From MediaWiki.org
Jump to navigation Jump to search
This page is a translated version of the page Release notes/1.28 and the translation is 91% complete.

Other languages:
български • ‎Deutsch • ‎English • ‎español • ‎日本語 • ‎한국어

MediaWiki 1.28.3

This is a security and maintenance release of the MediaWiki 1.28 branch.

Changes since 1.28.2

  • (T168856) Allow SVGs created by Dia to be uploaded.
  • (T157545) Add missing doUpdates() call to refreshLinks.php.
  • (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
  • (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
  • (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
  • (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
  • (T167798) Fix phrase search and highlighting for phrase queries.
  • (T151136) Provide credits information to callbacks in extension registration.
  • (T160462) Allow namespaces defined in extension.json to be overwritten locally.
  • (T168337) Fix ErrorPageError to work from non-UI contexts.
  • (T143788) Backports for PHP 7.0 and 7.1 support.
  • (T175439) Unbreak Postgres Updater when setting defaults for a column.
  • (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
  • (T174255) Declare uploadCount property in importDump.php.
  • (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
  • (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
  • (T165846) SECURITY: BotPassword login attempts weren't throttled.
  • (T128209) SECURITY: Reflected File Download from api.php.
  • (T134100) SECURITY: Do not reveal if user exists during login failure.
  • (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
  • (T125163) SECURITY: Make anchor for headlines escape > and <.
  • (T180237) SECURITY: Protect vendor folder with .htaccess.
  • (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
  • (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
  • (T119158) SECURITY: Handle -{}- syntax in attributes safely.

MediaWiki 1.28.2

これは MediaWiki 1.28 ブランチのセキュリティ リリースです。

Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did not contain the fix for SyntaxHighlight_GeSHi. This new release does contain that fix.

1.28.1 からの変更点


MediaWiki 1.28.1

1.28.0 からの変更点

  • $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
  • Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
  • (T152717) Better escaping for PHP mail() command
  • (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
  • (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
  • (T158766) Avoid SQL error on MSSQL when using selectRowCount()
  • (T145635) Fix too long index error when installing with MSSQL
  • (T156184) $wgRawHtml will no longer apply to internationalization messages.
  • (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
  • (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
  • (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
  • (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
  • (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
  • (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
  • (T156184) SECURITY: Escape content model/format url parameter in message.
  • (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
  • (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache.
  • (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.

MediaWiki 1.28

1.28.0-rc1 からの変更点

1.28.0-rc0 からの変更点

  • (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again.
  • (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly.
  • (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26.
  • (T149759) manifest_version: 2 was removed.



  • User::isBot() method for checking if an account is a bot role account.
  • Added a new 'slideshow' mode for galleries.
  • Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
  • Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing.
  • Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash.
  • (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed.
  • (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script.
  • Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar.
  • mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki.
  • After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
  • Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules.



  • Updated es5-shim from v4.1.5 to v4.5.8
  • Updated composer/semver from v1.4.1 to v1.4.2
  • Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4


  • Added wikimedia/scoped-callback v1.0.0
  • Added wikimedia/wait-condition-loop v1.0.1


  • (T146496) action=history pages should return 404 HTTP error code if the page does not exist
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()

操作 API の変更

  • Added 'maxarticlesize' property to action=query&meta=siteinfo which contains the value of $wgMaxArticleSize.
  • Property 'modulemessages' from action=parse&prop=modules was removed (deprecated since 1.26).
  • The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state.
  • Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator) instead of the pipe character. This will be useful if some of the multiple values need to contain pipes, e.g. for action=options.
  • The API will now warn if input is not NFC-normalized Unicode or if it contains invalid characters.
  • The 'normalized' list output by action=query and other modules that use ApiPageSet may contain entries where the 'from' value is percent-encoded as the raw value cannot be represented in a valid API response. These are indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
  • (T28680) action=paraminfo can now return info about all submodules of a module without listing them all explicitly.
  • (T146770) It is now possible to assert that the current user is a specific named user, using the 'assertuser' parameter.
  • (T141963) Added a 'known' property when missing-but-known titles (e.g. from the 'TitleIsAlwaysKnown' hook) are output in various modules.

操作 API の内部的な変更

  • Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with ApiParse and ApiExpandTemplates.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • ApiBase::getResultData() was removed (deprecated since 1.25)
  • ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
  • ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
  • ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
  • ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
  • ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
  • ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
  • ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
  • ApiFormatBase::setHelp() was removed (deprecated since 1.25)
  • ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
  • ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
  • ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
  • ApiMain::setHelp() was removed (deprecated since 1.25)
  • ApiResult::beginContinuation() was removed (deprecated since 1.25)
  • ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
  • ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
  • ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
  • ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
  • ApiResult::endContinuation() was removed (deprecated since 1.25)
  • ApiResult::getData() was removed (deprecated since 1.25)
  • ApiResult::getIsRawMode() was removed (deprecated since 1.25)
  • ApiResult::setContent() was removed (deprecated since 1.25)
  • ApiResult::setContinueParam() was removed (deprecated since 1.25)
  • ApiResult::setElement() was removed (deprecated since 1.25)
  • ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
  • ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
  • ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
  • ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
  • ApiResult::setParsedLimit() was removed (deprecated since 1.25)
  • ApiResult::setRawMode() was removed (deprecated since 1.25)
  • ApiResult::size() was removed (deprecated since 1.25)
  • Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. A query module can enable these hooks by passing an array for $hookData to ApiQueryBase::select() and by calling ApiQueryBase->processRow() before adding a row's data to the result.


MediaWiki は 350 種類以上の言語に対応しています。 多数の地域化が、定期的に更新されています。 Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

  • (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru, BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
  • (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha, Saiddzone Saimawnkham, Saosukham, and Sengwan.
  • Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
  • (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.


  • (T128697) Improved handling of large diffs.
  • [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can use or update a custom session provider if needed.
  • Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
  • The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
  • SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
  • The 'UserLoginComplete' hook has a new parameter to differentiate between actual login and visiting the login page while already logged in.
  • ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
  • $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
  • mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
  • mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
  • Linker::link() and Linker::linkKnown() were deprecated; please instead use MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd respectively. See docs/hooks.txt for the specific changes needed for those hooks.
  • Linker::formatSize() was deprecated. Use Language::formatSize() directly.
  • Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
    • Skin::commentBlock() (use Linker::commentBlock() instead)
    • Skin::generateRollback() (use Linker::generateRollback() instead)
    • Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
    • Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
    • Skin::userLink() (use Linker::userLink() instead)
    • Skin::userToolLinks() (use Linker::userToolLinks() instead)
  • The 'ParserLimitReportFormat' hook was removed.
  • Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is disabled.
  • DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
  • UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated. Use ...->stashFile()->getFileKey() instead.
  • "Public domain" was removed as a wiki license option from the installer, in favour of CC-0.
  • AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests.
  • OOjs UI PHP widgets constructed with the `'infusable' => true` config option will no longer be automatically infused. You should call `OO.ui.infuse()` on them yourself from your JavaScript code.
  • parserTests.php has moved to tests/parser/parserTests.php
  • The command line options specific to parser tests have been removed from phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter. Instead of --keep-uploads, use the same option to parserTests.php, but you must specify a directory with --upload-dir.
  • The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
  • IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should migrate to using the same functions on a ProxyLookup instance, obtainable from MediaWikiServices.
  • The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation warnings if used.
  • (T68404) CSS3 attr() function with url type is no longer allowed in inline styles.
  • Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass instead.


MediaWiki 1.28 には PHP 5.5.9 以降が必要です。 HHVM 3.6.5 以降には実験的に対応しています。

MySQL が推奨される DBMS です。 PostgreSQL または SQLite も使用できますが、それらへの対応はやや成熟していません。 Oracle および Microsoft SQL Server には実験的に対応しています。


  • MySQL 5.0.3+
  • PostgreSQL 8.3+
  • SQLite 3.3.7+
  • Oracle 9.0.1+
  • Microsoft SQL Server 2005 (9.00.1399)


1.28 には 1.27 からいくつかのデータベース変更があり、スキーマ更新をしなければ動作しません。 リビジョンテーブルのようないくつかのとても大きなテーブルへの変更のため、スキーマ更新には非常に長い時間(中規模サイトで数分、大規模サイトで数時間)がかかる可能性があることに注意してください。

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

1.7 以前からのアップグレードの場合、新しいデータベースフィールドに確実にデータを満たすため、refreshLinks.php を実行するとよいでしょう。

MediaWiki 1.4.x またはそれ以前からアップグレードする場合は、まず先に 1.5 にアップグレードする必要があります。 アップグレードスクリプト maintenance/upgrade1_5.php は MediaWiki 1.2.1 で取り除かれています。


詳細なアップグレード手順についてはファイル UPGRADE を参照してください。

1.27.x 以前のリリースのリリースノートについては、HISTORY を参照してください。


エンドユーザー向けとサイト管理者向けの両方の文書が MediaWiki.org において利用可能です。これらは GNU Free Documentation License の下でカバーされています(内容がパブリックドメインと明示されているページを除く)。

メーリング リスト

MediaWiki のユーザーサポートとディスカッションのためのメーリングリストが利用可能です:


公開の MediaWiki を運営する予定がある場合、セキュリティ修正が通知されるように、これらのリストのうちひとつに参加することを強くお勧めします。

IRC ヘルプ

通常 irc.freenode.net の #mediawiki にオンラインメンバーがいます。