배포 노트/1.27

This is a maintenance release of the MediaWiki 1.27 branch.

Changes since MediaWiki 1.27.6

• Add missing `use MediaWiki\MediaWikiServices;` to LogEventsList.php.
• Remove broken tests from ApiBlockTest.php.

This is a security and maintenance release of the MediaWiki 1.27 branch.

Changes since MediaWiki 1.27.5

• (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query all titles when asked for none.
• (T109121) Remove deprecated pear/mail_mime-decode from composer suggested libraries.
• (T207241) Augment precision of updatelist time.
• (T207540) Include IP address in "Login for $1 succeeded" log entry.
• (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
• (T207603) SECURITY: User JS may no longer be loaded with MIME type text/javascript if there is no account associated with the username.
• (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME type if non-admins can edit the page.
• (T207541) Pass email address to mail().
• (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
• (T213359) Update mediawiki/mediawiki-codesniffer to 0.8.1.
• (T208871) The hard-coded Google search form on the database error page was removed.
• (T216968) Return pageid as int in both list=iwbacklinks and list=langbacklinks.
• (T218608) Fix an issue that prevents Extension:OAuth working when $wgBlockDisablesLogin is true.
• (T219728) Added support for new Japanese era name "Reiwa".
• (T25227) SECURITY: action=logout now requires to be posted and have a csrf token.
• SpecialPage::checkLoginSecurityLevel() will now preserve POST data when re-authenticating.
• FormSpecialPage::execute() will now call checkLoginSecurityLevel() if getLoginSecurityLevel() returns non-false.
• (T197279) SECURITY: Fix re-auth in Special:ChangeEmail.
• (T208881) SECURITY: blacklist CSS var().
• (T209794) SECURITY: Rate-limit and prevent blocked users from changing email.
• (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
• (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
• (T222036, T222038) SECURITY: Add permission check for user is permitted to view the log type.
• (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.

This is a security and maintenance release of the MediaWiki 1.27 branch.

Changes since 1.27.4

• (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.
• (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.
• Upgraded Moment.js from v2.8.4 to v2.19.3.
• (T160298) Fixed Special:ActiveUsers due to bad backport.
• (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
• Updated list of SPDX licenses for extensions.
• (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
• (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
• Add default edit rate limit of 90 edits/minute for all users.
• (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
• (T196672) The mtime of extension.json files is now able to be zero.
• (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
• (T180403) Validate $length in padleft/padright parser functions.
• (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
• Special:BotPasswords now requires reauthentication.
• (T191608, T187638) Add 'logid' parameter to Special:Log.
• (T193829) Indicate when a Bot Password needs reset.
• (T151415) Log email changes.
• (T118420) Unbreak Oracle installer.

This is a security and maintenance release of the MediaWiki 1.27 branch.

Changes since 1.27.3

• (T100085) Better handling of jobs execution in post-connection shutdown.
• (T141604) Support conditionally registered namespaces.
• (T167798) Fix highlighting for phrase queries and phrase search.
• (T151136) Provide credits information to callbacks.
• (T160462) Allow namespaces defined in extension.json to be overwritten locally.
• (T168856) Allow SVGs created by Dia to be uploaded.
• (T144705) (T148662) Password reset link is no longer shown when no reset options are available.
• (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
• (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies.
• DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core.
• (T175439) Unbreak Postgres Updater when setting defaults for a column.
• (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
• (T142304) Allow putting the app ID in the password for bot passwords.
• Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
• (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
• (T165846) SECURITY: BotPassword login attempts weren't throttled.
• (T128209) SECURITY: Reflected File Download from api.php.
• (T134100) SECURITY: Do not reveal if user exists during login failure.
• (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
• (T125163) SECURITY: Make anchor for headlines escape > and <.
• (T180237) SECURITY: Protect vendor folder with .htaccess.
• (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
• (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
• (T119158) SECURITY: Handle -{}- syntax in attributes safely.

This is a security release of the MediaWiki 1.27 branch. The fix for T158689 was inadvertently left out of the 1.27.2 release packages, so a new release was made to correct the oversight.

1.27.2에서의 변경

없음

ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0 was released.

1.27.1 에서의 변화

• (T68404) CSS3 attr() function with url type argument is no longer allowed in inline styles.
• $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
• (T152717) Better escaping for PHP mail() command
• Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
• Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
• (T158766) Avoid SQL error on MSSQL when using selectRowCount()
• (T145635) Fix too long index error when installing with MSSQL.
• (T156184) $wgRawHtml will no longer apply to internationalization messages.
• (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
• (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
• (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
• (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
• (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
• (T156184) SECURITY: Escape content model/format url parameter in message.
• (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
• (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache.
• (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
• (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it.

1.27.0에서의 변화

• BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
• (T139565) SECURITY: API: Generate head items in the context of the given title
• (T137264) SECURITY: XSS in unclosed internal links
• (T133147) SECURITY: Escape '<' and ']]>' in inline ‎<style> blocks
• (T133147) SECURITY: Require login to preview user CSS pages
• (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
• (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
• (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
• (T115333) SECURITY: Check read permission when loading page content in ApiParse
• (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
• (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()

PHP 버전 요구사항

As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility section). Additionally, the following PHP extensions are required:

• ctype
• iconv
• json
• mbstring (new requirement in 1.27)
• xml

The following PHP extensions are strongly recommended:

• openssl

설정 바뀜 내역

• $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed, now always enabled. If you use RDFa on your wiki, you now have to explicitly set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
• $wgUseLinkNamespaceDBFields was removed.
• Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and $wgResourceLoaderMinifierMaxLineLength , because there was little value in making the behavior configurable. The default values (`false` for the former, 1000 for the latter) are now hard-coded.
• $wgDebugDumpSqlLength was removed (1.24에서 구식화됨).
• $wgDebugDBTransactions was removed (1.20에서 구식화됨).
• $wgUseXVO has been removed, as it provides functionality only used by custom Wikimedia patches against Squid 2.x that probably noone uses in production anymore. There is now $wgUseKeyHeader that provides similar functionality but instead of the MediaWiki-specific X-Vary-Options header, uses the draft Key header standard.
• $wgScriptExtension (and support for '.php5' entry points) was removed. See the deprecation notice in the release notes for version 1.25 for advice on how to preserve support for '.php5' entry points via URL rewriting.
• Password handling via the User object has been deprecated and partially removed, pending the future introduction of AuthManager. In particular:
  • expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and getPasswordExpired() have been removed. They were unused outside of core.
  • The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are now private and will be removed in the future.
  • The getPassword() and getTemporaryPassword() methods now throw BadMethodCallException and will be removed in the future.
  • The ability to pass 'password' and 'newpassword' to createNew() has been removed. The only users of it seem to have been using it to set invalid passwords, and so shouldn't be greatly affected.
  • setPassword(), setInternalPassword(), and setNewpassword() have been deprecated, pending the introduction of AuthManager.
  • User::randomPassword() is deprecated in favor of a new method PasswordFactory::generateRandomPasswordString()
  • User::getPasswordFactory() is deprecated, callers should just create a PasswordFactory themselves.
  • A new constructor, User::newSystemUser(), has been added to simplify the creation of passwordless "system" users for logged actions.
• $wgMaxSquidPurgeTitles was removed.
• $wgAjaxWatch was removed. This is now enabled by default.
• $wgUseInstantCommons now hotlinks Commons images by default instead of downloading originals and thumbnailing them locally. This allows wikis to save on CPU and bandwidth while reducing time to first byte for pages, even without a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
• (bug T27397) WebP is enabled by default as an uploadable filetype.
• (bug T48998) $wgArticlePath must now be either a full url, or start with a "/".
• $wgRateLimitLog was removed; use $wgDebugLogGroups ['ratelimit'] instead.
• Deprecated API formats dbg, txt, and yaml have been removed.
• CLDRPluralRule* classes have been replaced with wikimedia/cldr-plural-rule-parser.
• Removed $wgProfilePerHost , $wgUDPProfilerHost , $wgUDPProfilerPort , $wgUDPProfilerFormatString , $wgStatsMethod , $wgAggregateStatsID , $wgStatsFormatString , and $wgProfileCallTree (1.20에서 구식화됨).
• For proper operation of LocalIdLookup with shared user tables, ensure that $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki that all others are sharing from and that $wgLocalDatabases is set to the full list of sharing wikis on all those wikis.
• Massive overhaul to session handling:
  • $wgSessionsInObjectCache is no longer supported and must be true, due to MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer used.
  • ObjectCacheSessionHandler is removed, replaced with MediaWiki\Session\PhpSessionHandler.
  • PHP session handling in general ($_SESSION, session_id(), and so on) is deprecated. Use MediaWiki\Session\SessionManager instead. A new config variable, $wgPHPSessionHandling , is available to cause use of $_SESSION to issue a deprecation warning or to cause most PHP session handling to throw exceptions.
  • Deprecated UserSetCookies hook. Session-handling extensions should generally be creating a custom subclass of CookieSessionProvider. Other extensions messing with cookies can no longer count on user data being saved in cookies versus other methods.
  • Deprecated UserLoadFromSession hook, extensions should create a MediaWiki\Session\SessionProvider.
  • The User cannot be loaded from session until after Setup.php completes. Attempts to do so will be ignored and the User will remain unloaded.
  • CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses the MediaWiki\Session\Token class.
• MediaWiki will now auto-create users as necessary, removing the need for extensions to do so. An 'autocreateaccount' right is added to allow auto-creation when 'createaccount' is not granted to all users.
• Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
• Most cookie-handling methods in User are deprecated.
• $wgAllowAsyncCopyUploads and $wgCopyUploadAsyncTimeout were removed. This was an experimental feature that has never worked.
• Login and createaccount tokens now vary by timestamp.
• LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() return a MediaWiki\Session\Token, and tokens must be checked using that class's methods.
• $wgEnotifUseJobQ was removed and the job queue is always used.
• The functionality of the ApiSandbox extension has been merged into core. The extension should no longer be used.
• $wgPreloadJavaScriptMwUtil was removed (1.26에서 구식화됨). Extensions, skins, gadgets and scripts that use the mediawiki.util module must express a dependency on it.
• $wgIncludeLegacyJavaScript , deprecated in MediaWiki 1.26, now defaults false. Sites with extensions, skins, or gadgets that use the mediawiki.legacy.wikibits module should set this to true.
• Removed configuration option $wgCopyrightIcon (1.18에서 구식화됨). Use $wgFooterIcons ['copyright']['copyright'] instead.
• If the openssl and mcrypt PHP extensions are both unavailable, secure session storage (used for login) will raise an exception. This exception may be bypassed by setting $wgSessionInsecureSecrets = true.
• Massive overhaul to authentication:
  • AuthPlugin and AuthPluginUser are deprecated.
  • LoginForm and associated templates are deprecated. Extensions which called static LoginForm methods should be converted into authentication providers.
  • The following hooks are deprecated:
    • AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
    • AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
    • AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
    • AddNewAccount (use LocalUserCreated instead)
    • AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
    • ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
    • LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
    • UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
    • UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
  • The following hooks are removed:
    • AbortChangePassword
    • LoginPasswordResetMessage
    • PrefsPasswordAudit
  • The UserLoginComplete hook will no longer be called for all logins, only for those via the web UI. Use UserLoggedIn if you need to do something on all logins.
  • $wgRequirePasswordforEmailChange is removed.
• $wgWellFormedXml has been removed.

새로운 기능

• $wgDataCenterUpdateStickTTL was also added. This decides how long a user sticks to the primary DC (via cookies) after they make changes to the site.
• Added a new hook, 'UserMailerTransformContent', to transform the contents of an email. This is similar to the EmailUser hook but applies to all mail sent via UserMailer.
• Added a new hook, 'UserMailerTransformMessage', to transform the contents of an emai after MIME encoding.
• Added a new hook, 'UserMailerSplitTo', to control which users have to be emailed separately (ie. there is a single address in the To: field) so user-specific changes to the email can be applied safely.
• $wgCdnMaxageLagged was added, which limits the CDN cache TTL when any load balancer uses a DB that is lagged beyond the 'max lag' setting in the relevant section of $wgLBFactoryConf .
• User::newSystemUser() may be used to simplify the creation of passwordless "system" users for logged actions from scripts and extensions.
• Extensions can now return detailed error information via the API when preventing user actions using 'getUserPermissionsErrors' and similar hooks by using ApiMessage instances instead of strings for the $result value.
• $wgAPIMaxLagThreshold was added to limit bot changes when databases lag becomes too high.
• Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex) and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create cross-browser-compatible FlexBox rules. Users will still need to add fallback float rules or the like for compatibility with IE9- separately.
• Added MWTimestamp::getTimezoneString() which returns the localized timezone string, if available. To localize this string, see the comments of $wgLocaltimezone in includes/DefaultSettings.php.
• Added CentralIdLookup, a service that allows extensions needing a concept of "central" users to get that without having to know about specific central authentication extensions.
• $wgMaxUserDBWriteDuration added to limit huge user-generated transactions. Regular web request transactions that takes longer than this are aborted.
• Added a new hook, 'TitleMoveCompleting', which runs before a page move is committed.
• $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs from CDN to mitigate DB replication lag and WAN cache purge lag.
• (bug T49162) Installer will default to setting CACHE_ACCEL as the main cache type if it is available.
• It is now possible to patrol file uploads (both for new files and new versions of existing files). Special:NewFiles has gained an option to filter by patrol status. This functionality can be disabled using $wgUseFilePatrol .
• MediaWiki\Session infrastructure allows for easier use of session mechanisms other than the usual cookies.
  • SessionMetadata and SessionCheckInfo hooks allow for setting and checking custom session metadata.
• Added MWGrants and associated configuration settings $wgGrantPermissions and $wgGrantPermissionGroups to hold configuration for authentication features such as OAuth that want to allow restricting the user rights a user may make use of.
  • If you're already using the OAuth extension, these new variables are identical to (and will replace) $wgMWOAuthGrantPermissions and $wgMWOAuthGrantPermissionGroups .
• Added MWRestrictions as a class to check restrictions on a WebRequest, e.g. to assert that the request comes from a particular IP range.
• Added bot passwords, a rights-restricted login mechanism for API-using bots.
• Whitelisted the following HTML attributes for all elements in wikitext: aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
• Removed "presentation" restriction on the HTML role attribute in wikitext. All values are now allowed for the role attribute.
• $wgContentHandlers now also supports callbacks to create an instance of the appropriate ContentHandler subclass.
• Added $wgAuthenticationTokenVersion , which if non-null prevents the user_token database field from being exposed in cookies. Setting this would be a good idea, but will log out all current sessions.
• $wgEventRelayerConfig was added, for managing PubSub event relay configuration, specifically for reliable CDN url purges.
• Requests have unique IDs, equal to the UNIQUE_ID environment variable (when MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly- generated 24-character string. This request ID is used to annotate log records and error messages. It is available client-side via mw.config.get( 'wgRequestId' ). The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId() is deprecated.
• (bug T33313) Add a preference for watching uploads by default, also applies to API-based upload tools.
• $wgJpegPixelFormat was added to override chroma subsampling for JPEG image thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth savings versus the previous behavior on many files.
• MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible configuration of multiple authentication pieces that was possible with AuthPlugin. For example, it's now easy to plug in second-factor authentication, or add additional checks to the login process, or to support multiple login methods at once, or to support non-password-based login methods.
  • Providers are configured via the global setting $wgAuthManagerConfig .
  • New hook, AuthChangeFormFields, to adjust the form fields on AuthManager-related special pages.
  • New hook, AuthManagerLoginAuthenticateAudit, for additional logging of AuthManager-related authentication requests.
  • New hook, ChangeAuthenticationDataAudit, for additional logging of AuthManager-related authentication data changes.
  • New hook, SecuritySensitiveOperationStatus, to work with the new mechanism for requiring a recent login before taking security-sensitive operations like changing a password.
  • Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist can be used to prevent the web UI and the API changing certain authentication data.
• The file upload dialog (available if you install WikiEditor or VisualEditor) can now be configured using $wgUploadDialog .

외부 라이브러리

업그레이드된 외부 라이브러리

• Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
• Updated composer/semver from v1.0.0 to v1.2.0.
• Updated liuggio/statsd-php-client to 1.0.18.
• Updated QUnit from v1.18.0 to v1.22.0.

새 외부 라이브러리

• Added wikimedia/base-convert v1.0.1.
• Added wikimedia/cldr-plural-rule-parser v1.0.0.
• Added wikimedia/relpath v1.0.3.
• Added wikimedia/running-stat v1.1.0.
• Added wikimedia/php-session-serializer v1.0.3.

제거되고 대치된 외부 라이브러리

고쳐진 버그

• Special:Upload will now display correct maximum allowed file size when running under HHVM (bug T116347).
• (bug T54077) The APIEditBeforeSave hook will once again give only the content of the section being edited, rather than the whole revision. This reverts the change made in MediaWiki 1.22.

API 바뀜

• Added list=allrevisions.
• generator=recentchanges now has the option to generate revids.
• ApiPageSet::setRedirectMergePolicy() was added. This allows generator modules to define how generator data for a redirect source gets merged into the redirect destination.
• prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of "was-deleted" warning.
• Added difftotextpst to query=revisions which preforms a pre-save transform on the text before diffing it.
• Deprecated formats dbg, txt, and yaml have been removed.
• (bug T47988) The protect log event details now use new-style formatting.
• The following response properties from action=login are deprecated, and may be removed in the future: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state.
• action=login transparently allows login using bot passwords. Clients should merely need to change the username and password used after setting up a bot password.
• action=upload no longer understands statuskey, asyncdownload or leavemessage.
• action=login is deprecated for uses other than bot passwords.
• list=users can now indicate if a missing username is creatable.
• action=createaccount is changed in a non-backwards-compatible manner.
• Added action=query&meta=authmanagerinfo.
• Added action=clientlogin to be used to log into the main account instead of action=login.
• Added action=linkaccount.
• Added action=unlinkaccount.
• Added action=changeauthenticationdata.
• Added action=removeauthenticationdata.
• Added action=resetpassword.

API 내부의 바뀜

• ApiQueryORM removed.
• The following classes have been removed:
  • ApiFormatDbg
  • ApiFormatTxt
  • ApiFormatYaml
• ApiBase::addTokenProperties() was removed (1.24에서 구식화됨).
• ApiBase::getFinalPossibleErrors() was removed (1.24에서 구식화됨).
• ApiBase::getFinalResultProperties() was removed (1.24에서 구식화됨).
• ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (1.24에서 구식화됨).
• ApiBase::getPossibleErrors() was removed (1.24에서 구식화됨).
• ApiBase::getRequireMaxOneParameterErrorMessages() was removed (1.24에서 구식화됨).
• ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (1.24에서 구식화됨).
• ApiBase::getResultProperties() was removed (1.24에서 구식화됨).
• ApiBase::getTitleOrPageIdErrorMessage() was removed (1.24에서 구식화됨).
• ApiBase::parseErrors() was removed (1.24에서 구식화됨).
• ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and ApiQueryBase::keyPartToTitle() all removed (1.24에서 구식화됨).
• ApiQueryBase::checkRowCount() was removed (1.24에서 구식화됨).
• ApiQueryBase::getDirectionDescription() was removed (1.25에서 구식화됨).
• ApiQuery::getGenerators() was removed (1.21에서 구식화됨).
• ApiQuery::getModules() was removed (1.21에서 구식화됨).
• ApiQuery::getModuleType() was removed (1.21에서 구식화됨).
• ApiQuery::setGeneratorContinue() was removed (1.24에서 구식화됨).
• ApiMain::getModules() was removed (1.21에서 구식화됨).
• ApiBase::getVersion() was removed (1.21에서 구식화됨).
• ApiMain::getShowVersions() was removed (1.21에서 구식화됨).
• ApiMain::addModule() was removed (1.21에서 구식화됨).
• ApiMain::addFormat() was removed (1.21에서 구식화됨).
• ApiMain::getFormats() was removed (1.21에서 구식화됨).
• ApiPageSet::finishPageSetGeneration() was removed (1.21에서 구식화됨).
• ApiCreateAccount is deprecated, and will be removed soon.

갱신된 언어

미디어위키는 350가지가 넘는 언어를 지원하고 있습니다. 그중 많은 언어가 정기적으로 갱신됩니다. 아래에는 새로운 언어와 삭제된 언어가 나타나며 버그질라 리포트를 통한 언어 바뀜도 아래에 나타납니다.

• (bug T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
• (bug T116020) Aliases of magic words in MessagesXx.php are sorted by usage.

기타 바뀜

• Added dependency injection (DI) infrastructure, see docs/injection.txt for details. It is planned to incrementally move MediaWiki code towards using DI, using the service locator (SL) pattern as a stepping stone.
• ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
• WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now ignore the 2nd and 3rd arguments (formerly $id and $commit).
• Removed "loaderScripts" option from ResourceLoaderFileModule class.
• Removed ORM-like wrapper added in 1.20.
• LinkCache::getGoodLinks and LinkCache::getBadLinks were removed (1.26에서 구식화됨)).
• WikiPage::doQuickEdit() was removed (1.21에서 구식화됨).
• Removed SiteObject and SiteArray classes (1.21에서 구식화됨).
• MessageBlobStore::getInstance() was removed (1.25에서 구식화됨).
• (bug T84937) Free external links ("autolinked" urls) will now be terminated by   and HTML entity encodings of &nbsp, <, and >.
• (bug T36948) The default file revert message's timestamp is now in $wgLocaltimezone , instead of UTC.
• The default name of the 'suppress' group page has been changed from 'Project:Oversight' to 'Project:Suppress'.
• DatabaseBase::resultObject() is now protected (use outside Database classes not necessary since 1.11).
• Calling ResourceLoaderFileModule::readStyleFiles() without a ResourceLoaderContext instance is deprecated.
• ResourceLoader::getLessCompiler() now takes an optional parameter of additional LESS variables to set for the compiler.
• wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly instead.
• Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php were removed. The underlying data is sent to StatsD (see $wgStatsdServer ).
• Removed msg_resource_links database table and associated code.
• Removed msg_resource database table and associated code.
• Skin::getNamespaceNotice() was removed.
• wfIsConfiguredProxy() was removed (1.24에서 구식화됨).
• wfDebugTimer() was removed (1.25에서 구식화됨).
• wfIsTrustedProxy() was removed (1.24에서 구식화됨).
• wfGetIP() was removed (1.19에서 구식화됨).
• MWHookException was removed.
• OutputPage::appendSubtitle() was removed (1.19에서 구식화됨).
• OutputPage::loginToUse() was removed (1.19에서 구식화됨).
• Article::loadContent() was removed (1.19에서 구식화됨).
• User::editToken() was removed (1.19에서 구식화됨).
• Removed --force-normal option of dumpBackup.php, as it no longer served any useful purpose since 1.22.
• The functions processOption() and processArgs() on the BackupDumper and TextPassDumper classes have been removed.
• The maintenance/backupTextPass.inc file was deleted. You should include maintenance/dumpTextPass.php instead.
• WikiPage::getUsedTemplates() was removed (1.19에서 구식화됨).
• wfEmptyMsg() was removed (1.18에서 구식화됨).
• OutputPage::permissionRequired() was removed (1.18에서 구식화됨).
• OutputPage::blockedPage() was removed (1.18에서 구식화됨).
• User::getSkin() was removed (1.18에서 구식화됨).
• OutputPage::includeJQuery() was removed (1.17에서 구식화됨).
• WikiPage::updateRestrictions() was removed (1.19에서 구식화됨).
• WikiPage::testPreSaveTransform() was removed (1.19에서 구식화됨).
• LogPage::logName() was removed (1.19에서 구식화됨).
• LogPage::logHeader() was removed (1.19에서 구식화됨).
• wfCheckLimits() was removed (1.24에서 구식화됨).
• Linker::makeKnownLinkObj() was removed (1.16에서 구식화됨).
• Linker::makeLinkObj() was removed (1.16에서 구식화됨).
• wfMsgForContentNoTrans() was removed (1.18에서 구식화됨).
• ChangesList::usePatrol was removed (1.22에서 구식화됨).
• wfMsgNoTrans() was removed (1.18에서 구식화됨).
• Linker::makeImageLink2 was removed (1.20에서 구식화됨).
• Title::userIsWatching() was removed (1.20에서 구식화됨).
• Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT() database function directly instead.
• wfMsg() was removed (1.18에서 구식화됨).
• wfMsgForContent() was removed (1.18에서 구식화됨).
• wfMsgReal() was removed (1.18에서 구식화됨).
• wfMsgGetKey() was removed (1.18에서 구식화됨).
• wfMsgHtml() was removed (1.18에서 구식화됨).
• wfMsgWikiHtml() was removed (1.18에서 구식화됨).
• wfMsgExt() was removed (1.18에서 구식화됨).
• Language::armourMath() was removed (1.22에서 구식화됨).
• LanguageConverter::armourMath() was removed (1.22에서 구식화됨).
• FakeConverter::armourMath() was removed (1.22에서 구식화됨).
• The unused jquery.validate ResourceLoader module was removed.
• FileRepo::getRootUrl() was removed (1.20에서 구식화됨).
• User::generateToken() was removed (1.20에서 구식화됨).
• WikiPage::getRawText() was removed (1.21에서 구식화됨).
• ParserOutput::hasCustomDataUpdates() was removed (1.25에서 구식화됨).
• ParserOutput::addSecondaryDataUpdate() was removed (1.25에서 구식화됨).
• ParserOutput::getSecondaryDataUpdates() was removed (1.25에서 구식화됨).
• Gallery images with multiple caption pipes no longer concatenate them all together but instead pick the final one, similar to image syntax.
• XML-like parser tags (such as ‎<gallery>), when unclosed, will be left unparsed rather than consume everything until the end of the page.
• New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case a user forgot password/account was stolen.
• wfCheckEntropy() was removed (1.27에서 구식화됨).
• Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
• ContentHandler::supportsCategories method added. Default is true. CategoryMembershipChangeJob updates are skipped for content that does not support categories.
• wikidiff difference engine is no longer supported, anyone still using it are encouraged to upgrade to wikidiff2 which is actively maintained and has better package availability.
• Database logic was removed from WatchedItem and a WatchedItemStore was created:
  • WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated. User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
  • WatchedItem::fromUserTitle was deprecated in favour of the constructor.
  • WatchedItem::resetNotificationTimestamp was deprecated.
  • WatchedItem::batchAddWatch was deprecated.
  • WatchedItem::addWatch was deprecated.
  • WatchedItem::removeWatch was deprecated.
  • WatchedItem::isWatched was deprecated.
  • WatchedItem::duplicateEntries was deprecated.
  • EmailNotification::updateWatchlistTimestamp was deprecated.
  • User::getWatchedItem was removed.
• Unit tests don't work with external PHPUnit anymore, Composer is now the only supported way. Run `composer install` to install it and other dev dependencies to run unit tests.
• wl_id field added to the watchlist table.
• Revision::getRawText() was removed (1.21에서 구식화됨).
• WikiPage::replaceSection() was removed (1.21에서 구식화됨).
• Article::replaceSection() was removed (1.21에서 구식화됨).
• Language::getLangObj() was removed (1.24에서 구식화됨).
• Language::getLanguageName() was removed (1.20에서 구식화됨).
• Language::getLanguageNames() was removed (1.20에서 구식화됨).
• Language::getTranslatedLanguageNames() was removed (1.20에서 구식화됨).
• Language::specialPage() was removed (1.24에서 구식화됨).
• MediaWikiTestCase::assertException() was removed (1.22에서 구식화됨).
• OutputPage::getHeadItems() was removed (1.24에서 구식화됨).
• OutputPage::getScript() was removed (1.24에서 구식화됨).
• OutputPage::out() was removed (1.22에서 구식화됨).
• OutputPage::setAllowedModules() was removed (1.24에서 구식화됨).
• UserrightsPage::makeGroupNameListForLog() was removed (1.21에서 구식화됨).
• MediaWikiSite::newFromGlobalId() was removed (1.21에서 구식화됨).
• Title::newFromRedirect() was removed (1.21에서 구식화됨).
• Skin::commonPrintStylesheet() was removed (1.22에서 구식화됨).
• Skin::getCommonStylePath() was removed (1.24에서 구식화됨).
• Skin::newFromKey() was removed (1.24에서 구식화됨).
• Skin::getUsableSkins() was removed (1.23에서 구식화됨).
• LoadBalancer::pickRandom() was removed (1.21에서 구식화됨).
• Article::getUndoText() and WikiPage::getUndoText were removed (1.21에서 구식화됨).
• DifferenceEngine::setText() was removed (1.21에서 구식화됨).
• Title::newFromRedirectArray() was removed (1.21에서 구식화됨).
• UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType as the 6th. These must be passed in the options array now.
• Title::newFromRedirectRecurse() was removed (1.21에서 구식화됨).
• Skin::accesskey was removed (1.21에서 구식화됨).
• Skin::blockLink was removed (1.21에서 구식화됨).
• Skin::buildRollbackLink was removed (1.21에서 구식화됨).
• Skin::emailLink was removed (1.21에서 구식화됨).
• Skin::formatComment was removed (1.21에서 구식화됨).
• Skin::formatHiddenCategories was removed (1.21에서 구식화됨).
• Skin::formatLinksInComment was removed (1.21에서 구식화됨).
• Skin::formatRevisionSize was removed (1.21에서 구식화됨).
• Skin::formatSize was removed (1.21에서 구식화됨).
• Skin::formatTemplates was removed (1.21에서 구식화됨).
• Skin::generateTOC was removed (1.21에서 구식화됨).
• Skin::getInternalLinkAttributes was removed (1.21에서 구식화됨).
• Skin::getInternalLinkAttributesObj was removed (1.21에서 구식화됨).
• Skin::getInterwikiLinkAttributes was removed (1.21에서 구식화됨).
• Skin::getInvalidTitleDescription was removed (1.21에서 구식화됨).
• Skin::getLinkColour was removed (1.21에서 구식화됨).
• Skin::getRevDeleteLink was removed (1.21에서 구식화됨).
• Skin::getRollbackEditCount was removed (1.21에서 구식화됨).
• Skin::makeBrokenImageLinkObj was removed (1.21에서 구식화됨).
• Skin::makeCommentLink was removed (1.21에서 구식화됨).
• Skin::makeExternalImage was removed (1.21에서 구식화됨).
• Skin::makeExternalLink was removed (1.21에서 구식화됨).
• Skin::makeHeadline was removed (1.21에서 구식화됨).
• Skin::makeImageLink was removed (1.21에서 구식화됨).
• Skin::makeMediaLinkFile was removed (1.21에서 구식화됨).
• Skin::makeMediaLinkObj was removed (1.21에서 구식화됨).
• Skin::makeSelfLinkObj was removed (1.21에서 구식화됨).
• Skin::makeThumbLink2 was removed (1.21에서 구식화됨).
• Skin::makeThumbLinkObj was removed (1.21에서 구식화됨).
• Skin::normaliseSpecialPage was removed (1.21에서 구식화됨).
• Skin::normalizeSubpageLink was removed (1.21에서 구식화됨).
• Skin::processResponsiveImages was removed (1.21에서 구식화됨).
• Skin::revComment was removed (1.21에서 구식화됨).
• Skin::revDeleteLink was removed (1.21에서 구식화됨).
• Skin::revDeleteLinkDisabled was removed (1.21에서 구식화됨).
• Skin::revUserLink was removed (1.21에서 구식화됨).
• Skin::revUserTools was removed (1.21에서 구식화됨).
• Skin::specialLink was removed (1.21에서 구식화됨).
• Skin::splitTrail was removed (1.21에서 구식화됨).
• Skin::titleAttrib was removed (1.21에서 구식화됨).
• Skin::tocIndent was removed (1.21에서 구식화됨).
• Skin::tocLine was removed (1.21에서 구식화됨).
• Skin::tocLineEnd was removed (1.21에서 구식화됨).
• Skin::tocList was removed (1.21에서 구식화됨).
• Skin::tocUnindent was removed (1.21에서 구식화됨).
• Skin::tooltip was removed (1.21에서 구식화됨).
• Skin::tooltipAndAccesskeyAttribs was removed (1.21에서 구식화됨).
• Skin::userTalkLink was removed (1.21에서 구식화됨).
• Skin::userToolLinksRedContribs was removed (1.21에서 구식화됨).
• wikidiff3 is now the default and only PHP diff engine. It provides improved diff performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore makes no difference now. Users are still recommended to use wikidiff2 if possible, though.
• User::addNewUserLogEntry() was deprecated.
• User::addNewUserLogEntryAutoCreate() was deprecated.
• User::isPasswordReminderThrottled() was deprecated.
• Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck) were removed.
• Installer can now be customized without patching MediaWiki code, see mw-config/overrides/README for details.

미디어위키 1.27은 PHP 5.5.9 이상을 필요로 합니다. HHVM 3.6.5 이상 버전 또한 실험적으로 지원하고 있습니다.

데이터베이스 MS로 MySQL이 추천됩니다. PostgreSQL이나 SQLite도 쓰일 수 있지만, 이들 지원은 덜 성숙되어 있습니다. Oracle이나 Microsoft SQL Server 또한 실험적으로 지원하고 있습니다.

지원되는 버전들은 다음과 같습니다:

• MySQL 5.0.3+
• PostgreSQL 8.3+
• SQLite 3.3.7+
• Oracle 9.0.1+
• Microsoft SQL Server 2005 (9.00.1399)

1.27 has several database changes since 1.26, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.26.x and older releases, see HISTORY.

사이트 관리자를 위한 정보는 MediaWiki.org에서 열람 가능하며 GNU 자유 문서 사용 허가서에 따라 사용할 수 있습니다.

https://www.mediawiki.org/wiki/Documentation

미디어위키 사용자 지원 및 토론을 위한 메일링 리스트가 있습니다.

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

미디어위키를 사용하기 위해서 이들 메일링 리스트가 많은 도움이 될 수 있습니다.