MediaWiki 1.37.1

15 December 2021

MediaWiki version 1.37.1 is now available (major release).

Upgrading to MediaWiki 1.37.1

What's New in MediaWiki 1.37.1

• CVE-2021-44858 CVE-2021-44857 SECURITY: Fix permissions checks in undo actions.
  
• CVE-2021-45038 SECURITY: Fix permissions check in action=rollback.
  
• SECURITY: Require 'read' right for most actions.
  
• CVE-2021-44856 SECURITY: Fix use of EditFilterMergedContent hook when changing content model.
  

• Allow inserting new sections named '0'.
  
• Fix path for ZhConversion.php.
  
• nukeNS: don't run purgeRedundantText() after every change.
  
• installer: Fix Postgres mistakes in using changeField method.
  
• RollbackAction: fix missing pagetitle.
  

• New wikipage.indicator hook for JavaScript (change 721324).
  
• MediaWiki now has limited support for JPEG2000 files.
  

• The API methods for fetching tokens which were deprecated in MediaWiki 1.24 have been removed. action=query&meta=tokens&type= should be used instead. Please note, some token types no longer exist, and you should just use type=csrf for those instead.
  

• $wgBrowserFormatDetection - This setting allows the enabling or disabling of automatic detection of possible phone numbers in a webpage in iOS Safari.
  
• $wgParserEnableLegacyMediaDOM - This setting defaults to true, and enables the legacy media HTML structure in the output from the Parser. The alternative modern HTML structure for media is described at https://www.mediawiki.org/wiki/Parsing/Media_structure. In a future release of MediaWiki, this option will default to false, so it's a good idea to test this setting on your wiki early and report any issues.
  

• The PasswordCannotMatchUsername password policy has been removed, please use PasswordCannotBeSubstringInUsername instead. If you have not customised your password policies, there will be nothing to do here.
  
• $wgContentHandlerTextFallback - This migration setting, which defines how to react if a plain text version of a non-text Content object is requested using ContentHandler::getContentText(), is deprecated.
  
• $wgActions – This setting lets sysadmins override which actions can be used. It has been re-worked to support injecting dependencies into Action sub-classes as part of wider work on dependency injection. Previously, $wgActions was an array where the keys were the names of actions, and the values had the following impacts (for a given key 'Foo'): `true`: use the class 'FooAction' unless for a specific page WikiPage::getActionOverrides() wants to override that action; a string: use the class with that name, and do not allow over-riding on a per-page basis; `false`: the action is disabled; a callable: use the Action instance returned by invoking that callback, and do not allow overriding on a per-page basis; an object: use that specific Action instance, and do not allow overriding on a per-page basis.
  
• As part of T253078, values can now be arrays that are not callables, which are treated as ObjectFactory specs, allowing for services to be injected. Additionally, the distinction between values that allow per-page overrides and those that do not be removed - all actions can now be overridden on a per-page basis using WikiPage::getActionOverrides().
  
• $wgShellboxUrl – This setting, new in 1.36 to configure the novel Shellbox encapsulation system, is now deprecated; use $wgShellboxUrls as a mapping of service => URL instead.
  
• $wgIncludejQueryMigrate – This setting, introduced in 1.29 to on whether to provide a migration layer for jQuery, has now switched its default value from true to false. This may break gadgets that depended on methods that were removed in jQuery 3 in 2017. See T280944 for more information.
  
• A number of settings have been renamed. The former configuration variable names are deprecated, but will be used as the fallback if they are still set, and remain temporarily available for extensions which might try to read them: $wgFileBlacklist is now $wgProhibitedFileExtensions; $wgMimeTypeBlacklist is now $wgMimeTypeExclusions; $wgEnableUserEmailBlacklist is now $wgEnableUserEmailMuteList; $wgShortPagesNamespaceBlacklist is now $wgShortPagesNamespaceExclusions.
  
• $wgMimeTypeExclusions - As well as being renamed, this configuration array now also prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
  
• $wgFragmentMode - This setting, which determines the encoding of section IDs, has now switched its default value from legacy-first to html5-first: both the HTML5 anchor and the legacy percent-encoding-style anchor will still be generated for section titles, but references to them will use the HTML5 version, resulting in human-readable fragments.
  

• $wgLegacyJavaScriptGlobals, deprecated in 1.36.
  
• $wgAjaxEditStash, deprecated in 1.36.
  
• $wgShowDBErrorBacktrace, deprecated and non-functional since 1.32.
  
• $wgShowSQLErrors, deprecated and non-functional since 1.32.
  
• $wgLangObjCacheSize, without deprecation; the LanguageFactory service now always retains at most 10 objects in its LRU-cache.
  
• $wgDjvuToXML, without deprecation; the tool it enables is obsolete and abandoned upstream. Use $wgDjvuDump to use that tool instead.