MediaWiki 1.34.4
7 October 2020
MediaWiki version 1.34.4 is now available (security release).
Upgrading to MediaWiki 1.34.4
MediaWiki 1.34.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.34.4 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.34.4
1.34.4
Security
- Fixed issues relating to backporting of changes for T260485.
1.34.3
Security
- Special:UserRights exposes the existence of hidden users.
- User::pingLimiter: add user-global rate limit type.
- SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
- Unescaped message used in HTML on Special:Contributions.
- Unescaped message used in HTML within LogEventsList.
- Prevent invoking firejail's --output functionality.
- mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
- mediawiki.js: Escape HTML in mw.message( ... ).parse().
- ActorMigration: Load user from the correct database.
- Ensure actor ID from correct wiki is used.
Changes and Bug Fixes
- In the web installer, use secure session cookies.
- Make UsersPager::requestedGroup public.
- Split patch-drop-user-fields.sql into patch per table.
- Split patch-drop-comment-fields.sql into patch per table.
- Undeprecate WebInstaller::getInfoBox().
- Added $wgForceHTTPS, which makes the HTTP to HTTPS redirect be unconditional and suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We recommend this be set to true on pure HTTPS wikis.
- Added $wgCookieSameSite, which allows login cookies to be sent with SameSite=None. This is required for cross-site CentralAuth autologin after Chrome 84.
- Added $wgUseSameSiteLegacyCookies, which adds a compatibility hack to SameSite=None cookies for browsers which implemented an incompatible draft version of the specification.
- shell: Expand documentation in firejail.profile.
- Give the "remember me" checkbox a specific CSS class so skins like Minerva can only hide that checkbox.
- rdbms: improve DBConnRef domain selection exception message.
- phpunit: Acknowledge known dberror from SpecialPageFatalTest.
- Clean up excess commit() call in LocalRepoTest.
- Fix runBatchedQuery.php for no result from select.
- Add Edge to MediaWiki:Clearyourcache.
- reassignEdits: Update script to use User::newFromName for anon users.
- GlobalFunctions: Use php_uname instead of posix_uname.
- Use IPset in MWRestrictions::checkIP.
- Add application/font-sfnt to MimeMap for ttf files.
- shell: Make ->restrict( RESTRICT_NONE ) actually work.
- Fixes shell edge-cases in Windows.
- Add CentralIdLookup::factoryNonLocal().
- User: Fix pingLimiter() to use makeGlobalKey() for global rate limits.
- User: enforce pingLimiter() expiry time.
- Don't include null page ids in query list for category dumps.
- Sanitizer: Truncate IDs to a reasonable length.
- Fix failure of rebuildLocalisationCache.php due to a ResourceLoader hook.
- Explicitly wrap some XML calls in libxml_disable_entity_loader().
- Set EnableJavaScriptTest to true in includes/DevelopmentSettings.php.
1.34.2
Security
- img_auth.php may leak private extension images into the public cache.
Changes and Bug Fixes
- PasswordReset performance improvements.
- The MultiHttpClient code will fall back to non-curl if curl_multi* is blocked.
- Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17.
- Let $wgResourceLoaderMaxQueryLength=-1 fall back to the default.
- Remove some rotten and out of date documentation.
- Improvements to some older SQLite update patches.
- Minor fixes to extension.schema.v2.json and extension.schema.v1.json.
- cleanupUsersWithNoId.php: Handle missing fields.
- Set recentchanges.rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php.
- Update the change_tag table in rebuildrecentchanges.php.
- Password Reset Updates.
- Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately.