== MediaWiki 1.35.14 ==
This is a security and maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.13 ===
* Localisation updates.
* (T344912) mail: Encode period (ascii 46) if it appears in encoded email
header.
* (T347726, CVE-2023-PENDING) SECURITY: logging: Fix non-escaped messages
used in rights log.
== MediaWiki 1.35.13 ==
This is a maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.12 ===
* Tarball release to fix backport issues with patch for T341529.
== MediaWiki 1.35.12 ==
This is a security and maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.11 ===
* Localisation updates.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
self-redirects with variants conversion.
* (T341434) WikiImporter: Improve error message output.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T342632) ApiComparePages: Add help url.
* (T347227) ImportReporter: Make callback functions public.
* doc: Improve description of type in extension.schema.v1.json.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser
("X intermediate revisions by the same user not shown") ignores username
suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML
file to Special:Upload (non-standard configuration).
== MediaWiki 1.35.11 ==
This is a security and maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.10 ===
* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7
(1.9.0 => 1.9.1).
* (T269636) Add Access-Control-Max-Age to $wgAllowedCorsHeaders.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* (T297917) objectcache: avoid use of ctype_digit() in
WANObjectCache::adaptiveTTL().
* (T330464) Work around argument corruption bug in XMLReader::open.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
== MediaWiki 1.35.10 ==
This is a security and maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.9 ===
* Localisation updates.
* (T324895) MWCallbackStream: Add explicit $stream property.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* Fix phan error when Excimer is enabled.
* (T274966) tests: Make pass on php8.0.
* (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0.
* (T326021) Add matrix: to $wgUrlProtocols.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T225218) Wait until the recent changes are updated.
* (T328222) Pass empty string to strlen() if schema is null for
PostgresDatabase.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string
getNativeData().
* (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text'
tag.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in
multiselects.
* (T285159, CVE-2023-PENDING) SECURITY: Do not apply autoblocks to untrusted
XFF headers.
== MediaWiki 1.35.9 ==
This is a security and maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.8 ===
* Localisation updates.
* (T319000) WebInstaller: Don't try and run trim() on null.
* (T320864) When calling mail(), use an array for headers.
* (T311567) In ManualLogEntry, cast the comment to string.
* (T323082) Upgrading wikimedia/xmp-reader (0.7.0 => 0.8.5).
* Language: Handle ronna and quetta.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T322637) SECURITY: sqlite should not create DB file world-readable.
== MediaWiki 1.35.8 ==
This is a security and maintenance release of the MediaWiki 1.35 branch.
=== Changes since MediaWiki 1.35.7 ===
* Localisation updates.
* (T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
* (T311559) SpecialListFiles: user parameter isn't always present.
* (T311561) ImageListPager: Don't call htmlspecialchars() on null.
* (T311920) SpecialBlockList: Prevent passing null to trim().
* (T311921) SpecialUserrights: Don't pass null to str_replace.
* (T311570) SpecialWithoutInterwiki: Don't pass null through to
Title::capitalize().
* (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.
* (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null.
* (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid.
* (T312302) SpecialRedirect: Don't pass null to explode.
* RemoveInvalidEmails: Fix quoting for postgres.
* (T312678) import: UploadSourceAdapter::stream_read() don't pass null to
strlen().
* (T312300) SpecialDiff: Don't pass null to explode().
* (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg.
* (T289926) Handle null passed to wfShorthandToInteger() and Html::element().
* (T289926) Ensure that strlen() does not get passed a (valid) null.
* (T312301) SpecialDiff: Don't pass null to trim().
* Hooks: Use more meaningful name for SkinAfterPortlet hook parameter.
* (T289926) Ensure we don't pass null to mb_strlen.
* (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim()
calls.
* (T289926) site: Consistently return null from Site::getDomain().
* (T307304, T289879) filebackend,jobqueue: Add signature for
FilterIterator::accept().
* (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1.
* Add application/vnd.ms-opentype to MIME list.
* Allow composer/installers plugin in composer.json.
* (T313663) Make HandlerTestTrait compatible with php8.1.
* (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
* Change type hints for BatchRowIterator and NotRecursiveIterator for
compatibility with PHP 8.1.
* (T313663) [php8] Don't use strlen on potentially null string.
* (T313663) [php8.1] Suppress test warning about providing null.
* (T313663) Parser will use current timestamp instead of null if passed a
RevisionRecord that does not have a timestamp.
* (T313663) Add explicit null check for $sha in FileBackend [php8.1].
* (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1].
* (T289879, T289926) Get rid of warnings on PHP 8.1.
* rdbms: fix some PHP 8 warnings in Database/LoadBalancer/LBFactory.
* (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat].
* Fix a couple deprecation warnings in the installer under PHP 8.1.
* (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1].
* (T314096) Migrate use of ${var}-style string interpolation.
* (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be
'' not null.
* (T314225) SpecialCategories: Null coalescence $par.
* (T314099) User: Allow dynamic properties on PHP 8.2.
* (T314404) SpecialGoToInterwiki: Null coalescence $par.
* (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
* (T314099) phpunit: Fix trivial dynamic property usages in tests.
* (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
* (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
* (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
* api: Add rel=nofollow to help examples.
* (T314824) tests: Update parser test after i18n change.
* (T263927) Add autocomplete HTML attribute to common auth form fields.
* (T307613) Validate length of user email on Special:ChangeEmail/
Special:CreateAccount.
* (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and
wpNamespaceRestrictions.
* (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
* (T315892) composer.json: Pin phpunit to 8.5.28.
* (T229092) MigrateActors.php: ignore duplicate creations of actors.
* (T313049) Bump wikimedia/parsoid to v0.12.3.
* (T317750) session: Fix broken SessionTest case due to PHPUnit dependency
change.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
of hidden users.