== MediaWiki 1.35.14 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.13 ===
* Localisation updates.
* (T344912) mail: Encode period (ascii 46) if it appears in encoded email header.
* (T347726, CVE-2023-PENDING) SECURITY: logging: Fix non-escaped messages used in rights log.

== MediaWiki 1.35.13 ==

This is a maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.12 ===
* Tarball release to fix backport issues with patch for T341529.

== MediaWiki 1.35.12 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.11 ===
* Localisation updates.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* (T341434) WikiImporter: Improve error message output.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T342632) ApiComparePages: Add help url.
* (T347227) ImportReporter: Make callback functions public.
* doc: Improve description of type in extension.schema.v1.json.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

== MediaWiki 1.35.11 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.10 ===
* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (1.9.0 => 1.9.1).
* (T269636) Add Access-Control-Max-Age to $wgAllowedCorsHeaders.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* (T297917) objectcache: avoid use of ctype_digit() in WANObjectCache::adaptiveTTL().
* (T330464) Work around argument corruption bug in XMLReader::open.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

== MediaWiki 1.35.10 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.9 ===
* Localisation updates.
* (T324895) MWCallbackStream: Add explicit $stream property.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* Fix phan error when Excimer is enabled.
* (T274966) tests: Make pass on php8.0.
* (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0.
* (T326021) Add matrix: to $wgUrlProtocols.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T225218) Wait until the recent changes are updated.
* (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string getNativeData().
* (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects.
* (T285159, CVE-2023-PENDING) SECURITY: Do not apply autoblocks to untrusted XFF headers.

== MediaWiki 1.35.9 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.8 ===
* Localisation updates.
* (T319000) WebInstaller: Don't try and run trim() on null.
* (T320864) When calling mail(), use an array for headers.
* (T311567) In ManualLogEntry, cast the comment to string.
* (T323082) Upgrading wikimedia/xmp-reader (0.7.0 => 0.8.5).
* Language: Handle ronna and quetta.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T322637) SECURITY: sqlite should not create DB file world-readable.

== MediaWiki 1.35.8 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.7 ===
* Localisation updates.
* (T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
* (T311559) SpecialListFiles: user parameter isn't always present.
* (T311561) ImageListPager: Don't call htmlspecialchars() on null.
* (T311920) SpecialBlockList: Prevent passing null to trim().
* (T311921) SpecialUserrights: Don't pass null to str_replace.
* (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize().
* (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.
* (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null.
* (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid.
* (T312302) SpecialRedirect: Don't pass null to explode.
* RemoveInvalidEmails: Fix quoting for postgres.
* (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen().
* (T312300) SpecialDiff: Don't pass null to explode().
* (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg.
* (T289926) Handle null passed to wfShorthandToInteger() and Html::element().
* (T289926) Ensure that strlen() does not get passed a (valid) null.
* (T312301) SpecialDiff: Don't pass null to trim().
* Hooks: Use more meaningful name for SkinAfterPortlet hook parameter.
* (T289926) Ensure we don't pass null to mb_strlen.
* (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim() calls.
* (T289926) site: Consistently return null from Site::getDomain().
* (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept().
* (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1.
* Add application/vnd.ms-opentype to MIME list.
* Allow composer/installers plugin in composer.json.
* (T313663) Make HandlerTestTrait compatible with php8.1.
* (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
* Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1.
* (T313663) [php8] Don't use strlen on potentially null string.
* (T313663) [php8.1] Suppress test warning about providing null.
* (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp.
* (T313663) Add explicit null check for $sha in FileBackend [php8.1].
* (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1].
* (T289879, T289926) Get rid of warnings on PHP 8.1.
* rdbms: fix some PHP 8 warnings in Database/LoadBalancer/LBFactory.
* (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat].
* Fix a couple deprecation warnings in the installer under PHP 8.1.
* (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1].
* (T314096) Migrate use of ${var}-style string interpolation.
* (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null.
* (T314225) SpecialCategories: Null coalescence $par.
* (T314099) User: Allow dynamic properties on PHP 8.2.
* (T314404) SpecialGoToInterwiki: Null coalescence $par.
* (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
* (T314099) phpunit: Fix trivial dynamic property usages in tests.
* (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
* (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
* (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
* api: Add rel=nofollow to help examples.
* (T314824) tests: Update parser test after i18n change.
* (T263927) Add autocomplete HTML attribute to common auth form fields.
* (T307613) Validate length of user email on Special:ChangeEmail/Special:CreateAccount.
* (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions.
* (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
* (T315892) composer.json: Pin phpunit to 8.5.28.
* (T229092) MigrateActors.php: ignore duplicate creations of actors.
* (T313049) Bump wikimedia/parsoid to v0.12.3.
* (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.