MediaWiki


MediaWiki is open source wiki software. MediaWiki was first released in 2002 after being developed to power Wikipedia.

One-click installation

Easy updates

Backup and restore

Information

Application: wiki
Category: Community applications
Current version: 1.27.1
Last updated: 24 August 2016
Languages: Italian + 333 others

Requirements

Installation size: 100 MB
Database: mysql
License: open source

What's new

1.27.1

(major release)
24 August - 100MB
  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '' in inline blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
  • (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()

Learn more: http://mediawiki.org/wiki/Release_notes/1.27

1.26.4

(security release)
23 August - 100MB
  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • (T124163) Fixed fatal error in DifferenceEngine under HHVM.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '' in inline blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • Remove support for $wgWellFormedXml = false, all output is now well formed

Learn more: http://mediawiki.org/wiki/Release_notes/1.26

1.26.2

21 December 2015 - 100MB
  • (bug T121892) Various special pages resulted in fatal errors.

Learn more: http://mediawiki.org/wiki/Release_notes/1.26

1.26.1

(security release)
18 December 2015 - 100MB
This release fixes six security issues in core, in addition to other bug fixes.

Security fixes
  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

Bugfixes
  • Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
  • Fixed stray literal \n in Special:Search.
  • Fix issue that breaks HHVM Repo Authoritative mode.
  • (bug T120267) Work around APCu memory corruption bug

Learn more: http://mediawiki.org/wiki/Release_notes/1.26

1.26.0

(major release)
25 November 2015 - 100MB

Configuration changes
  • $wgPasswordResetRoutes['email'] = true by default.
  • $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE instead if you want to disable the parser cache.
  • New-style continuation is now the default for API action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  • Deprecated API formats dump and wddx have been completely removed.
  • (T7645) The "Signature" button on the edit toolbar is now hidden by default in non-talk namespaces. A new configuration variable, $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces the "Signature" button on the edit toolbar will be displayed.
  • $wgResourceLoaderUseESI was deprecated and removed. This was an experimental feature that was never enabled by default.
  • $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. This experimental feature was never enabled by default and is obsolete as of MediaWiki 1.26, in which ResourceLoader became fully asynchronous.
  • $wgMasterWaitTimeout was removed (deprecated in 1.24).
  • Fields in ParserOptions are now private. Use the accessors instead.
  • Custom LESS functions (defined via $wgResourceLoaderLESSFunctions) have been removed, after being deprecated in 1.24.
  • $wgAlwaysUseTidy has been removed.

New features
  • (T51506) Now action=info gives estimates of actual watchers for a page. See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret to learn how to configure if needed.
  • Change tags can now be hidden in the interface by disabling the associated "tag-" interface message.
  • ':' (colon) is now invalid in usernames for new accounts. Existing accounts are not affected.
  • Added a new hook, 'LogException', to log exceptions in nonstandard ways.
  • Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of search results are rendered. The initial use case is to append a "give us feedback" link beneath the search results.
  • Added a new hook, 'RejectParserCacheValue', which allows extensions to reject an otherwise-successful parser cache lookup. The intent is to allow extensions to manage the eviction of archaic HTML output from the cache.
  • (T68699) The expiration of the UserID and Token login cookies ($wgExtendedLoginCookieExpiration) can be configured independently of the expiration of all other cookies ($wgCookieExpiration).
  • (T50519) Support for generating JPEG/PNG thumbnails from WebP images added if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading of WebP images still disabled by default. Add $wgFileExtensions[] = 'webp'; to LocalSettings.php to enable uploading of WebP images.
  • Added new hooks 'EnhancedChangesListModifyLineData' & 'EnhancedChangesListModifyBlockLineData', to modify the data used to build lines in enhanced recentchanges and watchlist.
  • Caches that need purging ability now use the WANObjectCache interface. This corresponds to a new $wgMainWANCache setting, which defaults to using the $wgMainCacheType settings.
  • Callers needing fast light-weight data stores use $wgMainStash to select the store type from $wgObjectCaches. The default is the local database.
  • Interface message overrides in the MediaWiki namespace will now be cached in memcached and APC (if available), rather than memcached and local files.
  • Added a new hook, 'RandomPageQuery', to allow modification of the query used by Special:Random to select random pages.
  • $wgTransactionalTimeLimit was added, which controls the request time limit for potentially slow POST requests that need to be as atomic as possible.
  • ResourceLoader now loads all scripts asynchronously. The top-queue and startup modules are no longer synchronously loaded.
  • 'mediawiki.ui.button' styles are no longer unconditionally loaded on every page. During the deprecation period, the styles will only be loaded on pages which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will only be loaded if explicitly required.

External libraries
  • Update es5-shim from v4.0.0 to v4.1.5.
  • Update json2 from revision 2014-02-04 to 2015-05-03.
  • Update Sinon.JS from 1.10.3 to 1.15.4.
  • Upgrade jQuery Client from v1.0.0 to v2.0.0.
  • Added mediawiki/at-ease 1.0.0.
  • Update QUnit from v1.17.1 to v1.18.0.

Bug fixes
  • (T53283) load.php sometimes sends 304 response without full headers
  • (T65198) Talk page tabs now have a "rel=discussion" attribute
  • (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
  • (T104142) $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string.

Action API changes
  • New-style continuation is now the default for action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  • Deprecated API formats dump and wddx have been completely removed.
  • API action=query&list=tags: The displayname can now be boolean false if the tag is meant to be hidden from user interfaces.
  • action=import no longer allows both the namespace= and rootpage= parameters to be set. If they are both set, the value of rootpage= will be ignored.
  • prop=revision output in enum mode is now sorted by timestamp rather than revision ID. This usually won't make any difference.
  • (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array with formatversion=2.
  • Various other output from meta=siteinfo will now always be arrays instead of sometimes being numerically-indexed objects with formatversion=2.
  • When errors about users being blocked are returned, they now include information about the relevant block.
  • (T99926) list=random has higher limits, in line with other API modules.
  • list=random's rnredirect parameter is deprecated in favor of a new rnfilterredir parameter that also allows for listing both redirects and non-redirects.
  • list=random now supports continuation.
  • API responses to GET requests may now include ETag and Last-Modified headers, and will honor corresponding If-None-Match and If-Modified-Since on such requests.

Action API internal changes
  • New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key into the value when the value is an assoc.
  • API action modules may now provide values for the RFC 7232 ETag and Last-Modified headers. The API will check these against If-None-Match and If-Modified-Since request headers on GET requests and avoid executing the module when appropriate.

Languages updated
  • MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

Languages added
  • ase (American sign language), thanks to translator Icemandeaf
  • dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, मेश सिंह बोहरा, and राम प्रसाद जोशी
  • luz (لئری دوٙمینی / Southern Luri)

Other changes
  • ChangeTags::tagDescription() will return false if the interface message for the tag is disabled.
  • Added PageHistoryPager::doBatchLookups hook.
  • Added $wikiId parameter to FormatAutocomments hook.
  • Added ParserCacheSaveComplete to ParserCache
  • supportsDirectEditing and supportsDirectApiEditing methods added to ContentHandler, to provide a way for ApiEditPage and EditPage to check if direct editing of content is allowed. These methods return false by default for the ContentHandler base class and true for TextContentHandler and its derivative classes (everything in core). For Content types that do not support direct editing, an alternative mechanism should be provided for editing, such as action overrides or specific api modules.
  • mediaWiki.confirmCloseWindow now returns an object of functions, instead of one function. The callback can't be called directly any more. The callback function is replaced with confirmCloseWindow.release().
  • BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to ResourceLoaderModule::getDependencies(). Extension classes that override that method should be updated. If they aren't updated, PHP Strict standards warnings will appear when E_STRICT error reporting is enabled. Note: in the near future, this parameter will probably become non-optional.
  • Removed maintenance script deleteImageMemcached.php.
  • MWFunction::newObj() was removed (deprecated in 1.25). ObjectFactory::getObjectFromSpec() should be used instead.
  • The parser will no longer randomize the string it uses to mark the place of items that were stripped during parsing. It will use a fixed string instead. This causes the parser to re-use the regular expressions it uses to search and replace markers rather than generate novel expressions on each parse. Re-using regular expressions will improve performance on HHVM and the forthcoming PHP 7. The interface changes accompanying this change are:
      - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
      - The $uniq_prefix argument for Parser::extractTagsAndParams() and the $prefix argument for StripState::__construct() are deprecated and their value is ignored.
  • wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, mediawiki/at-ease, and are now deprecated. Callers should use MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
  • The Block class constructor now takes an associative array of parameters instead of many optional positional arguments. Calling the constructor the old way will issue a deprecation warning.
  • The jquery.mwExtension module was deprecated.
  • $wgSpecialPageGroups was removed (deprecated in 1.21).
  • SpecialPageFactory::setGroup was removed (deprecated in 1.21).
  • SpecialPageFactory::getGroup was removed (deprecated in 1.21).
  • DatabaseBase::ignoreErrors() is now protected.
  • BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following a lengthy deprecation period.
  • The ScopedPHPTimeout class was removed.
  • Removed maintenance script fixSlaveDesync.php.
  • Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() are deprecated. Applications using those can work via the OAuth extension instead. New tokens types should not be added.
  • DatabaseBase::errorCount() was removed (unused).

Learn more: http://mediawiki.org/wiki/Release_notes/1.26

1.25.5

21 December 2015 - 100MB
  • (phab:T103237) $wgUseGzip had no effect when using file cache.
  • (phab:T114606) mw.notify was not correctly fixed to the page if initialized while not at the top of the page

Learn more: http://mediawiki.org/wiki/Release_notes/1.25

1.25.4

(security release)
18 December 2015 - 100MB
This release fixes six security issues in core.

Security fixes
  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

Learn more: http://mediawiki.org/wiki/Release_notes/1.25

1.25.3

(security release)
16 October 2015 - 100MB
This release fixes five security issues in core, in addition to other bug fixes.

Security fixes
  • Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
  • Internal review discovered that it is not possible to throttle file uploads. (T91850)
  • Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions. (T95589)
  • Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. (T108616)

Bugfixes
  • Fix having multiple callbacks for a single hook. (T98975)
  • maintenance/refreshLinks.php did not always remove all links pointing to nonexistent pages. (T107632)
  • $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string. (T104142)
  • Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was causing an error when accessing the api help page if the mbstring PHP extension was not installed. (T62174)
  • Confirmation emails would sometimes contain invalid codes. (T105896)
  • Fixed edit stash inclusion queries. (T105597)

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html

1.25.2

(security release)
10 August 2015 - 100MB
This release fixes three security issues in the core, in addition to other bug fixes. Several extensions have also had security issues fixed.

Security fixes
  • Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList. (T106893)
  • Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf. (T94116)
  • John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss. #T97391
  • Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected xss vectors in SemanticForms. Further internal review discovered and fixed other reflected and stored xss vectors. (T103391, T103765, T103761)
  • Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal review discovered that the contrib directory for GeSHi was re-included in MediaWiki 1.25. Some scripts could potentially be used for DoS, and DAU Huy Ngoc discovered an xss vector. All contrib scripts have been removed. (T108198)
  • Extension:TimedMediaHandler - User:McZusatz reported that resetting transcodes deleted the transcode without creating a new one, which could be used for vandalism or potentially DoS. (T100211)
  • Extension:Quiz - Internal review discovered that Quiz did not properly escape regex metacharacters in a user controlled regular expression, enabling a DoS vector. #T97083
  • Extension:Widgets - MediaWiki developer Majr reported a potential HTML injection (xss) vector. (T88964)

Bugfixes
  • Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons. (T102562)
  • Setting a configuration setting for skin or extension to false in LocalSettings.php was not working. (T100767)
  • API action=opensearch json output no longer breaks when $wgDebugToolbar is enabled. (T100635)
  • Using an extension.json or skin.json file which has a "manifest_version" property for 1.26 compatibility will no longer trigger warnings. (T102522)
  • Running updateSearchIndex.php will not throw an error as page_restrictions has been added to the locked table list. (T86156)
  • Special:Version would throw notices if using SVN due to an incorrectly named variable. Add an additional check that an index is defined.

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html

1.25.1

(major release)
26 May 2015 - 100MB
This is a large release that contains many new features and bug fixes.

Our thanks to everyone who helped to improve MediaWiki by testing the release candidates and submitting bug reports.

What's new for users?
  • MediaWiki 1.25 includes all changes released in the smaller 1.25wmf* software deployments to Wikimedia sites over six months, totaling approximately 2200 changes.
  • Indicators – Templates that add icons to the top right corner of the page (and more) can be updated to use the new page status indicators feature.
  • Enhanced recent changes – MediaWiki now uses by default the extended watchlist and so called enhanced recent changes (preference "Group changes by page in recent changes and watchlist"), which also received several improvements in MediaWiki 1.24 and 1.25 (task 37785). This means that Special:RecentChanges and Special:Watchlist show all the changes to each page in a given day, sorted by page rather than chronologically. Changes to each page are collapsed by default and a compact overview is shown, with links to collated diffs and counts of each user's actions. Full activity for an individual page can then be shown with a single click. Users will no longer need to know in detail how a single change was chosen for display in order to figure out what else may have happened to the page that day, nor to scan a long list of non-contiguous lines on the screen in order to get a complete picture. The change is part of MediaWiki's evolution towards an interface which is more discoverable and less cluttered by default, while equally easy to quickly access in full, with the help of JavaScript. However, the (grouped) layout is an improvement for non-JavaScript users as well.
  • Live preview – While editing, you're not sure what a wikitext syntax will produce? That's no longer a problem, now that live preview is no longer experimental. By enabling the feature in your preferences, MediaWiki will display the effect of your edits without fully reloading the page, so that you can quickly correct any mistake.
  • Import – The import tool is now much easier to use on content from a wiki which has different namespaces than yours (e.g. because it's in another language).
  • Internationalization - In logging and gender support, continuing the work in MediaWiki 1.18 and 1.19, multiple log types of Special:Log have been migrated to the new logging system, which allows full internationalization including word order and grammatical gender. The migration continues. See task T26620 for a list.
  • Locales – The following locales have been added: अवधी, بلوچی رخشانی and Koyraboro Senni.
  • API documentation is localized and easier to access through Special:ApiHelp.

What's new for system administrators?
  • PHP 5.3.3 is now required (from 5.3.2)
  • Extensions and skins are now loaded through a new registration system
  • Profiling was completely overhauled to use the xhprof module.

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-May/000176.html

1.24.6

21 December 2015 - 100MB
  • (bug T121892) Various special pages resulted in fatal errors.

Learn more: http://mediawiki.org/wiki/Release_notes/1.24

1.24.5

(security release)
18 December 2015 - 100MB
This release fixes six security issues in core.

Security fixes
  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

Learn more: http://mediawiki.org/wiki/Release_notes/1.24

1.24.4

(security release)
16 October 2015 - 100MB
This release fixes five security issues in the core, in addition to other bug fixes.

Security fixes
  • Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
  • Internal review discovered that it is not possible to throttle file uploads. (T91850)
  • Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions. (T95589)
  • Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. (T108616)

Bugfixes
  • Minimal PSR-3 debug logger to support backports from 1.25+. (T91653)
  • Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix. (T68650)

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html

1.24.3

(security release)
10 August 2015 - 100MB
This release fixes three security issues in the core, in addition to other bug fixes. Several extensions have also had security issues fixed.

Security fixes
  • Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList. (T106893)
  • Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf. (T94116)
  • John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss. #T97391
  • Extension:SemanticForms - MediaWiki user Grunny discovered multiple reflected xss vectors in SemanticForms. Further internal review discovered and fixed other reflected and stored xss vectors. (T103391, T103765, T103761)
  • Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal review discovered that the contrib directory for GeSHi was re-included in MediaWiki 1.25. Some scripts could potentially be used for DoS, and DAU Huy Ngoc discovered an xss vector. All contrib scripts have been removed. (T108198)
  • Extension:TimedMediaHandler - User:McZusatz reported that resetting transcodes deleted the transcode without creating a new one, which could be used for vandalism or potentially DoS. (T100211)
  • Extension:Quiz - Internal review discovered that Quiz did not properly escape regex metacharacters in a user controlled regular expression, enabling a DoS vector. #T97083
  • Extension:Widgets - MediaWiki developer Majr reported a potential HTML injection (xss) vector. (T88964)

Bugfixes
  • Update jQuery from v1.11.2 to v1.11.3.
  • (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html

1.24.2

(security release)
31 March 2015 - 100MB
This is a security and maintenance release.

Security fixes
  • (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
  • (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
  • (bug T88310) SECURITY: Always expand xml entities when checking SVG's.
  • (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
  • (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
  • (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.
  • (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.

Bugfixes
  • Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
  • (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
  • (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html

1.24.1

(security release)
17 December 2014 - 100MB
This is a regular security and maintenance release.

Security fixes
  • (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
  • (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.

Bugfixes
  • (bug T74222) The original patch for T74222 was reverted as unnecessary.
  • Fixed a couple of entries in RELEASE-NOTES-1.24.
  • (bug T76168) OutputPage: Add accessors for some protected properties.
  • (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
  • Add missing $ in front of variable in OutputPage.php

Security fixes in extensions
  • (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
  • (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
  • (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
  • (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
  • (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
  • (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.

Learn more: https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html

1.24.0

(major release)
27 November 2014 - 100MB
This is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users.

What's new?
  • MediaWiki 1.24 includes all changes released in the smaller 1.24wmfX software deployments to Wikimedia sites.

Preferences made easier
  • MediaWiki is known to be extremely flexible and customisable, but few users use its full potential. In 1.24, we aim to make dozens of obscure preferences easily discoverable and obvious to use.

New features
  • Category pages can now be moved (bug 5451).
  • MergeHistory for all administrators by default (bug 66155).
  • Improvements have been made to the password storage system, allowing improved security against offline attacks should a wiki's database be compromised by attackers. Then, the default password storage algorithm was changed to PBKDF2. PBKDF2 and Bcrypt have built-in support in PHP. The new extensible password API makes it trivial to implement scrypt support if we wanted to.

Usability
  • The move feature and other actions are now discoverable in Vector, thanks to a label for the dropdown where they're hidden by default (bug 44591).
  • Specify default language on a per-page basis
  • Redirect to Special:UserLogin when logging in is required to proceed, instead of showing an error message

Performance
  • In 2014, MediaWiki development has a new focus on frontend performance.
  • (bug 39035) Improved Vector skin performance by removing collapsibleNav, which used to collapse some sidebar elements by default. This removes -list id suffixes like p-lang-list: instead of using things like #p-lang-list, you can do #p-lang .body ul. If you would like CollapsibleNav back please use the CollapsibleVector extension.

Learn more: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000169.html
