= MediaWiki release notes = Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. == Mediawiki 1.6.8 == July 8, 2006 MediaWiki 1.6.8 is a security and bugfix maintenance release of the Spring 2006 snapshot: A potential HTML/JavaScript-injection vulnerability in a debugging script has been fixed. Only versions and configurations of PHP vulnerable to the $GLOBALS overwrite vulnerability are affected. As a workaround for existing installs, profileinfo.php may simply be deleted if it's not being used. * (bug 5957) Updates to Hebrew translation (he) * Respect language directionality when displaying arrow in Special:Brokenredirects * (bug 6415) Typo in Parser.php * Fixed potential XSS in profileinfo.php == Mediawiki 1.6.7 == June 6, 2006 MediaWiki 1.6.7 is a security and bugfix maintenance release of the Spring 2006 snapshot: An HTML/JavaScript-injection vulnerability in the edit form has been closed. This vulnerability was new in 1.6.0; MediaWiki versions 1.5.x or earlier are not affected. Extensions, comments, and sections are now handled in a one-pass way which is more reliable and safer. Under earlier versions of MediaWiki, certain extensions could be abused to inject HTML/JavaScript into the page. Additional precautions are made against offsite form submissions when the restricted raw HTML mode is enabled. Some small localization and user interface updates are also included. * (bug 6051) Improvement to German localisation (de) * (bug 6017) Update bookstore list for German language (de) * (bug 6138) Minor grammar tweak in "loginreqlink" * (bug 5957) Update for Hebrew language (he) * Increase robustness of parser placeholders; fixes some glitches when adjacent to identifier-ish constructs such as URLs. * (bug 5384) Fix in extension * Nesting of different tag extensions and comments should now work more consistently and more safely. A cleaner, one-pass tag strip lets the 'outer' tag either take source (-style) or pass it down to further parsing (-style). There should no longer be surprise expansion of foreign extensions inside HTML output, or differences in behavior based on the order tags are loaded. * (bug 885) Pre-save transform no longer silently appends close tags * Pre-save transform no longer changes the case of close tags * Edit security precautions in raw HTML mode, etc == MediaWiki 1.6.6 == May 23, 2006 MediaWiki 1.6.6 is a security and bugfix maintenance release. An XSS injection vector in brace replacement has been fixed, as have some potential problems with table parsing. Upgrading is strongly recommended for all users of 1.6. MediaWiki versions 1.5 and earlier are not affected. Additionally some localization and user interface updates are included. * Correct "revertpage" message in English * (bug 5507) Logouttext uses now wiki markup * (bug 5857, 5957) Update for German localisation (de) * (bug 5586) treated text as links * (bug 5957) Update for Hebrew language (he) * (bug 6025) SpecialImport: wrong message when no file selected * (bug 6015) EditPage: add spacing in the boxes "edit is minor" and "watch this" * (bug 6018) Userrights: new message when no user specified ('nouserspecified') * (bug 6055) Fix for HTML/JS injection bug in variable handler (found by Nick Jenkins) * Reordered wiki table handling and __TOC__ extraction in the parser to better handle some overlapping tag cases. * Only the first __TOC__ is now turned into a TOC. * (bug 361) URL in URL, they were almost fixed. Now they are. == MediaWiki 1.6.5 == May 2, 2006 * Rolled back the buggy patch for bug 5497 == MediaWiki 1.6.4 == May 2, 2006 * Further improvements to Hebrew localisation * (bug 5544) Fix redirect arrow in Special:Listredirects for right-to-left languages * Replace "doubleredirectsarrow" with a content language check that picks the appropriate arrow * Remove live debugging hack which caused errors with certain database names * (bug 5510) Warning produced when using {{SUBPAGENAME}} in some namespaces * (bug 5548) Improvements to Indonesian localisation [patch: Ivan Lanin] * (bug 5403) Fix Special:Newpages RSS/Atom feeds * (bug 3359) Add hooks on completion of file upload * (bug 5184) CSS misapplied to elements in Special:Allmessages due to conflicting anchor identifiers * (bug 5519) Allow sidebar cache to be disabled; disable it by default. * Add $wgReservedUsernames configuration directive to block account creation/use * (bug 5576) Remove debugging hack in session check * (bug 5181) Update "nogomatch" for Slovak * (bug 5594) Id translation up to '# Login and logout pages' section * (bug 5536) Use content language for editing help link * Minor improvements to English language files * Improvements to German localisation files * (bug 5628) Translations for MessagesHr.php * (bug 5595, 5644) Localisation for Bosnian language (bs) * (bug 5592) Actions are logged with the default language for the wiki, not the language of the user performing the operation. * (bug 5646) Compare for identical types in wfElement() * Fix for concurrency problem in job queue (image description page invalidation) * (bug 5497) regeression in HTML normalization in 1.6 (unclosed
  • ,
    ,
    ) * (bug 5709) Allow customisation of separator for categories * (bug 4834) Fix XHTML output when using $wgMaxTocLevel * Improvements to update scripts; print out the version, check for superuser credentials before attempting a connection, and produce a friendlier error if the connection fails * (bug 5005): Fix XHTML output. * (bug 5315) "Expires: -1" HTTP header made strictly valid (using 1970 date). * (bug 4825): note in DefaultSettings.php about 'profiling' table creation * Remove unneeded extra whitespace at top of Special:Categories * Rewrite reassignEdits script to be more efficient; support optional updates to recent changes table; add reporting and silent modes * Updated initStats maintenance script * (bug 5723) Don't count pages linked to from the MediaWiki namespace as "wanted" * (bug 5789) Treat "loginreqpagetext" as wikitext * (bug 5796) We require MySQL >=4.0.14 == MediaWiki 1.6.3 == April 10, 2006 * Fix disappearing red-linked items in the watchlist editing view * (bug 5512) Spacing in "page has a history" deletion warning * (bug 5508) Switch ENGINE in table statements back to TYPE; fixes regression where some versions of MySQL 4.0.x wouldn't work * Added note about $wgUrlProtocols format change == MediaWiki 1.6.2 == April 8, 2006 * Further improvements to Hebrew localisation * Fix 'copyright' message for Romanian * (bug 5476) Invalid xhtml in German localization * (bug 5479) Id translation for preferences tabs caption * (bug 5493) Id translation for special pages * Additional path fixes in the updater * (bug 5344) Fix regression that broke slashes in extension tag parameters == MediaWiki 1.6.1 == April 5, 2006 Some minor issues in the 1.6.0 release have been corrected: * (bug 5458) Fix double-URL encoding in block log link in contribs and contribs link in block log * (bug 5462) Bogus missing patch warning in updater * (bug 5461) Use of deprecated "showhideminor" in Special:Recentchangeslinked * PHP warning when allow_call_time_pass_reference is off * Update to Finnish localization == MediaWiki 1.6.0 == April 5, 2006 MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia. Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature development happen will be made on the development trunk and appear in the next quarterly release. Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN === What's new in 1.6 === User interface: * The account creation form has been separated from the user login form. * Page protection/unprotection uses a new, expanded form Templates: * Categories and "what links here" now update as expected when adding or removing links in a template. * Template parameters can now have default values, as {{{name|default value}}} Uploads: * Optional support for rasterizing SVG images to PNG for inline dislay Feeds: * Feed generation upgraded to Atom 1.0 * Diffs in RSS and Atom feeds are now colored for improved readability. Database: * MySQL 3.23.x support dropped; 4.0 or later required * Experimental support for Unicode mode of MySQL 4.1/5.0 (moderately tested) * Experimental Oracle support (not well tested!) Anti-spam extension support: * Spam blacklist extension now has support for automated cleanup: http://meta.wikimedia.org/wiki/SpamBlacklist_extension * Support for a captcha extension to restrict automated spam edits: http://meta.wikimedia.org/wiki/ConfirmEdit_extension Numerous bug fixes and other behind-the-scenes changes have been made; see the file HISTORY for a complete change list. == Compatibility == Older PHP 4.2 and 4.1 releases are no longer supported; PHP 4 users must upgrade to 4.3.3 or later. MediaWiki 1.6 is the last major version to support PHP 4; future versions will require PHP 5. MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases. == Upgrading == Several changes to the database have been made from 1.5; these are relatively minor but do require that the update process be run before the new code will work properly: * A new "templatelinks" table tracks template inclusions. * A new "externallinks" table tracks URL links; this can be used by a mass spam-cleanup tool in the SpamBlacklist extension. * A new "jobs" table stores a queue of pages to update in the background; this is used to update links in including pages when templates are edited. To ensure that these tables are filled with data, run refreshLinks.php after the upgrade. The format of the $wgUrlProtocols has changed from 1.5; it is now an array instead of a regular expression string. If you have customized this setting you will need to change it or external links will not work properly. See includes/DefaultSettings.php for the updated format. If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading! See the file UPGRADE for more detailed upgrade instructions. === Caveats === Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.) For notes on 1.5.x and older releases, see HISTORY. === Online documentation === Documentation for both end-users and site administrators is currently being built up on Meta-Wikipedia, and is covered under the GNU Free Documentation License: http://www.mediawiki.org/wiki/Documentation === Mailing list === A MediaWiki-l mailing list has been set up distinct from the Wikipedia wikitech-l list: http://mail.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. === IRC help === There's usually someone online in #mediawiki on irc.freenode.net