MediaWiki 1.35.1
18 December 2020
MediaWiki version 1.35.1 is now available (security release).
Upgrading to MediaWiki 1.35.1
MediaWiki 1.35.1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.35.1 upgrade prior to applying it live.
What's New in MediaWiki 1.35.1
Security
- SECURITY: Use Html::element in ChangeListSpecialPage for sanity. (CVE-2020-35474)
- SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity. (CVE-2020-35478, CVE-2020-35479)
- SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. (CVE-2020-35477)
- SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users. (CVE-2020-35480)
Bug Fixes and Changes
- purgeList.php: Fix all-namespaces option to match one used in code.
- ParserCache::get - fix wfDeprecated call.
- WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab.
- Preload mediawiki.watchstar.widgets before api request.
- ApiEditPage: Show existing watchlist expiry if status is not being changed.
- Fix PHP 8 compat with strcspn() $length parameter exceeding string.
- Remove final modifier on private function.
- Remove ipb_anon_only from ipb_address_unique index addition.
- Add days left messages to changes-lists' clock icons.
- Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave.
- Preload class used in HeaderCallback.
- (T260868, T260009) Normalize WatchedItem expiry field.
- Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields.
- ApiPageSet: Avoid infinite loop when merging redirects.
- Empty Monolog loggers are now real blackholes.
- WatchAction: avoid UPDATE when old and new watch period is indefinite.
- Parser: Adjust typehint to show that getTitle can return null.
- media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData().
- BaseTemplate: Guard against passing zero arg to array_merge().
- Fix base path handling for MessagePosterModule registration.
- Fix Database::getTempTableWrites for multi table DDLs.
- Fix switch/case indentation per MediaWiki coding conventions.
- Flip Yoda conditionals.
- Move SkinTemplate::getFooterLinks() to Skin.
- build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
- Make ImageBuilder::checkMissingImage public.
- Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
- Support new style hook registration on install and update.
- Fix unsetting of copyright icon in FooterIcons.
- upload.js: Don't assume that warnings array will include 'code' key.
- upload.js: Fix typo in upload API.
- (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded.
- importTextFiles.php: Replace deprecated WikiRevision::setText().
- composer.json: add requirement for composer-plugin-api ^1.1.
- Add ARIA attributes to watchlink and its notification.
- Change invalid 'Content-Encoding: none' header.
- Fix trailing ; in patch-sites-site_language-35.sql.
- wfAssembleUrl: Handle empty query field in URL bits.
- Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0).
- migrateComments: Cast array keys back to string before passing to the DB.
- Introduce new $wgThumbPath config.
- MemcachedClient: Cast Resource to integer.
- Use the old HookContainer to set up the post-reset services.
- Change "site cache" to just "cache" in the right-purge message.
- [UploadedFileStreamTest] Skip test with chmod.
- Updating composer/semver (1.5.1 => 1.7.2).
- Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0).
- BotPassword::save() now returns a Status object for the result rather than a bool. The lengths of the bot password grants and restriction fields are now validated, and an error will be thrown if either would be truncated by the database.
- Fix English/*nix specific error messages in FSFileBackend.
- Split dropping of image.img_user_timestamp.
- [FileTest] Do not assume /tmp exists on Windows.
- Clean up temp files correctly after unit tests.
- Skip undo related phpunit tests when diff3 is missing.
- rdbms: Remove outer parentheses in insert query for Postgres.
- In MWExceptionHandler::report(), catch all throwables.
- Use Xml::element in SpecialUserrights for sanity.
- Fixed mixed escaping in Language::translateBlockExpiry.
- UserOptionsManager: don't differentiate anons caches.
- HeaderCallback: pre-cache request ID.
- Parsoid updated to v0.12.1.
- Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP.