Release notes/1.19

Sdafyltc s =

Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it off if you can.

MediaWiki 1.19.2
This is a security release of the MediaWiki 1.19 branch

Changes since 1.19.1

 * (bug 39700) File: link to non-existing file can inject html
 * (bug 39823) Hidden block text leaking to admins
 * (bug 39184) LDAP password leakage
 * (bug 39180) Disallow framing of api results
 * (bug 37587) Enforce language codes to be html safe
 * (bug 39824) Check global blocks on account creation

MediaWiki 1.19.1
This is a security release of the MediaWiki 1.19 branch

Changes since 1.19.0

 * (bug 38406) Properly quote table names in DatabaseBase::tableName

MediaWiki 1.19
This is a stable release of the MediaWiki 1.19 branch. Please test it and let us know what you think of it. Beta releases are not recommended for use in production.

Changes since 1.19.0

 * (bug 36568) Fixed "Illegal string offset 'LIMIT'" warnings in updater
 * (bug 36938) Correctly escape uselang attribute to prevent xss
 * Expanded Blacklist for SVG Files

=== Changes since
 * Special:Watchlist no longer sets links to feed when the user is anonymous
 * (bug 35565) Special:Log/patrol doesn't indicate whether patrolling was automatic

Changes since 1.19 beta 1

 * (bug 35014) Including a special page no longer sets the page's title to the included page.
 * (bug 35019) Edit summaries are no longer transformed in notification e-mails.
 * (bug 35152) Help message for e-mail is shown again in user preferences.
 * (bug 34887) $3 and $4 parameters are now substituted correctly in message "movepage-moved".
 * (bug 34841) Edit links are no longer displayed when display old page versions
 * (bug 34889) User name should be normalized on Special:Contributions.
 * (bug 35051) If heading has a trailing space after == then its name is not preloaded into edit summary on section edit.
 * (bug 31417) New ID mw-content-text around the actual page text, without categories, contentSub, ... The same div often also contains the class mw-content-ltr/rtl.
 * (bug 35303) Proxy and DNS blacklist blocking works again
 * (bug 35294) jquery.byteLimit shouldn't set element specific variables outside the "return this.each" loop.
 * (bug 22555) Remove or skip strip markers from tag hooks like &lt;nowiki&gt; in core parser functions which operate on strings, such as padleft.
 * (bug 18295) Don't expose strip markers when a tag appears inside a link inside a heading.
 * (bug 34907) Fixed exposure of tokens through load.php that could have facilitated CSRF attacks

Configuration changes in 1.19

 * Removed SkinTemplateSetupPageCss hook; use BeforePageDisplay instead.
 * (bug 27132) movefile right granted by default to registered users.
 * Default cookie lifetime ($wgCookieExpiration) is increased to 180 days.
 * (bug 31204) Removed old user.user_options.
 * $wgMaxImageArea now applies to jpeg files if they are not scaled with ImageMagick.
 * Introduced $wgQueryPageDefaultLimit (defaults to 50) for the number of items to show by default on query pages (special pages such as Whatlinkshere).
 * (bug 32470) Increase the length of ug_group.
 * (bug 32239) Removed $wgEnableTooltipsAndAccesskeys.
 * Removed $wgVectorShowVariantName.
 * Removed $wgExtensionAliasesFiles. Use $wgExtensionMessagesFiles.
 * Removed $wgResourceLoaderInlinePrivateModules, now always enabled.

New features in 1.19

 * (bug 19838) Add ability to get all interwiki prefixes also if the interwiki cache is used.
 * $wgDnsBlacklistUrls now accepts an array with url and key as the elements to work with DNSBLs that require keys, such as Project Honeypot.
 * (bug 30022) Add support for custom loadScript sources to ResourceLoader.
 * (bug 19052) Unicode space separator characters (Zs) now terminates external links and images links.
 * (bug 30160) Add public method to mw.loader to get module names from registry.
 * (bug 15558) Parameters to special pages included in wikitext can now be passed as with templates.
 * Installer now issues a warning if mod_security is present.
 * (bug 29455) Add support for a filter callback function in jQuery byteLimit plugin.
 * Added two new GetLocalURL hooks to better serve extensions working on a limited type of titles.
 * Added a --no-updates flag to importDump.php that skips updating the links tables.
 * Most presentational html attributes like valign are now converted to inline css style rules. These attributes were removed from html5 and so we clean them up when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes.
 * Magic words (time and number-formatting ones, plus DIRECTIONMARK, but not NAMESPACE) now depend on the page content language instead of the site language. In theory this sets the right magic words in system messages, although they are not used there.
 * (bug 30451) Add page_props to RefreshLinks::deleteLinksFromNonexistent.
 * (bug 30450) Clear page_props table on page deletion.
 * Hook added to check for exempt from account creation throttle.
 * (bug 30344) Add configuration variable for setting custom priorities when generating sitemaps.
 * (bug 96170) Add array support for space-separated list attributes (like 'class') in the Html helper class.
 * (bug 26470) Add checkered background image on hover on files pages.
 * (bug 30774) mediawiki.html: Add support for numbers and booleans in the attribute values and element contents.
 * Conversion script between Tifinagh and Latin for the Tachelhit language.
 * (bug 16755) Add options 'noreplace' and 'noerror' to to stop it from replace an already existing default sort, and suppress error.
 * (bug 18578) Rewrote revision delete related messages to allow better localisation.
 * (bug 30364) LanguageConverter now depends on the page content language instead of the wiki content language.
 * Jump links will now be usable in CSS-capable browsers instead of only in outdated text browsers.
 * New common*.css files usable by skins instead of having to copy piles of generic styles from MonoBook or Vector's css.
 * Some deprecated presentational html attributes will now be automatically converted to css.
 * (bug 31297) Add support for namespaces in Special:RecentChanges subpage filter syntax.
 * The default user signature now contains a talk link in addition to the user link.
 * (bug 25306) Add link of old page title to MediaWiki:Delete_and_move_reason.
 * Added hook BitmapHandlerCheckImageArea.
 * (bug 30062) Add $wgDBprefix option to cli installer.
 * getUserPermissionsErrors and getUserPermissionsErrorsExpensive hooks are now also called when checking for 'read' permission.
 * Introduce $wgEnableSearchContributorsByIP which controls whether searching for an IP address redirects to the contributions list for that IP.
 * (bug 8859) Database::update should take array of tables too.
 * (bug 19698) Add "Inverse namespaces" option to Special:Contributions.
 * (bug 24037) Add byte length of revision to Special:Contributions.
 * (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
 * New path mappings can be added using the WebRequestPathInfoRouter hook and adding paths to the PathRouter.
 * (bug 32666) Special:ActiveUsers now allows a subpage to be used as value for the "target" query parameter (eg. Special:ActiveUsers/Username).
 * New JavaScript variable wgPageContentLanguage.
 * Added new debugging toolbar, enabled with $wgDebugToolbar.
 * Differences in the history page now uses slightly better colors for people perceiving colors differently.
 * (bug 32879) Upgrade jQuery to 1.7.1.
 * jQuery UI upgraded to 1.8.17.
 * Extensions can use the 'Language::getMessagesFileName' hook to define new languages using messages files outside of core.
 * (bug 32512) Add 'Associated namespace' checkbox to Special:Contributions.
 * Added $wgSend404Code, true by default, which can be set to false to send a 200 status code instead of 404 for nonexistent articles.
 * (bug 33447) Link to the broken image tracking category from Special:Wantedfiles.
 * (bug 27724) Add timestamp to job queue.
 * (bug 30339) Implement SpecialPage for running javascript tests. Disabled by default, due to tests potentially being harmful, not to be run on a production wiki. Enable by setting $wgEnableJavaScriptTest to true.
 * Extensions can use the RequestContextCreateSkin hook to override what skin is loaded in some contexts.
 * (bug 33456) Show $wgQueryCacheLimit on cached query pages.
 * (bug 10574) Add an option to allow all pages to be exported by Special:Export.
 * mediawiki.js Message object constructor is now publicly available as mw.Message.
 * (bug 29309) Allow CSS class per tooltip (tipsy).
 * (bug 33565) Add accesskey/tooltip to submit buttons on Special:EditWatchlist.
 * (bug 17959) Inline rendering/thumbnailing for Gimp XCF images.
 * (bug 27775) Namespace has it's own XML tag in the XML dump file.
 * (bug 30513) Redirect tag is now resolved in XML dump file.
 * sha1 xml tag added to XML dump file.
 * (bug 33646) Badtitle error page now emits a 400 HTTP status.
 * Special:MovePage now has a dropdown menu for namespaces.
 * (bug 34420) Special:Version now shows git HEAD sha1 when available.
 * (bug 33952) Refactor mw.toolbar to allow dynamic additions at any time.
 * Now possible to specify separate section title and edit summary when adding a new section to a page via the edit API action.

Bug fixes in 1.19

 * $wgUploadNavigationUrl should be used for file redlinks if $wgUploadMissingFileUrl is not set. The first was used for this until the second was introduced in 1.17.
 * BREAKING CHANGE: Style rules for wikitable are now more specific and prevent inheritance to nested tables which caused various issues (bug 30485 and bug 33434). If your wiki has overriden rules for ".wikitable", please revise them and adjust where neccecary. For comparison, use the "table.wikitable" section in skins/common/shared.css as base.
 * $wgUploadNavigationUrl is now used for file redlinks if $wgUploadMissingFileUrl is not set. The former was used for this until the second was introduced in 1.17.
 * (bug 27894) Move 'editondblclick' event listener down from body to div#bodyContent.
 * (bug 30172) The check for posix_isatty in maintenance scripts did not detect when the function exists but is disabled. Introduced Maintenance::posix_isatty.
 * (bug 30264) Changed installer-generated LocalSettings.php to use require_once instead require for included extensions.
 * Do not convert text in the user interface language to another script.
 * (bug 26283) Previewing user JS/CSS pages didn't load other user JS/CSS pages.
 * (bug 26486) ResourceLoader modules with paths to nonexistent files cause PHP warnings/notices to be thrown.
 * (bug 30335) Fix for HTMLForms using GET that were breaking when non-friendly URLs are used.
 * (bug 28649) Preventing half truncated multi-byte unicode characters when truncating log comments.
 * Show --batch-size option in help of maintenance scripts that support it.
 * (bug 4381) Magic quotes cleaning was not comprehensive, key strings were not unescaped.
 * (bug 23057) Importers no longer can 'edit' or 'create' a fully-protected page by importing a new revision into it.
 * Allow moving the associated talk pages of subpages even if the base page has no subpage.
 * Per page edit-notices now work in namespaces without subpages enabled.
 * (bug 31081) $wgEnotifUseJobQ is no longer unconditionally enqueueing jobs.
 * (bug 30202) File names are now restricted on upload to 240 bytes, because of restrictions on some of the database fields.
 * Timezones are now recognised in user preferences when offset is different due to DST.
 * (bug 31692) "summary" parameter now also works when undoing revisions.
 * (bug 18823) "move succeeded" text displayed bluelinks even when redirect was suppressed.
 * (bug 19186) Special:UserLogin's title on Special:SpecialPages now says "create account" when the user cannot create an account.
 * (bug 31818) 'usercreated' message now supports GENDER.
 * (bug 32022) Our phpunit.php script can now be executed from another directory.
 * (bug 26020) Setting $wgEmailConfirmToEdit to true no longer removes diffs. from recent changes feeds.
 * (bug 30232) add current time to message wlnote on Special:Watchlist.
 * (bug 29110) $wgFeedDiffCutoff did not affect new pages.
 * (bug 32168) Add wfRemoveDotSegments for use in wfExpandUrl.
 * (bug 32358) Do not display "No higher resolution available" for dimensionless files (like audio files).
 * (bug 32168) Add wfAssembleUrl for use in wfExpandUrl.
 * (bug 32168) fixed - wfExpandUrl expands dot segments now.
 * (bug 31535) Upload comments now truncated properly, and don't have brackets.
 * (bug 32086) Special:PermanentLink now show an error message when no subpage was specified.
 * (bug 30368) Special:Newpages now shows the new page name for moved pages.
 * (bug 1697) The way to search blocked usernames in block log should be clearer.
 * (bug 29747) eAccelerator shared memory caching has been removed since it is now disabled by default and is buggy. APC, XCache and WinCache are not affected.
 * Installer now refuses to install if php was not compiled with Ctype support.
 * (bug 29475) Remove "trackback" feature entirely from core.
 * (bug 32665) Special:BlockList prefills the username in the input field if using the Special:BlockList/username URL.
 * (bug 27721) Make JavaScript variables wgSeparatorTransformTable and wgDigitTransformTable depend on page content language so the sort script sorts correctly more often.
 * (bug 32230) Expose wgRedirectedFrom in JavaScript.
 * (bug 31212) History tab not collapsed when the screen is narrow.
 * (bug 15521) Use new section summary when the action of adding a new section also happens to create the page.
 * (bug 32960) Remove EmailAuthenticationTimestamp from database when a email address is removed.
 * (bug 32414) Empty page get a empty bytes attribute in Export/Dump.
 * (bug 33101) Viewing a User or User talk of username resembling IP ending with .xxx causes Internal error.
 * Warning about undefined index in certain situations when $wgLogRestrictions causes the first log type requested to be removed but not the others.
 * Use separate message ('prefixindex-namespace') for title of Special:PrefixIndex rather then re-using Special:AllPages's allinnamespace.
 * (bug 33156) Special:Block now allows you to confirm you want to block yourself when using non-normalized username.
 * (bug 33246) News icon shown for news:// URLs but not for news: URLs.
 * (bug 33305) Make mw.util.addCSS resistant to IE's @font-face bug by setting cssText after DOM insertion.
 * (bug 30711) When adding a new section to a page with section=new, the text is now always added to the current version of the page.
 * (bug 31719) Fix uploads of SVGs exported by Adobe Illustrator by expanding XML entities correctly.
 * (bug 30914) Embeddable ResourceLoader modules (user.options, user.tokens) should be loaded in &lt;head&gt; for proper dependency resolution.
 * (bug 32702) Removed method Skin::makeGlobalVariablesScript has been readded for backward compatibility.
 * (bug 31469) Make sure tracking category messages expand variables like relative to correct title.
 * (bug 33454) ISO-8601 week-based year number (format character 'o') is now calculated correctly with respect to timezone.
 * (bug 32219) InstantCommons now fetches content from Wikimedia Commons using HTTPS when the local wiki is served over HTTPS.
 * (bug 33525) clearTagHooks doesn't clear function hooks.
 * (bug 33523) Function tag hooks don't appear on Special:Version.
 * Files with IPTC blocks we can't read no longer prevent extraction of exif or other metadata.
 * (bug 33587) Remove action "historysubmit" from history pages.
 * (bug 25800) mw.config wgAction should contain the actually performed action instead of whatever the query value contains.
 * (bug 4438) Add CSS hook for current WikiPage action.
 * (bug 33703) Common border-bottom color for &lt;abbr&gt; should inherit default (text) color.
 * (bug 33819) Display file sizes in appropriate units.
 * (bug 32948) and related variables are no longer blank after doing a null edit.
 * (bug 33880) $wgUsersNotifiedOnAllChanges should not send e-mail to user who made the edit.
 * (bug 33902) Decoding %2B with mw.Uri.decode results in ' ' instead of +.
 * (bug 33762) QueryPage-based special pages no longer misses *-summary message.
 * Other sizes links are no longer generated for wikis without a 404 thumbnail handler.
 * (bug 29454) Enforce byteLimit for page title input on Special:MovePage.
 * (bug 34114) CSSMin::remap doesn't respect its $embed parameter.
 * Special:Contributions/newbies now shows the contributions for the user "newbies". New user contributions are obtained using the form or using ?contribs=newbie in URL.
 * It is now possible to delete images that have no corresponding description pages.
 * (bug 33165) GlobalFunctions.php line 1312: Call to a member function getText on a non-object.
 * (bug 31676) Group dynamically inserted CSS into a single &lt;style&gt; tag, to work around a bug where not all styles were applied in Internet Explorer.
 * (bug 28936, bug 5280) Broken or invalid titles can't be removed from watchlist.
 * (bug 34600) Older skins using useHeadElement=false were broken in 1.18.
 * (bug 34604) [mw.config] wgActionPaths should be an object instead of a numeral array.
 * (bug 29753) mw.util.tooltipAccessKeyPrefix should be alt-shift for Chrome on Windows
 * (bug 25095) Special:Categories should also include the first relevant item when "from" is filled.
 * (bug 12262) Indents and lists are now aligned
 * (bug 34972) An error occurred while changing your watchlist settings for Special:WhatLinksHere/Example

API changes in 1.19

 * Made action=edit less likely to return "unknownerror", by returning the actual error message (which may have come from a hook call or similar).
 * (bug 19838) siprop=interwikimap can now use the interwiki cache.
 * (bug 29748) Add API search prefix support.
 * (bug 29684) Set forgotten parameter types in ApiQueryIWLinks.
 * (bug 29685) do not output NULL parentid with list=deletedrevs&drprop=parentid.
 * siprop=interwikimap and siprop=languages can use silanguagecode to have a best effort language name translation. Use CLDR extension for best result.
 * (bug 30230) action=expandtemplates should not silently override invalid title inputs.
 * (bug 18634) Create API to fetch MediaWiki's language fallback tree structure.
 * (bug 26885) Allow show/hide of account blocks, temporary blocks and single IP address blocks for list=blocks.
 * (bug 30591) Add support to only return keys in ApiAllMessages.
 * The API now respects $wgShowHostnames and won't share the hostname in severedby if it's set to false.
 * wlexcludeuser parameter added to ApiFeedWatchlist.
 * (bug 7304) Links on redirect pages no longer cause the redirect page to show up as a redirect to the linked page on Special:Whatlinkshere.
 * (bug 32609) API: Move captchaid/captchaword of action=edit from core to Captcha extension(s).
 * Added 'APIGetDescription' hook.
 * (bug 32688) Paraminfo for parameter "generator" of the query module shows too many types.
 * (bug 32415) Empty page get no size attribute in API output.
 * (bug 31759) Undefined property notice in querypages API.
 * (bug 32495) API should allow purge by pageids.
 * (bug 33147) API examples should explain what they do.
 * (bug 33482) Api incorrectly calls ApiBase::parseMultiValue if allowed values is given as an array.
 * (bug 32948) and related variables are no longer blank after calling action=purge&forcelinkupdate.
 * (bug 34377) action=watch now parses messages using the correct title instead of "API".
 * (bug 35036) ResourceLoaderWikiModule should auto-update when messages (created or overwritten) in the MediaWiki namespace change.

Languages updated in 1.19
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.


 * Canadian English (en-ca) (new).
 * Norwegian (bokmål) (nb) (renamed from no).
 * Uighur (Latin) (ug-latn) was incorrectly marked as right-to-left language.
 * (bug 30217) Make pt-br a fallback of pt.
 * (bug 31193) Set fallback language of Assamese from Bengali to English.
 * Update date format for dsb and hsb: month names need the genitive.
 * (bug 28643) Serbian variant conversion improvements (Nikola Smolenski).
 * (bug 29405, bug 30809) Lower diacritics are invisible in titles in Indic languages Assamese, Bengali, Hindi, Malyalam and Odiya.
 * (bug 32826) Titles in indic languages are partially cut.
 * (bug 33367) Gendered namespaces for Czech.
 * (bug 33014) Language::formatSize/formatBitrate should be able to deal with larger numbers (tera-yotta).

Other changes in 1.19

 * BREAKING CHANGE: Legacy global array 'ta' and global function 'akeytt' have been removed from wikibits.js.
 * jquery.mwPrototypes module was renamed to jquery.mwExtension.
 * The maintenance script populateSha1.php was renamed to the more concise populateImageSha1.php.
 * The Client-IP header is no longer checked for when trying to resolve a client's real IP address.
 * (bug 22096) Although IE5.x and below was already unsupported officially, stylesheets existing exclusively for IE5.0 and IE5.5 have now been removed (which were in skins 'chick' and 'monobook').
 * The constructor for CategoryView has changed, the second parameter is now a Context source and is required.
 * The Title::escape{Local,Full,Canonical}URL methods are deprecated, please use proper html building methods to escape the normal get{...}URL methods instead.
 * The $variant arguments in the Title::get{Local,Full,Link,Canonical}URL methods have been replaced with a secondary query argument.
 * The $variant argument in the hooks for the Title::get{Local,Full,Link,Canonical}URL methods have been removed, the variant is now part of the $query argument.
 * Removed Title::isValidCssJsSubpage, deprecated since 1.17 in favor of using Title::isCssJsSubpage or checking Title::isWrongCaseCssJsPage.
 * Support for the deprecated hook MagicWordMagicWords was removed.
 * The Xml::namespaceSelector method has been deprecated, please use Html::namespaceSelector instead (note that the parameters have changed also).
 * (bug 33746) Preload popular ResourceLoader modules (mediawiki.util) as stop-gap for scripts missing dependencies. New configuration variable $wgPreloadJavaScriptMwUtil has been introduced for this (set to false by default for new installations). Set to true if your wiki has a large amount of user/site scripts that are lacking dependency information. In the short to medium term these user/site scripts should be fixed by adding the used modules to the dependencies in the module registry and/or wrapping them in a callback to mw.loader.using.
 * MediaWiki now requires MySQL 5.0.2 or later when using a MySQL database.

Compatibility
MediaWiki 1.19 requires PHP 5.2.3. PHP 4 is no longer supported.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for IBM DB2 and Oracle.

The supported versions are:


 * MySQL 5.0.2 or later
 * PostgreSQL 8.3 or later
 * SQLite 3.3.7 or later
 * Oracle 9.0.1 or later

Upgrading
1.19 has several database changes since 1.18, and will not work without schema updates.

As of 1.19 several JavaScript interfaces that were deprecated or superseded in MediaWiki 1.17, MediaWiki 1.16 or even earlier have been removed. They are listed at the top of the "Other changes" list as a "BREAKING CHANGE".

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.18.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

https://www.mediawiki.org/wiki/Documentation

Mailing list
A mailing list is available for MediaWiki user support and discussion:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc.freenode.net.