1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
|
= MediaWiki release notes =
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
== MediaWiki 1.11.1 ==
January 23, 2008
This is a security and bugfix release of the Fall 2007 snapshot release of
MediaWiki. A potential XSS injection vector affecting api.php only for
Microsoft Internet Explorer users has been closed.
Changes in this release:
* (bug 11450) Fix creation of objectcache table on upgrade
* (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name
* Fix regression in LinkBatch.php breaking PHP 5.0
* Security fix for API on MSIE
To work around the vulnerability without upgrading, you may disable the
API if you don't need it:
$wgEnableAPI = false;
Not vulnerable versions:
* 1.12 or later
* 1.11 >= 1.11.1
* 1.10 >= 1.10.3
* 1.9 >= 1.9.5
* 1.8 any version (if $wgEnableAPI has been left off)
Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.2
* 1.9 <= 1.9.4
* 1.8 any version (if $wgEnableAPI has been switched on)
MediaWiki 1.7 and below are not affected as they do not include
the API functionality, however the BotQuery extension is similarly
vulnerable unless updated to the latest SVN version.
== MediaWiki 1.11.0 ==
September 10, 2007
This is the Fall 2007 snapshot release of MediaWiki.
MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
== Changes since 1.11.0rc1 ==
A possible HTML/XSS injection vector in the API pretty-printing mode has
been found and fixed.
The vulnerability may be worked around in an unfixed version by simply
disabling the API interface if it is not in use, by adding this to
LocalSettings.php:
$wgEnableAPI = false;
(This is the default setting in 1.8.x.)
Not vulnerable versions:
* 1.11 >= 1.11.0
* 1.10 >= 1.10.2
* 1.9 >= 1.9.4
* 1.8 >= 1.8.5
Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
MediaWiki 1.7 and below are not affected as they do not include
the faulty function, however the BotQuery extension is similarly
vulnerable unless updated to the latest SVN version.
== Configuration changes since 1.10 ==
* $wgThumbUpright - Adjust width of upright images when parameter 'upright' is
used
* $wgAddGroups, $wgRemoveGroups - Finer control over who can assign which
usergroups
* $wgEnotifImpersonal, $wgEnotifUseJobQ - Bulk mail options for large sites
* $wgShowHostnames - Expose server host names through the API and HTML comments
* $wgSaveDeletedFiles has been removed, the feature is now enabled unconditionally
== New features since 1.10 ==
* (bug 8868) Separate "blocked" message for autoblocks
* Adding expiry of block to block messages
* Links to redirect pages in categories are wrapped in
<span class="redirect-in-category"></span>
* Introduced 'ImageOpenShowImageInlineBefore' hook; see docs/hooks.txt for
more information
* (bug 9628) Show warnings about slave lag on Special:Contributions,
Special:Watchlist
* (bug 8818) Expose "wpDestFile" as parameter $1 to "uploaddisabledtext"
* Introducing new image keyword 'upright' and corresponding variable
$wgThumbUpright. This allows better proportional view of upright images
related to landscape images on a page without nailing the width of upright
images to a fix value which makes views for anon unproportional and user
preferences useless
* (bug 6072) Introducing 'border' keyword to the [[Image:]] syntax
* Introducing 'frameless' keyword to [[Image:]] syntax which respects the
user preferences for image width like 'thumb' but without a frame.
* (bug 7960) Link to "what links here" for each "what links here" entry
* Added support for configuration of an arbitrary number of commons-style
file repositories.
* Added a Content-Disposition header to thumb.php output
* Improved thumb.php error handling
* Display file history on local image description pages of shared images
* Added $wgArticleRobotPolicies
* (bug 10076) Additional parameter $7 added to MediaWiki:Blockedtext
containing, the ip, ip range, or username whose block is affecting the
* (bug 7691) Show relevant lines from the deletion log when re-creating a
previously deleted article
* Added variables 'wgRestrictionEdit' and 'wgRestrictionMove' for JS to header
* (bug 9898) Allow viewing all namespaces in Special:Newpages
* (bug 10139) Introduce 'EditSectionLink' and 'EditSectionLinkForOther' hooks;
see docs/hooks.txt for details
* (bug 9769) Provide "watch this page" toggle on protection form
* (bug 9886) Provide clear example "stub link" in Special:Preferences
* (bug 10055) Populate email address and real name properties of User objects
passed to the 'AbortNewAccount' hook
* Show result of Special:Booksources in wiki content language always, it's
normally better maintained than the generic list from the standard message
files
* (bug 7997) Allow users to be blocked from using Special:Emailuser
* (bug 8989) Blacklist 'mhtml' and 'mht' files from upload
* (bug 8760) Allow wiki links in "protectexpiry" message
* (bug 5908) Add "DEFAULTSORTKEY" and "DEFAULTCATEGORYSORT" aliases for
"DEFAULTSORT" magic word
* (bug 10181) Support the XCache object caching mechanism
* (bug 9058) Introduce '--aconf' option for all maintenance scripts, to provide
a path to the AdminSettings.php file
* (bug 8781) Remind users to check file permissions for LocalSettings.php
post-installation
* Use shared.css for all skins and oldshared.css in place of common.css for
pre-Monobook skins. As always, modifications should go in-wiki to MediaWiki:
Common.css and MediaWiki:Monobook.css.
* (bug 8869) Introduce Special:Uncategorizedtemplates
* (bug 8734) Different log message when article protection level is changed
* (bug 8458, 10338) Limit custom signature length to $wgMaxSigChars Unicode
characters
* (bug 10096) Added an ability to query interwiki map table
* On reupload, add a null revision to the image description page
* Group log output by date
* Kurdish interface latin/arabic writing system with transliteration
* Support wiki text in all query page headers
* Add 'Orphanedpages' as an alias to Special:Lonelypages
* (bug 9328) Use "revision-info-current" message in place of "revision-info"
when viewing the current revision of a page, if available
* (bug 8890) Enable wiki text for "license" message
* Throw a showstopper exception when a hook function fails to return a value.
Forgetting to give a 'true' return value is a very common error which tends
to cause hard-to-track-down interactions between extensions.
* Use $wgJobClasses to determine the correct Job to instantiate for a particular
queued task; allows extensions to introduce custom jobs
* (bug 10326) AJAX-based page watching and unwatching has been cleaned up and
enabled by default.
* Added option to install to MyISAM
* (bug 9250) Remove hardcoded minimum image name length of three characters
* Fixed DISPLAYTITLE behaviour to reject titles which don't normalise to the
same title as the current page, and enabled per default
* Wrap site CSS and JavaScript in a <pre> tag, like user JS/CSS
* (bug 10196) Add classes and dir="ltr" to the <pre>s on CSS and JS pages (new
classes: mw-code, mw-css, mw-js)
* (bug 6711) Add $wgAddGroups and $wgRemoveGroups to allow finer control over
usergroup assignment.
* Introduce 'UserEffectiveGroups' hook; see docs/hooks.txt for more information
* (bug 10387) Detect and handle '.php5' extension environments at install time
* Introduce 'ShowRawCssJs' hook; see docs/hooks.txt for more information
* (bug 10404) Show rights log for the selected user in Special:Userrights
* New javascript for upload page that will show a warning if a file with the
"destination filename" already exists.
* Add 'editsection-brackets' message to allow localization (or removal) of the
brackets in the "[edit]" link for sections
* (bug 10437) Move texvc styling to shared.css
* Introduce "raw editing" mode for the watchlist, to allow bulk additions,
removals, and convenient exporting of watchlist contents
* Show "undo" links in page histories
* Option to jump to specified time period in user contributions
* Improved feedback on "rollback success" page
* Show distinct 'namespaceprotected' message to users when namespace protection
prevents page editing
* (bug 9936) Per-edit suppression of preview-on-first edit with "preview=no"
* Allow showing a one-off preview on first edit with "preview=yes"
* (bug 9151) Remove timed redirects on "Return to X" pages for accessibility.
* Link to user logs in toolbox when viewing a user page
* (bug 10508) Allow HTML attributes on <gallery>
* (bug 1962) Allow HTML attributes on <math>
* (bug 10530) Introduce optional "sp-contributions-explain" message for
additional explanation in Special:Contributions
* (bug 10520) Preview licences during upload via AJAX (toggle with
$wgAjaxLicensePreview)
* New Parser::setTransparentTagHook for parser extension and template
compatibility
* Introduced 'ContributionsToolLinks' hook; see docs/hooks.txt for more
information
* Add a message if category is empty
* Add CSS compatibility for Opera 9.5
* Remove largely untested handheld stylesheet, which was causing more trouble
than good. Proper handheld support will be added at a future date. For now,
display should be acceptable either with CSS turned off or when using a so-
phisticated handheld browser.
* (bug 3173) Option to offer exported pages as a download, rather than displaying
inline, as in most browsers
* Pass the user as an argument to 'isValidPassword' hook callbacks; see
docs/hooks.txt for more information
* Introduce 'UserGetRights' hook; see docs/hooks.txt for more information
* (bug 9595) Pass new Revision to the 'ArticleInsertComplete' and
'ArticleSaveComplete' hooks; see docs/hooks.txt for more information
* (bug 9575) Accept upload description from GET parameters
* Skip the difference engine cache when 'action=purge' is used while requesting
a difference page, to allow refreshing the cache in case of errors
* (bug 10701) Link to Special:Listusers in default Special:Statistics messages
* Improved file history presentation
* (bug 10739) Users can now enter comments when reverting files
* Improved handling of permissions errors
* (bug 10793) "Mark patrolled" links will now be shown for users with
patrol permissions on all eligible diff pages
* (bug 10655) Show standard tool links for blocked users in block log messages
* Show standard tool links for blocked users in Special:Ipblocklist
* Miscellaneous aesthetic improvements to Special:Ipblocklist
* (bug 10826) Added link trail with Cyrillic characters for Mongolian language
* (bug 10859) Introduce 'UserGetImplicitGroups' hook; see docs/hooks.txt for
more information
* (bug 10832) Include user information when viewing a deleted revision
* (bug 10872) Fall back to sane defaults when generating protection selector
labels for custom restriction levels
* Show edit count in user preferences
* Improved support for audio/video extensions
* (bug 10937) Distinguish overwritten files in upload log
* Introduce 'ArticleUpdateBeforeRedirect' hook; see docs/hooks.txt for more
information
* Confirmation is now required when deleting old versions of files
* (bug 7535) Users can now enter comments when deleting old versions of files
* (bug 11001) Submit Special:Newpages as a GET, rather than a POST request
* The <strong></strong> around links to watched pages in change lists now
has a class - "mw-watched"
* (bug 9002) Provide a "view/restore deleted edits" link on Special:Upload
when a destination filename is provided that corresponds with previous
deleted files
* Make the "invalid special page" message clearer
* Add accesskey 's' and tooltip to 'upload file' button at Special:Upload
* Introduced 'SkinAfterBottomScripts' hook; see docs/hooks.txt for
more information
* (bug 11095) Honour "preview on first edit" preference when preloading
text for a non-existent page
* (bug 11022) Use a more accurate page title for Special:Whatlinkshere and
Special:Recentchangeslinked
* Add link to user contributions in normal watchlist edit mode
* (bug 9426) Add 'newsectionheaderdefaultlevel' message to allow
modification of the heading formatting for new sections when section=new
argument is supplied
* (bug 10836) Add 'newsectionsummary' message to allow modification of the
text that prefixes a new section link in Recent Changes
== Bugfixes since 1.10 ==
* (bug 9712) Use Arabic comma in date/time formats for Arabic and Farsi
* (bug 9670) Follow redirects when render edit section links to transcluded
templates.
* (bug 6204) Fix incorrect unindentation with $wgMaxTocLevel
* (bug 3431) Suppress "next page" link in Special:Search at end of results
* Don't show unblock form if the user doesn't have permission to use it
(cosmetic change, no vulnerabilities existed)
* Subtitle success message when unblocking a block ID instead of a pseudo link
like [[User:#123|#123]]
* Use the standard HTTP fetch functions when retrieving remote wiki pages
through transwiki, so we can take advantage of cURL goodies if available
* Disable user JavaScript on Special:Userlogin, Special:Resetpass and
Special:Preferences, to avoid a compromised script sniffing passwords, etc.
* (bug 9854, 3770) Clip overflow text in gallery boxes for visual cleanliness
instead of letting it flow outside the box or trigger ugly scroll bars.
* Tooltips for print version and permalink
* Links to the MediaWiki namespace for system messages having their default
values are no longer shown as nonexistent (e.g., in red)
* Special:Ipblocklist differentiates between empty list and no search results.
* (bug 5375) profiling does not respect read-only mode.
* (bug 7070) monobook/user.gif has antialias artifacts
* (bug 9123) Safer way when applying $wgLocalTZoffset
* (bug 9896) Documentation for $wgSquidServers and X-FORWARDED-FOR
* (bug 9417) Uploading new versions of images when using Postgres no longer
throws warnings.
* (bug 9908) Using tsearch2 with Postgres 8.1 no longer gives an error.
* (bug 1438) Fix for diff table layout on very wide lines.
Diff style rules have been broken out to common/diff.css,
and the dupes removed from the default skin files.
Skins can still override the default rules.
* (bug 1229) Balance columns in diff display evenly
* Right-align diff line numbers in RTL language display
* (bug 9332) Fix instructions in tests/README
* (bug 9813) Reject usernames containing '#' to avoid silent truncation
of fragments during the normalisation process
* (bug 7989) RSS feeds content now use black text when using white background.
* (bug 9971) Typo in a french language message.
* (bug 9973) Changed size was shown in advanced recentchanges collapsible items
with $wgRCShowChangedSized = false.
* Fix PHP strict standards warning in enhanced recent changes.
* (bug 5850) Added hexadecimal html entities comments for $digitTransformTable
entries.
* (bug 7432) Change language name for Aromanian (roa-rup)
* (bug 908) Unexistent special pages now generate a red link.
* (bug 7899) Added \hline and \vline to the list of allowed TeX commands
* (bug 7993) support mathematical symbol classes
* (bug 10007) Allow Block IP to work with Postgrs again.
* Add Google Wireless Transcoder to the Unicode editing blacklist
* (bug 10083) Fix for Special:Version breakage on PHP 5.2 with some hooks
* (bug 3624) TeX: \ker, \hom, \arg, \dim treated like \sin & \cos
* (bug 10132, 10134) Restore back-compatibility Image::imageUrl() function
* (bug 10113) Fix double-click for view source on protected pages
* (bug 10117) Special:Wantedpages doesn't handle invalid titles in result
set [now prints out a warning]
* (bug 10118) Introduced Special:Mostlinkedtemplates, report which lists
templates with a high number of inclusion links
* (bug 10104) Fixed Database::getLag() for PostgreSQL and Oracle
* (bug 9820) session.save_path check no longer halts installation, but
warns of possible bad values
* (bug 9978) Fixed session.save_path validation when using extended
configuration format, e.g. "5;/tmp"
* Don't generate a diff link in the patrol log if the page doesn't exist
* (bug 10067) Translations for former skins removed from message files
* (bug 9993) Force $wgShowExceptionDetails on during installation
* (bug 9980) Validate administrator username and password during
installation
* (bug 9383) Don't set a default value for BLOB column in rc-deleted
database patch
* (bug 10149) Don't show full template list on section-0 edit
* (bug 9909) Ensure access to binary fields in the math table use encodeBlob()
and decodeBlob()
* (bug 6743) Don't link broken image links to the upload form when uploads
are disabled
* (bug 9679) Improve documentation for $wgSiteNotice
* (bug 10215) Show custom editing introduction when editing existing pages
* (bug 10223) Fix edit link in noarticletext localizations for fr, oc
* (bug 10247) Fix IP address regex to avoid false positive IPv6 matches
* (bug 9948) Workaround for diff regression with old Mozilla versions
* (bug 10265) Fix regression in category image gallery paging
* (bug 8577) Fix some weird misapplications of time zones.
{{CURRENT*}} functions now consistently use UTC as intended, while
{{LOCAL*}} functions return local time per server config or $wgLocaltimezone.
Signature dates for Japanese and other languages including weekday now show
the correct day to match the rest of the time in local time.
* Escape the output of magic variables that return page name or part of it
* (bug 10309) Initialise parser state properly in extractSections(), fixes
some cases where section edits broke because tags were improperly stripped
* Avoid PHP notice errors when doing HTTP proxy purges for an empty list
* As intended, *skip* the HTTP proxy purges when doing HTCP purges
* (bug 9696) Fix handling of brace transformations in "pagemovedtext"
* (bug 10325) Fix regression in form action on Special:Listusers
* Fixed installation on MyISAM or old InnoDB with charset=utf8, was giving
overlong key errors.
* Fixed zero-padding issues with MySQL 5 binary schema
* (bug 10344) Don't follow a redirect after changing its protection level
* (bug 10333) Correct date format in Slovenian
* (bug 10160) Show error message for unknown namespace on Special:Allpages and
Special:Prefixindex; making forms prettier for RTL wikis.
* (bug 10334) Replace normal spaces before percent (%) signs with non-breaking
spaces
* (bug 10372) namespaceDupes.php no longer ignores namespace aliases
* (bug 10198) namespaceDupes.php no longer ignores interwiki prefixes
* namespaceDupes.php should work better for initial-lowercase wikis
* (bug 10377) "Permanent links" to revisions still work if the page is moved
and the redirect deleted
* (bug 7071) Properly handle an 'oldid' passed to view or edit that doesn't
match the given title. Fixes inconsistencies with talk, history, edit links.
* (bug 10397) Fix AJAX watch error fallback when we receive a bogus result
* (bug 10396) Fix AJAX error when $wgScriptPath/index.php is not valid;
using $wgScript now included in JS info
* Use native XMLHttpRequest class in preference to ActiveX on IE 7; this
avoids the "ActiveX "Do you want to allow ActiveX?" prompt when something
security settings are cranked this way and AJAX-y gets used.
* Delay AJAX watch initialization until click so IE 6 with ugly security
settings doesn't prompt you until you use the link.
* (bug 10401) Provide non-redirecting link to original title in Special:Movepage
* Fix broken handling of log views for page titles consisting of one
or more zeros, e.g. "0", "00" etc.
* Fix read permission check for special pages with subpage parameters, e.g.
Special:Confirmemail
* Fix read permission check for unreadable page titles which are numerically
equivalent to a whitelisted title
* '?>' closing tag removed from all files to help avoid problems with extraneous
whitespace (broken XML feeds, etc.)
* Don't use garbled parser cache output when viewing custom CSS or JavaScript
pages
* (bug 10406) Fix Special:Listusers filter form for non-ASCII localizations
* Fix empty message checks for message names containing &
This corrects some odd behavior with sidebar items and custom namespaces
containing ampersands.
* (bug 10375) Change thousands separator character to for Latin (la)
* (bug 10477) Fix AJAX watch for Farsi on Firefox: JavaScript encoding tweak
* (bug 10496) Fix broken DISTINCT option logic in database backend
* Fix CSS media declaration for "screen, projection"; was causing some
validation issues
* (bug 10495) $wgMemcachedDebug set twice in includes/DefaultSettings.php
* (bug 10316) Prevent inconsistent cached skin settings in gen=js by setting
the intended skin directly in the URL.
* (bug 9903) Don't mark redirects in categories as stubs
* (bug 6965) Cannot include "Template:R" with {{R}} (magic word conflict)
* Padding parser functions now work with strings like '0' that evaluate to false
* (bug 10332) Title->userCan( 'edit' ) may return false positive
* Fix bug with <nowiki> in front of links for wikis where linkPrefixExtension is true
* (bug 10552) Suppress rollback link in history for single-revision pages
* (bug 10538) Gracefully handle invalid input on move success page
* Fix for Esperanto double-x-encoding in move success page
* (bug 10526) Fix toolbar/insertTags behavior for IE 6/7 and Opera (8+)
Now matches the selection behavior on Mozilla / Safari.
Patch by Alex Smotrov.
* Don't show non-functional toolbar buttons on Opera 7 anymore
* (bug 9151) Fix relative subpage links with section fragments
* (bug 10560) Adding a space between category letter heading and "continues"
* (bug 4650) Keep impossibly large/small counts off Special:Statistics
* (bug 10608) PHP notice when installing with PostgreSQL
* (bug 10615) Fix for transwiki import when CURL not available
* (bug 8054) Return search page for empty search requests with ugly URLs
* (bug 10572) Force refresh after clearing visitation timestamps on watchlist
* (bug 10631) Warn when illegal characters are removed from filename at upload
* Fix several JavaScript bugs under MSIE 5/Macintosh
* (bug 10591) Use Arabic numerals (0,1,2...) for the Malayam language
* (bug 10642) Fix shift-click checkbox behavior for Opera 9.0+ and 6.0
* Work around Safari bug with pages ending in ".gz" or ".tgz"
* Removed obsolete maintenance/changeuser.sql script; use RenameUser extension
* (bug 2735) "Preview" shown in title bar for action=submit on special pages
* Removed "restore" links from the deletion log embedded in Special:Undelete
* Improved error reporting and robustness for file delete/undelete.
* Improved speed of file delete by storing the SHA-1 hash in image/oldimage
* Fixed leading zero in base 36 SHA-1 hash
* Protection form no longer produces JavaScript errors
* (bug 10741) File histories show "delete" links for non-sysops
* (bug 10744) Treat "noarticletext" and "noarticletextanon" as wiki text when
used on a non-existent page with "action=info"
* Fix escaping of raw message text when used on a non-existent page with
"action=info"
* (bug 10683) Fix inconsistent handling of URL-encoded titles in links
used in redirects (i.e. they now work)
* (bug 8878) Changes to $dateFormats in German localization (removing unused,
nonexistent formats, putting time after date)
* (bug 10769) Database::update() should return boolean result
* Fix preference checkbox display for right-to-left languages which caused
them to be hidden in IE in some cases
* Fix upload form display in right-to-left languages
* Fixed regression in blocking of username '0'
* (bug 9437) Don't overwrite edit form submission handler when setting up
edit box scroll position preserve/restore behaviour
* (bug 10805) Fix "undo" link when viewing the diff of the most recent
change to a page using "diff=0"
* (bug 10765) img_auth.php will now refuse logged-out requests where
$wgWhitelistRead is undefined, instead of (incorrectly) honouring them
* Fixed img_auth.php file name extraction for whitelist checking
* Tweak spacing of email preference display
* Table sorting JavaScript prefers textContent over innerText to allow hidden
sort keys to work on Safari
* (bug 4530) Fix local name of Kurdish language
* (bug 10830) Fix local name of Haitian Creole language
* Fix invalid XHTML in Special:Protectedpages
* Fix comments in contributions and log pages for right-to-left languages
* Make installer include_path-independent, so it should work on hosts which
disable user setting of PHP include_path setting
* glob() is horribly unreliable and doesn't work on some systems, including
free.fr shared hosting. No longer using it in Language::getLanguageNames()
* (bug 10763) Fix multi-insert logic for PostgreSQL
* Fix invalid XHTML when viewing a deleted revision
* Fix syntax error in translations of magic words in Romanian language
* (bug 8737) Fix warnings caused by incorrect use of `/dev/null` when piping
process error output under Windows
* (bug 7890) Don't list redirects to special pages in Special:BrokenRedirects
* (bug 10783) Resizing PNG-24 images with GD no longer causes all alpha
channel transparency to be lost and transparent pixels to be turned black
* (bug 9339) General error pages were transforming messages and their parameters
in the wrong order
* (bug 9026) Incorrect heading numbering when viewing Special:Statistics with
"auto-numbered headings" enabled
* Fixed invalid XHTML in Special:Upload
* (bug 11013) Make sure dl() is available before attempting to use it to check
available databases in installer
* Resizing transparent GIF images with GD now retains transparency by skipping
resampling
* (bug 11065) Fix regression in handling of wiki-formatted EXIF metadata
* Double encoding broke Special:Newpages for some languages
* Adding a newline before the statistics footer, to prevent parsing problems
* Preventing the TOC from appearing in Special:Statistics
* (bug 11082) Fix check for fully-specced table names in Database::tableName
* (bug 11067) Fix regression in upload conflict thumbnail display
* (bug 10985) Resolved cached entries on Special:DoubleRedirects were being
supressed, breaking paging - now strikes out "fixed" results
* (bug 8393) <sup> and <sub> need to be preserved (without attributes) for
entries in the table of contents
* (bug 11114) Fix regression in read-only mode error display during editing
* Force non-MySQL databases to use an ORDER BY in SpecialAllpages to ensure
that the first page_title is truly the first page title.
* (bug 10836) Change the summary on creating of new section
* Inclusion of Special:Wantedpages now works again
== API changes since 1.10 ==
Full API documentation is available at http://www.mediawiki.org/wiki/API
* New properties: links, templates, images, langlinks, categories, external
links
* Breaking Change: imagelinks renamed into imageusage (il->iu)
* Bug fix: incorrect generator behavior in some cases
* JSON format allows an optional callback function to wrap the result.
* Login module disabled until a more secure solution can be implemented
* (bug 9938) Querying by revision identifier returns the most recent revision
for the corresponding page, rather than the requested revision
* (bug 8772) Filter page revision queries by user
* (bug 9927) User contributions queries do not accept IP addresses
* Watchlist feed now reports a proper feed item when the user is not logged in
* Watchlist feed date bug fixed - automatically shows one last day
* Watchlist feed now allows to specify number of hours to monitor
* list=allpages now returns a list instead of a map in JSON format
* Breaking Change: in json, revisions are now returned as a list, not as a map.
* Add: prop=info can show page is new flag, current page length, and visit
counter.
* Change: Query watchlist now shows flags only when explicitly requested with
wlparam=flags
* rc_this_oldid (textid) is no longer accessible from query watchlist
* action=usercontribs: additional filtering by ucshow=; selection of needed
fields with ucprop=; the textid (rev_text_id) is no longer being exposed
* (bug 9970) Breaking Change: backlinks, embeddedin and imageusage now return
lists in JSON instead of a map, and do not return anything when titles do
not exist
* (bug 9121) Introduced indexpageids query parameter to list the page_id
values of all returned page items
* (bug 10147) Now interwiki titles are not processed but added to a separate
"interwiki" section of the output.
* Added categorymembers list to query for pages in a category.
* (bug 10260) Show page protection status
* (bug 10392) Include MediaWiki version details in version output
* (bug 10411) Site language in meta=siteinfo
* (bug 10391) action=help doesn't return help if format is fancy markup
* backlinks, embeddedin and imageusage lists should use (bl|ei|iu)title parameter
instead of titles. Titles for these lists is obsolete and might stop working soon.
* Added prop=imageinfo - gets image properties and upload history
* (bug 10211) Added db server replication lag information in meta=siteinfo
* Added external url search within wiki pages (list=exturlusage)
* Added link enumeration (list=alllinks)
* Added registered users enumeration (list=allusers)
* Added full text search in titles and content (list=search)
* (bug 10684) Expanded list=allusers functionality
* Possible breaking change: prop=revisions no longer includes pageid for rvprop=ids
* Added rvprop=size to prop=revisions (The size will not be shown if it is NULL in the database)
* list=allpages now allows to filter by article min/max size and protection status
* Added site statistics (siprop=statistics for meta=siteinfo)
* (bug 10902) Unable to fetch user contributions from IP addresses
* `list=usercontribs` no longer requires that the user exist
* (bug 10971) `aufrom` parameter doesn't work with spaces
* Fix username handling issue with `auprefix` parameter
* Treat underscores as spaces for `aufrom` and `auprefix` parameters
* Added edit/delete/... token retrieval to prop=info
* Added meta=userinfo - logged-in user information, group membership, rights
* (bug 11072) Fix regression in API image history query
* (bug 11115) Adding SHA1 hash to imageinfo query
* (bug 10898) API does not return an edit token for non-existent pages
* (bug 10890) Timestamp support for categorymembers query
* (bug 10980) Add exclude redirects on backlinks
* IPv6 titles in User namespace are normalized (run cleanupTitles.php to fix any old stray pages)
* Sysops now have the same limits on the number of items they can request in a query as bots.
== Maintenance script changes since 1.10 ==
* Add support for wgMaxTocLevel option in parserTests
* (bug 6823) Disable article view counter in maintenance/dumpHTML.php
* Fix maintenance/importImages.php so it doesn't barf PHP errors when no
suitable files are found, and make the list of extensions an option (defaults
to $wgFileExtensions)
* Add option to maintenance/createAndPromote.php to give the user bureaucrat
permissions (--bureaucrat)
* Allow overwriting existing files with a conflicting name using
maintenance/importImages.php
* (bug 10266) Use native newlines when rebuilding a messages file.
== Languages updated since 1.10 ==
* Afrikaans (af)
* Arabic (ar)
* Bikol (bcl)
* Bulgarian (bg)
* Catalan (ca)
* Danish (da)
* German (de)
* Greek (el)
* Esperanto (eo)
* Spanish (es)
* Estonian (et)
* Extremaduran (ext)
* Farsi (fa)
* Finnish (fi)
* Vöro (fiu-vro)
* French (fr)
* Français Cadien (frc) (new)
* Franco-Provençal/Arpetan (frp)
* Galician (gl)
* Hakka (hak)
* Hebrew (he)
* Upper Sorbian (hsb)
* Haitian (ht)
* Indonesian (id)
* Icelandic (is)
* Italian (it)
* Japanese (ja)
* Georgian (ka)
* Kabyle (kab)
* Kazakh (kk)
* Korean (ko)
* Kinaray-a (krj) (new)
* Kurdish (ku)
* Latin (la)
* Lao (lo)
* Lithuanian (lt)
* Latviešu (lv)
* Malayalam (ml)
* Bahasa Melayu (ms)
* Burmese (my)
* Low German (nds)
* Dutch (nl)
* Norwegian (no)
* Occitan (oc)
* Punjabi (Gurmukhi) (pa)
* Polish (pl)
* Piedmontese (pms)
* Portuguese (pt)
* Romani (rmy)
* Romanian (ro)
* Aromanian (roa-rup)
* Russian (ru)
* Sakha (sah)
* Sango (se) (new)
* Slovak (sk)
* Slovenian (sl)
* Shona (sn)
* Somali (so)
* Albanian (sq)
* Sundanese (su)
* Swedish (sv)
* Tamil (ta)
* Thai (th)
* Tigrinya (ti)
* Setswana (tn)
* Tok Pisin (tpi)
* Uyghur (ug)
* Volapük (vo)
* Winaray (war) (new)
* Yiddish (yi)
* Old Chinese / Late Middle Chinese (zh-classical)
* Chinese (PRC) (zh-cn)
* Chinese (Taiwan) (zh-tw)
* Cantonese (zh-yue)
== Compatibility ==
MediaWiki 1.11 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.
PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing:
http://bugs.php.net/bug.php?id=34879
Upgrade affected systems to PHP 5.1 or higher.
MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.
== Upgrading ==
1.11 has several database changes since 1.10, and will not work without schema
updates.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If upgrading from before 1.11, and you are using a wiki as a commons repository,
make sure that it is updated as well. Otherwise, errors may arise due to
database schema changes.
If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
=== Caveats ===
Some output, particularly involving user-supplied inline HTML, may not
produce 100% valid or well-formed XHTML output. Testers are welcome to
set $wgMimeType = "application/xhtml+xml"; to test for remaining problem
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)
For notes on 1.10.x and older releases, see HISTORY.
=== Online documentation ===
Documentation for both end-users and site administrators is currently being
built up on MediaWiki.org, and is covered under the GNU Free Documentation
License (except for pages that explicitly state that their contents are in
the public domain) :
http://www.mediawiki.org/wiki/Documentation
=== Mailing list ===
A MediaWiki-l mailing list has been set up distinct from the Wikipedia
wikitech-l list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
=== IRC help ===
There's usually someone online in #mediawiki on irc.freenode.net
|