Release notes/1.30

MediaWiki 1.30.2
This is a security and maintenance release of the MediaWiki 1.30 branch.

Changes since MediaWiki 1.30.1

 * (T204729) WatchedItemStore::countVisitingWatchersMultiple shouldn't query all titles when asked for none.
 * (T109121) Remove deprecated  from composer suggested libraries.
 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
 * (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
 * (T207603) SECURITY: User JS may no longer be loaded with mime type  if there is no account associated with the username.
 * (T113042) SECURITY: Do not allow loading pages raw with a  MIME type if non-admins can edit the page.
 * (T207541) Pass email address to.
 * Fix addition of  column to   table on MSSQL.
 * (T204531) rdbms: reduce LoadBalancer replication log spam.
 * (T213489) Avoid session double-start in.
 * (T195525) Fix db error outage page.
 * (T208871) The hard-coded Google search form on the database error page was removed.
 * (T216968) Return  as   in both   and.
 * (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when  is true.
 * (T25227) SECURITY: action=logout now requires to be posted and have a csrf token.
 * (T222385) resourceloader: Use AND instead of OR for upsert conds in.
 * (T224374) Fix message parameters so that the message that says SQLite is out of date makes sense.
 * will now preserve POST data when re-authenticating.
 * will now call  if   returns non-false.
 * (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
 * (T208881) SECURITY: blacklist CSS.
 * (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
 * (T199540) SECURITY: API: Respect  in action=block.
 * (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
 * (T222036, T222038) SECURITY: Add permission check for user is permitted to view the log type.
 * (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.

MediaWiki 1.30.1
This is a security and maintenance release of the MediaWiki 1.30 branch.

Changes since MediaWiki 1.30.0

 * (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.
 * (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.
 * (T87572) Make FormatMetadata::flattenArrayReal work for an associative array.
 * Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
 * (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
 * (T190503) Let built-in web server (maintenance/dev) handle .php requests.
 * (T167507) selenium: Run Chrome headlessly.
 * selenium: Pass -no-sandbox to Chrome under Docker.
 * (T179190) selenium: Move logic for running tests from package.json to selenium.sh
 * (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds.
 * Add default edit rate limit of 90 edits/minute for all users.
 * (T186565) Fix PHP Notice from `ob_end_flush` in `FileRepo::streamFile`.
 * oojs/oojs-ui updated to remove an unnecessary dependancy.
 * (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
 * (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
 * (T196672) The mtime of extension.json files is now able to be zero
 * (T180403) Validate $length in padleft/padright parser functions.
 * (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
 * (T193995) Fix undefined patchPath method call in parser tests.
 * Special:BotPasswords now requires reauthentication.
 * (T191608, T187638) Add 'logid' parameter to Special:Log.
 * (T193829) Indicate when a Bot Password needs reset.
 * (T151415) Log email changes.
 * (T200861) Fix total breakage of SQLite web upgrade.
 * (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
 * (T190539) Explicitly require Postgres 9.1.
 * (T118420) Unbreak Oracle installer.

Changes since MediaWiki 1.30.0-rc.0

 * Upgraded Moment.js from v2.15.0 to v2.19.3.
 * Add ip_changes to postgres/tables.sql.
 * Skip null shell parameters.
 * Add wfWaitForSlaves to maintenance/migrateComments.php.
 * (T182245) Fix join conditions in ImageListPager.
 * (T178626) Revert #contentSub and #jump-to-nav margin changes.

MySQL version requirement in 1.30
As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility section).

Configuration changes in 1.30

 * The "C.UTF-8" locale should be used for, if available, to avoid unexpected behavior when code uses locale-sensitive string comparisons. For example, the Scribunto extension considers "bar" < "Foo" in most locales since it ignores case.
 * now affects LC_ALL rather than only LC_CTYPE. See documentation of for details.
 * is now applied for all requests. wfInitShellLocale is deprecated and a no-op, as it is no longer needed.
 * may now specify callback functions as an alternative to plain class names. This is intended for extensions that want control over the instantiation of their jobs, to allow for proper dependency injection.
 * may now specify callback functions as an alternative to plain class names, using the 'factory' key in the module description array. This allows dependency injection to be used for ResourceLoader modules.
 * has been removed.
 * (T163562) was introduced to control the size of IP ranges that can be queried at Special:Contributions.
 * (T45547) added (off by default).
 * (T152540) MediaWiki now supports a section ID escaping style that allows to display non-Latin characters verbatim on many modern browsers. This is controlled by the new configuration setting,.
 * is now deprecated and will be removed in a future version, use to migrate off it to a modern alternative.
 * was introduced to control how fragments in sinterwikis going outside of current wiki farm are encoded.
 * (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly requested through the configuration parameter . However some maintenance scripts (bitnami?) still may rely on "mysql".
 * was removed, as it is now the default. This was documented as a temporary variable during the migration period.

New features in 1.30.0

 * (T37247) Output from Parser::parse will now be wrapped in a div with class="mw-parser-output" by default. This may be changed or disabled using ParserOptions::setWrapOutputClass.
 * (T163562) Added ability to search for contributions within an IP ranges at Special:Contributions.
 * Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software- specific tags to be added by users.
 * Added a 'ParserOptionsRegister' hook to allow extensions to register additional parser options.
 * (T45547) Included Pig Latin, a language game in English, as a LanguageConverter variant. This allows English-speaking developers to develop and test LanguageConverter more easily.  Pig Latin can be enabled by setting  to true.
 * Added RecentChangesPurgeRows hook to allow extensions to purge data that depends on the recentchanges table.
 * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
 * (T2424) Added direct unwatch links to entries in Special:Watchlist (if the 'watchlistunwatchlinks' preference option is enabled). With JavaScript enabled, these links toggle so the user can also re-watch pages that have just been unwatched.
 * Added, where mock media handlers can be passed to MediaHandlerFactory for parser tests.
 * Edit summaries, block reasons, and other "comments" are now stored in a separate database table. Use the CommentFormatter class to access them.
 * This is currently gated by . Most wikis can set this to MIGRATION_NEW and run maintenance/migrateComments.php as soon as any necessary extensions are updated.
 * (T138166) Added ability for users to prohibit other users from sending them emails with Special:Emailuser. Can be enabled by setting to true.
 * (T67297) is deprecated, and changing it will have no effect. Instead, users using browsers that do not support Unicode will be unable to edit and should upgrade to a modern browser instead.

Upgraded external libraries

 * Updated justinrainbow/json-schema from v3.0 to v5.2.
 * Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
 * Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
 * Updated wikimedia/relpath from v1.0.3 to v2.0.0.
 * Updated OOjs from v2.0.0 to v2.1.0.
 * Updated OOUI from v0.21.1 to v0.23.0.
 * Updated QUnit from v1.23.1 to v2.4.0.
 * Updated phpunit/phpunit from v4.8.35 to v4.8.36.
 * Upgraded Moment.js from v2.15.0 to v2.19.3.

New external libraries

 * The class \TestingAccessWrapper has been moved to the external library wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
 * Purtle, a fast, lightweight RDF generator.

Bug fixes in 1.30

 * (T151633) Ordered list items use now Devanagari digits in Nepalese (thanks to Sfic)

Action API changes in 1.30

 * (T37247) action=parse output will be wrapped in a div with class="mw-parser-output" by default. This may be changed or disabled using the new 'wrapoutputclass' parameter.
 * When errorformat is not 'bc', abort reasons from action=login will be formatted as specified by the error formatter parameters.
 * action=compare can now handle arbitrary text, deleted revisions, and returning users and edit comments.
 * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto', 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree' parameters to prop=revisions are deprecated, as are the similarly named parameters to prop=deletedrevisions, list=allrevisions, and list=alldeletedrevisions. Use action=compare, action=parse, or action=expandtemplates instead.

Action API internal changes in 1.30

 * ApiBase::getDescriptionMessage and the "apihelp-*-description" messages are deprecated. The existing message should be split between "apihelp-*-summary" and "apihelp-*-extended-description".
 * (T123931) Individual values of multi-valued parameters can now be marked as deprecated.

Languages updated in 1.30
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.


 * Added: kbp (Kabɩyɛ / Kabiyè)
 * Added: skr (Saraiki, سرائیکی)
 * Added: tay (Tayal / Atayal)
 * Removed: tokipona (Toki Pona)

Pig Latin added

 * (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin), for easier variant development and testing. Disabled by default. It can be enabled by setting to true.

Other changes in 1.30

 * The use of an associative array for, where the IP address is in the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]). Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
 * mw.user.bucket (deprecated in 1.23) was removed.
 * LoadBalancer::getServerInfo and LoadBalancer::setServerInfo are deprecated. There are no known callers.
 * File::getStreamHeaders was deprecated.
 * MediaHandler::getStreamHeaders was deprecated.
 * Title::canTalk was deprecated. The new Title::canHaveTalkPage should be used instead.
 * MWNamespace::canTalk was deprecated. The new MWNamespace::hasTalkNamespace should be used instead.
 * The ExtractThumbParameters hook (deprecated in 1.21) was removed.
 * The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both deprecated in 1.24) were removed.
 * wfMemcKey and wfGlobalCacheKey were deprecated. BagOStuff::makeKey and BagOStuff::makeGlobalKey should be used instead.
 * (T146304) Preprocessor handling of LanguageConverter markup has been improved. As a result of the new uniform handling, '-{' may need to be escaped (for example, as '-&lt;nowiki/>{') where it occurs inside template arguments or wikilinks.
 * (T163966) Page moves are now counted as edits for the purposes of autopromotion, i.e., they increment the user_editcount field in the database.
 * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for manipulating Special:Log and Special:NewPages lines.
 * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData, PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding hooks have an additional parameter, for manipulating HTML data attributes of RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the $data['attribs'] subarray.
 * (T130632) The OutputPage::enableTOC method was removed.
 * WikiPage::getParserOutput will now throw an exception if passed ParserOptions that would pollute the parser cache. Callers should use WikiPage::makeParserOptions to create the ParserOptions object and only change options that affect the parser cache key.
 * Article::viewRedirect is deprecated.
 * IP::isValidBlock was deprecated. Use the equivalent IP::isValidRange.
 * DeprecatedGlobal no longer supports passing in a direct value, it requires a callable factory function or a class name.
 * The $parserMemc global, wfGetParserCacheStorage, and ParserCache::singleton are all deprecated. The main ParserCache instance should be obtained from MediaWikiServices instead. Access to the underlying BagOStuff is possible through the new ParserCache::getCacheStorage method.
 * .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
 * Sanitizer::escapeId was deprecated, use escapeIdForAttribute, escapeIdForLink or escapeIdForExternalInterwiki instead.
 * Title::escapeFragmentForURL was deprecated, use one of the aforementioned Sanitizer functions or, if possible, Title::getFragmentForURL.
 * Second parameter to Sanitizer::escapeIdReferenceList ($options) now does nothing and is deprecated.
 * mw.util.escapeId was deprecated, use escapeIdForAttribute or escapeIdForLink.
 * MagicWord::replaceMultiple (deprecated in 1.25) was removed.
 * WikiImporter now requires the second parameter to be an instance of the Config, class. Prior to that, the Config parameter was optional (a behavior deprecated in 1.25).
 * Removed 'jquery.mwExtension' module. (deprecated since 1.26)
 * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette any more.
 * CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed. The namespaced classes in the Cdb namespace should be used instead.
 * IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet should be used instead.
 * RunningStat class (deprecated in 1.27) was removed. The namespaced RunningStat\RunningStat should be used instead.
 * MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed. The MemcachedClient class should be used instead.
 * EditPage underwent some refactoring and deprecations:
 * EditPage::isOouiEnabled is deprecated and will always return true.
 * EditPage::getSummaryInput and ::getSummaryInputOOUI are deprecated. Please use ::getSummaryInputWidget instead.
 * EditPage::getCheckboxes and ::getCheckboxesOOUI are deprecated. Please use ::getCheckboxesWidget instead.
 * Creating an EditPage instance without calling EditPage::setContextTitle should be avoided and will be deprecated in a future release.
 * EditPage::safeUnicodeInput and ::safeUnicodeOutput are deprecated and no-ops.
 * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The corresponding methods from Title should be used instead.
 * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
 * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters ::getArticle and ::getTitle should be used instead.
 * Trying to control or fake EditPage context by overriding, , , and is no longer supported and won't work. The IContextSource returned from EditPage::getContext must be modified instead.
 * Parser::getRandomString (deprecated in 1.26) was removed.
 * Parser::uniqPrefix (deprecated in 1.26) was removed.
 * Parser::extractTagsAndParams now only accepts three arguments. The fourth, $uniq_prefix was deprecated in 1.26 and has now been removed.
 * (T172514) The following tables have had their UNIQUE indexes turned into proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats, templatelinks, text, transcache, user_former_groups, user_properties.
 * IDatabase::nextSequenceValue is no longer needed by any database backends (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
 * (T146591) The lc_lang_key index on the l10n_cache table has been changed into a PRIMARY KEY.
 * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id, page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and user_properties.up_user have all been made unsigned on MySQL.
 * DB_SLAVE is deprecated. DB_REPLICA should be used instead.
 * wfUsePHP is deprecated.
 * wfFixSessionID was removed.
 * wfShellExec and related functions are deprecated, use Shell::command. This also slightly changes the behavior of how execution time limits are calculated when only some of defaults are overridden per-call. When in doubt, always override both wall clock and CPU time.
 * (T138166) SpecialEmailUser::getTarget now requires a second argument, the sending user object. Using the method without the second argument is deprecated.
 * (T67297) Browsers that don't support Unicode will have their edits rejected.
 * (T178450) The module 'jquery.badge' is deprecated and will be removed in a future release. For notifying the user of an event, the Notifications ("Echo") system should be used instead.
 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
 * (T165846) SECURITY: BotPassword login attempts weren't throttled

Compatibility
MediaWiki 1.30 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later.

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server.

The supported versions are:


 * MySQL 5.5.8 or later
 * PostgreSQL 8.3 or later
 * SQLite 3.3.7 or later
 * Oracle 9.0.1 or later
 * Microsoft SQL Server 2005 (9.00.1399)

Upgrading
1.30 has several database changes since 1.29, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take a long time (minutes on a medium sized site, many hours on a large site).

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions, including important information when upgrading from versions prior to 1.11.

For notes on 1.29.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):


 * https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

Mailing list
A mailing list is available for MediaWiki user support and discussion:


 * https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:


 * https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc.freenode.net.