MediaWiki release notes
Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.
September 10, 2007
This is the Fall 2007 snapshot release of MediaWiki.
MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature developments will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
Changes since 1.11.0rc1
A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed.
The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php:
$wgEnableAPI = false;
(This is the default setting in 1.8.x.)
Not vulnerable versions:
- 1.11 >= 1.11.0
- 1.10 >= 1.10.2
- 1.9 >= 1.9.4
- 1.8 >= 1.8.5
Vulnerable versions:
- 1.11 <= 1.11.0rc1
- 1.10 <= 1.10.1
- 1.9 <= 1.9.3
- 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
MediaWiki 1.7 and below are not affected, as they do not include the faulty function; however, the BotQuery extension is similarly vulnerable unless updated to the latest SVN version.
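As an added illustration of the class of bug fixed here (not MediaWiki's own pretty-printer; the mechanism shown is assumed, only the fact of an HTML injection in pretty-printed API output comes from the notes above), a JSON "pretty-print" view that embeds the response in an HTML page, once without escaping and once escaped for the HTML text context:

```php
<?php
// Illustrative code, not MediaWiki's. A pretty-print mode renders an API
// response inside an HTML page; the response contains caller-supplied values
// (titles, search terms, error messages), so it is untrusted from the
// browser's point of view.

// Unsafe: the JSON text is interpolated straight into HTML. json_encode()
// does not escape '<' or '>' (unless JSON_HEX_TAG is passed), so a value such
// as "<script>..." reaches the browser as live markup inside the <pre>.
function prettyPrintUnsafe(array $result): string {
    $json = json_encode($result, JSON_PRETTY_PRINT);
    return "<html><body><pre>$json</pre></body></html>";
}

// Safe: the body is HTML-escaped before being embedded. ENT_QUOTES escapes
// both quote styles, ENT_SUBSTITUTE avoids returning an empty string on
// malformed UTF-8, and the charset is declared explicitly.
function prettyPrintSafe(array $result): string {
    $json = json_encode($result, JSON_PRETTY_PRINT);
    $escaped = htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<html><body><pre>$escaped</pre></body></html>";
}

// Constructed sample response containing a value a caller could have
// supplied through a request parameter.
$result = ['query' => ['search' => ['<script>alert(1)</script>']]];

// The unsafe output contains a real <script> element; the safe output
// contains &lt;script&gt;, which the browser displays as text.
header('Content-Type: text/html; charset=UTF-8');
echo prettyPrintSafe($result), "\n";
```

Disabling the API with $wgEnableAPI = false, as the notes recommend for unfixed versions, removes the pretty-print endpoint entirely; the escaping above is what the fixed versions must do when the endpoint stays enabled.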
Configuration changes since 1.10
- $wgThumbUpright - Adjust width of upright images when parameter 'upright' is
- $wgAddGroups, $wgRemoveGroups - Finer control over who can assign which
- $wgEnotifImpersonal, $wgEnotifUseJobQ - Bulk mail options for large sites
- $wgShowHostnames - Expose server host names through the API and HTML comments
- $wgSaveDeletedFiles has been removed, the feature is now enabled unconditionally
New features since 1.10
- (bug 8868) Separate "blocked" message for autoblocks
- Adding expiry of block to block messages
- Links to redirect pages in categories are wrapped in
- Introduced 'ImageOpenShowImageInlineBefore' hook; see docs/hooks.txt for
- (bug 9628) Show warnings about slave lag on Special:Contributions,
- (bug 8818) Expose "wpDestFile" as parameter $1 to "uploaddisabledtext"
- Introducing new image keyword 'upright' and corresponding variable
$wgThumbUpright. This allows upright images to be displayed in better proportion to the landscape images on a page, without nailing the width of upright images to a fixed value, which makes the view for anonymous users unproportional and user preferences useless.
- (bug 6072) Introducing 'border' keyword to the [[Image:]] syntax
- Introducing 'frameless' keyword to [[Image:]] syntax which respects the
user preferences for image width like 'thumb' but without a frame.
- (bug 7960) Link to "what links here" for each "what links here" entry
- Added support for configuration of an arbitrary number of commons-style
- Added a Content-Disposition header to thumb.php output
- Improved thumb.php error handling
- Display file history on local image description pages of shared images
- Added $wgArticleRobotPolicies
- (bug 10076) Additional parameter $7 added to MediaWiki:Blockedtext
containing the IP, IP range, or username whose block is affecting the
- (bug 7691) Show relevant lines from the deletion log when re-creating a
previously deleted article
- Added variables 'wgRestrictionEdit' and 'wgRestrictionMove' for JS to header
- (bug 9898) Allow viewing all namespaces in Special:Newpages
- (bug 10139) Introduce 'EditSectionLink' and 'EditSectionLinkForOther' hooks;
see docs/hooks.txt for details
- (bug 9769) Provide "watch this page" toggle on protection form
- (bug 9886) Provide clear example "stub link" in Special:Preferences
- (bug 10055) Populate email address and real name properties of User objects
passed to the 'AbortNewAccount' hook
- Show result of Special:Booksources in wiki content language always; it's
normally better maintained than the generic list from the standard message files
- (bug 7997) Allow users to be blocked from using Special:Emailuser
- (bug 8989) Blacklist 'mhtml' and 'mht' files from upload
- (bug 8760) Allow wiki links in "protectexpiry" message
- (bug 5908) Add "DEFAULTSORTKEY" and "DEFAULTCATEGORYSORT" aliases for
"DEFAULTSORT" magic word
- (bug 10181) Support the XCache object caching mechanism
- (bug 9058) Introduce '--aconf' option for all maintenance scripts, to provide
a path to the AdminSettings.php file
- (bug 8781) Remind users to check file permissions for LocalSettings.php
- Use shared.css for all skins and oldshared.css in place of common.css for
pre-Monobook skins. As always, modifications should go in-wiki to MediaWiki:Common.css and MediaWiki:Monobook.css.
- (bug 8869) Introduce Special:Uncategorizedtemplates
- (bug 8734) Different log message when article protection level is changed
- (bug 8458, 10338) Limit custom signature length to $wgMaxSigChars Unicode
- (bug 10096) Added an ability to query interwiki map table
- On reupload, add a null revision to the image description page
- Group log output by date
- Kurdish interface latin/arabic writing system with transliteration
- Support wiki text in all query page headers
- Add 'Orphanedpages' as an alias to Special:Lonelypages
- (bug 9328) Use "revision-info-current" message in place of "revision-info"
when viewing the current revision of a page, if available
- (bug 8890) Enable wiki text for "license" message
- Throw a showstopper exception when a hook function fails to return a value.
Forgetting to give a 'true' return value is a very common error which tends to cause hard-to-track-down interactions between extensions.
- Use $wgJobClasses to determine the correct Job to instantiate for a particular
queued task; allows extensions to introduce custom jobs
- (bug 10326) AJAX-based page watching and unwatching has been cleaned up and
enabled by default.
- Added option to install to MyISAM
- (bug 9250) Remove hardcoded minimum image name length of three characters
- Fixed DISPLAYTITLE behaviour to reject titles which don't normalise to the
same title as the current page, and enabled it by default
tag, like user JS/CSS
- (bug 10196) Add classes and dir="ltr" to the <pre>s on CSS and JS pages (new
Bugfixes since 1.10