Reedy [Thu, 12 Mar 2020 23:49:43 +0000 (23:49 +0000)]
Update RELEASE-NOTES-1.31
Change-Id: I2d602a8a6b823dee75e05126e6ef7b187013e861
Reedy [Thu, 12 Mar 2020 23:38:21 +0000 (23:38 +0000)]
Disable even more flaky/broken selenium tests
Bug: T247580
Change-Id: I0004e97bb7de8586ee1b5c246776cccaf4f21c77
Reedy [Thu, 12 Mar 2020 23:33:28 +0000 (23:33 +0000)]
Disable some more flaky/broken selenium tests
Bug: T247580
Change-Id: Id99bb15c20ed7ca7fe45569757ee6ec33e4557d5
Kunal Mehta [Tue, 31 Jul 2018 19:28:31 +0000 (12:28 -0700)]
Disable "...able to change preferences" browser test
It's incredibly flaky.
Bug: T247580
Bug: T199446
Change-Id: I5372a285dab4f5f032ae340d9fd30b9c7c8bf72a
jenkins-bot [Wed, 11 Mar 2020 16:53:14 +0000 (16:53 +0000)]
Merge "rdbms: re-add DB domain sanity checks to LoadBalancer" into REL1_31
Ammar Abdulhamid [Mon, 9 Mar 2020 08:57:43 +0000 (09:57 +0100)]
Add check for page existence
Currently even if the page does not exist at all this script just says
"there's no content" which is partially true. If the page does exist but with
no content and/or blank the same answer is also given, which is OK in that case
but less so in the former case.
Also handle special pages instead of throwing exception.
Change-Id: Ia15b336d989d3605ead1891e3396380e8e6d4347
Reedy [Sun, 8 Mar 2020 23:34:05 +0000 (23:34 +0000)]
Fix output of RecountCategories::doWork()
Display actual cat_id starting at, not the batch size
Also, adjust message per option description:
'Only recount categories with cat_id greater than the given value'
Bug: T247215
Follows-Up: I8b3e9ca1f42b7c49ee57f17b88ca2fc7b404f342
Change-Id: I09844c922a4350178a67e526dd025eb831489939
(cherry picked from commit
e3c9741aacdcc8e6ca4bfd17526119c2e9709082)
Reedy [Mon, 2 Mar 2020 00:57:30 +0000 (00:57 +0000)]
The PHP Group stopped supporting 5.6 in late 2018
As per https://www.php.net/eol.php 5.6 was EOL and therefore
unsupported since 31 December 2018.
Change-Id: I2f6e307457365f0adf1b727b4fff9ed19c685b4f
Timo Tijhof [Tue, 25 Feb 2020 01:28:12 +0000 (01:28 +0000)]
Provide MW_VERSION and soft-deprecate global $wgVersion
Backported from
a5d5ea82ca.
Bug: T212738
Change-Id: I04628de4152dd5c72646813e08ff35e422e265a4
C. Scott Ananian [Thu, 13 Feb 2020 21:48:59 +0000 (16:48 -0500)]
Use proper SemVer comparison in CheckComposerLockUpToDate
We were using exact string matching previously. We already have
a SemVer dependency in ExtensionRegistry.php, so we might as well
do things right.
Change-Id: I8895843a5b1116fca42e0c7179a2907fe84a74d1
(cherry picked from commit
3b0b9aa8ad35b9a567619186ac2174240db58726)
sbassett [Thu, 13 Feb 2020 20:35:51 +0000 (14:35 -0600)]
Update git submodules
* Update extensions/OATHAuth from branch 'REL1_31'
to
44c0834dc396345de7e159d2d745d169b8344c84
- SECURITY: Disallow user JS at our special pages
Bug: T243608
Change-Id: Ib0deea7a986dd37f23ad5a68a1fb9784ac346db6
Aaron Schulz [Sat, 13 Oct 2018 16:14:20 +0000 (16:14 +0000)]
rdbms: re-add DB domain sanity checks to LoadBalancer
Also clean up empty schema handling in DatabaseDomain
This reverts commit
f23ac02f4fcf156767df66a5df2fa407310fe1d2.
Bug: T193565
Bug: T234022
Change-Id: I95fde5c069f180ca888a023fade25ec81b846d44
Reedy [Thu, 19 Dec 2019 13:28:34 +0000 (13:28 +0000)]
Start 1.31.7
Change-Id: Icc42b1db0ef48ecf1acbd0e48f2e7da2a6d104f9
Reedy [Thu, 19 Dec 2019 13:24:33 +0000 (13:24 +0000)]
Bump and prep 1.31.6
Change-Id: I07df574bbc0a6e39be152a1f818e3ef87fb32cb0
Brad Jorsch [Mon, 17 Dec 2018 18:20:12 +0000 (13:20 -0500)]
SECURITY: Work around PHP bug in parse_url
It gets confused by URLs with a query portion but no path.
Bug: T212067
Change-Id: I15c15161a668115d68eb2e2f8004826b47148fc1
Reedy [Tue, 17 Dec 2019 21:09:04 +0000 (21:09 +0000)]
Update RELEASE-NOTES
Change-Id: Icb46eccf65cdd2090e2e7429ba99fd447d5a0b1b
Thiemo Kreuz [Tue, 26 Nov 2019 08:54:05 +0000 (09:54 +0100)]
media: Log and fail gracefully on invalid EXIF coordinates
The $coord value is a value extracted from the EXIF section of an
image file. We expect it to be a float, but there is no guarantee this
is the case. It could, for example, be an empty string.
I suggest this trivial fix. It does have the following effects:
* Instead of logging a PHP notice when floor() hits something that is
not a number, I try to log something that's more useful for later,
more in-depth debugging. Note this log call isn't necessarily meant
to stay, but to find an even better fix for this issue.
* I return the string as it is. If it's "foo", the user will see "foo"
instead of "0° 0′ 0″ N", which wasn't helpful.
Also note how wrong and misleading the PHPDoc block for this function
was.
Bug: T226751
Change-Id: I1ca98728de4113ee1ae4362bd3e62b425d589388
(cherry picked from commit
f6787ede2db29fcc2c1923e23eaa2e9bf86522a1)
jenkins-bot [Tue, 10 Dec 2019 23:51:24 +0000 (23:51 +0000)]
Merge "rdbms: Log debug message traces as 'exception.trace' instead of 'trace'" into REL1_31
sbassett [Wed, 4 Dec 2019 20:19:52 +0000 (14:19 -0600)]
rdbms: Log debug message traces as 'exception.trace' instead of 'trace'
Code cleanup and hardening (see also: T234014) of Database-related
lib code in MediaWiki core.
Bug: T233342
Change-Id: I3c968f4f5300374253dc80d99596cac50fbeb59e
Brad Jorsch [Mon, 2 Dec 2019 14:39:03 +0000 (09:39 -0500)]
ApiEditPage: Test for bad redirect targets
Apparently everything downstream assumes callers already handled
interwiki titles.
Bug: T239428
Change-Id: Ie54f366986056c876eade0fcad6c41f70b8b8de8
Amir Sarabadani [Sat, 7 Dec 2019 22:36:42 +0000 (23:36 +0100)]
SECURITY: Do not allow user scripts on Special:PasswordReset
Bug: T192134
Change-Id: If5e91452f2e569476626bcf650ba4efaa122952c
Paladox [Tue, 3 Dec 2019 18:12:47 +0000 (18:12 +0000)]
Replace deprecated lSize with lLen
lSize is an alias to lLen according to [1]
[1] https://github.com/phpredis/phpredis/blob/
9f4ededa4139f0af324aab56773f26be5a9d1783/README.markdown#L2148
Bug: T239734
Change-Id: I5b72fbe61e313511b69e8d2e96c2042742370b85
Reedy [Wed, 4 Dec 2019 20:40:37 +0000 (20:40 +0000)]
Update RELEASE-NOTES-1.31
Change-Id: I3f39544bf7faba22211edb83112fb55782ae74f5
lens0021 [Mon, 2 Dec 2019 01:32:25 +0000 (10:32 +0900)]
Mark options as requiring parameters in addSite.php
Bug: T239561
Change-Id: Ibd967da45f32c8ea58b8997f15d26ab06f1e14cb
Aaron Schulz [Thu, 1 Aug 2019 20:16:39 +0000 (16:16 -0400)]
objectcache: avoid using deprecated phpredis::delete() alias
Bug: T227461
Change-Id: I3ca8bd9160eefff6590228082f030a32d0edb511
(cherry picked from commit
f445700ccc6f7f48158ae27d2cd13004675fd431)
Paladox [Mon, 2 Dec 2019 22:33:08 +0000 (22:33 +0000)]
Avoid using deprecated phpredis::delete() alias
Bug: T227461
Change-Id: I5eb2fa42d61e4757b11b6eb909c04dafb40923a1
Paladox [Sun, 1 Dec 2019 17:59:17 +0000 (17:59 +0000)]
Fix support for HTTP/2 in MultiHttpClient
Under buster, curl uses HTTP/2 (confirmed when running eval):
Buster:
GET xxx HTTP/2
Stretch:
GET xxx HTTP/1.1
The code presumes that it will always be HTTP/1.x.
We fix this by adjusting the regex to match HTTP2.
Bug: T232866
Change-Id: Ibde6036048d5939508df143ec5956abcd0718ad1
jenkins-bot [Thu, 14 Nov 2019 18:49:48 +0000 (18:49 +0000)]
Merge "rdbms: Remove references to pg_attrdef.adsrc in Postgres code" into REL1_31
Mark A. Hershberger [Thu, 9 Aug 2018 20:18:34 +0000 (16:18 -0400)]
rdbms: Use correct value for 'sslmode' in DatabasePostgres
Fix Postgres support by using ‘sslmode=require' instead of ‘sslmode=1'.
See https://www.postgresql.org/docs/current/static/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS
Change-Id: I424b0e3e144bbe9f0a2bde9a3b4a674dde10c729
(cherry picked from commit
2e5d114a99cf162074f92fc390590da44084362d)
Jeff Janes [Thu, 17 Jan 2019 23:41:51 +0000 (18:41 -0500)]
rdbms: Remove references to pg_attrdef.adsrc in Postgres code
PostgreSQL v12 will remove the long-deprecated column
pg_attrdef.adsrc. The supported way to introspect into column
default values is pg_get_expr(adbin, adrelid), which works
back through all versions of PostgreSQL supported by wikimedia.
Changing to the supported method will allow the upcoming v12 of the
database to be used while maintaining compatibility with older
versions, without needing to write version-specific code.
This patch has been tested with maintenance/update.php and
with phpunit in PostgreSQL versions 9.2, 11, and 12dev. It does
not harm the first two, and fixes errors that would otherwise
arise in the dev version. All unit tests which pass under version
11 now pass under 12dev as well.
Bug: T237931
Change-Id: I874d347fd286b26773113d4f0c6c30d9a4055ad3
(cherry picked from commit
27d342ef4bd31da48b0e10655daf1320e3d00b50)
Ariel T. Glenn [Thu, 13 Jun 2019 14:18:58 +0000 (17:18 +0300)]
when getting file (img) properties, suppress whines that it's not xml
Imports eventually succeed but the log fills up with stack traces
needlessly.
Bug: T206013
Change-Id: Icb004954272ea8fc6fbc4fd5090cd1310d66946c
(cherry picked from commit
c9a05a70433ca420a52dd86eefd4feb4529d7e49)
jenkins-bot [Mon, 4 Nov 2019 18:21:05 +0000 (18:21 +0000)]
Merge "Update RELEASE-NOTES" into REL1_31
Reedy [Mon, 4 Nov 2019 18:12:01 +0000 (18:12 +0000)]
Update RELEASE-NOTES
Change-Id: If2b247a03cf293ea7441786bbd8d1cb849b19c7d
mszabo-wikia [Wed, 14 Mar 2018 14:38:14 +0000 (15:38 +0100)]
Do not insert page titles into querycache.qc_value
querycache.qc_value column is used to store a numeric value related
to the query results, generally a COUNT(*) aggregation or timestamp,
but some query pages insert the page title here after passing it through
PHP's intval() function to parse it into a number.
While this will cause 0 to be inserted for pages whose title is not numeric
(i.e. most titles), a DB error may occur for numeric page titles that exceed
the maximum value for unsigned integers, depending on relevant DB settings,
such as MySQL's strict mode.[1]
This patch changes query pages not to insert page titles into the qc_value
column. Also, it adds the getOrderFields() method to query pages that were
missing them, to ensure that the result set inserted into the querycache
table is correctly ordered by title.
---
[1] https://dev.mysql.com/doc/refman/8.0/en/sql-mode.html#sql-mode-strict
Bug: T181658
Change-Id: I1ef297257c6f419826ba4ffc6e875389ccec46db
Reedy [Thu, 17 Oct 2019 23:58:59 +0000 (00:58 +0100)]
Update git submodules
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_31'
to
12fbfd414c02116376b68fbd43f16563eae6ca19
- Update README to match pygments version
Bug: T235808
Change-Id: Iea9a1bc566f67507414f7f2a4fdfd89c8433b7fd
Follows-Up: I4dc1782f19881ba1294308e1cdea1b2e063f438a
(cherry picked from commit
e286f3be4fada723e8a4cd32db2e56d32397f8d3)
Reedy [Fri, 11 Oct 2019 23:56:30 +0000 (00:56 +0100)]
Start RELEASE-NOTES for 1.31.6
Change-Id: I6601d37f97e4a3089fdcb72a30942cdcea539bf5
Reedy [Fri, 11 Oct 2019 23:51:25 +0000 (00:51 +0100)]
Prepare 1.31.5
Change-Id: I7e0279e9bf00b7658356914ba7fbe27f89a23b3c
Brian Wolff [Mon, 8 Apr 2019 02:24:57 +0000 (02:24 +0000)]
Make Installer::parse not be parseAsBlock
Previously all the checkboxes had newlines before their labels
which looked really broken.
Change-Id: I5e17524d90d10867ed27553a90cfb246984486d3
Reedy [Fri, 11 Oct 2019 23:36:47 +0000 (00:36 +0100)]
PermissionManager doesn't exist in 1.33, so we cannot use it in 1.31
Followup T230402, PermissionManager doesn't exist until 1.33, so fix the
backported patches to use User::isAllowed() instead.
Change-Id: Ia73bf71293d67f97fb5086ffc0384307568d4d43
Reedy [Sat, 21 Sep 2019 21:34:18 +0000 (22:34 +0100)]
Start RELEASE-NOTES for 1.31.5
Change-Id: If32a0fdcbf9e319b06ff529e74d992756dce1f95
Reedy [Sat, 21 Sep 2019 21:33:26 +0000 (22:33 +0100)]
Prepare 1.31.4
Change-Id: I21a8dbeed30df0e8d3a1063e8d10eaa5e9c9ad77
Brad Jorsch [Wed, 21 Nov 2018 16:13:52 +0000 (11:13 -0500)]
SQLite: Make patch-add-3d.sql a no-op
On a fresh install, update.php will apply patch-add-3d.sql even though
it doesn't need to. But this partially wipes out the new schema from
tables.sql, and the omnibus comment and actor table patched don't detect
this, leading to image, oldimage, and filearchive missing the new
fields.
Since SQLite doesn't actually care about the values in the ENUM type
(it's just an alias for TEXT), let's just make patch-add-3d.sql do
nothing.
Change-Id: I335cb8d9626f535a66b0fe18e051640b22848ef7
Reedy [Sat, 28 Sep 2019 14:48:19 +0000 (15:48 +0100)]
Split down patch-actor-table.sql
Bug: T227662
Change-Id: I024ff1d6f4c2726242138ba7e7f19480d9d2b948
Brad Jorsch [Wed, 28 Nov 2018 18:53:17 +0000 (13:53 -0500)]
SQLite: Split actor and comment filearchive updates to a separate file
On a fresh install, update.php will apply patch-editsummary-length.sql
even though it doesn't need to. But this partially wipes out the new schema from
tables.sql, and the omnibus comment and actor table patches don't detect
this, leading to filearchive missing the new fields.
Unlike the case with patch-add-3d.sql in I335cb8d9, here the patch does
make a change (if only a tiny one): fa_deleted_reason changes from TEXT
to BLOB.
Change-Id: I08047ff1207d471660365c0eb3faabc0b47746bb
Reedy [Thu, 15 Aug 2019 13:36:53 +0000 (14:36 +0100)]
Split down patch-comment-table.sql
Bug: T227662
Change-Id: I7617616df57f7468d06e9b52426b6851bfef0e7d
Reedy [Sat, 21 Sep 2019 21:15:41 +0000 (22:15 +0100)]
Update RELEASE-NOTES
Change-Id: Iba71a248ecbdc188c131609a5b65e004547c771e
sbassett [Tue, 27 Aug 2019 20:55:39 +0000 (15:55 -0500)]
dispatchUser() should use a 302 http status code
dispatchUser() in SpecialRedirect.php should use a 302 http
status code instead of a 301 to avoid certain caching issues.
Bug: T231386
Change-Id: Idb0cb21cc81d73bb9f77fc211af9cfd8b4f71e7d
(cherry picked from commit
02f35caa16fa574bb36a1d22eea62c3b250de235)
Brian Wolff [Fri, 1 Feb 2019 01:54:08 +0000 (01:54 +0000)]
Cache redirects from Special:Redirect
People sometimes link these from high traffic places, so it is
important to cache in varnish.
File's with height can change so only cache that for 10 seconds.
Also change from 302 to 301.
Change-Id: I87a60c812cd1aa78a36359090c0cb8390be7183f
(cherry picked from commit
f661f3373eb500949b7e421b0df5a955d2904809)
Umherirrender [Sat, 18 Aug 2018 02:37:59 +0000 (04:37 +0200)]
Give more specific error messages on Special:Redirect
Added some basic tests
Bug: T202183
Change-Id: Ib0dd50ff5575a2b2093a57afce79e9f8623fa24d
(cherry picked from commit
114e6547dea1a2508fe24889d65221af0163622a)
Thalia [Tue, 17 Sep 2019 19:16:05 +0000 (20:16 +0100)]
Improve documentation for the MinimumPasswordLengthToLogin policy
Bug: T233119
Change-Id: I2d0fa6f7116b407cbf62ad93da73d0800c9d14f9
Reedy [Thu, 12 Sep 2019 11:22:20 +0000 (12:22 +0100)]
Update RELEASE-NOTES-1.31
Change-Id: Idcec102a3bd9e3a6c83755fd429a687d5dce1066
Derk-Jan Hartman [Wed, 11 Sep 2019 22:12:22 +0000 (00:12 +0200)]
Fix XMP parser errors due to trailing nullchar
JPEG files can have trailing \0 chars at the end of the XMP value. Use
trim() to remove these from the string value.
Bug: T118799
Change-Id: Id4ab223ef432e5d2c0dd3b4e332320db02422700
(cherry picked from commit
9ce26a564d066a33ba7ae2a6502e3d57e7e4d48b)
Jforrester [Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)]
Merge "SECURITY: Add permission check for suppressed account" into REL1_31
Gergő Tisza [Sat, 20 Apr 2019 00:12:59 +0000 (17:12 -0700)]
Add helper for HTTPFileStreamer header syntax
Adds a helper function for transforming an intuitive header array
to the peculiar syntax expected by HTTPFileStreamer and the related
FileRepo/FileBackend streaming methods.
Change-Id: Idac9281b0f1b3c93f4ec1d1c3f336db110e5d260
(cherry picked from commit
65648f5523c9d1b772106e16e2adf57870892bc7)
rxy [Tue, 13 Aug 2019 09:30:38 +0000 (18:30 +0900)]
SECURITY: Add permission check for suppressed account
Bug: T230402
Change-Id: I6a13859be81e5c746bdf0993eb5416fecdac2306
(cherry picked from commit
4356572546b2b4e8eefda9bf10943ba1b12526b9)
James Montalvo [Fri, 15 Mar 2019 04:03:29 +0000 (23:03 -0500)]
Add ImgAuthModifyHeaders hook to img_auth.php to modify headers
Change-Id: I3c6fd7b0c39d7fd52c484494233241093d152f88
Santhosh Thottingal [Tue, 23 Jul 2019 06:50:52 +0000 (12:20 +0530)]
Update LanguageTrTest::testDottedAndDotlessI for PHP 7.3
PHP 7.3+ uses Unicode CaseFolding.txt for case mappings. For Turkic
languages(tr,az) the dotted i is given as a special case and we need
to implement it specifically for tr and az.
Updated the documentation and refactored the lcfirst and ucfirst methods
to use arrays containing the above mentioned special cases.
Bug: T207100
Change-Id: I317f2ca66b0adeaa79bc0f9e3dea5edfcd5e4693
(cherry picked from commit
27b424066453d59eeceda48a43d51e4915da960d)
Reedy [Mon, 1 Jul 2019 23:40:46 +0000 (00:40 +0100)]
Add 1.31.4 section to RELEASE-NOTES
Change-Id: I20f691740d2e79914816b0a297027933f074280b
Reedy [Mon, 1 Jul 2019 23:40:03 +0000 (00:40 +0100)]
Prepare 1.31.3
Bug: T227046
Change-Id: I0758709c11c68bb46573198903c88ba390c8ec8d
Reedy [Sun, 30 Jun 2019 22:44:23 +0000 (23:44 +0100)]
Add missing RELEASE-NOTES entries
Change-Id: I55f69c01045be8752b396e3acc506e531aa9cc81
Reedy [Sun, 30 Jun 2019 16:47:53 +0000 (17:47 +0100)]
Fix SQLite patch-(page|template)links-fix-pk.sql column order
Bug: T202211
Change-Id: Ife673b88c23acdc1bfc04630715d18243471035f
Purdea Andrei [Sun, 13 Jan 2019 04:14:56 +0000 (06:14 +0200)]
Make sure database update succeeds from older database versions too.
Fixes the following error message when updating from an older database.
Renaming index il_from into PRIMARY to table imagelinks ...[
7dbf1dd298ecf39128707744] [no req] Wikimedia\Rdbms\DBQueryError from line 1149 of /home/zok/mediawiki-1.30.1/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?
Query: INSERT INTO imagelinks_tmp
SELECT * FROM imagelinks
Function: Wikimedia\Rdbms\Database::sourceFile( /home/zok/mediawiki-1.30.1/maintenance/sqlite/archives/patch-imagelinks-fix-pk.sql )
Error: 19 UNIQUE constraint failed: imagelinks_tmp.il_from, imagelinks_tmp.il_to
Explanation:
the "imagelinks" table used to have two fields: il_from and il_to.
At one point during the development of mediawiki a new field has been
added called il_from_namespace. This new filed is the second column
if the database is created from scratch, however if the database is
updated from an older version then the il_from_namespace column becomes
the 3rd column.
That means that some of the older databases will have the columns in the
following order:
(1) il_from, il_from_namespace, il_to
while some older ones, which have been updated will have the following
order:
(2) il_from, il_to, il_from_namespace
This shouldn't matter much, except the file modified in this commit
copies records from one table to another using the INSERT INTO ... SELECT
command without explicitly listing the column names.
The newly created table has the (1) order, but the source table
might sometimes have the (2) order.
Explicitly listing the column names solves all the issues.
Change-Id: I222b171495d14ae45339c4679e263f0ab610e826
(cherry picked from commit
68c298ed05ef7b5be8099ff272e6dea20d00e42b)
Reedy [Sun, 30 Jun 2019 17:18:24 +0000 (18:18 +0100)]
Remove jetbrains/phpstorm-stubs from composer dev dependancies
Bug: T226766
Change-Id: I8f985996dcc780a8307c4d1ef9a1d6e2b9f1a1d0
Timo Tijhof [Thu, 13 Jun 2019 14:06:43 +0000 (15:06 +0100)]
installer: Detect APC for MainCacheType in CLI installer
The web installer did this already, but with the CLI installer,
the generated LocalSettings.php always contained the following
hardcoded:
$wgMainCacheType = CACHE_NONE;
Combined with the fact that in WMF CI, the generated local settings
is applied *after* the inclusion of Quibble settings and
DevelopmentSettings, meant that it was not possible to enable
object caching.
For now, make it match the behaviour of the web installer and thus
output $wgMainCacheType = CACHE_ACCELL if we detect a supported
implementation in the PHP runtime.
For later we should probably:
* Make this an option to install.php,
* or, change Quibble to append its overrides, instead of
prepending. So that DevelopmentSettings actually after the
generated LocalSettings.
Bug: T225496
Change-Id: I3f43cd054ce71d0f1b2395302e8ef9ee2f6b01c2
(cherry picked from commit
7e0fb4fff6a247802c2209df48cf9fab8bfb8563)
Leszek Manicki [Mon, 17 Jun 2019 09:11:39 +0000 (11:11 +0200)]
Disable rate limiting in Development Settings
Bug: T225796
Change-Id: I2475a04066d4aaefeba372bd223ef68548a8cf18
Karsten Hoffmeyer [Tue, 11 Jun 2019 19:24:16 +0000 (21:24 +0200)]
Installer: Update link to PHP intl away from old PECL package
PHP 5.5 was the last version supported by PECL intl package. Now the
PHP intl extension is used instead.
Bug: T225558
Change-Id: I68cb7a549c899e69da9a8cfea5a69b9acb41e8ae
(cherry picked from commit
7f0f6af2902cb7cf1406df5b8ee8cd12a5a88f1f)
Reedy [Tue, 28 May 2019 23:43:59 +0000 (00:43 +0100)]
1.31.3 RELEASE-NOTES section
Change-Id: I8bc00c2274018f5d7051b34cdd162c001c58061c
Reedy [Tue, 28 May 2019 23:39:18 +0000 (00:39 +0100)]
Prepare 1.31.2
Change-Id: I0e6ef5f4a51adbe20631265a693c86f2114859d4
Reedy [Tue, 28 May 2019 23:38:44 +0000 (00:38 +0100)]
Add RELEASE-NOTES for security patches
Change-Id: I9032e202505fb77a7d4abea6662ef4f8fa49e0dd
James D. Forrester [Thu, 25 Apr 2019 21:12:52 +0000 (16:12 -0500)]
SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358
Patch taken from https://github.com/DanielRuf/snyk-js-jquery-174006?files=1.
Bug: T221739
Change-Id: I99c2be81c74a8f1d35c421f0ee43c75efb30a7d0
rxy [Sun, 28 Apr 2019 20:14:18 +0000 (05:14 +0900)]
SECURITY: Add permission check for user is permitted to view the log type
Bug: T222038
Change-Id: I92ec2adfd9c514b3be1c07b7d22b9f9722d24a82
rxy [Sun, 28 Apr 2019 20:04:01 +0000 (05:04 +0900)]
SECURITY: Add permission check for user is permitted to view the log type
Bug: T222036
Change-Id: I7584ee8db23a8834bbab21e355cab9857a293f72
Lucas Werkmeister [Mon, 17 Dec 2018 13:02:39 +0000 (14:02 +0100)]
SECURITY: Fix cache mode for (un)patrolled recent changes query
Restricting the list of recent changes to patrolled, not patrolled,
autopatrolled, not autopatrolled, or unpatrolled recent changes requires
special permissions (as does displaying that status in the properties of
returned entries), but we only set the cache mode to private in the
first two cases.
Bug: T212118
Change-Id: I4c3fe6e47f80ebf97fa37875c704328d08772d26
Kunal Mehta [Fri, 13 Jul 2018 15:07:51 +0000 (08:07 -0700)]
SECURITY: API: Respect $wgBlockCIDRLimit in action=block
$wgBlockCIDRLimit states how large rangeblocks are allowed to be for IPv4
and IPv6. The API now calls SpecialBlock::validateTarget() to perform
that validation step.
As a minor thing, SpecialBlock::checkUnblockSelf() is now called twice by
the API, but that can probably be cleaned up at another time.
Tests included.
Bug: T199540
Change-Id: Ic7d60240d9ebd9580c0eb3b41e4befceab69bd81
Brian Wolff [Wed, 21 Nov 2018 16:15:28 +0000 (16:15 +0000)]
SECURITY: rate-limit and prevent blocked users from changing email
This is to counter spam where people use Special:ChangeEmail to
spam people with the confirmation email and using the username
to promote their thing
Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3
Max Semenik [Wed, 7 Nov 2018 02:38:22 +0000 (18:38 -0800)]
SECURITY: blacklist CSS var()
Bug: T208881
Change-Id: I9a4ced2bc47eb5f96cf35e693bf5261c48acb126
Brian Wolff [Fri, 15 Jun 2018 08:19:49 +0000 (08:19 +0000)]
SECURITY: Fix reauth in Special:ChangeEmail
Previously you could bypass reauthentication by directly
POSTing to Special:ChangeEmail.
Bug: T197279
Change-Id: I674557351e0e91a8105c12ddf6cd30283aac9f7a
James D. Forrester [Tue, 7 May 2019 19:43:54 +0000 (12:43 -0700)]
selenium: wdio-mocha-framework now v0.6.4
Bug: T213268
Bug: T222406
Change-Id: I5935fc5d5bc23978e50275d3c99ac870b3b82f49
Brad Jorsch [Wed, 9 May 2018 18:53:32 +0000 (14:53 -0400)]
Add getLoginSecurityLevel() support to FormSpecialPage
The base SpecialPage will handle reauthentication automatically if you
just implement getLoginSecurityLevel() to return an appropriate string.
But it doesn't work with FormSpecialPage, and if you try calling
checkLoginSecurityLevel() manually it'll lose any post data if the
reauth happens when the form is posted.
So this patch has SpecialPage::checkLoginSecurityLevel() preserve post
data across reauth (using logic similar to that in AuthManagerSpecialPage),
and has FormSpecialPage call checkLoginSecurityLevel() in the same
way the base SpecialPage does.
It also fixes the SpecialPage logic to not call
checkLoginSecurityLevel() when the special page doesn't implement
getLoginSecurityLevel(), as was the originally-intended behavior.
Apparently almost nothing actually gets to SpecialPage::execute() or
this would probably have been noticed already.
Change-Id: Ic89dc1b6583aaecd2efe3f5109896148a188c271
(cherry picked from commit
bfc4e41636aca33b943f8522024bd9f8eeac1977)
Reedy [Tue, 28 May 2019 22:27:12 +0000 (23:27 +0100)]
Add/update RELEASE-NOTES to match commits
Change-Id: Ib260482dcbab92610b978744c98bc3a94940dcab
Reedy [Sun, 26 May 2019 19:14:03 +0000 (20:14 +0100)]
Make config-outdated-sqlite parameter numbers consistent with config-*-old
Bug: T224374
Change-Id: Iebfb8299234cc9c66db0ecc4abd0c0a32af63602
Reedy [Thu, 23 May 2019 23:16:42 +0000 (00:16 +0100)]
resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies()
Follows-up
e7b57d881a, which changed it from replace() to upsert()
but lost one of the wrapping arrays in doing so.
Previously updated many more rows than expected on Postgresql, when it
should only be updating individual rows, not all rows that match either
criteria.
SQL query before:
WHERE ((md_module = 'jquery.makeCollapsible.styles') OR (md_skin = 'vector|en-gb'))
SQL query after:
WHERE ((md_module = 'jquery.makeCollapsible.styles' AND md_skin = 'vector|en-gb'))
Not a problem on MySQL as upsert() is implemented differently there.
Bug: T222385
Change-Id: If8a458bf4543b297b3a06f31e09c0e77666bf7e6
jenkins-bot [Sat, 11 May 2019 02:44:53 +0000 (02:44 +0000)]
Merge "Update cssjanus/cssjanus from 1.2.0 to 1.3.0" into REL1_31
Reedy [Sat, 11 May 2019 02:10:14 +0000 (03:10 +0100)]
Update git submodules
* Update vendor from branch 'REL1_31'
to
1521f359a06aed626e860285769ed78a7152cdec
- Update cssjanus/cssjanus from 1.2.0 to 1.3.0
https://github.com/cssjanus/php-cssjanus/releases/tag/v1.3.0
https://github.com/cssjanus/php-cssjanus/compare/v1.2.0...v1.3.0
Change-Id: Id8aba2d9e99671a9c45e02b271dbf290a11228d7
Reedy [Sat, 11 May 2019 02:18:13 +0000 (03:18 +0100)]
Update cssjanus/cssjanus from 1.2.0 to 1.3.0
https://github.com/cssjanus/php-cssjanus/releases/tag/v1.3.0
https://github.com/cssjanus/php-cssjanus/compare/v1.2.0...v1.3.0
Change-Id: I352f79f6f34279e669057aee7c2f1570800c8a11
Depends-On: Id8aba2d9e99671a9c45e02b271dbf290a11228d7
Brad Jorsch [Thu, 25 Apr 2019 13:49:01 +0000 (09:49 -0400)]
ApiLogout: Follow up Icb674095
This implements getWebUITokenSalt(), as mentioned in T25227#
2008199 and
implemented in
F3328897. Somehow it didn't make it into Icb674095.
This also fixes some issues in the unit test:
* Properly link the user to the request's Session so User::doLogout()
won't log a warning. This also gives use to the otherwise-unneeded
implementation of setUp(), and lets us get rid of the broken call to
User::newFromId() that was passing an IP address rather than a user ID.
* Privatize some internal methods.
* Use setExpectedApiException() instead of manually catching and
hard-coding the English exception message.
* Also assert that the bad token error didn't result in a logout.
Bug: T25227
Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2
Aryeh Gregor [Tue, 31 Jul 2018 13:19:10 +0000 (16:19 +0300)]
New helper ApiTestCase::setExpectedApiException()
This allows setting the expected exception message by the message key,
not text, so it remains correct if the message is updated. This
function could be defined to work with other exception types too, but it
seems useful to have shortcuts for common types like ApiUsageException
or MWException.
Change-Id: Ic86278e9e1e91eea0c045d2b93342f018e1d8e66
sbassett [Tue, 16 Apr 2019 22:09:43 +0000 (17:09 -0500)]
[SECURITY] [API BREAKING CHANGE] Require logout token.
Special:Userlogout now requires a token
Api action=logout requires a csrf token and the request to be POSTed
Patch author: bawolff
Bug: T25227
Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774
rxy [Mon, 1 Apr 2019 07:04:40 +0000 (16:04 +0900)]
Add support for new Japanese era name "Reiwa"
Bug: T219728
Change-Id: I28c26291c38e7e6c167011472236fb81a8adf032
Max Semenik [Mon, 18 Mar 2019 05:42:42 +0000 (22:42 -0700)]
Urlencode fragments when redirecting after editing
This is a quick fix for the main symptom of the Chrome bug that results in
users being redirected to Special:BadTitle after section editing. We'll
need to discuss a more permanent solution.
Bug: T216029
Change-Id: I4b2d42ebc74031df86bc52310da71819da11c1ae
Gergő Tisza [Thu, 21 Mar 2019 16:00:49 +0000 (09:00 -0700)]
Rearrange code in User::getBlockedStatus to avoid isAllowed calls
User::isAllowed() triggers session loading, which results in a loop
if it is called during session loading. Session providers need to
check block status when $wgBlockDisablesLogin is enabled, so try to
avoid isAllowed calls in that situation.
Bug: T218608
Change-Id: Iab24923c613d6aeed4b574f587fc4cee8f33077c
Gergő Tisza [Mon, 18 Mar 2019 21:50:48 +0000 (14:50 -0700)]
Replace $wgUser with RequestContext::getUser in User::getBlockedStatus
$wgUser is not guaranteed to exist until MediaWiki has been fully
initialized; block status needs to be checked early on for
authentication-related permission checks.
Bug: T218608
Change-Id: I16315c071855024bc0412d5360c95f843420d9a9
Brad Jorsch [Mon, 2 Jul 2018 17:52:49 +0000 (13:52 -0400)]
Update git submodules
* Update extensions/Renameuser from branch 'REL1_31'
to
21f254948a422f367b397cc842dce85f521f83ff
- Fix incorrect usage in RenameUserJob
Too many rewrites of that code while I was writing it.
Also, no idea why that was passing false to in_array()'s $strict
parameter.
Bug: T198285
Change-Id: Ib4ab555f53f5ffa95ef7c974c3a53f33a34d2ad5
(cherry picked from commit
130b99c4613058dfda0a9532c9794f516933b8b6)
Jack Phoenix [Wed, 6 Mar 2019 09:07:26 +0000 (11:07 +0200)]
user_group, the nonexistent table that keeps on giving
Follow-up to
27c61fb1e94da9114314468fd00bcf129ec064b6.
Bug: T199474
Change-Id: Ie8e054f5898209c51538669149e966bee7754f1e
Jack Phoenix [Tue, 5 Mar 2019 23:13:59 +0000 (01:13 +0200)]
Fix a rather fatal typo in rebuildrecentchanges.php
The JOIN condition was being ignored because there is no table called "user_group" in MediaWiki core.
Thus if and when using $wgSharedDB, the query would end up listing *all* registered users from the shared user table.
And even without $wgSharedDB, running rebuildrecentchanges.php would result in everyone's edits being marked as bot edits (recentchanges.rc_bot = 1) and thus hidden from the Special:RecentChanges page.
Thanks to Lcawte for reporting this bug.
Follow-up to
27c61fb1e94da9114314468fd00bcf129ec064b6
Change-Id: I18d658b67c50f2200341f732783c2e7524dd27f1
Aaron Schulz [Wed, 20 Feb 2019 00:26:10 +0000 (16:26 -0800)]
Backport WikiMap/JobQueueGroup logic to handle hyphenated DB names
Although the documentation in DefaultSettings.php states that such
cases should be avoided, some common cases and code paths can be
made to work easily enough.
Partially cherry-picked from
dcd0a3d53,
51945dbca3594, and
5196ac32c6.
Bug: T204423
Change-Id: Ia3c5855b18b98d9fc5bc02fe68358cfa52ccbce1
Reedy [Tue, 26 Feb 2019 14:48:05 +0000 (14:48 +0000)]
RELEASE-NOTES for last two commits
Change-Id: I119b88499bdd59f58295473523b1a0974c0c1476
Brad Jorsch [Wed, 20 Feb 2019 15:22:26 +0000 (10:22 -0500)]
DatabasePostgres: Ignore "IGNORE" option to update()
PostgreSQL doesn't support anything like this. For now, avoid generating
invalid SQL by just ignoring the option. If we come up with a use case
someday, that can guide implementation of a workalike.
Bug: T215169
Change-Id: I1409c80b39834d1977c82c489226255a8cc93fd0
(cherry picked from commit
814605a979633fc37bcfa8319ddbfe627a66a308)
Reedy [Mon, 25 Feb 2019 00:18:47 +0000 (00:18 +0000)]
Return the page_id in list=langbacklinks as an int
Bug: T216968
Change-Id: I5b16779be7b24b1e46d4787a82a8daa3611f67b1
setian [Sun, 24 Feb 2019 21:43:33 +0000 (16:43 -0500)]
Return the page_id in list=iwbacklinks as an int rather than string
Bug: T216968
Change-Id: I6645c5f1c6e76be3187c24053ed430e99c03bff4
dépôts / lhc / web / wiklou.git / log