[MediaWiki-l] Announcing MediaWiki 1.35.0

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

[MediaWiki-l] Announcing MediaWiki 1.35.0

Sam Reed
I am happy to announce the belated availability of the general release of MediaWiki 1.35!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks to those who tested out the release candidates and provided feedback, as well as the developers who worked hard to get several important fixes merged in time for the 1.35 final release. To see what's changed in 1.35, see the release notes below.

Please note that the PHP version requirement has been raised from 7.2.9 in MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.

MediaWiki 1.35 is an LTS and is due to be supported until the end of September 2023.

As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due to become end of life in November 2020.

As per the pre-release announcement, 1.35.0 also includes some security fixes that weren't in the release candidates, which came out yesterday for the ther supported MediaWiki branches.

Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer need a separate Node.js service. The documentation for this still may still require some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work using SQLite as the database backend for MediaWiki. This is due to the lack of write concurrency in SQLite. If you wish to use this feature, it is recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still experimental. It should become stable in a later point release. Please report any issues/bugs [3].

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/

Bug report form:
[2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release

[3] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release+expiring-watchlist-items

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz

Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] [Wikitech-l] Announcing MediaWiki 1.35.0

Krabina Bernhard
This is great, thank you!

As an LTS user, does anybody know about an overview what has changed since 1.31 LTS?

Would be a great help to have some information about differences/new features/breakting changes between LTS versions and maybe also specific upgrade instructions.

regards,
Bernhard

----- Am 25. Sep 2020 um 18:19 schrieb Sam Reed <[hidden email]>:
I am happy to announce the belated availability of the general release of MediaWiki 1.35!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks to those who tested out the release candidates and provided feedback, as well as the developers who worked hard to get several important fixes merged in time for the 1.35 final release. To see what's changed in 1.35, see the release notes below.

Please note that the PHP version requirement has been raised from 7.2.9 in MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.

MediaWiki 1.35 is an LTS and is due to be supported until the end of September 2023.

As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due to become end of life in November 2020.

As per the pre-release announcement, 1.35.0 also includes some security fixes that weren't in the release candidates, which came out yesterday for the ther supported MediaWiki branches.

Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer need a separate Node.js service. The documentation for this still may still require some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work using SQLite as the database backend for MediaWiki. This is due to the lack of write concurrency in SQLite. If you wish to use this feature, it is recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still experimental. It should become stable in a later point release. Please report any issues/bugs [3].

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/

Bug report form:
[2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release

[3] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release+expiring-watchlist-items

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz

Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] [Wikitech-l] Announcing MediaWiki 1.35.0

Bryan Davis
On Wed, Sep 30, 2020 at 2:51 AM Krabina Bernhard <[hidden email]> wrote:
>
> This is great, thank you!
>
> As an LTS user, does anybody know about an overview what has changed since 1.31 LTS?
>
> Would be a great help to have some information about differences/new features/breakting changes between LTS versions and maybe also specific upgrade instructions.

From https://www.mediawiki.org/wiki/Release_notes you can find these links:

* https://www.mediawiki.org/wiki/Release_notes/1.32
* https://www.mediawiki.org/wiki/Release_notes/1.33
* https://www.mediawiki.org/wiki/Release_notes/1.34
* https://www.mediawiki.org/wiki/Release_notes/1.35

Bryan
--
Bryan Davis              Technical Engagement      Wikimedia Foundation
Principal Software Engineer                               Boise, ID USA
[[m:User:BDavis_(WMF)]]                                      irc: bd808

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

[MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Rehman Abubakr
In reply to this post by Sam Reed
Hello,

Apologies in advance if this has been discussed. I have just subscribed to this list.

A number of users have complained about VisualEditor not working out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]

Is this a known issue (i.e. actually a bug)? And has a solution been shared yet?

Sorry if this is the wrong place. It just seems (to me) like it is not accepted as an actual bug yet, despite a number of feedbacks. Feel free to reply to the onsite pages.



Yours truly,

Rehman



From: MediaWiki-announce <[hidden email]> on behalf of Sam Reed <[hidden email]>
Sent: 25 September 2020 21:49
To: MediaWiki announcements and site admin list <[hidden email]>; [hidden email] <[hidden email]>; [hidden email] <[hidden email]>
Subject: [MediaWiki-announce] Announcing MediaWiki 1.35.0
 
I am happy to announce the belated availability of the general release of
MediaWiki 1.35!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks to
those who tested out the release candidates and provided feedback, as well
as the developers who worked hard to get several important fixes merged in
time for the 1.35 final release. To see what's changed in 1.35, see the
release notes below.

Please note that the PHP version requirement has been raised from 7.2.9 in
MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.

MediaWiki 1.35 is an LTS and is due to be supported until the end of
September 2023.

As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due
to become end of life in November 2020.

As per the pre-release announcement, 1.35.0 also includes some security
fixes that weren't in the release candidates, which came out yesterday for
the ther supported MediaWiki branches.

Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer
need a separate Node.js service. The documentation for this still may still
require some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work
using SQLite as the database backend for MediaWiki. This is due to the lack
of write concurrency in SQLite. If you wish to use this feature, it is
recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still
experimental. It should become stable in a later point release. Please
report any issues/bugs [3].

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
`hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in
ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when
action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when
clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to
ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than
cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/

Bug report form:
[2]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release

[3]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release+expiring-watchlist-items

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz

Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Bartosz Dziewoński
On 2020-10-14 13:56, Rehman Abubakr wrote:

>
> A number of users have complained about VisualEditor not working
> out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]
>
> Is this a known issue (i.e. actually a bug)? And has a solution been
> shared yet?
>
> Sorry if this is the wrong place. It just seems (to me) like it is not
> accepted as an actual bug yet, despite a number of feedbacks. Feel free
> to reply to the onsite pages.

My impression has been that if you have the simplest possible setup,
then everything does work out-of-the-box.

But if you have configured any of many reasonable things (e.g. you have
some hardened security settings, or you're running multiple wikis, or
you have a caching proxy in front of your site), then you might also
need to configure VisualEditor with that in mind.

Unfortunately our documentation for configuring VisualEditor is lacking.
You could probably consider that a bug, even if most of the issues being
reported don't actually require any code changes on our side to fix.

--
Bartosz Dziewoński

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Rehman Abubakr
Thanks for the reply.

I had purchased the domain/hosting purely to test MW before I do a demo for a company to install a private instance.

Hence, the setup is as basic as it could be. Nothing has been modified beyond the defaults.


Yours truly,

Rehman



From: MediaWiki-l <[hidden email]> on behalf of Bartosz Dziewoński <[hidden email]>
Sent: 14 October 2020 18:14
To: [hidden email] <[hidden email]>
Subject: Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 
On 2020-10-14 13:56, Rehman Abubakr wrote:
>
> A number of users have complained about VisualEditor not working
> out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]
>
> Is this a known issue (i.e. actually a bug)? And has a solution been
> shared yet?
>
> Sorry if this is the wrong place. It just seems (to me) like it is not
> accepted as an actual bug yet, despite a number of feedbacks. Feel free
> to reply to the onsite pages.

My impression has been that if you have the simplest possible setup,
then everything does work out-of-the-box.

But if you have configured any of many reasonable things (e.g. you have
some hardened security settings, or you're running multiple wikis, or
you have a caching proxy in front of your site), then you might also
need to configure VisualEditor with that in mind.

Unfortunately our documentation for configuring VisualEditor is lacking.
You could probably consider that a bug, even if most of the issues being
reported don't actually require any code changes on our side to fix.

--
Bartosz Dziewoński

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Subramanya Sastry

For private instances, it won't work out of the box. You need to manually configure your LocalSettings.php. 

See https://www.mediawiki.org/wiki/Extension:VisualEditor#Linking_with_Parsoid_in_private_wikis


-Subbu.


On 10/14/20 7:54 AM, Rehman Abubakr wrote:
Thanks for the reply.

I had purchased the domain/hosting purely to test MW before I do a demo for a company to install a private instance.

Hence, the setup is as basic as it could be. Nothing has been modified beyond the defaults.


Yours truly,

Rehman



From: MediaWiki-l [hidden email] on behalf of Bartosz Dziewoński [hidden email]
Sent: 14 October 2020 18:14
To: [hidden email] [hidden email]
Subject: Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 
On 2020-10-14 13:56, Rehman Abubakr wrote:
>
> A number of users have complained about VisualEditor not working
> out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]
>
> Is this a known issue (i.e. actually a bug)? And has a solution been
> shared yet?
>
> Sorry if this is the wrong place. It just seems (to me) like it is not
> accepted as an actual bug yet, despite a number of feedbacks. Feel free
> to reply to the onsite pages.

My impression has been that if you have the simplest possible setup,
then everything does work out-of-the-box.

But if you have configured any of many reasonable things (e.g. you have
some hardened security settings, or you're running multiple wikis, or
you have a caching proxy in front of your site), then you might also
need to configure VisualEditor with that in mind.

Unfortunately our documentation for configuring VisualEditor is lacking.
You could probably consider that a bug, even if most of the issues being
reported don't actually require any code changes on our side to fix.

--
Bartosz Dziewoński

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Rehman Abubakr
Hi Subbu,

Thank you for replying.

I'm afraid the result is the same. I've first tried adding the blue bit, outcome was same. Then tried red bit, same. And then both, same.

$wgVirtualRestConfig['modules']['parsoid']['forwardCookies'] = true;


$PARSOID_INSTALL_DIR = 'vendor/wikimedia/parsoid'; # bundled copy
#$PARSOID_INSTALL_DIR = '/my/path/to/git/checkout/of/Parsoid';

// For developers: ensure Parsoid is executed from $PARSOID_INSTALL_DIR,
// (not the version included in mediawiki-core by default)
// Must occur *before* wfLoadExtension()
if ( $PARSOID_INSTALL_DIR !== 'vendor/wikimedia/parsoid' ) {
    AutoLoader::$psr4Namespaces += [
        // Keep this in sync with the "autoload" clause in
        // $PARSOID_INSTALL_DIR/composer.json
        'Wikimedia\\Parsoid\\' => "$PARSOID_INSTALL_DIR/src",
    ];
}

wfLoadExtension( 'Parsoid', "$PARSOID_INSTALL_DIR/extension.json" );

# Manually configure Parsoid
$wgVisualEditorParsoidAutoConfig = false;
$wgParsoidSettings = [
    'useSelser' => true,
    'rtTestMode' => false,
    'linting' => false,
];
$wgVirtualRestConfig['modules']['parsoid'] = [];

The blue code is from your link. And the red code is from the footnote link within your link.

For a basic freshly-installed private wiki, in order to use the bundled VisualEditor feature, what code do you suggest please?


Yours truly,

Rehman



From: Subramanya Sastry <[hidden email]>
Sent: 15 October 2020 18:36
To: MediaWiki announcements and site admin list <[hidden email]>; Rehman Abubakr <[hidden email]>
Subject: Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 

For private instances, it won't work out of the box. You need to manually configure your LocalSettings.php. 

See https://www.mediawiki.org/wiki/Extension:VisualEditor#Linking_with_Parsoid_in_private_wikis


-Subbu.


On 10/14/20 7:54 AM, Rehman Abubakr wrote:
Thanks for the reply.

I had purchased the domain/hosting purely to test MW before I do a demo for a company to install a private instance.

Hence, the setup is as basic as it could be. Nothing has been modified beyond the defaults.


Yours truly,

Rehman



From: MediaWiki-l [hidden email] on behalf of Bartosz Dziewoński [hidden email]
Sent: 14 October 2020 18:14
To: [hidden email] [hidden email]
Subject: Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 
On 2020-10-14 13:56, Rehman Abubakr wrote:
>
> A number of users have complained about VisualEditor not working
> out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]
>
> Is this a known issue (i.e. actually a bug)? And has a solution been
> shared yet?
>
> Sorry if this is the wrong place. It just seems (to me) like it is not
> accepted as an actual bug yet, despite a number of feedbacks. Feel free
> to reply to the onsite pages.

My impression has been that if you have the simplest possible setup,
then everything does work out-of-the-box.

But if you have configured any of many reasonable things (e.g. you have
some hardened security settings, or you're running multiple wikis, or
you have a caching proxy in front of your site), then you might also
need to configure VisualEditor with that in mind.

Unfortunately our documentation for configuring VisualEditor is lacking.
You could probably consider that a bug, even if most of the issues being
reported don't actually require any code changes on our side to fix.

--
Bartosz Dziewoński

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Subramanya Sastry

It is also hard to say what is going on with your install without more information or error messages.


Looking at https://www.mediawiki.org/wiki/Topic:Vv9zl5e9gre77rgq, it looks like you are also on NameCheap and you might benefit from whatever that other user has tried to get NameCheap to update some security rules. So, let us start there on that Flow thread.


As Bartosz said earlier, our docs don't cover all these various scenarios that users encounter and so most of the problems are related to our missing documentation for these use cases. We are limited in our ability to capture them all and support them all and do rely on users helping each other out.


Anyway, let us move this conversation on the wiki talk page so we can actually look at error messages.


Subbu.


On 10/15/20 8:37 AM, Rehman Abubakr wrote:
Hi Subbu,

Thank you for replying.

I'm afraid the result is the same. I've first tried adding the blue bit, outcome was same. Then tried red bit, same. And then both, same.

$wgVirtualRestConfig['modules']['parsoid']['forwardCookies'] = true;


$PARSOID_INSTALL_DIR = 'vendor/wikimedia/parsoid'; # bundled copy
#$PARSOID_INSTALL_DIR = '/my/path/to/git/checkout/of/Parsoid';

// For developers: ensure Parsoid is executed from $PARSOID_INSTALL_DIR,
// (not the version included in mediawiki-core by default)
// Must occur *before* wfLoadExtension()
if ( $PARSOID_INSTALL_DIR !== 'vendor/wikimedia/parsoid' ) {
    AutoLoader::$psr4Namespaces += [
        // Keep this in sync with the "autoload" clause in
        // $PARSOID_INSTALL_DIR/composer.json
        'Wikimedia\\Parsoid\\' => "$PARSOID_INSTALL_DIR/src",
    ];
}

wfLoadExtension( 'Parsoid', "$PARSOID_INSTALL_DIR/extension.json" );

# Manually configure Parsoid
$wgVisualEditorParsoidAutoConfig = false;
$wgParsoidSettings = [
    'useSelser' => true,
    'rtTestMode' => false,
    'linting' => false,
];
$wgVirtualRestConfig['modules']['parsoid'] = [];

The blue code is from your link. And the red code is from the footnote link within your link.

For a basic freshly-installed private wiki, in order to use the bundled VisualEditor feature, what code do you suggest please?


Yours truly,

Rehman



From: Subramanya Sastry [hidden email]
Sent: 15 October 2020 18:36
To: MediaWiki announcements and site admin list [hidden email]; Rehman Abubakr [hidden email]
Subject: Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 

For private instances, it won't work out of the box. You need to manually configure your LocalSettings.php. 

See https://www.mediawiki.org/wiki/Extension:VisualEditor#Linking_with_Parsoid_in_private_wikis


-Subbu.


On 10/14/20 7:54 AM, Rehman Abubakr wrote:
Thanks for the reply.

I had purchased the domain/hosting purely to test MW before I do a demo for a company to install a private instance.

Hence, the setup is as basic as it could be. Nothing has been modified beyond the defaults.


Yours truly,

Rehman



From: MediaWiki-l [hidden email] on behalf of Bartosz Dziewoński [hidden email]
Sent: 14 October 2020 18:14
To: [hidden email] [hidden email]
Subject: Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 
On 2020-10-14 13:56, Rehman Abubakr wrote:
>
> A number of users have complained about VisualEditor not working
> out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]
>
> Is this a known issue (i.e. actually a bug)? And has a solution been
> shared yet?
>
> Sorry if this is the wrong place. It just seems (to me) like it is not
> accepted as an actual bug yet, despite a number of feedbacks. Feel free
> to reply to the onsite pages.

My impression has been that if you have the simplest possible setup,
then everything does work out-of-the-box.

But if you have configured any of many reasonable things (e.g. you have
some hardened security settings, or you're running multiple wikis, or
you have a caching proxy in front of your site), then you might also
need to configure VisualEditor with that in mind.

Unfortunately our documentation for configuring VisualEditor is lacking.
You could probably consider that a bug, even if most of the issues being
reported don't actually require any code changes on our side to fix.

--
Bartosz Dziewoński

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35

Rehman Abubakr
In reply to this post by Rehman Abubakr
Dear all,

Thank you for the replies, and all the off-list responses.

The issue is resolved. For me, the cause of the issue is explained at https://www.mediawiki.org/wiki/Topic:Vv9zl5e9gre77rgq

I suspect the other users who faced the same error in similar conditions, may also apply this solution to resolve the issue.

Hope this helps.


Yours truly,

Rehman



From: MediaWiki-l <[hidden email]> on behalf of Rehman Abubakr <[hidden email]>
Sent: 14 October 2020 17:26
To: MediaWiki announcements and site admin list <[hidden email]>
Subject: [MediaWiki-l] Issue with VisualEditor on MediaWiki 1.35
 
Hello,

Apologies in advance if this has been discussed. I have just subscribed to this list.

A number of users have complained about VisualEditor not working out-of-the-box for MW 1.35.0 (even on fresh install). [1][2][3]

Is this a known issue (i.e. actually a bug)? And has a solution been shared yet?

Sorry if this is the wrong place. It just seems (to me) like it is not accepted as an actual bug yet, despite a number of feedbacks. Feel free to reply to the onsite pages.



Yours truly,

Rehman



From: MediaWiki-announce <[hidden email]> on behalf of Sam Reed <[hidden email]>
Sent: 25 September 2020 21:49
To: MediaWiki announcements and site admin list <[hidden email]>; [hidden email] <[hidden email]>; [hidden email] <[hidden email]>
Subject: [MediaWiki-announce] Announcing MediaWiki 1.35.0
 
I am happy to announce the belated availability of the general release of
MediaWiki 1.35!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks to
those who tested out the release candidates and provided feedback, as well
as the developers who worked hard to get several important fixes merged in
time for the 1.35 final release. To see what's changed in 1.35, see the
release notes below.

Please note that the PHP version requirement has been raised from 7.2.9 in
MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.

MediaWiki 1.35 is an LTS and is due to be supported until the end of
September 2023.

As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due
to become end of life in November 2020.

As per the pre-release announcement, 1.35.0 also includes some security
fixes that weren't in the release candidates, which came out yesterday for
the ther supported MediaWiki branches.

Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer
need a separate Node.js service. The documentation for this still may still
require some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work
using SQLite as the database backend for MediaWiki. This is due to the lack
of write concurrency in SQLite. If you wish to use this feature, it is
recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still
experimental. It should become stable in a later point release. Please
report any issues/bugs [3].

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
`hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in
ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when
action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when
clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to
ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than
cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/

Bug report form:
[2]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release

[3]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release+expiring-watchlist-items

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz

Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l