PATH:
var
/
softaculous
/
mw19
= MediaWiki 1.43 = PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/ PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/ PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/ PHP 8.4 workboard: https://phabricator.wikimedia.org/tag/php_8.4_support/ PHP 8.5 workboard: https://phabricator.wikimedia.org/tag/php_8.5_support/ == MediaWiki 1.43.9 == This is a security and maintenance release of the MediaWiki 1.43 branch. === Changes since 1.43.8 === * Localisation updates. * (T419192) Actions: Fix incorrect variable shadowing. * (T421659) Installer: Skip dropIndex() when table does not exists. * (T413545, T422879) Update wikimedia/parsoid to 0.20.8. * (T423185) HashSiteStore: Don't trigger PHP 8.5 warnings if the Site has no globalID. * Make CacheTime/ParserOutput JsonCodecable; deprecate older json classes. * ParserOutput: Add JsonCodec hints for TOCData and WarningMsgs. * (T414805) Media: Re-apply Use previous step for non-standard width between steps and original. * (T418745, T423895) Media: Fallback to the largest standard size if an overly large one is requested. * (T328921) Drop various PHP 7.4/8.0 support hacks, no longer needed. * (T261260) Re-add preloading of classes used in the header callback. * (T261260) Limit preloading workaround for autoload bug to PHP<8.6. * Upload: Avoid null array key in UploadBase::getMaxUploadSize. * (T395204) Unify logging of IP / user agent / etc on sensitive operations. * (T423502) AuthManager: Log status changes from SecuritySensitiveOperationStatusHook call. * (T419768) RawAction: Restrict content type to javascript. * HTMLForm: Add 'type' => 'button'. * (T395204) Update GetSecurityLogContext @since tags for backports. * (T402792, T414805, T416620, T418178) DjvuHandler: Make it follow thumb steps. * TextContentHandler::fillParserOutput: Drop old support for Content::getHtml, no longer needed. * (T410934) Remove noop xml_parser_free() call. * Drop empty ids. * (T425742) ApiQueryInfo: Pass an empty string instead of null to EditFormPreloadText hook. * (T424114) Media: Improve $wgThumbnailSteps docs. * resetUserEmail: Log email change to authentication log. * resetUserEmail: Add reason option for email change. * resetUserEmail: Log more events from script. * changePassword/resetUserEmail: Invalidate user sessions upon password change. * (T426861) composer.json: Updated symfony/yaml from 5.4.45 to 5.4.52. * (T366986) Parser: Improve recursive lock error message. * Add GitHub to $wgGitRepositoryViewers. * (T425818) changePassword: Log password change to authentication log. * changePassword: Add reason option for password change. * (T429826) Updated guzzlehttp/guzzle from 7.10.0 to 7.12.1. * (T423617) Check the target url for redirects are allowed. * (T429965) Updated guzzlehttp/guzzle from 7.12.1 to 7.12.3. * (T389161) Client-side date/time formatter library. * (T382781) Changed Levantine Arabic numerals to Western numerals. * (T382781) [PHP 8.4] Ensure Levantine Arabic numerals stay as Western numerals. * (T383047) UserMailer: hack: preserve multiple error callbacks. * (T383047) Mail: Extract sendWithMailFunction() from UserMailer::send(). * (T429720) FileRepo: Fix typos in schema compatibility checks. * (T383047) Mail: Log PHP mail() send failures with recipient count. * (T425406, CVE-2026-58036) SECURITY: Fix ApiQueryUsers leaking status of private user conditions for user. * (T422306, CVE-2026-58028) SECURITY: Disallow user JS in pretty-print api.php responses. * (T427235, CVE-2026-58033) SECURITY: Exclude rev-deleted usernames from distinct authors query. * (T426867, CVE-2026-58032) SECURITY: mw.Api.getErrorMessage: Treat formatversion=1 as text. * (T299359, CVE-2026-58026) SECURITY: Make sure the actual title that's being transcluded is includable. * (T422085, CVE-2026-58024) SECURITY: Restrict interwiki user lookup in ApiUserrights. * (T422676, CVE-2026-58029) SECURITY: Check for editmyprivateinfo right in more places. * (T422995, CVE-2026-58037) SECURITY: LogFormatter: 'raw' parameter format is no longer raw HTML. * (T422244, CVE-2026-58025) SECURITY: Safely unserialize log entry parameters. == MediaWiki 1.43.8 == This is a maintenance release of the MediaWiki 1.43 branch. === Changes since 1.43.7 === * Fixed backport issues. == MediaWiki 1.43.7 == This is a security and maintenance release of the MediaWiki 1.43 branch. === Changes since 1.43.6 === * Localisation updates. * (T386108) Upgrade pear/pear-core-minimal to v1.10.17. * (T412194) Upgrading justinrainbow/json-schema (5.3.0 => 5.3.1). * (T413538) MultiHttpClient: Remove curl_close() call. * (T413545) Upgrading wikimedia/parsoid (v0.20.4 => v0.20.5). * (T411213) Updated wikimedia/less.php from 5.1.2 to 5.5.0. * (T413565) Search: Replace deprecated SplObjectStorage methods. * Mime: Change mime type video/x-matroska to video/matroska. * Fix incorrect uses of ScopedCallback objects. * profiler: Correct function types documentation. * (T413582) ShellboxClientFactory: Handle $service being null in getUrl(). * (T413672) EtcdConfigTest: Add return value for some MultiHttpClient mocks. * (T413675) DBConnRefTest: Add a temporary variable for return value in testRoleExceptions. * (T413580) LanguageCodeTest: Remove unnecessary null assertion. * Allow wikimedia/testing-access-wrapper ^4.0.0. * Logging: Handle possible null as type for LogPage. * (T411019) Logging: Set default for log type on dropdown via LogEventsList. * (T413690) libs: Fix closure detection in MemoizedCallable. * (T378563) [BlockManager] Don't assume autoblocks have ::getParentBlockId. * (T378563) Fix bug in BlockManager::getUniqueBlocks. * (T413923) Don't use null offsets in BlockManager::getUniqueBlocks. * SiteConfiguration: Optimize processSetting for default-only case. * SiteConfiguration: Use \array_key_exists(). * SiteConfiguration: Use use function syntax. * Config: Use use function array_key_exists some more. * (T413924, T413925) tests: PHP 8.5 compatibility in AuthManager tests. * (T381842) Fix core contributions special page tests for legacy Vector. * (T380518) ContributionsSpecialPage: Call IndexPager::getBody if no results. * (T385876) Improve direction of user name used in title in Special:Contributions. * (T413573) [php8.4] Use DOMCompat::innerHTML() instead of Element::nodeValue. * build: Upgrade PHPUnit from 9.6.19 to 9.6.21. * (T413673) tests: Fix PHP8.5 error when casting float(INF) as integer. * (T414355) Fix PHP 8.5 deprecation warnings in IcuCollation. * (T413674) ParamValidator: Suppress cast warning in IntegerDef. * (T413577) Parser: Ignore long user provided int in Sanitizer::decodeCharReferences. * (T413576) Rdbms: Get strings from SQLPlatform::getDatabaseAndTableIdentifier. * (T413579) Site: Handle non-stored Site objects in SiteList. * (T413920) tests: Mock some functions in OutputPageTest. * (T413926) Do not attempt to get handler for unknown file types. * (T413919) tests: Use real TitleFormatter in LinkBatchTest. * (T413930) User: Add fallback 'default' to User::getDatePreference. * (T413934) JobQueueGroup: avoid PHP 8.5 deprecation from null array offsets. * (T413922) Rdbms: Handle null from DatabaseDomain::getDatabase in LBFactoryMulti. * (T413901) Media: Remove deprecated imagedestroy. * (T413931) tests: Set module name in ApiBaseTest::doGetParameterFromSettings. * rdbms::assertTransactionRoundStage: Show transaction name if available. * (T414350) Language: Handle NAN coercion to string in formatting numbers. * (T414336) Disable process timeout for Composer phpunit script. * (T413575) libs>XhprofData: Handle use of NULLs as array keys for PHP8.5. * tests: Use TestingAccessWrapper to run some protected or private methods. * (T406744) tests: Don't use ReflectionProperty::setAccessible(), it's a no-op now. * tests: Improve mocked ParserOptions in ParsoidOutputAccessTest. * (T415443) Upgrading mck89/peast (v1.16.3 => v1.17.4). * Update guzzlehttp/guzzle to 7.9.3. * (T414196) Upgraded guzzlehttp/guzzle. * (T413918) tests: Mock value for RangeChronologicalPager::getTimestampField. * (T413921) LinksUpdate: Handle nullable el_to_path column in ExternalLinksUpdate. * (T413926) Upload: Do not attempt to get handler for unknown file types. * File: Ensure mime type is set for LocalFile::getMimeType. * (T413917) Specials: Use empty string as missing type on Special:RevisionDelete. * (T415723) Updated phpunit/phpunit from 9.6.21 to 9.6.33. * Update phpunit/phpunit from 9.6.33 to 9.6.34. * Update wikimedia/parsoid to 0.20.6 and wikimedia/remex-html to 4.1.2. * (T416050) Update psy/psysh to ^0.12.19. * FileRepo: Add 'userAgent' option in ForeignAPIRepo for wgForeignFileRepos. * (T417390) mediawiki.util: Don't throw in addSubtitle if the skin lacks a subtitle. * (T413545) Update wikimedia/parsoid to 0.20.7. * Make MessageValue JsonCodecable instead of JsonDeserializable. * Forward-compatibility patch for MessageValue serialization hints. * [tests] Add forward-compatibility alias for JsonDeserializableSubClass. * (T367584) JsonCodec/ParserCache: Forward-compatibility test cases. * (T414884) PostgresInstaller: Handle null password in openConnectionToAnyDB. * Forward compatibility with ParserOutput::getTitle(). * (T360589) Introduce thumbnail steps. * (T360589) media: Make SvgHandler respect physicalWidth when building URL for thumb. * (T414805, T418745, T418346) WebPHandler: Allow the original being served on the web. * (T411013) mediawiki.util: Add adjustThumbWidthForSteps for step sizing in JS. * (T411013) mediawiki.util,FileRepo: Improve adjustThumbWidthForSteps test coverage. * (T411125) Round to original file width if there is no steep between that & requested. * (T411125) File: Allow scaling up vectorized images to larger sizes. * (T360589, T415598) Move handling of ThumbnailSteps to media handlers. * (T416518) Disable Composer audit.block-insecure option. * (T419183) ParserOutputFlags: add HAS_SLOT_HEADERS. * (T419479) sql: Mark pl_target_id as non-nullable in abstract schema. * (T329183, T417691) Clarify documentation for action=query&list=tags. * (T391524) EditPage: Handle MWException when serializing the preloaded content. * (T417819) ParserOutputFlags: Back-port new flags added in 1.46 for forward compat. * (T382566) Installer: Fix db type radio button. * (T384147, CVE-2026-34092) SECURITY: Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP. * (T410429, CVE-2026-34088) SECURITY: RecentChanges entries expose suppressed content via generated log page html. * (T411305, CVE-2026-34091) SECURITY: User localization leaked by AbuseFilter + EventStream. * (T411366, CVE-2026-34090) SECURITY: Suggested investigations: Handle suppressed usernames. * (T414547, CVE-2026-34093) SECURITY: Special:UserRights allows viewing user rights from private wiki. * (T416090, CVE-2026-34094) SECURITY: Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix. * (T419192, CVE-2026-34095) SECURITY: action=raw with Special:Mypage subpage title responds with "Content-Type) SECURITY: text/html" on ctype=text/javascript request. == MediaWiki 1.43.6 == This is a security and maintenance release of the MediaWiki 1.43 branch. === Changes since 1.43.5 === * Localisation updates. * (T394396) Revert "SECURITY: Escape rawElement $content". * (T394059) DeduplicateStyles: Only transform possible style nodes. * UserGroupManager: Use MainConfigNames::PrivilegedGroups rather than string literal. * (T406391) RemexCompatFormatter: Don't encode HTML entities in raw-text elements. * (T402438) api: Allow ApiResult to override imagerepository key in prop=imageinfo. * ParserOutput: Add default values for JSON deserialization. * (T355853, T407172) Make the login and signup forms wider. * (T292868) Forward-compatibility: allow output flags to be serialized in `OutputFlags`. * ResourceLoader: Update cssjanus/cssjanus to wikimedia/cssjanus. * (T85085) Improve CSS checking in SVG filter. * (T405064) Fix the premature loop exit in Parser.cleanUpTocLine. * (T407289) i18n: deprecate double-underscore magic words which don't start/end with __. * i18n: all behavior switches should start/end with __ (part 2). * (T407289) i18n: Remove deprecated behavior switches without underscores in et/sh-latn/vep. * (T407770) Add symfony/polyfill-php84 and symfony/polyfill-php85. * maintenance/getConfiguration.php: Fix null warning and serialize error. * (T328605) ApiParse: Introduce prop=tocdata as replacement for prop=sections. * (T406283) ApiSandbox: Use POST when we have long URL. * (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by default. * (T410913) SpecialVersion: Fix "Cannot use bool as array" warning. * (T410928) resourceloader: Fix null offset in ClientHtml module sorting. * (T410934) Remove noop xml_parser_free() calls. * (T410920) Language: Prevent passing '' to ord() in ucfirst(). * (T410912) Language: Fix "ord(): Providing a string that is not one byte long is deprecated." * (T410912) MessageCache: Fix "ord(): Providing a string that is not one byte long is deprecated." * (T410920) Language: Prevent passing '' to ord() in lcfirst(). * (T410963) Upgrade wikimedia/xmp-reader from 0.9.4 to 0.10.2. * (T411016) Upgrading wikimedia/cldr-plural-rule-parser (v2.0.0 => v3.0.0). * (T411075) Api: Initialise reference variable. * (T411018) IndexPager: Set '' as default value for 'order'. * (T410914) Language: Fix PHP 8.5 warnings for NAN/INF string coercion in formatNumInternal. * (T410914) Language: Fix PHP 8.5 warnings for NAN/INF string coercion in parseFormattedNumber. * (T338103, T411214) ApiResult: Fix "ord(): Providing a string that is not one byte long is deprecated." * (T356544) Replace uses of Xml::fieldset(), deprecated since 1.42. * (T393790) htmlform: Fix rendering contents for cloner fields. * (T391882) HTMLFormFieldCloner: Fix multiple bugs related to conditional states. * (T406374) htmlform: Load ooui before infusing field cloner buttons. * (T411199) initEditCount: Fix count for users with no edits. * (T411827) SpecialPageFactory: Handle resolveAlias() returning null in getPage() and exists(). * (T411968) Installer: Do not use null as array offset. * Add support for HTTP/3 in MultiHttpClient. * (T295568) mediawiki.jqueryMsg: Support self-closing HTML tags. * (T411968) EditResultBuilder: Do not use null as array offset. * Add http/3 to runMulti in MultiHttpClient * (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in Special:ApiSandbox. * (T406664, CVE-2025-67475) SECURITY: Escape square brackets in autocomment links. * (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail encoded-words. * (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and wide underscore in data-* attribute names. * (T401053, CVE-2025-67480) SECURITY: Check read permissions in ApiQueryRevisionsBase. * (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape 'comma-separator' between multiple protection levels. * (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in client-side messages (jqueryMsg). == MediaWiki 1.43.5 == This is a security and maintenance release of the MediaWiki 1.43 branch. === Changes since MediaWiki 1.43.4 === * Add missing backport for Extension:DiscussionTools. * Add missing backport for Extension:Thanks. * (T406322, CVE-2025-11261) SECURITY: Escape system messages in mw.language.listToText.
[+]
php82
[+]
php53
[-] changelog.txt
[edit]
[-] notes.txt
[edit]
[-] LocalSettings.php
[edit]
[-] import.php
[edit]
[-] info.xml
[edit]
[-] install.xml
[edit]
[-] fileindex.php
[edit]
[+]
php71
[-] clone.php
[edit]
[-] edit.xml
[edit]
[-] mw19.sql
[edit]
[-] install.js
[edit]
[+]
php56
[-] upgrade.php
[edit]
[-] upgrade.xml
[edit]
[+]
php81
[-] install.php
[edit]
[+]
..
[-] md5
[edit]
[-] mw19.zip
[edit]
[-] edit.php
[edit]
[+]
images