csteipp [Mon, 10 Aug 2015 20:23:01 +0000 (10 13:23 -0700)]
Update Releasenotes and version number for 1.23.10
Change-Id: Ibcb5605e99cbabbe4159b1131610cc8e9ab5e38f
Kunal Mehta [Fri, 24 Jul 2015 21:23:46 +0000 (24 14:23 -0700)]
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions
Same patch as dc2966bd05b, just for Special:DeletedContributions this time.
Bug: T106893
Change-Id: I2089b21fc379b612fe9bf087b5f4ea75052bdbd3
csteipp [Mon, 10 Aug 2015 17:30:50 +0000 (10 10:30 -0700)]
thumb.php: Escape $rel404 in error message
Bug: T97391
Change-Id: I363686732fe9e5636c85c267c0728fc872c3e39d
Chad Horohoe [Mon, 10 Aug 2015 19:33:18 +0000 (10 12:33 -0700)]
SECURITY: API: Use constant-time comparison for watchlist token
Avoids a theoretical timing attack.
Includes backport of hash_equals() compat function from Iece006e
Bug: T94116
Change-Id: Ia4a2b13bd5d3cd256c6b2deada224148dc2888a6
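Added example, not MediaWiki code and not the backported compat function itself: a hash_equals() polyfill of the kind the message refers to, shown next to the plain string comparison it replaces for a watchlist-token check. The function names and the sample token are assumptions constructed for the example.

```php
<?php
// Added example, not MediaWiki code. Polyfill hash_equals() for PHP < 5.6,
// then use it for a token check. Function names and sample token are assumptions.

if ( !function_exists( 'hash_equals' ) ) {
	/**
	 * Compare $known with $user in time that depends only on strlen( $user ),
	 * not on where the first differing byte is.
	 */
	function hash_equals( $known, $user ) {
		if ( !is_string( $known ) || !is_string( $user ) ) {
			return false;
		}
		$len = strlen( $known );
		if ( $len !== strlen( $user ) ) {
			// Length mismatch: only the length is leaked, never the content.
			return false;
		}
		$diff = 0;
		for ( $i = 0; $i < $len; $i++ ) {
			// OR-accumulate the XOR of each byte pair; never exit early.
			$diff |= ord( $known[$i] ) ^ ord( $user[$i] );
		}
		return $diff === 0;
	}
}

/**
 * Before: a plain string comparison. After the length check the engine
 * falls through to memcmp(), which is free to stop at the first mismatch,
 * so the time taken can leak how many leading bytes of a guess were right.
 */
function watchlistTokenMatchesUnsafe( $stored, $supplied ) {
	return $stored === $supplied;
}

/** After: same result, but the comparison time no longer depends on the match. */
function watchlistTokenMatchesSafe( $stored, $supplied ) {
	return hash_equals( $stored, $supplied );
}

// Constructed sample: a 40-hex-digit token standing in for a user's watchlist token.
$stored = 'c0ffee5e1e7b2d9c4a1f8e3d6b5a4c3d2e1f0a9b';
$guesses = array(
	$stored,                                     // exact match
	'c0ffee5e1e7b2d9c4a1f8e3d6b5a4c3d2e1f0a9c',  // last byte wrong
	'c0ffee',                                    // wrong length
);
foreach ( $guesses as $guess ) {
	printf( "%-40s -> %s\n", $guess,
		watchlistTokenMatchesSafe( $stored, $guess ) ? 'accepted' : 'rejected' );
}
```

The polyfill still returns early on a length mismatch, as the native function does; for fixed-length tokens that leaks nothing useful, but it is the one timing difference that remains.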
jenkins-bot [Mon, 13 Jul 2015 18:17:52 +0000 (13 18:17 +0000)]
Merge "Fix InstantCommons - HTTP access to Commons does not work anymore" into REL1_23
umherirrender [Sun, 28 Jun 2015 18:03:00 +0000 (28 20:03 +0200)]
Log http error in ForeignAPIRepo::httpGet
This makes at least the "SSL certificate problem: unable to get local
issuer certificate" visible.
Change-Id: Icf0658b5e9f7ac9c58f98291345442f8e405435f
(cherry picked from commit d2d692e17b8fa64f3d15b7ddf23173954317d31b)
Gergő Tisza [Mon, 15 Jun 2015 22:47:08 +0000 (15 22:47 +0000)]
Fix InstantCommons - HTTP access to Commons does not work anymore
Bug: T102562
Change-Id: Ie0b4ec179b9ccd13015c9bcbfa5c9917ff26de36
(backported from commit 8517b3cb2276878d11004e2b8bd0a41ce8876134)
Gergő Tisza [Sun, 24 May 2015 11:30:10 +0000 (24 11:30 +0000)]
Add a hook for reporting exceptions
Bug: T100141
Change-Id: I893f8b93e09f9ef70beef46922d304fdb3600b78
(cherry picked from commit d0d539e6bae1d5b333828ad346eadef3399f5fb1)
Bryan Davis [Sun, 12 Apr 2015 23:20:54 +0000 (12 17:20 -0600)]
Minimal PSR-3 compatible logger layer
Provide a minimal PSR-3 compatible logger layer to make backporting
critical updates from 1.25+ easier. It also serves to allow extensions
that maintain backwards compatibility with the 1.23 LTS releases to
migrate to the new logging system.
A copy of the official PSR-3 implementation is added in
includes/libs/psr3 with the omission of PHP5.4+ Traits. In MediaWiki
1.25+ this library will be provided via Composer.
Bug: T91653
Change-Id: If385e722c62dc1f989af6fdee404535bad989acc
Chad Horohoe [Wed, 16 Jul 2014 00:49:18 +0000 (15 17:49 -0700)]
Make AutoLoaderTest handle namespaces
Bug: 67644
Change-Id: Ibeb0833742c574afac13bfebd278f9d2b8410de6
csteipp [Tue, 31 Mar 2015 13:08:01 +0000 (31 06:08 -0700)]
Updated release notes and version number for MediaWiki 1.23.9
Change-Id: Iceda1e73060a5c05ca11a9cdab065e5b28ae53a7
csteipp [Thu, 12 Mar 2015 22:49:22 +0000 (12 15:49 -0700)]
SECURITY: Don't allow entities in XMP
Test for, and refuse to parse, XMP chunks with a doctype declaration
when parsing XMP.
Bug: T85848
Change-Id: Iea4feb077ee85a35509a920153daaa9321ee69f3
csteipp [Fri, 13 Mar 2015 23:52:18 +0000 (13 16:52 -0700)]
SECURITY: Don't allow directly calling Xml::isWellFormed
Changing Xml::isWellFormed to private. In WMF hosted repos, there are
no callers to isWellFormed directly.
Bug: T85848
Change-Id: I104427989b89c386de571b8e60642095331a1132
csteipp [Fri, 27 Mar 2015 22:08:52 +0000 (27 15:08 -0700)]
SECURITY: Always expand xml entities when checking SVGs
XmlTypeCheck's use of xml_parse for filtering SVGs sometimes left xml
entities unexpanded, which can lead to false-negatives when the
callback was used for filtering. Update XmlTypeCheck to use XMLReader
instead, tell the library to fully expand entities, and rely on the
library to error out if it encounters XML that is likely to cause a DoS
if parsed.
Bug: T88310
Change-Id: I77c77a2d6d22f549e7ef969811f7edd77a45dbba
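Added example serving both the XMP commit (refuse chunks with a doctype) and this one (XMLReader with entity substitution, libxml errors treated as rejection). It is not MediaWiki's XmlTypeCheck or XMPReader; the function name, the $maxChars cap and the sample chunks are assumptions constructed for the example.

```php
<?php
// Added example, not MediaWiki's XmlTypeCheck or XMPReader. Validate an XML
// chunk with XMLReader: refuse any DOCTYPE (so no entity declarations at all),
// have libxml substitute entity references so a filter callback never sees a
// raw &foo;, and treat any libxml error (entity loops, expansion limits,
// malformed input) as a rejection. $maxChars is an extra cap chosen for this
// example; the commit messages do not describe it.

function xmlChunkProblem( $xml, $maxChars = 1000000 ) {
	// Cheap pre-check that catches the common case before parsing at all.
	if ( stripos( $xml, '<!DOCTYPE' ) !== false ) {
		return 'DOCTYPE declaration not allowed';
	}

	$prevErrorMode = libxml_use_internal_errors( true );
	libxml_clear_errors();
	$problem = null;

	$reader = new XMLReader();
	// LIBXML_NONET: never fetch external DTDs or entities over the network.
	if ( !$reader->XML( $xml, null, LIBXML_NONET ) ) {
		$problem = 'could not initialise XMLReader';
	} else {
		// Parser properties must be set before the first read().
		$reader->setParserProperty( XMLReader::LOADDTD, false );
		$reader->setParserProperty( XMLReader::SUBST_ENTITIES, true );

		$chars = 0;
		while ( $problem === null && $reader->read() ) {
			switch ( $reader->nodeType ) {
				case XMLReader::DOC_TYPE:
					// Second line of defence for encodings the string scan missed.
					$problem = 'DOCTYPE declaration not allowed';
					break;
				case XMLReader::ENTITY_REF:
					// With SUBST_ENTITIES on, a reference that is still unexpanded
					// means the entity is undefined or external; refuse, don't guess.
					$problem = 'unexpanded entity reference: ' . $reader->name;
					break;
				case XMLReader::TEXT:
				case XMLReader::CDATA:
					$chars += strlen( $reader->value );
					if ( $chars > $maxChars ) {
						$problem = 'expanded text exceeds ' . $maxChars . ' bytes';
					}
					break;
			}
		}
		$reader->close();
	}

	// Anything libxml complained about (including "Detected an entity
	// reference loop" for recursive entities) is a rejection.
	$errors = libxml_get_errors();
	libxml_clear_errors();
	libxml_use_internal_errors( $prevErrorMode );
	if ( $problem === null && $errors ) {
		$problem = 'libxml: ' . trim( $errors[0]->message );
	}
	return $problem;
}

// Constructed samples.
$samples = array(
	'plain XMP-like chunk' => '<x:xmpmeta xmlns:x="adobe:ns:meta/">'
		. '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>',
	'chunk with DOCTYPE'   => '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>',
	'undefined entity'     => '<svg xmlns="http://www.w3.org/2000/svg">&undefinedThing;</svg>',
	'not well-formed'      => '<svg><g></svg>',
);
foreach ( $samples as $label => $xml ) {
	$p = xmlChunkProblem( $xml );
	printf( "%-22s %s\n", $label . ':', $p === null ? 'ok' : 'rejected (' . $p . ')' );
}
```

The string pre-check and the DOC_TYPE node check overlap on purpose: the first is cheap and catches the normal case, the second covers input whose bytes the substring scan would not match.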
csteipp [Thu, 19 Feb 2015 23:05:40 +0000 (19 15:05 -0800)]
SECURITY: Escape > in Html::expandAttributes
Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.
Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
csteipp [Fri, 27 Mar 2015 21:45:55 +0000 (27 14:45 -0700)]
SECURITY: Don't execute another user's CSS or JS on preview
Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.
Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
csteipp [Wed, 14 Jan 2015 00:48:01 +0000 (13 16:48 -0800)]
SECURITY: Fix animate blacklist
The blacklist should prevent animating any element's xlink:href to a
javascript url.
Bug: T86711
Change-Id: Ia9e9192165fdfe1701f22605eee0b0e5c9137d5a
csteipp [Tue, 24 Mar 2015 01:03:24 +0000 (23 18:03 -0700)]
SECURITY: Don't allow embedded application/xml in SVGs
Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got
around our blacklist on embedded href targets. Use a whitelist instead.
Bug: T85850
Change-Id: I0cf9df4883994072029a2eda1fce8acb39a8f6e9
Tyler Romeo [Tue, 30 Dec 2014 20:24:04 +0000 (30 15:24 -0500)]
SECURITY: Make SVG @import checking case insensitive
@import in embedded CSS is case-insensitive, meaning
an attacker can put "@iMpOrT" and it should still
work.
This uses stripos instead of strpos to make the check
case insensitive.
Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
Timo Tijhof [Tue, 2 Dec 2014 21:48:21 +0000 (2 21:48 +0000)]
build: Add Karma task for automated QUnit testing in browsers
To use, first run 'npm install'. Then run 'grunt qunit' to start
the test suite in Chrome.
Squashed cherry-picks from master:
* ba50b32556: SpecialJavaScriptTest: Add export feat
* 7605f112e4: jquery.mwExtension.test: Fix qunit-fixture conflict
* 365b6f3af9: mediawiki.jqueryMsg.test: Fix crazy concurrency
* 945c1efe37: build: Add Karma task
* 8d92aaf83e: build: Clean up Gruntfile
* 2258f25053: build: Add assert-mw-env task
* dcbbc0489c: build: Increase browserNoActivityTimeout to 60s
* fa4ba8dbd7: build: Declare grunt-cli dependency
Change-Id: I4e96da137340a28789b38940e75d4b6b8bc5d76a
Timo Tijhof [Sun, 8 Mar 2015 17:34:06 +0000 (8 18:34 +0100)]
Rename JSDuck config to standard 'jsduck'
* Move configuration to /jsduck.json per standard.
* Move --processes=0 from maintenance script into config file.
* Use grunt-contrib-copy instead of a symlink for resources.
Also removed old JSDuck 4 logic.
Change-Id: Iaaaac50ee78dd9ff8f24f1ef3a3685ad51cf33b2
(cherry picked from commit 3bbd27aa4911e491a6e0838438e9bc03c9df22c6)
Timo Tijhof [Fri, 6 Mar 2015 02:26:44 +0000 (6 03:26 +0100)]
resourceloader: Call setName() in test suite before calling getStyles()
This caused a database error due to NULL being inserted as name, which is illegal.
> Function: DatabaseSqlite::replace/single-row
> NOT NULL constraint failed: unittest_module_deps.md_module
> Stack trace:
> #3 includes/resourceloader/ResourceLoaderFileModule.php(420): DatabaseSqlite->replace()
> #4 tests/phpunit/includes/resourceloader/ResourceLoaderTest.php(88): ResourceLoaderFileModule->getStyles()
> #5 (): ResourceLoaderTest->testLessFileCompilation()
This test shouldn't be triggering database updates, but that's for
a later change to stub out or refactor.
Bug: T91567
Change-Id: Ic451bd41e2ffc188d2efd6b7ce61b03b9de61296
(cherry picked from commit 54473cbb6deaf3c8b2089a3a9a995b067e272151)
Timo Tijhof [Tue, 14 Oct 2014 21:39:31 +0000 (14 23:39 +0200)]
jquery.badge: Swap non-breaking space character for regular space
Follows-up d453f81f4e. PHP's native json_encode requires input
being a UTF-8 string. For some reason MediaWiki, Git or OS X is
not reading jquery.badge.css as UTF-8 for me.
https://bugs.php.net/bug.php?id=51947
Due to json_encode rejecting the entire value and returning null
instead, the jquery.badge stylesheet was absent. load.php:
mw.loader.implement("jquery.badge",function, {"css":[null]} );
Change-Id: I84d2017a976249f55bdb269d2b9762db941292fe
(cherry picked from commit a334bfbb250c48f32827562d54d8cba8ed873d05)
Timo Tijhof [Thu, 8 Jan 2015 20:33:47 +0000 (8 20:33 +0000)]
tests: Move npm-test to repo root
(cherry picked from commit 6be355efdd67dd3e129fb55121f3406d87cd769f)
Change-Id: Iaf5cf65616f82640145fbb6395c36129428602ca
Jeff Janes [Fri, 18 Jul 2014 20:21:53 +0000 (18 13:21 -0700)]
PostgreSQL: Fix Special:ActiveUsers GROUP BY query
For GROUP BY queries, PostgreSQL requires all columns in the
unaggregated part of the select list to also be in the
GROUP BY list.
To fix this, add user_name and user_id to the GROUP BY list alongside
qcc_title.
This addition cannot change the query results, because user_name and
user_id are functionally dependent on qcc_title: user_name because
of the WHERE clause for this query, and user_id due to the 1 to 1
relationship between user_name and user_id enforced by their unique
and not null constraints on the underlying table.
This has been tested on PostgreSQL and MySQL.
Bug: 68087
Change-Id: I3aed715b40ff6e2290220122acbda0f0e74b5b36
(cherry picked from commit 52328f043c3f3e9a0ce76a8eadb7975bc957846e)
mglaser [Wed, 17 Dec 2014 17:57:09 +0000 (17 18:57 +0100)]
Updated release notes and version number to MediaWiki 1.23.8
This is the MediaWiki 1.23.8 security and maintenance release.
Change-Id: I9ce82c6d4351535444b63333fbbda576fdfac5db
Brad Jorsch [Mon, 8 Dec 2014 15:43:50 +0000 (8 10:43 -0500)]
SECURITY: Fix CORS origin matching in the API
Bug: T77028
Change-Id: I68c1ee5b5a048af2aba4e710bc301b09748389bf
Kunal Mehta [Thu, 4 Dec 2014 22:06:55 +0000 (4 14:06 -0800)]
thumb.php: Set proper output formats for messages going into HTML
* Use ->parse() instead of ->text() for wikitext messages that were
being treated as HTML
* Explicitly specify ->parse() if no output format was set
* Document that wfThumbError() takes HTML
Bug: T76686
Change-Id: Id6e7548b2e081cfda7803772ed0395a15feb1f84
Brad Jorsch [Tue, 16 Dec 2014 14:36:05 +0000 (16 15:36 +0100)]
Revert "SECURITY: Do not show log action if revdeleted" and fix UI message
This mostly reverts commit 89b793b9f72c254f0a6142952a4239fffa8ed945. It also
finishes the removal of the "fld_action" field in ApiQueryLogEvents that
was begun in that commit.
Bug: T74222
Change-Id: I185e42d029905fd2781f3ccbbef0687f51234b0d
mglaser [Wed, 26 Nov 2014 21:55:30 +0000 (26 22:55 +0100)]
Updated release notes and version number for MediaWiki 1.23.7
This is the MediaWiki 1.23.7 security and maintenance release.
Change-Id: Ib796284fb7be80fee37652bdc9acc4e91f4d0bf9
csteipp [Wed, 29 Oct 2014 15:41:20 +0000 (29 08:41 -0700)]
SECURITY: Do not show log action if revdeleted
Also do not include revdeleted entries in search results when
filtering by action if user cannot view that info.
Bug: 72222
Change-Id: I9f331c421c55323018765456d6a99229e1fff592
Mglaser [Thu, 27 Nov 2014 01:10:26 +0000 (27 01:10 +0000)]
Merge "SECURITY: Require new right to change content model" into REL1_23
csteipp [Tue, 18 Nov 2014 23:37:14 +0000 (18 15:37 -0800)]
SECURITY: Require new right to change content model
Add the user right 'editcontentmodel', which is required to change the
content model while editing a Page.
Bug: 70901
Change-Id: Ibb463a74a8aaee1731f72c520e48f7bc3b120e34
Kevin Israel [Fri, 26 Sep 2014 04:38:07 +0000 (26 00:38 -0400)]
SECURITY: Add edit token to Special:ExpandTemplates
On wikis that allow raw HTML, it is not safe to preview wikitext coming from
an untrusted source such as a cross-site request. Thus add an edit token to
the form, and when raw HTML is allowed, ensure the token is provided before
showing the preview.
Unfortunately, MediaWiki does not currently provide logged-out users with
CSRF protection; in that case, do not show the preview unless anonymous
editing is allowed (such wikis have been, and are still, vulnerable).
Bug: T73111
Change-Id: I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb
mglaser [Wed, 26 Nov 2014 19:48:27 +0000 (26 19:48 +0000)]
Merge "API: Work around wfMangleFlashPolicy()" into REL1_23
mglaser [Wed, 26 Nov 2014 19:35:00 +0000 (26 19:35 +0000)]
Merge "Make calling wfMangleFlashPolicy configurable" into REL1_23
ckoerner [Thu, 13 Nov 2014 20:47:06 +0000 (13 14:47 -0600)]
Added updated version history from 1.19.2 to 1.22.13
Bug: 42723
Change-Id: Id75f189abdfbb98499bd84eb35840547265d18ca
(cherry picked from commit 66f41336029e242a4f6cc33dc2270843fd2450b5)
mglaser [Tue, 25 Nov 2014 16:24:53 +0000 (25 17:24 +0100)]
Make calling wfMangleFlashPolicy configurable
Add $wgMangleFlashPolicy so sites that define a safe master flash
policy can disable mangling of the <cross-domain-policy> string.
Backport, originally committed by csteipp
Bug: 66776
Change-Id: Ic0db939aae9d0bb6bdfc3cd9ce282661bad46783
mglaser [Wed, 26 Nov 2014 08:07:57 +0000 (26 09:07 +0100)]
API: Work around wfMangleFlashPolicy()
The things wfMangleFlashPolicy() does to the output break things in the
API. For JSON we can work around it, while for PHP we just have to error
out. XML isn't affected because <> are escaped anyway (unless something
somehow uses 'cross-domain-policy' as a tag name), and the rest are
going away soon so they're not worth the trouble.
Backport, originally committed by Brad Jorsch
Bug: 66776
Change-Id: Idc5f37bd778288a9cde572f081dc753d681ec354
Kunal Mehta [Fri, 10 Oct 2014 06:46:12 +0000 (9 23:46 -0700)]
Make allowing site-wide styles on restricted special pages a config option
This mostly reverts commit 614d7e5c274d927f99bfc52ac3a1e6c7e5902408.
Many wikis use MediaWiki:Common.css and associated pages to create a
custom "theme" for their wiki, which would no longer load on login
or preference pages, creating an inconsistent UI.
This re-adds the difference in module origin for different types
(styles, scripts, etc.), and now OutputPage::disallowUserJs()
checks the value of the "AllowSiteCSSOnRestrictedPages" config setting
to determine whether to allow site-wide CSS styles or not.
By default this feature is disabled to be secure by default.
Bug: 71621
Change-Id: I1bf4dd1845b6952c3985e179fbea48181ffb8907
Mark A. Hershberger [Wed, 29 Oct 2014 17:22:57 +0000 (29 13:22 -0400)]
Bump version number
Change-Id: I3c4dcdd603f127f9b2f73a5e5975caecc43278bd
Patrick Westerhoff [Wed, 29 Oct 2014 16:35:18 +0000 (29 12:35 -0400)]
Add Content-Length header for job queue requests
Include the Content-Length header in job queue POST requests to meet the
requirement by certain servers, avoiding HTTP 411 responses.
Bug: 72274
Change-Id: Icf34bca58c792225d735d576213d6887015459ca
Chad Horohoe [Wed, 2 Jul 2014 22:40:49 +0000 (2 15:40 -0700)]
Allow classes to be registered properly from installer
Because otherwise extensions can cause the installer to explode when
they can't find their own classes at entry point.
I feel dirty.
Bug: 67440
Change-Id: I235fe58125fd49319963d949faffe024684755bd
(cherry picked from commit 248ac9e9b1af986ac3238b3b5291c6d046889347)
mglaser [Wed, 1 Oct 2014 14:40:02 +0000 (1 16:40 +0200)]
Updated release notes and version number for MediaWiki 1.23.5
This is the MediaWiki 1.23.5 security release.
Change-Id: Id27a11a4061b8b1c6c014ca86e77cc1cd028613b
Timo Tijhof [Thu, 11 Sep 2014 23:14:16 +0000 (11 18:14 -0500)]
SECURITY: OutputPage: Remove separation of css and js module allowance
* No longer segment module origin allowance by an "only=" content
type. Both can be sensitive security-wise and there's no valid
use case for allowing CSS anywhere you want to disallow JS. Both
can significantly impact the user interface and cause unintended
actions to be taken on the user's behalf, or desired actions to
be made practically impossible.
* While at it, also remove the ability to set the module allowance
directly. The reduceAllowedModuleOrigin method is all we need.
I couldn't find usage or mention of setAllowedModules() in
mediawiki-core nor in any other Wikimedia-hosted repository.
Bug: 70672
Change-Id: I0e82755aede6ddd7101b495802a45d5fd96b6722
mglaser [Wed, 24 Sep 2014 13:50:50 +0000 (24 15:50 +0200)]
Updated release notes and version number for MediaWiki 1.23.4
This is the MediaWiki 1.23.4 security and maintenance release.
Change-Id: I62067c60794a002e012dc6f8c01b2a2f9fb3ed82
csteipp [Thu, 4 Sep 2014 23:05:47 +0000 (4 16:05 -0700)]
SECURITY: Enhance CSS filtering in SVG files
* Filter <style> elements
* Normalize style elements and attributes before filtering
* Add checks for attributes that contain css
* Add unit tests for html5sec and reported bugs
Bug: 69008
Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
Brad Jorsch [Mon, 23 Jun 2014 17:03:53 +0000 (23 13:03 -0400)]
GlobalVarConfig shouldn't throw exceptions for null-valued config settings
Use array_key_exists rather than isset to test $GLOBALS.
Bug: 66986
Change-Id: I9beabd79e1d52966b9184c9647af5a2a31c19276
(cherry picked from commit 1a059dbbe2380e9ae752daf6c5583333b5bd5f07)
Jesús Martínez Novo [Sun, 1 Jun 2014 13:54:48 +0000 (1 15:54 +0200)]
Make MySQLi work with non-standard socket
MySQLi needs to specify the socket location as a parameter, and not as part
of the hostname.
Split the socket out of the hostname if it contains *one* colon (IPv6 safe)
after checking for the port number.
Conflicts:
includes/db/DatabaseMysqli.php
Bug: 65998
Change-Id: I66ee34e1029bc1630669bde4272d0eae9d3fd9f1
mglaser [Wed, 27 Aug 2014 21:09:18 +0000 (27 23:09 +0200)]
Updated release notes and version number to MediaWiki 1.23.3
This is the MediaWiki 1.23.3 maintenance release.
Change-Id: I046c63794daf83fe27960e6e388b76de763c8458
Brian Wolff [Sun, 29 Jun 2014 21:45:07 +0000 (29 18:45 -0300)]
Handle invalid language code gracefully in Language::fetchLanguageNames
Core MW doesn't have a problem, but the Translate extension explodes.
Seems safer to just use 'en' if passed an invalid language code.
Bug: 60629
Change-Id: I0ede3169bb49001a1515ae5b2b6d28477704f346
(cherry picked from commit 634905558b2b2a658d55ee98b3200d9bd0731fe4)
Max Semenik [Fri, 18 Jul 2014 20:03:06 +0000 (18 13:03 -0700)]
Fix race condition in wfShellExec()
Especially when executing commands that quickly return a relatively large
amount of data on stdout, proc_get_status() may report that the command has
terminated before everything has been read from the pipes. Handle this case
by continuing to perform a non-blocking select on the process's streams until
all remaining data has been read.
Bug: 67870
Change-Id: I050292dbb76821f66a15f937bf3aaf4defe67687
jenkins-bot [Wed, 20 Aug 2014 19:16:46 +0000 (20 19:16 +0000)]
Merge "Correctly handle incorrect namespace in cleanupTitles.php" into REL1_23
This, that and the other [Thu, 10 Jul 2014 12:32:18 +0000 (10 22:32 +1000)]
Display MediaWiki:Loginprompt on the login page
This reinstates functionality removed in 44840d1.
There is no longer a default message; it must be created locally on each wiki.
Bug: 66574
Change-Id: Ife39fe868b46ef054101c2db2e4e901380998c0e
Co-Authored-By: Dan Poltawski <dan@moodle.com>
Alexandre Emsenhuber [Tue, 12 Aug 2014 18:46:31 +0000 (12 20:46 +0200)]
Correctly handle incorrect namespace in cleanupTitles.php
If the namespace is not valid, Title::makeTitleSafe() will
return null, thus producing a fatal error. Work around this
by setting the namespace to 0 in that case.
Bug: 68501
Change-Id: I0c22f9468ff2bf11d2bf4a9265fa454ece2c0fa3
(cherry picked from commit bb985c782704f25f4f9adb61b491e086e90c4cfe)
withoutaname [Thu, 15 May 2014 05:52:24 +0000 (14 22:52 -0700)]
Fetch string to pass through writeTemporary() in DatabaseOracle.php
Pulled some code from insertOneRow() to fix the update() function
and prevent the error warnings in bugzilla 64970 from showing up.
Note that since insertOneRow() and update() contain a lot of
duplicate code, they may be candidates for merging, but that is
outside the scope of this request.
Bug: 64970
Change-Id: I9ff9077d68e77f05f878fc541f87e0a5ce86ecc2
(cherry picked from commit 176213b89849f849e2c8dad2f0a79747b18a8b9d)
Ori Livneh [Tue, 24 Jun 2014 02:11:51 +0000 (23 19:11 -0700)]
Check for boolean false result from database query in SqlBagOStuff
Database::select() can return false, so we should check for it before
attempting to iterate on the result or to call methods on it.
Resolved conflicts:
includes/objectcache/SqlBagOStuff.php
Cherry-Picked: I0862493305e5b2784422e0e94b3e62e734267795
Change-Id: I0862493305e5b2784422e0e94b3e62e734267795
umherirrender [Tue, 29 Jul 2014 18:53:26 +0000 (29 20:53 +0200)]
Restore the number of rows shown on Special:Watchlist
This reverts the result of Iada3a93762dd25fdaf35fb707304abc40bd4a5b1.
This is a manual cherry pick of
Ie722c509a6ad1346b1624abee778f4cbdc79d457,
Ibb23838843a9a1cb8bb23347c3b2de7437861ae0 and necessary parts of
I495d19258205d8713a19aa934a7657aecbe240d4.
Contains only translations of message wlnote which was exported today
with Id59d00bd9402da7fd03a34bd6d0ceb9bd2d00024.
Bug: 62017
Change-Id: I5549e25f22f96eb69059b4d298bc50d11c72f1f1
mglaser [Wed, 30 Jul 2014 18:08:40 +0000 (30 20:08 +0200)]
Updated release notes and version number to MediaWiki 1.23.2
This is the MediaWiki 1.23.2 security and maintenance release.
Change-Id: I2430a602c13a5f64a3b10108085f16aafd0510b2
Brad Jorsch [Thu, 10 Jul 2014 19:16:29 +0000 (10 12:16 -0700)]
SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput
Special page transclusion returns an OutputPage, whose metadata is
copied into the ParserOutput, and then later back into an OutputPage.
The "preventClickjacking" flag should be part of that metadata.
Bug: 65778
Change-Id: I17d2720fb94bb383a92059e5adbf6c16ee3e9ef4
Gergő Tisza [Fri, 27 Jun 2014 00:15:03 +0000 (27 00:15 +0000)]
Fix for XSS issue in bug 66608
Generate the URL used for loading a new page in Javascript,
instead of relying on the URL in the link that has been clicked
(as that could have been crafted by an attacker).
Bug: 66608
Change-Id: I19e2bf3af017a37c35cbadce9a70194aac693f33
csteipp [Thu, 17 Jul 2014 20:24:56 +0000 (17 13:24 -0700)]
SECURITY: Prepend jsonp callback with comment
Mitigate CVE-2014-4671 for unpatched flash players
Bug: 68187
Change-Id: I2f46e623c1f541dbbafb6e8333e0929055098b15
This, that and the other [Mon, 21 Jul 2014 07:38:39 +0000 (21 17:38 +1000)]
Preferences: Turn stubthreshold back into a combo box
Currently it's an insanely tall list box. All the other settings on this
page use combo boxes, so we should be consistent.
After it was changed from 'selectorother' to 'select' in I88212703
and support for 'size' in HTMLSelectField was enabled in I7ac345e1,
the size defines the height of the select box instead of the width of
the text input field.
Bug: 68313
Change-Id: Id42a62e78fc2fee741bb02b88dc14cbb1b63635a
(cherry picked from commit 588880c5f0567fca144a37066e87db3712ef32ac)
Jeff Janes [Tue, 8 Jul 2014 20:09:25 +0000 (8 13:09 -0700)]
PostgreSQL: Fix ORDER BY NULL
MySQL automatically orders by the GROUP BY columns if no ORDER BY
is specified. You can countermand this by specifying
ORDER BY NULL, which can give speed improvements in some cases,
for example if the GROUP BY was implemented by hashing then a
sort is unneeded and wastes time.
PostgreSQL does not tolerate the ORDER BY NULL syntax,
and does not need an analogous hint because it never does
gratuitous sorting of the nature just discussed.
This patch makes PostgreSQL ignore the ORDER BY NULL clause.
It might be a better approach to find a way to add this clause
specifically to MySQL, rather than to drop it specifically from
other database engines.
SQLite seems to tolerate the MySQL syntax. Oracle and MSSQL
were not evaluated.
Bug: 67594
Change-Id: Ia9666136edd25e1e0d0728a8b28a92e44d00abc6
(cherry picked from commit ae811ddb6cc4932291cf73ce7768789eb39a33fd)
This, that and the other [Tue, 27 May 2014 08:09:24 +0000 (27 18:09 +1000)]
Fix initSiteStats.php maintenance script
It appears not to have worked for some time, as it either calls a protected
function ($counter->refresh()) or an undefined function
($counter->update()) depending on the parameters specified.
Bug: 65214
Change-Id: Ia7d867792b84c98714ec6dbbfef09745e875c8bc
(cherry picked from commit babe76221c258093cc22029a6188e6cd6783ed00)
mglaser [Wed, 25 Jun 2014 20:22:29 +0000 (25 22:22 +0200)]
Updated release notes and version number to 1.23.1
This is the MediaWiki 1.23.1 security and maintenance release.
Change-Id: I66d92d53262f54699c8d4c43434481eb328d8e18
csteipp [Wed, 28 May 2014 23:55:40 +0000 (28 16:55 -0700)]
SECURITY: Prevent external resources in SVG files
On bug 65724, it was discovered that a user could upload SVG images
with embedded <image> elements that pulled in the resource via http.
This could allow an attacker to track all viewers of an SVG by having
the image embed another image hosted on their own server.
While testing the patch, I also identified 3 more element namespaces
that have been used on commons and seem harmless, so I added those to
the whitelist.
Change-Id: Iacc5d3d6248b73740510ba579be9484f4964ca13
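Added example covering the SVG upload fixes in this log: this commit (external resources pulled in through <image>), the element-namespace whitelist it mentions, the href whitelist that replaced the blacklist for embedded application/xml, the animate blacklist for xlink:href, the case-insensitive @import check, and the <style> and style-attribute normalisation. It is not MediaWiki's UploadBase filter; the class name, the namespace and href lists, and the sample SVGs are assumptions constructed for the example.

```php
<?php
// Added example, not MediaWiki's UploadBase SVG filter. A whitelist-based
// SVG checker: allowed element namespaces only, href targets limited to
// same-document fragments and raster data: URIs (so an <image> cannot phone
// home and cannot embed application/xml), animation of href only to allowed
// targets, and CSS normalised before looking for @import / external url().
// The lists below are assumptions for the example; a real list is longer.

class SvgCheckExample {
	private static $allowedNamespaces = array(
		'http://www.w3.org/2000/svg',
		'http://www.w3.org/1999/xlink',
		'http://www.w3.org/XML/1998/namespace',
	);
	private static $animationElements = array(
		'animate', 'set', 'animatemotion', 'animatecolor', 'animatetransform',
	);

	/** Returns null when nothing objectionable is found, otherwise a reason. */
	public static function findProblem( $svg ) {
		$prev = libxml_use_internal_errors( true );
		$dom = new DOMDocument();
		// No network access, no DTD loading, no entity substitution.
		$loaded = $dom->loadXML( $svg, LIBXML_NONET );
		libxml_clear_errors();
		libxml_use_internal_errors( $prev );
		if ( !$loaded ) {
			return 'not well-formed XML';
		}
		$xpath = new DOMXPath( $dom );
		foreach ( $xpath->query( '//*' ) as $el ) {
			$ns = (string)$el->namespaceURI;
			$name = strtolower( $el->localName );
			if ( !in_array( $ns, self::$allowedNamespaces, true ) ) {
				return "<$name> in disallowed namespace '$ns'";
			}
			if ( $name === 'script' ) {
				return '<script> element';
			}
			if ( $name === 'style' && ( $p = self::cssProblem( $el->textContent ) ) ) {
				return "<style> element: $p";
			}
			foreach ( $el->attributes as $attr ) {
				$aname = strtolower( $attr->localName );
				$value = trim( $attr->value );
				if ( substr( $aname, 0, 2 ) === 'on' ) {
					return "event handler attribute $aname on <$name>";
				}
				// Covers both xlink:href and the unprefixed SVG 2 href.
				if ( $aname === 'href' && !self::hrefAllowed( $value ) ) {
					return "disallowed href target on <$name>: $value";
				}
				if ( $aname === 'style' && ( $p = self::cssProblem( $value ) ) ) {
					return "style attribute on <$name>: $p";
				}
			}
			if ( in_array( $name, self::$animationElements, true ) ) {
				$target = strtolower( $el->getAttribute( 'attributeName' ) );
				if ( $target === 'href' || $target === 'xlink:href' ) {
					foreach ( array( 'values', 'from', 'to', 'by' ) as $a ) {
						foreach ( explode( ';', $el->getAttribute( $a ) ) as $candidate ) {
							$candidate = trim( $candidate );
							if ( $candidate !== '' && !self::hrefAllowed( $candidate ) ) {
								return "<$name> animates href to disallowed target: $candidate";
							}
						}
					}
				}
			}
		}
		return null;
	}

	/** Whitelist: same-document fragments and base64 raster data: URIs only. */
	private static function hrefAllowed( $value ) {
		if ( $value === '' || $value[0] === '#' ) {
			return true;
		}
		return (bool)preg_match( '!^data:image/(png|jpeg|gif);base64,[a-z0-9+/=\s]*$!i', $value );
	}

	/** Normalise CSS (strip comments, whitespace, case) before matching. */
	private static function cssProblem( $css ) {
		$css = preg_replace( '!/\*.*?\*/!s', '', $css );          // "@im/**/port"
		$css = strtolower( preg_replace( '/\s+/', '', $css ) );   // "@iMpOrT", "u r l("
		if ( strpos( $css, '@import' ) !== false ) {
			return '@import';
		}
		if ( preg_match( '!url\(["\']?(?!#|data:image/)!', $css ) ) {
			return 'url() to an external resource';
		}
		return null;
	}
}

// Constructed samples.
$svgNs = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"';
$samples = array(
	'harmless'          => "<svg $svgNs><circle r=\"5\" style=\"fill: url(#g)\"/></svg>",
	'remote image'      => "<svg $svgNs><image xlink:href=\"http://tracker.example/pixel.png\"/></svg>",
	'embedded xml'      => "<svg $svgNs><use xlink:href=\"data:application/xml;base64,AAAA#x\"/></svg>",
	'mixed-case import' => "<svg $svgNs><style>@ImPoRt url(http://evil.example/a.css);</style></svg>",
	'animated href'     => "<svg $svgNs><a><animate attributeName=\"xlink:href\" to=\"javascript:alert(1)\"/></a></svg>",
);
foreach ( $samples as $label => $svg ) {
	$p = SvgCheckExample::findProblem( $svg );
	printf( "%-18s %s\n", $label . ':', $p === null ? 'ok' : 'rejected (' . $p . ')' );
}
```

Every decision is a whitelist (namespace, href scheme, animation target), which is the shape the commits moved towards: a blacklist has to anticipate each bypass, a whitelist only has to describe what the wiki actually needs.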
Mglaser [Wed, 25 Jun 2014 09:48:24 +0000 (25 09:48 +0000)]
Merge "MimeMagic: Don't seek before BOF" into REL1_23
florianschmidtwelzow [Tue, 24 Jun 2014 16:18:53 +0000 (24 18:18 +0200)]
Special:Watchlist: Don't try to render empty row
If there are no rows to render in the table, show a message and leave the
function before trying to render.
Bug: 67025
Change-Id: Ica4ad670a130f31124ff644a2e1e50beea481c9b
Mark A. Hershberger [Sat, 21 Jun 2014 18:37:42 +0000 (21 14:37 -0400)]
Don't allow some E_NOTICE messages to end up in the LocalSettings.php
There is probably a better, more comprehensive way to produce a
LocalSettings.php file so that E_STRICT and E_NOTICE errors don't end
up in the file, or to notify users that there is a problem with the
generated file, at least. This only attempts to address those issues
reported as a result of c978cee8562f018dab158b41e15266fcf873bf1b.
Bug: 66922
Change-Id: I0fe70446d9fe23aed2a147e20e5ff3851371726d
Aaron Schulz [Wed, 18 Jun 2014 17:18:49 +0000 (18 10:18 -0700)]
filebackend: Avoid using popen() when "parallelize" is disabled
Bug: 66467
Change-Id: Iaf8eb2ecfad166e26e265a98933399dc4bc255a3
Kevin Israel [Thu, 12 Jun 2014 20:06:50 +0000 (12 16:06 -0400)]
Some corrections to RELEASE-NOTES-1.23
* Fixed a typo: "When $wgJobRunRate is higher that zero [...]".
* Removed a reference to 1.22: "[...] not yet queried but will be
in a future point release of 1.22."
* Fixed misspellings "wiki's" and "sql" in the same note.
Change-Id: I5fee88c459345ecd8b71f9e5b86c65afae183ba1
rillke [Tue, 10 Jun 2014 21:50:30 +0000 (10 23:50 +0200)]
MimeMagic: Don't seek before BOF
This has weird side effects like only extracting the tail of the
file partially or not at all.
Cherry-picked from d96c6f01479ef
Bug: 66428
Change-Id: I182128c6958244f1515227ee742c3206a7484aee
Reedy [Thu, 5 Jun 2014 13:18:44 +0000 (5 14:18 +0100)]
chmod -x languages/data/plurals.xml
Bug: 66182
Change-Id: Ic8e15d94fb54b410d21b969b029fac685b2711d6
mglaser [Wed, 4 Jun 2014 20:57:29 +0000 (4 22:57 +0200)]
Updated release notes and version number for MediaWiki 1.23.0
This is the MediaWiki 1.23.0 stable release.
Change-Id: Ibbfb27190d2d98c850849427c18526b898372ac8
Kevin Israel [Sun, 25 May 2014 11:00:13 +0000 (25 07:00 -0400)]
Make convertUserOptions.php more self-contained
* Moved the code from User::decodeOptions() to the maintenance script,
the only place it is (indirectly) used.
* Changed the script to insert new rows itself rather than calling
User::saveSettings(), avoiding bug 63677.
* Removed FOR UPDATE and COMMIT lacking a matching BEGIN.
* Made ORDER BY explicit.
* Removed pointless "Do each user sequentially [...]" comment dating
back to r48732, in which the script would increment a user's ID
to get the next one.
Bug: 63677
Change-Id: I86365a7363af3376cc4f55fa528b050b44378656
mglaser [Mon, 2 Jun 2014 21:20:43 +0000 (2 23:20 +0200)]
Updated release notes and version number for MediaWiki 1.23.0-rc.3
This is the MediaWiki 1.23.0-rc.3 release candidate.
Change-Id: Iad21d8fbd0bfc3f84e000eda649ca12bcd3b0568
Bartosz Dziewoński [Sun, 25 May 2014 12:09:10 +0000 (25 14:09 +0200)]
jquery.suggestions: Handle CSS ellipsis better for IE
IE is not impressed by our puny hacks and still reports the width
"in context of" the position in the document, limited by the width
of ancestor elements.
Let's temporarily apply position: absolute; to the involved elements.
This pulls them out of normal document flow and lets us figure out the
real width at last.
Also wrote a proper comment on why we need this stuff.
Verified that this fixes:
* IE 8
* IE 11
Verified that it doesn't break:
* Firefox 3.6
* Firefox 29
* Opera 12
* Opera 22
It *does not* fix IE 6. I don't think that investigating why is a good
use of my time, so I didn't. I84fbae5a made the functionality usable
on IE 6, which feels good enough for me.
Bug: 65224
Change-Id: I4a7357543ca244585ade2061b92f5a6d1e439278
(cherry picked from commit 1a04fb81cfca8bde9b05ceb17aa7775d94fcf24c)
Mglaser [Thu, 29 May 2014 17:41:35 +0000 (29 17:41 +0000)]
Merge "SECURITY: Don't parse usernames as wikitext" into REL1_23
jenkins-bot [Thu, 29 May 2014 17:09:46 +0000 (29 17:09 +0000)]
Merge "Officially deprecate skin autodiscovery" into REL1_23
csteipp [Mon, 19 May 2014 19:00:57 +0000 (19 12:00 -0700)]
SECURITY: Don't parse usernames as wikitext
On Special:PasswordReset, don't parse the username as wikitext since
the wikitext is parsed according to the wiki's configuration (might
include wgRawHtml), and the wiki may be private.
Bug: 65501
Change-Id: Ic3e5d42e1be5acc42ba89ae853c5ecbfec04fa91
Joerg [Tue, 27 May 2014 13:37:09 +0000 (27 09:37 -0400)]
Add ar_text to the list from Revision::selectArchiveFields(). It is checked later.
See Revision::newFromArchiveRow(). This is called from
populateRevisionLength.php's upgradeRow() which ultimately populates
$row from the fields returned by Revision::selectArchiveFields().
Revision::newFromArchiveRow() has the following condition:
if ( isset( $row->ar_text ) && !$row->ar_text_id ) {
And from the bug report:
> for old archived revisions, the rows in the archive table do _not_
> contain a pointer to the text in the text table, but that the text
> is stored in the archive table directly. Obviously the above code
> cannot handle this situation properly.
Credit goes to Joerg who found this and figured out the problem.
Bug: 65765
Change-Id: Iadcaae5e531d439780f5b6095286df78926ccaa7
Kunal Mehta [Tue, 27 May 2014 02:36:59 +0000 (26 19:36 -0700)]
DerivativeContext::setConfig should take a Config object
Change-Id: Icc16a9c206c57fac2d26547cb874e02ef09c0485
Follows-Up: I13baec0b6d4ea7badf20b9c5f9b40846348838e4
(cherry picked from commit 07c748343cfe389b3c1a74b7aaa9bc222d588c94)
Kunal Mehta [Sat, 10 May 2014 08:19:00 +0000 (10 01:19 -0700)]
Make abstract Config class truly implementation-agnostic
Follow up to I13baec0b6 ("Config: Add Config and GlobalConfig classes"):
Config:
* Rather than returning Status objects, Config::set will now throw an exception
if an error is encountered
* Config::factory was moved into its own ConfigFactory class.
* Since there are no more functions in it, Config was turned into an interface.
GlobalConfig:
* Remove $prefix args from Config::set and ::get. The idea of having an
abstract Config class is to abstract some notion of configuration data from
the particular way in which it is currently implemented (global variables).
So the abstract base class has no business dealing with variable name
prefixes.
** Instead GlobalVarConfig's implementations of get and set call getWithPrefix
and setWithPrefix internally, which are now protected
* Rename GlobalConfig to GlobalVarConfig, which makes it clearer that it isn't
referring to the scope of the configuration value, but to the scope of the
variable name which provides it.
ConfigFactory:
* ConfigFactory is where Config objects are registered, and later constructed.
* Config objects are registered with a given name, and a callback factory function.
This allows for implementations to construct the object with the parameters they want,
and avoids the overhead of needing an entire class.
** The name 'main' is the default object returned by RequestContext::getConfig(),
and is intended to be used by core.
* This is a singleton class, the main instance can be obtained with:
ConfigFactory::getDefaultInstance()
In addition to the above:
* $wgConfigClass was removed, and $wgConfigRegistry was introduced, which
stores a name => callback. The name is to be what the Config instance is
registered with, and the callback should return an implementation of Config.
* Tests were written for the new ConfigFactory, and GlobalVarConfig's tests
were improved.
Co-Authored-By: Ori Livneh <ori@wikimedia.org>
Co-Authored-By: Chad Horohoe <chadh@wikimedia.org>
Co-Authored-By: Mattflaschen <mflaschen@wikimedia.org>
Co-Authored-By: Parent5446 <tylerromeo@gmail.com>
Co-Authored-By: Reedy <reedy@wikimedia.org>
Co-Authored-By: Daniel Kinzler <daniel.kinzler@wikimedia.de>
Change-Id: I5a5857fcfa07598ba4ce9ae5bbb4ce54a567d31e
(cherry picked from commit 8977e56a6b71e10e6046537cd82a3e32aea12f86)
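A standalone sketch of the Config / GlobalVarConfig / ConfigFactory split described in the message above; this is added illustration, not MediaWiki's own code. Only the names the commit message gives (Config, GlobalVarConfig, ConfigFactory::getDefaultInstance, get/set, getWithPrefix/setWithPrefix, $wgConfigRegistry) are taken from it; register(), makeConfig() and the $GLOBALS lookup are assumed.

```php
<?php
// Assumed, minimal versions of the classes named in the commit message.
interface Config {
    public function get( $name );
    public function set( $name, $value );
}

class GlobalVarConfig implements Config {
    private $prefix;
    public function __construct( $prefix = 'wg' ) { $this->prefix = $prefix; }

    // Callers see plain names; prefix handling stays inside this class.
    public function get( $name ) { return $this->getWithPrefix( $this->prefix, $name ); }
    public function set( $name, $value ) { $this->setWithPrefix( $this->prefix, $name, $value ); }

    protected function getWithPrefix( $prefix, $name ) {
        if ( !array_key_exists( $prefix . $name, $GLOBALS ) ) {
            // No Status object: failures surface as exceptions.
            throw new RuntimeException( "Config variable {$prefix}{$name} is not set" );
        }
        return $GLOBALS[$prefix . $name];
    }
    protected function setWithPrefix( $prefix, $name, $value ) {
        $GLOBALS[$prefix . $name] = $value;
    }
}

class ConfigFactory {
    private static $instance;
    private $factories = array();   // name => callback

    public static function getDefaultInstance() {
        if ( self::$instance === null ) {
            self::$instance = new self();
        }
        return self::$instance;
    }
    public function register( $name, $callback ) { $this->factories[$name] = $callback; }
    public function makeConfig( $name ) {
        if ( !isset( $this->factories[$name] ) ) {
            throw new InvalidArgumentException( "No Config registered as '$name'" );
        }
        return call_user_func( $this->factories[$name] );
    }
}

// 'main' is the instance core uses; constructed sample value for the lookup.
$wgConfigRegistry = array( 'main' => function () { return new GlobalVarConfig( 'wg' ); } );
foreach ( $wgConfigRegistry as $name => $cb ) {
    ConfigFactory::getDefaultInstance()->register( $name, $cb );
}
$wgSitename = 'Example';
$config = ConfigFactory::getDefaultInstance()->makeConfig( 'main' );
var_dump( $config->get( 'Sitename' ) );
```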
Bartosz Dziewoński [Mon, 26 May 2014 14:00:26 +0000 (26 16:00 +0200)]
Officially deprecate skin autodiscovery
Corresponding change in master (core skins no longer use autodiscovery
there, but it's too scary of a change to backport here at last minute):
I6fc30f97d4b35820c132c4892abf6d2c86f9482e.
Bug: 65748
Change-Id: If9125ef587ce11f0d69f12eacd00ae7236139798
mglaser [Thu, 22 May 2014 22:52:33 +0000 (23 00:52 +0200)]
Raised version number to MediaWiki 1.23.0-rc.2
This is the MediaWiki 1.23.0-rc.2 release candidate.
Change-Id: I362ebf7fe866beacd6af37d0239c0dc293d439cb
Aaron Schulz [Tue, 22 Apr 2014 04:59:43 +0000 (21 21:59 -0700)]
Avoid uncommitted transaction notices in thumb.php and img_auth.php
bug: 56269
Change-Id: I8cf5c070899d281c7efbac853f04c2fea9374e4d
(cherry picked from commit c993ec0095e80c939cdacea690d8677814cdbeb6)
Timo Tijhof [Wed, 21 May 2014 15:48:10 +0000 (21 17:48 +0200)]
Sync RELEASE-NOTES-1.23 between REL1_23 and master
* Change Ic915c50b0acd2e2 and I0ee55deb9b44b7 put the entry
for bug 63444 in a different place in master.
* Commit d8b1b79ea423e was merged before branch cut, and then
reverted in I7431eb83a09, but that left behind one of the two
release notes. Release notes were fixed in master in I9ef5263ac8f7.
Change-Id: I3c9982a68d1759bd1f44d840a9414fea5d174be9
tonythomas01 [Sun, 10 Nov 2013 14:38:34 +0000 (10 20:08 +0530)]
Removed 'Remember my login' preference
Removed 'Remember my login' from Preferences, as it was unwanted. It adds
to the complexity of the user preferences.
Bug: 52342
Co-Author: Tyler Romeo <tylerromeo@gmail.com>
Change-Id: I7c957e1e1aaecf47f7c47bc063b5d3b364644afc
(cherry picked from commit 74756a24091d3b875a2fbf8759d8688609727586)
Bartosz Dziewoński [Sat, 17 May 2014 13:46:23 +0000 (17 15:46 +0200)]
vector: Suppress watch star focus outline when animating it
It looks really funny, but that's not the effect we're aiming for.
The star is not supposed to look clickable during the rotation
animation anyway.
Bug: 65434
Change-Id: I3a7c91f5b7df0d70abd532cc234e8aa1bac9e129
(cherry picked from commit b3456db703ef66f3df5608fc8f2301b9273d2a9e)
Bartosz Dziewoński [Fri, 25 Apr 2014 13:13:56 +0000 (25 15:13 +0200)]
jquery.textSelection: Don't throw errors on empty collections
All jQuery functions just do nothing or return "empty" values when
called on an empty collection (e.g. `$()`), the ones defined in this
module should behave in the same way.
This came to light when a change in WikiEditor combined with lousy
coding caused this code path to be called, breaking various gadgets
and extensions like SemanticForms.
Bug: 64289
Change-Id: Ib97f47ef1d66420682bd429c9c12e66c3392e77d
(cherry picked from commit 2828669dd40f63f60c2391b6d5ee30a3e255f3db)
umherirrender [Sat, 10 May 2014 09:19:46 +0000 (10 11:19 +0200)]
Add space between two feed links
When more than one feed link was given, the links were concatenated without a
space, which looks odd. Now adding a space between each link in the
toolbox.
Bug: 36356
Change-Id: Iaf61c88dde0a92c475a60c005e13222eb7618eef
(cherry picked from commit 853877f93af5056dc3162a7fc83957681674ca0c)
jenkins-bot [Thu, 15 May 2014 14:08:40 +0000 (15 14:08 +0000)]
Merge "Revert "Introducing pp_sortkey."" into REL1_23
MarkAHershberger [Thu, 15 May 2014 14:04:19 +0000 (15 14:04 +0000)]
Revert "Introducing pp_sortkey."
Yep, I screwed this up.
This reverts commit f9e659cf0c03d2cb99527def8ca28585791d3e93.
Change-Id: I51095824730f90e7cc52ac47a9aebcbb01312419
Kevin Israel [Wed, 25 Sep 2013 06:48:05 +0000 (25 02:48 -0400)]
Installer: properly override default $wgLogo value
Setup.php uses the value of $wgScriptPath in $wgLogo before the
installer determines the former, so it is necessary to override
the latter even before the WebInstaller_Options page is shown
(because it might never be shown).
Bug: 48084
Change-Id: Icc577c1bb1f78adc7a7cfb0581ae8ea2facba4cf
jrobson [Tue, 29 Apr 2014 22:42:43 +0000 (29 15:42 -0700)]
mediawiki.api: Fix API postWithToken method
Referred to "this" instead of "api" ("this" here refers to the Deferred object).
Fixes "Uncaught TypeError: Cannot read property 'ajax' of undefined".
Change-Id: I78ba47a614512f6218e23d03e7c688e2c9efbe45
(cherry picked from commit 93fc25c4a84916316c75c2b9b4065ee236a501df)
Mark A. Hershberger [Wed, 14 May 2014 17:18:37 +0000 (14 13:18 -0400)]
RELEASE 1.23.0-rc.1
Change-Id: I545756411db2db58056c611b76d270e9257d7af1
Aaron Schulz [Wed, 9 Apr 2014 22:43:12 +0000 (9 15:43 -0700)]
Profiler class refactoring
* Merged the "collate at end" and "running collate" logic
into the base class to make it more unified and consistent.
* Pulled out DB code into ProfilerSimpleDB class.
* Removed the ProfilerSimple class and updated child classes.
* Made ProfilerSimpleTrace set the debug information too.
* Work around "ended by close()" bug from 99aef03f. Since the
getRawData() method gets called while some wfProfileOut() calls
have not yet happened, make it use the matched call data and let
the final logData() method work on the full data as normal.
* Let ProfilerSimple classes use getFunctionReport() for the profiler
debug log if it is set up instead of making it just return "".
* Made getRawData() work as best as possible with ProfilerMwprof.
* Removed $wgProfileToDatabase since it is now useless.
* Improved DB profile performance with sqlite.
* Updated visibility of various methods.
Hand picked from Change-Id: I1260bab2b5ba12dccbba701bcae4a637cb85c6e8
Change-Id: I832997187c20c95df406e6bfbe08d34b54531ef2
daniel [Mon, 31 Mar 2014 11:00:28 +0000 (31 13:00 +0200)]
Introducing pp_sortkey.
This adds the pp_sortkey column to the page_props table.
pp_sortkey allows for top-k queries for pages, e.g.
the 100 pages with the most language links, etc. It is also
possible to query for exact values.
For now, pp_sortkey will contain pp_value's numeric value if
the value was set to a float, int or boolean.
Associated tasks:
* create a maintenance script for populating pp_sortkey. Tricky,
because when reading from the database, all values are strings.
* create an API module for querying pages by property value.
bug: 58032
hand picked from Change-Id: I217c42656fb877ff35a36eb446a22bdaf119faac
Change-Id: I89b6fc719f70a225a0a71290cc6e051f464114b7
Mark A. Hershberger [Wed, 14 May 2014 14:38:53 +0000 (14 10:38 -0400)]
Parse versions in semver format
Change-Id: Icb3981736918154898cff0c98c472bc8bb36f1c6