Release notes/1.17

MediaWiki 1.17 edit

Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it off if you can.

MediaWiki 1.17.5 edit


This is a security release of the MediaWiki 1.17 branch.

Changes since 1.17.4 edit

  • (bug 36938) Correctly escape uselang attribute to prevent xss
  • Expanded Blacklist for SVG Files

MediaWiki 1.17.4 edit


This a maintenance and security release of the MediaWiki 1.17 branch.

Changes since 1.17.3 edit

  • (bug 35961) Hash comparison should always be strict.
  • Fix broken email confirmation expiration caused by MWCryptRand changes.
  • (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php on line 598.

MediaWiki 1.17.3 edit


This a maintenance and security release of the MediaWiki 1.17 branch.

Changes since 1.17.2 edit

  • (bug 22555) Remove or skip strip markers from tag hooks like <nowiki> in core parser functions which operate on strings, such as padleft.
  • (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token parameter present.
  • (bug 34907) Fixed exposure of tokens through load.php that could have facilitated CSRF attacks.
  • (bug 35317) CSRF in Special:Upload.

MediaWiki 1.17.2 edit


This a maintenance and security release of the MediaWiki 1.17 branch.

Changes since 1.17.1 edit

  • (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution.
  • (bug 32709) Private Wiki users were always taken to Special:Badtitle on login.

MediaWiki 1.17.1 edit


This a maintenance and security release of the MediaWiki 1.17 branch.

Changes since 1.17.0 edit

  • (bug 29535) Added missing Creative Commons CC0 icon.
  • (bug 29726) Fixed failure to load internationalization messages in client-side scripts on WebKit-based browsers.
  • Fixed a bug in message transformation where the previous language could leak into later transformations in the UI language.
  • (bug 29091) Fixed form of native name for Ossetic language (Иронау -> Ирон)
  • Fixed maintenance scripts upgrade1_5.php and rebuildImages.php, they did not work at all since 1.17 beta 1.
  • (bug 29531) Fixed img_auth.php for thumbnails and other filenames with multiple dots, was broken by the fix for bug 28840.
  • In the maintenance script purgeList.php, fixed a fatal error when a page title is given, instead of a URL.
  • (bug 19514) Unordered list list-style-image should be IE6-compatible (8-bit).
  • Installer checked for magic_quotes_runtime instead of register_globals.
  • $wgSVGMaxSize is now applied to the smaller of width or height, making very wide pano/timeline/diagram SVGs renderable at saner sizes.
  • (bug 29959) Installer fatal when cURL and allow_url_fopen is disabled and user tries to subsribe to mediawiki-announce.
  • Installer checked for magic_quotes_runtime instead of register_globals
  • (bug 30131) XCache with variable caching disabled no longer used for variable caching (CACHE_ACCEL)
  • (bug 30264) Changed installer-generated LocalSettings.php to use require_once() instead require() for included extensions.
  • (bug 26486) ResourceLoader modules with paths to nonexistent files cause PHP warnings/notices to be thrown
  • (bug 30907) Special:Unusedcategories should sort ascendingly.
  • (bug 30219) The page shown when LocalSettings.php does not exist was broken on Windows servers.
  • Hardcoded NLS_NUMERIC_CHARACTERS for Oracle DB to prevent type conversion errors.
  • Fixed recentchanges FK violation on page delete and cache purge error in updater for Oracle DB.
  • (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine wheter a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would allow page titles to be enumerated even when they are not guessable.
  • (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis.

MediaWiki 1.17.0 edit


This is the first stable release of the MediaWiki 1.17 branch.

Summary of selected changes in 1.17 edit

Selected changes since MediaWiki 1.16 that may be of interest:

  • A new installer has been introduced. It has a wizard-style interface which is translated into many languages. Many shortcomings in the old installer were addressed with this rewrite. Note that it is no longer required for the config directory to be made writable by the webserver. Instead the generated LocalSettings.php file is offered as a download, which you must then upload to the wiki's base directory.
  • ResourceLoader, a new framework for delivering client-side resources such as JavaScript and CSS, has been introduced. These resources are now delivered through the new entry point script "load.php", instead of as static files served directly by the web server. This allows minification, compression and client-side caching to be used more effectively, which should provide a net performance improvement for most users.
  • Category sorting has been improved.
    • Sorting is now case insensitive.
    • Sub-categories, pages and files can now be paged separately.
    • When several pages are given the same sort key, they sort by their names instead of randomly.
  • The lowest supported version of PHP is now 5.2.3. If necessary, please upgrade PHP prior to upgrading MediaWiki.

Changes since 1.17.0rc1 edit

  • Fixed syntax error in generated LocalSettings.php when a non-default user rights profile is chosen.
  • (bug 29399) Fixed PostgreSQL installation when the DB user for installation is the same as the one for web access.
  • (bug 29233) Fixed failover for DB slave servers. When a DB slave went down, an error was immediately shown to the user, instead of trying another slave. Was broken since 1.17 beta 1.
  • (bug 29278) Fixed PHP fatal error when attempting to add text to a page via a redirect.
  • (bug 29408) Fixed uploads of files with MIME types that aren't detected by MediaWiki.

Changes since 1.17 beta 1 edit

  • Fixed warning about missing file "password.js".
  • When installing on MySQL, don't attempt to create a new database user if the same user is used for installation and web access.
  • Fixed SQL query errors in queries with table aliases.
  • (bug 27891) Fixed the "chronology protector", broken since 1.17beta1, which ensures that when database replication is used, the new version is seen by the user immediately after they create or edit an article.
  • (bug 28845) Allow PostgreSQL installation using a non-root user account which has role creation abilities.
  • When installing on PostgreSQL and the install account is the same as the web account, check to make sure that the account has suitable privileges in the mediawiki schema.
  • (bug 28172) Fixed error in PostgreSQL installation when creating the wiki sysop account.
  • Fixed an issue with the Oracle installer in cases where the user is different to the database name.
  • Added "unblockself" to the list of available rights.
  • In the installer, fixed the "user rights profile" option, it never worked.
  • (bug 29117) Fixed Hebrew localisation of the installer.
  • (bug 28840) Reduce the collateral damage caused by the fix for bug 28235 (XSS on Internet Explorer 6 due to a file extension in the query string) by reducing the number of URLs that are blocked, and by redirecting the request to a safer URL where possible instead of blocking it.
  • (bug 28812) Fixed documentation of API action=parse.
  • (bug 28979) Fixed styling of <abbr> and <acronym>.
  • Fixed the error message displayed when you try to create an account by email, but an email address is not given.
  • Fixed JS error due to missing dependency for jquery.suggestions.
  • Exposed $wgExtensionAssetsPath in JavaScript.
  • (bug 28738) Made ResourceLoader support environments with small URL length limits. The length limit can be configured via $wgResourceLoaderMaxQueryLength , and this is set automatically in the generated LocalSettings.php when the php.ini variable "suhosin.get.max_value_length" is set. When a URL exceeds this limit, the request is split up. Also, reduced the average length of load.php URLs by using a more compact parameter format.
  • (bug 25262) Fix for minification of hardcoded data: URIs in CSS.
  • (bug 25124) Respect $wgStyleDirectory in ResourceLoader.
  • Allow installation when no HTTP client is available, don't throw an exception.
  • (bug 27465) Fix metadata extraction for SVG files using unusual namespace names.
  • (bug 29174) Fix regression in upload-by-URL: uploading files larger than the PHP memory limit should work again.
  • Fixed the display of comments in the new user log.
  • (bug 28237) When installing extensions using the web-based installer, create any necessary database tables.
  • (bug 28983) Fixed automated installation of extensions that overwrite $path.
  • Fixed error caused by missing magic words.
  • Fixed breakage of article editing in PostgreSQL due to text search configuration errors.
  • Fixed the HTTPS client used when Curl is not available. This avoids an error during install about failure of the mediawiki-announce subscription.
  • (bug 28162) When installing to PostgreSQL, respect the "database port" input, it was ignored.

Configuration changes in 1.17 edit

New features in 1.17 edit

  • (bug 10183) Users can now add personal styles and scripts to all skins via User:<name>/common.css and /common.js (if user css/js is enabled).
  • (bug 22748) Add anchors on Special:ListGroupRights.
  • (bug 21981) Add parameter 'showfilename' to <gallery> to automatically apply the names of the individual files within the gallery.
  • Future-proof redirection to fragments in Gecko, so things work a little nicer if they fix <>.
  • Support git:// and mms:// protocols by default for external links.
  • (bug 15810) Blocked admins can no longer unblock themselves without the 'unblockself' permission (which they have by default).
  • (bug 18499) Added "enhanced" URL parameter to switch between old and enhanced changes list.
  • (bug 22925) "sp-contributions-blocked-notice-anon" message now displayed when viewing contributions of a blocked IP address.
  • (bug 22474) {{urlencode:}} now takes an optional second parameter for type of escaping.
  • Special:Listfiles now supports a username parameter.
  • Special:Random carries over query string parameters.
  • (bug 23206) Add Special::Search hook for detecting successful "Go".
  • When visiting a "red link" of a deleted file, a deletion and move log excerpt is provided on the Upload form.
  • (bug 22647) Add category details in search results.
  • (bug 23276) Add hook to Special:NewPages to modify query.
  • Add accesskey 's' and tooltip to 'Save' button at Special:Preferences.
  • Add accesskey 'b' and tooltip to the summary field of edit mode.
  • (bug 20186) Allow filtering Special:Contributions for RevisionDeleted edits.
  • ajaxwatch now uses the API and JQuery, and can be used to animate arbitrary watch links, not just to watch the page the link is on.
  • (bug 20976) "searchmenu-new-nocreate" message now displayed when when there is no title match in search and the user has no rights to create pages.
  • (bug 23429) Added new hook WatchlistEditorBuildRemoveLine.
  • (bug 22844) Added support for WinCache object caching (for IIS).
  • (bug 23580) Add two new events to LivePreview so that scripts can be notified about the beginning and finishing of LivePreview actions.
  • (bug 21278) Now the sidebar allows inclusion of wiki markup.
  • (bug 23733) Add IDs to messages used on CSS/JS pages.
  • Show validity period of the login cookie in Special:UserLogin and Special:Preferences.
  • Interlanguage links display the page title in their tooltip.
  • (bug 23621) New Special:ComparePages to compare (diff) two articles.
  • (bug 4597) Provide support in Special:Contributions to show only "current" contributions
  • (bug 17857) {{anchorencode}} acts more like how the parser creates section ids
  • (bug 21477) \& can now be used in <math>
  • (bug 11641) \dotsc \dotsm \dotsi \dotso can now be used in <math>
  • (bug 21475) \mathtt and \textsf can now be used in <math>
  • texvc is now run via, to limit execution time.
  • SQLite now supports $wgSharedDB .
  • (bug 8507) Group file links by namespace:title on image pages.
  • Stop emitting named entities, so we can use <!DOCTYPE html> while still being well-formed XML.
  • texvc now supports \bcancel and \xcancel in addition to \cancel and \cancelto
  • Added scriptExtension setting to $wgForeignFileRepos .
  • ForeignApiRepo uses scriptDirUrl if apiBase not set.
  • (bug 24212) Added MediaWiki:Filepage.css which is also included on foreign client wikis.
  • (bug 14685) Double underscore magic word usage is now tracked in the page_props table, as well as the behavioral magic words {{DEFAULTSORT}} and {{DISPLAYTITLE}}
  • (bug 24045) MediaWiki:Ipb-needreblock is now wrapped in a div with class "mw-ipb-needreblock"
  • Non-file pages can no longer be moved to the file namespace, nor vice versa.
  • (bug 671) The <dfn>, <kbd> and <samp> elements have been whitelisted in user input.
  • (bug 21503) There's now a "reason" field when creating account for other users.
  • (bug 24418) action=markpatrolled now requires a token.
  • A variety of category sort-related fixes, including:
    • (bug 164) In English, lowercase and uppercase letters now sort the same.
    • (bug 1211) Subcategories, ordinary pages, and files now page separately.
    • When several pages are given the same sort key, they sort by their names instead of randomly.
  • (bug 23848) Add {{ARTICLEPATH}} Magic Word.
  • (bug 8140) Add dedicated CSS classes to Special:Newpages elements.
  • (bug 11005) Add CSS class to empty pages in Special:Newpages.
  • The parser cache is now shared amongst users whose different settings aren't used in the page.
  • Any attribute beginning with "data-" can now be used in wikitext, per HTML5.
  • (bug 24007) Diff pages now mention the number of users having edited intermediate revisions.
  • Added new hook GetIP.
  • Special:Version now displays whether a SQLite database supports full-text search.
  • TS_ISO_8691_BASIC was added as a time format, which is used by ResourceLoader for versioning.
  • Maintenance scripts get a --memory-limit option to override defaults (which is usually to set it to -1 to disable the limit).
  • (bug 25397) Allow uploading (not displaying) of WebP images, disabled by default.
  • (bug 23194) Special:ListFiles now has thumbnails.
  • Use hreflang to specify canonical and alternate links, search engine friendly when a wiki has multiple variant languages.
  • (bug 19593) Specifying --server in now works for all maintenance scripts.
  • Now rebuildtextindex.php warns if SQLite doesn't support full-text search.
  • (bug 10541) Front/backend separation of installation/upgrade code.
  • (bug 10596) Allow installer to enable extensions already in extensions folder.
  • (bug 20627) Installer should be in languages other than English.
  • Support for metadata in SVG files (title, description).
  • Special:Search: Add CSS classes to 'none found' and 'create link' messages.
  • Add CSS classes (including namespace and pagename) to the enhanced recent changes/watchlist entries.
  • (bug 22463) Add hook 'SkinGetPoweredBy' to make 'powered by' icon/text customizable.
  • Added CSS print pagination to the print stylesheets.
  • (bug 25960) Add <link rel=canonical"> for File pages of shared/foreign file repositories.
  • When viewing a redirect, the redirect arrow and redirection target are both wrapped in a div that has the class "redirectMsg" so that the redirection arrow can be customized with CSS.
  • (bug 21911) Hard coded limit for long page warning removed. New message [[MediaWiki:Longpage-hint]] (empty per default) can be used instead. Parameters: $1 shows the formatted textsize in Byte/KB/MB, $2 is the raw number of the textsize in Byte.
  • (bug 3276) Give image <gallery>s fluid width.
  • Added uploads link to page subtitle in Special:Contributions.
  • Added Special:Myuploads special page that redirects to Special:Listfiles.
  • The footerlinks used in Monobook/Vector/Modern are now part of common skin code, SkinTemplateOutputPageBeforeExec can be used to customize the list.
  • Special wrapping setups can now define MW_CONFIG_FILE to load a config file other than LocalSettings.php. This is like MW_CONFIG_CALLBACK but works in some cases where MW_CONFIG_CALLBACK will not work.
  • (bug 26574) Added 'upload' to $wgRestrictionTypes , allowing upload protected pages to be queried via the API and Special:ProtectedPages, and allowing disabling upload protection by removing it from $wgRestrictionTypes .
  • The name attribute of HTMLForm fields can now be overridden by passing a 'name' key in the descriptor array. Hidden field names are now treated consistently with other fields and, by default, prefixed with 'wp'.
  • (bug 27402) Add support for disabling MWSuggest.
  • (bug 26563) Add bytes changed per revision for stub and full article dumps.
  • (bug 27508) Add $wgSVGMetadataCutoff to limit the maximum amount of an svg we look at when finding metadata to prevent excessive resource usage.
  • (bug 198) $wgUpgradeKey allows unlocking the web installer for upgrades without having to move LocalSettings.php
  • Added $wgAllowImageTag , which can be set to true to whitelist the <img> tag in wikitext.
  • (bug 12797) Add $wgGalleryOptions for adjusting of default gallery display options.
  • Added the $wgAllowUserCssPrefs option which allows disabling CSS-based preferences; which can improve page loading speed.
  • Added $wgSQLMode for setting database SQL modes - either performance (null) or other reasons (such as enabling stricter checks).
  • (bug 20193) Added $wgVectorShowVariantName global configuration variable which causes Vector to render the variants drop-down menu with a label showing the current variant name. This is off by default, pending further research into its user experience implications.
  • The upload link for missing files can now be set separately from the navigation link with $wgUploadMissingFileUrl .
  • $wgAdditionalMailParams added to allow setting extra options to mail() calls.
  • Added $wgSecureLogin to optionally login using HTTPS.
  • (bug 25728) Added $wgPasswordSenderName to make the name associated with $wgPasswordSender configurable.
  • (bug 22463) $wgFooterIcons added to allow configuration of the icons shown in the footers of skins.
  • $wgFileCacheDepth can be used to set the depth of the subdirectory hierarchy. used for the file cache. Default value is 2, which matches former behavior.

Bug fixes in 1.17 edit

  • (bug 17560) Half-broken deletion moved image files to deletion archive without updating database.
  • (bug 22666) Submitting user block form with an invalid user name no longer throws an error.
  • (bug 22665, bug 22667) User '0' can now be unblocked and have its block settings changed.
  • (bug 22606) The body of e-mail address confirmation message is now different when the address changed.
  • (bug 22664) Special:Userrights now accepts '0' as a valid user name.
  • (bug 5210) Preload parser now parses <noinclude>, <includeonly> and redirects.
  • (bug 22709) IIS7 mishandles redirects generated by OutputPage::output() when the URL contains a colon.
  • (bug 22353) Categorised recent changes now works again.
  • (bug 22747) "Reveal my e-mail address in notification e-mails" preference is now only displayed when relevant.
  • (bug 22772) {{#special:}} parser function now works with subpages.
  • (bug 18664) Relative URIs in interwiki links cause failed redirects.
  • (bug 19270) Relative URIs in interwiki links break interwiki transclusion.
  • (bug 22903) Revdelete log entries now show in the user preferred language.
  • (bug 22905) Correctly handle <abbr> followed by ISBN.
  • (bug 22940) Namespace aliases pointing to main namespace don't work.
  • (bug 15810) Blocked admins can no longer block/unblock other users.
  • (bug 22876) Avoid possible PHP Notice if $wgDefaultUserOptions is not correctly set.
  • (bug 14952) Page titles are renormalized after html entities are removed so that links with non-NFC character references work correctly.
  • (bug 22991) wgUserGroups JavaScript variable now reports * group for anonymous users instead of null.
  • (bug 22627) Remove PHP notice when deleting a page only hidden users edited.
  • (bug 21520) Anonymous previews now also gives a warning about not being logged in (anonpreviewwarning).
  • (bug 22935) image/x-ms-bmp mime type added for BMP files.
  • (bug 23024) Special:ListFiles now escapes file names correctly.
  • (bug 22867) "View source" tab is now only displayed if there's source text.
  • (bug 19393) Feeds now format dates in user language rather than content language.
  • (bug 22852) "Served in" comment is now the time used to cache a single page when using rebuildFileCache.php
  • (bug 22496) Viewing diff of a redirect page without specifying "oldid". parameter no longer makes the page displayed as being the redirect target.
  • (bug 22918) Feed cache keys now use $wgRenderHashAppend .
  • (bug 21916) Last-Modified header is now correct when outputting cached feed.
  • (bug 20049) Fixed PHP notice in search highlighter that occurs in some cases.
  • (bug 23017) Special:Disambiguations now list pages in content namespaces rather than only main namespace.
  • (bug 23063) $wgMaxAnimatedGifArea is checked against the total size of all. frames, and $wgMaxImageArea against the size of the first frame, rather than the other way around. Both now default to 12.5 megapixels. Also, images exceeding $wgMaxImageArea can still be embedded at original size.
  • (bug 23078) "All public logs" option on Special:Log is now always the first item.
  • (bug 16817) Group names in user rights log are now singular and in lowercase.
  • Special:Preferences no longer crashes if the wiki default date formatting style is not valid for the user's interface language.
  • (bug 23167) Check the watch checkbox by default if the watchcreations preference is set.
  • Maintenance script cleanupTitles is now able to fix titles stored in a negative namespace (which is invalid).
  • (bug 19858) Removed obsolete <big> in interface messages.
  • (bug 21456) "Bad title" error when showing non-local interwiki pages no longer displays incorrect tabs.
  • (bug 23190) Improved math representation for text browsers.
  • (bug 22015) Improved upload-by-url error handling and error display.
  • (bug 17941) $wgMaxUploadSize is now honored by all upload sources.
  • (bug 23080) New usernames now limited to 235 bytes so that custom skin files work.
  • (bug 23075) Correct MediaTransformError default width in gallery.
  • (bug 16487) The Anonymous user account used on Postgres is no longer displayed on Special:Listusers.
  • (bug 23313) Move watchlisthidepatrolled above token in watchlist preferences to enhance preference grouping.
  • (bug 23298) Interwiki links with prefix only in log summaries now link to the correct link.
  • (bug 23284) Times are now rounded correctly.
  • (bug 23375) Added ogv, oga, spx as extensions for ogg files.
  • (bug 18408) All required permissions for uploading (upload, edit, create). are now checked when loading Special:Upload. Toolbar link for Special:Upload is no longer shown if the user does not have the required permissions.
  • (bug 23397) texvc in html mode renders \sim as ˜ not ∼
  • (bug 23241) License selector should be disabled during upload of a new version.
  • (bug 23240) Add ID to namespace selector form on Special:Watchlist.
  • The pipe | character in urls is now escaped.
  • (bug 23422) mp3 files can now be moved.
  • (bug 23448) MediaWiki:Summary-preview is now displayed instead of MediaWiki:Subject-preview when previewing summary.
  • (bug 23426) The {{REVISIONMONTH}} variable is now zero-padded and added new variable {{REVISIONMONTH1}} when unpadded version is needed.
  • Special:Userrights didn't recognize user as changing his/her own rights if user did not capitalize first letter of username.
  • (bug 23507) Add styles for printing wikitables.
  • (bug 19586) Avoid JS errors in mwsuggest when using old browsers such as Opera 8.
  • (bug 23563) Old skins now support $wgUploadNavigationUrl and take into account upload rights.
  • (bug 1347) Render \phi in math using images, in order to create consistent and correct render results.
  • (bug 16573) Render \epsilon in math using images, in order to create consistent and correct render results.
  • (bug 22541) Support image redirects when using ForeignAPIRepo.
  • (bug 22967) Make edit summary length cut-off behave correctly for multibyte characters.
  • (bug 8689) Long numeric lines no longer kill the parser.
  • (bug 23740) Article::doRedirect() now use $extraQuery parameter correctly if the $noRedir parameter is set to true.
  • (bug 23688) Correct mime types for Office 2007 OpenXML documents.
  • (bug 23787) Corrected $wgDefaultSkin 's comment in DefaultSettings.php.
  • (bug 23797) Xml::input() now allows '0' for the value parameter.
  • (bug 23747) Make sure that on History pages, the RevDel button is not accidentally activated when hitting enter.
  • (bug 23845) Special:ListFiles now uses correct file names without underscores.
  • Ask for permanent login in Special:Preferences only if $wgCookieExpiration > 0.
  • (bug 16356) Repair to use proper normalization.
  • (bug 24006) deleteArchivedRevisions.php maintenance script no longer throws a fatal error.
  • (bug 23465) Don't ignore the predefined destination filename on Special:Upload after following a red link.
  • (bug 23642) Recognize mime types of MS OpenXML documents.
  • (bug 22784) Normalise underscores and spaces in autocomments.
  • (bug 19910) Headings of the form ===+\s+ are now displayed as valid headings.
  • (bug 24022) Only check file extensions on the uploadpage when needed.
  • (bug 24076) Recognize Office 2003 files with OpenXML trailers.
  • (bug 24244) Updated comments in DefaultSettings.php to reflect. Image: --> File: namespace rename.
  • Make wfTimestamp recognize negative unix timestamp values.
  • (bug 24401) SimpleSearch: No button/text indicating 'Search' if image is disabled.
  • (bug 23293) Do not show change tags when Special:RecentChanges(linked) or Special:Newpages is transcluded into another page as it messes up the page.
  • (bug 24517) LocalFile::newFromKey() and OldLocalFile::newFromKey() no longer throw fatal errors.
  • (bug 23380) Uploaded files that are larger than allowed by PHP now show a useful error message.
  • Uploading to a protected title will allow the user to choose a new name instead of showing an error page.
  • (bug 24425) Use Database::replace instead of delete/insert in SqlBagOStuff::set to avoid query errors about duplicate keynames.
  • (bug 15470) First letters of filenames are always capitalized by upload JS.
  • (bug 21215) NoLocalSettings.php doesn't tolerate rewrite rules.
  • (bug 21052) Fix link color for stubs in NewPages.
  • (bug 24714) Usage of {{#dateformat: }} in wikis without $wgUseDynamicDates no longer pollutes the parser cache.
  • (bug 17031) Correct which characters the parser allows in tag attributes (a letter, colon or underscore followed by 0 or more letters, numbers, colons, underscores, hyphens, and/or periods).
  • Save 200 useless queries on each category page view.
  • Shell commands will now work on Linux in filesystems mounted noexec.
  • (bug 24804) Corrected commafying in Polish and Ukrainian.
  • "Difference between pages" is now displayed instead of "Difference between revisions" on diffs when appropriate.
  • (bug 23703) ForeignAPIRepo fails on findBySha1() when using a 1.14 install as a repository due to missing 'name' attribute from the API list=allimages.
  • (bug 24898) MediaWiki uses /tmp even if a vHost-specific tempdir is set, also make wfTempDir() return a sane value for Windows on worst-case.
  • (bug 24824) Support ImageMagick 6.5.6-2+ JPEG decoder size hint, to reduce memory usage when such an ImageMagick is used for scaling.
  • Disable multithreaded behaviour in recent ImageMagick, to avoid a deadlock when a resource limit such as $wgMaxShellMemory is hit.
  • (bug 24981) Allow extensions to access SpecialUpload variables again.
  • (bug 20744) Wiki forgets about an uploaded file.
  • (bug 17913) Don't show "older edit" when no older edit available.
  • (bug 6204) TOC not properly rendered when using $wgMaxTocLevel .
  • (bug 24977) The accesskey in history page now lead directly to the diff. instead of alternating focus between the two buttons.
  • (bug 24987) Special:ListUsers does not take external groups into account.
  • (bug 20633) update.php has mixed language output.
  • SQLite system table names are now never prefixed.
  • (bug 25292) SkinSubPageSubtitle hook now passes the Skin object as second parameter.
  • (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16).
  • (bug 25367) wfShellExec() is more explicit when failing due to disabled passthru().
  • (bug 25462) Fix double-escaping for section edit link tooltips.
  • action=raw was removed for Special:Statistics. This information is still available via the API.
  • (bug 23934) Groups defined in $wgRevokePermissions but not in $wgGroupPermissions now appear on Special:ListGroupRights.
  • (bug 23923) Special:Prefixindex no longer shows results if nothing was requested.
  • (bug 22308) Search now finds text in default main page immediately after setup.
  • (bug 25697) Make sure empty lines render in diff view.
  • Use an actual minus sign in diff views, instead of a hyphen.
  • (bug 23732) Clarified "n links" message on Special:MostLinkedFiles.
  • (bug 23731) Clarified "n links" message on Special:MostLinkedTemplates.
  • (bug 25642) A exception is now thrown instead of a fatal error when using $wgSMTP without PEAR mail package.
  • (bug 19633) When possible, Upscale small SVGs when creating thumbnails.
  • (bug 11013) Database driver detection needs rewriting for robustness.
  • (bug 13409) Installer prompts could use clarification--now has help boxes.
  • (bug 16902) Installer spews warnings when exec() and dl() are not available.
  • (bug 19129) Only show MyISAM/InnoDB when supported.
  • (bug 17762) Only show other e-mail options when e-mail is globally enabled.
  • Cache multiple sizes of InstantCommons thumbnails.
  • (bug 25488) Disallowing anonymous users to read pages no longer throws error on discussion pages with vector as default skin.
  • (bug 24833) Files name in includes/diff/ are now less confusing.
  • (bug 25713) SpecialPage::resolveAlias() now normalise spaces to underscores.
  • (bug 25829) Special:Mypage and Special:Mytalk now forward oldid, diff and dir parameters.
  • (bug 25175) HTML file cache now honor $wgCacheDirectory if $wgFileCacheDirectory is not set.
  • (bug 13353) Diff3 version checks were too strict, did not detect working diff3.
  • (bug 25843) Links to special pages using link= attribute on images are now. normalised like normal links to special pages.
  • (bug 21364) External links using link= attribute on images now respect $wgExternalLinkTarget .
  • (bug 17789) Added a note to the total views on Special:Statistics saying that is doesn't count non-existing pages and special pages.
  • (bug 17996) HTTP redirects are now combined when requesting a special page.
  • (bug 19944) Link on image thumbnails no longer link to "Media:" namespace in some cases.
  • (bug 25670) wfFindFile() now checks the namespace of the given title, only "File" and "Media" are allowed now.
  • (bug 25872) Rename the HttpRequest class to MWHttpRequest to avoid conflict with php extension that defines same class.
  • (bug 20591) There's now a different message on Special:MovePage when $wgFixDoubleRedirects is set to false.
  • Fixed PHP warnings when updating a broken MySQL database.
  • (bug 26023) Corrected deleteBacth.php's documentation.
  • (bug 25451) Improved datetime representation in 32 bit php >= 5.2.
  • Show "skin does not exist error" only when the skin is inputted in the wrong case.
  • (bug 26164) Potential html injection when the database server isn't available.
  • (bug 26160) Upload description set by extensions are not propagated.
  • (bug 9675) generateSitemap.php now takes an --urlpath parameter to allow absolute URLs in the sitemap index (as required e.g. by Google).
  • Partial workaround for bug 6220: at least make files on shared repositories show up as (struck-out) bluelinks instead of redlinks on Special:WantedFiles.
  • rebuildFileCache.php no longer creates inappropriate cache files for redirects.
  • (bug 25512) Subcategory list should not include category prefix for members.
  • (bug 10871) Javascript and CSS pages in MediaWiki namespace are no longer treated as wikitext on preview.
  • Page existence is now not revealed (in the colour of the tabs) to users who cannot read the page in question.
  • (bug 22753) Output from update.php is more clear when things changed, entries indicating nothing changed are now all prefixed by "..."
  • (bug 16019) $wgArticlePath = "/$1" no longer breaks API edit/watch actions.
  • (bug 18372) File types blacklisted by $wgFileBlacklist will no longer be shown as "Permitted file types" on the upload form.
  • (bug 26540) Fixed wrong call to applyPatch in MysqlUpdater.
  • (bug 26034) Make the "View / Read" tab in content_navigation style tabs remain selected when the action is "purge".
  • (bug 26733) Wrap initial table creation in transaction.
  • (bug 26208) Mark directionality of some interlanguage links.
  • (bug 26716) Provide link to instructions for external editor related preferences.
  • (bug 26961) Hide anon edits in watchlist preference now actually works.
  • (bug 1379) Installer directory conflicts with some hosts' configuration panel.
  • (bug 27781) Installer does not warn about 5.1.x. Added a compatibility function for array_key_exists().
  • Fix XML well-formedness on a few pages when $wgHtml5 is true (the default).
  • (bug 28069) MediaWiki fails streaming files when mod_deflate and ob_gzhandler are also set.
  • (bug 26223) Concurrently moving an article to different titles leaks a redirect revision with no page.
  • (bug 15641) Fixed permissions checks in Special:Import which allowed users without the 'import' permission to import pages from configured import sources.
  • (bug 26449) Keep underlines from headings outside of tables and thumbs by adding overflow:hidden to h1,h2,h3,h4,h5,h6 (also fixes editsection bunching).
  • (bug 26708) Remove background-color:white from tables in Monobook and Vector.
  • (bug 26781) {{PAGENAME}} and related parser functions escape their output better.
  • (bug 26716) Provide link to instructions for external editor related preferences and add a comment to the ini control file explaining what is going on.
  • (bug 28422) Remove color:black from tables in Monobook and Vector. And add it to table.wikitable instead.
  • (bug 27560) Search queries no longer fail in walloon language.
  • (bug 27700) The upload protection can now also be set for files that do not exist.
  • (bug 28034) uploading file to local wiki when file exists on shared repository (commons) gives spurious info in the warning message.
  • Usernames get lost when selecting different sorts on Special:listfiles.
  • (bug 28166) UploadBase assumes that 'edit' and 'upload' rights are not per page restrictions.
  • (bug 28242) Make redirects generated by urls containing a local interwiki prefix be a 301 instead of a 302.
  • (bug 28568) Entries in the iwlinks table are now removed on page deletion.
  • (bug 28306) Fix exposure of suppressed usernames in ForeignDBRepo.
  • (bug 28444) Fix regression: edit-on-doubleclick retains revision id again.
  • UtfNormal::cleanUp on an invalid utf-8 sequence no longer returns false if intl installed.
  • (bug 26729) Category pages should return 404 if they do not exist and have no members.
  • (bug 28214) When page not found, sends malformed HTTP/1.x instead of HTTP/1.1 in header of response.
  • (bug 27634) TOC title appears in wrong language.
  • (bug 27761) Fix regression: pages with Esperanto titles containing convertible character sequences became unreachable.
  • (bug 27508) SVGMetadataExtractor takes too much resources on huge svgs.
  • (bug 27465) SVG thumbnail generation.
  • (bug 27467) preload can leave UNIQ.
  • (bug 27539) Allow attributes beginning with a digit in wiktext tag parameters.
  • (bug 27328) using relative paths in CSS imports in MediaWiki:Common.css broken in 1.17.
  • (bug 27333) Fix repetitive last-seen time queries on page history.
  • (bug 26250, bug 23817) Fix wfObjectToArray() to descend into arrays; fixes processing of JSON return values for ForeignAPIRepo when native json module not present.
  • (bug 25675) Fix search suggestions for Special: pages with spaces.
  • (bug 25571) Xml::encodeJsVar now passes floats natively instead of converting to strings.
  • (bug 27338) Gallery in 1.17 breaks for audio/video + ogghandler.
  • (bug 27302) Don't append the current timestamp for user/site modules when no user/site JS/CSS is present.
  • (bug 27016) dumpTextPass.php now consider the "output" parameter.
  • (bug 22606) don't send the "someone registred an account" message when setting email address (i.e. old one empty) in user preferences.
  • (bug 26458) Section edit links appear on pages that user does not have right to edit.
  • (bug 28611) Don't die in SqlBagOStuff::incr() if there's a race condition.
  • (bug 16886) Sister projects box moves down the extract of the first result in IE 7.
  • (bug 17398) Fixed "link" parameter in image links with "thumb" or "frame" parameter.

API changes in 1.17 edit

  • BREAKING CHANGE: action=patrol now requires POST.
  • BREAKING CHANGE: patrol token is no longer the same as edit token.
  • BREAKING CHANGE: Session keys returned by ApiUpload are now strings instead of integers.
  • BREAKING CHANGE: (bug 25303) Fix API parameter integer validation to actually enforce validation on the input values in addition to giving a warning. Also add flag to enforce (die) if integer out of range.
  • (bug 24650) Fix API to work with categorylinks changes.
  • action=parse now correctly returns an error for nonexistent pages.
  • (bug 27201) Special:WhatLinksHere output no longer contains duplicate IDs.
  • (bug 26560) On allusers if limit < total number of users, last user gets duplicated.
  • (bug 27715) imageinfo didn't respect revdelete.
  • (bug 27479) API error when using both prop=pageprops and prop=info&inprop=displaytitle.
  • (bug 27862) Useremail module didn't properly return success on success.
  • (bug 27590) prop=imageinfo now allows querying the media type.
  • (bug 27587) list=filearchive now outputs full title info.
  • (bug 27897) list=allusers and list=users list hidden users.
  • (bug 22738) Allow filtering by action type on query=logevent.
  • (bug 22764) uselang parameter for action=parse.
  • (bug 22944) API: watchlist options are inconsistent.
  • (bug 22868) don't list infinite block expiry date as "now" in API logevents.
  • (bug 22290) prop=revisions now outputs "comment" field even when comment. is empty, for consistency with list=recentchanges.
  • (bug 19721) API action=help should have a way to just list for a specific module.
  • (bug 23458) Add support for pageid parameter to action=parse requests.
  • (bug 23460) Parse action should have a section option.
  • (bug 21346) Make deleted images searchable by hash.
  • (bug 23461) Normalise usage of parameter names in parameter descriptions.
  • (bug 23548) Allow access of another users watchlist through watchlistraw using token and username.
  • (bug 23524) Api Modules as followup to bug 14473 (Add iwlinks table to track inline interwiki link usage).
  • Add pltitles and tltemplates to prop=links and prop=templates respectively, similar to prop=categories's clcategorie.
  • (bug 23834) Invalid "thumbwidth" and "thumbheight" in "imageinfo" query when thumbnailing larger than original image.
  • (bug 23835) Need "thumbmime" result in "imageinfo" query.
  • (bug 23851) Repair diff for file redirect pages.
  • (bug 24009) Include implicit groups in action=query&list=users&usprop=groups.
  • (bug 24016) API: Handle parameters specified in simple string syntax ( 'paramname' => 'defaultval' ) correctly when outputting help.
  • (bug 24089) Logevents causes PHP Notice if leprop=title isn't supplied.
  • (bug 23473) Give description of properties on all modules.
  • (bug 24136) unknownerror when adding new section without summary, but forceditsummary.
  • (bug 22339) Added srwhat=nearmatch to list=search to get a "go" result.
  • (bug 24303) Added new &servedby parameter to all actions which adds the hostname that served the request to the result. It is also added unconditionally on error.
  • (bug 24185) Titles in the Media and Special namespace are now supported for title normalization in action=query. Special pages have their name resolved to the local alias.
  • (bug 24296) Added converttitles parameter to convert titles to their canonical language variant.
  • (bug 23936) Add "displaytitle" to query/info API.
  • (bug 24485) Make iwbacklinks a generator, optionally display iwprefix and iwtitle.
  • (bug 24564) Fix fatal errors when using list=deletedrevs, prop=revisions or one of the backlinks generators with limit=max.
  • (bug 24656) API's parse module needs option to disable PP report.
  • PARAM_REQUIRED parameter flag added. If this flag is set, and the end user does not set the parameter, the API will automatically throw an error.
  • (bug 24665) When starttimestamp is not specified, fake it by setting it to NOW, not to the timestamp of the last edit.
  • (bug 24677) axto= parameters added to allcategories, allimages, alllinks, allmessages, allpages, and allusers.
  • (bug 24236) Add add, remove, add-self, remove-self tags to meta=siteinfo&siprop=usergroups.
  • (bug 24484) Add prop=pageprops module.
  • (bug 24330) Add &redirect parameter to ?action=edit.
  • (bug 24722) For list=allusers&auprop=blockinfo, only show blockedby and blockreason if the user is actually blocked.
  • Add format=dump and format=dumpfm, outputs results in PHP's var_dump() format.
  • For required string parameters, if '' is provided, this is now classed as missing.
  • (bug 24724) list=allusers is out by 1 (shows total users - 1).
  • (bug 24166) API error when using rvprop=tags.
  • Introduced "asynchronous download" mode for upload-by-url. Requires $wgAllowAsyncCopyUploads to be true.
  • sinumberingroup correctly gives size of 'user' group, and omits size of implicit groups rather than showing 0.
  • (bug 25248) API: paraminfo errors with certain modules.
  • (bug 24792) API help for action=purge sometimes wrongly stated whether a POST request was needed due to cache pollution.
  • Added iiprop=parsedcomment to prop=imageinfo, similar to prop=revisions.
  • Added rvparse to parse revisions. For performance reasons if this option is used, rvlimit is enforced to 1.
  • (bug 25748) If a action=parse request provides an oldid that is actually the current revision id, try the parser cache, and save it to it if necessary.
  • (bug 25463) Export header should not be shown if no pages were requested, to reduce confusion.
  • (bug 25648) API discovery information has been added as RSD link in page. <head> and by providing an API module action=rsd. Added hook ApiRsdServiceApis for extensions to add their own service to the services list.
  • The HTML of diff output markers has changed. Hyphens are now minus signs, empty markers are now filled with non-breaking-space characters.
  • (bug 25741) Add more data to list=search's srprop.
  • (bug 25760) counter property still reported by the API when $wgDisableCounters enabled.
  • (bug 25987) prop=info&inprop=watched now also works for missing pages.
  • (bug 26006) prop=langlinks now allows obtaining full URL.
  • (bug 26075) ApiDelete.php now calls correctly ArticleDelete hook.
  • (bug 26089) add block expiration to blockinfo.
  • (bug 26125) prop=imageinfo&iiprop=size now returns the page count if the file is a multi-page file.
  • (bug 10268) Added linktodiffs parameter on action=feedwatchlist.
  • (bug 26219) Show API limits for multi values in description.
  • (bug 28070) Fix watchlist RSS for databases that store timestamps in a real timestamp field.
  • (bug 27722) list=filearchive now supports revdel.

Language support changes in 1.17 edit

MediaWiki supports over 330 languages. Many localizations are updated regularly.

The following languages were added:

  • Moroccan Spoken Arabic (ary)
  • Banjar (bjn)
  • Kabardian (kdb)
  • Kabardian (Cyrillic) (kbd-cyrl)
  • Latgalian (ltg)
  • Minangkabau (min)
  • Dutch (informal) (nl-informal)
  • Rusyn (rue)

Other significant changes to MediaWiki's language support:

  • Fiji Hindi (Devangari script) was removed.
  • Removed deprecated language code "dk" (Danish), use "da" instead.
  • Link trail added for sl and sh.
  • (bug 27633) Add characters to linkTrail for Portuguese (pt and pt-br).
  • (bug 23156) Commafy and search normalization updated for Belarusian (Taraškievica).
  • (bug 23283) Native name for Old English -> Ænglisc.
  • (bug 23364) Native name for Azerbaijani -> Azərbaycanca.
  • (bug 24593) Native name for Sorani now uses only Arabic script.
  • (bug 24628) Generic translations for NS_USER/NS_USER_TALK for Esperanto.
  • (bug 24917) Polish as fallback for Kashubia.
  • (bug 24794) Tatar link trail updated.
  • Esperanto date format corrected.
  • (bug 28159) Change interwiki name of language kbd to Къэбэрдеибзэ / Qabardjajəbza.
  • (bug 28184) Namespaces for the Latgalian Wikipedia.
  • (bug 25010) Bashkir-language interwikis: linktext change from Башҡорт to Башҡортса.
  • (bug 26395) Change name of Cornish language to Kernowek.

Other changes in 1.17 edit

  • DatabaseFunctions.php that was needed for compatibility with pre-1.3 extensions has been removed.
  • XmlFunctions.php has been removed. Use the Xml or Html classes as appropriate.
  • The FailFunction "error handling" method has now been removed
  • Sysops now have the "suppressredirect" right by default
  • Removed $wgRemoteUploads . It was not well supported and superseded by $wgUploadNavigationUrl .
  • (bug 26253) $wgPostCommitUpdateList has been removed
  • The PHPUnit test suite has been removed from this release due to serious issues which should be resolved by the 1.18 release.
  • Oracle DB now uses the __destruct function to commit/close connection as it doesn't commit on close if transaction is triggered in OCI.

Compatibility edit

MediaWiki 1.17 requires PHP 5.2.3 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for IBM DB2 and Microsoft SQL Server.

The supported versions are:

  • MySQL 4.0 or later
  • PostgreSQL 8.3 or later
  • SQLite 3
  • Oracle 9.0.1 or later

Upgrading edit

1.17 has several database changes since 1.16, and will not work without schema updates.

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.16.x and older releases, see HISTORY.

Online documentation edit

Documentation for both end-users and site administrators is available on, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):


Mailing list edit

A mailing list is available for MediaWiki user support and discussion:


A low-traffic announcements-only list is also available:


It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help edit

There's usually someone online in the IRC channel #mediawiki connect.