Release notes/1.8

MediaWiki 1.8.5
September 10, 2007

This is a security fix update to the Fall 2006 quarterly release snapshot. A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed.

The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php:


 * $wgEnableAPI = false;

(This is the default setting in 1.8.x.)

Not vulnerable versions:
 * 1.11 >= 1.11.0
 * 1.10 >= 1.10.2
 * 1.9 >= 1.9.4
 * 1.8 >= 1.8.5

Vulnerable versions:
 * 1.11 <= 1.11.0rc1
 * 1.10 <= 1.10.1
 * 1.9 <= 1.9.3
 * 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the faulty function, however the BotQuery extension is similarly vulnerable unless updated to the latest SVN version.

MediaWiki 1.8.4
February 20, 2007

This is a security and bug-fix update to the Fall 2006 quarterly release.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 charset autodetection was located in the AJAX support module, affecting MSIE users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:
 * 1.9: fixed in 1.9.3
 * 1.8: fixed in 1.8.4
 * 1.7: fixed in 1.7.3
 * 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with $wgUseAjax off.


 * (bug 8819) Fix full path disclosure with skins dependencies
 * Add 'charset' to Content-Type headers on various HTTP error responses to forestall additional UTF-7-autodetect XSS issues. PHP sends only 'text/html' by default when the script didn't specify more details, which some inconsiderate browsers consider a license to autodetect the deadly, hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message on MSIE when $wgUseAjax is enabled (not default configuration); this UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA from BugSec: http://www.bugsec.com/articles.php?Security=24
 * Trackback responses now specify XML content type

MediaWiki 1.8.3
January 9, 2007

MediaWiki 1.8.3 fixes several issues in the Fall 2006 snapshot release:


 * (7831) Regression in AutoAuthenticate hook
 * Run PHP install version checks on update.php so command-line updaters see new version requirements
 * Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive as of MW 1.8 than it used to be. Install or upgrade now aborts with a warning and a request to upgrade.
 * XSS fix in AJAX module

An XSS injection vulnerability was located in the AJAX support module, affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional AJAX module, either disable it or upgrade to a version containing the fix:

MediaWiki 1.8.2
October 13, 2006

MediaWiki 1.8.2 fixes several issues in the Fall 2006 snapshot release3e3e34r4433333333e:


 * (7565) Fixed typos in German localisation
 * (7562) Fix non-ASCII namespaces on Windows/XAMPP servers

MediaWiki 1.8.1
October 11, 2006

MediaWiki 1.8.1 fixes several issues in the Fall 2006 snapshot release:


 * Fix PHP notice and estimates for dumpBackup.php and friends
 * Improved register_globals paranoia checks
 * (7545) Fix PHP version check on install
 * Experimental web API disabled by default
 * Disable PHP exception backtrace printing unless $wgShowExceptionDetails is set. Backtraces may contain sensitive information in function call parameters.

MediaWiki 1.8.0
October 10, 2006

This is the quarterly release snapshot for Fall 2006. While the code has been running on Wikipedia for some time, installation and upgrade bits may be less well tested. Bug fix releases may follow in the coming days or weeks.

MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature development happen will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it from source control: Download from SVN

Configuration changes

 * $wgUseETag, to enable/disable sending of HTTP ETag headers (default: disabled)
 * $wgLegalTitleChars now includes '+' by default for better compatibility with importing data dumps from Wikipedia
 * $wgDefaultUserOptions now includes all default option settings instead of only overrides.

Major new features

 * (7098) Add an option to disable/enable sending of HTTP ETag headers, as it seems to result in broken behaviour in combination with Squid 2.6 (disabled by default).
 * (550) Allow blocks on anonymous users only.
 * (6420) Render thumbnails for DJVU images, support multipage DJVU display on image pages. Added new 'page=' thumbnail option to select a page from a multipage djvu for thumbnail generation.
 * Full Postgres support is now enabled. It requires version 8.1 or better, and needs to have both plpgsql and tsearch2 already installed.
 * (6386) fix grammatical errors in danish naming of talk namespaces.

Changes since 1.7
Set to 0 (disabled) by default.
 * Introduced AjaxResponse object, superceding AjaxCachePolicy
 * Changes to sajax_do_call: optionally accept an element to fill instead of a callback function; take the target function or element as a third parameter; pass the full XMLHttpRequest object to the handler function, instead of just the resultText value; use HTTP response codes to report errors.
 * (6562) Removed unmaintained ParserXml.php for now
 * History paging overlap bug fixed
 * (6586) Regression in "unblocked" subtitle
 * Don't put empty-page message into view-source when page text is blank
 * (6587) Remove redundant "allnonarticles" message
 * Block improvements: Allow blocks on anonymous users only. Optionally allow or disallow account creation from blocked IP addresses. Prevent duplicate blocks. Fixed the problem of expiry and unblocking erroneously affecting multiple blocks. Fixed confusing lack of error message when a blocked user attempts to create an account. Fixed inefficiency of Special:Ipblocklist in the presence of large numbers of blocks; added indexes and implemented an indexed pager.
 * (6448) Allow filtering of Special:Newpages according to username
 * (6618) Improve permissions/error detection in Special:Lockdb
 * Quick hack for extension testing: parser test doesn't create new message cache object.
 * (6299) Maintain parser's revision ID across recursive calls to fix when Cite extension is used
 * (6622) Removed deprecated function Image::newFromTitle
 * (6627) Fix regression in Special:Ipblocklist with table prefix
 * Removed forced dereferencements (new returns a reference in PHP5)
 * Note about $wgUploadSizeWarning using byte
 * (6592) Add most viewed pages summary to Special:Statistics
 * Pre-strip characters ignored in IDNs from URLs so they can't be used to break the blacklists for regular URLs
 * Fix regression in blocking of user accounts
 * (6635) Fix regression searching for range blocks on Ipblocklist
 * Fix regression searching Ipblocklist with ugly URLs
 * (6639) Use a consistent default for upload directories
 * Preserve entered reason when reporting unconfirmed lock on Special:Lockdb
 * (6642) Don't offer to unlock the database when it isn't locked
 * cleanupTitles.php changed from --dry-run option to --fix, so default behavior is now a non-invasive check as with namespaceDupes.php
 * (6660) Fix behaviour of EditPage::blockedPage when the article does not exist; now doesn't show the source box if the user hasn't provided it (blocked mid-edit) and the page doesn't exist
 * Improve default value of "blockedtext"
 * (6680) Added localisation for Dutch bookstore list (nl)
 * Renamed maintainace script redundanttrans.php to unusedMessages.php - clearer usage
 * Fix regression which allowed some blocked users to create additional accounts
 * (6657) Fix Hungarian linktrail
 * (6751) Fix preview of blanked section with edit on first preview option
 * (5456) Separate MediaWiki:Search into messages for both noun and verb, introduced 'MediaWiki:Searchbutton'
 * Made lines from initialiseMessages appear as list items during installation
 * Moved the bulk of the localisation data from the Language*.php files to the Messages*.php files. Deleted most of the Languages*.php files.
 * Introduced "stub global" framework to provide deferred initialisation of core modules.
 * Removed placeholder values for $wgTitle and $wgArticle, these variables will now be null during the initialisation process, until they are set by index.php or another entry point.
 * Added DBA cache type, for BDB-style caches.
 * Removed custom date format functions, replacing them with a format string in the style of PHP's date. Used string identifiers instead of integer identifiers, in both the language files and user preferences. Migration should be transparent in most cases.
 * Simplified the initialisation API for LoadBalancer objects.
 * Removed the broken altencoding feature.
 * Moved default user options and toggles from Language to User. Language objects are still able to define default preference overrides and extra user toggles, via a slightly different interface.
 * Don't include the date option in the parser cache rendering hash unless $wgUseDynamicDates is enabled.
 * Merged LanguageUtf8 with Language. Removed LanguageUtf8.php.
 * Removed inclusion of language files from the bottom of Language.php. This is now consistently done from Language::factory.
 * Add the name of the executing maintenance script to the debug log. Start the profiler during maintenance scripts.
 * Added "serialized" directory, for storing precompiled data in serialized form.
 * Fix regression in auto-set NS_PROJECT_TALK namespace
 * Fix regression in ordering of namespaces
 * (6806, 6030) Added several global JS variables for article path, user name, page title, etc.
 * hooks registered with addOnloadHook are now called at the one of the html body by all skins.
 * Split ajax aided search from core ajax framework. Use wgUseAjax to enable the framework and wgAjaxSearch to enable the suggest feature for the search box.
 * Added experimental installer for extensions. See maintenance/installExtension.php
 * Added Tajic (tg) language file.
 * (6903) Added Cantonese localisation (zh-yue)
 * Fix regression in Korean and Japanese date formatting (day of week)
 * (6919) Add English alias magic words for Tatar (tt) language file.
 * (6753) Fixed broken Kazakh linktrail (kk)
 * (6700) Added Kazakh language variants to Names.php
 * (6827) some i18n specific maintenance scripts fails after merge of localisation-work branch
 * Throwed an exception for the deprecated functions OutputPage::sysopRequired and OutputPage::developerRequired - use OutputPage::permissionRequired instead.
 * Removed the deprecated functions User::isSysop, User::isBureaucrat and User::isDeveloper - use User::isAllowed instead.
 * (769) OutputPage::permissionRequired should suggest groups with the needed permission
 * (6971) Fix regression in Special:Export history view
 * Revamped Special:Imagelist
 * (7000) updated MessagesPl.php
 * (6946) Fix unexpected behavior change with GET hits to Special:Export
 * (1866) Improve navigation on Special:Listusers; user now a starting point as with Special:Allpages, rather than a pure limit.
 * Clean up tab order on Special:Blockip
 * (5969) Clean up tab order on Special:Userlogin forms
 * (3512) namespaceDupes now handles spaces and initial caps properly
 * (7037) Fix regression in login tab order
 * (7031) Report missing email on 'email password' instead of false success
 * (7010) Don't send email notifications for watched talk pages when user has selected to receive only updates for their own talk page
 * Added
 * Added Image:Foo.png style links to the pagelinks table
 * Avoid duplicate revision imports with Special:Import
 * (7054) Validate email address before sending email confirmation message
 * (7061) Format title on "from (page)" links on Special:Allpages
 * (7044) Introduce "padleft" and "padright" colon functions
 * Pass page title as parameters to "linkshere" and "nolinkshere" and update default message text
 * Allows to upload from publicy accessible URL. Set $wgAllowCopyUploads = true ; in LocalSettings.php Limited to $wgMaxUploadSize (default:100MB); URL upload is limited to sysops by default, and displayed as a second line if appropriate
 * (832) Return to user page after emailing a user
 * (366) Add local-system-timezone equivalents for date/time variables
 * (7109) Fix Atom feed version number in header links
 * (7075) List registered parser function hooks on Special:Version
 * (7059) Introduce "anchorencode" colon function
 * Include SVN revision number in output, where applicable
 * Fix bug in wfRunHooks which caused corruption of objects in the hook list
 * (4979) Use simplified email addresses when running on Windows
 * (4434) Show block log fragment on Special:Blockip
 * MediaWiki:Disambiguationspage may optionally contain wiki links to any number of disambiguation templates.
 * Special:Disambiguations now shows pages in NS:0 that link to any pages that embed any of the templates listed at MediaWiki:Disambiguationspage.
 * Fix formatting of titles on Special:Undelete
 * (7026) Fix action=raw&templates=expand
 * (6976) Add namespace and direction classes to classic skins
 * (7144) Don't "return to main" from OutputPage::loginToUse if the user can't read the main page in the first place
 * (7188) Fix minor borkage in HTMLForm
 * (6675) Replaced message 'watchthis' with new message 'watchthisupload in Special:Upload
 * Add a quickie script dumpSisterSites.php for generating a page list in the format for WSR-1 SisterSites support
 * (7223) Monobook.js is used for site content, should not be localized
 * Set default disabled values for DjVu render options
 * Added Xml::option for generating s easily
 * Localized page numbers in drop-down for DjVu page selection
 * Fixed linktrail for vi
 * (6893) "Call to a member function exists on a non-object" on trackback.php with bad input
 * (6886) PHP undefined offset on bad input to Special:Revisiondelete
 * (6887) PHP error for call to getId on bad input to Special:Revisiondelete
 * (6888) PHP error for call to getTimestamp on bad input to Special:Revisiondelete
 * (7252) Use dvipng support in texvc math rastrization. dvipng is required if texvc is rebuilt.
 * (7279) Use wfBaseName in place of basename in more places
 * Clear newtalk marker on diff links with explicit current revision number
 * (7064) Replace hard-coded empty message checks with wfEmptyMsg calls
 * (6777) Remove some PHP 4 compat cruft
 * Add --user, --comment, and --license options to importImages.php
 * (6216) The immobile namespace message does not mention the source page
 * (7299) Normalize username filter on Special:Newpages
 * (7306) RTL text in an LTR wiki breaks appearance of Special:Recentchanges
 * (7312) Don't emit SET NAMES utf8 if connection failed
 * (7305) Proper compare for bot check on RC notify, should fix overrides that force edits by non-bot users to bot mode
 * Set Vary: Cookie on action=raw generated CSS and JS, to ensure that user preferences don't get stuck in proxy caches for other people
 * (7324) Fix error message for failure of Database::sourceFile
 * (7309) Plurals: use singular form for zero in French and Brazilian Portuguese
 * Add page_no_title_convert field to support language variant conversion for page titles which shouldn't be converted on display/linking
 * Lazy extraction of text chunks in Revision objects, may reduce hits to external storage when actual text content is not used
 * Added experimental $wgRevisionCacheExpiry to cache extracted revision text in $wgMemc, to further reduce hits to external storage.
 * Minor changes to the installer.
 * Remove ":" for 'youremail' and 'yourrealname' in includes/templates/Userlogin.php so that ":" could be used in i18n for Special:Preferences (like 'username' and 'uid').
 * Fix layout for Special:Preferences->Date and Time (position for 'timezonetext').
 * Updates to language variant code for Serbian et al
 * (6756) Enabling RTL direction for kk-cn
 * (6701) Kazakh language variants in MessagesEn.php
 * (7335) SVN revision check in Special:Version fails on SVN 1.4 working copy
 * (6518) Replaced 'lastmodified' with 'lastmodifiedat' and 'lastmodifiedby' with 'lastmodifiedatby' with seperated parameters for date and time to allow better localisation. Updated all message files to display the old format for compatibility.
 * (7357) Make supposedly static methods of Skin actually static
 * Added info text to Special:Deadendpages and Special:Lonelypages
 * Fix regression in cachability of generated CSS and JS for MonoBook skin, while avoiding clobbering of different users' cached data
 * (6849) Block @ from usernames; interferes with multi-database tools and was meant to be banned years ago... For now existing accounts will not be prevented fromm login.
 * (6092) Introduce magic words, , , and  
 * (7425) Preceeding whitespace in ... breaks subpages
 * Try to reconnect after transitory database errors in dumpTextPass.php
 * (6023) Fixed mismatch of 0/NULL for wl_notificationtimestamp; now notification mails are working after 'Mark all pages visited' button on Special:Watchlist is clicked
 * Made a core parser function instead of a special case. The syntax and behaviour is largely unchanged.
 * (7448) Fixing the native name for Ewe (ee)
 * (6864) Replace message 'editing' with new message 'editinguser' in Special:Userrights to allow better localisation
 * Add '*-summary' for special pages to MessagesEn.php to allow customizing/translation directly through Special:Allmessages
 * (6130, 5818) Replaced message 'go' with the new message 'searcharticle' in skins to allow better localisation
 * Add + to $wgLegalTitleChars by default. Some sites may have occasional problems with hard-to-reach pages, but it should be less trouble than "I can't import dumps from Wikipedia" complaints
 * (7460) Revert broken patch for bug 7226 which slows down Special:Allmessages by a factor of 16
 * Committed a bunch of live hacks from Wikimedia servers
 * (6889) PHP notices in thumb.php with missing params
 * Cleaner error behavior on thumb.php with invalid page selection
 * (6617) Validate timestamps on Special:Undelete
 * Do fewer unnecessary full writes of user rows; only update user_touched for watch/unwatch, group membership change, and login operations
 * Restructured the languages directory, to avoid problems when people untar MW 1.8 over the top of a 1.7 installation.
 * (6890) SQL query error on bad input to Pager lists due to negative LIMIT clause, caused by integer wraparound.
 * Fixed various bugs related to table prefixes, especially the interaction between table prefixes and memcached, which was formerly completely broken.
 * (7004) PHP iconv notice on bad password input to Special:Userlogin.
 * (6826) Extend pre-save transform context link ("pipe trick") syntax to pages with commas in title
 * Use ImageMagick -thumbnail option instead of -resize to avoid including excessive metadata in thumbs (requires ImageMagick 6.0.0 or newer).
 * (7499) Corrections to Swedish talk namespace names
 * (7508) Added option to compress HTML pages by dumpHTML.php
 * (7519) Add plural in SpecialWatchlist
 * (7459) Magic word variables are always case sensitive
 * Replaced with  in localisation files
 * Fix regression in Special:Watchlist text header
 * (7510) Update article counts etc on undelete
 * (7520) Update article counts on XML import
 * (7526) Make $wgDefaultUserOptions work again
 * (7472) Localize Help namespace for Basque
 * (7529) Including a non-existent category in an article places that article in the category
 * (4528) Lack of important LaTeX functions stackrel, rightleftharpoon
 * (6721) missing symbols ulcorner, urcorner, llcorner, lrcorner, twoheadrightarrow, twoheadleftarrow
 * (7367) Hyphens sometimes erroneously appended to equations when not converted to PNG
 * Add "title" to the opensearch link to allow automatic adding of the search engine in Firefox 2
 * (7537) Add php5 to $wgFileBlacklist
 * (6929) Restore AutoAuthenticate hook

Languages updated

 * Albanian (sq)
 * Bashkir (ba)
 * Bavarian (bar) stub file
 * Belarusian (be)
 * Bishnupriya (bpy) stub file
 * Brazilian Portuguese (pt-br)
 * Cantonese (zh-yue)
 * Catalan (ca)
 * Czech (cs)
 * Dutch (nl)
 * English (en)
 * Finnish (fi)
 * French (fr)
 * Georgian (ka)
 * German (de)
 * Hebrew (he)
 * Hungarian (hu)
 * Indonesian (id)
 * Japanese (ja)
 * Korean (ko)
 * Latin (la)
 * Lojban (jbo)
 * Macedonian (mk)
 * Mazandarani (mzn)
 * Polish (pl)
 * Portuguese (pt)
 * Ripuarian (ksh)
 * Romani (rmy)
 * Russian (ru)
 * Slovak (sk)
 * Spanish (es)
 * Tajic (tg)
 * Tatar (tt)
 * Telugu (te)
 * Uzbek (uz)
 * Yiddish (yi)

Compatibility
MediaWiki 1.8 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

Upgrading
Some minor database changes have been made since 1.7:
 * new fields and indexes on ipblocks
 * index change on recentchanges

Several changes from 1.5 and 1.6 do require updates to be run on upgrade. To ensure that these tables are filled with data, run refreshLinks.php after the upgrade.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

Caveats
Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.)

For notes on 1.5.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is currently being built up on Meta-Wikipedia, and is covered under the GNU Free Documentation License: Documentation

Mailing list
A MediaWiki-l mailing list has been set up distinct from the Wikipedia wikitech-l list: mediawiki-l

A low-traffic announcements-only list is also available:

mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc://irc.freenode.net