15 December 2021
MediaWiki version 1.37.1 is now available.
Upgrading to MediaWiki 1.37.1
MediaWiki 1.37.1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.37.1 upgrade prior to applying it live.
What's New in MediaWiki 1.37.1
- CVE-2021-44858 CVE-2021-44857 SECURITY: Fix permissions checks in undo actions.
- CVE-2021-45038 SECURITY: Fix permissions check in action=rollback.
- SECURITY: Require 'read' right for most actions.
- CVE-2021-44856 SECURITY: Fix use of EditFilterMergedContent hook when changing content model.
- Allow inserting new sections named '0'.
- Fix path for ZhConversion.php.
- nukeNS: don't run purgeRedundantText() after every change.
- installer: Fix Postgres mistakes in using changeField method.
- RollbackAction: fix missing pagetitle.
- MediaWiki now has limited support for JPEG2000 files.
Action API changes
- The API methods for fetching tokens which were deprecated in MediaWiki 1.24 have been removed. action=query&meta=tokens&type= should be used instead. Please note, some token types no longer exist, and you should just use type=csrf for those instead.
New configuration variables
- $wgBrowserFormatDetection - This setting allows the enabling or disabling of automatic detection of possible phone numbers in a webpage in iOS Safari.
- $wgParserEnableLegacyMediaDOM - This setting defaults to true, and enables the legacy media HTML structure in the output from the Parser. The alternative modern HTML structure for media is described at https://www.mediawiki.org/wiki/Parsing/Media_structure. In a future release of MediaWiki, this option will default to false, so it's a good idea to test this setting on your wiki early and report any issues.
Changed configuration variables
- The PasswordCannotMatchUsername password policy has been removed; please use PasswordCannotBeSubstringInUsername instead. If you have not customised your password policies, there will be nothing to do here.
- $wgContentHandlerTextFallback - This migration setting, which defines how to react if a plain text version of a non-text Content object is requested using ContentHandler::getContentText(), is deprecated.
- $wgActions – This setting lets sysadmins override which actions can be used. It has been re-worked to support injecting dependencies into Action sub-classes as part of wider work on dependency injection. Previously, $wgActions was an array where the keys were the names of actions, and the values had the following impacts (for a given key 'Foo'):
  - `true`: use the class 'FooAction' unless for a specific page WikiPage::getActionOverrides() wants to override that action;
  - a string: use the class with that name, and do not allow overriding on a per-page basis;
  - `false`: the action is disabled;
  - a callable: use the Action instance returned by invoking that callback, and do not allow overriding on a per-page basis;
  - an object: use that specific Action instance, and do not allow overriding on a per-page basis.
- As part of T253078, values can now be arrays that are not callables, which are treated as ObjectFactory specs, allowing for services to be injected. Additionally, the distinction between values that allow per-page overrides and those that do not has been removed: all actions can now be overridden on a per-page basis using WikiPage::getActionOverrides().
- $wgShellboxUrl – This setting, new in 1.36 to configure the novel Shellbox encapsulation system, is now deprecated; use $wgShellboxUrls as a mapping of service => URL instead.
- $wgIncludejQueryMigrate – This setting, introduced in 1.29 to control whether to provide a migration layer for jQuery, has now switched its default value from true to false. This may break gadgets that depended on methods that were removed in jQuery 3 in 2017. See T280944 for more information.
- A number of settings have been renamed. The former configuration variable names are deprecated, but will be used as the fallback if they are still set, and remain temporarily available for extensions which might try to read them:
  - $wgFileBlacklist is now $wgProhibitedFileExtensions;
  - $wgMimeTypeBlacklist is now $wgMimeTypeExclusions;
  - $wgEnableUserEmailBlacklist is now $wgEnableUserEmailMuteList;
  - $wgShortPagesNamespaceBlacklist is now $wgShortPagesNamespaceExclusions.
- $wgFragmentMode - This setting, which determines the encoding of section IDs, has now switched its default value from legacy-first to html5-first: both the HTML5 anchor and the legacy percent-encoding-style anchor will still be generated for section titles, but references to them will use the HTML5 version, resulting in human-readable fragments.
Removed configuration variables
- $wgAjaxEditStash, deprecated in 1.36.
- $wgShowDBErrorBacktrace, deprecated and non-functional since 1.32.
- $wgShowSQLErrors, deprecated and non-functional since 1.32.
- $wgLangObjCacheSize, without deprecation; the LanguageFactory service now always retains at most 10 objects in its LRU-cache.
- $wgDjvuToXML, without deprecation; the tool it enables is obsolete and abandoned upstream. Use $wgDjvuDump to use that tool instead.
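An added example, not part of the original release notes or MediaWiki's own code: a Python audit of a LocalSettings.php text for the renamed, deprecated and removed settings listed under "Changed configuration variables" and "Removed configuration variables" above, plus the two settings whose defaults changed. The `audit` function name and the sample file contents are constructed for illustration.

```python
import re
# Setting names and advice are taken from the release notes above.
FINDINGS = {
    "wgFileBlacklist": "renamed to $wgProhibitedFileExtensions",
    "wgMimeTypeBlacklist": "renamed to $wgMimeTypeExclusions",
    "wgEnableUserEmailBlacklist": "renamed to $wgEnableUserEmailMuteList",
    "wgShortPagesNamespaceBlacklist": "renamed to $wgShortPagesNamespaceExclusions",
    "wgShellboxUrl": "deprecated; use $wgShellboxUrls (service => URL)",
    "wgContentHandlerTextFallback": "deprecated",
}
FINDINGS.update({name: "removed" for name in (
    "wgAjaxEditStash", "wgShowDBErrorBacktrace", "wgShowSQLErrors",
    "wgLangObjCacheSize", "wgDjvuToXML")})
POLICY = "PasswordCannotMatchUsername"  # removed password policy
DEFAULT_CHANGED = {  # defaults that flipped; review when the file does not pin them
    "wgIncludejQueryMigrate": "default is now false",
    "wgFragmentMode": "default is now html5-first"}

def audit(php_source):
    """Return (line_no, name, advice) tuples; line_no 0 means 'not set'."""
    # Blank out /* ... */ blocks but keep newlines so line numbers stay right.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  php_source, flags=re.S)
    hits, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comment (trailing comments are not stripped)
        for name in re.findall(r"\$(wg\w+)", line):
            seen.add(name)
            if name in FINDINGS:  # exact match: $wgShellboxUrls is not flagged
                hits.append((no, "$" + name, FINDINGS[name]))
        if POLICY in line:
            hits.append((no, POLICY, "removed; use PasswordCannotBeSubstringInUsername"))
    for name, note in DEFAULT_CHANGED.items():
        if name not in seen:
            hits.append((0, "$" + name, "not set; " + note))
    return hits
# Constructed sample LocalSettings.php, not taken from a real wiki.
SAMPLE = """<?php
$wgFileBlacklist[] = 'svg';
# $wgShowSQLErrors = true;
/* $wgAjaxEditStash = false;
   $wgDjvuToXML = '/usr/bin/djvutoxml'; */
$wgShellboxUrl = 'http://shellbox.internal/shellbox';
$wgShellboxUrls = [ 'default' => 'http://shellbox.internal/shellbox' ];
$wgPasswordPolicy['policies']['default']['PasswordCannotMatchUsername'] = true;
$wgFragmentMode = [ 'legacy', 'html5' ];
"""
for hit in audit(SAMPLE):
    print(hit)
```

Settings assigned through `$GLOBALS[...]` or in included files are outside what this scan sees, so run it over every file that LocalSettings.php pulls in.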