2 years ago SECURITY: Add permission check for user is permitted to view the log type
rxy [Sun, 28 Apr 2019 20:14:18 +0000 (05:14 +0900)]
SECURITY: Add permission check for user is permitted to view the log type

Bug: T222038
Change-Id: I92ec2adfd9c514b3be1c07b7d22b9f9722d24a82

2 years ago SECURITY: Add permission check for user is permitted to view the log type
rxy [Sun, 28 Apr 2019 20:04:01 +0000 (05:04 +0900)]
SECURITY: Add permission check for user is permitted to view the log type

Bug: T222036
Change-Id: I7584ee8db23a8834bbab21e355cab9857a293f72

2 years ago SECURITY: Fix cache mode for (un)patrolled recent changes query
Lucas Werkmeister [Mon, 17 Dec 2018 13:02:39 +0000 (14:02 +0100)]
SECURITY: Fix cache mode for (un)patrolled recent changes query

Restricting the list of recent changes to patrolled, not patrolled,
autopatrolled, not autopatrolled, or unpatrolled recent changes requires
special permissions (as does displaying that status in the properties of
returned entries), but we only set the cache mode to private in the
first two cases.

Bug: T212118
Change-Id: I4c3fe6e47f80ebf97fa37875c704328d08772d26

2 years ago SECURITY: API: Respect $wgBlockCIDRLimit in action=block
Kunal Mehta [Fri, 13 Jul 2018 15:07:51 +0000 (08:07 -0700)]
SECURITY: API: Respect $wgBlockCIDRLimit in action=block

$wgBlockCIDRLimit states how large rangeblocks are allowed to be for IPv4
and IPv6. The API now calls SpecialBlock::validateTarget() to perform
that validation step.

As a minor thing, SpecialBlock::checkUnblockSelf() is now called twice by
the API, but that can probably be cleaned up at another time.

Tests included.

Bug: T199540
Change-Id: Ic7d60240d9ebd9580c0eb3b41e4befceab69bd81

2 years ago SECURITY: rate-limit and prevent blocked users from changing email
Brian Wolff [Wed, 21 Nov 2018 16:15:28 +0000 (16:15 +0000)]
SECURITY: rate-limit and prevent blocked users from changing email

This is to counter spam where people use Special:ChangeEmail to
spam people with the confirmation email and using the username
to promote their thing

Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3

2 years ago SECURITY: blacklist CSS var()
Max Semenik [Wed, 7 Nov 2018 02:38:22 +0000 (18:38 -0800)]
SECURITY: blacklist CSS var()

Bug: T208881
Change-Id: I9a4ced2bc47eb5f96cf35e693bf5261c48acb126

2 years ago SECURITY: Fix reauth in Special:ChangeEmail
Brian Wolff [Fri, 15 Jun 2018 08:19:49 +0000 (08:19 +0000)]
SECURITY: Fix reauth in Special:ChangeEmail

Previously you could bypass reauthentication by directly
POSTing to Special:ChangeEmail.

Bug: T197279
Change-Id: I674557351e0e91a8105c12ddf6cd30283aac9f7a

2 years ago selenium: wdio-mocha-framework now v0.6.4
James D. Forrester [Tue, 7 May 2019 19:43:54 +0000 (12:43 -0700)]
selenium: wdio-mocha-framework now v0.6.4

Bug: T213268
Bug: T222406
Change-Id: I5935fc5d5bc23978e50275d3c99ac870b3b82f49

2 years ago Add getLoginSecurityLevel() support to FormSpecialPage
Brad Jorsch [Wed, 9 May 2018 18:53:32 +0000 (14:53 -0400)]
Add getLoginSecurityLevel() support to FormSpecialPage

The base SpecialPage will handle reauthentication automatically if you
just implement getLoginSecurityLevel() to return an appropriate string.

But it doesn't work with FormSpecialPage, and if you try calling
checkLoginSecurityLevel() manually it'll lose any post data if the
reauth happens when the form is posted.

So this patch has SpecialPage::checkLoginSecurityLevel() preserve post
data across reauth (using logic similar to that in AuthManagerSpecialPage),
and has FormSpecialPage call checkLoginSecurityLevel() in the same
way the base SpecialPage does.

It also fixes the SpecialPage logic to not call
checkLoginSecurityLevel() when the special page doesn't implement
getLoginSecurityLevel(), as was the originally-intended behavior.
Apparently almost nothing actually gets to SpecialPage::execute() or
this would probably have been noticed already.

Change-Id: Ic89dc1b6583aaecd2efe3f5109896148a188c271
(cherry picked from commit bfc4e41636aca33b943f8522024bd9f8eeac1977)

2 years ago Add/update RELEASE-NOTES to match commits
Reedy [Tue, 28 May 2019 22:27:12 +0000 (23:27 +0100)]
Add/update RELEASE-NOTES to match commits

Change-Id: Ib260482dcbab92610b978744c98bc3a94940dcab

2 years ago Make config-outdated-sqlite parameter numbers consistent with config-*-old
Reedy [Sun, 26 May 2019 19:14:03 +0000 (20:14 +0100)]
Make config-outdated-sqlite parameter numbers consistent with config-*-old

Bug: T224374
Change-Id: Iebfb8299234cc9c66db0ecc4abd0c0a32af63602

2 years ago resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies()
Reedy [Thu, 23 May 2019 23:16:42 +0000 (00:16 +0100)]
resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies()

Follows-up e7b57d881a, which changed it from replace() to upsert()
but lost one of the wrapping arrays in doing so.

Previously updated many more rows than expected on Postgresql, when it
should only be updating individual rows, not all rows that match either

SQL query before:
 WHERE ((md_module = 'jquery.makeCollapsible.styles') OR (md_skin = 'vector|en-gb'))

SQL query after:
 WHERE ((md_module = 'jquery.makeCollapsible.styles' AND md_skin = 'vector|en-gb'))

Not a problem on MySQL as upsert() is implemented differently there.

Bug: T222385
Change-Id: If8a458bf4543b297b3a06f31e09c0e77666bf7e6

2 years ago Merge "Update cssjanus/cssjanus from 1.2.0 to 1.3.0" into REL1_31
jenkins-bot [Sat, 11 May 2019 02:44:53 +0000 (02:44 +0000)]
Merge "Update cssjanus/cssjanus from 1.2.0 to 1.3.0" into REL1_31

2 years ago Update git submodules
Reedy [Sat, 11 May 2019 02:10:14 +0000 (03:10 +0100)]
Update git submodules

* Update vendor from branch 'REL1_31'
  to 1521f359a06aed626e860285769ed78a7152cdec
  - Update cssjanus/cssjanus from 1.2.0 to 1.3.0


    Change-Id: Id8aba2d9e99671a9c45e02b271dbf290a11228d7

2 years ago Update cssjanus/cssjanus from 1.2.0 to 1.3.0
Reedy [Sat, 11 May 2019 02:18:13 +0000 (03:18 +0100)]
Update cssjanus/cssjanus from 1.2.0 to 1.3.0


Change-Id: I352f79f6f34279e669057aee7c2f1570800c8a11
Depends-On: Id8aba2d9e99671a9c45e02b271dbf290a11228d7

2 years ago ApiLogout: Follow up Icb674095
Brad Jorsch [Thu, 25 Apr 2019 13:49:01 +0000 (09:49 -0400)]
ApiLogout: Follow up Icb674095

This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and
implemented in F3328897. Somehow it didn't make it into Icb674095.

This also fixes some issues in the unit test:
* Properly link the user to the request's Session so User::doLogout()
  won't log a warning. This also gives use to the otherwise-unneeded
  implementation of setUp(), and lets us get rid of the broken call to
  User::newFromId() that was passing an IP address rather than a user ID.
* Privatize some internal methods.
* Use setExpectedApiException() instead of manually catching and
  hard-coding the English exception message.
* Also assert that the bad token error didn't result in a logout.

Bug: T25227
Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2

2 years ago New helper ApiTestCase::setExpectedApiException()
Aryeh Gregor [Tue, 31 Jul 2018 13:19:10 +0000 (16:19 +0300)]
New helper ApiTestCase::setExpectedApiException()

This allows setting the expected exception message by the message key,
not text, so it remains correct if the message is updated.  This
function could be defined to work with other exception types too, but it
seems useful to have shortcuts for common types like ApiUsageException
or MWException.

Change-Id: Ic86278e9e1e91eea0c045d2b93342f018e1d8e66

2 years ago [SECURITY] [API BREAKING CHANGE] Require logout token.
sbassett [Tue, 16 Apr 2019 22:09:43 +0000 (17:09 -0500)]
[SECURITY] [API BREAKING CHANGE] Require logout token.

Special:Userlogout now requires a token

Api action=logout requires a csrf token and the request to be POSTed

Patch author: bawolff

Bug: T25227
Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774

2 years ago Add support for new Japanese era name "Reiwa"
rxy [Mon, 1 Apr 2019 07:04:40 +0000 (16:04 +0900)]
Add support for new Japanese era name "Reiwa"

Bug: T219728
Change-Id: I28c26291c38e7e6c167011472236fb81a8adf032

2 years ago Urlencode fragments when redirecting after editing
Max Semenik [Mon, 18 Mar 2019 05:42:42 +0000 (22:42 -0700)]
Urlencode fragments when redirecting after editing

This is a quick fix for the main symptom of the Chrome bug that results in
users being redirected to Special:BadTitle after section editing. We'll
need to discuss a more permanent solution.

Bug: T216029
Change-Id: I4b2d42ebc74031df86bc52310da71819da11c1ae

2 years ago Rearrange code in User::getBlockedStatus to avoid isAllowed calls
Gergő Tisza [Thu, 21 Mar 2019 16:00:49 +0000 (09:00 -0700)]
Rearrange code in User::getBlockedStatus to avoid isAllowed calls

User::isAllowed() triggers session loading, which results in a loop
if it is called during session loading. Session providers need to
check block status when $wgBlockDisablesLogin is enabled, so try to
avoid isAllowed calls in that situation.

Bug: T218608
Change-Id: Iab24923c613d6aeed4b574f587fc4cee8f33077c

2 years ago Replace $wgUser with RequestContext::getUser in User::getBlockedStatus
Gergő Tisza [Mon, 18 Mar 2019 21:50:48 +0000 (14:50 -0700)]
Replace $wgUser with RequestContext::getUser in User::getBlockedStatus

$wgUser is not guaranteed to exist until MediaWiki has been fully
initialized; block status needs to be checked early on for
authentication-related permission checks.

Bug: T218608
Change-Id: I16315c071855024bc0412d5360c95f843420d9a9

2 years ago Update git submodules
Brad Jorsch [Mon, 2 Jul 2018 17:52:49 +0000 (13:52 -0400)]
Update git submodules

* Update extensions/Renameuser from branch 'REL1_31'
  to 21f254948a422f367b397cc842dce85f521f83ff
  - Fix incorrect usage in RenameUserJob

    Too many rewrites of that code while I was writing it.

    Also, no idea why that was passing false to in_array()'s $strict

    Bug: T198285
    Change-Id: Ib4ab555f53f5ffa95ef7c974c3a53f33a34d2ad5
    (cherry picked from commit 130b99c4613058dfda0a9532c9794f516933b8b6)

2 years ago user_group, the nonexistent table that keeps on giving
Jack Phoenix [Wed, 6 Mar 2019 09:07:26 +0000 (11:07 +0200)]
user_group, the nonexistent table that keeps on giving

Follow-up to 27c61fb1e94da9114314468fd00bcf129ec064b6.

Bug: T199474
Change-Id: Ie8e054f5898209c51538669149e966bee7754f1e

2 years ago Fix a rather fatal typo in rebuildrecentchanges.php
Jack Phoenix [Tue, 5 Mar 2019 23:13:59 +0000 (01:13 +0200)]
Fix a rather fatal typo in rebuildrecentchanges.php

The JOIN condition was being ignored because there is no table called "user_group" in MediaWiki core.
Thus if and when using $wgSharedDB, the query would end up listing *all* registered users from the shared user table.
And even without $wgSharedDB, running rebuildrecentchanges.php would result in everyone's edits being marked as bot edits (recentchanges.rc_bot = 1) and thus hidden from the Special:RecentChanges page.

Thanks to Lcawte for reporting this bug.

Follow-up to 27c61fb1e94da9114314468fd00bcf129ec064b6

Change-Id: I18d658b67c50f2200341f732783c2e7524dd27f1

2 years ago Backport WikiMap/JobQueueGroup logic to handle hyphenated DB names
Aaron Schulz [Wed, 20 Feb 2019 00:26:10 +0000 (16:26 -0800)]
Backport WikiMap/JobQueueGroup logic to handle hyphenated DB names

Although the documentation in DefaultSettings.php states that such
cases should be avoided, some common cases and code paths can be
made to work easily enough.

Partially cherry-picked from dcd0a3d5351945dbca3594, and 5196ac32c6.

Bug: T204423
Change-Id: Ia3c5855b18b98d9fc5bc02fe68358cfa52ccbce1

2 years ago RELEASE-NOTES for last two commits
Reedy [Tue, 26 Feb 2019 14:48:05 +0000 (14:48 +0000)]
RELEASE-NOTES for last two commits

Change-Id: I119b88499bdd59f58295473523b1a0974c0c1476

2 years ago DatabasePostgres: Ignore "IGNORE" option to update()
Brad Jorsch [Wed, 20 Feb 2019 15:22:26 +0000 (10:22 -0500)]
DatabasePostgres: Ignore "IGNORE" option to update()

PostgreSQL doesn't support anything like this. For now, avoid generating
invalid SQL by just ignoring the option. If we come up with a use case
someday, that can guide implementation of a workalike.

Bug: T215169
Change-Id: I1409c80b39834d1977c82c489226255a8cc93fd0
(cherry picked from commit 814605a979633fc37bcfa8319ddbfe627a66a308)

2 years ago Return the page_id in list=langbacklinks as an int
Reedy [Mon, 25 Feb 2019 00:18:47 +0000 (00:18 +0000)]
Return the page_id in list=langbacklinks as an int

Bug: T216968
Change-Id: I5b16779be7b24b1e46d4787a82a8daa3611f67b1

2 years ago Return the page_id in list=iwbacklinks as an int rather than string
setian [Sun, 24 Feb 2019 21:43:33 +0000 (16:43 -0500)]
Return the page_id in list=iwbacklinks as an int rather than string

Bug: T216968
Change-Id: I6645c5f1c6e76be3187c24053ed430e99c03bff4

2 years ago Backfill release notes for Iaf531795
Gergő Tisza [Tue, 20 Nov 2018 20:38:32 +0000 (20:38 +0000)]
Backfill release notes for Iaf531795

Change-Id: Ida5491d2376fc28e75c8887feb213e301991e115

2 years ago Update required PHP version to 7.0.13
James D. Forrester [Thu, 14 Feb 2019 19:29:48 +0000 (11:29 -0800)]
Update required PHP version to 7.0.13

Bug: T209423
Change-Id: I66e563adb062bc132a1092d78bfd06e2210f382e

2 years ago Fix flaky MessageBlobStoreTest assertion failures
Aaron Schulz [Tue, 12 Jun 2018 01:32:19 +0000 (18:32 -0700)]
Fix flaky MessageBlobStoreTest assertion failures

Bug: T176097
Change-Id: I0f1e9a6a73bb5b2bc54ee400c5710055e992c3f1
(cherry picked from commit 46a43d8187a1aa1a7702bbfec2a3c5e20df4435a)

2 years ago objectcache: add setMockTime() method to BagOStuff/WANObjectCache
Aaron Schulz [Thu, 31 May 2018 06:14:09 +0000 (23:14 -0700)]
objectcache: add setMockTime() method to BagOStuff/WANObjectCache

Change-Id: I3e5760814fb7dbe628eb0d979d690c3275fc3c15

2 years ago Update git submodules
Peter Boehm [Thu, 24 Jan 2019 12:44:53 +0000 (13:44 +0100)]
Update git submodules

* Update extensions/CategoryTree from branch 'REL1_31'
  to a1717183d7a263ad2a109a1891ac430f1e604c02
  - Change 'title' attributes to links to use full page name

    This changes the title attribute on the link generated in the
    CategoryTree. The only effect is additional information about the
    link target that may be truncated by 'hideprefix' or CSS overflow,
    will now still be accessible in another way.

    Change-Id: I4f07fa88f0a528634e9bf3c504e84fb4bf55e3bf
    (cherry picked from commit 1dfe6ca618afd5b85631417c10772591de02043a)

2 years ago Update git submodules
Fomafix [Wed, 18 Apr 2018 06:23:38 +0000 (08:23 +0200)]
Update git submodules

* Update extensions/CategoryTree from branch 'REL1_31'
  to fec55f2994c3e8021d0329e45aed510a0062c168
  - Simplify by using Xml::element

    Xml::element already makes the HTML encoding.

    Change-Id: Idee5e6871c5a7b5e6763ebe85275598b9b217224
    (cherry picked from commit 6684f62bbaa17068c50a0ed89319a515d86bea1c)

2 years ago Update git submodules
Brian Wolff [Thu, 5 Jul 2018 00:34:08 +0000 (00:34 +0000)]
Update git submodules

* Update extensions/CategoryTree from branch 'REL1_31'
  to 27e63545302d93d98dabd15ca9844c40227ff41f
  - Fix some raw html messages

    Try also to ensure that the bullet messages are treated the
    same in both JS and PHP. It should be noted that the mk and scn
    translations are currently broken on the JS side.

    Bug: T195010
    Change-Id: Id87d26db8d90e293701ae11f6434026a8ae88822
    (cherry picked from commit f36af623179350b42e69d98816203273b6e8ac3b)

2 years ago Merge "Fix $magicWords for the Sanskrit language" into REL1_31
jenkins-bot [Sat, 9 Feb 2019 20:32:40 +0000 (20:32 +0000)]
Merge "Fix $magicWords for the Sanskrit language" into REL1_31

2 years ago Follow-up I41cc21708: Add to RELEASE-NOTES as it's now a pre-release patch
James D. Forrester [Fri, 8 Feb 2019 19:53:58 +0000 (11:53 -0800)]
Follow-up I41cc21708: Add to RELEASE-NOTES as it's now a pre-release patch

Bug: T215632
Change-Id: Id8a25f38bbb28d04c725bc0941a0ceb94aa151fd

2 years ago Removes Google web search from exception page
Juan Osorio [Fri, 9 Nov 2018 22:45:55 +0000 (14:45 -0800)]
Removes Google web search from exception page

When a wiki is down, it is not necessarily useful to be able to
search the web. Additionally, there is general consensus that
the hard-coded Google search form should be removed.

Bug: T208871
Change-Id: I5bcae848de1144d4fc1116c475b2e2ab1ccc3f7d

2 years ago MWExceptionRenderer: Fix db error outage page
Strainu [Thu, 24 May 2018 20:23:26 +0000 (23:23 +0300)]
MWExceptionRenderer: Fix db error outage page

Set content encoding and add some content to the header tag.

Bug: T195525
Change-Id: Ieabfe18280359459e9462204371d3fe8d62a4177
(cherry picked from commit 94b58b2c268541cf09612f5f9fa99c7c3edb2af4)

2 years ago Avoid session double-start in Setup.php
Brad Jorsch [Sat, 12 Jan 2019 19:16:52 +0000 (14:16 -0500)]
Avoid session double-start in Setup.php

In PHP before 7.3, the double start doesn't really matter: session_id()
changes the ID even if it was already started, and the warning from
session_start() can just be ignored. Which is what we did.

In PHP 7.3, now session_id() also warns and no longer changes the ID. To
preserve the previous behavior, we'll need to explicitly close the old
session and open the new one.

Bug: T213489
Change-Id: I02a5be1c3adb326927c156fdd00663bccee37477

2 years ago rdbms: reduce LoadBalancer replication log spam
Aaron Schulz [Mon, 10 Dec 2018 20:29:43 +0000 (15:29 -0500)]
rdbms: reduce LoadBalancer replication log spam

LoadMonitor already has similar and less-frequent logging since
it only happens on cache rebuilds.

Bug: T204531
Change-Id: I270a65ab1d3f471bd49c8f54d85151c91827a518
(cherry picked from commit 38b54d71ece279f978246fefa21142f34cb6e07f)

2 years ago Fix $magicWords for the Sanskrit language
Jayprakash12345 [Sat, 30 Jun 2018 13:20:44 +0000 (18:50 +0530)]
Fix $magicWords for the Sanskrit language

Bug: T102320
Change-Id: I4ef78dc7a41916a9af6aa259de455e3948662913
(cherry picked from commit eb741da7a18c7f52dc2e2b55c4f34e69362b5c7f)

2 years ago User: Bypass repeatable-read when creating an actor_id
Brad Jorsch [Thu, 29 Nov 2018 14:03:20 +0000 (09:03 -0500)]
User: Bypass repeatable-read when creating an actor_id

When MySQL is using repeatable-read transaction isolation (which is the
default), the following sequence of events can occur:

1. Request A: Begin a transaction.
2. Request A: Try to select the actor ID for a user. Find no rows.
3. Request B: Insert an actor ID for that user.
4. Request A: Try to insert an actor ID for the user. Fails because one
5. Request A: Try to select the actor ID that must exist. Fail because of
   the snapshot created at step 2.

In MySQL we can avoid this issue at step #5 by using a locking select
(FOR UPDATE or LOCK IN SHARE MODE), so let's do that.

Bug: T210621
Change-Id: I6c1d255fdd14c6f49d2ea9790e7bd7d101e98ee4
(cherry picked from commit 37f48fdb25a78ba7623c57b50cdfd842292d3ccb)

2 years ago Add join conditions to ActiveUsersPager
Brad Jorsch [Fri, 21 Sep 2018 18:32:34 +0000 (14:32 -0400)]
Add join conditions to ActiveUsersPager

We're (very slowly and somewhat unofficially) moving towards using join
conditions everywhere, and here they're needed to avoid errors once the
actor migration reaches the READ_NEW stage.

Bug: T204767
Change-Id: I8bfe861fac7874f8938bed9bfac3b7ec6f478238
(cherry picked from commit 15441cabe60d84e17ffb25824aeb095d92bc375a)

2 years ago Update git submodules
Alexia E. Smith [Thu, 15 Nov 2018 16:09:15 +0000 (10:09 -0600)]
Update git submodules

* Update extensions/ParserFunctions from branch 'REL1_31'
  to a28ad04eeefa05a16264e67537ba118bd67576d4
  - Fix E_WARNING with {{#pos:}} if the offset is larger than the string

    The mb_strpos() function throws E_WARNING if the offset is longer
    than the length of the string.

    Bug: T209600
    Change-Id: Ib4296ba136eaf5c8461681e9d5f108118b2494f4
    (cherry picked from commit cf1480cb9629514dd4400b1b83283ae6c83ff163)

2 years ago Merge "i18n: Clarify the default sidebar 'Help' link is about MediaWiki itself" into...
jenkins-bot [Wed, 19 Dec 2018 12:30:23 +0000 (12:30 +0000)]
Merge "i18n: Clarify the default sidebar 'Help' link is about MediaWiki itself" into REL1_31

2 years ago Fix copy-paste error
Amir Sarabadani [Tue, 18 Dec 2018 17:55:13 +0000 (18:55 +0100)]
Fix copy-paste error

It's actually adding the column on the wrong table

Change-Id: I2fd8ea50f3eb4b5da04fce2ea0348a2dc6329965

2 years ago i18n: Clarify the default sidebar 'Help' link is about MediaWiki itself
Andre Klapper [Thu, 29 Nov 2018 10:09:34 +0000 (11:09 +0100)]
i18n: Clarify the default sidebar 'Help' link is about MediaWiki itself

Enough users of third-party MediaWiki installations seem to think it is a
link to a help forum for the topic of that installation, and not for

Bug: T209335
Change-Id: I6614b7a5c06de3ffca7ddbb10ea75450e7c6f183
(cherry picked from commit ac0a3f17cf46b7733fcc1d0cef65febb1d04b7b6)

2 years ago Merge "Upgrade wikimedia/ip-set to 1.3.0" into REL1_31
jenkins-bot [Tue, 18 Dec 2018 05:45:47 +0000 (05:45 +0000)]
Merge "Upgrade wikimedia/ip-set to 1.3.0" into REL1_31

2 years ago Merge "Use our fork of less.php" into REL1_31
jenkins-bot [Tue, 18 Dec 2018 05:45:41 +0000 (05:45 +0000)]
Merge "Use our fork of less.php" into REL1_31

2 years ago Update git submodules
Kunal Mehta [Tue, 18 Dec 2018 04:13:14 +0000 (20:13 -0800)]
Update git submodules

* Update vendor from branch 'REL1_31'
  to 5c8dde3a1611b701e28678b36a878c4e3cecfeb7
  - Upgrade wikimedia/ip-set to 1.3.0

    Change-Id: Ib749ec9aae5aeb3fad8232ecbea749530e0408a2

2 years ago Update git submodules
Kunal Mehta [Tue, 18 Dec 2018 04:09:56 +0000 (20:09 -0800)]
Update git submodules

* Update vendor from branch 'REL1_31'
  to a48c47a029213b44e032b8dcdd4795876cfc93a8
  - Switch to our less.php fork

    Bug: T206975
    Change-Id: I01e0b3328c8e1c4a69c37a471e436acd8911f1fa

2 years ago Upgrade wikimedia/ip-set to 1.3.0
Kunal Mehta [Tue, 18 Dec 2018 04:14:25 +0000 (20:14 -0800)]
Upgrade wikimedia/ip-set to 1.3.0

Bug: T209756
Depends-On: Ib749ec9aae5aeb3fad8232ecbea749530e0408a2
Change-Id: I7f5625924baea822f2679115278a3d7a02a72d57

2 years ago Use our fork of less.php
Kunal Mehta [Tue, 18 Dec 2018 04:12:14 +0000 (20:12 -0800)]
Use our fork of less.php

Supports PHP 7.3, among other things

Bug: T206975
Depends-On: I01e0b3328c8e1c4a69c37a471e436acd8911f1fa
Change-Id: I8edcd9316cbff40aee3d52c7295f5974ee2f44b0

2 years ago ImageListPager: Actor migration for buildQueryConds()
Brad Jorsch [Tue, 4 Dec 2018 16:08:08 +0000 (11:08 -0500)]
ImageListPager: Actor migration for buildQueryConds()

This method got missed in I8d825eb0.

Bug: T211061
Change-Id: Ice7446e54a42cbf48eae2a2092862a722650086c
(cherry picked from commit 86b081aa4100bfde2c4903c16fd593f485954326)

2 years ago Save value from CLI installers `--lang` argument
rvogel [Mon, 3 Dec 2018 10:48:08 +0000 (11:48 +0100)]
Save value from CLI installers `--lang` argument

This way the value of `--lang` is available to `LocalSettingsGenerator`.

Bug: T210998
Change-Id: I8b6bd83603687e4d23fc7e0642c3b8f27157b62d
(cherry picked from commit 996ac9f61e34db8b5d50ca9574a021e422cf9030)

2 years ago RELEASE-NOTES-1.31: Add in other cherry-picks since 1.31.1 was cut
James D. Forrester [Fri, 30 Nov 2018 23:16:20 +0000 (15:16 -0800)]
RELEASE-NOTES-1.31: Add in other cherry-picks since 1.31.1 was cut

Gone through `git log --topo-order --no-merges --reverse 1.31.1..`
from 1f664ea4 to 7a6393fc (HEAD as of writing); re-worded a couple,
grouped the PHP version work together, and skipped a couple which
were just follow-up tweaks or test fixes to ones already in the list.

Change-Id: Ic04998209348abf73eefb1cad404700da91457ed

2 years ago LogFormatter: Fail softer when trying to link an invalid titles
Bartosz Dziewoński [Wed, 1 Aug 2018 01:13:18 +0000 (03:13 +0200)]
LogFormatter: Fail softer when trying to link an invalid titles

Old log entries contain titles that used to be valid, but now are not.

Bug: T185049
Change-Id: Ia66d901aedf1b385574b3910b29f020b3fd4bd97
(cherry picked from commit 26bb9d9b23eb2075eefca2097ca393a9d4aa3264)

2 years ago SQL syntax error in MS-SQL file
Seb35 [Tue, 20 Nov 2018 14:25:09 +0000 (15:25 +0100)]
SQL syntax error in MS-SQL file

Bug: T209870
Change-Id: I91e4f8472832c4bb17eb1d185db1bcbde57a9287
(cherry picked from commit e1100d2d53baa71d20cc282b6dc0a950b080aaad)

2 years ago Use $revQuery['joins'] in query in populateSearchIndex
Paladox [Mon, 19 Nov 2018 21:29:44 +0000 (21:29 +0000)]
Use $revQuery['joins'] in query in populateSearchIndex

Bug: T209885
Change-Id: Iaf53179535030064788eb107c4ebdd398ed306e4

2 years ago Update git submodules
RazeSoldier [Sat, 10 Nov 2018 07:32:34 +0000 (15:32 +0800)]
Update git submodules

* Update extensions/LocalisationUpdate from branch 'REL1_31'
  to 8ac18feceb9bf298a65c4e27d29cd458e4bc061a
  - Use "break" instead of "continue" inside a switch

    "continue" statements in a switch are equivalent to "break". In PHP 7.3, will generate a warning.

    Bug: T206976
    Change-Id: I7e28a59918edbbcc741a64c6c0ed2a55bd650384
    (cherry picked from commit fa93fda37e308a83e3211f53c8f828b5c3482c07)

2 years ago Update git submodules
Derk-Jan Hartman [Wed, 14 Nov 2018 20:01:22 +0000 (21:01 +0100)]
Update git submodules

* Update extensions/WikiEditor from branch 'REL1_31'
  to dca935d7de870eb5352788c0537c172b574f1475
  - Modules: Protect against loading modules twice

    Bug: T189029
    Change-Id: Ie0dff9c1dfa8e3a0927f2915a9a237dff739289a
    (cherry picked from commit 0161e37e6e67ac6eb76fbc0bea4f299e17fcdda2)

2 years ago Add test for completionSearch with wgCapitalLinkOverrides
David Causse [Tue, 6 Nov 2018 13:35:03 +0000 (14:35 +0100)]
Add test for completionSearch with wgCapitalLinkOverrides

Bug: T208255
Change-Id: Id2299a013b2dc9b5391d400d7c7c4dc37185f714

2 years ago Completion search should not change the search query
David Causse [Tue, 6 Nov 2018 14:52:08 +0000 (15:52 +0100)]
Completion search should not change the search query

when extracting the namespace

Bug: T208255
Change-Id: I98206bda9a32e12acc7e515c3396fa823c3cd4f3

2 years ago Update git submodules
Niklas Laxström [Wed, 24 Oct 2018 08:33:04 +0000 (10:33 +0200)]
Update git submodules

* Update extensions/LocalisationUpdate from branch 'REL1_31'
  to bdf7b30dbada29938bd92ee6b9370a45d0ecac61
  - Handle exceptions from GitHubFetcher

    If a l10n directory is not found, log a message but continue.

    This commit introduces some output to normal update.php run, which
    can be disabled with the --quiet switch.

    Bug: T176390
    Change-Id: Ic1001303aef859d325e307edd4348364cab9ed7d
    (cherry picked from commit db84ba6ed2b4e255c844171db545fa451da08e1f)

2 years ago composer.json, require ext-fileinfo
addshore [Mon, 24 Sep 2018 08:25:53 +0000 (09:25 +0100)]
composer.json, require ext-fileinfo

PHPVersionCheck requires fileinfo be installed for mime_content_type

Change-Id: Iea7d2c7842c770e77c05265d4f4b08b17f9ab71f
(cherry picked from commit 139bf5bc7b66c83bd5a27d4fc6806ddaebe3f188)

2 years ago Don't throw E_NOTICEs about undefined properties
Jack Phoenix [Fri, 13 Jul 2018 03:33:10 +0000 (06:33 +0300)]
Don't throw E_NOTICEs about undefined properties

Bug: T199494
Change-Id: Id24b9ece76ca0bedcaac29f1a6f5567af78658c1
(cherry picked from commit 83164669a140717797953f07baaf0b3239689017)

2 years ago Merge "Update wikimedia/base-convert to 2.0.0" into REL1_31
jenkins-bot [Mon, 22 Oct 2018 22:03:54 +0000 (22:03 +0000)]
Merge "Update wikimedia/base-convert to 2.0.0" into REL1_31

2 years ago Update git submodules
Kunal Mehta [Mon, 22 Oct 2018 18:17:22 +0000 (11:17 -0700)]
Update git submodules

* Update vendor from branch 'REL1_31'
  to 5f60e30d272ea5327b407e625b4398952d49f8cf
  - Update wikimedia/base-convert to 2.0.0

    Bug: T194052
    Change-Id: I4de5c0ab827c96e2cef4e0b2cd7d10a109393668
    (cherry picked from commit 2f3707a143c1ef3bbe69d57fa724ae9dc6541d0e)

2 years ago Update wikimedia/base-convert to 2.0.0
Kunal Mehta [Mon, 22 Oct 2018 18:17:40 +0000 (11:17 -0700)]
Update wikimedia/base-convert to 2.0.0

The breaking change is dropping PHP 5 support.

Bug: T194052
Depends-On: I4de5c0ab827c96e2cef4e0b2cd7d10a109393668
Change-Id: If39ea5274bfa3c9b0ce18f9a43a27445a90ea3fc
(cherry picked from commit bb2d81c3a47e1fb1266b6f0352bb89b786ea9235)

2 years ago Merge "Upgrade wikimedia/remex-html to 2.0.1" into REL1_31
jenkins-bot [Mon, 22 Oct 2018 15:18:08 +0000 (15:18 +0000)]
Merge "Upgrade wikimedia/remex-html to 2.0.1" into REL1_31

2 years ago Update git submodules
Kunal Mehta [Sun, 21 Oct 2018 05:10:45 +0000 (22:10 -0700)]
Update git submodules

* Update vendor from branch 'REL1_31'
  to 48fed251a916a78bf5bff4f38fc9c1131ee21f4f
  - Upgrade wikimedia/remex-html to 2.0.1

    Bug: T207088
    Change-Id: Id4bbbdb68678c37ec4aa84d519516199bb800393
    (cherry picked from commit 48f274d9cc6b2e8d4961c831e1cc81c4edba6689)

2 years ago Merge "Upgrade wikimedia/remex-html to 2.0.0" into REL1_31
jenkins-bot [Mon, 22 Oct 2018 15:18:02 +0000 (15:18 +0000)]
Merge "Upgrade wikimedia/remex-html to 2.0.0" into REL1_31

2 years ago Update git submodules
Kunal Mehta [Tue, 14 Aug 2018 20:38:26 +0000 (13:38 -0700)]
Update git submodules

* Update vendor from branch 'REL1_31'
  to 78271def9b2b28e6f176ca470f23e24526ff2c5c
  - Upgrade wikimedia/remex-html to 2.0.0

    Change-Id: Ie13945649314853cbd5707363f3a10da55752743
    (cherry picked from commit 1f29509a937d9ac7c6c0b876928307828a697fa9)

2 years ago Merge "RemexCompatMunger: Don't call endTag() in case B/b" into REL1_31
jenkins-bot [Mon, 22 Oct 2018 02:14:00 +0000 (02:14 +0000)]
Merge "RemexCompatMunger: Don't call endTag() in case B/b" into REL1_31

2 years ago Merge "<ins>/<del> elements can be phrasing or flow" into REL1_31
jenkins-bot [Mon, 22 Oct 2018 02:11:41 +0000 (02:11 +0000)]
Merge "<ins>/<del> elements can be phrasing or flow" into REL1_31

2 years ago Upgrade wikimedia/remex-html to 2.0.1
Kunal Mehta [Sun, 21 Oct 2018 05:12:14 +0000 (22:12 -0700)]
Upgrade wikimedia/remex-html to 2.0.1

Bug: T207088
Depends-On: Id4bbbdb68678c37ec4aa84d519516199bb800393
Change-Id: Ia5822f5f283f5d935c78402ce71e2d010e9a7a91
(cherry picked from commit a404d87418bb332deab92fa7189b999d1c0c410c)

2 years ago Upgrade wikimedia/remex-html to 2.0.0
Kunal Mehta [Tue, 14 Aug 2018 20:38:37 +0000 (13:38 -0700)]
Upgrade wikimedia/remex-html to 2.0.0

Depends-On: Ie13945649314853cbd5707363f3a10da55752743
Change-Id: Ib6c8aaa797c128c273cde8095eb0bb1527fc0e21
(cherry picked from commit 9cac6c5645cbde9c48a4fac43c8dfdd977bb200f)

2 years ago RemexCompatMunger: Don't call endTag() in case B/b
Tim Starling [Mon, 6 Aug 2018 02:30:51 +0000 (12:30 +1000)]
RemexCompatMunger: Don't call endTag() in case B/b

This was naïve, the linked bug documents a case where endTag() was
called despite children of the p-wrap still being in TreeBuilder's
stack. Instead, wait for the parent of the p-wrap to have endTag()
called on it, I've submitted a patch which will clean up the node in
that case.

Bug: T200827
Change-Id: I34694813eace9cadabf2db8f9ccca83d1368cfad
(cherry picked from commit 10c8cfea305ec1d450b16ad54ebddb5f910016f4)

2 years ago <ins>/<del> elements can be phrasing or flow
Arlo Breault [Thu, 12 Jul 2018 18:31:04 +0000 (14:31 -0400)]
<ins>/<del> elements can be phrasing or flow

The changes to the parserTests.txt highlight the differing opinions that
doBlockLevels and Remex had on whether these should be paragraph wrapped.

Since the only time they wouldn't have been was when found on a line
with other flow tags, this likely isn't a behaviour that was depended on
in practice.  And, indeed, the task describes this as a bug.

A sampling of pages from an insource:/\<(ins|del)\>/ search on wiki bears
this out.

Bug: T17491
Change-Id: I311da777a63aa3c45013f2cfc090be35a022497e
(cherry picked from commit 5a7f860b7859146d006d09c29f542be835165870)

2 years ago SECURITY: Don't allow loading unprotected JS files
Brian Wolff [Thu, 27 Sep 2018 11:42:37 +0000 (11:42 +0000)]
SECURITY: Don't allow loading unprotected JS files

This is meant to protect against malicious people while avoiding
annoying good users as much as possible. We may want to restrict
this further in the future, but that's something that can be discussed
in the normal way.

Bug: T194204
Bug: T113042
Bug: T112937
Change-Id: I27e049bae78b5c0f63b10f454b740cb1dc394813

2 years ago SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log
Brian Wolff [Tue, 15 May 2018 00:34:14 +0000 (00:34 +0000)]
SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

Loading JS from an unregistered user's JS subpage is a severe
security risk as someone could potentially register that account
and then modify the JS.

Bug: T207603
Change-Id: I741736e12b0ed49e95f22c869a2b53e2c97b31f0

2 years ago Merge "Don't pass a MailAddress pass the email to mail()" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 17:33:31 +0000 (17:33 +0000)]
Merge "Don't pass a MailAddress pass the email to mail()" into REL1_31

2 years ago Merge "Update ImportableUploadRevisionImporter for interwiki usernames" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 15:59:47 +0000 (15:59 +0000)]
Merge "Update ImportableUploadRevisionImporter for interwiki usernames" into REL1_31

2 years ago Merge "installer: Don't link to the obsolete "Extension Matrix" page" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 15:59:42 +0000 (15:59 +0000)]
Merge "installer: Don't link to the obsolete "Extension Matrix" page" into REL1_31

2 years ago Database: Allow selectFieldValues() to accept SQL fragments
Brad Jorsch [Wed, 17 Oct 2018 15:26:51 +0000 (11:26 -0400)]
Database: Allow selectFieldValues() to accept SQL fragments

The documentation says "This must be a valid SQL fragment", but as
written it breaks if given anything other than a field name. It's easy
enough to fix by adding an alias to the internal select() call.

Bug: T201781
Change-Id: I76428af6d3aadc266254fdb24109a0ac2db3761f
(cherry picked from commit c5a5b022400318e52638a4d34369ddbb74d7a21b)

2 years ago installer: Don't link to the obsolete "Extension Matrix" page
Zoranzoki21 [Sat, 29 Sep 2018 00:06:23 +0000 (03:06 +0300)]
installer: Don't link to the obsolete "Extension Matrix" page

Bug: T205765
Change-Id: Id1ba965c7c06ce03611ba745421dc982f5393f8c
(cherry picked from commit 8b7b5f04b7c84ffd2cda3aae06513a8e4fca6128)

2 years ago Don't pass a MailAddress pass the email to mail()
Reedy [Sat, 20 Oct 2018 12:37:15 +0000 (13:37 +0100)]
Don't pass a MailAddress pass the email to mail()

Bug: T207541
Change-Id: I1516023907e9773cb093010c6b67279f695abb1a
(cherry picked from commit c57aacb782f5ce5e53253192a53d736ece300d3c)

2 years ago Include IP address in "Login for $1 succeeded" log entry
Kunal Mehta [Sat, 20 Oct 2018 12:35:22 +0000 (05:35 -0700)]
Include IP address in "Login for $1 succeeded" log entry

Bug: T207540
Change-Id: Iab4f2f2ddc8e64ead2f33356d03fa7beed399415

2 years ago Update ImportableUploadRevisionImporter for interwiki usernames
Brad Jorsch [Tue, 16 Oct 2018 14:47:44 +0000 (10:47 -0400)]
Update ImportableUploadRevisionImporter for interwiki usernames

This was somehow missed in I5401941c.

Bug: T206013
Change-Id: Ia618b05329e6cbfca7c95d9161f12ba4150705c8
(cherry picked from commit afb2578055b49f3fe523cf9314f75d63bac4786b)

2 years ago Add session_write_close() calls to SessionManager tests
Brad Jorsch [Tue, 16 Oct 2018 14:22:33 +0000 (10:22 -0400)]
Add session_write_close() calls to SessionManager tests

PHP 7.3 doesn't like it if session_id() is called when the session has
been started, so we need to be sure to close it first in a few tests.

Bug: T207112
Change-Id: Ief36c1bb7b5c9066f158b5bb0d6d785a7f7ddd3c
(cherry picked from commit 6698b7ea1d63fbd2e3014bf563c3ad9e937bc8dd)

2 years ago Output only to stderr in unit tests
Aryeh Gregor [Mon, 8 Oct 2018 18:04:12 +0000 (21:04 +0300)]
Output only to stderr in unit tests

Otherwise, session tests don't work in PHP 7.2 because headers are
already sent: https://bugs.php.net/bug.php?id=75628

Bug: T206476
Change-Id: Ie88db4a61a56b756c6445d2579a2f30da22c3ee8

2 years ago Suppress "Headers already sent" in PHP 7.2 too
Aryeh Gregor [Mon, 8 Oct 2018 17:10:36 +0000 (20:10 +0300)]
Suppress "Headers already sent" in PHP 7.2 too

The "h" is now capitalized, so we need to update the regex.

Change-Id: I1111e1228868ec66d930c7a3b0d7972e5c6356b9
(cherry picked from commit 1572f3b1b89abc958da6a7d131553e3b67953403)

2 years ago Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable
Aaron Schulz [Sat, 26 May 2018 00:29:17 +0000 (17:29 -0700)]
Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable

Change-Id: Ida81bf998b462f2f6bb2b708df1f15bbc1933db1
(cherry picked from commit b172aff090b7c59c2f602931d469cf3ac5e9e74a)

2 years ago Fix PHP warnings "preg_replace(): [...] invalid range in character class"
Edward Chernenko [Mon, 18 Jun 2018 22:53:52 +0000 (01:53 +0300)]
Fix PHP warnings "preg_replace(): [...] invalid range in character class"

This was spotted when running tests on Travis (PHP 7.3 nightly, trusty).

Two expressions inside preg_replace() contained non-escaped "-" inside [],
where this "-" meant an actual "-" character.
The warning is because "-" has special meaning inside [] ("a-z" for range),
and things like [\w-.] are considered "invalid range".

Solution is to escape "-" like this: [\w\-.]

Change-Id: I41cc217081f00f54d957b6d8052ee209412f5ff6
(cherry picked from commit d88e924b6e5a7d529c471980e14f72430a94e546)

2 years ago LocalisationCache: Avoid use of compact()
Kunal Mehta [Mon, 15 Oct 2018 07:17:38 +0000 (00:17 -0700)]
LocalisationCache: Avoid use of compact()

In PHP 7.3, compact() now raises notices if the variable is undefined, which
is something that we expect. So we can check whether the key exists instead
of bothering with compact() and suppressing warnings.

Bug: T206979
Change-Id: I612049db4debd850a2e6d10bc631d31aa17be898
(cherry picked from commit d0463178dfa09b79b3a08fee939da1beed030824)

2 years ago Use "break" instead of "continue" inside a switch
RazeSoldier [Mon, 15 Oct 2018 15:58:26 +0000 (23:58 +0800)]
Use "break" instead of "continue" inside a switch

"continue" statements in a switch are equivalent to "break". In PHP 7.3, they will generate a warning.

Bug: T206974
Change-Id: I54bcec013ff52ab81bff09f8f7ef02f3944a5b7d
(cherry picked from commit f3b012b51f492155cd7acf4d7f641cd43147bfc0)

2 years ago Update git submodules
RazeSoldier [Mon, 15 Oct 2018 10:35:36 +0000 (18:35 +0800)]
Update git submodules

* Update extensions/ParserFunctions from branch 'REL1_31'
  to f2c63e5062c136d756d5d4378a722385e4b0149c
  - Use "break" instead of "continue" inside a switch

    "continue" statements in a switch are equivalent to "break". In PHP 7.3, they will generate a warning.

    Also change the indentation.

    Bug: T206977
    Change-Id: I8ad0ef6508e73bcca7dabfe2e88d661dd409bdfb
    (cherry picked from commit d258457e018bfa157bf4b782efed8c160ec40545)