Upstream changes:
MediaWiki 1.20.2
This is a maintenance release of the MediaWiki 1.20 branch
Changes since 1.20.1
(bug 42638) Fix API action=options&reset=1 & unit tests.
(bug 42370) Fixed backport of 60cc060 to use mDoneWrites.
Upstream changes:
MediaWiki 1.20.1
This is a security release of the MediaWiki 1.20 branch
Changes since 1.20
(bug 42202) Validate options to prevent html injection
(bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
(bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
JavaScript Lint fixes
(bug 40632) Remove CleanupPresentationalAttributes feature
[Database] Fixed case where trx idle callbacks might be lost.
MediaWiki 1.20
MediaWiki 1.20 is a stable release.
PHP 5.3 now required
Since 1.20, the lowest supported version of PHP is now 5.3.2. Please upgrade PHP if you have not done so prior to upgrading MediaWiki.
Configuration changes in 1.20
$wgGitRepositoryViewers defines a mapping from Git remote repository to the Gitweb instance URL used in Special:Version.
$wgUsePathInfo = true; is no longer needed to make $wgArticlePath work on servers like nginx, lighttpd, and Apache over FastCGI. MediaWiki now always extracts path info from REQUEST_URI if it's available.
The user right 'upload_by_url' is no longer given to sysops by default. This only affects installations which have $wgAllowCopyUploads set to true.
Removed f-prot support from $wgAntivirusSetup.
New variable $wgDBerrorLogTZ to provide dates in the error log in a different timezone than the wiki timezone set by $wgLocaltimezone.
New variables $wgDBssl and $wgDBcompress to enable SSL and compression for database connections, if either are available for the selected DB type.
$wgUseCombinedLoginLink now defaults to false, making MediaWiki output separate login and create account links by default.
New features in 1.20
Added TitleIsAlwaysKnown hook which gets called when determining if a page exists.
Added NamespaceIsMovable hook which gets called when determining if pages in a certain namespace can be moved.
Added SpecialPageBeforeExecute hook which gets called before SpecialPage::execute.
Added SpecialPageAfterExecute hook which gets called after SpecialPage::execute.
Added ORMTable, ORMRow and ORMResult classes for additional abstraction of database interaction.
Added CacheHelper and associated SpecialCachedPage and CachedAction helper classes.
(bug 32341) Add upload by URL domain limitation.
&useskin=default will now always display the default skin. Useful for users with a preference for the non-default skin to look at something using the default skin.
(bug 27619) Remove preference option to display broken links as link?
(bug 34896) jQuery JSON plugin upgraded to v2.3 (2011-09-17).
(bug 34302) Add CSS classes to email fields in user preferences.
Introduced $wgDebugDBTransactions to trace transaction status (currently PostgreSQL only).
(bug 23795) Add parser itself to ParserMakeImageParams hook.
Introduce a cryptographic random number generator source api for use when generating various tokens.
(bug 30963) Option on Special:Prefixindex and Special:Allpages to not show redirects.
(bug 18062) New message when editing or creating the local page of a shared file.
(bug 22870) Separate interface message when creating a page.
(bug 17615) nosummary option should be reassigned on preview/captcha.
(bug 34355) Add a variable and parser function for the namespace number.
(bug 35649) Special:Version now shows hashes of extensions checked out from git.
(bug 35728) Git revisions are now linked on Special:Version.
"Show Changes" on default messages now shows a diff against the default message text.
(bug 23006) create #speciale parser function.
generateSitemap can now optionally skip redirect pages.
(bug 27757) New API command just for retrieving tokens (not page-based).
Added GitViewers hook for extensions using external git repositories to have a web-based repository viewer linked to from Special:Version.
Memcached debug logs can now be sent to their own file logs by setting $wgDebugLogFile['memcached'] to some filepath.
(bug 35685) api.php URL and other entry point URLs are now listed on Special:Version
Edit notices can now be translated.
jQuery upgraded to 1.8.2.
jQuery UI upgraded to 1.8.23.
QUnit upgraded from v1.2.0 to v1.10.0.
(bug 37604) jquery.cookie upgraded to 2011 version.
(bug 22887) Add warning and tracking category for preprocessor errors
(bug 31704) Allow selection of associated namespace on the watchlist
(bug 5445) Now remove autoblocks when a user is unblocked.
Added $wgLogExceptionBacktrace, on by default, to allow logging of exception backtraces.
Added device detection for determining device capabilities.
QUnit.newMwEnvironment now supports passing a custom setup and/or teardown function. The argument signature has changed: the first argument is now an options object of which 'config' can be a property. Previously 'config' itself was the first and only argument.
New getCreator and getOldestRevision methods added to WikiPage class
(bug 4220) The XML dump format schema now has unique identity constraints for page and revision identifiers. Patch by Elvis Stansvik.
cleanupSpam.php now can delete spam pages if --delete was specified instead of blanking them.
Added new hook ChangePasswordForm to allow adding of additional fields in Special:ChangePassword
Added new function getDomain to AuthPlugin for getting a user's domain
(bug 23427) New magic word {{PAGEID}} which gives the current page ID. Will be null on previewing a page being created.
(bug 37627) UserNotLoggedIn() exception to show a generic error page whenever a user is not logged in.
Watched status in changes lists are no longer indicated by <strong></strong> tags with class "mw-watched". Instead, each line now has a class "mw-changeslist-line-watched" or "mw-changeslist-line-not-watched", and the title itself is surrounded by <span></span> tags with class "mw-title".
Added ContribsPager::reallyDoQuery hook allowing extensions to add data to MyContribs
Added new hook ParserAfterParse to allow extensions to affect parsed output after the parse is complete but before block level processing, link holder replacement, and so on.
(bug 34678) Added InternalParseBeforeSanitize hook which gets called during Parser's internalParse method just before the parser removes unwanted/dangerous HTML tags.
Added new hook AfterFinalPageOutput to allow modifications to buffered page output before sent to the client.
(bug 36783) Implement jQuery Promise interface in mediawiki.api module.
Make dates in sortable tables sort according to the page content language instead of the site content language
(bug 37926) Deleterevision will no longer allow users to delete log entries, the new deletelogentry permission is required for this.
(bug 14237) Allow PAGESINCATEGORY to distinguish between 'all', 'pages', 'files' and 'subcats'
(bug 38362) Make Special:Listuser includeable on wiki pages.
Added support in jquery.localize for placeholder attributes.
(bug 38151) Implemented mw.user.getRights for getting and caching the current user's user rights.
Session storage can now be configured independently of general object cache storage, by using $wgSessionCacheType. $wgSessionsInMemcached has been renamed to $wgSessionsInObjectCache, with the old name retained for backwards compatibility. When this feature is enabled, the expiry time can now be configured with $wgObjectCacheSessionExpiry.
Added a Redis client for object caching.
Implemented mw.user.getGroups for getting and caching user groups.
(bug 37830) Added $wgRequirePasswordforEmailChange to control whether password confirmation is required for changing an email address or not.
HTMLForm mutators can now be chained (they return $this)
A new message, "api-error-filetype-banned-type", is available for formatting API upload errors due to the file extension blacklist.
New hook 'ParserTestGlobals' allows to set globals before running parser tests.
Allow importing pages as subpage.
Add lang and hreflang attributes to language links on Login page.
(bug 22749) Create Special:MostInterwikis.
Show change tags when transcluding Special:Recentchanges(linked) or Special:Newpages.
(bug 23226) Add |class= parameter to image links in order to add class(es) to HTML img tag.
(bug 39431) SVG animated status is now shown in long description.
(bug 39376) jquery.form upgraded to 3.14.
SVG files will now show the actual width in the SVG's specified units in the metadata box.
Added ResourceLoader module "jquery.jStorage" (v0.3.0, http://jStorage.info/).
(bug 39273) Added AJAX support for "Show changes" (diff) in LivePreview.
Added ResourceLoader module "jquery.badge".
mw.util.$content now points to the overall content area in the skin rather than just page text content area. If you need the old behaviour please use $( '#mw-content-text').
jsMessage has been replaced with a floating bubble notification system complete with auto-hide, multi-message support, and message replacement tags.
jquery.messageBox which appears to be unused by both core and extensions has been removed.
(bug 34939) Made link parsing insensitive ([HttP://]).
(bug 40072) Add CSS classes to items in output of ChangesList pages.
Added $wgCopyUploadProxy global to define which proxy to use for copy uploads.
(bug 40448) mediawiki.legacy.mwsuggest has been replaced with a new module, mediawiki.searchSuggest, based on SimpleSearch from Extension:Vector.
are called p5-*.
I hope that's all of them.
It is a security update, fixing CVE-2012-4377 CVE-2012-4378 CVE-2012-4379
CVE-2012-4380 CVE-2012-4381 CVE-2012-4382.
Upstream changes:
Changes since 1.19.1
(bug 39700) File: link to non-existing file can inject html
(bug 39823) Hidden block text leaking to admins
(bug 39184) LDAP password leakage
(bug 39180) Disallow framing of api results
(bug 37587) Enforce language codes to be html safe
(bug 39824) Check global blocks on account creation
=== Changes since 1.19.0 ===
* (bug 36568) Fixed "Illegal string offset 'LIMIT'" warnings in updater
* (bug 36938) Correctly escape uselang attribute to prevent xss
* Expanded Blacklist for SVG Files
PR 46505 by Wen Heping (take maintainership).
Bump two branches; they contain many bug fixes and new features, and some of them
break compatibility, so for migration from the 1.17 branch please refer to the
release notes:
https://www.mediawiki.org/wiki/Release_notes/1.19
https://www.mediawiki.org/wiki/Release_notes/1.18
=== Changes since 1.17.2 ===
* (bug 22555) Remove or skip strip markers from tag hooks like <nowiki> in
core parser functions which operate on strings, such as padleft.
* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token
parameter present.
* (bug 34907) Fixed exposure of tokens through load.php that could have facilitated
CSRF attacks.
* (bug 35317) CSRF in Special:Upload.
== MediaWiki 1.17.2 ==
2012-01-11
This is a maintenance and security release of the MediaWiki 1.17 branch.
=== Security changes ===
* (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution.
=== Changes since 1.17.1 ===
* (bug 32709) Private Wiki users were always taken to Special:Badtitle on login.
== MediaWiki 1.17.1 ==
2011-11-24
This is a maintenance and security release of the MediaWiki 1.17 branch.
=== Security changes ===
* (bug 32276) Skins were generating output using the internal page title which
would allow anonymous users to determine whether a page exists, potentially
leaking private data. In fact, the curid and oldid request parameters would
allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal
functions without any read permission checks being done. This could lead to
data leakage on private wikis.
Summary of selected changes in 1.17
Selected changes since MediaWiki 1.16 that may be of interest:
A new installer has been introduced. It has a wizard-style interface which is translated into many languages. Many shortcomings in the old installer were addressed with this rewrite. Note that it is no longer required for the config directory to be made writable by the webserver. Instead the generated LocalSettings.php file is offered as a download, which you must then upload to the wiki's base directory.
ResourceLoader, a new framework for delivering client-side resources such as JavaScript and CSS, has been introduced. These resources are now delivered through the new entry point script "load.php", instead of as static files served directly by the web server. This allows minification, compression and client-side caching to be used more effectively, which should provide a net performance improvement for most users.
Category sorting has been improved.
Sorting is now case insensitive.
Sub-categories, pages and files can now be paged separately.
When several pages are given the same sort key, they sort by their names instead of randomly.
The lowest supported version of PHP is now 5.2.3. If necessary, please upgrade PHP prior to upgrading MediaWiki.
Summary of selected changes in 1.16
Selected changes since MediaWiki 1.15 that may be of interest:
Watchlists now have RSS/Atom feeds. RSS feeds generally are now hidden, since Atom is a better protocol and is supported by virtually all clients.
It's now possible to block users from sending email via Special:Emailuser.
The maintenance script system was overhauled. Most maintenance scripts now have a useful help page when you run them with --help.
AdminSettings.php is no longer required in order to run maintenance scripts. You can just set $wgDBadminuser and $wgDBadminpassword in your LocalSettings.php instead.
The preferences system was overhauled. Preferences are stored in a more compact format. Changes to site default preferences will automatically affect all users who have not chosen a different preference.
Support for SQLite was improved. Some broken features were fixed, and it now has an efficient full-text search.
The user groups ACL system was improved by allowing rights to be revoked, instead of just granted.
A new localisation caching system was introduced, which will make MediaWiki faster for almost everyone, especially when lots of extensions are enabled.
By default, this new system makes a lot of database queries. If your database is particularly slow, or if your system administrator limits your query count, or if you want to squeeze as much performance as possible out of MediaWiki, set $wgCacheDirectory to a writable path on the local filesystem. Make sure you have the DBA extension for PHP installed, this will improve performance further.
== MediaWiki 1.15.5 ==
2010-07-28
This is a security and maintenance release.
MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
This is a security and bugfix release of MediaWiki 1.15.4.
Two security vulnerabilities were discovered.
Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It
affects Internet Explorer clients only. The issue is presumed to
affect all recent versions of IE, it has been confirmed on IE 6 and 8.
Noncompliant CSS parsing behaviour in Internet Explorer allows
attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. Full details can be found at:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
A CSRF vulnerability was discovered in our login interface. Although
regular logins are protected as of 1.15.3, it was discovered that the
account creation and password reset features were not protected from
CSRF. This could lead to unauthorised access to private wikis. See
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.
These vulnerabilities are serious and all users are advised to
upgrade. Remember that CSRF and XSS vulnerabilities can be used even
against firewall-protected intranet installations, as long as the
attacker can guess the URL.
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
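The login-CSRF fix described in the commit message above (and the session fixation fix for Special:UserLogin noted under 1.20.1) comes down to two checks: a token stored in the visitor's own session that the login form must echo back, and regeneration of the session id once credentials are accepted. The following is an added illustration of both, not MediaWiki's own code; the in-memory session store, the user table and the usernames are constructed stand-ins, and real code would hold hashed passwords and a server-side session backend.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-ins for the wiki's session store and user table
# (hypothetical; a real deployment uses hashed passwords and a server-side session backend).
SESSIONS: Dict[str, dict] = {}
USERS = {"alice": "correct horse", "mallory": "hunter2"}


def new_session() -> str:
    """Create an anonymous session, as when a browser first visits the wiki."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def render_login_form(sid: str) -> str:
    """Issue the login token the form must echo back.

    It lives only in the visitor's own session, so a form auto-submitted from an
    attacker-controlled page cannot carry the right value: the attacker never sees it."""
    sess = SESSIONS[sid]
    sess.setdefault("login_token", secrets.token_hex(16))
    return sess["login_token"]


def login_unprotected(sid: str, username: str, password: str) -> str:
    """Pre-fix behaviour (constructed for contrast): any POST with valid credentials
    logs the submitting session in, whoever triggered it, and the session id is kept."""
    if USERS.get(username) == password:
        SESSIONS[sid]["user"] = username
    return sid


def login_protected(sid: str, username: str, password: str, token: Optional[str]) -> str:
    """Post-fix behaviour: require the session-bound token, then rotate the session id.
    Returns the session id the browser should use from now on."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return sid
    expected = sess.get("login_token")
    if not (expected and token and hmac.compare_digest(expected, token)):
        return sid                        # cross-site submission: token missing or wrong
    if USERS.get(username) != password:
        return sid
    new_sid = secrets.token_hex(16)       # fresh id: a fixated pre-login id is now worthless
    SESSIONS[new_sid] = {"user": username}
    del SESSIONS[sid]
    return new_sid


def current_user(sid: str) -> Optional[str]:
    return SESSIONS.get(sid, {}).get("user")


def simulate_login_csrf(protected: bool) -> Optional[str]:
    """The victim's browser is made to POST the attacker's credentials to the wiki.
    Returns the user the victim's session ends up logged in as (None = attack failed)."""
    SESSIONS.clear()
    victim_sid = new_session()
    render_login_form(victim_sid)         # victim has seen the form; its token stays server-side
    if protected:
        attacker_sid = new_session()
        attacker_token = render_login_form(attacker_sid)   # best the attacker can do: their own token
        result_sid = login_protected(victim_sid, "mallory", "hunter2", attacker_token)
    else:
        result_sid = login_unprotected(victim_sid, "mallory", "hunter2")
    return current_user(result_sid)


def simulate_legitimate_login() -> Tuple[Optional[str], bool, bool]:
    """Same browser fills in the form it was served. Returns
    (logged-in user, whether the session id was rotated, whether the old id still works)."""
    SESSIONS.clear()
    sid = new_session()                   # could have been planted by an attacker (fixation)
    token = render_login_form(sid)
    new_sid = login_protected(sid, "alice", "correct horse", token)
    return current_user(new_sid), new_sid != sid, sid in SESSIONS


if __name__ == "__main__":
    print("unprotected, forged POST logs victim in as:", simulate_login_csrf(False))
    print("protected,   forged POST logs victim in as:", simulate_login_csrf(True))
    print("legitimate login (user, rotated, old id valid):", simulate_legitimate_login())
```

The token requirement is also why the API login action had to change: a client can no longer log in with a single credential-bearing request, because it must first obtain the session-bound token.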
Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.
Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.
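Two of the advisories above are about the same class of sanitizer bug: the IE CSS issue (the browser decodes escapes and comments that the filter did not, so "exp\72 ession(" passes a check for "expression"), and the external-image issue (a url() that the filter should have caught lets an editor point every reader's browser at a host they control). The defence in both cases is to canonicalise the value the way a browser will before matching it, and then to restrict url() targets to the wiki's own file host. The block below is an added illustration of that approach and is not MediaWiki's Sanitizer; the allowed host, the blacklist of keywords and the sample style values are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical host that serves the wiki's own uploaded files; anything else is "external".
ALLOWED_IMAGE_HOSTS = {"upload.example.org"}

_ESCAPE_RE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))', re.S)


def decode_css_escapes(value: str) -> str:
    """Resolve CSS backslash escapes (\\72 -> 'r', \\x -> 'x') the way a browser does."""
    def repl(m):
        if m.group(1):
            try:
                return chr(int(m.group(1), 16))
            except ValueError:              # code point out of range: drop it
                return ""
        return m.group(2)
    return _ESCAPE_RE.sub(repl, value)


def normalize_css(value: str) -> str:
    """Canonical form used for checking: decode entities and escapes, strip
    comments and NULs, collapse whitespace, lower-case."""
    v = html.unescape(value)                      # &#x65;xpression -> expression
    v = decode_css_escapes(v)                     # exp\72 ession   -> expression
    v = re.sub(r'/\*.*?\*/', '', v, flags=re.S)   # exp/**/ression  -> expression
    v = re.sub(r'/\*.*', '', v, flags=re.S)       # unterminated comment swallows the rest
    v = v.replace('\0', '')
    v = re.sub(r'\s+', ' ', v)
    return v.lower()


# Representative (not exhaustive) script-bearing constructs to refuse after normalisation.
_DANGEROUS_RE = re.compile(r'expression\s*\(|javascript\s*:|vbscript\s*:|-moz-binding|behavior\s*:')
_URL_RE = re.compile(r'url\s*\(\s*([\'"]?)(.*?)\1\s*\)')


def naive_check(value: str) -> bool:
    """The weak pattern: match blacklisted tokens against the raw attribute value."""
    return re.search(r'expression|javascript:|url\s*\(', value, re.I) is None


def check_css(value: str) -> bool:
    """Accept a style value only if its decoded form is free of script constructs
    and every url() points at an allowed host."""
    v = normalize_css(value)
    if _DANGEROUS_RE.search(v):
        return False
    for _quote, target in _URL_RE.findall(v):
        host = urlsplit(target.strip()).netloc
        if host and host not in ALLOWED_IMAGE_HOSTS:
            return False                # external image: every reader's IP would leak to that host
    return True


# Constructed probes: what an editor might put in a style attribute.
SAMPLES = [
    "color: red",
    "width: expression(alert(1))",
    "width: exp\\72 ession(alert(1))",
    "width: exp/**/ression(alert(1))",
    "width: &#x65;xpression(alert(1))",
    "background: u\\72 l(http://evil.example/t.gif)",
    "background: url(//upload.example.org/x.png)",
]


def compare(samples=SAMPLES):
    """Return {sample: (naive verdict, normalising verdict)} to show where they diverge."""
    return {s: (naive_check(s), check_css(s)) for s in samples}


if __name__ == "__main__":
    for s, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5}  {s}")
```

The escaped and commented variants pass the naive check and are refused by the normalising one; the url() pointing at the wiki's own host is the only url() the normalising check lets through, which is what distinguishes a legitimate background image from a tracking pixel.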
Please read
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_0/phase3/RELEASE-NOTES
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-July/000087.html
for details.
Note: Version 1.13.5 did NOT have the XSS vulnerability...
This is a maintenance release which corrects some bugs in the installer,
introduced during the hasty security release of 1.13.4. It is not
necessary to upgrade if you do not intend on using the installer.
A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These
vulnerabilities all require a live installer -- once the installer has been
used to install a wiki, it is deactivated.
Note that cross-site scripting vulnerabilities can be used to attack any
website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used
to attack the active service. If you are hosting an old copy of MediaWiki
that you have never installed, we advise you to remove it from the web.
This is a security release of MediaWiki 1.13.3. Some of the security issues
affect *all* versions of MediaWiki except the versions released today, so
all site administrators are encouraged to upgrade.
http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
General Public License (GPL). It's designed to be run on a large server
farm for a website that gets millions of hits per day. MediaWiki is an
extremely powerful, scalable software and a feature-rich wiki implementation,
that uses PHP to process and display data stored in its MySQL database.