Release notes/1.9

= MediaWiki 1.9 =

MediaWiki 1.9.6
March 2, 2008


 * Correction for API path fix, broken in 1.9.5

MediaWiki 1.9.5
January 23, 2008

This is a security update to the Winter 2007 quarterly release. A potential XSS injection vector affecting api.php only for Microsoft Internet Explorer users has been closed.

To work around the vulnerability without upgrading, you may disable the API if you don't need it:


 * = false;

Not vulnerable versions:
 * 1.12 or later
 * 1.11 >= 1.11.1
 * 1.10 >= 1.10.3
 * 1.9 >= 1.9.5
 * 1.8 any version (if $wgEnableAPI has been left off)

Vulnerable versions:
 * 1.11 <= 1.11.0rc1
 * 1.10 <= 1.10.2
 * 1.9 <= 1.9.4
 * 1.8 any version (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the API functionality, however the BotQuery extension is similarly vulnerable unless updated to the latest SVN version.

MediaWiki 1.9.4
September 10, 2007

This is a security and bug fix update to the Winter 2007 quarterly release. Minor compatibility fixes for IIS 5 are included.


 * (bug 8847) Strip spurious #fragments from request URI to fix redirect loops on some server configurations
 * A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed.

The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php:


 * = false;

Not vulnerable versions:
 * 1.11 >= 1.11.0
 * 1.10 >= 1.10.2
 * 1.9 >= 1.9.4
 * 1.8 >= 1.8.5

Vulnerable versions:
 * 1.11 <= 1.11.0rc1
 * 1.10 <= 1.10.1
 * 1.9 <= 1.9.3
 * 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the faulty function, however the BotQuery extension is similarly vulnerable unless updated to the latest SVN version.

MediaWiki 1.9.3
February 20, 2007

This is a security and bug-fix update to the Winter 2007 quarterly release. Minor compatibility fixes for IIS and PostgreSQL are included.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 charset autodetection was located in the AJAX support module, affecting MSIE users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:


 * 1.9: fixed in 1.9.3
 * 1.8: fixed in 1.8.4
 * 1.7: fixed in 1.7.3
 * 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with $wgUseAjax off.


 * (8992) Fix a remaining raw use of REQUEST_URI in history
 * (8984) Fix a database error in Special:Recentchangeslinked when using the PostgreSQL database.
 * Add charset to Content-Type headers on various HTTP error responses to forestall additional UTF-7-autodetect XSS issues. PHP sends only text/html by default when the script didn't specify more details, which some inconsiderate browsers consider a license to autodetect the deadly, hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message on MSIE when $wgUseAjax is enabled (not default configuration); this UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA from BugSec: http://www.bugsec.com/articles.php?Security=24
 * Trackback responses now specify XML content type

MediaWiki 1.9.2
February 4, 2007

This is a bug-fix update that fixes some installation and other minor issues with the 1.9.1 release as well as a security issue which was introduced in the 1.9 branch.

JavaScript code which regenerated the "sortable tables" feature did not properly sanitize input, leading to an HTML injection vulnerability.


 * (8774) Fix path for GNU FDL rights icon on new installs
 * (8819) Fix full path disclosure with skins dependencies
 * (8819) Fixed data-loss bug in compressOld batch text compression affecting pages which had null edits (move, protect, etc) as second edit in a batch group. Isolated and patched by Travis Derouin.
 * Security fix for sortable tables JavaScript

MediaWiki 1.9.1
January 24, 2007

This is a bug-fix update that fixes some installation and upgrade issues with the original 1.9.0 release.


 * (3000) Fall back to SCRIPT_NAME plus QUERY_STRING when REQUEST_URI is not available, as on IIS with PHP-CGI
 * Security fix for DjVu images. (Only affects servers where .djvu file uploads are enabled and $wgDjvuToXML is set.)
 * (8638) Fix update from 1.4 and earlier
 * (8641) Fix order of updates to ipblocks table for updates from <=1.7
 * (8673) Minor fix for web service API content-type header
 * Fix API revision list on PHP 5.2.1; bad reference assignment
 * Fixed up the AjaxSearch
 * Exclude settings files when generating documentation. That could expose the database user and password to remote users.
 * ar: fix the 'create a new page' on search page when no exact match found
 * Correct tooltip accesskey hint for Opera on the Macintosh (uses Shift-Esc-, not Ctrl-).
 * (8719) Firefox release notes lie! Fix tooltips for Firefox 2 on x11; accesskeys default settings appear to be same as Windows.

MediaWiki 1.9
January 10, 2007

This is the quarterly release snapshot for Winter 2007. While the code has been running on Wikipedia for some time, installation and upgrade bits may be less well tested. Bug fix releases may follow in the coming days or weeks.

MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature development happen will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it from source control: Download from SVN

Security fixes
An XSS injection vulnerability was located in the AJAX support module, affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:


 * 1.9: fixed in 1.9.0rc2
 * 1.8: fixed in 1.8.3
 * 1.7: fixed in 1.7.2
 * 1.6: fixed in 1.6.9

Zend Optimizer
A bug in some versions of PHP 5 and Zend Optimizer which was triggered under MediaWiki 1.8.x has been worked around by disabling some internal debugging features when Zend Optimizer is loaded. This should solve some common "blank page" problems.

PHP 5.0 64-bit
MediaWiki now checks for a condition where PHP 5.0.x corrupts array data on 64-bit systems and warns you to upgrade PHP to solve the problem. This bug causes Special: pages to fail on affected systems under MediaWiki 1.8 and higher, and subtler data corruption on earlier versions.

The only known workaround is to upgrade PHP to 5.1 or later, which you probably should do anyway for security reasons!

MySQL 5
MediaWiki should now install and run correctly on MySQL 5.0 and higher when MySQL's "strict mode" is enabled. (This is now the default for many Windows installations, though it seems to remain off by default on Unix.)

This fixes errors about "cannot default default value for BLOB/TEXT fields".

ImageMagick
Note that ImageMagick older than 6.x may no longer work for image resizing due to use of the -thumbnail option.

Localized special pages
The names of Special: pages can now be localized, so links and URLs to them are more legible in languages that aren't English.

Not all languages have included localized names yet.

E-mail password
Users are now required to set a new password for themselves when they first log in with a newly generated e-mailed password.

Requesting passwords frequently is prevented to reduce abusive mailbombing.

Undo revision
An "undo" link now appears in diff view for easier reverting of older edits. When GNU diff3 is available for edit conflict merging, this can make it much easier to "undo" the changes of an older edit when there are surrounding changes elsewhere in the page.

The changes must be manually reviewed and approved, as with conventional full-revision reverts.

Blocking
User blocks can be set to disable the automatic blocking of IP addresses the account logs in with.

Database changes

 * new 'redirect' table stores data on page redirects
 * new 'querycachetwo' table used for some cached special pages
 * 'ipblocks' table adds 'ipb_enable_autoblock'
 * 'recentchanges' table adds 'rc_old_len', 'rc_new_len' for size tracking
 * 'user' table has added 'user_newpass_time' and 'user_editcount' fields
 * some indexes have been updated on 'recentchanges'

Configuration changes
Several configuration options have changed since 1.8:

$wgEnableAPI
The experimental machine API interface is now enabled by default, read-only. You can disable it by setting $wgEnableAPI = false; in LocalSettings.php.

$wgPathInfo
The use of PATH_INFO (the text after the script name in 'index.php/Blah') is controlled by the $wgUsePathInfo setting. This is now explicitly disabled for CGI, apache2filter, and ISAPI configurations of PHP, for more consistency with the autodetection from the installer.

In some rarer configurations you may have to switch $wgUsePathInfo from false to true or, perhaps, from true to false to make things work properly if bad PATH_INFO data comes through the server.

The wiki now tries to detect this condition and should show you an error message describing what to change instead of sending the browser into an infinite redirect loop.

$wgScript and other path settings
The following configuration variables are now automatically set in Setup.php if they are not overridden in LocalSettings.php:

from $wgScriptPath: + $wgScript | \- $wgArticlePath + $wgRedirectScript + $wgStylePath + $wgUploadPath \- $wgLogo + $wgMathPath

from $IP: - $wgStyleDirectory + $wgUploadDirectory \- $wgMathDirectory + $wgTmpDirectory + $wgReadOnlyFile + $wgFileCacheDirectory

Newly generated configuration files will by default include only $wgScriptPath (hardcoded from the installer) and $IP (detected at runtime).

Old configuration files which specify all these values explicitly should continue to work just fine, but if you use the defaults you can remove them to reduce clutter.

$wgGroupPermissions
The sysop group now holds the "autopatrol" and "ipblock-exempt" rights by default.

"autopatrol" replaces the preference for marking ones own edits patrolled by default; users holding this permission will automatically have their edits patrolled, while others cannot mark their own edits as patrolled even if they have patrolling rights.

"ipblock-exempt" excludes the user from IP blocks; accounts which are blocked explicitly by name will still be blocked, however. This is given to sysops to minimize annoyance from accidental "collateral damage"; remember that a sysop will be able to lift the block if they desire.

The bot group now holds the "nominornewtalk" right. A user with this right will not trigger new message notifications when making minor edits to user talk pages. This is meant to minimize annoyance from maintenance bot processes.

$wgUseWatchlistCache
Watchlist caching has been removed. The feature was not maintained, and has been unnecessary since switching to the 'recentchanges' database table reduced server pressure for Wikipedia's watchlists.

$wgBreakFrames
MediaWiki in the past attempted to detect when it was embedded in a frameset and "break out" of it, assuming it to be hostile.

This behavior is now disabled by default, but can be reenabled by setting $wgBreakFrames to true in LocalSettings.php.

$wgVariantArticlePath
For languages with script variant support (Chinese, Serbian, and others), it's possible to use alternate URL paths to select the variant for article display, setting $wgVariantArticlePath.

Documentation for this setting would be useful.

$wgMaxMsgCacheEntrySize
The message cache can now skip items larger than a given size; this allows it to better handle the primary caching case when large CSS and JS blobs are present.

$wgStyleVersion
When making significant changes to skin stylesheets and JavaScript files, you can append a string to this variable to tweak the generated URLs, forcing newly rendered pages to bring in a fresh version despite server- or browser-side caching.

Normally this will be set in the course of MediaWiki development, but if doing development on a custom skin you may wish to poke it as well.

$wgRCShowChangedSize
Special:Recentchanges and Special:Watchlist now show the number of bytes added or removed to an article to give an idea of the size of the edit. This information was previously available only in the IRC update feeds.

To disable this site-wide, set $wgRCShowChangedSize to false. (Individual users can suppress the data in custom CSS.)

Adjust $wgRCChangedSizeThreshold to trigger highlighting of particularly large changes.

The formatting of the size figure can be adjusted through the MediaWiki:Rc-change-size message.

$wgQueryCacheLimit
The number of rows stored for "expensive" special pages in miser mode can now be adjusted up or down from the default 1000.

$wgDisableQueryPageUpdate
Individual "expensive" special pages can be skipped in processing by updateSpecialPages if added to this list.

$wgSorbsUrl
The base hostname for the DNS-based proxy blacklist can now be overridden when $wgEnableSorbs is set, to use a different blacklist instead of SORBS. The blacklist would need to respond the same was as SORBS; any positive response will be taken as a proxy.

$wgAjaxWatch
Experimental AJAX mode for the watch/unwatch tabs to execute inline. Does not include the UI messages describing how to reach the watchlist, so you may not want it on a general-audience site just yet.

$wgParserTestFiles
MediaWiki's parser test suite can now be expanded with additional test files. Custom extensions can add their test files to this array, and they will be run along with the main tests by maintenance/parserTests.php

Changes since 1.8

 * (8200) Make category lists sorted by name when using Postgres.
 * (7841) Support 'IGNORE' inserts for Postgres, fixes watchlist adding problem.
 * (6835) Removing the includes/Parser.php::getTemplateArgs function, because it seems to be unused.
 * (7139) Increasing the visual width of the edit summary field on larger screen sizes, for the default monobook skin.
 * Fix PHP notice and estimates for dumpBackup.php and friends
 * Improved register_globals paranoia checks
 * (7545) Fix PHP version check on install
 * Disable PHP exception backtrace printing unless $wgShowExceptionDetails is set. Backtraces may contain sensitive information in function call parameters.
 * (6164) Avoid smashing Cite state if message transformation triggers during bad image list check, by skipping message transformation. This isn't a good permanent fix.
 * (6918) Stopped borders and backgrounds from showing through floated tables in Monobook
 * (6868) Un-hardcode section edit link style
 * (3205) Stop right floats from stacking horizontally in non-Monobook skins
 * Added global $wgStyleVersion to centralize bumping CSS and JS file versions for cache-friendly style and script updating
 * (7562) Fix non-ASCII namespaces on Windows/XAMPP servers
 * Friendlier check for PHP 5 in command-line scripts; it's common for parallel PHP 4 and 5 installations to interfere on the command-line.
 * Fix regression in autoconfirm permission check
 * (3015) Add CSS ids to subcategory and page sections on category pages
 * (7587) Fix erroneous id for specialpage tab, enabling informative popup
 * (7599) Fix thumbnail purging, PHP notices on HTCP image page purge
 * (7581) Update language name for cbk-zam
 * (7444) Update namespace translations for Telugu (te), kept old values as alias for compatibility
 * (4525) Move section links down visually to same level as headings (editsection links are now inside the heading elements)
 * Workaround for http://bugs.php.net/bug.php?id=31892, PATH_INFO and hence URLs of the style /index.php/Main_Page were broken on some CGI installations.
 * (7623) Validate custom HTML id's correctly in Monobook interface
 * (2241) Fix collision of 'w' and 'd' accesskeys
 * (5795) CSS class added to body based on page name for page-specific styling
 * (6276) Stopped search field from getting too large in Cologne Blue
 * (7644) User creations that are aborted by hooks shouldn't be counted against account creations per day limit
 * (7636) Show Firefox 2 users correct accesskey prefix
 * (6427) Block blocked IPs from using the mail password function to allow blocking of flooders
 * Include common.css from classic-style skins in main HTML with the bump URL
 * (7607) Add Karakalpak (kaa) to Names.php and stub message file for linktrail
 * (7582) Add 'tog-nolangconversion' to MessagesEn.php. This key is need for languages with variants (zh, sr, kk)
 * (7606) MediaWiki messages for "rss" and "atom" missing
 * (7609) Add some more '*-summary' messages to MessagesEn.php with empty strings to allow better localisation via Special:Allmessages. Mark this new messages as optional for localisation.
 * Fix user_newpass upgrade for prefixed tables (reported by Fyren)
 * (7663) Include language variant switcher links on Nostalgia skin
 * (6531) Fix PHP fatal error on installation page with bad username input.
 * (6977) Remove 404 link for autogenerated database documentation.
 * (7369) Allow "Show Changes" without requiring edit token.
 * (7687) Fix movetalk box checks itself when confirming a delete and move.
 * (7684) Obey watchcreated preference for Special:Upload watch checkbox
 * (7686) Include id attribute on delete form confirmation button
 * Allow compound interwiki prefixes in $wgImportSources
 * (7304) Added redirect table to store redirect targets.
 * Added querycachetwo table (similar to querycache but has two titles)
 * PageArchive can now return a Revision object for more convenient processing of deleted revision data
 * Added 'UndeleteShowRevision' hook in Special:Undelete
 * Error message on attempt to view invalid or missing deleted revisions
 * Remove unsightly "_" from namespace in Special:Allpages, Special:Prefixindex
 * (3224) Allow minor edits by bots to skip new message notification on user talk pages. This can be disabled by adjusting the 'nominornewtalk' permission. Patch by Werdna.
 * (7741) MATH: fixed broken syntax of underbrace etc. Fixed arrays
 * Fix purging for updated SVG files
 * (7745) Add id attribute to search button in Monobook
 * (7749) MATH: added some more LaTeX symbols, e.g. parallel, diamond, ast, ...
 * (7304) Added code in Article.php to keep redirect table up to date.
 * Made special page names case-insensitive and localisable. Care has been taken to maintain backwards compatibility.
 * Used special page subpages in a few more places, instead of query parameters.
 * (7758) Added wrapper span to "templates used" explanation to allow CSS styling (class="mw-templatesUsedExplanation").
 * Added parser function, to give the local default title for special pages
 * (7766) Remove redundant / from AJAX requests, can break some servers
 * Add tab links from extensions to classic-based skins (SkinTemplateTab hook) Provides better cross-skin compatibility for extensions using the modern skin hooks, such as Oversight
 * Moved variant language links on Cologne Blue and Nostalgia to before the login/logout link
 * Fix for parser tests with MySQL 5 in strict mode
 * Added block option "enable autoblocks"
 * Amend Special:Ipblocklist to note when a block has autoblock DISABLED.
 * (7780) Fix regression in editing redirects
 * Add whitespace above "templates included on this page" using CSS, not hardcoded line break.
 * Remove entries from redirect table on article deletion
 * (7788) Force section headers in new section links for users who have 'prompt for blank edit summaries' on.
 * (1133) Special:Emailuser : add an option to send yourself a copy of your mail.
 * (461) Allow "Categories:" link at bottom of pages to be customized via pagecategorieslink message.
 * Sort the list of skins in "My Preferences" -> Skins by alphabetical order.
 * (7785) Postgres compatibility for timestamps in RC feeds
 * (7550) Normalize user parameter normally on Special:Log
 * (7294) Fix PATH search for diff3 on install
 * Various fixes related to the blocking change re: autoblocks. On inserting an IP block, the ipb_enable_autoblock field is now automagically blanked, because it doesn't make any sense for an IP. Additionally, IP blocks without the ipb_enable_autoblock option no longer show up as "autoblock disabled" on Special:Ipblocklist.
 * (7774) MATH: aded more amstex functions
 * (1182) MATH: fixed inconsistent rendering of upper case Greek letters in TeX
 * Fix regression in streaming page dump generation
 * (7801) Add support for parser function hooks in parser tests
 * checkUsernames.php now uses wfDebugLog instead of hardcoded path to log
 * (7810) Update talk namespaces for Occitan
 * Allow case-sensitive URLs to be used for uploading from URLs.
 * (1109) Correct fix for compressed 304 responses when additional output buffers have been installed within the compression handler
 * (7819) Move automatic redirect edit summary after pre-save transform to work properly with subst: fun
 * (7826) Fix typos in two English messages.
 * (5365) Stop users being prompted to enter an edit summary for null edits, if they have selected that option in preferences.
 * (5936) Show an 'm' to the left of the edit summary on diff pages for minor edits.
 * (7820) Improve error reporting for uploads via URL.
 * (5149) When autoblocks are enabled, retroactively apply an autoblock to the most recently used IP of a user when they are blocked.
 * Add an index on (rc_user_text,rc_timestamp) on the recentchanges table. This will make CheckUser.php and the new retroactive autoblock functionality faster.
 * Fix regression in Special:Undelete for revisions deleted under MediaWiki 1.4 with compression or legacy encoding
 * (6737) Fixes for MySQL 5 schema in strict mode
 * Approximate height for client-side scaling fallback instead of passing -1 into the HTML output.
 * Make the DNSBL to check for proxy blocking configurable via $wgSorbsUrl
 * Add experimental recording/reporting mode to parser tests runner, to compare changes against the previous run. Additional tables 'testrun' and 'testitem' are in maintenance/testRunner.sql, source this and pass --record option to parserTests.php
 * Make the set of default parser test input files extensible via $wgParserTestFiles. This can now be appended to by extensions or local configuration files so that extension or custom tests can be automatically run along with the main batch.
 * Run PHP install version checks on update.php so command-line updaters see new version requirements
 * Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive as of MW 1.8 than it used to be. Install or upgrade now aborts with a warning and a request to upgrade.
 * (6440) Updated indexes to improve backlinking queries (links, templates, images)
 * Switched 'anon-only' block mode to default for IP blocks
 * (3687, 7892) Add distinct heading for media files in category display, with count.
 * (1578) Add different icons for external links to audio, video, or PDF in Monobook.
 * Made autoblocks block account creation if the user block has that option enabled.
 * Add auto-summaries to blankings and large removals without summaries.
 * (7811) Allow preview of edit summaries.
 * (6839) Wikibits.js minor changes to make JS-lint happier.
 * (7932) Make sure that edit toolbar clears floats so it appears correctly.
 * (6873) When viewing old revisions, add link to diff to current version.
 * (3315) Provide rollback link directly on history page.
 * Replace 'old-revision-navigation' message with 'revision-info' and 'revision-nav' messages, wrapped in divs with appropriate id's.
 * (4178) MediaWiki:Common.js will now be included for all users if $wgUseSiteJs is enabled, in addition to (if applicable) MediaWiki:Monobook.js and user JS subpages.
 * (7918) "Templates used on this page" changes during preview to reflect any added or removed templates, and works as expected for section edits.
 * (7919) "Templates used on this page" is now shown for read-only pages.
 * (7688) When viewing diff, section anchors in autosummary jump to section on current page instead of loading the latest version.
 * (7970) Use current connection explicitly on Database::getServerVersion
 * (2001) Tables with class="sortable" can now be dynamically sorted via JavaScript.
 * Added autosummary for new pages with 500 or less characters, and refactor the autosummary code so it's all done in one function. doEdit is getting too big!
 * (7554) The correct MIME type for SVG images is now displayed on the image page (image/svg+xml, not image/svg).
 * (7883) Added autoblock whitelisting feature, using which specific ranges can be protected from autoblocking. These ranges are specified, in list format, in the autoblock_whitelist system message.
 * Added placeholders for text injection by hooks to EditPage.php
 * (8009) Automatic edit summary for redirects is not filled for edits in existing pages
 * Installer support for experimental MySQL 4.1/5.0 binary-safe schema
 * Use INSERT IGNORE for db-based BagOStuff add/insert, for more memcache-like behavior when keys already exist on add (instead of dying with an error...)
 * Add a hook 'UploadForm:initial' before the upload form is generated, and two member variable for text injection into the form, which can be filled by the hooks.
 * (6925) Add a "revision patching" functionality, where an edit can be undone (with a functionality similar to diff rev1 rev2 | patch -R rev3 -o rev3). This is triggered by including &undo=revid in an edit URL. A link to a URL that will undo a given edit is shown on NEW revision headers on diff pages. The link leads to a "Show Changes" page showing what will be done to undo the edit.
 * Fix display of link in "already rolled back" message for image/category pages
 * (6016) Left-aligned images should stack vertically, like right-aligned images, not horizontally.
 * Patch from LeonWP: added UploadForm:BeforeProcessing hook in SpecialUpload.php
 * Add AuthPluginSetup hook to override $wgAuth after configuration
 * Fix regression in authentication hook auto-creation on login
 * (8110) Allow spaces in ISBNs
 * (8024) Introduce "send me copies of emails I send to others" preference
 * Added 'EditPage::attemptSave' hook before an article is saved.
 * (8083) Applied patch for sk localisation
 * Add a backslash character to the edit token, to prevent edits via certain broken proxies that mangle such characters in form submissions
 * (7461) Allow overwriting pages using importTextFile.php
 * (7946) importTextFile.php doesn't perform pre-save transform
 * (8117) showed weird default if $wgLocalTZoffset set; now uses current time for previews and if timestamp can't be loaded from DB
 * now uses site local timezone instead of user timezone to ensure consistent behavior
 * and friends should now work on non-MySQL backends
 * (7671) Observe canonical media namespace prefix in Linker::formatComment
 * Added js variable wgCurRevisionId to the output
 * (8141) Cleanup of Parser::doTableStuff, patch by AzaTht
 * (8042) Make miser mode caching limits settable via $wgQueryCacheLimit instead of hardcoding to 1000
 * Enable QueryPage classes to override list formatting
 * (5485) Show number of intervening revisions in diff view
 * (8100) Fix XHTML validity in Taiwanese localization
 * Added redirect to section feature. Use it wisely.
 * Added a configuration variable allowing the "break out of framesets" feature to be switched on and off ($wgBreakFrames). Off by default.
 * Allow Xml::check $attribs parameter to override 'value' attribute
 * DB schema change: added two columns (rc_old_len and rc_new_len) to the recentchanges table to store the text lengths before and after the edit
 * (1085) Made Special:Recentchanges show the character difference between the changed revisions
 * Removed a redundant tag from diff pages that was causing display issues for some users
 * (8203) The keyboard shortcut for "log out" was removed, because users were pressing it when they intended to press the shortcut for "preview".
 * (8148) Handle non-removable output buffers gracefully when cleaning buffers for HTTP 304 responses, StreamFile, and Special:Export. Duplicated code merged into wfResetOutputBuffers and wfClearOutputBuffers
 * Special:AllPages : 'next page' link now point to the first title of the next chunk instead of pointing to the last title of current chunk.
 * (4673) Special:AllPages : add a 'previous' link (new message 'prevpage')
 * (8121) wfRandom was not between 0 and 1
 * Add static method Parser::createAssocArgs($args), so parser functions can use the same code to parse arguments as the templates do.
 * Change behavior of logins using the temporary e-mailed password (as stored in user_newpassword hash field). Instead of just logging in silently and leaving the previous user_password field in place indefinitely, the user is now prompted to set a new password. The password-changing form is at Special:Resetpass; currently it's only usable for changing from the temporary password during login, but it could perhaps be generalized, replacing the subform in preferences. Once the new password is set successfully, the temporary password is wiped so it cannot be used to login a second time, and the login process is completed.
 * Suppress 'mail new password' button on login form if $wgAuth forbids changing user passwords; it wouldn't work very well...
 * Consolidate password length checks and $wgAuth manipulation into User::setPassword to avoid duplicate code in different places that set passwords.
 * User::setPassword now throws PasswordError exceptions if the password is illegal or cannot be set via $wgAuth. These can be caught and a human-readable error message displayed by UI code.
 * Added Title::isSubpage
 * (8241) Don't consider user pages of User:Foo.css to be CSS subpages
 * Set an explicit class on framed thumbnail inner divs and images, changed some CSS to use these instead of using descendent selectors.
 * Accept null parameter to User::setPassword as indicating the password field should be cleared to an unusable state. Login will only be possible after the password is reset, for instance by e-mail.
 * (6394) Invalidate the password set for "by e-mail" account creations to avoid accidental empty password creations.
 * Made the show change size function work on page moves, page creations, and log entries. Also fixed it in the javascript recentchanges.
 * (8239) correctly get 50 new contributions when clicking '(50 next)'
 * (2259) Fix old regression where e-mail addresses were no longer confirmed on login with mailed password.
 * Add a notification about the confirmation mail sent during account creation, so people don't immediately go off to request a second one.
 * Add a warning on Special:Confirmemail if a code was already sent and has not yet expired.
 * Add user_editcount field to provide data for heuristics on account use. Incremented on edit, with lazy initialization from past revision data. Can batch-initialize with maintenance/initEditCount.php (not yet friendly to replication environments, this will do all accounts in one query).
 * Allow raw SQL subsections in Database::update SET portion as well as for WHERE portion. Handy for increments and such.
 * User::getOption now accept a default value to override default user values this makes it consistent with WebRequest::get* methods. Corrected code in various places accordingly.
 * (8264) Fix JavaScript global vars for XHTML mode
 * Make $wgSiteNotice value wikitext again, for consistency with editable MediaWiki:Sitenotice and MediaWiki:Anonnotice.
 * (8044) When redirecting from the canonical name of the special page to the localised one, parameters/subpages are omitted
 * (8164) Special:Booksources should use GET for form submission
 * Rewrite Special:Booksources to clean up interface and remove redundant code
 * (7925) Change Special:Allmessages message name filter javascript to be a bit more responsive and easier on the CPU
 * (4488) Support watching pages on deletion; introduces new user preference
 * Minor restructuring of Special:Preferences; "watch pages I edit" and "watch pages I create" options now accessible under "Watchlist" options
 * (8153)  doesn't work in site notice
 * (6690) wfMsgNoTrans transforms messages
 * (8274) Wrap edit tools in a  with a specified class
 * Detect PHP 5.0.x 64-bit bug and abort in WebStart.php; too many things break mysteriously otherwise (detection code copied from install-utils.inc)
 * (8295) Change handling of tags in doBlockLevels to match that of
 * (8110) Make magic ISBN linking stricter: only match ten-digit sequences (plus optional ISBN-13 prefix) with no immediately following alphanumeric character, disallow multiple consecutive internal redirects
 * (2785) Accept optional colon prefix in links when formatting comments
 * Don't show "you can view and copy the source of this page" message for pages which don't exist
 * (8310) Blank line added to top of 'post' when page is blank
 * (8109) Template parameters ignored in "recentchangestext"
 * Gracefully skip redirect-to-fragment on WebKit versions less than 420; it messes up on current versions of Safari but is ok in the latest nightlies. Checking the version number will allow it to automatically work when new releases of Safari appear.
 * Fix regression in thumb styles; size and padding didn't match with new arrangement.
 * (8333) Fix quick user data update on login password change on replication database setups. User data is now pulled from master instead of slave in User::loadFromDatabase, ensuring that it is fresh and accurate when read and then saved back into cache. This was breaking with the Special:Rename operation which automatically logs the user in with the new password after changing it; pulling from slave meant the record was often not the updated one.
 * (8335) Set image width to the first valid parameter found.
 * (8350) Fix watchlist viewing bug when using Postgres.
 * (6603) When warning about invalid file extensions, output the bit of the extension we actually checked
 * (7669) Drop defaults on BLOB/TEXT columns for better compatibility with MySQL's strict mode, often enabled by the Windows installer. The defaults are ignored anyway when strict mode is off...
 * (7685) Use explicit values for ar_text and ar_flags when deleting, for better compatibility with MySQL's strict mode
 * Update default interwiki values to reflect changed location of ursine:
 * (5411) Remove autopatrol preference
 * Users who have the "autopatrol" permission will have their edits marked as patrolled automatically
 * Users who do not have the "autopatrol" permission will no longer be able to mark their own edits as patrolled
 * Introduce 'PingLimiter' hook; see docs/hooks.txt for more information
 * (532) Tweaked alt text for some interface messages
 * (8231) Gave useful alt text to the main &lt;img> on image pages
 * (371) Remove alt text for "Enlarge" icon on thumbnails
 * Initialize user_editcount to 0 instead of NULL for newly created accounts
 * (3696) Strip LRM and RLM characters from titles to work around the problem some people have where titles cut-and-pasted from lists include the bidi override characters appended to the lists. A more thorough blacklist for forbidden and translatable characters would be wise, though, as might a cleaner method for the lists in the first place.
 * Fix regression in email password resets on read-restricted sites
 * Set tabindex on fields in deletion form so you don't have to tab through the links in the sitenotice
 * (8271) Show full time and date on viewer for individual deleted revisions
 * (8214) Output file size limit and actual file size in appropriate units on Special:Upload
 * (8016) Purge objectcache table during upgrade processes - use the --nopurge option to prevent this when running maintenance/update.php
 * (7612) Remove superfluous link to Special:Categories from result items on Special:Mostcategories
 * NaN undefineds now handles formatted numbers correctly
 * (8331) Added the change size value to watchlists; therefore made watchlists use RecentChange::newFromRow instead of newFromCurRow
 * (8351) Fix undo for simple reverts
 * (6856) User::clearNotification does not respect read-only mode
 * (6853) Use a checkbox on the installer form to indicate that a superuser account should be used; this is clearer than the old check which relied on the password never being an obscure value
 * Remove old unused watchlist cache, which was a leftover from the old schema where watchlists were more expensive to generate
 * Minor cosmetic changes to Special:Userrights
 * Added wgCanonicalSpecialPageName to JavaScript variables
 * Fix image deleting when using Postgres.
 * Output both source and destination titles in maintenance/moveBatch.php
 * Added basic parser tests for language variants
 * Enable selflinks and categories to be written in some of the language variants
 * Prevent conversion of JavaScript code in language variants
 * Output software version number in maintenance/parserTests.php
 * (7169) Use Ajax to watch/unwatch articles if enabled
 * Make variant table caching a little more robust, using main language code in cache key. Probably this is still a bit wonky, though. Was breaking parser tests when Chinese tables were getting loaded into Serbian code.
 * (8380) Be nicer about blank lines in deleteBatch.php
 * (8401) Fix regression in SORBS lookup for some DNS setups
 * Use raw file descriptor in posix_isatty check to avoid warning on Linux systems with at least some versions of PHP
 * (5908) Allow overriding the default category sort key for all items on a page using
 * (6449) Throw a more definitive error message when installation fails due to an invalid database name
 * (5827) Use full text for option link labels on Special:Watchlist
 * (8018) Allow hiding minor edits from the watchlist
 * (8427) MonoBook RTL IE 7.0 tweaks failed when sidebar's navigation section is renamed; no longer relies on first section name
 * Stabilize client-side table sorting even if the underlying Javascript sort implementation is unstable
 * Add hook for extensions to add user information to the panel in preferences, next to the user name and ID.
 * (8392) Display protection status of transcluded pages in the edit page template list. Patch by Fyren, with i18n naming tweak.
 * Fix for interwiki transclusion where target wiki uses query string for title
 * Resolve namespaces on interwiki Title objects using canonical namespace names if possible (should not happen, though, outside interwiki transclusion... and maybe not even then, but it does)
 * (8447) Fix SQL typo breaking non-default $wgHitcounterUpdateFreq
 * Do not allow previews of deleted images to be cached
 * Add global variable $wgDefaultLanguageVariant used to set the default language variant of a wiki to something different than the main language code
 * Add 'variant' option to parserTests - runs test with the given variant as preferred, utilize it for more parser tests of language variants code
 * (6503) Fix bug that stopped certain irrelevant links from being hidden for printing
 * Avoid PHP warning in Creative Commons metadata when a creative commons license is not actually set up
 * (8463) Don't print external link icons for Monobook
 * (8461) Support watching pages on move
 * (8041) Work around bug with debug_backtrace when Zend Optimizer is loaded by skipping the function. Use wfDebugBacktrace wrapper function.
 * Reduce config file clutter by setting various script and upload paths based on $IP or $wgScriptPath in Setup.php. They can still be explicitly overridden in LocalSettings.php if desired...
 * Attempt to detect redirect loops for the canonical title redirect, and give some hints to the poor confused administrator.
 * Introduce new flag 'R' - raw output for language variant escape tags
 * Advise users when updates for a query page have been disabled using $wgDisableQueryPageUpdate
 * (8413) Improve comments for $wgNamespaceRobotPolicies
 * (8330) Show "bytes" suffix on recent changes diff counter optionally... if set in rc-changes-size message (default empty for now)
 * (8489) Support basic links in caption attribute
 * (8485) Correct Lingala number formatting
 * The MediaWiki namespace is no longer pre-filled with default messages on install. All default messages will be removed from the MediaWiki namespace on upgrade.
 * Recentchanges RSS/Atom feeds now use a separate message for the description to avoid cluttering it with useless wiki formatting
 * (8417) Handle EXIF unknown dates
 * (8372) Return nothing on empty tags.
 * New maintenance script to show the cached statistics : showStats.php.
 * Count deleted edits when regenerating total edits in maintenance/initStats.php
 * (3706) Allow users to be exempted from IP blocks. The ipblock-exempt permission key has been added to enable this behaviour, by default assigned to sysops.
 * (7948) importDump.php now warn that Recentchanges need to be rebuild.
 * (7667) allow XHTML namespaces customization
 * (8531) Correct local name of Lingála (patch by Raymond)
 * Fix regression with default lock file and cache directories; threw visible warning with open_basedir

Languages updated

 * Basque (eu)
 * Bishnupriya Manipuri (bpy)
 * Cantonese (zh-yue)
 * Finnish (fi)
 * Frisian (fy)
 * German (de)
 * Hebrew (he)
 * Indonesian (id)
 * Italian (it)
 * Japanese (ja)
 * Kazakh (kk)
 * Kongo (kg)
 * Latin (la)
 * Limburgish (li)
 * Lingala (ln)
 * Lithuanian (lt)
 * Maltese (mt)
 * Maori (mi)
 * Norwegian (no)
 * Occitan (oc)
 * Old Church Slavonic (cu)
 * Polish (pl)
 * Portuguese (pt)
 * Ripurian (ksh)
 * Russian (ru)
 * Slovak (sk)
 * Swedish (sv)
 * Taiwanese/Holo: (bug 8217) changed language code to nan (from zh-min-nan) due to http://www.sil.org/iso639-3/codes.asp?order=639_3&letter=n
 * Upper Sorbian (hsb)
 * Vietnamese (vi)

Compatibility
MediaWiki 1.9 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.

PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing: http://bugs.php.net/bug.php?id=34879 Upgrade affected systems to PHP 5.1 or higher.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

Upgrading
Some minor database changes have been made since 1.7:
 * new fields and indexes on ipblocks
 * index change on recentchanges

Several changes from 1.5 and 1.6 do require updates to be run on upgrade. To ensure that these tables are filled with data, run refreshLinks.php after the upgrade.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

Caveats
Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.)

For notes on 1.8.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is currently being built up on Meta-Wikipedia, and is covered under the GNU Free Documentation License:

Documentation

Mailing list
A MediaWiki-l mailing list has been set up distinct from the Wikipedia wikitech-l list: mediawiki-l A low-traffic announcements-only list is also available: mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in the IRC channel.