MediaWiki 1.29.2
29 November 2017
MediaWiki version 1.29.2 is now available (major release).
Upgrading to MediaWiki 1.29.2
MediaWiki 1.29.2 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.29.2 upgrade prior to applying it live.
What's New in MediaWiki 1.29.2
WARNING
DUE TO CHANGES IN THE DATABASE SCHEMA, UPDATING TO 1.29.x FROM A PREVIOUS BRANCH MAY TAKE QUITE A LONG TIME (MINUTES ON A MEDIUM SIZED SITE, POTENTIALLY MANY HOURS ON A LARGE SITE).
1.29.2
This is a security and maintenance release of the MediaWiki 1.29 branch.
Security
- Potential XSS when $wgShowExceptionDetails = false and the browser sends non-standard URL escaping.
- BotPassword login attempts weren't throttled.
- Reflected File Download from api.php.
- Do not reveal if user exists during login failure.
- Ensure Message::rawParams can't lead to XSS.
- Make anchor for headlines escape > and <.
- Protect vendor folder with .htaccess.
- update.php now removes a PHPUnit file with a known RCE, if it exists.
- XSS in langconverter when regex hits pcre.backtrack_limit.
- Handle -{}- syntax in attributes safely.
- "api.log contains passwords in plaintext" wasn't correctly fixed in all branches in the previous security release.
Bug Fixes
- Avoid scoped lock errors in Category::refreshCounts() due to nesting.
- Unbreak Postgres Updater when setting defaults for a column.
- Remove use of implicitGroupBy() in ActiveUsersPager.
- Fixed login button label to accept RawMessage.
- Fixed case of SpecialRecentChanges class usage.
- Declare uploadCount property in importDump.php.
- Pass a string not an int to mysql_real_escape_string().
- Bump justinrainbow/json-schema development dependency to ~5.2.
- Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
1.29.1
This is a maintenance release of the MediaWiki 1.29 branch.
- Fix bundled extensions: SimpleAntiSpam and Vector (the extension) shouldn't have been included but were, and PdfHandler and SpamBlacklist should have been but weren't.
- mw.Upload.Dialog: Define .static.name
- refreshLinks.php: Fix fatal when using --category parameter
1.29
This is a new major branch of MediaWiki.
Features
- A cookie can now be set when a user is autoblocked, to track that user if they move to a new IP address. This is disabled by default.
- Added ILocalizedException interface to standardize the use of localized exceptions, largely so the API can handle them more sensibly.
- Blocks created automatically by MediaWiki, such as for configured proxies or DNSBLs, are now indicated as such and use a new i18n message when displayed.
- Added new $wgHTTPImportTimeout setting. Sets timeout for downloading the XML dump during a transwiki import in seconds.
- Parser limit report is now available in machine-readable format to JavaScript via mw.config.get('wgPageParseReport').
- Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits from certain IP ranges (e.g. private IPs).
- Added new magic word {{PAGELANGUAGE}} which returns the language code of the page being parsed.
- HTML5 form validation attributes will no longer be suppressed. Originally browsers had poor support for them, but modern browsers handle them fine. This might affect some forms that used them and only worked because the attributes were not actually being set.
- Expiry times can now be specified when users are added to user groups.
- Completely new user interface for the RecentChanges page, which structures filters into user-friendly groups. This has corresponding changes to how filters are registered by core and extensions.
- The edit form now uses pretty OOjs UI buttons, checkboxes and summary input. Because this change can cause problems for extensions and on-wiki scripts depending on the exact HTML, the old version is still available and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php. This will be removed later and OOjs UI will become the only option. To make testing easier, users can also force either mode by adding &ooui=true or &ooui=false to the action=edit URL.
Configuration Changes
- Default cookie expiration time has been reduced to 30 days. Login cookie expiration time is kept at 180 days.
- A new configuration variable has been added: $wgCookieSetOnAutoblock. This determines whether to set a cookie when a user is autoblocked. Doing so means that a blocked user, even after logging out and moving to a new IP address, will still be blocked.
- The resetpassword right and associated password reset capture feature has been removed.
- The $error parameter to the EmailUser hook should be set to a Status object or boolean false. This should be compatible with at least MediaWiki 1.23 if not earlier. Returning a raw HTML string is now deprecated.
- The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work.
- ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error.
- $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies.
- Subpages are now enabled by default in the Template namespace. Set $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
- $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
- "Unknown user" has been added to $wgReservedUsernames.
- $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
- $wgDummyLanguageCodes is deprecated. Additional language code mappings may be added to $wgExtraLanguageCodes instead.
- LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
- The user right 'editusercssjs' (deprecated in 1.16) was removed. Use 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
Plus dozens more library changes, bug fixes, API changes, and compatibility changes.