Release notes/1.23

Security reminder:

MediaWiki does not require PHP's register_globals.

If you have it on, turn it off if you can.

MediaWiki 1.23.16
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.15

 * (T68404) CSS3 attr function with url type is no longer allowed in inline styles.
 * (T156184) will no longer apply to internationalization messages.
 * Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText when is true.
 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
 * (T156184) SECURITY: Escape content model/format url parameter in message.
 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it.

MediaWiki 1.23.15
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.14

 * BREAKING CHANGE: is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
 * (T139565) SECURITY: API: Generate head items in the context of the given title
 * (T137264) SECURITY: XSS in unclosed internal links
 * (T133147) SECURITY: Escape '<' and ']]>' in inline blocks
 * (T133147) SECURITY: Require login to preview user CSS pages
 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
 * (T129738) SECURITY: Make also restrict logged in permissions
 * (T129738) SECURITY: Make blocks log users out if is true
 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
 * Remove support for = false, all output is now well formed

MediaWiki 1.23.14
This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.13

 * (T122056) Old tokens are remaining valid within a new session
 * (T127114) Login throttle can be tricked using non-canonicalized usernames
 * (T123653) Cross-domain policy regexp is too narrow
 * (T123071) Incorrectly identifying http link in a's href attributes, due to m modifier in regex
 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
 * (T125283) Users occasionally logged in as different users after SessionManager deployment
 * (T103239) Patrol allows click catching and patrolling of any page
 * (T122807) [tracking] Check php crypto primatives
 * (T98313) Graphs can leak tokens, leading to CSRF
 * (T130947) Diff generation should use PoolCounter
 * (T133507) Careless use of is insecure
 * (T132874) API action=move is not rate limited
 * (T110143) strip markers can be used to get around html attribute escaping in (many?) parser tags
 * (T126685) Globally throttle password attempts

MediaWiki 1.23.13
This is a maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.12

 * (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.

MediaWiki 1.23.12
This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.11

 * (T117899) SECURITY: can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
 * (T119309) SECURITY: Use hash_compare for edit token comparison
 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
 * (T115522) SECURITY: Passwords generated by User::randomPassword can no longer be shorter than
 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

MediaWiki 1.23.11
This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.10

 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails

MediaWiki 1.23.10
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.9

 * (T94116) SECURITY: Compare API watchlist token in constant time
 * (T97391) SECURITY: Escape error message strings in thumb.php
 * (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions
 * (bug 67644) Make AutoLoaderTest handle namespaces
 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.

MediaWiki 1.23.9
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.8

 * SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
 * SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
 * SECURITY: Always expand xml entities when checking SVG's.
 * SECURITY: Escape > in Html::expandAttributes to prevent XSS.
 * SECURITY: Don't execute another user's CSS or JS on preview.
 * SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
 * Fix Special:ActiveUsers page for installations using PostgreSQL.

MediaWiki 1.23.8
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.7

 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in in API calls if it only included an allowed domain as part of its name.
 * (bug T74222) The original patch for T74222 was reverted as unnecessary.

MediaWiki 1.23.7
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.6

 * SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using.
 * SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model.
 * SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario.
 * SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff.
 * Make allowing site-wide styles on restricted special pages a config option.
 * Added updated version history from 1.19.2 to 1.22.13
 * was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.

MediaWiki 1.23.6
This is a maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.5

 * Allow classes to be registered properly from installer
 * Job queue not running (HTTP 411) due to missing Content-Length: header

MediaWiki 1.23.5
This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.4

 * SECURITY: OutputPage: Remove separation of css and js module allowance.

MediaWiki 1.23.4
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.3

 * SECURITY: Enhance CSS filtering in SVG files. Filter elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
 * Make MySQLi work with non-standard socket.
 * GlobalVarConfig shouldn't throw exceptions for null-valued config settings.

MediaWiki 1.23.3
This is a maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.2

 * Correctly handle incorrect namespace in cleanupTitles.php.
 * Fix support for blobs on DatabaseOracle::update.
 * Display MediaWiki:Loginprompt on the login page.
 * wfShellExec cuts off stdout at multiples of 8192 bytes.
 * Handle invalid language code gracefully in Language::fetchLanguageNames.
 * Restore the number of rows shown on Special:Watchlist.
 * Check for boolean false result from database query in SqlBagOStuff.

MediaWiki 1.23.2
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.1

 * SECURITY: Prepend jsonp callback with comment.
 * SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked.
 * SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
 * Preferences: Turn stubthreshold back into a combo box.
 * Fix initSiteStats.php maintenance script.
 * Special:ActiveUsers: Fix to work with PostgreSQL.

MediaWiki 1.23.1
This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.0

 * SECURITY: Prevent external resources in SVG files.
 * Special:Watchlist: Don't try to render empty row.
 * Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
 * FileBackend: Avoid using popen when "parallelize" is disabled.
 * MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
 * Removed -x flag on some php files.

MediaWiki 1.23
MediaWiki 1.23.0 is the stable branch and is recommended for use in production.

MediaWiki 1.23 is a large release that contains many new features and bug fixes.

This is the full list of changes in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the beta release and submitting bug reports.

Configuration changes

 * Restored method for clearing a watchlist in web UI so that users with large watchlists don't have to perform contortions to clear them.
 * When is higher that zero, jobs are now executed via an asynchronous HTTP request to a MediaWiki entry point. This may require increasing the number of server worker threads.  has been added to disable this feature if needed, falling back to executing the job on the same process but making the execution synchronously.
 * values may be set to an associative array with a 'destination' key specifying the log destination. The array may also contain a 'sample' key with a positive integer value N indicating that the log group should be sampled by dispatching one in every N messages on average. The sampling is random.
 * In addition to the current exception log format, MediaWiki now serializes exception metadata to JSON and logs it to the 'exception-json' log group. This makes MediaWiki easier to integrate with log aggregation and analysis tools.
 * now supports the use of Classless Inter-Domain Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6 addresses that should be trusted to provide X-Forwarded-For headers.
 * Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add pages I create and files I upload to my watchlist", "Add pages and files I edit to my watchlist", "Email me when a page or file on my watchlist is changed") are now enabled by default. In addition new user accounts' personal and talk pages are now watched by them by default.
 * : Class names have had underscores removed. The configuration should be updated if LBFactory_Simple or LBFactory_Multi is configured.
 * has been removed and is no longer functional. To set a custom mailer name, the system message 'emailsender' should be modified (default: " ").
 * Email notifications were not correctly handling the MediaWiki:Helppage message being set to a full URL (the default). If you customized MediaWiki:Enotif body (the text of email notifications), you'll need to edit it locally to include the URL via the new variable $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise you don't have to do anything.
 * was removed as the only class using it was also removed
 * The 'max threads' setting was removed from.
 * Support for AdminSettings.php has been completely removed. All configuration belongs in LocalSettings.php.
 * , which has been replaceable by since 2005 (r9249), is now formally deprecated.
 * Removed deprecated as it is hardly used anywhere.
 * has been deprecated and replaced by ['ratelimit'].
 * is an array containing multiple local interwiki prefixes (interwiki prefixes that point back to the current wiki). This effectively allows more than one value of to be specified and understood by the parser. The value of  is automatically prepended to the start of this array.
 * has been removed. Query Pages should be added to by using the wgQueryPages hook.
 * has been removed.
 * has been removed as it was unused.
 * is now deprecated; set the log file in ['profileoutput'] to replace it.
 * was removed; use instead
 * Deprecated ResourceLoaderGetStartupModules hook.

New features

 * ResourceLoader can utilize the Web Storage API to cache modules client-side. Compared to the browser cache, caching in Web Storage allows ResourceLoader to be more granular about evicting stale modules from the cache while retaining the ability to retrieve multiple modules in a single HTTP request. This capability can be enabled by setting to true. This feature is currently considered experimental and should only be enabled with care.
 * Add expensive parser functions,  and  (with friends).
 * Add "wgRelevantUserName" to mw.config containing the current Skin::getRelevantUser value.
 * Add content model to the page information.
 * Added Article::MissingArticleConditions hook to give extensions a chance to hide their (unrelated) log entries.
 * Added LonelyPagesQuery hook to let extensions modify the query used to generate Special:LonelyPages.
 * Added defining the default number of entries to show on action=opensearch API call.
 * For namespaces with (including the MediaWiki namespace), the "protect" tab will be shown only if there are restriction levels available that would restrict editing beyond what  already applies. The protection form will offer only those protection levels.
 * Added, allowing extensions to add additional output formatting modules for the API.
 * The MediaWiki:Group-user.{css,js} pages can now be used to add custom CSS or JavaScript enabled only for registered users.
 * Special pages RecentChanges, RecentChangesLinked and Watchlist now include a legend describing the symbols used in lists of changes.
 * Improved the accessibility of the tabs in Special:Preferences.
 * Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook: it's called after everything is set up but before any major processing happens.
 * The jquery.client module now performs a component-wise version comparison in its #test method when strings are used in the browser map: version '1.10' is now correctly considered larger than '1.2'. Using numbers in the version map is not affected.
 * All API modules now support an assert parameter, which can either be 'user' or 'bot'. The API will throw an error if the user is not logged in (user) or does not have the 'bot' userright (bot). Based off of the AssertEdit extension by Steve Sanbeg.
 * WikitextContent will now render redirects with the expected "redirect" header, rather than as an ordered list. Code calling Article::viewRedirect can probably be changed to no longer special-case redirects.
 * Special:Diff was added, allowing users to create internal links to revision comparison pages using syntax such as Special:Diff/12345, Special:Diff/12345/prev or Special:Diff/12345/98765.
 * New user accounts' personal and talk pages are now watched by them by default.
 * Added SkinTemplateGetLanguageLink hook to allow changing the html of language links.
 * Added MessageCache::get hook as a new way to customize messages across multiple sites.
 * Added jquery.throttle-debounce ResourceLoader module to limit the number of callbacks for frequently occurring events.
 * Special:ProtectedPages shows now a table. The timestamp, the reason and the protecting user is also shown.
 * Added experimental support for using Microsoft SQL Server as the database backend.
 * Added new Microsoft SQL Server-specific configuration variable, which makes the web server authenticate against the database server using Integrated Windows Authentication instead of /.
 * HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and 'radio' fields can now use message keys as labels via the 'options-messages' parameter, which overrides the 'options' parameter.
 * Admins can expire users users passwords manually, or on a schedule using the configuration setting.
 * Add new hook SendWatchlistEmailNotification, this will be used to determine whether to send a watchlist email notification.
 * Special:Contributions now includes an option to filter page creations, similar to the topOnly option.
 * Add mediawiki.ui.button styling to all pages so wiki content can use styled buttons.
 * Special:UserLogin/signup now does AJAX checks for invalid and taken usernames, displaying the error live.
 * Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
 * Support has been added for a JSON based localisation file format. The installer has been updated to use it.
 * Changes to content typography (colors, line-height, etc.). See https://www.mediawiki.org/wiki/Typography_refresh for further information.
 * ResourceLoader: mw.loader.using now implements a Promise interface.
 * Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows. If called by the ChangesList consumer this gives extensions a chance to batch process the result set prior to rendering.
 * A PoolCounterRedis class was added which can be make use of in . This requires at least one Redis 2.6+ server.
 * was removed. Set to ProfilerSimpleDB in StartProfiler.php instead of using this.
 * Made it possible to change the indent string (default: 4 spaces) used by FormatJson::encode.

Bug fixes

 * The "updated since last visit" markers (on history pages, recent changes and watchlist) and the talk page message indicator are now correctly updated when the user is viewing old revisions of pages, instead of always acting as if the latest revision was being viewed.
 * Special:ConfirmEmail no longer shows a "Mail a confirmation code" when the email address is already confirmed. Also, consistently use "confirmed", rather than "authenticated", when messaging whether or not the user has confirmed an email address.
 * Show correct link color on cached result of Special:DeadendPages.
 * Classes TitleListDependency and TitleDependency have been removed, as they have been found unused in core and extensions for a long time.
 * SpecialPasswordReset now obeys returnto parameter
 * ResourceLoader will notice when a module's definition changes and recompile it accordingly.
 * SpecialRecentChangesFilters hook is now executed for feeds.
 * Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
 * Updated the plural rules to CLDR 24. They are in new format which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the JavaScript evaluator were updated to support the new format. Plural rules for some languages have changed, most notably Russian. Affected software messages have been updated and marked for review at translatewiki.net.
 * Redirect pages, when viewed with redirect=no, no longer hide the remaining page content.
 * imagelinks now stores both the redirect and target (as templatelinks does).
 * The web installer no longer throws an exception when PHP is compiled without support for MySQL yet with support for another DBMS.
 * Raw option of parser functions must now match complete word, to take effect.
 * Special:PrefixIndex forgot stripprefix=1 for "Next page" link
 * Undoing an already-undone edit will now display an appropriate message instead of leading the user to make a null edit.
 * mediawiki.notification: Notification area remained visible when empty and thus was stealing pointer events from links on the page.
 * When a DBUnexpectedError occurs, DB server hostnames are now hidden unless is true, and  no longer applies in such cases.
 * Avoid doing file_exist checks on data: URIs, as they cause warnings to be printed on Windows due to large path length.
 * Fixed a bug in the installer that could cause to hold the wrong path to the placeholder logo (skins/common/images/wiki.png).
 * jquery.textSelection: Don't throw errors on empty collections.

Web API changes

 * action=parse&prop=categories now indicates hidden and missing categories.
 * action=query&meta=filerepoinfo now returns additional information for each repo.
 * action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in MediaWiki 1.24.
 * action=parse now has disabletoc flag to disable table of contents in output.
 * list=allcategories, list=allimages, list=alllinks, list=allpages, list=deletedrevs and list=filearchive did not handle case-sensitivity properly for all parameters.
 * ApiQueryBase::titlePartToKey allows an extra parameter that indicates the namespace in order to properly capitalize the title part.
 * action=feedcontributions no longer has one item more than limit.
 * All API modules now support an assert parameter. See the new features section for more details.
 * Added prop=contributors to fetch the list of contributors to the page.
 * The following API modules will now return entries where fields have been revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges, list=watchlist. "hidden" indicators will be included, in the same style as is already done for prop=revisions.
 * The following API modules will now return the content of revision-deleted fields, in addition to the "hidden" indicators, if the querying user has the necessary rights: list=logevents, list=usercontribs, prop=imageinfo, prop=revisions.
 * The above modules, where applicable, will now return entries filtered by revision-deleted fields if the querying user has the necessary rights. For example, prop=revisions with rvuser or rvexcludeuser will no longer skip revisions where the user was revision-deleted if the current user has the deletedhistory right.
 * The 'hideuser' right, used when blocking, is no longer necessary or sufficient for seeing contributions with revision-deleted in list=usercontribs.
 * list=watchlist now uses the querying user's rights rather than the wlowner's rights when checking whether wlprop=patrol is allowed.
 * ApiWatch now has pageset capabilities (titles/pageids/generators). Title parameter is now deprecated.
 * Added action=revisiondelete.
 * Added siprop=restrictions to API action=query&meta=siteinfo for querying possible page restriction (protection) levels and types.
 * Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
 * Provide language names on action=parse&prop=langlinks.
 * Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
 * Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
 * prop=redirects is added, to return redirects to the pages in the query.
 * list=allredirects is added, to list all redirects pointing to a namespace.
 * Added ucshow={new,!new,top,!top} to list=usercontribs. Also added newonly to action=feedcontributions.
 * Deprecated uctoponly in favor of ucshow=top.
 * list=search no longer has a "srredirects" parameter. Redirects are now included in all searches.
 * Added list=prefixsearch that works like action=opensearch but can be used as a generator.
 * Various modules will now use unique continuation parameters.
 * Cache RecentChanges Atom feed in varnish for 15 seconds.

Languages updated
MediaWiki supports over 350 languages.

Many localisations are updated regularly.

Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.
 * Support was added for Algerian Spoken Arabic (arq).
 * Support was added for Riograndenser Hunsrückisch (hrx).
 * Support was added for Northern Luri (lrc).

Other changes

 * Added pp_sortkey column to page_props table, so pages can be efficiently queried and sorted by property value . See if you want to postpone the schema change.
 * The rc_type field in the recentchanges table has been superseded by a new rc_source field. The rc_source field is a string representation of the change type where rc_type was a numeric constant.  This field is not yet queried but will be in a future point release of 1.22.
 * Utilize update.php to create and populate this new field. On larger wiki's which do not wish to update recentchanges table in one large update please review the sql and comments in maintenance/archives/patch-rc_source.sql.
 * The rc_type field of recentchanges will be deprecated in a future point release.
 * The global variable has been removed after a lengthy deprecation.
 * The global functions addButton and insertTags (for mw.toolbar.addButton and mw.toolbar.insertTags) now emits mw.log.warn when accessed.
 * The ExpandTemplates extension has been moved into MediaWiki core.
 * Removed "Disable search suggestions" from Preference.
 * Removed "Disable browser page caching" from Preference.
 * Three new modules intended for use by custom skins were added: 'skins.common.elements', 'skins.common.content', and 'skins.common.interface', representing three levels of standard MediaWiki styling. Previously skin creators wishing to use them had to refer to the file names of appropriate files directly, which is now discouraged.
 * The modules 'skins.vector' and 'skins.monobook' have been renamed to 'skins.vector.styles' and 'skins.monobook.styles', respectively, and their definition was changed not to include the common*.css files; the two skins now load the 'skins.common.interface' module instead.
 * A page_links_updated field has been added to the page table.
 * SpecialPage::getTitle has been deprecated in favor of SpecialPage::getPageTitle.
 * BREAKING CHANGE: Two potentially backwards-incompatible changes have been made to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make the hook more consistent with the 'SpecialRecentChangesQuery' one:
 * Several array keys have been renamed: hideMinor → hideminor, hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu, hidePatrolled → hidepatrolled, hideOwn → hidemyself.
 * The parameter value is now a FormOptions object, not a plain array (array access operators should continue to work, as it implements the ArrayAccess interface).
 * Option to mark hooks as deprecated has been added.
 * Preference "Enable section editing via [edit] links" was removed.
 * Preference "Show table of contents (for pages with more than 3 headings)" was removed.
 * Preference "Justify paragraphs" was removed.
 * OutputPage::showErrorPage raises a notice if arguments are incoherent.
 * Thumbnails that keep failing to render in thumb.php will be rate-limited againt further render attempts for 1 hour. can be altered to reset all rate-limited thumbnails at once.
 * Builds of the OOjs and OOjs UI libraries are now available.
 * mw.loader.go and mw.loader.version have been removed.
 * Preference "Enable simplified search bar (Vector skin only)" was removed.
 * A user_password_expires column has been added to the user table. The User object expects this column to exist. Use update.php to create this new field.
 * The jquery.delayedBind ResourceLoader module was deprecated in favor of the jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
 * mw.user.bucket has been deprecated.
 * On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to table.mw-prefixindex-list-table to avoid duplicate ids when the special page is transcluded.
 * window.$j has been deprecated.
 * Preference "Disable link title conversion" was removed.
 * SpecialRecentChanges no longer includes any functionality for generating feeds - it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new ones.
 * RecentChange::mExtra['lang'] is no longer set and should no longer be used. Extensions should read from other configuration variables, including, to identify the current wiki.
 * Sections in the parser test framework have been renamed and the old section names are deprecated. Please use "!!wikitext" and "!!html" (or "!!html/php") instead of "!!input" and "!!result".  This allows us to extend parser tests to accommodate additional input/output pairs, such as "!!html/parsoid" (for the output of the Parsoid parser, where it differs from the PHP parser).
 * Special:Search no longer has an "include redirects" option on the advanced tab. Redirects are now included in all searches.
 * mediawiki.api.category's getCategories 'async' parameter was deprecated.
 * The locations of resources have been split between upstream libraries, now in resources/lib/, local libaries in resources/src/, and local forks of upstream libraries, also in resources/src/.
 * BREAKING CHANGE: The automatically-generated function closure with which ResourceLoader wraps all modules' JavaScript code now binds the identifier names 'jQuery' and '$' to the jQuery object of the version of jQuery that is bundled with MediaWiki. If you bind these names to other objects in global scope (like Zepto.js or document.querySelectorAll, for example) you will need to use different names to or re-bind them at the top of each ResourceLoader-loaded module.
 * Preference "Remember my login" was removed.

Removed classes

 * FakeMemCachedClient (deprecated in 1.18)
 * RdfMetaData (unused)
 * TitleDependency (unused)
 * TitleListDependency (unused)
 * WikiError (deprecated in 1.17)
 * WikiXmlError (deprecated in 1.17)
 * WikiErrorMsg (deprecated in 1.17)

Renamed classes

 * CdbReader_DBA to CdbReaderDBA
 * CdbReader_PHP to CdbReaderPHP
 * CdbWriter_DBA to CdbWriterDBA
 * CdbWriter_PHP to CdbWriterPHP
 * DiffOp_Add to DiffOpAdd
 * DiffOp_Change to DiffOpChange
 * DiffOp_Copy to DiffOpCopy
 * DiffOp_Delete to DiffOpDelete
 * HWLDF_WordAccumulator to HWLDFWordAccumulator
 * LBFactory_Fake to LBFactoryFake
 * LBFactory_Multi to LBFactoryMulti
 * LBFactory_Simple to LBFactorySimple
 * LBFactory_Single to LBFactorySingle
 * LCStore_Accel to LCStoreAccel
 * LCStore_CDB to LCStoreCDB
 * LCStore_DB to LCStoreDB
 * LCStore_Null to LCStoreNull
 * LoadBalancer_Single to LoadBalancerSingle
 * LoadMonitor_MySQL to LoadMonitorMySQL
 * LoadMonitor_Null to LoadMonitorNull
 * LocalisationCache_BulkLoad to LocalisationCacheBulkLoad
 * csvStatsOutput to CsvStatsOutput
 * extensionLanguages to ExtensionLanguages
 * languages to Languages
 * statsOutput to StatsOutput
 * textStatsOutput to TextStatsOutput
 * wikiStatsOutput to WikiStatsOutput

Removed methods

 * ApiBase::getValidNamespaces (deprecated in 1.17)
 * ApiMain::setCachePrivate (deprecated in 1.17)
 * ApiMain::setVaryCookie (deprecated in 1.17)
 * CategoryViewer::addSubcategory (deprecated in 1.17)
 * EditPage::spamPage (deprecated since 1.17)
 * Exif::getFormattedData (deprecated in 1.18)
 * Exif::makeFormattedData (deprecated in 1.18)
 * Language::convertLinkToAllVariants (deprecated in 1.17)
 * LanguageConverter::convertLinkToAllVariants (deprecated in 1.17)
 * Linker::makeBrokenLink (deprecated in 1.16)
 * Linker::makeBrokenLinkObj (deprecated in 1.16)
 * Linker::makeColouredLinkObj (deprecated in 1.16)
 * Linker::makeSizeLinkObj (deprecated in 1.17)
 * ProfilerSimple::getCpuTime (deprecated in 1.20)
 * Revision::revText (deprecated in 1.17)
 * SkinTemplate::jstext (deprecated in 1.21)
 * SpecialPage::__call (deprecated in 1.17)
 * SpecialPage::executePath (deprecated in 1.18)
 * SpecialPage::exists (deprecated in 1.18)
 * SpecialPage::file (deprecated in 1.18)
 * SpecialPage::func (deprecated in 1.18)
 * SpecialPage::getGroup (deprecated in 1.18)
 * SpecialPage::getPage (deprecated in 1.18)
 * SpecialPage::getPageByAlias (deprecated in 1.18)
 * SpecialPage::getLocalNameFor (deprecated in 1.18)
 * SpecialPage::getRegularPages (deprecated in 1.18)
 * SpecialPage::getRestrictedPages (deprecated in 1.18)
 * SpecialPage::getTitleForAlias (deprecated in 1.18)
 * SpecialPage::getUsablePages (deprecated in 1.18)
 * SpecialPage::includable (deprecated in 1.18)
 * SpecialPage::init
 * SpecialPage::initAliasList (deprecated in 1.18)
 * SpecialPage::initList (deprecated in 1.18)
 * SpecialPage::name (deprecated in 1.18)
 * SpecialPage::removePage (deprecated in 1.18)
 * SpecialPage::resolveAlias (deprecated in 1.18)
 * SpecialPage::resolveAliasWithSubpage (deprecated in 1.18)
 * SpecialPage::restriction (deprecated in 1.18)
 * SpecialPage::setGroup (deprecated in 1.18)
 * SpecialRecentChanges::feedSetup
 * SpecialRevisionDelete::extractBitField (deprecated in 1.22)
 * User::getPageRenderingHash (deprecated in 1.17)
 * WebRequest::getFileSize (deprecated in 1.17)
 * WebRequest::isPathInfoBad (deprecated in 1.17)
 * WikiPage::quickEdit (deprecated in 1.18)
 * WikiPage::useParserCache (deprecated in 1.18)
 * WikiPage::viewUpdates (deprecated in 1.18)

Removed globals

 * (deprecated in 1.18)

Compatibility
MediaWiki 1.23 requires PHP 5.3.2 or later.

MySQL is the recommended DBMS.

PostgreSQL or SQLite can also be used, but support for them is somewhat less mature.

There is experimental support for Oracle and Microsoft SQL Server.

The supported versions are:


 * MySQL 5.0.2 or later


 * PostgreSQL 8.3 or later


 * SQLite 3.3.7 or later


 * Oracle 9.0.1 or later
 * Microsoft SQL Server 2005 (9.00.1399)

Upgrading
1.23 has several database changes since 1.22, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site). If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes. If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data. If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21. Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions. For notes on 1.21.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Documentation

Mailing list
A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc.freenode.net.