Timo Tijhof [Tue, 22 Nov 2016 01:52:30 +0000 (17:52 -0800)]
Upgrade to jQuery v3
Source code:
https://code.jquery.com/jquery-3.2.1.js
https://code.jquery.com/jquery-migrate-3.0.0.js
Documentation:
https://blog.jquery.com/2016/06/09/jquery-3-0-final-released/
https://jquery.com/upgrade-guide/3.0/
This is not a breaking change because jQuery Migrate covers
all breaking changes.
However some extensions (especially unit tests) may've relied
on undocumented behaviour. For that reason, and due to unresolved
upstream issues this is still behind a feature flag for now.
It is true by default to ensure this has wide exposure to discover
issues as quickly as possible. If this is not resolved before
the end of the 1.29 release cycle it should be turned off again.
Bug: T124742
Change-Id: I3c3dedaa9a9d449eaa2b7e5d24b4540e7fa421c0
jenkins-bot [Thu, 13 Apr 2017 01:45:22 +0000 (01:45 +0000)]
Merge "resourceloader: Fold legacy modules into base modules request"
jenkins-bot [Thu, 13 Apr 2017 00:29:42 +0000 (00:29 +0000)]
Merge "Add comments to ApiBase::isWriteMode()"
Aaron Schulz [Wed, 12 Apr 2017 23:17:00 +0000 (16:17 -0700)]
Add comments to ApiBase::isWriteMode()
Change-Id: I3581f5e3055c425367d265a5c57831bb34dd5a2f
jenkins-bot [Wed, 12 Apr 2017 21:50:07 +0000 (21:50 +0000)]
Merge "Ensure logo preload transforms urls if needed"
jenkins-bot [Wed, 12 Apr 2017 21:48:10 +0000 (21:48 +0000)]
Merge "RC Filters: Disable defaults for legacy filters in structured UI"
Timo Tijhof [Wed, 12 Apr 2017 20:43:57 +0000 (13:43 -0700)]
Ensure logo preload transforms urls if needed
Follows-up 5f55e9c9c2a24.
If the logo url is from within /w, then ResourceLoaderSkinModule
will (as it should) apply a file hash query to it.
The preloader didn't do that, so it specified the wrong url.
Refactored SkinModule to make this logic re-usable.
Bug: T100999
Change-Id: I1ba11f7c70d1a725ad72754fee4a3f33c2a4c1be
jenkins-bot [Wed, 12 Apr 2017 21:16:50 +0000 (21:16 +0000)]
Merge "mw.widgets.Complex*: Fix setDisabled"
Translation updater bot [Wed, 12 Apr 2017 19:57:18 +0000 (21:57 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I9d431f5c949ec909d85949436b90ffde42139962
Prateek Saxena [Wed, 12 Apr 2017 19:27:22 +0000 (00:57 +0530)]
mw.widgets.Complex*: Fix setDisabled
* Check if elements exist before trying to disable them
* Return `this`, as the method is marked as chainable
Follows-up I6747f4e64dd81197bb3e37c09876399f1cb3be07
Bug: T162667
Change-Id: I17665e57537dbed0821bc3226377849eb8388a32
jenkins-bot [Wed, 12 Apr 2017 18:19:00 +0000 (18:19 +0000)]
Merge "Convert EditPage buttons, checkboxes and summary input to OOUI"
jenkins-bot [Wed, 12 Apr 2017 18:13:52 +0000 (18:13 +0000)]
Merge "Use delete_and_move_reason in content language on move over redirect"
jenkins-bot [Wed, 12 Apr 2017 18:07:43 +0000 (18:07 +0000)]
Merge "Move Database and subclasses to Rdbms namespace"
jenkins-bot [Wed, 12 Apr 2017 17:52:18 +0000 (17:52 +0000)]
Merge "mw.loader: Don't assume var 'loading' assigns before Promise resolves"
Aaron Schulz [Tue, 7 Feb 2017 04:49:57 +0000 (20:49 -0800)]
Move Database and subclasses to Rdbms namespace
Change-Id: I52bef87512f9ddd155d1f4cc0052f6b7a0db5b42
Fomafix [Wed, 12 Apr 2017 05:15:24 +0000 (07:15 +0200)]
mw.loader: Don't assume var 'loading' assigns before Promise resolves
In rare situations the variable loading already assigned with a promise and
the call to loading.map fails with
TypeError: loading.map is not a function
Change-Id: Ie50bdda229e48b159702fc2a83e641a35d7c850c
Fomafix [Wed, 12 Apr 2017 15:25:28 +0000 (17:25 +0200)]
Remove multiple spaces in PHP files
Change-Id: Id9c26ec5ca730a9536f8fdccb8853eb03cbe87a4
jenkins-bot [Wed, 12 Apr 2017 11:45:18 +0000 (11:45 +0000)]
Merge "Remove some ancient upgrade information from release notes"
jenkins-bot [Wed, 12 Apr 2017 06:58:13 +0000 (06:58 +0000)]
Merge "Preload the logo using link rel="preload" http header"
jenkins-bot [Wed, 12 Apr 2017 05:56:47 +0000 (05:56 +0000)]
Merge "Prevent PHPDBG from issuing notices in unit tests"
Timo Tijhof [Tue, 11 Apr 2017 00:57:16 +0000 (17:57 -0700)]
phpunit: Avoid use of wmf-production host names
* Remove use of 'eqiad' and 'wmnet' in unit tests.
Change-Id: I5bf19b63876e4dc8deaca8cd9907dca0bfa15455
Gilles Dubuc [Mon, 1 Jun 2015 16:58:42 +0000 (18:58 +0200)]
Preload the logo using link rel="preload" http header
This greatly increases the priority of loading
the logo on browsers that support rel="preload".
Bug: T100999
Change-Id: I0738fcc0a575153dab65016fa87faaa9b8b97a9d
Florian [Fri, 14 Aug 2015 18:07:35 +0000 (20:07 +0200)]
Convert EditPage buttons, checkboxes and summary input to OOUI
Several methods now have a new implementation using OOjs UI widgets
(ButtonInputWidget/ButtonWidget, CheckboxInputWidget, TextInputWidget).
The existing (public) methods are unchanged. The OOjs UI version is
used by default.
Because this change can cause problems for extensions and on-wiki
scripts depending on the exact HTML, the old version is still available
and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
This will be removed later and OOjs UI will become the only option.
To make testing easier, users can also force either mode by adding
&ooui=true or &ooui=false to the action=edit URL.
* EditPage::getSummaryInput() and EditPage::getSummaryInputOOUI()
* EditPage::getCheckboxes() and EditPage::getCheckboxesOOUI()
* EditPage::getCancelLink()
* EditPage::getEditButtons()
Bug: T111088
Co-Authored-By: Amir Sarabadani <ladsgroup@gmail.com>
Co-Authored-By: Florian Schmidt <florian.schmidt.welzow@t-online.de>
Change-Id: I25aa78ac59082789938ecfb5878eb16614392995
jenkins-bot [Wed, 12 Apr 2017 01:29:58 +0000 (01:29 +0000)]
Merge "Remove "editusercssjs" user right"
jenkins-bot [Wed, 12 Apr 2017 00:08:25 +0000 (00:08 +0000)]
Merge "RCFilters UI: Adjust styles to OOUI's newest release"
Moriel Schottlender [Tue, 11 Apr 2017 01:09:58 +0000 (18:09 -0700)]
RCFilters UI: Adjust styles to OOUI's newest release
Slight modifications for OOUI 0.21.0
Change-Id: I8b1db97fd7d52a57a7e3bdd13cc7dc4e364b8976
Volker E [Tue, 11 Apr 2017 23:41:59 +0000 (16:41 -0700)]
Update OOjs UI to v0.21.0
Release notes:
https://phabricator.wikimedia.org/diffusion/GOJU/browse/master/History.md;v0.21.0
Change-Id: I94d5b7a89551e7d34d53223872ad3005f0ac4a04
jenkins-bot [Tue, 11 Apr 2017 23:13:33 +0000 (23:13 +0000)]
Merge "objectcache: Complete coverage for newAnything()"
jenkins-bot [Tue, 11 Apr 2017 23:00:36 +0000 (23:00 +0000)]
Merge "wikibits: Remove methods deprecated since 1.17 and 1.18"
Timo Tijhof [Sun, 10 Apr 2016 02:05:14 +0000 (03:05 +0100)]
resourceloader: Fold legacy modules into base modules request
Follows-up 0ac4f998 (restore "blocking" legacy modules).
After d790562, legacy modules in the top queue were no longer consistently
loaded before the bottom queue due to the top queue being async.
The implied dependency was made explicit by 0ac4f998 by forcing all modules
to wait for legacy modules before executing.
This had the negative side-effect of putting an extra HTTP request between
the startup module request, base modules request, and actual execution
of page modules.
(Indentation aligns with when a request is triggered.)
Before:
1. Request: Startup module.
2. Request: Base modules
3. Request: Legacy modules
4. Page module request (or local store hit) and execution
After:
1. Request: Startup module.
2. Request: Base+legacy modules
3. Page module request (or local store hit) and execution
This could alternatively be fixed by moving the top queue to be before
the embedded modules and enforcing the embed in a different way.
It could also be fixed by debouncing module load calls so they naturally
end up in the same request as page modules.
However for now I'm addressing this by adding legacy modules to the
list of modules in the initial load request from the startup module.
This was not possible before because the legacy wikibits had dependencies
and base modules cannot have dependencies. Fixed in I7f9f61ea81ad1ef.
Bug: T159911
Change-Id: I54f087655e1cde1b8ff1ca5fe56e82f7f7d80965
jenkins-bot [Tue, 11 Apr 2017 22:48:27 +0000 (22:48 +0000)]
Merge "interwiki: Remove inappropiate use of wfMemcKey()"
Timo Tijhof [Tue, 11 Apr 2017 02:34:38 +0000 (19:34 -0700)]
interwiki: Remove inappropiate use of wfMemcKey()
This is used for lookup in a CDB file or PHP static array.
In neither case is the key created by wfMemcKey() or any other
implementation of BagOStuff::makeKey().
This is already broken if:
* An interwiki prefix were to contain characters not supported by
Memcached.
* An interwiki prefix and wikiid together are too long for Memcached.
* If the site has wgCachePrefix configured, which overrides the
wfWikiID() namespace makeKey() normally uses.
dumpInterwiki.php does not use wfMemcKey() either (and should not).
This was simply here as leftover from many rewrites ago, its
only purpose is to create wikiid + prefix joined by colon.
Ref T148958.
Change-Id: I45682133ed593fbb0d66af5a67751f77f15a4a14
jenkins-bot [Tue, 11 Apr 2017 22:25:33 +0000 (22:25 +0000)]
Merge "resourceloader: Add unit tests for ResourceLoaderImage"
Bartosz Dziewoński [Mon, 20 Mar 2017 19:34:21 +0000 (20:34 +0100)]
resourceloader: Add unit tests for ResourceLoaderImage
Follows-up I5b14d65a and I5a563c59.
Change-Id: Id42e1b868c9fe97cdb14b4bc7328947820a7fd94
Translation updater bot [Tue, 11 Apr 2017 20:18:15 +0000 (22:18 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I9d8d4197b88a4ded273ec2ed874b0965d9df1bb8
Translation updater bot [Tue, 11 Apr 2017 20:11:37 +0000 (22:11 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: Ib863e1b841bed4ddf5bed7adb27d49cfa4b82ce3
Timo Tijhof [Sun, 10 Apr 2016 02:10:42 +0000 (03:10 +0100)]
wikibits: Remove methods deprecated since 1.17 and 1.18
Keeping only importScript and friends and addOnloadHook for now.
Inline wikiUrlencode logic so that the dependency on mediawiki.util can be
removed, which caused significant performance overhead (See I54f087655e1c).
Follows-up:
* 68fae478a8 (1.22; deprecation warnings for ua vars)
* ec69391a4f (1.22; deprecation warnings for jsMsg)
* fcf4934a52 (1.23; deprecation warnings for the rest)
The following have been deprecated since either 1.17 or 1.18. Deprecation
warnings were added in 1.22. Most of these variables have also been replaced
with dummy placeholders in 1.22 so that calling code is silently disabled
instead of causing cascading failures into other code. Anything still using
these variables to date has been broken since at least April 2013.
* User-Agent variables:
is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera, ie6_bugs.
(deprecated since 1.17; warnings and hardcoded to false since 1.22)
clientPC
(deprecated since 1.17; warnings added in 1.22)
* DOM manipulation:
changeText, killEvt, addHandler, hookEvent, addClickHandler, removeHandler,
getElementsByClassName, getInnerText.
(deprecated since 1.17; replaced with no-op warning dummies in 1.22)
* Checkbox utilities:
setupCheckboxShiftClick, addCheckboxClickHandlers.
(deprecated since 1.17; replaced with no-op warning dummies in 1.22)
* Classic toolbar utilities:
mwEditButtons, mwCustomEditButtons
(deprecated since 1.17; replaced with no-op warning dummies in 1.22)
* Misc utilities:
- injectSpinner, removeSpinner, escapeQuotes, escapeQuotesHTML, jsMsg
(deprecated since 1.17; replaced with no-op warning dummies in 1.22)
- addPortletLink, appendCSS, tooltipAccessKeyPrefix,
tooltipAccessKeyRegexp, updateTooltipAccessKeys
(deprecated since 1.17; warnings added in 1.22)
Bug: T122755
Change-Id: I7f9f61ea81ad1efa0b5cff79b5e5f4bbe2d401fe
Kaldari [Tue, 11 Apr 2017 18:30:09 +0000 (11:30 -0700)]
Correcting qqq message about Special:AutoblockList submit button
Change-Id: I6d9c1f4cb223c12ee986848308aa1060499eac48
jenkins-bot [Tue, 11 Apr 2017 18:05:36 +0000 (18:05 +0000)]
Merge "First version of AutoblockList special page"
mainframe98 [Mon, 6 Mar 2017 20:09:36 +0000 (21:09 +0100)]
First version of AutoblockList special page
This patch introduces a new special page named AutoblockList.
Its design is reused from Special:BlockList.
Bug: T146414
Change-Id: I811d23c98be749d8df36700b07a295355691af77
jenkins-bot [Tue, 11 Apr 2017 14:07:11 +0000 (14:07 +0000)]
Merge "API: Optionally include in job queue size in maxlag"
zppix1 [Thu, 19 Jan 2017 02:37:17 +0000 (20:37 -0600)]
Remove "editusercssjs" user right
Deprecated since MediaWiki 1.16
Change-Id: Ic9851d53affe0f4ece7a79f541ec5cb39133b109
jenkins-bot [Tue, 11 Apr 2017 04:23:44 +0000 (04:23 +0000)]
Merge "chmod -x SpecialNewpages.php"
Kunal Mehta [Mon, 10 Apr 2017 06:54:01 +0000 (23:54 -0700)]
API: Optionally include in job queue size in maxlag
maxlag is the default mechanism most bots and libraries use in
determining when to back off due to wiki overload. However these days,
there are other things that should be considered when asking bots to
back off, one of those is job queue size.
For compatibility and simplicity of use, the number of jobs is converted
into something resembling seconds using a configurable factor. We also
output the total number of jobs in the API error output so more
sophisticated clients can do a more advanced back off.
Bug: T160003
Change-Id: Iedae2344a3d93202efbdd1bf807cef6165b6257a
Kunal Mehta [Mon, 10 Apr 2017 22:07:49 +0000 (15:07 -0700)]
chmod -x SpecialNewpages.php
This is not an executable script.
Change-Id: I1daa0eff24f5a7b65c2df75f44c0e28d0795d9f6
Timo Tijhof [Mon, 10 Apr 2017 21:41:12 +0000 (14:41 -0700)]
objectcache: Complete coverage for newAnything()
* Fix typo that disabled testNewAnythingNoAccel().
Follows-up c5a0fa5bed, accidentally committed a local hack
to disable the test.
* Add missing case other types falling back and no DB.
* Add missing case of no other types and no DB.
Change-Id: If158f21053f0b3741f2625fe4455fdb31955a22f
Arlo Breault [Mon, 10 Apr 2017 21:13:56 +0000 (17:13 -0400)]
Sync up with Parsoid parserTests.txt
This now aligns with Parsoid commit 906375badbbf3d10455f36d9ecbaa8f66f5e6425
Change-Id: I1a102a4b6988eb972215eb7210a44cdf19d04c47
Translation updater bot [Mon, 10 Apr 2017 20:15:15 +0000 (22:15 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I6f8349c3dae6b75a0936e630d7339b94b0811ddb
jenkins-bot [Mon, 10 Apr 2017 18:59:12 +0000 (18:59 +0000)]
Merge "MediaSearchWidget: Listen to "change" event to reposition"
Moriel Schottlender [Wed, 5 Apr 2017 21:55:15 +0000 (14:55 -0700)]
MediaSearchWidget: Listen to "change" event to reposition
The "add" event is emitted too early (by the OO.EmitterList, before
the items are attached to the DOM) so instead we have to go by the
GroupElement event api itself -- which uses "change" event to all
item changes.
Listening to item change means that we are certain the items are
already attached to the DOM before we manipulate and read their
positioning, etc.
Bug: T162202
Change-Id: I3ef9d9451562c725e12a66b80048fc3836280d9f
jenkins-bot [Mon, 10 Apr 2017 18:50:19 +0000 (18:50 +0000)]
Merge "Add ?safemode=1 to disable user JS/CSS"
jenkins-bot [Mon, 10 Apr 2017 18:46:29 +0000 (18:46 +0000)]
Merge "RC Filters: correctly read default value for 'string_options' filters"
Ed Sanders [Wed, 6 Jul 2016 21:05:24 +0000 (22:05 +0100)]
Use classes instead of IDs for TOC collapsing
One may want to have multiple TOCs on the page (e.g. in VisualEditor).
Change-Id: I19701c4037b653b2944e407752e50f444861f883
jenkins-bot [Mon, 10 Apr 2017 16:14:50 +0000 (16:14 +0000)]
Merge "Fixes to mw.notifications"
jenkins-bot [Mon, 10 Apr 2017 15:53:15 +0000 (15:53 +0000)]
Merge "stylelint: Remove no-unsupported-browser-features exceptions"
jenkins-bot [Mon, 10 Apr 2017 15:50:40 +0000 (15:50 +0000)]
Merge "EditPage: Fix typo in comment"
Ed Sanders [Mon, 10 Apr 2017 15:13:20 +0000 (16:13 +0100)]
Fixes to mw.notifications
* Fix cutting of drop shadows
* Use null as default empty value
Change-Id: I09b77161c3a2cc0ef586c08c7287a73bd1dd2066
jenkins-bot [Mon, 10 Apr 2017 15:06:47 +0000 (15:06 +0000)]
Merge "Add UserGroupMembership details to the UserGroupsChanged hook"
Seb35 [Mon, 10 Apr 2017 11:32:15 +0000 (13:32 +0200)]
Prevent PHPDBG from issuing notices in unit tests
Although issuing PHP notices in unit tests is only a nice-to-have, the cause
is PHPDBG has no special treatment in JobQueueGroup at the contrary of the
PHP SAPI 'cli', and it may be desirable both 'command line SAPIs' have the
same behaviour.
This is the most apparent difference between cli and phpdbg but there could
be a dozen of other occurrences (see bug), potentially creating differences
in unit tests depending on the SAPI.
Bug: T162591
Change-Id: Idf9c14db72f1f768c5a17b49ed689a05922c57d3
Aaron Schulz [Tue, 21 Mar 2017 18:47:52 +0000 (11:47 -0700)]
Add EtcdConfig class
Bug: T156924
Change-Id: I60914d31c21484bfb935fe3d8c3168b51a2d5d1b
Translation updater bot [Sun, 9 Apr 2017 19:52:36 +0000 (21:52 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I742a743e37c056c2bc04d09a1ce86d05aa65ae1d
Ed Sanders [Sun, 9 Apr 2017 17:04:06 +0000 (18:04 +0100)]
stylelint: Remove no-unsupported-browser-features exceptions
We no longer use this rule.
Change-Id: I97063c786952364620a7380936da14ebeb1aa1d9
Ed Sanders [Sun, 9 Apr 2017 17:03:32 +0000 (18:03 +0100)]
EditPage: Fix typo in comment
Change-Id: I084933a733c704188217c1d306454d2fed08b59b
Translation updater bot [Sat, 8 Apr 2017 20:36:24 +0000 (22:36 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I325563cad264df780d346f76427a324f7b58160d
jenkins-bot [Sat, 8 Apr 2017 09:36:21 +0000 (09:36 +0000)]
Merge "ApiPageSet: Follow RedirectSpecialArticle redirects"
jenkins-bot [Sat, 8 Apr 2017 09:33:14 +0000 (09:33 +0000)]
Merge "Add .rej files to .gitignore"
jenkins-bot [Sat, 8 Apr 2017 09:20:25 +0000 (09:20 +0000)]
Merge "Update HISTORY for 1.28.1/1.27.2/1.23.16"
Umherirrender [Sat, 8 Apr 2017 09:08:00 +0000 (11:08 +0200)]
Use delete_and_move_reason in content language on move over redirect
Follows I9645f23c5d6132abb304e254b039036ebca4b064
Bug: T161993
Change-Id: I08426118947ef5a9ea887a973fdf0a9176639aab
This, that and the other [Sat, 8 Apr 2017 07:32:53 +0000 (17:32 +1000)]
Add UserGroupMembership details to the UserGroupsChanged hook
For Echo.
Bug: T159301
Change-Id: I5d32445f8e5b41599889b8488a2431e7a908f858
umherirrender [Sat, 29 Oct 2016 14:33:13 +0000 (16:33 +0200)]
Move count of revisions/files out of undelete log comment
The log comment on undelete contains a hint about the count of restored
files and/or revisions.
Move this text out of the comment to allow longer comments. Also makes
this information readable inside the api.
This is only for new log entries. Old entries will still show the hint
from the comment and no data in the api.
Change-Id: I9e30eb1271656bb81259a408210e9a282e949c57
jenkins-bot [Sat, 8 Apr 2017 02:26:47 +0000 (02:26 +0000)]
Merge "Use IDatabase type hints in /maintenance"
jenkins-bot [Sat, 8 Apr 2017 00:00:46 +0000 (00:00 +0000)]
Merge "objectcache: Complete code coverage for CachedBagOStuff"
jenkins-bot [Fri, 7 Apr 2017 23:51:28 +0000 (23:51 +0000)]
Merge "objectcache: Fix CachedBagOStuff to use backend makeKey()"
jenkins-bot [Fri, 7 Apr 2017 23:48:10 +0000 (23:48 +0000)]
Merge "Database: clean up lockTables() and add postgres support"
Aaron Schulz [Thu, 30 Mar 2017 20:46:06 +0000 (13:46 -0700)]
Use IDatabase type hints in /maintenance
Relatedly, move lockTables()/unlockTables() to IMaintainableDatabase
Change-Id: Ib53e9fa948deb2f9a70f0ce16c002613d0060bf9
Timo Tijhof [Fri, 7 Apr 2017 23:30:33 +0000 (16:30 -0700)]
objectcache: Complete code coverage for CachedBagOStuff
Change-Id: I8a228d68701f1ad4d37f60de53d105c32898dc8b
Timo Tijhof [Fri, 7 Apr 2017 23:11:40 +0000 (16:11 -0700)]
objectcache: Fix CachedBagOStuff to use backend makeKey()
Follows-up 25dbd91513f1e5.
Change-Id: Ib727c57cb27f05c0462bfdfee89a185ef6603ddd
Aaron Schulz [Thu, 30 Mar 2017 21:56:22 +0000 (14:56 -0700)]
Database: clean up lockTables() and add postgres support
A new method is now available to check whether session scope
locks are supported, which callers typically want when using lock().
Its usage can avoid deadlock prone and expensive row-level locks for
some maintenance tasks.
For Postgres, table locks are tied to the transaction. Trigger
startAtomic() in lockTables() and endAtomic() in unlockTables() to
assure that a transaction is present.
Also remove LOW_PRIORITY feature, which is ignored by mysql.
Change-Id: I499061bcc2763afb1ff4a43319064eed4ba3a8fe
Translation updater bot [Fri, 7 Apr 2017 20:04:40 +0000 (22:04 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I4ccefb84808700373dfb0a694991a5c47fe9a48b
Moriel Schottlender [Fri, 7 Apr 2017 18:15:17 +0000 (11:15 -0700)]
RCFilters UI: Check that filter exists before changing its state
Bug: T162417
Change-Id: I53bdd8106f5072f70f2618f2b6e6c9da37675fc9
Reedy [Fri, 7 Apr 2017 09:52:29 +0000 (10:52 +0100)]
Update HISTORY for 1.28.1/1.27.2/1.23.16
Bug: T162170
Change-Id: Ic9d0eb183c56caa2955509f1e74cec1f101b89e1
jenkins-bot [Thu, 6 Apr 2017 23:30:01 +0000 (23:30 +0000)]
Merge "phpunit: Avoid use of deprecated getMock for PHPUnit 5 compat"
Reedy [Thu, 6 Apr 2017 22:23:03 +0000 (23:23 +0100)]
Add .rej files to .gitignore
Change-Id: Ie4f470f5f0528308871b78c7c823851b0a45e8eb
jenkins-bot [Thu, 6 Apr 2017 21:46:48 +0000 (21:46 +0000)]
Merge "SECURITY: Do not allow users to undelete a page they can't edit or create"
L10n-bot [Thu, 6 Apr 2017 21:44:25 +0000 (21:44 +0000)]
Merge "Revert "Localisation updates from https://translatewiki.net.""
Raimond Spekking [Thu, 6 Apr 2017 21:44:02 +0000 (21:44 +0000)]
Revert "Localisation updates from https://translatewiki.net."
Overwrites changes
This reverts commit ead4315a667fc4c22790681e24d09972ab37123e.
Change-Id: Iee963af531c40495d65e6414b3bb3f5cf860dd85
jenkins-bot [Thu, 6 Apr 2017 21:28:45 +0000 (21:28 +0000)]
Merge "SECURITY: Always normalize link url before adding to ParserOutput"
jenkins-bot [Thu, 6 Apr 2017 21:28:41 +0000 (21:28 +0000)]
Merge "SECURITY: Don't write LocalisationCache to temporary directory"
jenkins-bot [Thu, 6 Apr 2017 21:28:37 +0000 (21:28 +0000)]
Merge "SECURITY: Whitelist DTD declaration in SVG"
jenkins-bot [Thu, 6 Apr 2017 21:28:34 +0000 (21:28 +0000)]
Merge "SECURITY: Escape wikitext content model/format in message"
jenkins-bot [Thu, 6 Apr 2017 21:10:22 +0000 (21:10 +0000)]
Merge "SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited""
L10n-bot [Thu, 6 Apr 2017 21:09:40 +0000 (21:09 +0000)]
Merge "Localisation updates from https://translatewiki.net."
Translation updater bot [Thu, 6 Apr 2017 21:09:29 +0000 (23:09 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: Ia470eb8a4c72ef0ae0031271cbd4384c5703176f
Brian Wolff [Mon, 13 Jun 2016 07:07:48 +0000 (03:07 -0400)]
SECURITY: Do not allow users to undelete a page they can't edit or create
If the page exists, it only checks edit rights, otherwise it
checks both edit and create rights.
This would only matter on wikis that have a non-default rights
configuration where there are users with undelete rights but a
restriction level enabled that prevents them from creating/editing
pages (or they otherwise aren't allowed to edit/create)
It should be noted that the error messages aren't used in the
normal UI currently, but they could be in the future, and
extensions could potentially be using them (The backend functions
return them, but the UI functions in Special:Undelete ignore
them)
Bug: T108138
Change-Id: I164b80534cf89e0afca264e9de07431484af8508
Brian Wolff [Fri, 11 Mar 2016 01:08:06 +0000 (20:08 -0500)]
SECURITY: Always normalize link url before adding to ParserOutput
Move link normalization directly into addExternalLink() method,
since you always need to do it - having it separate is just
inviting people to forget to normalize a link.
Additionally, links weren't properly registered for <gallery>.
This was somewhat unnoticed, as the call to recursiveTagParse()
would register free links, but it wouldn't work for example with
protocol relative links.
Issue originally reported by MZMcBride.
Bug: T48143
Change-Id: I557fb3b433ef9d618097b6ba4eacc6bada250ca2
Reedy [Tue, 28 Mar 2017 20:47:08 +0000 (21:47 +0100)]
SECURITY: Don't write LocalisationCache to temporary directory
Bug: T161453
Change-Id: I51b375c63fcece908da921c465c861968c9eee1c
Brian Wolff [Mon, 28 Nov 2016 23:34:24 +0000 (23:34 +0000)]
SECURITY: Whitelist DTD declaration in SVG
Only allow ENTITY declarations inside the doctype internal
subset. Do not allow parameter entities, recursive entity
references are entity values longer than 255 bytes, or
external entity references. Filter external doctype subset
to only allow the standard svg doctypes.
Recursive entities that are simple aliases are allowed
because people appear to use them on commons. Declaring
xmlns:xlink to have a #FIXED value to the xlink namespace
is allowed because GraphViz apparently does that so its
somewhat common.
This prevents someone bypassing filter by using default
attribute values in internal dtd subset. No browser loads
the external dtd subset that I could find, but whitelist
just to be safe anyways.
Issue reported by Cassiogomes11.
Bug: T151735
Change-Id: I7cb4690f759ad97e70e06e560978b6207d84c446
Brian Wolff [Mon, 13 Mar 2017 21:20:02 +0000 (21:20 +0000)]
SECURITY: Escape wikitext content model/format in message
Escape wikitext in model= and format= url parameter to
edit page. This goes along with 1c788944 to help prevent
XSS for wikis with $wgRawHtml = true; set.
Bug: T156184
Change-Id: Ifcaa2ccf05a2a691d0b150e2f7e0e765db25fc7f
Bartosz Dziewoński [Mon, 7 Nov 2016 19:10:21 +0000 (20:10 +0100)]
SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"
Bug: T150044
Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661
Brad Jorsch [Thu, 18 Aug 2016 17:37:05 +0000 (13:37 -0400)]
SECURITY: API: Don't log "sensitive" parameters
Stuff like passwords and CSRF tokens shouldn't be in the logs.
The fact of being sensitive is intentionally separated from the need to
be in the POST body because, for example, the wltoken parameter to
ApiQueryWatchlist needs to be in the query string to serve its purpose
but still shouldn't be logged.
Bug: T125177
Change-Id: I1d61f4dcf792d77401ee2e2988b1afcb2a2ad58f