9 months agoBump and prep 1.34.2 1.34.2
Reedy [Tue, 23 Jun 2020 00:33:20 +0000 (01:33 +0100)]
Bump and prep 1.34.2

Change-Id: I5d0164f279e4a46904cb4b114d03c09392dfebe3

9 months agoSECURITY: Fix accidental public CC headers in img_auth.php
Tim Starling [Tue, 31 Mar 2020 06:02:49 +0000 (17:02 +1100)]
SECURITY: Fix accidental public CC headers in img_auth.php

Incorrect parameters to FileBackend::streamFile() caused
Cache-Control:private and Vary:Cookie response headers to be omitted
when requesting a file in a path configured by $wgImgAuthUrlPathMap.
Typically this is used to deliver images generated by extensions.


Bug: T248947
Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2

9 months agoBring RELEASE-NOTES up to date
Reedy [Tue, 23 Jun 2020 00:02:43 +0000 (01:02 +0100)]
Bring RELEASE-NOTES up to date

Change-Id: I71eda4b4f5b2b59b6b8bfd87a68bb9834ab99fce

9 months agobuild: Bump mediawiki-phan-config to 0.8.0
Daimona Eaytoy [Tue, 23 Jun 2020 10:19:13 +0000 (12:19 +0200)]
build: Bump mediawiki-phan-config to 0.8.0

So that our CI docker image will work.

Disabling new issues (and removing now-unused suppressions) seems better
than attempting to fix all 300 of them.

Bug: T256088
Change-Id: Ide4a93043244fe254befe55e11a19dafd37a5fe8

10 months agoSpecialContributions: Use PoolCounter to limit concurrency
Brad Jorsch [Tue, 19 Nov 2019 19:36:35 +0000 (14:36 -0500)]
SpecialContributions: Use PoolCounter to limit concurrency

Allow using PoolCounter to limit the number of times a user or IP can
concurrently load Special:Contributions.

By default no limitation is applied. Key 'SpecialContributions' in
$wgPoolCounterConf must be set to configure the concurrency.

Bug: T234450
Change-Id: Ie769fa170093bfb6d281c651d3857545d139e009

10 months ago[SECURITY] Password Reset Updates
hmonroy [Wed, 15 Apr 2020 20:40:44 +0000 (13:40 -0700)]
[SECURITY] Password Reset Updates

* Include throttle message in password reset success
* Update password reset success message to include throttle message.
* Remove password reset invalid email message
* Show general message when an invalid email is submitted.

* Note: squashing two related master commits for security backports.

Related Change-Ids:
* Ia247034ec9a93689218c619d391a666c6b92991a
* I98a35af26930f3d66308065e271e9617fdbf5076

Bug: T249730
Change-Id: Ie329cc927742ed8637ff6479f63adc79b56a14f8

10 months agoUpdate the change_tag table in rebuildrecentchanges.php
GeoffreyT2000 [Fri, 1 Mar 2019 03:47:38 +0000 (19:47 -0800)]
Update the change_tag table in rebuildrecentchanges.php

Without updating the change_tag table, tags will not correctly appear on
Special:RecentChanges after running the script.

Bug: T229461
Change-Id: Iff12588df1ad8d658091832e38d870dd8b75a32f
(cherry picked from commit 4c69162b95afc3dd3d7a1fa51cee207e6fe0171b)

10 months agoSet rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php
GeoffreyT2000 [Wed, 6 Mar 2019 01:55:49 +0000 (17:55 -0800)]
Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php

This fixes what rc_patrolled should be for autopatrolled changes. Also,
non-upload log entries will have rc_patrolled = 2 for now until T217388 decides
what rc_patrolled should be for such entries. In contrast, upload entries
can be patrolled unlike other log entries, so they will have rc_patrolled = 0.

Bug: T199474
Change-Id: Ib7d1f5f7dd3541768305debee703fd342844714b
(cherry picked from commit 87aaf7a1664a1a031f5872ffaf5fd9730db39444)

10 months agocleanupUsersWithNoId.php: Handle missing fields
Brad Jorsch [Tue, 12 Nov 2019 15:08:24 +0000 (10:08 -0500)]
cleanupUsersWithNoId.php: Handle missing fields

The maintenance script might be run to clean up users with no ID in the
`revision` table even after the other tables have had the ID and name
fields removed (in favor of the actor ID fields). Handle this situation
so as to not error out.

Bug: T238043
Change-Id: Ie84dab4218d816106bf4b0e61f020148730220f0
(cherry picked from commit f5b78e9c313d8c54cffe61cc24fe82367b023d31)

10 months ago[registration] Remove type of string from Hooks in extension.schema.v1.json
Reedy [Tue, 26 May 2020 00:28:46 +0000 (01:28 +0100)]
[registration] Remove type of string from Hooks in extension.schema.v1.json

Same as it will be or v2 when that patch merges

Change-Id: I64c3bbcda0f353fe9c14b0d5bea241e0304c0e2e
Follows-Up: I1a8657ff9fd14618c6709dbab62c3b4ee9f659a5

10 months agoBackport docs/extension.schema.v2.json fixes
Tim Starling [Mon, 18 May 2020 04:18:14 +0000 (14:18 +1000)]
Backport docs/extension.schema.v2.json fixes

* Fix the type of "Hooks" to not accept string (it never would've
* Fixed the lack of "services" from RestRoutes ObjectFactory specs,
  since RestRoutes and HookHandlers is supposed to be the same.

Bug: T240307
Change-Id: I1a8657ff9fd14618c6709dbab62c3b4ee9f659a5

11 months agoFixup some SELECT * usages in sqlite schema patches
Reedy [Sun, 10 May 2020 01:14:35 +0000 (02:14 +0100)]
Fixup some SELECT * usages in sqlite schema patches

Bug: T252311
Change-Id: I7abdb7db89873c20f3a79df9452ab45c59ca6395
(cherry picked from commit 634024b03005f835f086e2f8b244fde1f9101252)

11 months agoUpdate PostgreSQL supported version in docs/database/postgres.txt
Reedy [Sun, 17 May 2020 14:43:46 +0000 (15:43 +0100)]
Update PostgreSQL supported version in docs/database/postgres.txt

Change-Id: I9e49857e67f3351683dbbf0019d8301eaf43e59c
(cherry picked from commit 39176163d20a7095e5a68338697f6a719371f1a6)

11 months agoRemove rotten docs/php-memcached docs
Reedy [Sun, 17 May 2020 14:42:17 +0000 (15:42 +0100)]
Remove rotten docs/php-memcached docs

README contains a URL that doesn't work.

ChangeLog has no purpose these days

Documentation doesn't match state of the class these days either

Change-Id: Ia2e00891d78cb4b227113e89d6b5e95a10261f0a
(cherry picked from commit 71c3aaf7f754f500e0981236e504efd93a5abbdc)

11 months agoregistration: Fix upgradeExtensionJsonSchema to remove _merge_strategy
Kunal Mehta [Tue, 12 May 2020 19:13:26 +0000 (12:13 -0700)]
registration: Fix upgradeExtensionJsonSchema to remove _merge_strategy

The unset() call was on the wrong array.

Bug: T252576
Change-Id: Ieaa3273d2867df87f67b110e97149410066b6795

11 months agoresourceloader: Let wgResourceLoaderMaxQueryLength=-1 fallback to default
Timo Tijhof [Mon, 4 May 2020 20:30:24 +0000 (21:30 +0100)]
resourceloader: Let wgResourceLoaderMaxQueryLength=-1 fallback to default

Follows-up 3ac385a0c39a622c. This was generated by the installer at some
point and we've received two user reports of someone being caught by
this. We don't need to support "unlimited" anymore, but at least make it
do something more sensible, like using the default of 2000.

Previously, it was effectively treating the -1 like 0,
which was causing "debug mode"-like behaviour for end users.

Bug: T251789
Change-Id: I483d5312e6fa25a0b00bb6173ed01eeb99ad42aa
(cherry picked from commit fcd799ad54facda32aad127bbb4576fc2af078cc)

11 months agoWork around change in SimpleXMLElement behavior introduced in PHP 7.3.17
C. Scott Ananian [Thu, 30 Apr 2020 22:10:43 +0000 (18:10 -0400)]
Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17

Upstream bug reports of the behavior change introduced in PHP 7.3.17 (and
applied to PHP 7.4 branch as well):

The reponsible commit in PHP was https://github.com/php/php-src/pull/5246

This was a "bug fix" in the sense that SimpleXML used to discard the
attributes on the namespace elements, which look like this:
     <namespace key="-2" case="first-letter">Media</namespace>
SimpleXML used to return this as a string "Media" instead of a
SimpleXMLElement... but ExportTest (inadvertently?) depended on that

In any case, if we iterate over SimpleXMLElement::children() we always
get SimpleXMLElements, not "sometimes strings", and so our code will
correct correctly on PHP below 7.3.17 and above, regardless of how PHP
decides to handle this "bug".

Bug: T250568
Change-Id: I9c2cb6a86fd6e8023c1979ec6838071a87a7bcea
(cherry picked from commit 7f1ad7d9848782d025bad63149e058964fc37c97)

11 months agoMerge "MultiHttpClient: Also fallover to non-curl if curl_multi* is blocked" into...
jenkins-bot [Mon, 27 Apr 2020 23:49:38 +0000 (23:49 +0000)]
Merge "MultiHttpClient: Also fallover to non-curl if curl_multi* is blocked" into REL1_34

11 months agoMultiHttpClient: Also fallover to non-curl if curl_multi* is blocked
James D. Forrester [Wed, 15 Apr 2020 19:34:51 +0000 (12:34 -0700)]
MultiHttpClient: Also fallover to non-curl if curl_multi* is blocked

Requested by a user at https://www.mediawiki.org/wiki/Topic:Vkk1ahk3eggd9747 for
whom their hoster provides curl but with multi-threaded functions removed for
some reason.

Change-Id: Id3877c600ae02feffb67f74a815430f8e679230a
(cherry picked from commit 1c241419914d1203ea90eeea6a41d76f4a2ecbec)

12 months agoOptimize email sending on password reset
suecarmol [Wed, 8 Apr 2020 00:13:54 +0000 (19:13 -0500)]
Optimize email sending on password reset

Improve performance of sending emails when a user resets a password.

Bug: T247017
Change-Id: I9edb0e4c8845f7a9082035de66f5965c3f9b762d

12 months agoClean up unused $displayPassword return value
Sam Wilson [Mon, 13 Apr 2020 02:32:17 +0000 (10:32 +0800)]
Clean up unused $displayPassword return value

This is a follow-up to f12a3edff708a1fb73a09d154693dba49b69d921
to remove the now unused $password return variable.

Change-Id: I2b12bd7c9f84e915f1bda659a95bab3d63a611d2

12 months agoUpdate git submodules
Dejan Savuljesku [Tue, 12 Nov 2019 08:47:12 +0000 (09:47 +0100)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to a71bd68ac4cd3258bd80560c344322ae63fa9c5d
  - Define fallback for request IP when persisting user

    Bug: T237554
    Change-Id: I18f57a523a6515f593963a9c149374bd6f6c73b4
    (cherry picked from commit 54fc8a0cbf6145ffa3dfc684465cbd3fe6dea064)

12 months agoStart 1.34.2
Reedy [Tue, 24 Mar 2020 17:30:10 +0000 (17:30 +0000)]
Start 1.34.2

Change-Id: Id94c154302f981b939f1d9789cb5a02a21b2024f

12 months agoBump and prep 1.34.1 1.34.1
Reedy [Tue, 24 Mar 2020 17:29:34 +0000 (17:29 +0000)]
Bump and prep 1.34.1

Change-Id: Ib9a2c9426f25c3af54e021a775c99dd9e6baa0b1

12 months agoSECURITY: Better controls for logout interface buttons
sbassett [Tue, 11 Feb 2020 23:03:40 +0000 (17:03 -0600)]
SECURITY: Better controls for logout interface buttons

* Adds data-mw attribute support within BaseTemplate->getPersonalTools()

* Adds data-mw="interface" for default logout button in

* Adds the [data-mw="interface"] selector to the '#pt-logout a' click
handler added in 8f033911030d.

Bug: T232932
Change-Id: I8e933badb77c89212603a36470ce655e30c137f0

12 months agoSECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
Bartosz Dziewoński [Mon, 2 Mar 2020 16:08:15 +0000 (17:08 +0100)]
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

Bug: T246602
Change-Id: Iea64a258499ab597b9a8900418a42162fdb5f391

12 months agoSECURITY: UserGroupMembership: Fix HTML escaping in #getLink
Bartosz Dziewoński [Mon, 23 Mar 2020 21:01:30 +0000 (22:01 +0100)]
SECURITY: UserGroupMembership: Fix HTML escaping in #getLink

In some cases, the return value would be either non-escaped or

Bug: T236509

Change-Id: If56a9df5f815a58a11741c5e020bb2d43a692563
(cherry picked from commit a0d7e49f0941a5f7a7e9cbb396540572317f9ae6)

12 months agoAdd one more to RELEASE-NOTES
Reedy [Tue, 24 Mar 2020 13:24:25 +0000 (13:24 +0000)]
Add one more to RELEASE-NOTES

Change-Id: I0183903ff232afa24f07a855fa54d020c4be41ee

13 months agobuild: Merge doc linting into 'npm test'
Timo Tijhof [Wed, 18 Mar 2020 18:19:39 +0000 (18:19 +0000)]
build: Merge doc linting into 'npm test'

Whether JSDuck or JSDoc3, it's good to verify that there are no
regressions in the doc syntax. This has been enforced by WMF CI
for many years with a dedicated Jenkins job.

However, both 'grunt lint' and 'npm run doc' take a relatively
small amount of time in CI:

* grunt lint: ~ 35s (not incl 'npm install')
* npm run doc: ~ 10s (not incl 'npm install')

Change-Id: If22b7bc64266e43088c7dec8138d81c938687fb9

13 months agoAPI: Fix fetching login token from action=query&meta=tokens on private wikis
Brad Jorsch [Fri, 14 Feb 2020 20:22:36 +0000 (15:22 -0500)]
API: Fix fetching login token from action=query&meta=tokens on private wikis

Accidentally broken by I991809acf.

Also added a test that should hopefully prevent this from accidentally
being broken again.

Bug: T245149
Change-Id: Ia7985397db50efe8af81f643f2a0a89d0ece179e
(cherry picked from commit e0f3a29349ffd8a3be14cec164c1e0f719e0e74b)

13 months agoUpdate RELEASE-NOTES-1.34
Reedy [Thu, 12 Mar 2020 23:55:57 +0000 (23:55 +0000)]

Change-Id: I00afa261b8aa2430c72b096e89082ef5f99f21ff

13 months agoAdd check for page existence
Ammar Abdulhamid [Mon, 9 Mar 2020 08:57:43 +0000 (09:57 +0100)]
Add check for page existence

Currently even if the page does not exist at all this script just says
"there's no content" which is partially true. If the page does exist but with
no content and/or blank the same answer is also given, which is OK in that case
but less so in the former case.

Also handle special pages instead of throwing exception.

Change-Id: Ia15b336d989d3605ead1891e3396380e8e6d4347

13 months agoFix output of RecountCategories::doWork()
Reedy [Sun, 8 Mar 2020 23:34:05 +0000 (23:34 +0000)]
Fix output of RecountCategories::doWork()

Display actual cat_id starting at, not the batch size

Also, adjust message per option description:
'Only recount categories with cat_id greater than the given value'

Bug: T247215
Follows-Up: I8b3e9ca1f42b7c49ee57f17b88ca2fc7b404f342
Change-Id: I09844c922a4350178a67e526dd025eb831489939
(cherry picked from commit e3c9741aacdcc8e6ca4bfd17526119c2e9709082)

13 months agoThe PHP Group stopped supporting 7.1 in late 2019
Reedy [Mon, 2 Mar 2020 00:57:30 +0000 (00:57 +0000)]
The PHP Group stopped supporting 7.1 in late 2019

As per https://www.php.net/eol.php 7.1 was EOL and therefore
unsupported since 1 December 2019.

Change-Id: I2f6e307457365f0adf1b727b4fff9ed19c685b4f

13 months agoupdateCollation.php: fix PHP error
Ostrzyciel [Tue, 25 Feb 2020 17:13:09 +0000 (18:13 +0100)]
updateCollation.php: fix PHP error

Currently the updateCollation maintenance script throws an error
when ran, as it calls MediaWikiServices before it's initialized.
See the phab task for more details.

Bug: T246127
Change-Id: Ib9d6b485b55760897ff5152b5d6f22b0d6a36daa

13 months agoProvide MW_VERSION and soft-deprecate global $wgVersion
Timo Tijhof [Tue, 25 Feb 2020 01:28:12 +0000 (01:28 +0000)]
Provide MW_VERSION and soft-deprecate global $wgVersion

Backported from a5d5ea82ca.

Bug: T212738
Change-Id: I04628de4152dd5c72646813e08ff35e422e265a4

14 months agoUse proper SemVer comparison in CheckComposerLockUpToDate
C. Scott Ananian [Thu, 13 Feb 2020 21:48:59 +0000 (16:48 -0500)]
Use proper SemVer comparison in CheckComposerLockUpToDate

We were using exact string matching previously.  We already have
a SemVer dependency in ExtensionRegistry.php, so we might as well
do things right.

Change-Id: I8895843a5b1116fca42e0c7179a2907fe84a74d1
(cherry picked from commit 3b0b9aa8ad35b9a567619186ac2174240db58726)

14 months agoUpdate git submodules
Martin Urbanec [Fri, 24 Jan 2020 20:54:30 +0000 (21:54 +0100)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to a63f16718bedfc309f33b956e5966c4067bf1a8d
  - SECURITY: Disallow user JS at our special pages

    Bug: T243608
    Change-Id: Ib0deea7a986dd37f23ad5a68a1fb9784ac346db6

14 months agomediawiki.language: Rename languageData back to languageNames
Roan Kattouw [Wed, 12 Feb 2020 22:39:38 +0000 (14:39 -0800)]
mediawiki.language: Rename languageData back to languageNames

This was renamed by accident in 1c7c9bdf1fc5d57434a, which silently
broke every feature that tried to obtain the name of a language in the
current language.

Bug: T245072
Change-Id: I9e458e79c695efc775a95f8295685925b8a88e7d
(cherry picked from commit b9cf5ee43b6d90fb3848e80f53b8615ffbc7f340)

14 months agoUpdate git submodules
Dejan Savuljesku [Wed, 5 Feb 2020 09:46:58 +0000 (10:46 +0100)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to cf8447838b88027638da54ee7adbe8f010651097
  - Fix removing scratch tokens

    Due to using unset(), array keys would be preserved, and therefore, for loop would crash.
    Now using array_splice, but had to "reset" the values on construct to fix currently broken

    Bug: T244308
    Change-Id: I6f3dd3df95d5a071b92aa7693ed7ae3fddf35a9d
    (cherry picked from commit c943f75cee1329c019636449dc28ccb57c0fed1f)

14 months agoUpdate git submodules
Thiemo Kreuz [Mon, 9 Dec 2019 09:10:54 +0000 (10:10 +0100)]
Update git submodules

* Update extensions/Cite from branch 'REL1_34'
  to db87fdc6ceb204e0d647802efb019afeb8b612c7
  - Fix broken reference list numbering in Firefox

    Same as Ib6e9de6.

    We must reset the build-in "list-item" counter to make this code behave
    sane in Firefox. It looks like this is even described in the CSS spec
    and it is not Firefox having a bug, but Chrome being "clever" and not
    following the spec.

    Bug: T229307
    Change-Id: I955786e2b68d087c819a962ded3c571946c61f78
    (cherry picked from commit d18c0871a8dfe80b20c70c2121bfadbbe99013fa)

15 months agoMerge "Follow up 9ef34a2f1d0: fix NewPagesPager "hide registered users" option" into...
jenkins-bot [Fri, 27 Dec 2019 14:53:56 +0000 (14:53 +0000)]
Merge "Follow up 9ef34a2f1d0: fix NewPagesPager "hide registered users" option" into REL1_34

15 months agoRemove space from strings
Paladox [Mon, 23 Dec 2019 22:42:25 +0000 (22:42 +0000)]
Remove space from strings

Change-Id: Id81dab1d806f2b93b5bad47cfd2a9fa37dedcd02

15 months agoFollow up 9ef34a2f1d0: fix NewPagesPager "hide registered users" option
DannyS712 [Tue, 17 Dec 2019 06:08:29 +0000 (06:08 +0000)]
Follow up 9ef34a2f1d0: fix NewPagesPager "hide registered users" option

Bug: T238483
Change-Id: I6afe6bf28da8841815191b9c0b1833e0cfd28b6c
(cherry picked from commit f599ff347d0772e163edfda2a35d65e222380a12)

15 months agoUser: Allow newSystemUser() to create over anonymous actors
Brad Jorsch [Mon, 28 Oct 2019 15:51:05 +0000 (11:51 -0400)]
User: Allow newSystemUser() to create over anonymous actors

Various maintenance scripts assume reserved usernames like
"MediaWiki default" exist, but since they're reserved
User::isUsableName() returns false and therefore the actor migration
created them as anonymous actors. Which would then prevent those
maintenance scripts from using User::newSystemUser() to ensure they
actually exist.

This adjusts User::newSystemUser() to be able to create users for
those anonymous actors.

This also adjusts uses of "MediaWiki default" in core to create it as a
system user.

Bug: T236444
Change-Id: I59a646df36ff9343cc43c05aa20b2b69b2ee124a
(cherry picked from commit 685b505628099a027ab5c9451502f522b489c109)

15 months agoDon't redefine MW_ENTRY_POINT in thumb.php if already defined
Reedy [Mon, 23 Dec 2019 18:17:14 +0000 (18:17 +0000)]
Don't redefine MW_ENTRY_POINT in thumb.php if already defined

Bug: T241340
Change-Id: I95914267bf22910391a54ec524ed11bc076f83e3

16 months agoUser: better error message when getActorId fails.
daniel [Wed, 18 Dec 2019 11:50:37 +0000 (12:50 +0100)]
User: better error message when getActorId fails.

This changes User::getActorId() to include the user name and id
when throwing an exception. This doesn't solve the problem
reported in T211450, but should allow the the probelmatic user
name to be identified.

Bug: T211450
Change-Id: Ie83ce6ad6b5ef18ea44a52e204f580cd9c992148
(cherry picked from commit db3e7f8b7e81eed410e6f82f939038768efd27ce)

16 months agoStart 1.34.1
Reedy [Thu, 19 Dec 2019 13:33:30 +0000 (13:33 +0000)]
Start 1.34.1

Change-Id: I0dddff5a6f50820551966db37061dbada8c19e5f

16 months agoBump and prep 1.34.0 1.34.0
Reedy [Thu, 19 Dec 2019 13:32:41 +0000 (13:32 +0000)]
Bump and prep 1.34.0

Change-Id: I57b1934858bd88a9d04796d236be5a3cd3173e6c

16 months agoRELEASE-NOTES-1.34: Add note for T212067 backport
James D. Forrester [Wed, 18 Dec 2019 11:53:21 +0000 (11:53 +0000)]
RELEASE-NOTES-1.34: Add note for T212067 backport

Change-Id: Ibedb07ce92820ff94380a390afe1001c279c8598

16 months agoTests for an old PHP bug in parse_url
Brad Jorsch [Mon, 17 Dec 2018 18:20:12 +0000 (13:20 -0500)]
Tests for an old PHP bug in parse_url

It would get confused by URLs with a query portion but no path.

We no longer support any vulnerable versions of PHP, but it would still
be useful to have these tests.

Bug: T212067
Change-Id: I15c15161a668115d68eb2e2f8004826b47148fc1
(cherry picked from commit 489bb4fb981cfe2e81b647c498e329033a4bc72b)

16 months agoUpdate RELEASE-NOTES
Reedy [Tue, 17 Dec 2019 21:12:30 +0000 (21:12 +0000)]

Change-Id: I10c0115d9f1591dd2e0ade8497b168247bf70c05

16 months agomedia: Log and fail gracefully on invalid EXIF coordinates
Thiemo Kreuz [Tue, 26 Nov 2019 08:54:05 +0000 (09:54 +0100)]
media: Log and fail gracefully on invalid EXIF coordinates

The $coord value is a value extracted from the EXIF section of an
image file. We expect it to be a float, but there is no guarantee this
is the case. It could, for example, be an empty string.

I suggest this trivial fix. It does have the following effects:
* Instead of logging a PHP notice when floor() hits something that is
  not a number, I try to log something that's more useful for later,
  more in-depth debugging. Note this log call isn't necessarily meant
  to stay, but to find an even better fix for this issue.
* I return the string as it is. If it's "foo", the user will see "foo"
  instead of "0° 0′ 0″ N", which wasn't helpful.

Also note how wrong and misleading the PHPDoc block for this function

Bug: T226751
Change-Id: I1ca98728de4113ee1ae4362bd3e62b425d589388
(cherry picked from commit f6787ede2db29fcc2c1923e23eaa2e9bf86522a1)

16 months agoNewPagesPager: Fix namespace query conditions
DannyS712 [Tue, 17 Dec 2019 06:22:57 +0000 (06:22 +0000)]
NewPagesPager: Fix namespace query conditions

Bug: T240924
Change-Id: I28d276cae0518386cac3f9d571ba09e9eff6678b
(cherry picked from commit b390ef6e5825e8906667d7a755d70b3478ce47b7)

16 months agordbms: Log debug message traces as 'exception.trace' instead of 'trace'
sbassett [Wed, 4 Dec 2019 20:19:52 +0000 (14:19 -0600)]
rdbms: Log debug message traces as 'exception.trace' instead of 'trace'

Code cleanup and hardening (see also: T234014) of Database-related
lib code in MediaWiki core.

Bug: T233342
Change-Id: I3c968f4f5300374253dc80d99596cac50fbeb59e
(cherry picked from commit 2e11b14455b44b8fcfd528da5efcc214902c2ffb)

16 months agoSECURITY: Do not allow user scripts on Special:PasswordReset
Amir Sarabadani [Sat, 7 Dec 2019 22:36:42 +0000 (23:36 +0100)]
SECURITY: Do not allow user scripts on Special:PasswordReset

Bug: T192134
Change-Id: If5e91452f2e569476626bcf650ba4efaa122952c

16 months agoReplace deprecated lSize with lLen
Paladox [Tue, 3 Dec 2019 18:12:47 +0000 (18:12 +0000)]
Replace deprecated lSize with lLen

lSize is an alias to lLen according to [1]

[1] https://github.com/phpredis/phpredis/blob/9f4ededa4139f0af324aab56773f26be5a9d1783/README.markdown#L2148

Bug: T239734
Change-Id: I5b72fbe61e313511b69e8d2e96c2042742370b85
(cherry picked from commit fac9054e3f894962b92304fb9ca610f07b0b8549)

16 months agoApiEditPage: Test for bad redirect targets
Brad Jorsch [Mon, 2 Dec 2019 14:39:03 +0000 (09:39 -0500)]
ApiEditPage: Test for bad redirect targets

Apparently everything downstream assumes callers already handled
interwiki titles.

See also T239466 for related code-hardening.

Bug: T239428
Change-Id: Ie54f366986056c876eade0fcad6c41f70b8b8de8
(cherry picked from commit 9084591e104fc10f004044f552b47ad27e7d763b)

16 months agoUpdate RELEASE-NOTES-1.34
Reedy [Wed, 4 Dec 2019 20:49:28 +0000 (20:49 +0000)]

Change-Id: Ie9c70854e759f848f6907b79b9ca630504958517

16 months agoMimic CURLOPT_POST in GuzzleHttpRequest
Moritz Schubotz (physikerwelt) [Fri, 22 Nov 2019 15:11:26 +0000 (16:11 +0100)]
Mimic CURLOPT_POST in GuzzleHttpRequest

The MWHttpRequest is implemented by the
CurlHttpRequest class and also the
GuzzleHttpRequest class. However, curl based rendering set
the CURLOPT_POST which implies that the 'Content-Type'
header defaults to 'application/x-www-form-urlencoded'.
To homgonize the functionality this patch mimics the
curl behaviour in Guzzle.

Bug: T232866
Change-Id: Id60a8de18e5f1e750a3bde23bd8b0deca4071165
(cherry picked from commit 5e3a0e73955d6324c5dd6e12fbe36d3ba203d9db)

16 months agoMark options as requiring parameters in addSite.php
lens0021 [Mon, 2 Dec 2019 01:32:25 +0000 (10:32 +0900)]
Mark options as requiring parameters in addSite.php

Bug: T239561
Change-Id: Ibd967da45f32c8ea58b8997f15d26ab06f1e14cb

16 months agoAvoid using deprecated phpredis::delete() alias
Paladox [Mon, 2 Dec 2019 22:33:08 +0000 (22:33 +0000)]
Avoid using deprecated phpredis::delete() alias

Bug: T227461
Change-Id: I5eb2fa42d61e4757b11b6eb909c04dafb40923a1

16 months agoLocalisationCache: Don't instantiate ResourceLoader
daniel [Tue, 26 Nov 2019 19:33:10 +0000 (20:33 +0100)]
LocalisationCache: Don't instantiate ResourceLoader

When clearing the LocalisationCache, avoid instantiating a ResourceLoader
instance. Doing so introduces a circular dependency among service

This patch introduces a static method for clearing the MessageBlobStore
without the need for a ResoruceLoader instance.

Bug: T231866
Change-Id: I404e64713fee6a534ba014981cef78af0b91f2aa
(cherry picked from commit 41415deda4c66ba52194c4df51c54c367f1f10b9)

16 months agoFix support for HTTP/2 in MultiHttpClient
Paladox [Sun, 1 Dec 2019 17:59:17 +0000 (17:59 +0000)]
Fix support for HTTP/2 in MultiHttpClient

Under buster, curl uses HTTP/2 (confirmed when running eval):

GET xxx HTTP/2

GET xxx HTTP/1.1

The code presumes that it will always be HTTP/1.x.

We fix this by adjusting the regex to match HTTP2.

Bug: T232866
Change-Id: Ibde6036048d5939508df143ec5956abcd0718ad1

16 months agoMake sure DBLoadBalancerFactory service is not disabled
RazeSoldier [Wed, 25 Sep 2019 14:54:13 +0000 (22:54 +0800)]
Make sure DBLoadBalancerFactory service is not disabled

After b873e929, when the CLI installation failed, the script will throw
a ServiceDisabledException.
This is because the installer disables DBLoadBalancerFactory service
during instantiation and throws the exception because the installation
failed to restore the service.
So I check if the service is enabled before try commit
the master changes.

Bug: T229601
Change-Id: Ia7589d14ee55bcb03a64856b6dd2c81d8bda783c
(cherry picked from commit eadde762b03ed94c687788ed3e0d9c65e5046fb2)

16 months agoUpdate RELEASE-NOTES-1.34 for backports
Reedy [Tue, 26 Nov 2019 11:35:45 +0000 (11:35 +0000)]
Update RELEASE-NOTES-1.34 for backports

Change-Id: I954c8a7ea2f988783c9e23c8206f24eccd343cd2

16 months agoFix ''
Reedy [Tue, 26 Nov 2019 11:19:21 +0000 (11:19 +0000)]
Fix ''

Change-Id: Iac30bc682344a5d3e550c1af9c66962998fffed2

17 months agoSet MCR migration stage to SCHEMA_COMPAT_NEW.
daniel [Mon, 28 Oct 2019 20:13:46 +0000 (21:13 +0100)]
Set MCR migration stage to SCHEMA_COMPAT_NEW.

This disables writing to the old schema in DefaultSettings.php.

Bug: T231673
Change-Id: I799bfb76c10fd0c0dc791e7380fce0159d81c2d3
(cherry picked from commit 1a917bab4cfa3a957e4cda1959050a2c2058ee4c)

17 months agoWikiExporter: Remove unnecessary check for SCHEMA_COMPAT_WRITE_OLD flag
daniel [Mon, 28 Oct 2019 20:09:44 +0000 (21:09 +0100)]
WikiExporter: Remove unnecessary check for SCHEMA_COMPAT_WRITE_OLD flag

WikiExporter used to require SCHEMA_COMPAT_WRITE_OLD to be enabled,
until that requirement was fixed in I5ea972bb07ca1cfb3a2ad8ef120aef7.
However, I failed to remove the explicit check for the flag at the
time, causing all exports to fail in SCHEMA_COMPAT_NEW mode. This
change removes the obsolete check.

Bug: T236735
Change-Id: I809ed4e2f1f30fdc4bd817f815d733d8a62f3d4f
(cherry picked from commit d9209707cc62ea2eb0f0fe9d2c79e56a8cc87552)

17 months agoUpdate git submodules
zoranzoki21 [Mon, 4 Nov 2019 20:55:42 +0000 (21:55 +0100)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to a1b93f1f7680829f7d4104469627d53358cf00ec
  - Add missing oathauth-module-invalid message

    Bug: T228269
    Change-Id: I7f3ceaf27cb13bbf1acc0e7784f405fef35e3001

17 months agoStorage: SqlBlobStore no longer needs Language object
Timo Tijhof [Tue, 1 Oct 2019 16:20:45 +0000 (17:20 +0100)]
Storage: SqlBlobStore no longer needs Language object

Constructing a Language object in order to initialize the
BlobStoreFactory service causes a circular dependency
(see T231866).

SqlBlobStore was using the Language object to all iconv.
But nothing language specific is done in Language::iconv,
so we can just inline the call.

Bug: T231866
Change-Id: I90c25decbcff10ea762a2c7474a12fd2041b3abc

17 months agoAdd $wgDiffEngine
Brad Jorsch [Tue, 5 Nov 2019 15:07:06 +0000 (10:07 -0500)]
Add $wgDiffEngine

The immediate use case is for testing, where some tests need to use the
PHP implementation even when wikidiff2 is installed.

Bug: T237049
Change-Id: I41dc4c0933429065d7638f518ec31f0a056afc41
(cherry picked from commit f3058c81b9bbdede6eeb70503ecc44a6ba423e0d)

17 months agoAdd section for changes after 1.34.0-rc.1
Reedy [Tue, 5 Nov 2019 22:06:47 +0000 (22:06 +0000)]
Add section for changes after 1.34.0-rc.1

Change-Id: I4a4aa7ec1f9e93d36e414057d0209a531bfaadde

17 months agoBump $wgVersion 1.34.0-rc.1 1.34.0-rc.1
Reedy [Tue, 5 Nov 2019 21:39:34 +0000 (21:39 +0000)]
Bump $wgVersion 1.34.0-rc.1

Change-Id: Ia14a51d05256e8110359865f7c239fd13d700f40

17 months agoUpdate RELEASE-NOTES
Reedy [Mon, 4 Nov 2019 18:24:40 +0000 (18:24 +0000)]

Change-Id: Ia60600afe56fdb50ff255e189eac51a882715cbb

17 months agoHard deprecate Parser::disableCache()
C. Scott Ananian [Mon, 4 Nov 2019 19:31:21 +0000 (14:31 -0500)]
Hard deprecate Parser::disableCache()

Among deployed extensions, only used in the Quiz extension.

Full list of uses (some false positives):

Depends-On: I956a88120d07d76d1afa9d06e95d31055f9b07f1
Change-Id: I6419754de6cbc01af07b6c0eafb8396bd720a58d
(cherry picked from commit 8dbc866e91d5a06cc1c2ca70c48c6752ddb48944)

17 months agoUpdate git submodules
Reedy [Mon, 4 Nov 2019 18:33:19 +0000 (18:33 +0000)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to 42cb55cef1b127ee53e256f55dedce4f37774fd2
  - Enable schemaUpdateTOTPToMultipleKeys

    Change-Id: I6cb10a877652a10412664e124f94c5d0c58932fe

17 months agoDo not insert page titles into querycache.qc_value
mszabo-wikia [Wed, 14 Mar 2018 14:38:14 +0000 (15:38 +0100)]
Do not insert page titles into querycache.qc_value

querycache.qc_value column is used to store a numeric value related
to the query results, generally a COUNT(*) aggregation or timestamp,
but some query pages insert the page title here after passing it through
PHP's intval() function to parse it into a number.
While this will cause 0 to be inserted for pages whose title is not numeric
(i.e. most titles), a DB error may occur for numeric page titles that exceed
the maximum value for unsigned integers, depending on relevant DB settings,
such as MySQL's strict mode.[1]

This patch changes query pages not to insert page titles into the qc_value
column. Also, it adds the getOrderFields() method to query pages that were
missing them, to ensure that the result set inserted into the querycache
table is correctly ordered by title.

[1] https://dev.mysql.com/doc/refman/8.0/en/sql-mode.html#sql-mode-strict

Bug: T181658
Change-Id: I1ef297257c6f419826ba4ffc6e875389ccec46db
(cherry picked from commit 335fabf5fba49fa43c0e876996baa165a7ff4350)

17 months agoParamValidator: Flag as unstable for 1.34
Brad Jorsch [Fri, 1 Nov 2019 17:48:59 +0000 (13:48 -0400)]
ParamValidator: Flag as unstable for 1.34

Iea6d4a1d0 isn't likely to make it, and I don't want to have to
support the architectural mistakes it's fixing in 1.35.

Change-Id: Icd161779d4e2eb60c507a5a4400f9432741c72eb
(cherry picked from commit ff70806ef1e142c67841b049b7b943170558ed78)

17 months agoFix for ArticleRevisionViewCustom hook in DifferenceEngine.php
Yaron Koren [Mon, 28 Oct 2019 13:30:43 +0000 (13:30 +0000)]
Fix for ArticleRevisionViewCustom hook in DifferenceEngine.php

Was missing a parameter, which actually made this hook unusable.

Bug: T236628
Change-Id: I6e260cd49f7083f34d4218712edf7d91d2f11ee9
(cherry picked from commit b10d0fa09d52fc6bd3d645fb39175b45973bb54b)

17 months agoHard deprecate `$wgSysopEmailBans`
DannyS712 [Fri, 1 Nov 2019 01:39:25 +0000 (01:39 +0000)]
Hard deprecate `$wgSysopEmailBans`

Bug: T232169
Change-Id: Icfe02595fc92738c279fa6764f955aa00818088d
(cherry picked from commit 42566fce93af715465f145618d37b7b6dd030862)

17 months agoMerge "Disable $wgServer autodetection to prevent cache poisoning attacks" into REL1_34
jenkins-bot [Thu, 31 Oct 2019 00:57:49 +0000 (00:57 +0000)]
Merge "Disable $wgServer autodetection to prevent cache poisoning attacks" into REL1_34

17 months agoDisable $wgServer autodetection to prevent cache poisoning attacks
Kunal Mehta [Fri, 19 Jul 2019 04:04:41 +0000 (00:04 -0400)]
Disable $wgServer autodetection to prevent cache poisoning attacks

Since MediaWiki 1.18, $wgServer has been automatically set by the web installer
when it generates LocalSettings.php, so this shouldn't be an issue for most
wikis. The CLI installer now supports a --server optional parameter to
specify $wgServer, otherwise it'll be set to 'http://localhost' by default.

Users will see a fatal error pointing them to the on-wiki $wgServer
documentation that I've updated as well.

Originally this functionality was slated for removal in 1.20, but now is
just a good time as any. It also calls into other parts of MediaWiki before
most things are initialized, making it difficult to librarize some code.

Bug: T30798
Bug: T232931
Change-Id: Ia5d616e7fafbab01655067c24c5a3a073b254f21
(cherry picked from commit 03078991c4408b8e4e72cc28584a9d011d9edf72)

17 months agoMerge "Parser: Hard deprecate getConverterLanguage" into REL1_34
jenkins-bot [Wed, 30 Oct 2019 21:47:48 +0000 (21:47 +0000)]
Merge "Parser: Hard deprecate getConverterLanguage" into REL1_34

17 months agoDeprecate additional public methods of Parser
C. Scott Ananian [Tue, 29 Oct 2019 07:34:25 +0000 (03:34 -0400)]
Deprecate additional public methods of Parser


It wasn't obvious there was a better name for these, so just rename
them with a `...Private` suffix and deprecate the old names.  When
the deprecated public methods are removed we'll rename the private
methods to remove the `...Private` suffix again.

Code search:

Bug: T236810
Change-Id: I44458490fa86abd0ead048a4c94021da6be333f0
(cherry picked from commit 736b6b27f3dc1e9f7b4facc55f08dbc28da68827)

17 months agoDeprecate Parser::replaceLinkHolders / replaceLinkHoldersText
C. Scott Ananian [Tue, 29 Oct 2019 16:52:47 +0000 (12:52 -0400)]
Deprecate Parser::replaceLinkHolders / replaceLinkHoldersText

Because this method is used in the ImageMap extension, we can't
immediately hard-deprecate replaceLinkHolders.

Code search:

Bug: T236810
Change-Id: If02130ffc86d0d9db2a455efcd29641a8206f0a0
(cherry picked from commit 023bb7677fa93b97e155969bacc4ef8be2410b3c)

17 months agoDeprecate Parser::splitWhitespace() / Parser::createAssocArgs()
C. Scott Ananian [Tue, 29 Oct 2019 07:52:58 +0000 (03:52 -0400)]
Deprecate Parser::splitWhitespace() / Parser::createAssocArgs()

These methods are not used anywhere in deployed code.

Parser::createAssocArgs() is used in Extension:DataTable2, but it should
just copy the implementation from Parser, it's very little code.

Code search:

Bug: T236810
Change-Id: I4e6a39e2ecf7a3a568e26ad1d8ce1166a44a5ad9
(cherry picked from commit d7cd12e81ff6622bb5e14980297f926a3dec0984)

17 months agoDeprecate Parser::areSubpagesAllowed() / Parser::maybeDoSubpageLink()
C. Scott Ananian [Tue, 29 Oct 2019 07:32:44 +0000 (03:32 -0400)]
Deprecate Parser::areSubpagesAllowed() / Parser::maybeDoSubpageLink()

These are unused outside the Parser and are so short it's not worth
renaming them to make them private; just hard-deprecate the methods
and inline the implementation in the small # of places they appear.

Code search:

Bug: T236810
Change-Id: Ia06c65409a3158b083bcc59c9f6e347945b375c0
(cherry picked from commit dcae22c8fa46822148dc5fd87018acb385bf4c91)

17 months agoDeprecate Parser implementation methods (will be private in next release)
C. Scott Ananian [Mon, 28 Oct 2019 19:52:50 +0000 (15:52 -0400)]
Deprecate Parser implementation methods (will be private in next release)

The following public methods were renamed and made private; the old name
is hard-deprecated and calls the new renamed private method:

Parser::doMagicLinks() => handleMagicLinks()
Parser::doDoubleUnderscore() => handleMagicLinks()
Parser::doHeadings() => handleHeadings()
Parser::doAllQuotes() => handleAllQuotes()
Parser::replaceExternalLinks() => handleExternalLinks()
Parser::replaceInternalLinks() => handleInternalLinks()
Parser::replaceInternalLinks2() => handleInternalLinks2()
Parser::getVariableValue() => expandMagicVariable()
Parser::initialiseVariables() => initializeVariables()
Parser::formatHeadings() => finalizeHeadings()
Parser::test{Pst,Preprocess,Srvus}() => fuzzTest{Pst,Preprocess,Srvus}()

Additionally, the following methods are not used externally, but are
used outside the Parser class by core code.  They have been marked

Parser::doQuotes() (used by {{#displaytitle}}),
Parser::getExternalLink{Rel,Attribs}() (used by Linker),
Parser::normalizeLinkUrl() (used by Special:LinkSearch and elsewhere).
Parser::{brace,arg,extension}Substitution() (used by PPFrame)

Code search query:

Bug: T236810
Change-Id: I19a43ffc5dcfdd2981b51079c33422c964acb076

17 months agoParser: Hard deprecate getConverterLanguage
Fomafix [Mon, 30 Sep 2019 19:34:03 +0000 (21:34 +0200)]
Parser: Hard deprecate getConverterLanguage

getConverterLanguage is deprecated since MediaWiki 1.32.
getConverterLanguage always return a Language object and never null.

Change-Id: Ia0480c76416ef1e925619d9e85c7134c2ecf2296
Depends-On: Iea4771161d129c49f6482e1a6822e1324bf2fb49
(cherry picked from commit 9bae9db4cc296f248ea7c1fba950032e54a5cb03)

17 months agoAdd release notes for discontinuation of IE6/7 support
Timo Tijhof [Fri, 25 Oct 2019 22:29:49 +0000 (23:29 +0100)]
Add release notes for discontinuation of IE6/7 support

Bug: T232563
Change-Id: I95c693d7c3059f441489d61f3fce597f02bedc0e

17 months agoUpdate git submodules
Reedy [Wed, 23 Oct 2019 14:45:50 +0000 (15:45 +0100)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to eacb5b281ae3fac18f394342a419d63ad6064d9c
  - Bump 0.4.4

    Change-Id: I3097526954c18c6759461f800168ebeb4a92e9e7

17 months agoUpdate git submodules
Dejan Savuljesku [Wed, 23 Oct 2019 07:49:37 +0000 (09:49 +0200)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_34'
  to 99b1f06a2f411c08f12e3fa80257ac0a49612345
  - Ask for user re-auth only on initial requests

    Make sure user is asked to re-authenticate (if needed) only on initital request,
    not after submitting the form

    Bug: T235645
    Change-Id: Ic315f49ac5810da0a703ccf4b51f558d17f905fb

18 months agoMerge "resources: Collapse all jQuery UI modules into one deprecated mega-module...
jenkins-bot [Sun, 20 Oct 2019 09:51:58 +0000 (09:51 +0000)]
Merge "resources: Collapse all jQuery UI modules into one deprecated mega-module" into REL1_34

18 months agoFix docs for GetUserBlock hooks
Daimona Eaytoy [Sun, 20 Oct 2019 08:45:27 +0000 (10:45 +0200)]
Fix docs for GetUserBlock hooks

Change-Id: I93b64fb00477c0632a6fa3573800dd7609d25db0

18 months agoresources: Collapse all jQuery UI modules into one deprecated mega-module
James D. Forrester [Thu, 10 Oct 2019 23:33:54 +0000 (16:33 -0700)]
resources: Collapse all jQuery UI modules into one deprecated mega-module

(cherry picked from commits b76856675d78d1 and ecf4cb6610).

Bug: T219604
Change-Id: I9070ad9052319f5ca2bc67e0ffaf502db0f13ceb

18 months agoDeprecate 'jquery.tabIndex' module
Ammar Abdulhamid [Sun, 13 Oct 2019 10:25:20 +0000 (11:25 +0100)]
Deprecate 'jquery.tabIndex' module

Bug: T234581
Change-Id: I8e1b43ae17b2bdd90f5ce7f0a4907cf94f759b8d

18 months agoUpdate RELEASE-NOTES-1.34 for various backports
Reedy [Fri, 18 Oct 2019 21:26:20 +0000 (22:26 +0100)]
Update RELEASE-NOTES-1.34 for various backports

Change-Id: I6241e2a0820fc2f89c806d202514ae75039e1fa0

18 months agoDeprecate setting Parser::mTitle to null
C. Scott Ananian [Thu, 17 Oct 2019 16:59:04 +0000 (12:59 -0400)]
Deprecate setting Parser::mTitle to null

This never happens in core code; however extensions have slipped into
a state of sin.

Bug: T235392
Change-Id: Ia254949cd8b3bc162b11dcc911dcce40d91bf1b7
(cherry picked from commit dd9e6124b4a47b98cccdaa2971d587ecc6f0ab6e)

18 months agoRevert "Parser: Add Title type hints"
Fomafix [Mon, 14 Oct 2019 18:52:19 +0000 (20:52 +0200)]
Revert "Parser: Add Title type hints"

This change reverts most of commit 3dff713fe4.

Especially the return type hints for getTitle() and Title() are reduced
to allow the type null as return value, because SematicMediaWiki uses
this by

$this->parser->getTitle() instanceof Title

to check if there is a valid Title object.

The parameter type hints for setTitle() and Title() are kept.

Bug: T235392
Change-Id: I72ac1c9d37059876dbc7cd38158e7abd212da8fe
(cherry picked from commit d91a136ae7b53f07bac62aba944f5a7ba1ccd7ec)