12 months ago Init Wiklou repository
Ludovic CHEVALIER [Wed, 22 Jul 2020 15:19:05 +0000 (17:19 +0200)]
Init Wiklou repository

12 months ago shell: Expand documentation in firejail.profile
Kunal Mehta [Mon, 6 Jul 2020 19:58:16 +0000 (12:58 -0700)]
shell: Expand documentation in firejail.profile

Explain what content should go in the profile and what the two inclusions
are for.

Bug: T257207
Change-Id: I7a0fbc558a85baa91624414f67f84d2dc23a41bb

13 months ago In the web installer, use secure session cookies
Tim Starling [Thu, 25 Jun 2020 06:03:35 +0000 (16:03 +1000)]
In the web installer, use secure session cookies

When starting a session when the detected protocol is HTTPS, use
cookie_secure=1 so that the session cookie has the secure attribute.

Without the secure attribute, a CSRF attack could be used to send
cookies over an insecure channel, leaking the session ID to an attacker
with network access.

Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)

13 months ago Start 1.31.9
Reedy [Tue, 23 Jun 2020 00:30:57 +0000 (01:30 +0100)]
Start 1.31.9

Change-Id: I268d185fa606b7905664ad10d8f8f2c58e05d4d3

13 months ago Bump and prep 1.31.8 1.31.8
Reedy [Tue, 23 Jun 2020 00:26:58 +0000 (01:26 +0100)]
Bump and prep 1.31.8

Change-Id: I5d51e01b55235c3303b721cb58e56487acb7a9e4

13 months ago SECURITY: Fix accidental public CC headers in img_auth.php
Tim Starling [Tue, 31 Mar 2020 06:02:49 +0000 (17:02 +1100)]
SECURITY: Fix accidental public CC headers in img_auth.php

Incorrect parameters to FileBackend::streamFile() caused
Cache-Control:private and Vary:Cookie response headers to be omitted
when requesting a file in a path configured by $wgImgAuthUrlPathMap.
Typically this is used to deliver images generated by extensions.


Bug: T248947
Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2
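
A check a deployment could run against responses for access-controlled files, looking for the two headers this commit message names. This is an added example, not code from the commit or from MediaWiki; the function names, the sample responses and the rule that `no-store` is an acceptable substitute for `private` are assumptions made for the illustration.

```python
def parse_head(raw):
    """Parse a raw HTTP response head into (status, {lowercased name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def tokens(headers, name):
    """Comma-separated tokens of a header, merged across repeats, lowercased.

    Directive arguments such as max-age=3600 are reduced to the directive name.
    """
    found = set()
    for value in headers.get(name, []):
        for part in value.split(","):
            part = part.strip().lower()
            if part:
                found.add(part.split("=", 1)[0].strip())
    return found


def audit_private_response(raw):
    """Return findings for a file response that shared caches must not reuse."""
    status, headers = parse_head(raw)
    findings = []
    if status != 200:
        return findings  # only successful file deliveries are audited here
    cache_control = tokens(headers, "cache-control")
    if "public" in cache_control:
        findings.append("Cache-Control allows shared caching (public)")
    # Assumption of this example: no-store is treated as equally safe.
    if not cache_control & {"private", "no-store"}:
        findings.append("Cache-Control lacks private")
    vary = tokens(headers, "vary")
    if "cookie" not in vary and "*" not in vary:
        findings.append("Vary does not include Cookie")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Cache-Control: private\r\n"
    "Vary: Accept-Encoding, Cookie\r\n"
)
PUBLIC = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Cache-Control: public, max-age=3600\r\n"
)
OMITTED = "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
REPEATED = (
    "HTTP/1.1 200 OK\r\n"
    "cache-control: max-age=0\r\n"
    "Cache-Control: PRIVATE\r\n"
    "vary: cookie\r\n"
)
DENIED = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("public", PUBLIC), ("omitted", OMITTED)]:
        print(label, audit_private_response(raw))
```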

13 months ago One more RELEASE-NOTES
Reedy [Mon, 22 Jun 2020 23:59:02 +0000 (00:59 +0100)]

Change-Id: I5d8518a2c6ba2f4bb4963a21c1101cab17685868

13 months ago Bring RELEASE-NOTES up to date
Reedy [Mon, 22 Jun 2020 23:48:25 +0000 (00:48 +0100)]
Bring RELEASE-NOTES up to date

Change-Id: I359ebf5a6f2aec785674080e9ae4724b31b6a0c2

13 months ago SpecialContributions: Use PoolCounter to limit concurrency
Brad Jorsch [Tue, 19 Nov 2019 19:36:35 +0000 (14:36 -0500)]
SpecialContributions: Use PoolCounter to limit concurrency

Allow using PoolCounter to limit the number of times a user or IP can
concurrently load Special:Contributions.

By default no limitation is applied. Key 'SpecialContributions' in
$wgPoolCounterConf must be set to configure the concurrency.

Bug: T234450
Change-Id: Ie769fa170093bfb6d281c651d3857545d139e009

13 months ago Call ob_start() before running tests
Tim Starling [Mon, 25 May 2020 03:48:42 +0000 (13:48 +1000)]
Call ob_start() before running tests

The policy introduced for T206476 creates a subtle failure mode: any test
writing to stdout will cause headers to be sent, causing later tests to
fail when they try to call header().

Instead, call ob_start() to intercept test output. Any buffered output is
still seen when PHPUnit exits.

Bug: T206476
Change-Id: Id085efeab67d1e700ffcbf37868b5107e3a7e5d5

14 months ago Update the change_tag table in rebuildrecentchanges.php
GeoffreyT2000 [Fri, 1 Mar 2019 03:47:38 +0000 (19:47 -0800)]
Update the change_tag table in rebuildrecentchanges.php

Without updating the change_tag table, tags will not correctly appear on
Special:RecentChanges after running the script.

Bug: T229461
Change-Id: Iff12588df1ad8d658091832e38d870dd8b75a32f
(cherry picked from commit 4c69162b95afc3dd3d7a1fa51cee207e6fe0171b)

14 months ago Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php
GeoffreyT2000 [Wed, 6 Mar 2019 01:55:49 +0000 (17:55 -0800)]
Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php

This fixes what rc_patrolled should be for autopatrolled changes. Also,
non-upload log entries will have rc_patrolled = 2 for now until T217388 decides
what rc_patrolled should be for such entries. In contrast, upload entries
can be patrolled unlike other log entries, so they will have rc_patrolled = 0.

Bug: T199474
Change-Id: Ib7d1f5f7dd3541768305debee703fd342844714b
(cherry picked from commit 87aaf7a1664a1a031f5872ffaf5fd9730db39444)

14 months ago [registration] Remove type of string from Hooks in extension.schema.v1.json
Reedy [Tue, 26 May 2020 00:28:46 +0000 (01:28 +0100)]
[registration] Remove type of string from Hooks in extension.schema.v1.json

Same as it will be for v2 when that patch merges

Change-Id: I64c3bbcda0f353fe9c14b0d5bea241e0304c0e2e
Follows-Up: I1a8657ff9fd14618c6709dbab62c3b4ee9f659a5

14 months ago Backport docs/extension.schema.v2.json fixes
Tim Starling [Mon, 18 May 2020 04:18:14 +0000 (14:18 +1000)]
Backport docs/extension.schema.v2.json fixes

* Fix the type of "Hooks" to not accept string (it never would've

Bug: T240307
Change-Id: I1a8657ff9fd14618c6709dbab62c3b4ee9f659a5

14 months ago Fixup some SELECT * usages in sqlite schema patches
Reedy [Sun, 10 May 2020 01:14:35 +0000 (02:14 +0100)]
Fixup some SELECT * usages in sqlite schema patches

Bug: T252311
Change-Id: I7abdb7db89873c20f3a79df9452ab45c59ca6395

14 months ago Update PostgreSQL supported version in docs/database/postgres.txt
Reedy [Sun, 17 May 2020 14:43:46 +0000 (15:43 +0100)]
Update PostgreSQL supported version in docs/database/postgres.txt

Change-Id: I9e49857e67f3351683dbbf0019d8301eaf43e59c
(cherry picked from commit 39176163d20a7095e5a68338697f6a719371f1a6)

14 months ago Remove rotten docs/php-memcached docs
Reedy [Sun, 17 May 2020 14:42:17 +0000 (15:42 +0100)]
Remove rotten docs/php-memcached docs

README contains a URL that doesn't work.

ChangeLog has no purpose these days

Documentation doesn't match state of the class these days either

Change-Id: Ia2e00891d78cb4b227113e89d6b5e95a10261f0a

14 months ago registration: Fix upgradeExtensionJsonSchema to remove _merge_strategy
Kunal Mehta [Tue, 12 May 2020 19:13:26 +0000 (12:13 -0700)]
registration: Fix upgradeExtensionJsonSchema to remove _merge_strategy

The unset() call was on the wrong array.

Bug: T252576
Change-Id: Ieaa3273d2867df87f67b110e97149410066b6795

14 months ago Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17
C. Scott Ananian [Thu, 30 Apr 2020 22:10:43 +0000 (18:10 -0400)]
Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17

Upstream bug reports of the behavior change introduced in PHP 7.3.17 (and
applied to PHP 7.4 branch as well):

The responsible commit in PHP was https://github.com/php/php-src/pull/5246

This was a "bug fix" in the sense that SimpleXML used to discard the
attributes on the namespace elements, which look like this:
     <namespace key="-2" case="first-letter">Media</namespace>
SimpleXML used to return this as a string "Media" instead of a
SimpleXMLElement... but ExportTest (inadvertently?) depended on that

In any case, if we iterate over SimpleXMLElement::children() we always
get SimpleXMLElements, not "sometimes strings", and so our code will
work correctly on PHP below 7.3.17 and above, regardless of how PHP
decides to handle this "bug".

Bug: T250568
Change-Id: I9c2cb6a86fd6e8023c1979ec6838071a87a7bcea
(cherry picked from commit 7f1ad7d9848782d025bad63149e058964fc37c97)

15 months ago Optimize email sending on password reset
suecarmol [Wed, 8 Apr 2020 00:13:54 +0000 (19:13 -0500)]
Optimize email sending on password reset

Improve performance of sending emails when a user resets a password.

Bug: T247017
Change-Id: I9edb0e4c8845f7a9082035de66f5965c3f9b762d

15 months ago AuthManager: Don't invalidate BotPasswords if a password reset email is sent
Brad Jorsch [Tue, 17 Jul 2018 20:18:59 +0000 (16:18 -0400)]
AuthManager: Don't invalidate BotPasswords if a password reset email is sent

There's a difference between addition of credentials, which doesn't
need to invalidate BotPasswords, and changing or removal of credentials,
which does.

It seems most straightforward for the caller of
AuthManager::changeAuthenticationData() to know which is intended, so
let's add a flag there.

Bug: T199809
Change-Id: Ib8405734e605b94f3f0b66596ad95784cb365e4f

15 months ago Clean up unused $displayPassword return value
Sam Wilson [Mon, 13 Apr 2020 02:32:17 +0000 (10:32 +0800)]
Clean up unused $displayPassword return value

This is a follow-up to f12a3edff708a1fb73a09d154693dba49b69d921
to remove the now unused $password return variable.

Change-Id: I2b12bd7c9f84e915f1bda659a95bab3d63a611d2

16 months ago Start 1.31.8
Reedy [Tue, 24 Mar 2020 17:25:39 +0000 (17:25 +0000)]
Start 1.31.8

Change-Id: I733577830e56051db165329a4740de5e33682920

16 months ago Bump and prep 1.31.7 1.31.7
Reedy [Tue, 24 Mar 2020 17:24:57 +0000 (17:24 +0000)]
Bump and prep 1.31.7

Change-Id: I3feba3ab474d69a9acbae5e2c1ecd388784d9df0

16 months ago SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
Bartosz Dziewoński [Mon, 2 Mar 2020 16:08:15 +0000 (17:08 +0100)]
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

Bug: T246602
Change-Id: Iea64a258499ab597b9a8900418a42162fdb5f391

16 months ago SECURITY: UserGroupMembership: Fix HTML escaping in #getLink
Bartosz Dziewoński [Mon, 23 Mar 2020 21:01:30 +0000 (22:01 +0100)]
SECURITY: UserGroupMembership: Fix HTML escaping in #getLink

In some cases, the return value would be either non-escaped or

Bug: T236509
Change-Id: If56a9df5f815a58a11741c5e020bb2d43a692563

16 months ago build: Merge doc linting into 'npm test'
Timo Tijhof [Wed, 18 Mar 2020 18:19:39 +0000 (18:19 +0000)]
build: Merge doc linting into 'npm test'

Whether JSDuck or JSDoc3, it's good to verify that there are no
regressions in the doc syntax. This has been enforced by WMF CI
for many years with a dedicated Jenkins job.

However, both 'grunt lint' and 'npm run doc' take a relatively
small amount of time in CI:

* grunt lint: ~ 35s (not incl 'npm install')
* npm run doc: ~ 10s (not incl 'npm install')

Change-Id: If22b7bc64266e43088c7dec8138d81c938687fb9

16 months ago Update RELEASE-NOTES-1.31
Reedy [Thu, 12 Mar 2020 23:49:43 +0000 (23:49 +0000)]

Change-Id: I2d602a8a6b823dee75e05126e6ef7b187013e861

16 months ago Disable even more flaky/broken selenium tests
Reedy [Thu, 12 Mar 2020 23:38:21 +0000 (23:38 +0000)]
Disable even more flaky/broken selenium tests

Bug: T247580
Change-Id: I0004e97bb7de8586ee1b5c246776cccaf4f21c77

16 months ago Disable some more flaky/broken selenium tests
Reedy [Thu, 12 Mar 2020 23:33:28 +0000 (23:33 +0000)]
Disable some more flaky/broken selenium tests

Bug: T247580
Change-Id: Id99bb15c20ed7ca7fe45569757ee6ec33e4557d5

16 months ago Disable "...able to change preferences" browser test
Kunal Mehta [Tue, 31 Jul 2018 19:28:31 +0000 (12:28 -0700)]
Disable "...able to change preferences" browser test

It's incredibly flaky.

Bug: T247580
Bug: T199446
Change-Id: I5372a285dab4f5f032ae340d9fd30b9c7c8bf72a

16 months ago Merge "rdbms: re-add DB domain sanity checks to LoadBalancer" into REL1_31
jenkins-bot [Wed, 11 Mar 2020 16:53:14 +0000 (16:53 +0000)]
Merge "rdbms: re-add DB domain sanity checks to LoadBalancer" into REL1_31

16 months ago Add check for page existence
Ammar Abdulhamid [Mon, 9 Mar 2020 08:57:43 +0000 (09:57 +0100)]
Add check for page existence

Currently even if the page does not exist at all this script just says
"there's no content" which is partially true. If the page does exist but with
no content and/or blank the same answer is also given, which is OK in that case
but less so in the former case.

Also handle special pages instead of throwing exception.

Change-Id: Ia15b336d989d3605ead1891e3396380e8e6d4347

16 months ago Fix output of RecountCategories::doWork()
Reedy [Sun, 8 Mar 2020 23:34:05 +0000 (23:34 +0000)]
Fix output of RecountCategories::doWork()

Display actual cat_id starting at, not the batch size

Also, adjust message per option description:
'Only recount categories with cat_id greater than the given value'

Bug: T247215
Follows-Up: I8b3e9ca1f42b7c49ee57f17b88ca2fc7b404f342
Change-Id: I09844c922a4350178a67e526dd025eb831489939
(cherry picked from commit e3c9741aacdcc8e6ca4bfd17526119c2e9709082)

16 months ago The PHP Group stopped supporting 5.6 in late 2018
Reedy [Mon, 2 Mar 2020 00:57:30 +0000 (00:57 +0000)]
The PHP Group stopped supporting 5.6 in late 2018

As per https://www.php.net/eol.php 5.6 was EOL and therefore
unsupported since 31 December 2018.

Change-Id: I2f6e307457365f0adf1b727b4fff9ed19c685b4f

17 months ago Provide MW_VERSION and soft-deprecate global $wgVersion
Timo Tijhof [Tue, 25 Feb 2020 01:28:12 +0000 (01:28 +0000)]
Provide MW_VERSION and soft-deprecate global $wgVersion

Backported from a5d5ea82ca.

Bug: T212738
Change-Id: I04628de4152dd5c72646813e08ff35e422e265a4

17 months ago Use proper SemVer comparison in CheckComposerLockUpToDate
C. Scott Ananian [Thu, 13 Feb 2020 21:48:59 +0000 (16:48 -0500)]
Use proper SemVer comparison in CheckComposerLockUpToDate

We were using exact string matching previously.  We already have
a SemVer dependency in ExtensionRegistry.php, so we might as well
do things right.

Change-Id: I8895843a5b1116fca42e0c7179a2907fe84a74d1
(cherry picked from commit 3b0b9aa8ad35b9a567619186ac2174240db58726)

17 months ago Update git submodules
sbassett [Thu, 13 Feb 2020 20:35:51 +0000 (14:35 -0600)]
Update git submodules

* Update extensions/OATHAuth from branch 'REL1_31'
  to 44c0834dc396345de7e159d2d745d169b8344c84
  - SECURITY: Disallow user JS at our special pages

    Bug: T243608
    Change-Id: Ib0deea7a986dd37f23ad5a68a1fb9784ac346db6

17 months ago rdbms: re-add DB domain sanity checks to LoadBalancer
Aaron Schulz [Sat, 13 Oct 2018 16:14:20 +0000 (16:14 +0000)]
rdbms: re-add DB domain sanity checks to LoadBalancer

Also clean up empty schema handling in DatabaseDomain

This reverts commit f23ac02f4fcf156767df66a5df2fa407310fe1d2.

Bug: T193565
Bug: T234022
Change-Id: I95fde5c069f180ca888a023fade25ec81b846d44

19 months ago Start 1.31.7
Reedy [Thu, 19 Dec 2019 13:28:34 +0000 (13:28 +0000)]
Start 1.31.7

Change-Id: Icc42b1db0ef48ecf1acbd0e48f2e7da2a6d104f9

19 months ago Bump and prep 1.31.6 1.31.6
Reedy [Thu, 19 Dec 2019 13:24:33 +0000 (13:24 +0000)]
Bump and prep 1.31.6

Change-Id: I07df574bbc0a6e39be152a1f818e3ef87fb32cb0

19 months ago SECURITY: Work around PHP bug in parse_url
Brad Jorsch [Mon, 17 Dec 2018 18:20:12 +0000 (13:20 -0500)]
SECURITY: Work around PHP bug in parse_url

It gets confused by URLs with a query portion but no path.

Bug: T212067
Change-Id: I15c15161a668115d68eb2e2f8004826b47148fc1

19 months ago Update RELEASE-NOTES
Reedy [Tue, 17 Dec 2019 21:09:04 +0000 (21:09 +0000)]

Change-Id: Icb46eccf65cdd2090e2e7429ba99fd447d5a0b1b

19 months ago media: Log and fail gracefully on invalid EXIF coordinates
Thiemo Kreuz [Tue, 26 Nov 2019 08:54:05 +0000 (09:54 +0100)]
media: Log and fail gracefully on invalid EXIF coordinates

The $coord value is a value extracted from the EXIF section of an
image file. We expect it to be a float, but there is no guarantee this
is the case. It could, for example, be an empty string.

I suggest this trivial fix. It does have the following effects:
* Instead of logging a PHP notice when floor() hits something that is
  not a number, I try to log something that's more useful for later,
  more in-depth debugging. Note this log call isn't necessarily meant
  to stay, but to find an even better fix for this issue.
* I return the string as it is. If it's "foo", the user will see "foo"
  instead of "0° 0′ 0″ N", which wasn't helpful.

Also note how wrong and misleading the PHPDoc block for this function

Bug: T226751
Change-Id: I1ca98728de4113ee1ae4362bd3e62b425d589388
(cherry picked from commit f6787ede2db29fcc2c1923e23eaa2e9bf86522a1)

19 months ago Merge "rdbms: Log debug message traces as 'exception.trace' instead of 'trace'" into...
jenkins-bot [Tue, 10 Dec 2019 23:51:24 +0000 (23:51 +0000)]
Merge "rdbms: Log debug message traces as 'exception.trace' instead of 'trace'" into REL1_31

19 months ago rdbms: Log debug message traces as 'exception.trace' instead of 'trace'
sbassett [Wed, 4 Dec 2019 20:19:52 +0000 (14:19 -0600)]
rdbms: Log debug message traces as 'exception.trace' instead of 'trace'

Code cleanup and hardening (see also: T234014) of Database-related
lib code in MediaWiki core.

Bug: T233342
Change-Id: I3c968f4f5300374253dc80d99596cac50fbeb59e

19 months ago ApiEditPage: Test for bad redirect targets
Brad Jorsch [Mon, 2 Dec 2019 14:39:03 +0000 (09:39 -0500)]
ApiEditPage: Test for bad redirect targets

Apparently everything downstream assumes callers already handled
interwiki titles.

Bug: T239428
Change-Id: Ie54f366986056c876eade0fcad6c41f70b8b8de8

19 months ago SECURITY: Do not allow user scripts on Special:PasswordReset
Amir Sarabadani [Sat, 7 Dec 2019 22:36:42 +0000 (23:36 +0100)]
SECURITY: Do not allow user scripts on Special:PasswordReset

Bug: T192134
Change-Id: If5e91452f2e569476626bcf650ba4efaa122952c

19 months ago Replace deprecated lSize with lLen
Paladox [Tue, 3 Dec 2019 18:12:47 +0000 (18:12 +0000)]
Replace deprecated lSize with lLen

lSize is an alias to lLen according to [1]

[1] https://github.com/phpredis/phpredis/blob/9f4ededa4139f0af324aab56773f26be5a9d1783/README.markdown#L2148

Bug: T239734
Change-Id: I5b72fbe61e313511b69e8d2e96c2042742370b85

19 months ago Update RELEASE-NOTES-1.31
Reedy [Wed, 4 Dec 2019 20:40:37 +0000 (20:40 +0000)]

Change-Id: I3f39544bf7faba22211edb83112fb55782ae74f5

19 months ago Mark options as requiring parameters in addSite.php
lens0021 [Mon, 2 Dec 2019 01:32:25 +0000 (10:32 +0900)]
Mark options as requiring parameters in addSite.php

Bug: T239561
Change-Id: Ibd967da45f32c8ea58b8997f15d26ab06f1e14cb

19 months ago objectcache: avoid using deprecated phpredis::delete() alias
Aaron Schulz [Thu, 1 Aug 2019 20:16:39 +0000 (16:16 -0400)]
objectcache: avoid using deprecated phpredis::delete() alias

Bug: T227461
Change-Id: I3ca8bd9160eefff6590228082f030a32d0edb511
(cherry picked from commit f445700ccc6f7f48158ae27d2cd13004675fd431)

19 months ago Avoid using deprecated phpredis::delete() alias
Paladox [Mon, 2 Dec 2019 22:33:08 +0000 (22:33 +0000)]
Avoid using deprecated phpredis::delete() alias

Bug: T227461
Change-Id: I5eb2fa42d61e4757b11b6eb909c04dafb40923a1

19 months ago Fix support for HTTP/2 in MultiHttpClient
Paladox [Sun, 1 Dec 2019 17:59:17 +0000 (17:59 +0000)]
Fix support for HTTP/2 in MultiHttpClient

Under buster, curl uses HTTP/2 (confirmed when running eval):

GET xxx HTTP/2

GET xxx HTTP/1.1

The code presumes that it will always be HTTP/1.x.

We fix this by adjusting the regex to match HTTP2.

Bug: T232866
Change-Id: Ibde6036048d5939508df143ec5956abcd0718ad1

20 months ago Merge "rdbms: Remove references to pg_attrdef.adsrc in Postgres code" into REL1_31
jenkins-bot [Thu, 14 Nov 2019 18:49:48 +0000 (18:49 +0000)]
Merge "rdbms: Remove references to pg_attrdef.adsrc in Postgres code" into REL1_31

20 months ago rdbms: Use correct value for 'sslmode' in DatabasePostgres
Mark A. Hershberger [Thu, 9 Aug 2018 20:18:34 +0000 (16:18 -0400)]
rdbms: Use correct value for 'sslmode' in DatabasePostgres

Fix Postgres support by using 'sslmode=require' instead of 'sslmode=1'.

See https://www.postgresql.org/docs/current/static/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS

Change-Id: I424b0e3e144bbe9f0a2bde9a3b4a674dde10c729
(cherry picked from commit 2e5d114a99cf162074f92fc390590da44084362d)

20 months ago rdbms: Remove references to pg_attrdef.adsrc in Postgres code
Jeff Janes [Thu, 17 Jan 2019 23:41:51 +0000 (18:41 -0500)]
rdbms: Remove references to pg_attrdef.adsrc in Postgres code

PostgreSQL v12 will remove the long-deprecated column
pg_attrdef.adsrc.  The supported way to introspect into column
default values is pg_get_expr(adbin, adrelid), which works
back through all versions of PostgreSQL supported by wikimedia.

Changing to the supported method will allow the upcoming v12 of the
database to be used while maintaining compatibility with older
versions, without needing to write version-specific code.

This patch has been tested with maintenance/update.php and
with phpunit in PostgreSQL versions 9.2, 11, and 12dev.  It does
not harm the first two, and fixes errors that would otherwise
arise in the dev version.  All unit tests which pass under version
11 now pass under 12dev as well.

Bug: T237931
Change-Id: I874d347fd286b26773113d4f0c6c30d9a4055ad3
(cherry picked from commit 27d342ef4bd31da48b0e10655daf1320e3d00b50)

20 months ago when getting file (img) properties, suppress whines that it's not xml
Ariel T. Glenn [Thu, 13 Jun 2019 14:18:58 +0000 (17:18 +0300)]
when getting file (img) properties, suppress whines that it's not xml

Imports eventually succeed but the log fills up with stack traces

Bug: T206013
Change-Id: Icb004954272ea8fc6fbc4fd5090cd1310d66946c
(cherry picked from commit c9a05a70433ca420a52dd86eefd4feb4529d7e49)

20 months ago Merge "Update RELEASE-NOTES" into REL1_31
jenkins-bot [Mon, 4 Nov 2019 18:21:05 +0000 (18:21 +0000)]
Merge "Update RELEASE-NOTES" into REL1_31

20 months ago Update RELEASE-NOTES
Reedy [Mon, 4 Nov 2019 18:12:01 +0000 (18:12 +0000)]

Change-Id: If2b247a03cf293ea7441786bbd8d1cb849b19c7d

20 months ago Do not insert page titles into querycache.qc_value
mszabo-wikia [Wed, 14 Mar 2018 14:38:14 +0000 (15:38 +0100)]
Do not insert page titles into querycache.qc_value

querycache.qc_value column is used to store a numeric value related
to the query results, generally a COUNT(*) aggregation or timestamp,
but some query pages insert the page title here after passing it through
PHP's intval() function to parse it into a number.
While this will cause 0 to be inserted for pages whose title is not numeric
(i.e. most titles), a DB error may occur for numeric page titles that exceed
the maximum value for unsigned integers, depending on relevant DB settings,
such as MySQL's strict mode.[1]

This patch changes query pages not to insert page titles into the qc_value
column. Also, it adds the getOrderFields() method to query pages that were
missing them, to ensure that the result set inserted into the querycache
table is correctly ordered by title.

[1] https://dev.mysql.com/doc/refman/8.0/en/sql-mode.html#sql-mode-strict

Bug: T181658
Change-Id: I1ef297257c6f419826ba4ffc6e875389ccec46db

21 months ago Update git submodules
Reedy [Thu, 17 Oct 2019 23:58:59 +0000 (00:58 +0100)]
Update git submodules

* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_31'
  to 12fbfd414c02116376b68fbd43f16563eae6ca19
  - Update README to match pygments version

    Bug: T235808
    Change-Id: Iea9a1bc566f67507414f7f2a4fdfd89c8433b7fd
    Follows-Up: I4dc1782f19881ba1294308e1cdea1b2e063f438a
    (cherry picked from commit e286f3be4fada723e8a4cd32db2e56d32397f8d3)

21 months ago Start RELEASE-NOTES for 1.31.6
Reedy [Fri, 11 Oct 2019 23:56:30 +0000 (00:56 +0100)]
Start RELEASE-NOTES for 1.31.6

Change-Id: I6601d37f97e4a3089fdcb72a30942cdcea539bf5

21 months ago Prepare 1.31.5 1.31.5
Reedy [Fri, 11 Oct 2019 23:51:25 +0000 (00:51 +0100)]
Prepare 1.31.5

Change-Id: I7e0279e9bf00b7658356914ba7fbe27f89a23b3c

21 months ago Make Installer::parse not be parseAsBlock
Brian Wolff [Mon, 8 Apr 2019 02:24:57 +0000 (02:24 +0000)]
Make Installer::parse not be parseAsBlock

Previously all the checkboxes had newlines before their labels
which looked really broken.

Change-Id: I5e17524d90d10867ed27553a90cfb246984486d3

21 months ago PermissionManager doesn't exist in 1.33, so we cannot use it in 1.31
Reedy [Fri, 11 Oct 2019 23:36:47 +0000 (00:36 +0100)]
PermissionManager doesn't exist in 1.33, so we cannot use it in 1.31

Followup T230402, PermissionManager doesn't exist until 1.33, so fix the
backported patches to use User::isAllowed() instead.

Change-Id: Ia73bf71293d67f97fb5086ffc0384307568d4d43

21 months ago Start RELEASE-NOTES for 1.31.5
Reedy [Sat, 21 Sep 2019 21:34:18 +0000 (22:34 +0100)]
Start RELEASE-NOTES for 1.31.5

Change-Id: If32a0fdcbf9e319b06ff529e74d992756dce1f95

22 months ago Prepare 1.31.4 1.31.4
Reedy [Sat, 21 Sep 2019 21:33:26 +0000 (22:33 +0100)]
Prepare 1.31.4

Change-Id: I21a8dbeed30df0e8d3a1063e8d10eaa5e9c9ad77

22 months ago SQLite: Make patch-add-3d.sql a no-op
Brad Jorsch [Wed, 21 Nov 2018 16:13:52 +0000 (11:13 -0500)]
SQLite: Make patch-add-3d.sql a no-op

On a fresh install, update.php will apply patch-add-3d.sql even though
it doesn't need to. But this partially wipes out the new schema from
tables.sql, and the omnibus comment and actor table patched don't detect
this, leading to image, oldimage, and filearchive missing the new

Since SQLite doesn't actually care about the values in the ENUM type
(it's just an alias for TEXT), let's just make patch-add-3d.sql do

Change-Id: I335cb8d9626f535a66b0fe18e051640b22848ef7

22 months ago Split down patch-actor-table.sql
Reedy [Sat, 28 Sep 2019 14:48:19 +0000 (15:48 +0100)]
Split down patch-actor-table.sql

Bug: T227662
Change-Id: I024ff1d6f4c2726242138ba7e7f19480d9d2b948

22 months ago SQLite: Split actor and comment filearchive updates to a separate file
Brad Jorsch [Wed, 28 Nov 2018 18:53:17 +0000 (13:53 -0500)]
SQLite: Split actor and comment filearchive updates to a separate file

On a fresh install, update.php will apply patch-editsummary-length.sql
even though it doesn't need to. But this partially wipes out the new schema from
tables.sql, and the omnibus comment and actor table patches don't detect
this, leading to filearchive missing the new fields.

Unlike the case with patch-add-3d.sql in I335cb8d9, here the patch does
make a change (if only a tiny one): fa_deleted_reason changes from TEXT
to BLOB.

Change-Id: I08047ff1207d471660365c0eb3faabc0b47746bb

22 months ago Split down patch-comment-table.sql
Reedy [Thu, 15 Aug 2019 13:36:53 +0000 (14:36 +0100)]
Split down patch-comment-table.sql

Bug: T227662
Change-Id: I7617616df57f7468d06e9b52426b6851bfef0e7d

22 months ago Update RELEASE-NOTES
Reedy [Sat, 21 Sep 2019 21:15:41 +0000 (22:15 +0100)]

Change-Id: Iba71a248ecbdc188c131609a5b65e004547c771e

22 months ago dispatchUser() should use a 302 http status code
sbassett [Tue, 27 Aug 2019 20:55:39 +0000 (15:55 -0500)]
dispatchUser() should use a 302 http status code

dispatchUser() in SpecialRedirect.php should use a 302 http
status code instead of a 301 to avoid certain caching issues.

Bug: T231386
Change-Id: Idb0cb21cc81d73bb9f77fc211af9cfd8b4f71e7d
(cherry picked from commit 02f35caa16fa574bb36a1d22eea62c3b250de235)

22 months ago Cache redirects from Special:Redirect
Brian Wolff [Fri, 1 Feb 2019 01:54:08 +0000 (01:54 +0000)]
Cache redirects from Special:Redirect

People sometimes link these from high traffic places, so it is
important to cache in varnish.

Files with height can change so only cache that for 10 seconds.

Also change from 302 to 301.

Change-Id: I87a60c812cd1aa78a36359090c0cb8390be7183f
(cherry picked from commit f661f3373eb500949b7e421b0df5a955d2904809)

22 months ago Give more specific error messages on Special:Redirect
Umherirrender [Sat, 18 Aug 2018 02:37:59 +0000 (04:37 +0200)]
Give more specific error messages on Special:Redirect

Added some basic tests

Bug: T202183
Change-Id: Ib0dd50ff5575a2b2093a57afce79e9f8623fa24d
(cherry picked from commit 114e6547dea1a2508fe24889d65221af0163622a)

22 months ago Improve documentation for the MinimumPasswordLengthToLogin policy
Thalia [Tue, 17 Sep 2019 19:16:05 +0000 (20:16 +0100)]
Improve documentation for the MinimumPasswordLengthToLogin policy

Bug: T233119
Change-Id: I2d0fa6f7116b407cbf62ad93da73d0800c9d14f9

22 months ago Update RELEASE-NOTES-1.31
Reedy [Thu, 12 Sep 2019 11:22:20 +0000 (12:22 +0100)]

Change-Id: Idcec102a3bd9e3a6c83755fd429a687d5dce1066

22 months ago Fix XMP parser errors due to trailing nullchar
Derk-Jan Hartman [Wed, 11 Sep 2019 22:12:22 +0000 (00:12 +0200)]
Fix XMP parser errors due to trailing nullchar

JPEG files can have trailing \0 chars at the end of the XMP value. Use
trim() to remove these from the string value.

Bug: T118799
Change-Id: Id4ab223ef432e5d2c0dd3b4e332320db02422700
(cherry picked from commit 9ce26a564d066a33ba7ae2a6502e3d57e7e4d48b)

23 months ago Merge "SECURITY: Add permission check for suppressed account" into REL1_31
Jforrester [Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)]
Merge "SECURITY: Add permission check for suppressed account" into REL1_31

23 months ago Add helper for HTTPFileStreamer header syntax
Gergő Tisza [Sat, 20 Apr 2019 00:12:59 +0000 (17:12 -0700)]
Add helper for HTTPFileStreamer header syntax

Adds a helper function for transforming an intuitive header array
to the peculiar syntax expected by HTTPFileStreamer and the related
FileRepo/FileBackend streaming methods.

Change-Id: Idac9281b0f1b3c93f4ec1d1c3f336db110e5d260
(cherry picked from commit 65648f5523c9d1b772106e16e2adf57870892bc7)

23 months ago SECURITY: Add permission check for suppressed account
rxy [Tue, 13 Aug 2019 09:30:38 +0000 (18:30 +0900)]
SECURITY: Add permission check for suppressed account

Bug: T230402
Change-Id: I6a13859be81e5c746bdf0993eb5416fecdac2306
(cherry picked from commit 4356572546b2b4e8eefda9bf10943ba1b12526b9)

23 months ago Add ImgAuthModifyHeaders hook to img_auth.php to modify headers
James Montalvo [Fri, 15 Mar 2019 04:03:29 +0000 (23:03 -0500)]
Add ImgAuthModifyHeaders hook to img_auth.php to modify headers

Change-Id: I3c6fd7b0c39d7fd52c484494233241093d152f88

2 years ago Update LanguageTrTest::testDottedAndDotlessI for PHP 7.3
Santhosh Thottingal [Tue, 23 Jul 2019 06:50:52 +0000 (12:20 +0530)]
Update LanguageTrTest::testDottedAndDotlessI for PHP 7.3

PHP 7.3+ uses Unicode CaseFolding.txt for case mappings. For Turkic
languages (tr, az) the dotted i is given as a special case and we need
to implement it specifically for tr and az.

Updated the documentation and refactored the lcfirst and ucfirst methods
to use arrays containing the above mentioned special cases.

Bug: T207100
Change-Id: I317f2ca66b0adeaa79bc0f9e3dea5edfcd5e4693
(cherry picked from commit 27b424066453d59eeceda48a43d51e4915da960d)

2 years ago Add 1.31.4 section to RELEASE-NOTES
Reedy [Mon, 1 Jul 2019 23:40:46 +0000 (00:40 +0100)]
Add 1.31.4 section to RELEASE-NOTES

Change-Id: I20f691740d2e79914816b0a297027933f074280b

2 years ago Prepare 1.31.3 1.31.3
Reedy [Mon, 1 Jul 2019 23:40:03 +0000 (00:40 +0100)]
Prepare 1.31.3

Bug: T227046
Change-Id: I0758709c11c68bb46573198903c88ba390c8ec8d

2 years ago Add missing RELEASE-NOTES entries
Reedy [Sun, 30 Jun 2019 22:44:23 +0000 (23:44 +0100)]
Add missing RELEASE-NOTES entries

Change-Id: I55f69c01045be8752b396e3acc506e531aa9cc81

2 years ago Fix SQLite patch-(page|template)links-fix-pk.sql column order
Reedy [Sun, 30 Jun 2019 16:47:53 +0000 (17:47 +0100)]
Fix SQLite patch-(page|template)links-fix-pk.sql column order

Bug: T202211
Change-Id: Ife673b88c23acdc1bfc04630715d18243471035f

2 years ago Make sure database update succeeds from older database versions too.
Purdea Andrei [Sun, 13 Jan 2019 04:14:56 +0000 (06:14 +0200)]
Make sure database update succeeds from older database versions too.

Fixes the following error message when updating from an older database.
Renaming index il_from into PRIMARY to table imagelinks ...[7dbf1dd298ecf39128707744] [no req]   Wikimedia\Rdbms\DBQueryError from line 1149 of /home/zok/mediawiki-1.30.1/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?
Query: INSERT INTO imagelinks_tmp
 SELECT * FROM imagelinks

Function: Wikimedia\Rdbms\Database::sourceFile( /home/zok/mediawiki-1.30.1/maintenance/sqlite/archives/patch-imagelinks-fix-pk.sql )
Error: 19 UNIQUE constraint failed: imagelinks_tmp.il_from, imagelinks_tmp.il_to

The "imagelinks" table used to have two fields: il_from and il_to.
At one point during the development of MediaWiki a new field has been
added called il_from_namespace. This new field is the second column
if the database is created from scratch, however if the database is
updated from an older version then the il_from_namespace column becomes
the 3rd column.

That means that some of the older databases will have the columns in the
following order:
(1) il_from, il_from_namespace, il_to
while some older ones, which have been updated will have the following
(2) il_from, il_to, il_from_namespace

This shouldn't matter much, except the file modified in this commit
copies records from one table to another using the INSERT INTO ... SELECT
command without explicitly listing the column names.
The newly created table has the (1) order, but the source table
might sometimes have the (2) order.

Explicitly listing the column names solves all the issues.

Change-Id: I222b171495d14ae45339c4679e263f0ab610e826
(cherry picked from commit 68c298ed05ef7b5be8099ff272e6dea20d00e42b)
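The failure described in the commit message above, reproduced as an added example (not code from the commit or from MediaWiki). The table definitions are simplified assumptions and the rows are constructed; it also shows that with a single row per page the positional copy does not fail but silently stores values in the wrong columns.

```python
import sqlite3

# Simplified, constructed schemas (assumption: not MediaWiki's actual DDL).
# Source table as found on an upgraded wiki: column order (2).
LEGACY = "CREATE TABLE imagelinks (il_from INTEGER, il_to TEXT, il_from_namespace INTEGER)"
# Freshly created target table: column order (1).
TARGET = ("CREATE TABLE imagelinks_tmp (il_from INTEGER NOT NULL, "
          "il_from_namespace INTEGER NOT NULL, il_to TEXT NOT NULL, "
          "PRIMARY KEY (il_from, il_to))")

# Positional copy: values are matched by column position, not by name.
COPY_POSITIONAL = "INSERT INTO imagelinks_tmp SELECT * FROM imagelinks"
# Explicit column lists: independent of the physical column order.
COPY_NAMED = ("INSERT INTO imagelinks_tmp (il_from, il_from_namespace, il_to) "
              "SELECT il_from, il_from_namespace, il_to FROM imagelinks")

# Constructed sample rows: (il_from, il_to, il_from_namespace).
TWO_LINKS = [(1, "A.png", 0), (1, "B.png", 0)]
ONE_LINK = [(1, "A.png", 0)]


def migrate(rows, copy_sql):
    """Load rows into the legacy table, copy them, and return the result.

    Returns the copied rows as (il_from, il_from_namespace, il_to) tuples,
    or a string starting with "error:" if the copy violates a constraint.
    """
    db = sqlite3.connect(":memory:")
    try:
        db.execute(LEGACY)
        db.execute(TARGET)
        db.executemany(
            "INSERT INTO imagelinks (il_from, il_to, il_from_namespace) "
            "VALUES (?, ?, ?)", rows)
        try:
            db.execute(copy_sql)
        except sqlite3.IntegrityError as exc:
            return f"error: {exc}"
        return db.execute(
            "SELECT il_from, il_from_namespace, il_to "
            "FROM imagelinks_tmp ORDER BY il_to").fetchall()
    finally:
        db.close()


if __name__ == "__main__":
    print(migrate(TWO_LINKS, COPY_POSITIONAL))  # namespace 0 lands in il_to twice
    print(migrate(ONE_LINK, COPY_POSITIONAL))   # no error, but columns swapped
    print(migrate(TWO_LINKS, COPY_NAMED))       # correct copy
```
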

2 years ago Remove jetbrains/phpstorm-stubs from composer dev dependencies
Reedy [Sun, 30 Jun 2019 17:18:24 +0000 (18:18 +0100)]
Remove jetbrains/phpstorm-stubs from composer dev dependencies

Bug: T226766
Change-Id: I8f985996dcc780a8307c4d1ef9a1d6e2b9f1a1d0

2 years ago installer: Detect APC for MainCacheType in CLI installer
Timo Tijhof [Thu, 13 Jun 2019 14:06:43 +0000 (15:06 +0100)]
installer: Detect APC for MainCacheType in CLI installer

The web installer did this already, but with the CLI installer,
the generated LocalSettings.php always contained the following

 $wgMainCacheType = CACHE_NONE;

Combined with the fact that in WMF CI, the generated local settings
is applied *after* the inclusion of Quibble settings and
DevelopmentSettings, meant that it was not possible to enable
object caching.

For now, make it match the behaviour of the web installer and thus
output $wgMainCacheType = CACHE_ACCEL if we detect a supported
implementation in the PHP runtime.

For later we should probably:

* Make this an option to install.php,
* or, change Quibble to append its overrides, instead of
  prepending. So that DevelopmentSettings is actually applied after the
  generated LocalSettings.

Bug: T225496
Change-Id: I3f43cd054ce71d0f1b2395302e8ef9ee2f6b01c2
(cherry picked from commit 7e0fb4fff6a247802c2209df48cf9fab8bfb8563)

2 years ago Disable rate limiting in Development Settings
Leszek Manicki [Mon, 17 Jun 2019 09:11:39 +0000 (11:11 +0200)]
Disable rate limiting in Development Settings

Bug: T225796
Change-Id: I2475a04066d4aaefeba372bd223ef68548a8cf18

2 years ago Installer: Update link to PHP intl away from old PECL package
Karsten Hoffmeyer [Tue, 11 Jun 2019 19:24:16 +0000 (21:24 +0200)]
Installer: Update link to PHP intl away from old PECL package

PHP 5.5 was the last version supported by PECL intl package. Now the
PHP intl extension is used instead.

Bug: T225558
Change-Id: I68cb7a549c899e69da9a8cfea5a69b9acb41e8ae
(cherry picked from commit 7f0f6af2902cb7cf1406df5b8ee8cd12a5a88f1f)

2 years ago 1.31.3 RELEASE-NOTES section
Reedy [Tue, 28 May 2019 23:43:59 +0000 (00:43 +0100)]
1.31.3 RELEASE-NOTES section

Change-Id: I8bc00c2274018f5d7051b34cdd162c001c58061c

2 years ago Prepare 1.31.2 1.31.2
Reedy [Tue, 28 May 2019 23:39:18 +0000 (00:39 +0100)]
Prepare 1.31.2

Change-Id: I0e6ef5f4a51adbe20631265a693c86f2114859d4

2 years ago Add RELEASE-NOTES for security patches
Reedy [Tue, 28 May 2019 23:38:44 +0000 (00:38 +0100)]
Add RELEASE-NOTES for security patches

Change-Id: I9032e202505fb77a7d4abea6662ef4f8fa49e0dd

2 years ago SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358
James D. Forrester [Thu, 25 Apr 2019 21:12:52 +0000 (16:12 -0500)]
SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358

Patch taken from https://github.com/DanielRuf/snyk-js-jquery-174006?files=1.

Bug: T221739
Change-Id: I99c2be81c74a8f1d35c421f0ee43c75efb30a7d0

2 years ago SECURITY: Add permission check for user is permitted to view the log type
rxy [Sun, 28 Apr 2019 20:14:18 +0000 (05:14 +0900)]
SECURITY: Add permission check for user is permitted to view the log type

Bug: T222038
Change-Id: I92ec2adfd9c514b3be1c07b7d22b9f9722d24a82

2 years ago SECURITY: Add permission check for user is permitted to view the log type
rxy [Sun, 28 Apr 2019 20:04:01 +0000 (05:04 +0900)]
SECURITY: Add permission check for user is permitted to view the log type

Bug: T222036
Change-Id: I7584ee8db23a8834bbab21e355cab9857a293f72

2 years ago SECURITY: Fix cache mode for (un)patrolled recent changes query
Lucas Werkmeister [Mon, 17 Dec 2018 13:02:39 +0000 (14:02 +0100)]
SECURITY: Fix cache mode for (un)patrolled recent changes query

Restricting the list of recent changes to patrolled, not patrolled,
autopatrolled, not autopatrolled, or unpatrolled recent changes requires
special permissions (as does displaying that status in the properties of
returned entries), but we only set the cache mode to private in the
first two cases.

Bug: T212118
Change-Id: I4c3fe6e47f80ebf97fa37875c704328d08772d26