Subject: CVS commit: [pkgsrc-2012Q3] pkgsrc/www/mediawiki
From: Matthias Scheler
Date: 2012-12-04 11:36:23
Message id: 20121204103623.A4A03175DD@cvs.netbsd.org

Log Message:
Pullup ticket #3979 - requested by wen
www/mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile                                        1.25
- www/mediawiki/PLIST                                           1.12
- www/mediawiki/distinfo                                        1.16

---
   Module Name:    pkgsrc
   Committed By:   wen
   Date:           Fri Nov 30 08:12:24 UTC 2012

   Modified Files:
           pkgsrc/www/mediawiki: Makefile PLIST distinfo

   Log Message:
   Update to 1.20.1

   Upstream changes:
   MediaWiki 1.20.1

   This is a security release of the MediaWiki 1.20 branch
   Changes since 1.20
   (bug 42202) Validate options to prevent html injection
   (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
   (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
   Javscript Lint fixes
   (bug 40632) Remove CleanupPresentationalAttributes feature
   [Database] Fixed case where trx idle callbacks might be lost.
   MediaWiki 1.20

   MediaWiki 1.20 is a stable release.
   PHP 5.3 now required
   Since 1.20, the lowest supported version of PHP is now 5.3.2. Please
   upgrade PHP if you have not done so prior to upgrading MediaWiki.
   Configuration changes in 1.20
   $wgGitRepositoryViewers defines a mapping from Git remote repository
   to the Gitweb instance URL used in Special:Version.
   $wgUsePathInfo = true; is no longer needed to make $wgArticlePath work
   on servers using like nginx, lighttpd, and apache over fastcgi.
   MediaWiki now always extracts path info from REQUEST_URI if it's
   available.
   The user right 'upload_by_url' is no longer given to sysops by
   default. This only affects installations which have
   $wgAllowCopyUploads set to true.
   Removed f-prot support from $wgAntivirusSetup.
   New variable $wgDBerrorLogTZ to provide dates in the error log in a
   different timezone than the wiki timezone set by $wgLocaltimezone.
   New variables $wgDBssl and $wgDBcompress to enable SSL and compression
   for database connections, if either are available for the selected DB
   type.
   $wgUseCombinedLoginLink now defaults to false, making MediaWiki output
   separate login and create account links by default.
   New features in 1.20
   Added TitleIsAlwaysKnown hook which gets called when determining if a
   page exists.
   Added NamespaceIsMovable hook which gets called when determining if
   pages in a certain namespace can be moved.
   Added SpecialPageBeforeExecute hook which gets called before
   SpecialPage::execute.
   Added SpecialPageAfterExecute hook which gets called after SpecialPage::execute.
   Added ORMTable, ORMRow and ORMResult classes for additional
   abstraction of database interaction.
   Added CacheHelper and associated SpecialCachedPage and CachedAction
   helper classes.
   (bug 32341) Add upload by URL domain limitation.
   &useskin=default will now always display the default skin. Useful for
   users with a preference for the non-default skin to look at something
   using the default skin.
   (bug 27619) Remove preference option to display broken links as link?
   (bug 34896) jQuery JSON plugin upgraded to v2.3 (2011-09-17).
   (bug 34302) Add CSS classes to email fields in user preferences.
   Introduced $wgDebugDBTransactions to trace transaction status
   (currently PostgreSQL only).
   (bug 23795) Add parser itself to ParserMakeImageParams hook.
   Introduce a cryptographic random number generator source api for use
   when generating various tokens.
   (bug 30963) Option on Special:Prefixindex and Special:Allpages to not
   show redirects.
   (bug 18062) New message when edit or create the local page of a shared file.
   (bug 22870) Separate interface message when creating a page.
   (bug 17615) nosummary option should be reassigned on preview/captcha.
   (bug 34355) Add a variable and parser function for the namespace number.
   (bug 35649) Special:Version now shows hashes of extensions checked out from git.
   (bug 35728) Git revisions are now linked on Special:Version.
   "Show Changes" on default messages shows now diff against default \ 
message text
   (bug 23006) create #speciale parser function.
   generateSitemap can now optionally skip redirect pages.
   (bug 27757) New API command just for retrieving tokens (not page-based).
   Added GitViewers hook for extensions using external git repositories
   to have a web-based repository viewer linked to from Special:Version.
   Memcached debug logs can now be sent to their own file logs by setting
   $wgDebugLogFile['memcached'] to some filepath.
   (bug 35685) api.php URL and other entry point URLs are now listed on
   Special:Version
   Edit notices can now be translated.
   jQuery upgraded to 1.8.2.
   jQuery UI upgraded to 1.8.23.
   QUnit upgraded from v1.2.0 to v1.10.0.
   (bug 37604) jquery.cookie upgraded to 2011 version.
   (bug 22887) Add warning and tracking category for preprocessor errors
   (bug 31704) Allow selection of associated namespace on the watchlist
   (bug 5445) Now remove autoblocks when a user is unblocked.
   Added $wgLogExceptionBacktrace, on by default, to allow logging of
   exception backtraces.
   Added device detection for determining device capabilities.
   QUnit.newMwEnvironment now supports passing a custom setup and/or
   teardown function. Arguments signature has changed. First arguments is
   now an options object of which 'config' can be a property. Previously
   'config' itself was the first and only argument.
   New getCreator and getOldestRevision methods added to WikiPage class
   (bug 4220) the XML dump format schema now have unique identity
   constraints for page and revision identifiers. Patch by Elvis
   Stansvik.
   cleanupSpam.php now can delete spam pages if --delete was specified
   instead of blanking them.
   Added new hook ChangePasswordForm to allow adding of additional fields
   in Special:ChangePassword
   Added new function getDomain to AuthPlugin for getting a user's domain
   (bug 23427) New magic word {{PAGEID}} which gives the current page ID.
   Will be null on previewing a page being created.
   (bug 37627) UserNotLoggedIn() exception to show a generic error page
   whenever a user is not logged in.
   Watched status in changes lists are no longer indicated by
   <strong></strong> tags with class "mw-watched". \ 
Instead, each line now
   has a class "mw-changeslist-line-watched" or
   "mw-changeslist-line-not-watched", and the title itself is surrounded
   by <span></span> tags with class "mw-title".
   Added ContribsPager::reallyDoQuery hook allowing extensions to data to
   MyContribs
   Added new hook ParserAfterParse to allow extensions to affect parsed
   output after the parse is complete but before block level processing,
   link holder replacement, and so on.
   (bug 34678) Added InternalParseBeforeSanitize hook which gets called
   during Parser's internalParse method just before the parser removes
   unwanted/dangerous HTML tags.
   Added new hook AfterFinalPageOutput to allow modifications to buffered
   page output before sent to the client.
   (bug 36783) Implement jQuery Promise interface in mediawiki.api module.
   Make dates in sortable tables sort according to the page content
   language instead of the site content language
   (bug 37926) Deleterevision will no longer allow users to delete log
   entries, the new deletelogentry permission is required for this.
   (bug 14237) Allow PAGESINCATEGORY to distinguish between 'all',
   'pages', 'files' and 'subcats'
   (bug 38362) Make Special:Listuser includeable on wiki pages.
   Added support in jquery.localize for placeholder attributes.
   (bug 38151) Implemented mw.user.getRights for getting and caching the
   current user's user rights.
   Session storage can now configured independently of general object
   cache storage, by using $wgSessionCacheType. $wgSessionsInMemcached
   has been renamed to $wgSessionsInObjectCache, with the old name
   retained for backwards compatibility. When this feature is enabled,
   the expiry time can now be configured with
   $wgObjectCacheSessionExpiry.
   Added a Redis client for object caching.
   Implemented mw.user.getGroups for getting and caching user groups.
   (bug 37830) Added $wgRequirePasswordforEmailChange to control whether
   password confirmation is required for changing an email address or
   not.
   HTMLForm mutators can now be chained (they return $this)
   A new message, "api-error-filetype-banned-type", is available for
   formatting API upload errors due to the file extension blacklist.
   New hook 'ParserTestGlobals' allows to set globals before running parser tests.
   Allow importing pages as subpage.
   Add lang and hreflang attributes to language links on Login page.
   (bug 22749) Create Special:MostInterwikis.
   Show change tags when transclude Special:Recentchanges(linked) or
   Special:Newpages.
   (bug 23226) Add |class= parameter to image links in order to add
   class(es) to HTML img tag.
   (bug 39431) SVG animated status is now shown in long description.
   (bug 39376) jquery.form upgraded to 3.14.
   SVG files will now show the actual width in the SVG's specified units
   in the metadata box.
   Added ResourceLoader module "jquery.jStorage" (v0.3.0, \ 
http://jStorage.info/).
   (bug 39273) Added AJAX support for "Show changes" (diff) in LivePreview.
   Added ResourceLoader module "jquery.badge".
   mw.util.$content now points to the overall content area in the skin
   rather than just page text content area. If you need the old behaviour
   please use $( '#mw-content-text').
   jsMessage has been replaced with a floating bubble notification system
   complete with auto-hide, multi-message support, and message
   replacement tags.
   jquery.messageBox which appears to be unused by both core and
   extensions has been removed.
   (bug 34939) Made link parsing insensitive ([HttP://]).
   (bug 40072) Add CSS classes to items in output of ChangesList pages.
   Added $wgCopyUploadProxy global to define which proxy to use for copy uploads.
   (bug 40448) mediawiki.legacy.mwsuggest has been replaced with a new
   module, mediawiki.searchSuggest, based on SimpleSeach from
   Extension:Vector.

Files:
RevisionActionfile
1.22.2.1modifypkgsrc/www/mediawiki/Makefile
1.11.2.1modifypkgsrc/www/mediawiki/PLIST
1.15.2.1modifypkgsrc/www/mediawiki/distinfo