Release notes/1.21

Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it off if you can.

MediaWiki 1.21 is a stable branch and is recommended for use in production.

MediaWiki 1.21.11
This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.10

 * SECURITY: Prevent external resources in SVG files.
 * MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.

MediaWiki 1.21.10
This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.9

 * SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
 * Add space between two feed links.

MediaWiki 1.21.9
This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.8

 * SECURITY: Escape sortKey in pageInfo.
 * Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.

MediaWiki 1.21.8
This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.7

 * SECURITY: Add CSRF token on Special:ChangePassword.
 * Set a title for the context during import on the cli.

MediaWiki 1.21.7
This is a maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.6

 * Use the correct branch of the extensions' git repositories.

MediaWiki 1.21.6
This is a security release of the MediaWiki 1.21 branch.

Changes since 1.21.5

 * SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace.
 * SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
 * SECURITY: API: Don't find links in the middle of api.php links.

MediaWiki 1.21.5
This is a security release of the MediaWiki 1.21 branch.

Changes since 1.21.4

 * SECURITY: Sanitize shell arguments to DjVu files, and other media formats

MediaWiki 1.21.4
This is a security release of the MediaWiki 1.21 branch.

Changes since 1.21.3

 * SECURITY: Disallow stylesheets in SVG Uploads
 * SECURITY: Don't normalize U+FF3C to \ in CSS Checks
 * SECURITY: Disallow -o-link in styles
 * SECURITY: Return error on invalid XML for SVG Uploads
 * SECURITY: Fix RevDel log entry information leaks

MediaWiki 1.21.3
This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.2

 * SECURITY: Don't cache when a call could autocreate
 * SECURITY: Improve css javascript detection
 * Fix behaviour of $wgVerifyMimeType = false; in Upload
 * Fix comma errors in various js files
 * Translations

MediaWiki 1.21.2
This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.1

 * SECURITY: Fix extension detection with 2 .'s
 * SECURITY: Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed.
 * SECURITY: Sanitize ResourceLoader exception messages
 * Purge upstream caches when deleting file assets.
 * Unit test suite now runs the AutoLoader tests. Also fixed the autoloading entry for the PageORMTableForTesting class though it had no impact.

MediaWiki 1.21.1
This is a maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.0

 * An incorrect version number was used for 1.21.0. 1.21.1 has the correct number.
 * A problem with the Oracle SQL table creation was fixed.
 * (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.

Configuration changes

 * has been added and is false by default.
 * is now enabled by default.
 * Deprecated is removed. Use [] = 'realname' instead.
 * Added, specifying minimum count of page watchers required for the number to be accessible to users without the unwatchedpages permission.
 * has been removed.
 * has been removed and its functionality disabled.

New features

 * Add parser method to call parser functions.
 * Schema changes (adding or dropping tables, indices and fields) can now be done separately from other changes that update.php makes. This is useful in environments that use database permissions to restrict schema changes but allow the DB user that MediaWiki normally runs as to perform other changes that update.php makes. Schema changes can be run separately. See the file UPGRADE for more information.
 * jquery.makeCollapsible has been improved in performance.
 * Added ContentHandler facility to allow extensions to support other content than wikitext. See docs/contenthandler.txt for details.
 * New feature was developed for showing high-DPI thumbnails for high-DPI mobile and desktop displays (configurable with ).
 * Added new backend to represent and store information about sites and site specific configuration.
 * jQuery upgraded from 1.8.2 to 1.8.3.
 * jQuery UI upgraded from 1.8.23 to 1.8.24.
 * Added separate fa_sha1 field to filearchive table. This allows sha1 searches with the api in miser mode for deleted files.
 * Add initial and programmatic sorting for tablesorter.
 * Add the event "sortEnd.tablesorter", triggered after sorting has completed.
 * The Job system was refactored to allow for different backing stores for queues as well as cross-wiki access to queues, among other things. The schema for the DB queue was changed to support better concurrency and reduce deadlock errors.
 * Added ApiQueryORM class to facilitate creation of query API modules based on tables that have a corresponding ORMTable class.
 * Icon for PSD (Adobe Photoshop) file types.
 * Implemented Special:Version/Credits with a list of contributors.
 * Implemented one-click AJAX patrolling.
 * The <data>, <time>, <meta>, and <link> elements are allowed within WikiText for use with Microdata.
 * The HTML5 <mark> tag has been whitelisted.
 * Added ParserCloned hook for when the Parser object is cloned.
 * Added AlternateEditPreview hook to allow extensions to replace the page preview from the edit page.
 * Added EditPage::showStandardInputs:options hook to allow extensions to add new fields to the "editOptions" area of the edit form.
 * Upload stash DB schema altered to improve upload performance.
 * The following global functions are now reporting deprecated warnings in debug mode: wfMsg, wfMsgNoTrans, wfMsgForContent, wfMsgForContentNoTrans, wfMsgReal, wfMsgGetKey, wfMsgHtml, wfMsgWikiHtml, wfMsgExt, wfEmptyMsg. Use the Message class, or the global method wfMessage.
 * Added, off by default. If enabled, a <link rel=canonical> tag is added to every page indicating the correct server to use.
 * Debug messages emitted by wfDebugLog will now be prefixed with the group name when logged to the default log file. That is the case whenever the group has no key in wgDebugLogGroups; the prefix helps triage the default log.
 * Add types to LogFormatter.
 * jQuery JSON upgraded from 2.3 to 2.4.0.
 * Added GetDoubleUnderscoreIDs hook, for modifying the list of magic words.
 * DatabaseUpdater class has two new methods to ease extensions schema changes: dropExtensionIndex and renameExtensionIndex.
 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
 * Hide rollback link if a user is the only contributor of the page.
 * limits the list size of transcluded articles on the info action. Default is 50.
 * Added action=createaccount to allow user account creation.
 * action=options API also allows for setting of arbitrary preferences, provided that their names are prefixed with 'userjs-'. This officially reenables the feature that was undocumented and defective in MW 1.20 (saving preferences using Special:Preferences cleared any additional fields) and which has been disabled in 1.20.1 as a part of a security fix.
 * Added option to specify "others" as author in extension credits using "..." as author name.
 * Added the ability to limit the wall clock time used by shell processes, as well as the CPU time. Configurable with.
 * Allow memory of shell subprocesses to be limited using Linux cgroups instead of ulimit -v, which tends to cause deadlocks in recent versions of ImageMagick. Configurable with.
 * Added for regex whitelisting.
 * Categories that are redirects will be displayed italic in the category links section at the bottom of a page.
 * New maintenance script deleteEqualMessages.php.
 * You can now create checkbox option matrices through the HTMLCheckMatrix subclass in HTMLForm.
 * WikiText now permits the use of WAI-ARIA's role="presentation" inside of html elements and tables. This allows presentational markup, especially tables, to be marked up as such.
 * maintenance/sql.php learned the --cluster option. It lets you run the script on some external cluster instead of the primary cluster for a given wiki.
 * test the parsing of inline URLs.
 * Added Special:PagesWithProp, which lists pages using a particular page property.
 * Implemented language-specific collations for category sorting for 67 languages based on Latin, Greek and Cyrillic alphabets. This allows one to *finally* get articles to be correctly sorted on category pages. They are named 'uca-<langcode>', where <langcode> is one of: af, ast, az, be, bg, br, bs, ca, co, cs, cy, da, de, dsb, el, en, eo, es, et, eu, fi, fo, fr, fur, fy, ga, gd, gl, hr, hsb, hu, is, it, kk, kl, ku, ky, la, lb, lt, lv, mk, mo, mt, nl, no, oc, pl, pt, rm, ro, ru, rup, sco, sk, sl, smn, sq, sr, sv, tk, tl, tr, tt, uk, uz, vi.
 * Added 'CategoryAfterPageAdded' and 'CategoryAfterPageRemoved' hooks.
 * Added 'HistoryRevisionTools' and 'DiffRevisionTools' hooks.
 * Added 'SpecialSearchResultsPrepend' and 'SpecialSearchResultsAppend' hooks.
 * Add image rotation api "imagerotate"
 * Add "User rights management" link on user page toolbox.
 * Add QUnit assertion helper "QUnit.assert.htmlEqual" for asserting structural equality of HTML (ignoring insignificant differences like quote marks, order and whitespace in the attribute list).

Bug fixes

 * Chunked uploads allow arbitrary data to be dropped on the server
 * $wgContentHandlerUseDB should be set to false during the upgrade
 * Sanitize $limitReport before outputting.
 * Disable external entities in XMLReader.
 * Disable external entities in Import.
 * PHP Fatal error: Call to a member function isLocal on a non-object in Title.php
 * Special:ProtectedPages results in whitepage when a bad title is protected
 * Installer can now customize the logo in LocalSettings.php
 * SpecialDoubleRedirect should support interwiki redirects.
 * fixDoubleRedirects.php should support interwiki redirects.
 * SpecialBrokenRedirect should not list interwiki redirects.
 * Drop unused fields rc_moved_to_ns and rc_moved_to_title from recentchanges table.
 * Do not register internal externals with absolute protocol, when server has relative protocol.
 * When purging proxies listed in using HTTP PURGE  method requests, we now send a Host header by default, for Varnish  compatibility. This also works with Squid in reverse-proxy mode. If you wish  to support Squid configured in forward-proxy mode, set   to false.
 * sql.php with readline eats semicolon.
 * Properly handle optionally-closed HTML tags when Tidy is disabled, and don't wrap HTML-syntax definition lists in paragraphs.
 * Diffs while editing an old revision should again diff against the current revision.
 * Honor when logging non-API exceptions  caught during API execution.
 * Fixed loading process for user options.
 * Update filename field on Upload page after having sanitized it.
 * Contribution links to users with 0 edits on Special:ListUsers didn't show up red.
 * A PHP notice no longer occurs when using the "rvcontinue" API parameter.
 * Account creation emails now contain canonical (not protocol-relative) URLs.
 * Fix regression: API edit with redirect=true and lacking starttimestamp and basetimestamp should not cause an edit conflict.
 * EditPage: Preloaded page should be converted if possible and needed.
 * Rowspans are no longer exploded by tablesorter until the table is actually sorted.
 * User interface HTML elements don't use lang attribute. (completed the fix by adding the lang attribute to firstHeading).
 * Removed namespace prefixes on Special:UncategorizedCategories.
 * Log in "returnto" feature forgets query parameters if no title parameter was specified.
 * API action=edit now returns correct timestamp for the new edit.
 * Email notification mistakes log action for new page creation. Enotif no longer sends "page has been created" notifications for some log actions. The following events now have a correct message: page creation, deletion, move, restore (undeletion), change (edit). Parameter $CHANGEDORCREATED is deprecated in 'enotif_body' and scheduled for removal in MediaWiki 1.23.
 * In the sidebar of Vector, CologneBlue, Monobook, and Monobook-based skins, the heading levels have been changed from (variously per skin) <h4>, <h5> or <h6> to only <h3>s, with a <h2> hidden heading above them. If you are styling or scripting the headings in a custom way, this change will require updates to your site's CSS or JS.
 * jquery.suggestions should cancel any active (async) fetches before it triggers another fetch.
 * missing second variable.
 * removeUnusedAccounts.php maintenance script now ignores newuser log when determining whether an account is used.
 * Gracefully fail if rev_len is unavailable for a revision on the History page.
 * API no longer assumes all exceptions are MWException.
 * Hide "New user message" (.usermessage) element from printable view.
 * Special:Contributions will display changes that don't have a parent id instead of just an empty bullet item.
 * "LinkCache doesn't currently know about this title" error fixed.
 * wfMerge now works if contains spaces
 * mediawiki.action.view.dblClickEdit.dblClickEdit should trigger ca-edit click instead of opening URL directly.
 * Invalid value of "link" parameter in <gallery> no longer produces a fatal error.
 * The username field is not pre-filled when creating an account.
 * wfParseUrl no longer produces a PHP notice if passed a "mailto:" URL without address
 * Creating an account by e-mail can no longer show a "password mismatch" error.
 * On Special:Version, HEADs for submodule checkouts (e.g. for extensions) performed using Git 1.7.8+ should now appear.
 * Check if files exist with a different extension during uploading
 * Updated CSS for Atom/RSS recent changes feeds to match on-wiki diffs.
 * Calling numRows on MySQL no longer propagates unrelated errors.
 * Removed mention of non-existing maintenance/migrateCurStubs.php script in includes/DefaultSettings.php
 * jquery.badge: Treat non-Latin variants of zero as zero as well.
 * mwdocgen.php should not ignore exit code of doxygen command.
 * Fix $.tablesorter rowspan exploding for complex cases.
 * Installer now automatically selects the next-best database type if the PHP mysql extension is not loaded, preventing fatal errors in some cases.
 * wikibits: FF2Fixes.css should not be loaded in Firefox 20.

API changes

 * BREAKING CHANGE
 * Chunked uploads are now disabled by default. You can re-enable them by setting =true


 * BREAKING CHANGE
 * list=logevents output format changed for details of some log types. Specifically, details that were formerly reported under a key like "4::foo" will now be reported under a key of simply "foo".


 * BREAKING CHANGE
 * '??_badcontinue' error code was changed to '??badcontinue' for all query modules.


 * prop=revisions can now report the contentmodel and contentformat. See docs/contenthandler.txt.
 * action=edit and action=parse now support contentmodel and contentformat parameters to control the interpretation of page content. See docs/contenthandler.txt for details.
 * ApiQueryImageInfo now suppresses errors when unserializing metadata.
 * Disable minor edit for page/section creation by API.
 * Revert change to action=parse&page=... behavior when the page does not exist.
 * Add timestamp sort to list=allimages.
 * Don't return the sha1 of revisions through the API if the content is revision-deleted.
 * ApiQueryImageInfo now also returns imageinfo for redirects.
 * list=alltransclusions added to enumerate every instance of page embedding
 * list=alllinks & alltransclusions now allow both 'from' and 'continue' in the same query. When both are present, 'from' is simply ignored.
 * list=alllinks & alltransclusions now allow 'unique' in generators, to yield a list of all link/template target pages instead of source pages.
 * ApiQueryBase adds 'badcontinue' error code if module has 'continue' parameter.
 * Removed version parameter and all getVersion methods.
 * action=options now takes a "resetkinds" option, which allows only resetting certain types of preferences when the "reset" option is set.
 * ApiQueryImageInfo now returns imageinfo for the redirect target when queried with &redirects=.
 * ApiQueryImageInfo no longer gets confused when asked for info on a redirect and its target.
 * ApiQueryImageInfo no longer throws exceptions with ForeignDBRepo redirects.
 * On error, any warnings generated before that error will be shown in the result.
 * action=help supports generalized submodules (modules=query+value), querymodules obsolete
 * ApiQueryImageInfo continuation is more reliable. The only major change is that the imagerepository property will no longer be set on page objects not processed in the current query (i.e. non-images or those skipped due to iicontinue).
 * Add support for all pageset capabilities - generators, redirects, converttitles to action=purge and action=setnotificationtimestamp.
 * prop=pageprops&ppprop= now accepts multiple props to query.
 * ApiQueryImageInfo will now limit the number of calls to File::transform made in any one query. If there are too many, iicontinue will be returned.
 * action=query&meta=siteinfo&siprop=general will now return the regexes used for link trails and link prefixes. Added for Parsoid support.
 * Added an API query module list=pageswithprop, which lists pages using a particular page property.
 * Added an API query module list=pagepropnames, which lists all page prop names currently in use on the wiki.
 * ApiMain::execute will now return after the CORS check for an HTTP OPTIONS request.
 * action=upload works correctly if the entire file is uploaded in the first chunk.
 * Added 'continue=' parameter to streamline client iteration over complex query results
 * API parameters may now be marked as type "upload", which is now used for action=upload's 'file' and 'chunk' parameters. This type will raise an error during parameter validation if the parameter is given but not recognized as an uploaded file.
 * prop=info may now return the number of people watching each page.
 * list=allpages will no longer return duplicate entries when querying protection.
 * list=allpages will now find really old indefinite protections.
 * meta=allmessages will report a syntactically invalid lang as a proper error instead of as an uncaught exception.
 * SpecialStatistics::getOtherStats now uses the user language.

API internal changes

 * BREAKING CHANGE
 * ApiPageSet constructor now has two params instead of three, with only the first one keeping its meaning. ApiPageSet is now derived from ApiBase.


 * BREAKING CHANGE
 * ApiQuery::newGenerator and executeGeneratorModule were deleted.


 * For debugging only, a new global removes many API restrictions when true. Never use on the production servers, as this flag introduces security holes. Whenever enabled, a warning will also be added to all output.
 * ApiModuleManager now handles all submodules (actions,props,lists) and instantiation
 * Query stores prop/list/meta as submodules
 * ApiPageSet can now be used in any action to process titles/pageids/revids or any generator.
 * ApiQueryGeneratorBase::setGeneratorMode now requires a pageset param.
 * is now obsolete and will be ignored.
 * Added flags ApiResult::OVERRIDE and ADD_ON_TOP to setElement and addValue
 * Internal API calls will now include <warnings> in case of unused parameters

Languages updated
MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.


 * South Azerbaijani (azb) added.
 * Autonym for nds-nl is now 'Nedersaksies' (was 'Nedersaksisch').
 * Autonym for pi (Pali) is now 'पालि' (was 'पाळि').
 * Now formatted numbers in Spanish use space as separator for thousands, as mandated by the Real Academia Española.
 * Kurdish formatted numbers now use period and comma as separators for thousands and decimals respectively.

Other changes

 * Experimental IBM DB2 support was removed due to lack of interest and maintainership.
 * BREAKING CHANGE
 * Removed the jquery.collapsibleTabs module and moved it to the Vector extension. It was entirely Vector-extension-specific, deeply interconnected with the extension, and this functionality really belongs to the extension instead of the skin anyway. In the unlikely case you were using it, you have to either copy it to your extension, or install the Vector extension (and possibly disable its features using config settings if you don't want them).


 * BREAKING CHANGE
 * Filenames of maintenance scripts were standardized into lowerCamelCase format, and made more explicit:
 * clear_stats.php → clearCacheStats.php
 * clear_interwiki_cache.php → clearInterwikiCache.php
 * initStats.php → initSiteStats.php
 * proxy_check.php → proxyCheck.php
 * stats.php → showCacheStats.php
 * showStats.php → showSiteStats.php.
 * Class names were renamed accordingly:
 * clear_stats → ClearCacheStats
 * InitStats → InitSiteStats
 * CacheStats → ShowCacheStats
 * ShowStats → ShowSiteStats.


 * BREAKING CHANGE
 * Removed the mediawiki.api.titleblacklist module and moved it to the TitleBlacklist extension.

Compatibility
MediaWiki 1.21 requires PHP 5.3.2 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle.

The supported versions are:


 * MySQL 5.0.2 or later


 * PostgreSQL 8.3 or later


 * SQLite 3.3.7 or later


 * Oracle 9.0.1 or later

Upgrading
1.21 has several database changes since 1.20, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.19.x and older releases, see HISTORY.

Online documentation
Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):


 * Documentation

Mailing list
A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help
There's usually someone online in the IRC channel.