= MediaWiki release notes =
Security reminder: MediaWiki has not required PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
== MediaWiki 1.11.0 ==
September 10, 2007
This is the Fall 2007 snapshot release of MediaWiki.
MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
== Changes since 1.11.0rc1 ==
A possible HTML/XSS injection vector in the API pretty-printing mode has
been found and fixed.
The vulnerability may be worked around in an unfixed version by simply
disabling the API interface if it is not in use, by adding this to
LocalSettings.php:
$wgEnableAPI = false;
(This is the default setting in 1.8.x.)
Not vulnerable versions:
* 1.11 >= 1.11.0
* 1.10 >= 1.10.2
* 1.9 >= 1.9.4
* 1.8 >= 1.8.5
Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
MediaWiki 1.7 and below are not affected, as they do not include
the faulty function; however, the BotQuery extension is similarly
vulnerable unless updated to the latest SVN version.
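
The affected-version lists above, turned into a check an administrator can run over an inventory of wikis. This is an added example, not part of the MediaWiki release notes or code base; the function names and status strings are hypothetical, and it assumes the API is enabled on 1.9 to 1.11 unless $wgEnableAPI is explicitly false.

```python
import re

# First fixed release on each affected branch, taken from the advisory above.
FIXED = {(1, 11): "1.11.0", (1, 10): "1.10.2", (1, 9): "1.9.4", (1, 8): "1.8.5"}

# A final release sorts after its own alpha/beta/rc builds (1.11.0rc1 < 1.11.0).
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-_]?(alpha|beta|rc)\.?(\d*))?$", re.I)


def parse_version(text):
    """Turn '1.11.0rc1' into a tuple that orders pre-releases before finals."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised MediaWiki version: %r" % text)
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(num or 0))


def assess(version, enable_api=None):
    """Classify one install against the advisory.

    enable_api is the value of $wgEnableAPI in LocalSettings.php,
    or None when the setting is absent (hypothetical parameter).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch < (1, 8):
        return "core_not_affected"   # but audit the BotQuery extension
    if branch not in FIXED:
        return "not_covered"         # branch is not listed in this advisory
    if v >= parse_version(FIXED[branch]):
        return "not_vulnerable"
    if branch == (1, 8):
        api_on = enable_api is True  # API is off by default in 1.8.x
    else:
        api_on = enable_api is not False  # assumption: on unless disabled
    return "vulnerable" if api_on else "api_disabled"


if __name__ == "__main__":
    # Constructed inventory: (version, $wgEnableAPI or None)
    for ver, api in [("1.11.0rc1", None), ("1.10.1", False), ("1.8.4", True),
                     ("1.8.4", None), ("1.9.4", None), ("1.7.1", None)]:
        print(ver, api, assess(ver, api))
```

An install reported as "api_disabled" is only protected by the workaround and still needs the branch update.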
== Configuration changes since 1.10 ==
* $wgThumbUpright - Adjust width of upright images when parameter 'upright' is
used
* $wgAddGroups, $wgRemoveGroups - Finer control over who can assign which
usergroups
* $wgEnotifImpersonal, $wgEnotifUseJobQ - Bulk mail options for large sites
* $wgShowHostnames - Expose server host names through the API and HTML comments
* $wgSaveDeletedFiles has been removed; the feature is now enabled unconditionally
== New features since 1.10 ==
* (bug 8868) Separate "blocked" message for autoblocks
* Adding expiry of block to block messages
* Links to redirect pages in categories are wrapped in
* Introduced 'ImageOpenShowImageInlineBefore' hook; see docs/hooks.txt for
more information
* (bug 9628) Show warnings about slave lag on Special:Contributions,
Special:Watchlist
* (bug 8818) Expose "wpDestFile" as parameter $1 to "uploaddisabledtext"
* Introducing new image keyword 'upright' and corresponding variable
$wgThumbUpright. This allows a better proportional view of upright images
relative to landscape images on a page without nailing the width of upright
images to a fixed value, which makes views for anonymous users
disproportionate and user preferences useless
* (bug 6072) Introducing 'border' keyword to the [[Image:]] syntax
* Introducing 'frameless' keyword to [[Image:]] syntax which respects the
user preferences for image width like 'thumb' but without a frame.
* (bug 7960) Link to "what links here" for each "what links here" entry
* Added support for configuration of an arbitrary number of commons-style
file repositories.
* Added a Content-Disposition header to thumb.php output
* Improved thumb.php error handling
* Display file history on local image description pages of shared images
* Added $wgArticleRobotPolicies
* (bug 10076) Additional parameter $7 added to MediaWiki:Blockedtext
containing the IP, IP range, or username whose block is affecting the
* (bug 7691) Show relevant lines from the deletion log when re-creating a
previously deleted article
* Added variables 'wgRestrictionEdit' and 'wgRestrictionMove' for JS to header
* (bug 9898) Allow viewing all namespaces in Special:Newpages
* (bug 10139) Introduce 'EditSectionLink' and 'EditSectionLinkForOther' hooks;
see docs/hooks.txt for details
* (bug 9769) Provide "watch this page" toggle on protection form
* (bug 9886) Provide clear example "stub link" in Special:Preferences
* (bug 10055) Populate email address and real name properties of User objects
passed to the 'AbortNewAccount' hook
* Always show the result of Special:Booksources in the wiki content language;
it's normally better maintained than the generic list from the standard
message files
* (bug 7997) Allow users to be blocked from using Special:Emailuser
* (bug 8989) Blacklist 'mhtml' and 'mht' files from upload
* (bug 8760) Allow wiki links in "protectexpiry" message
* (bug 5908) Add "DEFAULTSORTKEY" and "DEFAULTCATEGORYSORT" aliases for
"DEFAULTSORT" magic word
* (bug 10181) Support the XCache object caching mechanism
* (bug 9058) Introduce '--aconf' option for all maintenance scripts, to provide
a path to the AdminSettings.php file
* (bug 8781) Remind users to check file permissions for LocalSettings.php
post-installation
* Use shared.css for all skins and oldshared.css in place of common.css for
pre-Monobook skins. As always, modifications should go in-wiki to MediaWiki:
Common.css and MediaWiki:Monobook.css.
* (bug 8869) Introduce Special:Uncategorizedtemplates
* (bug 8734) Different log message when article protection level is changed
* (bug 8458, 10338) Limit custom signature length to $wgMaxSigChars Unicode
characters
* (bug 10096) Added an ability to query interwiki map table
* On reupload, add a null revision to the image description page
* Group log output by date
* Kurdish interface Latin/Arabic writing system with transliteration
* Support wiki text in all query page headers
* Add 'Orphanedpages' as an alias to Special:Lonelypages
* (bug 9328) Use "revision-info-current" message in place of "revision-info"
when viewing the current revision of a page, if available
* (bug 8890) Enable wiki text for "license" message
* Throw a showstopper exception when a hook function fails to return a value.
Forgetting to give a 'true' return value is a very common error which tends
to cause hard-to-track-down interactions between extensions.
* Use $wgJobClasses to determine the correct Job to instantiate for a particular
queued task; allows extensions to introduce custom jobs
* (bug 10326) AJAX-based page watching and unwatching has been cleaned up and
enabled by default.
* Added option to install to MyISAM
* (bug 9250) Remove hardcoded minimum image name length of three characters
* Fixed DISPLAYTITLE behaviour to reject titles which don't normalise to the
same title as the current page, and enabled it by default
* Wrap site CSS and JavaScript in a
tag, like user JS/CSS
* (bug 10196) Add classes and dir="ltr" to the s on CSS and JS pages (new
classes: mw-code, mw-css, mw-js)
* (bug 6711) Add $wgAddGroups and $wgRemoveGroups to allow finer control over
usergroup assignment.
* Introduce 'UserEffectiveGroups' hook; see docs/hooks.txt for more information
* (bug 10387) Detect and handle '.php5' extension environments at install time
* Introduce 'ShowRawCssJs' hook; see docs/hooks.txt for more information
* (bug 10404) Show rights log for the selected user in Special:Userrights
* New JavaScript for the upload page that shows a warning if a file with the
"destination filename" already exists.
* Add 'editsection-brackets' message to allow localization (or removal) of the
brackets in the "[edit]" link for sections
* (bug 10437) Move texvc styling to shared.css
* Introduce "raw editing" mode for the watchlist, to allow bulk additions,
removals, and convenient exporting of watchlist contents
* Show "undo" links in page histories
* Option to jump to specified time period in user contributions
* Improved feedback on "rollback success" page
* Show distinct 'namespaceprotected' message to users when namespace protection
prevents page editing
* (bug 9936) Per-edit suppression of preview-on-first edit with "preview=no"
* Allow showing a one-off preview on first edit with "preview=yes"
* (bug 9151) Remove timed redirects on "Return to X" pages for accessibility.
* Link to user logs in toolbox when viewing a user page
* (bug 10508) Allow HTML attributes on
* (bug 1962) Allow HTML attributes on