= MediaWiki release notes =
== MediaWiki 1.16.0 ==
2010-07-28
This is a stable release of the MediaWiki 1.16 branch.
=== Summary of selected changes in 1.16 ===
Selected changes since MediaWiki 1.15 that may be of interest:
* Watchlists now have RSS/Atom feeds. RSS feeds generally are now hidden,
since Atom is a better protocol and is supported by virtually all clients.
* It's now possible to block users from sending email via Special:Emailuser.
* The maintenance script system was overhauled. Most maintenance scripts now
have a useful help page when you run them with --help.
* AdminSettings.php is no longer required in order to run maintenance scripts.
You can just set $wgDBadminuser and $wgDBadminpassword in your
LocalSettings.php instead.
* The preferences system was overhauled. Preferences are stored in a more
compact format. Changes to site default preferences will automatically
affect all users who have not chosen a different preference.
* Support for SQLite was improved. Some broken features were fixed, and it
now has an efficient full-text search.
* The user groups ACL system was improved by allowing rights to be revoked,
instead of just granted.
* A new localisation caching system was introduced, which will make MediaWiki
faster for almost everyone, especially when lots of extensions are enabled.
By default, this new system makes a lot of database queries. If your database
is particularly slow, or if your system administrator limits your query count,
or if you want to squeeze as much performance as possible out of Mediawiki,
set $wgCacheDirectory to a writable path on the local filesystem. Make sure
you have the DBA extension for PHP installed, this will improve performance
further.
== Changes since 1.16 beta 3 ==
* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in
1.16 beta 1, but is currently poorly supported by browsers.
* (bug 23175) Re-added window.ta variable for backwards compatibility.
* (bug 23264) Fixed breakage of various command line scripts due to extra line
endings being inserted by Maintenance::output().
* Fixed HTTP client functionality with safe_mode=On.
* Fixed parser tests broken in 1.16 beta 3.
* For Oracle DB backend: fixed parser tests and table prefix feature.
* (bug 23767) Fixed PHP warning when REQUEST_URI is blank (IIS issue).
* Fixed plural function for Northern Sami (se)
* (bug 23597) Fixed conflicts between ID attributes in the Vector skin and
parser-generated heading IDs. Renamed head, panel, head-base and page-base.
* Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet.
* (bug 23465) Don't ignore the predefined destination filename on
Special:Upload after following a red link to a file.
* In SQLite full-text search feature: fixed "move page" feature, was non-
functional.
* (bug 24565) Fixed Cache-Control headers sent from API modules, to protect
user privacy in the case where an attacker can access the wiki through the
same HTTP proxy as a logged-in user.
* Fixed an XSS vulnerability in profileinfo.php for installations with
$wgEnableProfileInfo = true (false by default)
* Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being
false. Fixed a minor header parsing issue when $wgUseXVO = true.
* Fixed a register_globals arbitrary inclusion vulnerability in
MediaWikiParserTest.php, introduced in 1.16 beta 1.
== Changes since 1.16 beta 2 ==
* Fixed bugs in the [[Special:Userlogin]] and [[Special:Emailuser]] handling of
invalid usernames.
* Fixed sorting in [[Special:Allmessages]]
* (bug 23113) Fixed title in the show/hide links on diff pages
* (bug 23117) Fixed API rollback, was returning "badtoken" for valid requests
* (bug 23127) Re-added missing $1 parameter to the uploadtext message
* Fixed a bug in the Vector skin where personal tools display behind the logo
* (bug 23139) Fixed a bug in edit conflict resolution, where both textboxes
showed the same text.
* (bug 23115, bug 23124) Fixed various problems with
and
elements
in page views and previews when the language converter is enabled.
* (bug 23148) Fixed a local path disclosure vulnerability in ImageMagick image
scaling, which was introduced in 1.16 beta 1.
* Improved error checking on installer.
* (bug 22970) Fixed a JavaScript error in the upload destination conflict
check.
* (bug 23167) Check the watch checkbox by default if the watchcreations
preference is set.
* (bug 23171) Improve IE6 version check to avoid false positives.
* (bug 23176) Fixed upload warning override feature "upload new version",
broken in 1.16 beta 1.
* Fixed regression in unwatch links sent out in notification emails. When the
mailing job was deferred via the job queue, the title was incorrect.
* (bug 23534) Fixed SQL query error in API list=allusers.
* Fixed a bug in uploads for non-JavaScript clients. An empty string was used
as the default destination filename, instead of the source filename as
expected.
* (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create
account" and "create by e-mail" features of [[Special:Userlogin]]
* (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS
validation issue.
* Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick
expanded wildcard characters "?" and "*" in image filenames, potentially
causing large numbers of images to be scaled in response to a single request.
The fix for this involves breaking the scaling of such image filenames until
ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details.
* (bug 23608) Fixed invalid HTML in diff pages.
=== Changes since 1.16 beta 1 ===
* Fixed errors in maintenance/patchSql.php
* (bug 19627) Fix regression from r57867 where HTMLForm would output
rather than
* Fixed broken "-r" option to maintenance/lag.php
* (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to
be submitted along with the user name and password.
=== Configuration changes in 1.16 ===
* (bug 18222) $wgMinimalPasswordLength default is now 1
* $wgSessionHandler can be used to configure session.save_handler
* $wgLocalFileRepo/$wgForeignFileRepos now have a 'fileMode' parameter to
be used when uploading/moving files
* (bug 18761) $wgHiddenPrefs is a new array for specifying preferences not
to be shown to users
* $wgAllowRealName and $wgAllowUserSkin were deprecated in favor of
$wgHiddenPrefs[] = 'realname', but the former are still retained
for backwards-compatibility
* (bug 9257) $wgRCMaxAge now defaults to three months
* $wgDevelopmentWarnings can be set to true to show warnings about deprecated
functions and other potential errors when developing.
* Subpages are now enabled in the MediaWiki namespace by default. This is
mainly a cosmetic change, and does not in any way affect the MessageCache,
which was already effectively treating the namespace as if it had subpages.
* Oracle: maintenance/ora/user.sql script for creating DB user on oracle with
appropriate privileges. Creating this user with web-install page requires
oci8.privileged_connect set to On in php.ini.
* Removed UserrightsChangeableGroups hook introduced in 1.14
* Added $wgCacheDirectory, to replace $wgFileCacheDirectory,
$wgLocalMessageCache, and any other local caches which need a place to put
files.
* $wgFileCacheDirectory is no longer set to anything by default, and so either
needs to be set explicitly, or $wgCacheDirectory needs to be set instead.
* $wgLocalMessageCache has been removed. Instead, set $wgUseLocalMessageCache
to true
* Removed $wgEnableSerializedMessages and $wgCheckSerialized. Similar
functionality is now available via $wgLocalisationCacheConf.
* $wgMessageCache->addMessages() is deprecated. Messages added via this
interface will not appear in Special:AllMessages.
* $wgRegisterInternalExternals can be used to record external links pointing
to same server
* (bug 19907) $wgCrossSiteAJAXdomains and $wgCrossSiteAJAXdomainExceptions added
to control which external domains may access the API via cross-site AJAX.
* $wgMaintenanceScripts for extensions to add their scripts to the default list
* $wgMemoryLimit has been added, default value '50M'
* $wgExtraRandompageSQL is deprecated, the SpecialRandomGetRandomTitle hook
should be used instead
* (bug 20489) $wgIllegalFileChars added to override the default list of illegal
characters in file names.
* (bug 19646) $wgImgAuthDetails added to display reason access to uploaded file
was denied to users(img_auth only)
* (bug 19646) $wgImgAuthPublicTest added to test to see if img_auth set up
correctly (img_auth only)
* $wgUploadMaintenance added to disable file deletions and restorations during
maintenance
* $wgCapitalLinkOverrides added to configure per-namespace capitalization
* (bug 21172) $wgSorbsUrl can now be an array with multiple DNSBL and renamed
to $wgDnsBlacklistUrls (backward compatibility kept)
* $wgEnableHtmlDiff has been removed
* (bug 3340) $wgBlockCIDRLimit added (default: 16) to configure the low end of
CIDR ranges for blocking
* $wgUseInstantCommons added for quick and easy enabling of Commons as a remote
file repository
* $wgDBAhandler added to choose a DBA handler when using CACHE_DBA
* $wgPreviewOnOpenNamespaces for extensions that create namespaces that behave
similarly to the category namespace.
* $wgEnableSorbs renamed to $wgDnsBlacklistUrls ($wgEnableSorbs kept for
backward compatibility)
* $wgUploadNavigationUrl now also affects images inline images that do not
exist. In that case the URL will get (?|&)wpDestFile= appended to
it as appropriate.
* If $wgLocaltimezone is null, use the server's timezone as the default for
signatures. This was always the behaviour documented in DefaultSettings.php
but has not been the actual behaviour for some time: instead, UTC was used
by default.
* Added $wgExtensionAssetsPath, to decouple assets serving from $wgScriptPath.
If not specified it will default to $wgScriptPath/extensions
* Added $wgCountTotalSearchHits to make search UI display total number of hits
with some search engines.
* Added $wgAdvertisedFeedTypes to decide what feed types (RSS, Atom, both, or
neither) MediaWiki advertises. Default is array( 'atom' ), so RSS is no
longer advertised by default (but it still works).
* Added $wgMemCachedTimeout, controls how long to wait for data from the
memcached servers.
* New configuration variables $wgDebugTimestamps and $wgDebugPrintHttpHeaders
for controlling debug output.
* New $wgBlockDisablesLogin when set to true disallows blocked users from
logging in.
* (bug 8790) Metadata edition ($wgUseMetadataEdit) has been moved to a separate
extension "MetadataEdit".
=== New features in 1.16 ===
* Add CSS defintion of the 'wikitable' class to shared.css
* (bug 17163) Added MediaWiki:Talkpageheader which will be displayed when
viewing talk pages
* Superfluous border="0" removed from images
* Added new hook 'MessageCacheReplace' into MessageCache.php. For instance
to allow extensions to update caches in similar way as MediaWiki invalidates
a cached MonoBook sidebar
* Special:AllPages: Move hardcoded styles from code to CSS
* (bug 18529) New hook: SoftwareInfo for adding information about the software
to Special:Version
* Added $wgExtPGAlteredFields to allow extensions to easily alter the data
type of columns when using the Postgres backend.
* (bug 16950) Show move log when viewing/creating a deleted page
* (bug 18242) Show the Subversion revision number per extensions in
Special:Version
* (bug 18420) Missing file revisions are handled gracefully now
* (bug 9219) Auth plugins can control editing RealName/Email/Nick preferences
* (bug 18466) Add note or warning when overruling a move (semi-)protection
* (bug 18342) insertTags works in edit summary box
* (bug 18411) The upload form also checks post_max_size
* Watchlist now has a specialized
tag that contains a unique class for
each page
* Added Minguo calendar support for the Taiwan Chinese language
* Database: unionQueries function to be used for UNION sql construction, so
it can be overloaded on DB abstraction level for DB specific functionality
* (bug 18849) Implement Japanese and North Korean calendars
* (bug 5755) Introduce {{CURRENTMONTH1}} and {{LOCALMONTH1}} to display the
month number without the leading zero
* (bug 13456) categoriespagetext supports PLURAL
* (bug 18860) Blocks of IPs affecting registered users can now block email
* (bug 17093) Date and time are separate parameters in Special:BlockList
* (bug 11484) Added ISO speed rating to default collapsed EXIF metadata view
* (bug 14866) Messages 'recentchangeslinked-toolbox' and
'recentchangeslinked-toolbox' were added to allow more fine grained
customisation of the user interface
* DISPLAYTITLE now accepts a limited amount of wiki markup (the single-quote
items)
* Special:Search now could search terms in all variant-forms. ONLY apply on
wikis enabled LanguageConverter.
* Add autopromote condition APCOND_BLOCKED to autopromote blocked users to
various user groups.
* Add $wgRevokePermissions as a means of restricting a group's rights. The
syntax is identical to $wgGroupPermissions, but users in these groups will
have these rights stripped from them.
* Added a PHP port of CDB (constant database), for improved local caching when
the DBA extension is not available.
* Introduced a new system for localisation caching. The system is based around
fast fetches of individual messages, minimising memory overhead and startup
time in the typical case. The database backend will be used by default, but
set $wgCacheDirectory to get a faster CDB-based implementation.
* Expanded the number of variables which can be set in the extension messages
files.
* Added a feature to allow per-article process pool size control for the parsing
task, to limit resource usage when the cache for a heavily-viewed article is
invalidated. Requires an external daemon.
* (bug 19576) Moved the id attribues from the anchors accompanying section
headers to the elements within the section headers,
removing the redundant anchor elements.
* Parser::setFunctionTagHook now can be used to add a new tag which is parsed at
preprocesor level.
* Added $wgShowArchiveThumbnails, allowing sysadmins to disable thumbnail
display for old versions of images.
* In watchlists and Special:RecentChanges, the difference in page size now
appears in dark green if bytes were added and dark red if bytes were removed.
* Added FSRepo configuration properties thumbUrl and thumbDir, to allow the
thumbnails to be stored in a separate location to the source images.
* If config/ directory is not executable, the command to make it executable
now asks the user to cd to the correct directory
* Add experimental new external authentication framework, ExternalAuth
* (bug 18768) Remove AdminSettings requirements. Maintenance environment
will still load it if it exists, but it's not required for anything
* (bug 19900) The "listgrouprights-key" message is now wrapped in a div with
class "mw-listgrouprights-key"
* (bug 471) Allow RSS feeds for watchlist, using an opt-in security token
* (bug 10812) Interwiki links can have names and descriptions, fetched from
message 'interwiki-desc-PREFIX', not really used anywhere yet though
* (bug 9691) Add type (signup or login) parameter to
AuthPlugin::ModifyUITemplate()
* (bug 14454) "Member of group(s)" in Special:Preferences causes language
difficulties
* (bug 16697) Unicode combining characters are difficult to edit in some
browsers
* Parser test supports uploading results to remote CodeReview instance
* (bug 20013) Added CSS class "mw-version-ext-version" is wrapped on the
extension version in Special:Version
* (bug 20014) Added CSS class "mw-listgrouprights-right-name" is wrapped on the
right name in Special:ListGroupRights
* (bug 12920) New CoreParserFunction {{nse:...}} as an url-friendly equivalent
to {{ns:...}}
* (bug 16322) Allow maintenance scripts to accept DB user/pass over input or
params
* (bug 18566) Maintenance script to un/protect pages
* (bug 671) The HTML tag is now permitted.
* RecentChanges now has a legend to explain what the Nmb! flags mean, and the
flags have tooltips.
* (bug 15209) New hook BeforeInitialize called after everything has been setup
but before Mediawiki::performRequestForTitle()
* wgMainPageTitle variable now available to JavaScript code to identify the main
page link, so it doesn't have to be extracted from the link URLs.
* (bug 16836) Display preview of signature in user preferences and describe its
use
* The default output format is now HTML 5 instead of XHTML 1.0 Transitional.
This can be disabled by setting $wgHtml5 = false;. Specific features enabled
if HTML 5 is used:
** Some extra inputs will be autofocused, in supporting browsers.
** The summary attribute has been removed from tables of contents. summary is
obsolete in HTML 5 and wasn't useful here anyway.
** Unnecessary type="" attribute removed for CSS and JS.
** If $wgWellFormedXml is set to false, some bytes will be shaved off of HTML
output by omitting some things like quotation marks where HTML 5 allows.
** (bug 16921) maxlength enabled for page move comments
* The description message in $wgExtensionCredits can be an array with parameters
* New hook SpecialRandomGetRandomTitle allows extensions to modify the selection
criteria used by Special:Random and subclasses, or substitute a custom result,
deprecating the $wgExtraRandompageSQL config variable
* (bug 20318) Distinct CSS classes for ISBN/RFC/PMID special links added
* (bug 20404) Custom fields in the user creation form template can now have
detail labels in prefsectiontip divs.
* MakeSysop and MakeBot are now aliases for Special:UserRights
* IndexPager->mLimitsShown can now be an associative array of limit => text-to-
display-in-limit-form.
* (bug 18880) LogEventsList::showLogExtract() can now take a string-by-reference
and add its HTML to it, rather than having to go straight to $wgOut.
* Added $wgShowDBErrorBacktrace, to allow users to easily gather backtraces for
database connection and query errors.
* Show change block / unblock link on Special:Contributions if user is blocked
* Display note on Special:Contributions if the user is blocked, and provide an
excerpt from the block log.
* (bug 19646) New hook: ImgAuthBeforeStream for tests and functionality before
file is streamed to user, but only when using img_auth
* Note on non-existing user and user talk pages if user does not exist
* New hook ShowMissingArticle so extensions can modify the output for
non-existent pages.
* Admins could disable some variants using $wgDisabledVariants now. ONLY apply
on wikis enabled LanguageConverter.
* (bug 16310) Credits page now lists IP addresses rather than saying the number
of anonymous users that edited the page
* New permission 'sendemail' added. Default right for all registered users. Can
for example be used to prevent new accounts from sending spam.
* (bug 16979) Tracking categories for __INDEX__ and __NOINDEX__
* Two new hooks, ConfirmEmailComplete and InvalidateEmailComplete, which are
called after a user's email has been successfully confirmed or invalidated.
* (bug 19741) Moved the XCF files out of the main MediaWiki distribution, for
a smaller subversion checkout.
* (bug 13750) First letter capitalization can now be a per-namespace setting
* (bug 21073) "User does not exist" message no longer displayed on sub-sub-pages
of existing users
* (bug 21095) Tracking categories produced by the parser (expensive parser
function limit exceeded, __NOINDEX__ tracking, etc) can now be disabled by
setting the system message ([[MediaWiki:expensive-parserfunction-category]]
etc) to "-".
* Added maintenance script sqlite.php for SQLite-specific maintenance tasks.
* Rewrote Special:Upload to allow easier extension.
* Upload errors that can be solved by changing the filename now do not require
reuploading.
* Added $wgRateLimitsExcludedIPs, to allow specific IPs to be whitelisted from
rate limits.
* (bug 21222) When $wgUseTeX is not enabled,