Release notes/1.5

= MediaWiki release notes = Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.

MediaWiki 1.5.9

 * (bug 3359) Add hooks on completion of file upload

MediaWiki 1.5.8
March 26, 2006 MediaWiki 1.5.8 is a security and bugfix maintenance release. A bug in decoding of certain encoded links could allow injection of raw HTML into page output; this could potentially lead to XSS attacks. Some minor UI fixes were also made, see the change log at the bottom of this file.

MediaWiki 1.5.7
March 2, 2006 MediaWiki 1.5.7 is a bugfix maintenance release. Most importantly, a security issue in the installer has been fixed. The bug affects new installations of 1.5.6 only. If the user specified the MySQL root password, to allow the installer to create an unprivileged account, the  installer would not only create the new account but also change the root  password to be equal to the password of the new account. Anyone affected by this bug will need to change the root password back manually. For information about how to change passwords in MySQL please see: http://dev.mysql.com/doc/refman/5.1/en/passwords.html This version includes fixes for compatibility with Internet Explorer 7 beta 2, and various other bugs; see the full changelog at the end of the release notes.

MediaWiki 1.5.6
January 19, 2006 MediaWiki 1.5.6 is a security and bugfix maintenance release. A bug in edit comment formatting could send PHP into an infinite loop if certain malformed links were included. In most installations, this would cause the script to fail after PHP's 30-second failsafe timeout. Some improvements have been made to the installer which should make installation possible on a system with a broken MySQL "root" account. For several other minor fixes, see the complete changelog at the end of this file.

MediaWiki 1.5.5
January 5, 2006 MediaWiki 1.5.5 is a security and bugfix maintenance release. Detection for uploads of Windows Metafile (.wmf) images has been added to help protect against a client-side vulnerability in unpatched Microsoft Windows operating systems. Sites which have enabled uploads and added non-standard file types (such as .ogg, .doc, or .pdf) should upgrade to this release to ensure that malicious .wmf files can't be uploaded with a fake extension; such files could put visitors to the site at risk. For more details on this, see: http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability Additionally, a maintenance script removeUnusedAccounts.php has been added; this replaces an older Perl script which had not been updated for the new schema in 1.5.

MediaWiki 1.5.4
December 21, 2005 MediaWiki 1.5.4 is a security and bugfix maintenance release. A hardcoded internal placeholder string has been replaced with a random one. This closes a hole where security checks in inline style attributes could be bypassed, injecting JavaScript code that could execute in Microsoft Internet Explorer. Other browsers would not be vulnerable. Several minor fixes are included in this release, most notably a fix to clear the "you have new messages" flag properly for usernames containing spaces when e-mail notification is enabled. See the changelog at the end of the release notes for a full list of fixes.

MediaWiki 1.5.3
December 4, 2005 MediaWiki 1.5.3 is a security and bugfix maintenance release. Validation of the user language option was broken by a code change in May 2005, opening the possibility of remote code execution as this parameter is used in forming a class name dynamically created with eval. The validation has been corrected in this version. All prior 1.5 release and prelease versions are affected; 1.4 and earlier and not affected. Additionally several bugs have been fixed; see the changelog later in this file for a complete list.

MediaWiki 1.5.2
November 2, 2005 MediaWiki 1.5.2 is a bugfix maintenance release. A change in PHP 4.4.1 and PHP 5.1.0RC broke handling of extension and  sections, causing garbage data to be inserted in output and saved edits. This version works around the change. Several other glitches with MySQL 5.0 and PHP 5.0.5 were also fixed; see the change log below for a complete list.

MediaWiki 1.5.1
October 26, 2005 MediaWiki 1.5.1 is a bugfix and security maintenance release, and is a recommended upgrade for all installations. This release includes further corrections to the inline CSS style sanitation which works around a JavaScript "feature" on Microsoft Internet Explorer. Users of Microsoft Internet Explorer for Windows may be vulnerable to XSS injections on prior versions; users of standards-compliant browsers are not vulnerable. Major fixes include:
 * Image pages work again with resizing disabled
 * Works in MySQL 5.0 strict mode There is experimental support in this release for explicitly declaring the UTF-8 charset in the database; this has been tested with MySQL 5.0.15 but should work on 4.1 as well. IMPORTANT: Changing this setting on an existing wiki may produce interesting data corruption, depending on server configuration. Page contents should, usually, be unaffected, but page titles and other items may be. Limitations in MySQL's Unicode support mean that characters outside the BMP cannot be used in page titles or various other fields when using this mode. Table definitions are in maintenance/mysql5/tables.sql, and the runtime option to send 'SET NAMES utf8' is set by $wgDBmysql5 = true. (MySQL 3.23.x and 4.0.x do not support character set declarations; on these versions MediaWiki simply works with UTF-8 data and MySQL is blissfully unaware of it.)

MediaWiki 1.5.0 final
October 5, 2005 MediaWiki 1.5.0 is the new stable release branch of MediaWiki, and is recommended for all new installations. Any wikis running a 1.5 beta or release candidate are strongly recommended to upgrade to the final release, which includes a number of bug fixes and a security fix for CSS bugs in Microsoft Internet Explorer. IMPORTANT: Running a 1.3 or 1.4 wiki and don't want to jump to 1.5 yet? Be sure to upgrade to 1.3.17 or 1.4.11, also released today. Versions prior to 1.3.16 and 1.4.10 have a serious data corruption bug which is triggered by a spambot known to operate in the wild.

What's new in 1.5?
Schema: The core table schema has changed significantly. This should make betteruse of the database's cache and disk I/O, and make significantly speed up rename and delete operations on pages with very long edit histories. Unfortunately this does mean upgrading a wiki of size from 1.4 will require some downtime for the schema restructuring, but future storage backend changes should be able to integrate into the new system more easily. Permalinks: The current revision of a page now has a permanent 'oldid' number assigned immediately, and the id numbers are now preserved across deletion/undeletion. A permanent reference to the current revision of a page is now just a matter of going to the 'history' tab and copying the first link in the list. Page move log: Renames of pages are now recorded in Special:Log and the page history. A handy revert link is available from the log for sysops. Editing diff: Ever lost track of what you'd done so far during an edit? A 'Show diff' button on the edit page now makes it easy to remember. Uploads: It's now possible to specify the final filename of an upload distinct from the original filename on your disk. An image link for a missing file will now take you straight to the upload page. More metadata is pre-extracted from uploaded images, which will ease pressure on disk or NFS volumes used to store images. EXIF metadata is displayed on the image description page if PHP is configured with the necessary module. If .svg files are added to the upload whitelist, you can choose to render them to rasterized .png images for inline display using one of several external helper programs. See DefaultSettings.php for SVG options. User accounts: There are some changes to the user permissions system, with assignable groups. Note that this does *not* allow you to make pages which are only accessible to certain groups. For details see: http://meta.wikimedia.org/wiki/Help:User_rights E-mail: User-to-user e-mail can now be restricted to require a mail-back confirmation first to reduce potential for abuse with false addresses. Updates to user talk pages and watchlist entries can optionally send e-mail notifications. External hooks: A somewhat experimental interface for hooking in an external editor application is included. And... A bunch of stuff we forgot to mention.

What's gone?
Latin-1: Wikis must now be encoded in Unicode UTF-8; this has been the default for some time, but some languages could optionally be installed in Latin-1 mode. This is no longer supported. You can check if your current wiki is in Latin-1 mode by using your browser's "view source"; look for a line like this:  If it says charset=utf-8, you're ready. If it says charset=iso8859-1, you may need to convert your data. (English-language wikis avoiding any accented characters may be able to get away without conversion.) MySQL 3.x: Some optimization hacks for MySQL 3.x have been removed as part of the schema clean-up (specifically, the inverse_timestamp fields). MediaWiki 1.5 may still run on 3.x, but wikis of non-trivial size should very seriously consider upgrading to a more modern release. MySQL 3.x support will probably be entirely dropped in the next major release. Special:Maintenance These tools were, ironically enough, not really maintained. This special page has been removed; insofar as some of its pieces were useful and haven't already been supplanted by other special pages they should be rewritten inan efficient and safe manner in the future.

Caveats
Upgrade: Wikis in Latin-1 encoding are no longer supported; only Unicode UTF-8. A new option $wgLegacyEncoding is provided to allow on-the-fly recoding of old page text entries, but other metadata fields (titles, comments etc) need to be pre-converted. The standard upgrade process does not yet fully automate this, but you can try the alternate partial-upgrader in upgrade1_5.php. The upgrade from 1.4 to 1.5 schema has not been tested for all cases, so it's possible you may experience problems in some combinations. Backups: The text entries of deleted pages are no longer removed from the main text table on deletion. If you provide public backup dumps of your databases, you will probably want to use the new XML-format dump generator, available as maintenance/dumpBackup.php. For more information on how we run our own public data dumps at Wikimedia, see http://meta.wikimedia.org/wiki/Data_dumps PostgreSQL: The table definitions for PostgreSQL install are out of date. PostgreSQL support may return in later releases, pending appropriate patches. MySQL 4.1+: Some users may encounter installation problems with MySQL 4.1 or higher due to strange charset encoding / collation configurations. Try setting to 'latin1' or 'utf8' if you encounter problems.

MediaWiki 1.5 release candidate 4
August 29, 2005 MediaWiki 1.5rc4 is a preview release of the new 1.5 release series. It fixes compatibility with PHP 5.1, and corrects two cross-site scripting security bugs:
 * tags were handled incorrectly when TeX rendering support is off, as in the default configuration.
 * Extension or  sections in Wiki table syntax could bypass HTML style attribute restrictions for cross-site scripting attacks against Microsoft Internet Explorer Wikis where the optional math support has been *enabled* are not vulnerable to the first, but are vulnerable to the second.

MediaWiki 1.5 release candidate 3
August 24, 2005 MediaWiki 1.5rc3 is a preview release of the new 1.5 release series. It fixes several major problems in 1.5rc2:
 * Fixed a cross-site scripting injection in the search form (broken since 1.5beta1)
 * Fixed upgrades from 1.4 database schema (broken since 1.5rc2) 1.3 and 1.4 releases are not vulnerable to the XSS bug, but anyone running an earlier 1.5 beta or release candidate should upgrade immediately.

MediaWiki 1.5 release candidate 2
August 23, 2005 MediaWiki 1.5rc2 is a preview release of the new 1.5 release series. Numerous bug fixes since last beta, plus a security fix; see change log below for full details. A flaw in the interaction between extensions and HTML attribute sanitization was discovered which could allow unauthorized use of offsite resources in style sheets, and possible exploitation of a JavaScript injection feature on Microsoft Internet Explorer. This version expands the returned text and properly checks it before output. A 1.5rc1 release was mistakenly made from the incorrect source code branch; 1.5rc2 is identical to the actual 1.5rc1 in revision control except for version number.

MediaWiki 1.5 beta 4
July 30, 2005 MediaWiki 1.5 beta 4 is a preview release of the new 1.5 release series. A number of bugs have been fixed since beta 3; see the full changelist below.

MediaWiki 1.5 beta 3
July 7, 2005 MediaWiki 1.5 beta 3 is a preview release of the new 1.5 release series, with a security update over beta 2. Incorrect escaping of a parameter in the page move template could be used to inject JavaScript code by getting a victim to visit a maliciously constructed URL. Users of vulnerable releases are recommended to upgrade to this release. Vulnerable versions: This release also includes several bug fixes and localization updates. See the changelog at the end of this file for a detailed list.
 * 1.5 preview series: n <= 1.5beta2 vulnerable, fixed in 1.5beta3
 * 1.4 stable series: 1.4beta6 <= n <= 1.4.5 vulnerable, fixed in 1.4.6
 * 1.3 legacy series: not vulnerable

MediaWiki 1.5 beta 2
July 5, 2005 MediaWiki 1.5 beta 2 is a preview release of the new 1.5 release series. While most exciting new bugs should have been ironed out at this point, third-party wiki operators should probably not run this beta release on a public site without closely following additional development. Anyone who _has_ been running beta 1 is very very strongly advised to upgrade to beta 2, as it fixes many bugs from the previous beta including a couple of HTML and SQL injections. This release should be followed by one or two release candidates and a 1.5.0 final within the next few weeks. Beta upgraders, note there are some minor database changes. For upgrades from 1.4, see the file UPGRADE for details on significant database and configuration file changes. Beta 2 includes a preliminary command-line XML wiki dump importer tool, maintenance/importDump.php, paired with maintenance/dumpBackup.php. These use the same format as Special:Export and Special:Import, able to package a wiki's entire page set independent of the backend database and compression format.

MediaWiki 1.5 beta 1
June 26, 2005 MediaWiki 1.5 beta 1 is a preview release, pretty much feature complete, of the new 1.5 release series. There are several known and likely a number of unknown bugs; it is not recommended to use this release in a production environment but would be recommended for testing in mind of an upcoming deployment. A number of significant changes have been made since the alpha releases, including database changes and a reworking of the user permissions settings. See the file UPGRADE for details of upgrading and changing your prior configuration settings for the new system.

MediaWiki 1.5 alpha 2
June 3, 2005 MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges, and a security update. Incorrect handling of page template inclusions made it possible to inject JavaScript code into HTML attributes, which could lead to cross-site scripting attacks on a publicly editable wiki. Vulnerable releases and fix:
 * 1.5 prerelease: fixed in 1.5alpha2
 * 1.4 stable series: fixed in 1.4.5
 * 1.3 legacy series: fixed in 1.3.13
 * 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended

MediaWiki 1.5 alpha 1
May 3, 2005 This is a testing preview release, being put out mainly to aid testers in finding installation bugs and other major problems. It is strongly recommended NOT to run a live production web site on this alpha release.
 * WARNING: USE OF THIS ALPHA RELEASE MAY INFEST YOUR HOUSE WITH **
 * TERMITES, ROT YOUR TEETH, GROW HAIR ON YOUR PALMS, AND PASTE  **
 * INNUENDO INTO  YOUR  C.V.  RIGHT  BEFORE  A  JOB  INTERVIEW!  **
 * DON'T SAY WE DIDN'T WARN YOU, MAN. WE TOTALLY DID RIGHT HERE. **

Smaller changes since 1.4
Various bugfixes, small features, and a few experimental things:
 * 'live preview' reduces preview reload burden on supported browsers
 * support for external editors for files and wiki pages: http://meta.wikimedia.org/wiki/Help:External_editors
 * Schema reworking: http://meta.wikimedia.org/wiki/Proposed_Database_Schema_Changes/October_2004
 * (bug 15) Allow editors to view diff of their change before actually submitting an edit
 * (bug 190) Hide your own edits on the watchlist
 * (bug 510): Special:Randompage now works for other namespaces than NS_MAIN.
 * (bug 1015) support for the full wikisyntax in captions.
 * (bug 1105) A "Destination filename" (save as) added to Special:Upload Upload.
 * (bug 1352) Images on description pages now get thumbnailed regardless of whether the thumbnail is larger than the original.
 * (bug 1662) A new magicword, August returns the abbreviation of the current month
 * (bug 1668) 'Date format' supported for other languages than English, see: http://mail.wikipedia.org/pipermail/wikitech-l/2005-March/028364.html
 * (bug 1739) A new magicword, give you the article or diff database revision id, useful for proper citation.
 * (bug 1998) Updated the Russian translation.
 * (bug 2064) Configurable JavaScript mimetype with $wgJsMimeType
 * (bug 2084) Fixed a regular expression in includes/Title.php that was accepting invalid syntax like #REDIRECT [[foo] in redirects
 * It's now possible to invert the namespace selection at Special:Allpages and Special:Contributions
 * No longer using sorbs.net to check for open proxies by default.
 * What was $wgDisableUploads is now $wgEnableUploads, and should be set to true if one wishes to enable uploads.
 * Supplying a reason for a block is no longer mandatory
 * Language conversion support for category pages
 * $wgStyleSheetDirectory is no longer an alias for $wgStyleDirectory;
 * Special:Movepage can now take paramaters like Special:Movepage/Page_to_move (used to just be able to take paramaters via a GET request like index.php?title=Special:Movepage&target=Page_to_move)
 * (bug 2151) The delete summary now includes editor name, if only one has edited the article.
 * (bug 2105) Fixed from argument to the PHP mail function. A missing space could prevent sending mail with some versions of sendmail.
 * (bug 2228) Updated the Slovak translation
 * ...and more!

Changes since 1.5alpha1

 * (bug 73) Category sort key is set to file name when adding category to file description from upload page (previously it would be set to "Special:Upload", causing problems with category paging)
 * (bug 419) The contents of the navigation toolbar are now editable through the MediaWiki namespace on the MediaWiki:navbar page.
 * (bug 498) The Views heading in MonoBook.php is now localizable
 * (bug 898) The wiki can now do advanced sanity check on uploaded files including virus checks using external programs.
 * (bug 1692) Fix margin on unwatch tab
 * (bug 1906) Generalize project namespace for Latin localization, update namespaces
 * (bug 1975) The name for Limburgish (li) changed from "Lèmburgs" to "Limburgs
 * (bug 2019) Wrapped the output of Special:Version in in order to preserve the correct flow of text on RTL wikis.
 * (bug 2067) Fixed crash on empty quoted HTML attribute
 * (bug 2075) Corrected namespace definitions in Tamil localization
 * (bug 2079) Removed links to Special:Maintenance from movepagetext message
 * (bug 2094) Multiple use of a template produced wrong results in some cases
 * (bug 2095) Triple-closing-bracket thing partly fixed
 * (bug 2110) "noarticletext" should not display on Image page for "sharedupload" media
 * (bug 2150) Fix tab indexes on edit form
 * (bug 2152) Add missing bgcolor to attribute whitelist for  and
 * (bug 2176) Section edit 'show changes' button works correctly now
 * (bug 2178) Use temp dir from environment in parser tests
 * (bug 2217) Negative ISO years were incorrectly converted to BC notation
 * (bug 2234) allow special chars in database passwords during install
 * Deprecated the syntax for referring to templates, {{msg: is now the wikisyntax representation of wfMsgForContent
 * Fix for reading incorrectly re-gzipped HistoryBlob entries
 * HistoryBlobStub: the last-used HistoryBlob is kept open to speed up multiple-revision pulls
 * Add $wgLegacySchemaConversion update-time option to reduce amount of copying during the schema upgrade: creates HistoryBlobCurStub reference records in text instead of copying all the cur_text fields. Requires that the cur table be left in place until/unless such fields are migrated into the main text store.
 * Special:Export now includes page, revision, and user id numbers by default (previously this was disabled for no particular reason)
 * dumpBackup.php can dump the full database to Export XML, with current revisions only or complete histories.
 * The group table was renamed to groups because "group" is a reserved word in SQL which caused some inconveniances.
 * New fileicons for c, cpp, deb, dvi, exe, h, html, iso, java, mid, mov, o, ogg, pdf, ps, rm, rpm, tar, tex, ttf and txt files based on the KDE crystalsvg theme.
 * Fixed a bug in Special:Newimages that made it impossible to search for '0'
 * Added language variant support for Icelandic, now supports "Íslenzka"
 * The #p-nav id in MonoBook is now #p-navigation
 * Putting $4 in msg:userstatstext will now give the percentage of admnistrators out of normal users.
 * links and brokenlinks tables merged to pagelinks; this will reduce pain dealing with moves and deletes of widely-linked pages.
 * Add validate table and val_ip column through the updater.
 * Simple rate limiter for edits and page moves; set $wgRateLimits (somewhat experimental; currently needs memcached)
 * (bug 2262) Hide math preferences when TeX is not enabled
 * (bug 2267) Don't generate thumbnail at the same size as the source image.
 * Fix rebuildtextindex.inc for new schema
 * Remove linkscc table code, no longer used.
 * (bug 2271) Use faster text-only link replacement in image alt text instead of rerunning expensive link lookup and HTML generation.
 * Only build the HTML attribute whitelist tree once.
 * Replace wfMungeToUtf8 and do_html_entity_decode with a single function that does both numeric and named chars: Sanitizer::decodeCharReferences
 * Removed some obsolete UTF-8 converter functions
 * Fix function comment in debug dump of SQL statements
 * (bug 2275) Update search index more or less right on page move
 * (bug 2053) Move comment whitespace trimming from edit page to save; leaves the whitespace from the section comment there on preview.
 * (bug 2274) Respect stub threshold in category page list
 * (bug 2173) Fatal error when removing an article with an empty title from the watchlist
 * Removed -f parameter from mail usage, likely to cause failures and bounces.
 * (bug 2130) Fixed interwiki links with fragments
 * (bug 684) Accept an attribute parameter array on parser hook tags
 * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external LDAP authentication plugin
 * (bug 2034) Armor HTML attributes against template inclusion and links munging

Changes since 1.5alpha2

 * (bug 2319) Fix parse hook tag matching
 * (bug 2329) Fix title formatting in several special pages
 * (bug 2223) Add unique index on user_name field to prevent duplicate accounts
 * (bug 1976) fix shared user database with a table prefix set
 * (bug 2334) Accept null for attribs in wfElement without PHP warning
 * (bug 2309) Allow templates and template parameters in HTML attribute zone, with proper validation checks. (regression from fix for 2304)
 * Disallow close tags and enforce empty tags for  and
 * Changed user_groups format quite a bit.
 * (bug 2368) Avoid fatally breaking PHP 4.1.2 in a debug line
 * (bug 2367) Insert correct redirect link record on page move
 * (bug 2372) Fix rendering of empty-title inline interwiki links
 * (bug 2384) Fix typo in regex for IP address checking
 * (bug 650) Prominently link MySQL 4.1 help page in installer if a possible version conflict is detected
 * (bug 2394) Undo incompatible breakage to  compatiblity includes
 * (bug 1322) Use a shorter cl_sortkey field to avoid breaking on MySQL 4.1 when the default charset is set to utf8
 * (bug 2400) don't send confirmation mail on account creation if $wgEmailAuthentication is false.
 * (bug 2172) Fix problem with nowiki beeing replaced by marker strings when a template with a gallery was used.
 * Guard Special:Userrights against form submission forgery
 * (bug 2408) page_is_new was inverted (whoops!)
 * Added wfMsgHtml function for escaping messages and leaving params intact
 * Fix ordering of Special:Listusers; fix groups list so it shows all groups when searching for a specific group and can't be split across pages
 * (bug 1702) Display a handy upload link instead of a useless blank link for [[media:]] links to nonexistent files.
 * (bug 873) Fix usage of createaccount permission; replaces $wgWhitelistAccount
 * (bug 1805) Initialise $wgContLang before $wgUser
 * (bug 2277) Added Friulian language file
 * (bug 2457) The "Special page" href now links to the current special page rather than to "".
 * (bug 1120) Updated the Czech translation
 * A new magic word,, returns $wgScriptPath
 * A new magic word,, returns $wgServerName
 * A new magic word,, returns the number of rows in the image table
 * Special:Imagelist displays titles with " " instead of "_"
 * Less gratuitous munging of content sample in delete summary
 * badaccess/badaccesstext to supercede sysop*, developer* messages
 * Changed $wgGroupPermissions to more cut-n-paste-friendly format
 * 'developer' group deprecated by default
 * Special:Upload now uses 'upload' permission instead of hardcoding login check
 * Add 'importupload' permission to disable direct uploads to Special:Import
 * (bug 2459) Correct escaping in Special:Log prev/next links
 * (bug 2462 etc) Taking out the experimental dash conversion; it broke too many things for the current parser to handle cleanly
 * (bug 2467) Added a Turkish language file
 * Fixed a bug in Special:Contributions that caused the namespace selection to be forgotten between submits
 * Special:Watchlist/edit now has namespace subheadings
 * (bug 1714) the "Save page" button now has right margin to seperate it from "Show preview" and "Show changes"
 * Special:Statistics now supports action=raw, useful for bots designed to Harvest e.g. article counts from multiple wikis.
 * The copyright confirmation box at Special:Upload is now turned off by default and can be turned back on by setting $wgCopyrightAffirmation to a true value.
 * Restored prior text for password reminder button and e-mail, replacing the factually inaccurate text that was there.
 * (bug 2178) Fix temp dir check again
 * (bug 2488) Format 'deletedtext' message as wikitext
 * (bug 750) Keep line endings consistent in LocalSettings.php
 * (bug 1577) Add 'printable version' tab in MonoBook for people who don't realize you can just hit print to get a nicely formatted printable page.
 * Trim whitespace from option values to weather line-ending corruption problems
 * Fixed a typo in the Romanian language file (NS_MESIA => NS_MEDIA)
 * (bug 2504) Updated the Finnish translation
 * (bug 2506, 2512) Updated the Nynorsk translation
 * (bug 996) Replace $wgWhitelistEdit with 'edit' permission; fixup UPGRADE documentation about edit and read whitelists.
 * (bug 2515) Fix incremental link table update
 * Removed some wikipedia-specifica from LanguageXx.php's
 * (bug 2496) Allow MediaWiki:edithelppage to point to external page
 * Added a versionRequired function to OutputPage, useful for extension writers that want to control what version of MediaWiki their extension can be used with.
 * Serialized user objects now checked for versioning
 * Fix for interwiki link regression
 * Printable link shorter in monobook
 * Experimental Latin-1-and-replication-friendly upgrader script
 * (bug 2520) Don't show enotif options when disabled

Changes since 1.5beta1

 * (bug 2531) Changed the interwiki name for sh (Serbocroatian) to Srpskohrvatski/Српскохрватски (was Српскохрватски (Srbskohrvatski))
 * Nonzero return code for command-line scripts on wfDebugDieBacktrace
 * Conversion fix for empty old table in upgrade1_5.php
 * Try reading revisions from master if no result on slave
 * (bug 2538) Suppress notice on user serialized checks
 * Fix paging on Special:Contributions
 * (bug 2541) Fix unprotect tab
 * (bug 1242) category list now show on edit page
 * Skip sidebar entries where link text is '-'
 * Convert non-UTF-8 URL parameters even if referer is local
 * (bug 2460) width & height properly filled when resizing image
 * (bug 2273) deletion log comment used user interface langage
 * Try reading revision _text_ from master if no result on slave
 * Use content-language message cache for raw view of message pages
 * (bug 2530) Not displaying talk pages on Special:Watchlist/edit
 * Fixed a bug that would occour if $wgCapitalLinks was set to false, a user agent could create a username that began with a lower case letter that was not in the ASCII character set ( now user $wgContLang->ucfirst instead of PHP ucfirst )
 * Moved the user name / password validity checking from LoginForm::addNewAccountInternal to two new functions, User::isValidUserName and User::isValidPassword, extensions can now do these checks without rewriting code.
 * Fix $wgSiteNotice when MediaWiki:Sitenotice is set to default '-'
 * Fixed a bug where the watchlist count without talk pages would be off by a factor of two.
 * upgrade1_5.php uses insert ignore, allows to skip image info initialization
 * Fix namespaces in category list.
 * Add rebuildImages.php to update image metadata fields
 * Special:Ancientpages is expensive in new schema for now
 * (bug 2568) Fixed a logic error in the Special:Statistics code which caused the displayed percentage of admins to be totally off.
 * (bug 2560) Don't show blank width/height attributes for missing size
 * Don't show bogus messages about watchlist notifications when disabled
 * Don't show old debug messages in watchlist
 * (bug 2576) Fix recording of transclusion links
 * (bug 2577) Allow sysops to enter non-standard block times
 * Fixed a bug where Special:Contributions wouldn't remember the 'invert' status between next/previous buttons.
 * Move MonoBook printable link from tab to sidebar
 * (bug 2567) Fix HTML escaping on category titles in list
 * (bug 2562) Show rollback link for current revisions on diff pages
 * (bug 2583) Add --missinig option on rebuildImages.php to add db entries for uploaded files that don't have them
 * (bug 2572) Fix edit conflict handling
 * (bug 2595) Show "Earlier" and "Latest" links on history go to the first/last page in the article history pager.
 * Don't show empty-page text in 'Show changes' on new page
 * (bug 2591) Check for end, fix limits on Whatlinkshere
 * (bug 2584) Fix output of subcategory list
 * (bug 2597) Don't crash when undeleting an image description page
 * (bug 2564) Don't show "editingold" warning for recent revision
 * Various code cleanup and HTML escaping fixlets
 * Copy IRC-over-UDP update option from REL1_4
 * (bug 2548) Keep summary on 'show changes' of section edit
 * Move center on toc to title part to avoid breaking .toc style usage
 * HTML sanitizer: correct multiple attributes by keeping last, not first
 * (bug 2614) Fix section edit links on diff-to-current with oldid set Also fix navigation links on current-with-oldid view.
 * (bug 2620) Return to prior behavior for some more things (such as subpage parent links) on current-diff view.
 * (bug 2618) Fix regression from another fix; show initial preview for categories only if the page does not exist.
 * (bug 2625) Keep group & user settings when paging in Listusers
 * (bug 2627) Fix regression: diff radio button initial selection
 * Copy fix for old search URLs with Lucene search plugin from REL1_4
 * (bug 619) Don't use incompatible diff3 executable on non-Linux systems.
 * (bug 2631) Fix Hebrew namespaces.
 * (bug 2630) Indicate no-longer-valid cached entries in BrokenRedirects list
 * (bug 2644, 2645) "cur" diff links in page history, watchlist and recentchanges should specify current ID explicitly.
 * (bug 2609) Fix text justification preferenced with MonoBook skin.
 * (bug 2594) Display article tab as red for non-existent articles.
 * (bug 2656) Fix regression: prevent blocked users from reverting images
 * (bug 2629) Automatically capitalize usernames again instead of rejecting lowercase with a useless error message
 * (bug 2661) Fix link generation in contribs
 * Add support for &preload=Page_name (load text of an existing page into edit area) and &editintro=Page_name (load text of an existing page instead of MediaWiki:Newpagetext) to &action=edit, if page is new.
 * (bugs 2633, 2672, 2685, 2695) Fix Estonian, Portuguese, Italian, Finnish and Spanish numeric formatting
 * Fixed Swedish numeric formatting
 * (bug 2658) Fix signature time, localtime to match timezone offset again
 * Files from shared repositories (e.g. commons) now display with their image description pages when viewed on local wikis.
 * Restore compatibility namespace aliases for French Wikipedia
 * Fix diff order on Enhanced RC 'changes' link
 * (bug 2650) Fix national date type display on wikis that don't support dynamic date conversion.
 * FiveUpgrade: large table hacks, install iw_trans update before links
 * (bug 2648) Rename namespaces in Afrikaanse
 * Special:Booksources checks if custom list page exists before using it
 * (bug 1170) Fixed linktrail for da: and ru:
 * (bug 2683) Really fix apostrophe escaping for toolbox tips
 * (bug 923) Fix title and subtitle for rclinked special page
 * (bug 2642) watchdetails message in several languages used  instead of [ ]
 * (bug 2181) basic CSB language localisation by Tomasz G. Sienicki (thanks for the patch)
 * Fix correct use of escaping in edit toolbar bits
 * Removed language conversion support from Icelandic
 * (bug 2616) Fix proportional image scaling, giving correct height
 * (bug 2640) Include width and height attributes on unscaled images
 * Workaround for mysterious problem with bogus epoch If-Last-Modified reqs
 * (bug 1109) Suppress compressed output on 304 responses
 * (bug 2674) Include some site configuration info in export data: namespaces definitions, case-sensitivity, site name, version.
 * Use xml:space="preserve" hint on export elements
 * Make language variant selection work again for zh

Changes since 1.5beta2

 * Escaped & correctly in Special:Contributions
 * (bug 2534) Hide edit sections with CSS to make right click to edit section work
 * (bug 2708) Avoid undefined notice on cookieless login attempt
 * (bug 2188) Correct template namespace for Greek localization
 * Fixed number formatting for Dutch
 * (bug 1355) add class noprint to commonPrint.css
 * (bug 2350) Massive update for Limburgish (li) language using Wikipédia
 * Massive update for Arab (ar) language using Wikipédia
 * (bug 1560) Massive update for Kurdish (ku) language using Wikipédia
 * (bug 2709) Some messages were not read from database
 * (bug 2416) Don't allow search engine robots to index or follow nonexisting articles
 * Fix escaping in page move template.
 * (bug 153) Discrepancy between thumbnail size and height attribute

Changes since 1.5beta3

 * Fix talk page move handling
 * (bug 2721) New language file for Vietnamese with the Vietnamese number notation
 * (bug 2749)  would appear as a literal in image galleries for Cs, Fr, Fur, Pl and Sv
 * (bug 787) external links being rendered when they only have one slash
 * Fixed a missing typecast in Language::dateFormat that would cause some interesting errors with signitures.
 * (bug 2764) Number format for Nds
 * (bug 1553) Stop forcing lowercase in Monobook skin for German language.
 * (bug 1064) Implements Special:Unusedcategories
 * (bug 2311) New language file for Macedonian
 * Fix nohistory message on empty page history
 * Fix fatal error in history when validation on
 * Cleaned up email notification message formatting
 * Finally fixed Special:Disambiguations that was broke since SCHEMA_WORK
 * (bug 2761) fix capitalization of "i" in Turkish
 * (bug 2789) memcached image metadata now cleared after deletion
 * Add serialized version number to image metadata cache records
 * (bug 2780) Fix thumbnail generation with GD for new image schema
 * (bug 2791) Slovene numeric format
 * (bug 655) Provide empty search form when searching for nothing
 * Nynorsk numeric format fix
 * (bug 2825) Fix regression in newtalk notifications for anons w/ enotif off
 * (bug 2833) Fix bug in previous fix
 * With $wgCapitalLinks off, accept off-by-first-letter-case in 'go' match
 * Optional parameters for Special:Listusers
 * (bug 2832) Special:Listadmins redirects to Special:Listusers/sysop
 * (bug 785) Parser did not get out of  with list elements
 * Some shared upload fixes
 * (bug 2768) section=new on nonexistent talk page does not add heading
 * support preload= parameter for section=new
 * show comment subject in preview when using section=new
 * use comment form when creating a new talk page
 * (bug 460) Properly handle tags as a block.
 * Undo inconsistent editing behavior change
 * (bug 2835) Back out fix for bug 2802, caused regressions in category sort
 * PHP 4.1.2 compatibility fix: define floatval equivalent if missing
 * (bug 2901) Number format for Catalan
 * Special:Allpages performance hacks: index memcached caching, removed inverse checkbox, use friendlier relative offsets in index build
 * Bring back "Chick" skin for mobile devices. It needs testing.
 * Fix spelling of $wgForwardSearchUrl in DefaultSettings.php
 * Specify USE INDEX on Allpages chunk queries, sometimes gets lost due to bogus optimization
 * (bug 275) Section duplication fix
 * Remove unused use of undefined variable in UserMailer
 * Fix notice on search index update due to non-array
 * (bug 2885) Fix fatal errors and notices in PHP 5.1.0beta3
 * (bug 2931) Fix additional notices on reference use in PHP 4.4.0
 * (bug 2774) Add three new $wgHooks to LogPage which enable extensions to add their own logtypes, see extensions/Renameuser/SpecialRenameuser.php for an example of this.
 * (bug 740) Messages from extensions now appear in Special:Allmessages
 * (bug 2857) fixed parsing of lists in  sections
 * (bug 796) Trackback support
 * Fix 1.5 regression: weird, backwards diff links on new pages in enhanced RC are now suppressed as before.
 * New skin: Simple
 * "uselang" and "useskin" URL parameters can now be used in the URL when viewing a page, to change the language and skin of a page respectively.
 * Skins can now be previewed in preferences
 * (bug 2943) AuthPlugin::getCanonicalName name canonicalization hook, patch from robla
 * Wrap revision insert & page update in a transaction, rollback on late edit conflict.
 * (bug 2953) 'other' didn't work in Special:Blockip when localized
 * (bug 2958) Rollback and delete auto-summary should be in the project's content language
 * Removed useless protectreason message
 * Spelling fix: $wgUrlProtcols -> $wgUrlProtocols
 * Switch Moldovan local name to cyrillic
 * Fix typo in undefined array index access prevention
 * (bug 2947) Update namespaces for sr localization
 * (bug 2952) Added Asturian language file with translated namespaces
 * (bug 2676) Apply a protective transformation on editing input/output for browsers that hit the Unicode blacklist. Patch by plugwash.
 * (bug 2999) Fix encoding conversion of pl_title in upgrade1_5.php
 * compressOld.php disabled, as it's known to be broken.

Changes since 1.5beta4

 * Fix Special:Allmessages under PHP 5
 * (bug 2911) Special:Watchlist allowed only one type of limit at a time
 * (bug 693) Special:Allmessages is excessively wide and redundant
 * (bug 3001) Updated and applied live hack for recentchanges-based watchlist
 * (bug 145) Finish 'exclude redirect' implementation in search form
 * Rearranged Special:Movepage form to reduce confusion between destination title and reason input boxes
 * (bug 2527) Always set destination filename when new file is selected
 * (bug 3056) MySQL 3 compatibility fix: USE INDEX instead of FORCE INDEX
 * PHP 4.1 compatibility fix: don't use new_link parameter to mysql_connect if running prior to 4.2.0 as it causes the call to fail
 * (bug 3117) Fix display of upload size and type with tidy on
 * (bug 1487) invalid html on empty list in banlist
 * (bug 3017) Hotkey conflict for delete and show changes
 * made pixel unit translateable and blocklistline now eats infiniteblock and expiringblock
 * (bug 3092) Wrong numerical separator for big numbers in Serbian.
 * (bug 2855) Credit for a uniq author showed its realname even with $wgAllowRealName=false.
 * New special page: SpecialMostlinked
 * (bug 2393) Fix MIME type for Atom feeds ( application/rss+atom )
 * Fix display of read-only lockfile message
 * Added a new hook, 'AddNewAccount', which is run after account creation
 * Update all stats fields on recount.sql
 * Include software-visible client IP address in Special:Version comment as a proxy debugging aid
 * (bug 3162) Fix 'undefined property page_is_new' error on watchlist
 * (bug 1734) granting db permissions failed with db usernames containg '-'
 * (bug 3170) wikititlesuffix was removed, use pagetitle instead
 * (bug 3187) watchlist text refer to unexistent "Stop watching" action
 * (bug 3190) Added some date format choices for language sr
 * (bug 1334) LanguageGa.php update
 * (bug 1020) Changing user interface language does not work immediately
 * (bug 2753) Some namespaces were not translated in LanguageTa.php (Tamil)
 * (bug 3204) Fix typo breaking special pages in fy localization
 * (bug 3210) Fix Media: links with remote image URL path
 * (bug 3220) Fix escaping of block URLs in Recentchanges
 * (bug 3238): Updated LanguageNn.php for 1_5 branch
 * (bug 3192): properly check 'limit' parameter on Special:Contributions
 * (bug 3244) Fix remote image loading hack, JavaScript injection on MSIE
 * Fix URL sanitization in HTML attributes, which broke in this branch
 * (bug 3475) anon contrib links on Special:Newpages

Changes since 1.5rc2

 * Fix upgrade from 1.4 due to version number check breakage
 * Fix upgrade from 1.4 with no old revisions
 * (bug 2108) Sort entries when using category browser
 * XSS issue : now sanitize search query input

Changes since 1.5rc3

 * (bug 3280) Respect 'move' group permission on page moves
 * (bug 2885) More PHP 5.1 fixes: skin, search, log, undelete
 * Security fix for
 * Security fix for tables

Changes since 1.5rc4

 * (bug 3292) Fix move-over-redirect test when current entries are not plaintext
 * (bug 2078) Don't hide watch tab on preview
 * (bug 3306) Document $wgLocalTZoffset
 * Support SVG rendering with rsvg
 * Cap arbitrary SVG renders to given image size or $wgSVGMaxSize pixels wide
 * (bug 3127) Render large SVGs at image page size correctly
 * (bug 3448) Set page_len on undelete
 * (bug 2800) Don't scale up small iamges on |thumb| without explicit size
 * Use the real file link instead of the default-size rasterized version for large SVG images on image description page
 * Include the file name/type/size line for non-resized images
 * (bug 3412) Clean up date format handling so ~ -sigs work with default format as designed. Documentation comments updated.
 * (bug 1423) LanguageJa.php update
 * (bug 3405) Don't use raw letters as aliases of MSGNW: and SUBST:
 * (bug 3485) Fix bogus warning about filename capitalization when off
 * (bug 2792) Update rebuildrecentchanges.inc for new schema
 * Special:Import/importDump fixes: report XML parse errors, accept
 * (bug 3489) PHP 5.1 compat problem with captioned images
 * (bug 3350) Missing label for move talk page checkbox.
 * (bug 2570) Add 'watch this page' checkbox on uploads, watch uploads by default when 'watchdefault' option is on
 * (bug 3182) Clear link cache during import to prevent memory leak
 * (bug 3573) Full Greek Translation
 * (bug 3595) Warn and abort if importDump.php called in read-only mode.
 * (bug 3598) Update message cache on message page deletion, patch by Tietew
 * Blacklist additional MSIE CSS safety tricks

Changes since 1.5.0

 * (bug 3629) Fix date & time format for Frisian
 * (bug 3641) Fix handling of unrecognized file uploads with known extensions
 * (bug 3643) Fix image page display of large images with resizing disabled
 * Fix meta robots tag on Special:Version again to avoid listing vulnerable versions for convenient harvesting by automated worms
 * (bug 3684) Fix typo in fatal error backtraces in Hooks.php
 * Backport fix for reference usage notice in Special:Search on PHP 4.4.0
 * Backport database connect error display fix from HEAD
 * (bug 2773) Print style sheet no longer overrides RTL text direction
 * MonoBook skin top link id changed from "contentTop" to "top" (shared with name attribute)
 * Wrap message page insertions in a transaction to speed up installation
 * Fix Special:MovePage invalid HTML attribute for reason textarea
 * Avoid notice warning on edit with no User-Agent header
 * (bug 3734) Swapped out obsolete recount.sql with initStats.php
 * (bug 3735) Fix to run under MySQL 5's strict mode
 * (bug 3786) Experimental support for MySQL 4.1/5.0 utf8 charset mode NOTE: Enabling this may break existing wikis, and still doesn't work for all Unicode characters due to MySQL limitations.
 * Sanitizer CSS comment processing order fix

Changes since 1.5.1

 * Fix Special:BrokenRedirects on MySQL 5.0
 * (bug 3809) Backport fix for detecting diff3 failure
 * MySQL 5.0 strict mode fix for moving unwatched pages
 * (bug 3782) Throw fatal installation warning if mbstring.func_overload on. Why do people invent these crazy options that change language semantics?
 * (bug 3762) Define missing Special:Import UI messages
 * (bug 3771) Handle internal functions in backtrace in wfAbruptExit
 * (bug 3649) Remove obsolete, broken moveCustomMessages script
 * (bug 3667) Add missing global in page move code
 * (bug 3761) Avoid deprecation warnings in Special:Import
 * (bug 2885) Remove unnecessary reference parameter which broke classic skin talk notification on PHP 5.0.5
 * (bug 3845) Update attribute.php for 1.5 schema
 * Fix Parser::unstrip on PHP 4.4.1 and PHP 5.1.0RC4

Changes since 1.5.2

 * (bug 3612) Remove old broken version of maintenance/compressOld.php The working version is in maintenance/storage/compressOld.php
 * (bug 2740) Accept image deletions on 'enter' submit from MSIE
 * (bug 3933) specify XML namespace for Atom 0.3 feeds
 * (bug 3939) Don't try to load text for interwiki redirect target
 * (bug 3948) Avoid notice warning in debug statement in bad search
 * Recognize Special:Search consistently so read whitelist works
 * (bug 4013) typo in fr
 * (bug 3996) Fix text for new entries in RC RSS/Atom feed
 * (bug 2894) Enhanced Recent Changes link fixes
 * (bug 3065) Update both watched namespaces when renaming pages
 * Move parentheses out of  link in Special:Contributions
 * (bug 4071) Generate passwords long enough for $wgMinimalPasswordLength
 * (bug 4035) Fix prev/next revision links on edit page
 * (bug 4165) Correct validation for user language selection (data taint)
 * Clearer message in DefaultSettings.php: edit LocalSettings.php instead

Changes since 1.5.3

 * (bug 3805) Clear 'new messages' flag properly in enotif mode for usernames containing spaces
 * (bug 2714) Backlink from special:whatlinkshere was hard set as 'existing'
 * (bug 4249) Typo in entities2literals.pl
 * (bug 4233) Update for japanese language
 * (bug 4279) Small correction to LanguageDa.php
 * (bug 4267) Switch dv sd ug ks arc languages to RTL
 * (bug 3991) Allow the operation of wikicode on Protect move only text
 * Added AutoAuthenticate hook for external User object suppliers
 * Parser internal placeholder string now fully randomized for safety

Changes since 1.5.4

 * Maintenance script to delete unused user accounts
 * Added detection for WMF files (application/x-msmetafile), added this MIME type to the default blacklist. Prevented inline display of images which are not of known image types. This is in response to http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

Changes since 1.5.5

 * (bug 4258) When installing under IIS, $wgArticlePath = "$wgScript?title=$1" should be set
 * (bug 4510) Correct Barnes & Noble bookstore URLs
 * (bug 4504) Use site language for namespace name resolution
 * Installer fixes from HEAD backported; now uses a more sensible method of establishing which mySQL user to use, which clears up bug 921 et al. Minor changes to installer.
 * Fix problem reported on mailing list where re-initialising stats didn't work (can't insert duplicate rows with the same id field)
 * (bug 1122) gray out 'older revision' when viewing first article revision.
 * Respect database prefix in dumpHTML.inc
 * Minor improvements to removeUnusedAccounts.php maintenance script
 * Fix for single-digit week numbers from, broken by PHP 4.4.1
 * Removed read-only check from Database::query
 * Added --conf option to command line scripts, allowing the user to specify a different LocalSettings.php.

Changes since 1.5.6

 * Default main page content improved per bug 4690
 * Fix dependence on hardcoded UNIQ_PREFIX in LanguageConverter.php
 * Fixed Special:Unlockdb
 * Maintenance script to delete unused text records
 * Maintenance script to delete non-current revisions
 * Maintenance script to wipe a page and all revisions from the database
 * (bug 4768) Wrong Russian translation (typo)
 * Performance bugfix: propagate equality manually for Revision fetches
 * (bug 4773) PHP fatal error when invalid title passed to Special:Export
 * Added missing table defs. for transcache to installer schemas
 * (bug 4824) IE7 beta 2 broke compatibility with PNG logo workarounds, and seems to work ok with other bits. No longer including the IE workarounds JavaScript for IE 7 and above.
 * (bug 2532) Image directory structure migration bug
 * (bug 4881) Correction to the fix for 1487; Ipblocklist showed 'no blocks' message at the end of the list even if there were blocks.
 * (bug 4805) Removed more wikipedia-references from LanguageUk.php
 * Introduce $wgWantedPagesThreshold per bug 5011; Special:Wantedpages will not list pages with less than this number of links. Defaults to 1.
 * Allow customisation of paging limits for items in categories using the $wgCategoryPagingLimit global, per bug 4970.
 * Improve "nogomatch" text to make it more obvious that a page can be created.
 * (bug 5113) Spelling error in French language file
 * Don't change the password of the MySQL root user.

Changes since 1.5.7

 * (bug 5180) User login page shows inappropriate email blurb
 * Add the "AbortNewAccount" hook on account creation; see hooks.txt for more info.
 * Update default "exporttext" to reflect that Special:Import exists
 * Add links to useful material to the default main page content
 * Fix fragment HTML injection

Changes since 1.5.8

 * Fixed obvious mistakes in Finnish (fi) translation
 * Fixed obvious mistakes in Kurdish (ku) translation
 * Merge two #p-search .pBody statements i monobook/main.css
 * (bug 5156) Update for Hebrew language (he) translation
 * Add the "UserRights" hook on user group changes; see hooks.txt for more info.
 * Translated "listingcontinuesabbrev" for German

Caveats
Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.) For notes on 1.4.x and older releases, see HISTORY

Online documentation
Documentation for both end-users and site administrators is currently being built up on Meta-Wikipedia, and is covered under the GNU Free Documentation License: http://meta.wikipedia.org/wiki/Help:Contents

Mailing list
A MediaWiki-l mailing list has been set up distinct from the Wikipedia wikitech-l list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in #mediawiki on irc.freenode.net