Release notes/1.28/ko

MediaWiki 1.28.3
This is a security and maintenance release of the MediaWiki 1.28 branch.

Changes since 1.28.2

 * (T168856) Allow SVGs created by Dia to be uploaded.
 * (T157545) Add missing doUpdates call to refreshLinks.php.
 * (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
 * (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
 * (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
 * (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
 * (T167798) Fix phrase search and highlighting for phrase queries.
 * (T151136) Provide credits information to callbacks in extension registration.
 * (T160462) Allow namespaces defined in extension.json to be overwritten locally.
 * (T168337) Fix ErrorPageError to work from non-UI contexts.
 * (T143788) Backports for PHP 7.0 and 7.1 support.
 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
 * (T160298) Remove use of implicitGroupBy in ActiveUsersPager.
 * (T174255) Declare uploadCount property in importDump.php.
 * (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
 * (T128209) SECURITY: Reflected File Download from api.php.
 * (T134100) SECURITY: Do not reveal if user exists during login failure.
 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
 * (T125163) SECURITY: Make anchor for headlines escape > and <.
 * (T180237) SECURITY: Protect vendor folder with .htaccess.
 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.

MediaWiki 1.28.2
This is a security release of the MediaWiki 1.28 branch.

Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did not contain the fix for SyntaxHighlight_GeSHi. This new release does contain that fix.

Changes since 1.28.1
없음

Changes since 1.28.0

 * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
 * (T152717) Better escaping for PHP mail command
 * (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
 * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
 * (T158766) Avoid SQL error on MSSQL when using selectRowCount
 * (T145635) Fix too long index error when installing with MSSQL
 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
 * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText when $wgAdvancedSearchHighlighting is true.
 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
 * (T156184) SECURITY: Escape content model/format url parameter in message.
 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache.
 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.

Changes since 1.28.0-rc1

 * (T148957) Replace with  on db errors.
 * (T148956) Only apply to postgres/mssql.
 * (T145991) Introduce separate log action for deleting pages on move.
 * (T141474) (T110464) Bypass login page if no user input is required.

Changes since 1.28.0-rc0

 * (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData and getLimitReportData behave as they did in MediaWiki 1.27 again.
 * (T149510) Value of parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly.
 * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26.
 * (T149759) manifest_version: 2 was removed.

환경 설정 변경 내역

 * now affects status code of action=history if the page is not there.
 * BREAKING CHANGE: is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
 * The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown.
 * The number of internal PBKDF2 iterations used to derive the session secret is configurable via.
 * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads.
 * now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog.
 * The deprecated variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension.
 * When is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default.
 * When is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes".
 * The 'editcontentmodel' permission is now granted to all logged-in users ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at Help:ChangeContentModel.
 * is now set to one week by default instead of being disabled.
 * Magic links are now disabled by default, and can be re-enabled by modifying the value of . Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on Requests for comment/Future of magic links and explain your use case(s).
 * New config variable to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting.

새로운 기능

 * User::isBot method for checking if an account is a bot role account.
 * Added a new 'slideshow' mode for galleries.
 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing.
 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash.
 * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed.
 * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca- -u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script.
 * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar.
 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki.
 * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules.

Upgraded external libraries

 * Updated es5-shim from v4.1.5 to v4.5.8
 * Updated composer/semver from v1.4.1 to v1.4.2
 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4

New external libraries

 * Added wikimedia/scoped-callback v1.0.0
 * Added wikimedia/wait-condition-loop v1.0.1

고쳐진 버그

 * (T146496) action=history pages should return 404 HTTP error code if the page does not exist
 * (T137264) SECURITY: XSS in unclosed internal links
 * (T133147) SECURITY: Escape '<' and ']]>' in inline blocks
 * (T133147) SECURITY: Require login to preview user CSS pages
 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
 * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights

API 변경 내역

 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains the value of $wgMaxArticleSize.
 * Property 'modulemessages' from action=parse&prop=modules was removed (deprecated since 1.26).
 * The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state.
 * Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
 * Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
 * (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator) instead of the pipe character. This will be useful if some of the multiple values need to contain pipes, e.g. for action=options.
 * The API will now warn if input is not NFC-normalized Unicode or if it contains invalid characters.
 * The 'normalized' list output by action=query and other modules that use ApiPageSet may contain entries where the 'from' value is percent-encoded as the raw value cannot be represented in a valid API response. These are indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
 * (T28680) action=paraminfo can now return info about all submodules of a module without listing them all explicitly.
 * (T146770) It is now possible to assert that the current user is a specific named user, using the 'assertuser' parameter.
 * (T141963) Added a 'known' property when missing-but-known titles (e.g. from the 'TitleIsAlwaysKnown' hook) are output in various modules.

API 내부의 바뀜

 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with ApiParse and ApiExpandTemplates.
 * (T139565) SECURITY: API: Generate head items in the context of the given title
 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
 * ApiBase::getResultData was removed (deprecated since 1.25)
 * ApiBase::makeHelpArrayToString was removed (deprecated since 1.25)
 * ApiBase::makeHelpMsgParameters was removed (deprecated since 1.25)
 * ApiBase::makeHelpMsg was removed (deprecated since 1.25)
 * ApiFormatBase::formatHTML was removed (deprecated since 1.25)
 * ApiFormatBase::getNeedsRawData was removed (deprecated since 1.25)
 * ApiFormatBase::getWantsHelp was removed (deprecated since 1.25)
 * ApiFormatBase::setBufferResult was removed (deprecated since 1.25)
 * ApiFormatBase::setHelp was removed (deprecated since 1.25)
 * ApiFormatBase::setUnescapeAmps was removed (deprecated since 1.25)
 * ApiMain::makeHelpMsgHeader was removed (deprecated since 1.25)
 * ApiMain::reallyMakeHelpMsg was removed (deprecated since 1.25)
 * ApiMain::setHelp was removed (deprecated since 1.25)
 * ApiResult::beginContinuation was removed (deprecated since 1.25)
 * ApiResult::cleanUpUTF8 was removed (deprecated since 1.25)
 * ApiResult::convertStatusToArray was removed (deprecated since 1.25)
 * ApiResult::disableSizeCheck was removed (deprecated since 1.24)
 * ApiResult::enableSizeCheck was removed (deprecated since 1.24)
 * ApiResult::endContinuation was removed (deprecated since 1.25)
 * ApiResult::getData was removed (deprecated since 1.25)
 * ApiResult::getIsRawMode was removed (deprecated since 1.25)
 * ApiResult::setContent was removed (deprecated since 1.25)
 * ApiResult::setContinueParam was removed (deprecated since 1.25)
 * ApiResult::setElement was removed (deprecated since 1.25)
 * ApiResult::setGeneratorContinueParam was removed (deprecated since 1.25)
 * ApiResult::setIndexedTagName_internal was removed (deprecated since 1.25)
 * ApiResult::setIndexedTagName_recursive was removed (deprecated since 1.25)
 * ApiResult::setMainForContinuation was removed (deprecated since 1.25)
 * ApiResult::setParsedLimit was removed (deprecated since 1.25)
 * ApiResult::setRawMode was removed (deprecated since 1.25)
 * ApiResult::size was removed (deprecated since 1.25)
 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. A query module can enable these hooks by passing an array for $hookData to ApiQueryBase::select and by calling ApiQueryBase->processRow before adding a row's data to the result.

갱신된 언어
미디어위키는 350가지가 넘는 언어를 지원하고 있습니다. 그중 많은 언어가 정기적으로 갱신됩니다. 아래에는 새로운 언어와 삭제된 언어가 나타나며 버그질라 리포트를 통한 언어 바뀜도 아래에 나타납니다.


 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru, BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha, Saiddzone Saimawnkham, Saosukham, and Sengwan.
 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
 * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.

다른 변경사항

 * (T128697) Improved handling of large diffs.
 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can use or update a custom session provider if needed.
 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
 * SiteConfiguration::isLocalVHost was removed (deprecated since 1.25).
 * The 'UserLoginComplete' hook has a new parameter to differentiate between actual login and visiting the login page while already logged in.
 * ResourceLoader::makeLoaderURL was removed (deprecated since 1.24).
 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
 * Linker::link and Linker::linkKnown were deprecated; please instead use MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd respectively. See docs/hooks.txt for the specific changes needed for those hooks.
 * Linker::formatSize was deprecated. Use Language::formatSize directly.
 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
 * Skin::commentBlock (use Linker::commentBlock instead)
 * Skin::generateRollback (use Linker::generateRollback instead)
 * Skin::link (use MediaWiki\Linker\LinkRenderer instead)
 * Skin::linkKnown (use MediaWiki\Linker\LinkRenderer instead)
 * Skin::userLink (use Linker::userLink instead)
 * Skin::userToolLinks (use Linker::userToolLinks instead)
 * The 'ParserLimitReportFormat' hook was removed.
 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is disabled.
 * DifferenceEngine::generateDiffBody was removed (deprecated since 1.21).
 * UploadBase::stashFileGetKey and UploadBase::stashSession were deprecated. Use ...->stashFile->getFileKey instead.
 * "Public domain" was removed as a wiki license option from the installer, in favour of CC-0.
 * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests.
 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option will no longer be automatically infused. You should call `OO.ui.infuse` on them yourself from your JavaScript code.
 * parserTests.php has moved to tests/parser/parserTests.php
 * The command line options specific to parser tests have been removed from phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter. Instead of --keep-uploads, use the same option to parserTests.php, but you must specify a directory with --upload-dir.
 * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
 * IP::isConfiguredProxy and IP::isTrustedProxy were removed. Callers should migrate to using the same functions on a ProxyLookup instance, obtainable from MediaWikiServices.
 * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation warnings if used.
 * (T68404) CSS3 attr function with url type is no longer allowed in inline styles.
 * Database::getSearchEngine is deprecated, use SearchEngineFactory::getSearchEngineClass instead.

호환성
MediaWiki 1.28 requires PHP 5.5.9 or later. HHVM 3.3.0. 또한 실험적으로 지원하고 있습니다.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. Oracle이나 Microsoft SQL Server 또한 실험적으로 지원하고 있습니다.

지원되는 버전들은 아래에 나열되어 있습니다.


 * MySQL 5.0.3+
 * PostgreSQL 8.3+
 * SQLite 3.3.7+
 * Oracle 9.0.1+
 * Microsoft SQL Server 2005 (9.00.1399)

업그레이드
1.25는 1.24와 상당히 다르기 때문에 업데이트 없이는 잘 동작하지 않을 수 있습니다. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).

만약 1.11 이전의 버전에서 업데이트를 진행한다면 업데이트가 잘 진행되는지 수시로 확인하세요. 어떤 경우에는 데이터베이스 바뀜으로 인해 오류가 생길 수 있습니다.

또한 1.7 이전의 버전에서 업데이트를 진행한다면 정상적인 업데이트를 위해 refreshLinks.php를 실행해야 할 수도 있습니다.

1.4.x 버전이나 그 이전의 초기 버전에서 업데이트를 진행한다면 1.5로 먼저 업데이트를 해야 합니다. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

더 자세한 정보가 필요하다면 "UPGRADE" 파일을 참조하세요.

For notes on 1.27.x and older releases, see HISTORY.

온라인 정보
사이트 관리자를 위한 정보는 MediaWiki.org에서 열람 가능하며 GNU 자유 문서 사용 허가서에 따라 사용할 수 있습니다.


 * https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

읽기 목록
A mailing list is available for MediaWiki user support and discussion:


 * https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:


 * https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

미디어위키를 사용하기 위해서 이들 메일링 리스트가 많은 도움이 될 수 있습니다.

IRC 도움말
irc.freenode.net의 #mediawiki 채널에서는 보통 몇몇 사람들이 온라인 상태로 대기하고 있습니다.