
  • (T204531) rdbms: reduce LoadBalancer replication log spam.
  • (T213489) Avoid session double-start in Setup.php.
  • (T213717) Correct namespace 'Template' for gom-deva
  • (T198054) Fix login page crash caused by unknown language via ?uselang
  • (T215324) (T210937) list=users mistakenly reports user as missing.
  • (T209483) Add ILBFactory::redefineLocalDomain method. This is intended for use with scripts like addWiki.php to avoid mismatched domain errors.
  • (T208871) The hard-coded Google search form on the database error page was removed.
  • (T204800) Fix Title::getFragmentForURL for bad interwiki prefix
  • (T215566) Fix installer being unable to determine if the database exists during a fresh installation.

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32.1

1.32.0

(major version)
17 January 2019 - 210MB1.32.0

WARNINGS
Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).
  • Fix slow queries in migrateActors.php.
  • Fix $magicWords for the Sanskrit language.
  • Fix addition of ug_expiry column to user_groups table on MSSQL.
  • Fix the cache timestamp for forced updates.
  • User: Bypass repeatable-read when creating an actor_id.
  • Extensions can now specify PHP versions and PHP extensions they depend on.
  • Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
  • When using action=delete on pages with many revisions, the module may return a boolean-true 'scheduled' and no 'logid'. This signifies that the deletion will be processed via the job queue.
  • Dropped columns category.cat_hidden, site_stats.ss_admins, and recentchanges.rc_cur_time from the PostgreSQL schema.
  • Prevent populateSearchIndex.php from breaking once actor migration has been started.
  • Properly set $wgLanguageCode in the generated LocalSettings.php if --lang is used with the command-line installer (install.php).
  • Multiple changes to configuration and API

Read more: https://www.mediawiki.org/wiki/Release_notes/1.32

Our Web hostings are compatible with
MediaWiki

Web

Only the Web hosting

100% SSD Web Hosting
100 GB and +
Multi-site management
Advanced management of EV and DV SSL certificates
Anti-DDoS protection
10 GB of VOD


Learn more

from CHF 9.92 / month

Classic

The complete Web+Mail offer

100% SSD Web Hosting
100 GB and +
Multi-site management
Advanced management of EV and DV SSL certificates
Anti-DDoS protection
10 GB of VOD


Professional messaging
5 email addresses with unlimited storage


WorkSpace
Online messaging
Instant messaging
Syncing contacts and calendars


Learn more

from CHF 12.00 / month

Cloud Server

Managed

100% SSD Web Hosting
100 GB and +
Multi-site management
Advanced management of EV and DV SSL certificates
Anti-DDoS protection
10 GB of VOD


Power
2 CPU and +
6 Gb (RAM) and +
100% SSD
100% dedicated resources


Management
Infomaniak manages your server


Learn more

from CHF 39.00 / month

Prices in CHF