MediaWiki 1.31.10
7 October 2020
MediaWiki version 1.31.10 is now available (security release).
Upgrading to MediaWiki 1.31.10
MediaWiki 1.31.10 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.31.10 upgrade prior to applying it live.
What's New in MediaWiki 1.31.10
1.31.10
Security
- Fixed issues relating to backporting of changes for previous fixes.
1.31.9
Security
- In the web installer, use secure session cookies.
- Special:UserRights exposes the existence of hidden users.
- Prevent invoking firejail's --output functionality.
- mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
- mediawiki.js: Escape HTML in mw.message( ... ).parse().
- ActorMigration: Load user from the correct database.
- Ensure actor ID from correct wiki is used.
- User::pingLimiter: add user-global rate limit type.
Changes and Bug Fixes
- shell: Expand documentation in firejail.profile.
- Added $wgForceHTTPS, which makes the HTTP to HTTPS redirect be unconditional and suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We recommend this be set to true on pure HTTPS wikis.
- Added $wgCookieSameSite, which allows login cookies to be sent with SameSite=None. This is required for cross-site CentralAuth autologin after Chrome 84.
- Added $wgUseSameSiteLegacyCookies, which adds a compatibility hack to SameSite=None cookies for browsers which implemented an incompatible draft version of the specification.
- Disable WebResponse setters for post-send processing.
- WebResponse: Use values altered in 'WebResponseSetCookie' hook.
- Fix runBatchedQuery.php for no result from select.
- Add Edge to MediaWiki:Clearyourcache.
- Use IPset in MWRestrictions::checkIP.
- Add application/font-sfnt to MimeMap for ttf files.
- shell: Make ->restrict( RESTRICT_NONE ) actually work.
- Fixes shell edge-cases in Windows.
- Add CentralIdLookup::factoryNonLocal().
- User: Fix pingLimiter() to use makeGlobalKey() for global rate limits.
- User: enforce pingLimiter() expiry time.
- Don't include null page IDs in query list for category dumps.
- Sanitizer: Truncate IDs to a reasonable length.
- Explicitly wrap some XML calls in libxml_disable_entity_loader().
- Set EnableJavaScriptTest to true in includes/DevelopmentSettings.php.
1.31.8
Security
- img_auth.php may leak private extension images into the public cache.
Changes and Bug Fixes
- Don't invalidate BotPasswords if a password reset email is sent.
- PasswordReset performance improvements.
- Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17.
- Remove some rotten and out of date documentation.
- Improvements to some older SQLite update patches.
- Minor fixes to extension.schema.v2.json and extension.schema.v1.json.
- Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php.
- Update the change_tag table in rebuildrecentchanges.php.
- Call ob_start() before running tests.
- Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately.