Brian Wolff [Thu, 27 Sep 2018 11:42:37 +0000 (11:42 +0000)]
SECURITY: Don't allow loading unprotected JS files
This is meant to protect against malicious people while avoiding
annoying good users as much as possible. We may want to restrict
this further in the future, but that's something that can be discussed
in the normal way.
Bug: T194204
Bug: T113042
Bug: T112937
Change-Id: I27e049bae78b5c0f63b10f454b740cb1dc394813
Brian Wolff [Tue, 15 May 2018 00:34:14 +0000 (00:34 +0000)]
SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log
Loading JS from an unregistered user's JS subpage is a severe
security risk as someone could potentially register that account
and then modify the JS.
Bug: T207603
Change-Id: I741736e12b0ed49e95f22c869a2b53e2c97b31f0
jenkins-bot [Sun, 21 Oct 2018 17:33:31 +0000 (17:33 +0000)]
Merge "Don't pass a MailAddress pass the email to mail()" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 15:59:47 +0000 (15:59 +0000)]
Merge "Update ImportableUploadRevisionImporter for interwiki usernames" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 15:59:42 +0000 (15:59 +0000)]
Merge "installer: Don't link to the obsolete "Extension Matrix" page" into REL1_31
Brad Jorsch [Wed, 17 Oct 2018 15:26:51 +0000 (11:26 -0400)]
Database: Allow selectFieldValues() to accept SQL fragments
The documentation says "This must be a valid SQL fragment", but as
written it breaks if given anything other than a field name. It's easy
enough to fix by adding an alias to the internal select() call.
Bug: T201781
Change-Id: I76428af6d3aadc266254fdb24109a0ac2db3761f
(cherry picked from commit
c5a5b022400318e52638a4d34369ddbb74d7a21b)
Zoranzoki21 [Sat, 29 Sep 2018 00:06:23 +0000 (03:06 +0300)]
installer: Don't link to the obsolete "Extension Matrix" page
Bug: T205765
Change-Id: Id1ba965c7c06ce03611ba745421dc982f5393f8c
(cherry picked from commit
8b7b5f04b7c84ffd2cda3aae06513a8e4fca6128)
Reedy [Sat, 20 Oct 2018 12:37:15 +0000 (13:37 +0100)]
Don't pass a MailAddress pass the email to mail()
Bug: T207541
Change-Id: I1516023907e9773cb093010c6b67279f695abb1a
(cherry picked from commit
c57aacb782f5ce5e53253192a53d736ece300d3c)
Kunal Mehta [Sat, 20 Oct 2018 12:35:22 +0000 (05:35 -0700)]
Include IP address in "Login for $1 succeeded" log entry
Bug: T207540
Change-Id: Iab4f2f2ddc8e64ead2f33356d03fa7beed399415
Brad Jorsch [Tue, 16 Oct 2018 14:47:44 +0000 (10:47 -0400)]
Update ImportableUploadRevisionImporter for interwiki usernames
This was somehow missed in I5401941c.
Bug: T206013
Change-Id: Ia618b05329e6cbfca7c95d9161f12ba4150705c8
(cherry picked from commit
afb2578055b49f3fe523cf9314f75d63bac4786b)
Brad Jorsch [Tue, 16 Oct 2018 14:22:33 +0000 (10:22 -0400)]
Add session_write_close() calls to SessionManager tests
PHP 7.3 doesn't like it if session_id() is called when the session has
been started, so we need to be sure to close it first in a few tests.
Bug: T207112
Change-Id: Ief36c1bb7b5c9066f158b5bb0d6d785a7f7ddd3c
(cherry picked from commit
6698b7ea1d63fbd2e3014bf563c3ad9e937bc8dd)
Aryeh Gregor [Mon, 8 Oct 2018 18:04:12 +0000 (21:04 +0300)]
Output only to stderr in unit tests
Otherwise, session tests don't work in PHP 7.2 because headers are
already sent: https://bugs.php.net/bug.php?id=75628
Bug: T206476
Change-Id: Ie88db4a61a56b756c6445d2579a2f30da22c3ee8
Aryeh Gregor [Mon, 8 Oct 2018 17:10:36 +0000 (20:10 +0300)]
Suppress "Headers already sent" in PHP 7.2 too
The "h" is now capitalized, so we need to update the regex.
Change-Id: I1111e1228868ec66d930c7a3b0d7972e5c6356b9
(cherry picked from commit
1572f3b1b89abc958da6a7d131553e3b67953403)
Aaron Schulz [Sat, 26 May 2018 00:29:17 +0000 (17:29 -0700)]
Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable
Change-Id: Ida81bf998b462f2f6bb2b708df1f15bbc1933db1
(cherry picked from commit
b172aff090b7c59c2f602931d469cf3ac5e9e74a)
Edward Chernenko [Mon, 18 Jun 2018 22:53:52 +0000 (01:53 +0300)]
Fix PHP warnings "preg_replace(): [...] invalid range in character class"
This was spotted when running tests on Travis (PHP 7.3 nighly, trusty).
Two expressions inside preg_replace() contained non-escaped "-" inside [],
where this "-" meant an actual "-" character.
The warning is because "-" has special meaning inside [] ("a-z" for range),
and things like [\w-.] are considered "invalid range".
Solution is to escape "-" like this: [\w\-.]
Change-Id: I41cc217081f00f54d957b6d8052ee209412f5ff6
(cherry picked from commit
d88e924b6e5a7d529c471980e14f72430a94e546)
Kunal Mehta [Mon, 15 Oct 2018 07:17:38 +0000 (00:17 -0700)]
LocalisationCache: Avoid use of compact()
In PHP 7.3, compact() now raises notices if the variable is undefined, which
is something that we expect. So we can check whether the key exists instead
of bothering with compat() and suppressing warnings.
Bug: T206979
Change-Id: I612049db4debd850a2e6d10bc631d31aa17be898
(cherry picked from commit
d0463178dfa09b79b3a08fee939da1beed030824)
RazeSoldier [Mon, 15 Oct 2018 15:58:26 +0000 (23:58 +0800)]
Use "break" instead of "continue" inside a switch
"continue" statements in a switch are equivalent to "break". In PHP 7.3, will generate a warning.
Bug: T206974
Change-Id: I54bcec013ff52ab81bff09f8f7ef02f3944a5b7d
(cherry picked from commit
f3b012b51f492155cd7acf4d7f641cd43147bfc0)
RazeSoldier [Mon, 15 Oct 2018 10:35:36 +0000 (18:35 +0800)]
Update git submodules
* Update extensions/ParserFunctions from branch 'REL1_31'
to
f2c63e5062c136d756d5d4378a722385e4b0149c
- Use "break" instead of "continue" inside a switch
"continue" statements in a switch are equivalent to "break". In PHP 7.3, will generate a warning.
Also change the indentation.
Bug: T206977
Change-Id: I8ad0ef6508e73bcca7dabfe2e88d661dd409bdfb
(cherry picked from commit
d258457e018bfa157bf4b782efed8c160ec40545)
RazeSoldier [Thu, 23 Aug 2018 16:18:07 +0000 (00:18 +0800)]
Use "break" instead of "continue"
"continue" statements are equivalent to "break". In PHP 7.3, will generate a
warning.
Bug: T200595
Change-Id: I244ecb2e1ce5a76295f014fb1becd8d263196846
(cherry picked from commit
24ffbd9bd182944daa8b12244b729562cd5f50db)
jenkins-bot [Fri, 12 Oct 2018 00:32:25 +0000 (00:32 +0000)]
Merge "Remove deprecated pear/mail_mime-decode from composer dependancies" into REL1_31
Reedy [Thu, 11 Oct 2018 20:54:58 +0000 (21:54 +0100)]
Update git submodules
* Update vendor from branch 'REL1_31'
to
86a1bbc0ab0fe0a4a750b48a1f76baa48ed013b1
- Remove pear/mail_mime-decode
Code isn't PHP 7 compatible, and rotted. Useful code seems to have
been merged into pear/mail
Bug: T109121
Change-Id: Iaaba6985526e95699fe24e7fbc64817d3dd9ebaf
Reedy [Thu, 11 Oct 2018 20:42:15 +0000 (21:42 +0100)]
Remove deprecated pear/mail_mime-decode from composer dependancies
Bug: T109121
Change-Id: I198e39e77d54bf3edd0ebf08403c6623d6092fd4
Reedy [Thu, 11 Oct 2018 18:20:30 +0000 (19:20 +0100)]
Load installer i18n when running update.php
Bug: T206765
Change-Id: Ie1c1a5dbf7c905eaca55777448e5aba00267ed31
(cherry-picked from
a8408122fd7982ec1f6f380288c887298ba07045)
Mark A. Hershberger [Tue, 24 Jul 2018 16:36:46 +0000 (12:36 -0400)]
Add pear/Net_SMTP 1.7.3 to composer dependencies
Bug: T200254
Change-Id: I231759a1e0bd5b8750939acaad85ed327d052b79
Brad Jorsch [Thu, 26 Apr 2018 18:52:12 +0000 (14:52 -0400)]
Fix typo in postgres patch-drop-ar_text.sql
I18f1c740 was cherry-picked to REL1_31 but it was broken.
Before that got merged to REL1_31, this was already in master,
but apparently that was missed when cherry-picking.
This should have made 1.31-rc.2.
Bug: T205967
Change-Id: I6d479d123848325b8501275ef4b98fc81cd99505
(cherry picked from commit
7e685a395d4a6e69d904c03f6e847b18795217a9)
Kunal Mehta [Wed, 26 Sep 2018 04:44:50 +0000 (21:44 -0700)]
Document removal of CologneBlue & Modern from the tarball
Worth noting as a pre-upgrade thing, as trying to run the updater will fail
unless it's disabled or downloaded separately.
Reported by <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909589>.
Change-Id: I5ea6dc65d683dfceaa25104ca59f2f56c1ab1884
Brad Jorsch [Tue, 18 Sep 2018 16:01:32 +0000 (12:01 -0400)]
WatchedItemStore::countVisitingWatchersMultiple() shouldn't query all titles when asked for none
If a caller gives an empty array for $targetsWithVisitThresholds, per
the documentation it should be expecting an empty array in return, not a
count of watchers for every title in the database.
Bug: T204729
Change-Id: I0f25fae301450d077bb30597281aaef0fba209d4
(cherry picked from commit
f5469d36602cb2a95396830b14e9a631d698f3a6)
Kunal Mehta [Mon, 3 Sep 2018 08:11:17 +0000 (01:11 -0700)]
Bump 1.31.1
Change-Id: I4f1dbc9ddf6daa9e67a08908d0c04db876493b84
Kunal Mehta [Fri, 20 Jul 2018 20:29:14 +0000 (22:29 +0200)]
SECURITY: Don't exclude .htaccess files from `git archive`
Bug: T199029
Change-Id: I7ada3dddc4f5f7f2800882ccc9c73c8494f7fac9
Brian Wolff [Sun, 13 May 2018 19:37:09 +0000 (19:37 +0000)]
SECURITY: Do not allow botpassword login if account locked.
Reported by Rxy
Bug: T194605
Change-Id: Ib41005e69ab4db6f849837de12f0d41398b58f9a
Chad Horohoe [Tue, 13 Mar 2018 18:43:30 +0000 (18:43 +0000)]
SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limit
The order of operations was incorrect.
Bug: T169545
Change-Id: Ia910aa2a494914d3b0017daac9ab294ea9fa8705
Jayprakash12345 [Wed, 22 Aug 2018 18:53:05 +0000 (00:23 +0530)]
UsersPager: Fix typo in formDescriptor array
Bug: T202550
Change-Id: I06c6cf596ab0f159ad6a50251788ff3917125ae7
(cherry picked from commit
eee4385869fab8d1b5dde7bd3f6520ed880ef673)
Tim Starling [Wed, 1 Aug 2018 01:30:49 +0000 (11:30 +1000)]
Fix pingback on non-MySQL
MySQL has its own implementation of upsert(), but the others rely on
$uniqueIndexes being a field list, not a field/value associative array.
The previous code generated an SQL error when checking for existing
values.
Bug: T200864
Change-Id: Ifb56f7f350fbb84144bc6f5a1dd76939816338a6
(cherry picked from commit
ba54f7f90dce0e06ff3c4ad1ec141362f10be9a9)
Aaron Schulz [Wed, 15 Aug 2018 01:44:40 +0000 (18:44 -0700)]
Make ExternalStoreDB "wiki" context override the server "dbname" field
This is all that is needed for b/c and going beyond that can break
foreign wiki (domain) external store access if matching per-wiki DB
names *are* used for external store.
Follow up to
92e4ace7eae61.
Bug: T200471
Change-Id: I877139ff659f542da04d4d8f5ef3297dbfcfd734
Aaron Schulz [Sun, 12 Aug 2018 10:14:54 +0000 (03:14 -0700)]
Use LB server configuration to force DB domains in ExternalStorageDB
This is for backwards-compatibility for pre
14ee3f210782 external store
configuration that relied on not using the main wiki DB name(s).
(cherry-picked from
92e4ace7eae612ce0fa040e02d932516c4d99712)
Bug: T200471
Change-Id: Ie60cae64e32ff2532565cbd79c8e084634a61cce
Tim Starling [Wed, 1 Aug 2018 00:18:08 +0000 (10:18 +1000)]
Fix total breakage of SQLite web upgrade
Partial revert of
8d61cf2793abd2, since LBFactoryTest.php passes without
overriding selectDB() in the current master. It's unclear why it was necessary.
Bug: T200861
Change-Id: I7c0560d7890616899297f81a227db98996d5cb7f
(cherry picked from commit
7584bf22fb2bda3c66ecf50c1edaad904ee1a649)
Sam Wilson [Sat, 30 Jun 2018 07:55:47 +0000 (15:55 +0800)]
Guard against uncountable tag values
As of PHP 7.2 counting false or null raises a "Warning: count(): Parameter must be an array or an object that implements Countable".
Bug: T182377
Bug: T196793
Change-Id: I7ca38bc55ae04f68106fe0d27c7d496da1538459
(cherry picked from commit
61af022e5f8e06c2588a8fc3fd003f52bdb85b08)
Matěj Suchánek [Sun, 29 Jul 2018 09:54:45 +0000 (11:54 +0200)]
Treat all time values on Special:Watchlist as floats
PHP division may return float or int, depending on the operands. [1]
Make sure all numbers are of the same type (floats), because
XmlSelect compares values with ===.
[1] http://php.net/manual/en/language.operators.arithmetic.php
Bug: T199566
Change-Id: I37df6fd425f47d9a4562d83e04fcb50c3b97e0da
(cherry picked from commit
4b75063d0eafeb9260f177cde782156a81b56f6b)
Brad Jorsch [Wed, 13 Jun 2018 13:51:57 +0000 (09:51 -0400)]
PHPSessionHandler: Suppress warnings in initialize()
PHP 7.2 has gotten strict about calling various session-related methods
after headers were sent. Even in CLI mode where there are no headers to
send in the first place. Silence these warnings.
Bug: T197030
Change-Id: Idaabf1320c56e0d6c26387f03af05f32e1496a1c
(cherry picked from commit
701854b3ebc3c2b06067823395a7d95e8984cfda)
Aaron Schulz [Thu, 14 Jun 2018 00:14:23 +0000 (17:14 -0700)]
rdbms: disable ChronologyProtector if EmptyBagOStuff is used
Bug: T197206
Change-Id: Ic07634224fac1ae72d1ba20176c028fdda5ba415
jenkins-bot [Wed, 18 Jul 2018 10:26:57 +0000 (10:26 +0000)]
Merge "Avoid arithmetics on localized number string ("0,04") in SpecialWatchlist" into REL1_31
Florian Schmidt [Fri, 15 Jun 2018 15:51:22 +0000 (17:51 +0200)]
registration: Use the correct key for skin dependencies
Instead of using "skin" to check for skin dependencies, extension registration
now uses the correct key "skins" (from the schema).
Bug: T197478
Change-Id: I382fc79229e1406786f444192e6e3e3bde44d224
(cherry picked from commit
0f7e760334df920adca5f6340814ba028b95dae0)
petarpetkovic [Thu, 24 May 2018 22:27:21 +0000 (00:27 +0200)]
Insert space before compatibility link in PHP version message
Change-Id: Ia056ba7f9eddbcf31082c7b2f7a64e7dbf02cba4
(cherry picked from commit
6da2a437e3ce62652c5e5a0d631be36908eee369)
Brad Jorsch [Tue, 10 Jul 2018 18:13:58 +0000 (14:13 -0400)]
SpecialChangeEmail: Log email changes
Bug: T151415
Change-Id: Icc403be286f87a591ebc9d3e07d84b09f8b87713
Edward Chernenko [Sun, 1 Jul 2018 02:10:56 +0000 (05:10 +0300)]
Avoid arithmetics on localized number string ("0,04") in SpecialWatchlist
In SpecialWatchlist::cutoffselector(), values like 1/24 or 6/24 are cast
to string via strval(). However, in some locales (e.g. ru_RU.utf8) strval
will return a localized form of the number, e.g. "0,04" instead of "0.04".
This "0,04" is then used in arithmetic operations, where it's treated as 0,
resulting in "0 hours" being shown instead of "1 hour", "2 hours", etc.
Bug: T198501
Change-Id: Iaa4e6170b30a7bb9ce0f22d9d2cc4772b0faa3b8
(cherry picked from commit
6b240c699eb1e965dad3c51107566f1f27ed1887)
Kunal Mehta [Sun, 24 Jun 2018 20:55:43 +0000 (23:55 +0300)]
GitInfo: Don't try shelling out if it's disabled
Bug: T198037
Change-Id: I364f9bc0e78439474101f4b2a171805c91f50a72
(cherry picked from commit
d503ac7c9433a36358b1db27c6365167ea869832)
Brad Jorsch [Fri, 4 May 2018 13:35:55 +0000 (09:35 -0400)]
BotPasswords: Indicate when a password needs reset
Certain things, such as changing the account's main login credentials,
causes all bot passwords to be invalidated. This state should be
indicated in Special:BotPasswords, and the API when login fails.
Bug: T193829
Change-Id: Ib12929fed861742c9f2f76702c9ac3254e8a5d97
(cherry picked from commit
ff6b4cb35c1944870fcd3cc525884790c20819b3)
Sam Wilson [Mon, 23 Apr 2018 03:55:24 +0000 (11:55 +0800)]
Add 'logid' parameter to Special:Log
Make it possible to get a URL for a single log entry,
as an alternative to using Special:Redirect/logid/123.
The existing single-log-entry link of Special:Redirect/logid/123
is also simplified to be a redirect to this new parameter.
Bug: T191608
Bug: T187638
Change-Id: I5f2e52531cd2ba617a25570e40aa8c5168e284d9
(cherry picked from commit
8e04e60113272d498070e51ff2b50412ae7a9234)
Brad Jorsch [Wed, 9 May 2018 19:14:38 +0000 (15:14 -0400)]
SECURITY: Special:BotPasswords should reauthenticate
More specifically, it should reauthenticate when creating a bot password
or resetting the password. But we may as well do it for all accesses.
Bug: T194237
Change-Id: I9a38a3109492753fff1f33c0f280e5b0f1fc1a76
Brad Jorsch [Tue, 3 Jul 2018 15:59:18 +0000 (11:59 -0400)]
Fix error in various deprecated selectFields() methods
When aliasing a field to null, it has to be aliased to the string 'NULL'
rather than PHP null.
Bug: T198687
Change-Id: I6096f306b97022da781eaabeb15e502f391673a9
(cherry picked from commit
377ce5a469476a0ec68a6f03e3f5714eb40caeff)
Aaron Schulz [Mon, 25 Jun 2018 20:14:08 +0000 (21:14 +0100)]
Avoid bad method call to patchPatch() in DbTestRecorder
Bug: T193995
Change-Id: Ibc480b04463792b7cd720a6eb080e0960a30e440
(cherry picked from commit
ec3289524e33fd93c9dc51c2a0ddffc24068583a)
Jayprakash12345 [Wed, 20 Jun 2018 16:38:40 +0000 (22:08 +0530)]
Correct $specialPageAliases for sa.wiki
Bug: T102320
Change-Id: I10bf5a0039235a5b149dcea6bd62176d3763acf9
(cherry picked from commit
8d963e6a93bd9bbcb6d817de8b2a06947583e3e8)
Edward Chernenko [Mon, 25 Jun 2018 22:45:13 +0000 (01:45 +0300)]
Fix PHP7 warning "non well formed numeric value encountered"
PHP 7.1 warns when non-numeric string is implicitly cast to integer.
Change-Id: Ia46ea793e9495548c7d421b3372f6deaeda163f5
(cherry picked from commit
0a4a274b6255cc543df459f16902c1619697068f)
Edward Chernenko [Tue, 19 Jun 2018 23:43:01 +0000 (02:43 +0300)]
Update git submodules
* Update skins/MonoBook from branch 'REL1_31'
to
53a78553e4b6cb091df318bf70291330f1425429
- Missing 'class' in "newtalk" notification
MonoBookTemplate incorrectly calls getIfExists() for newtalk/undelete:
attributes of wrapper <div> must be under the 'parameters' key.
Change-Id: I5392477d493174b0b5598927bfbcec2029b0987e
(cherry picked from commit
73ad6a7835b587035e127d32d4667ba16e43ad03)
Paladox [Sat, 16 Jun 2018 21:27:22 +0000 (21:27 +0000)]
Update git submodules
* Update skins/Timeless from branch 'REL1_31'
to
6860d4d96db3bfcc92172f08ddfe4a2344229937
- Fix sidebar closing on iOS
this follows this fix [1]
[1] https://stackoverflow.com/questions/
11397028/document-click-function-for-touch-device
Bug: T161470
Change-Id: I20e6a0e18a239131b94e4ab949b7784f241e4d40
Isarra [Wed, 13 Jun 2018 20:52:32 +0000 (20:52 +0000)]
Update git submodules
* Update skins/Timeless from branch 'REL1_31'
to
2126f76540981047f072d672be5c15475a2556cf
- Remove nonfunctional jquery mobile stuff
Does not appear to work, and is possibly breaking things elsewise as
well. In particular: chrome text selection in general, possibly iphone
support?
May or may not resolve the following; please test (does seem to
effectively resolve T183215, for now, at least, but dunno at all about
the other two.):
Bug: T161470
Bug: T183215
Bug: T188387
Change-Id: I2d4aae98fe47bce5a873bc44b6cea58f111f5086
MarcoAurelio [Thu, 14 Jun 2018 11:00:20 +0000 (13:00 +0200)]
Add Extension:Nuke submodule to REL1_31
Bug: T197229
Change-Id: I6dad2c00c7480894beeaf8979b8d66f4cc32cc89
Chad Horohoe [Wed, 13 Jun 2018 15:33:16 +0000 (11:33 -0400)]
Bump to 1.31.0 for final release
Change-Id: Ie743443584e2c7a3aac2d185de1c3cb2eeca80b6
Kunal Mehta [Tue, 12 Jun 2018 01:11:08 +0000 (18:11 -0700)]
Add release notes for
0eb4eaefd3 and
f7f71359
Change-Id: Ie139db2f178660aa42009661716290158d60c8fc
(cherry picked from commit
1f286e8d4019e7712916060ecb8dd00ff04fdc7b)
jenkins-bot [Tue, 12 Jun 2018 00:54:54 +0000 (00:54 +0000)]
Merge "parser: Validate $length in padleft/padright parser functions" into REL1_31
Kunal Mehta [Sun, 10 Jun 2018 18:09:07 +0000 (11:09 -0700)]
parser: Validate $length in padleft/padright parser functions
$length is user input, so cast it to an int before passing it to min().
If there is nothing to add at that point, return immediately.
In PHP 7.1+ this raised a warning of "A non-numeric value encountered"
because min() will return the junk value, returning a string. Then we
try and subtract an int from it (return value of mb_strlen()),
triggering the warning.
Added a parser test to verify the behavior, and confirmed that it
triggers warnings without the patch.
Bug: T180403
Change-Id: I614750962104f6251a864519035366ac9798fc0f
(cherry picked from commit
dc96f656affd1f8fab0ae72b0d96e77055e5b336)
Brian Wolff [Fri, 26 Aug 2016 01:29:58 +0000 (01:29 +0000)]
Make $wgEmailConfirmToEdit only affect edit actions.
Previously it would affect all actions that use Title::userCan.
This used to be less noticable, but recently was expanded to include
the 'read' action. This only affected the case where both
$wgBlockDisablesLogin and $wgEmailConfirmedToEdit were enabled.
I don't think anyone was relying on the old behaviour as it was
undocumented, and only affected obscure permissions (checked with
Title::userCan and not depending on "edit" rights)
Follow-up
b675be2083
Bug: T143790
Change-Id: I4ad93ed78de4f1ed444f73df6dc26d405a67e553
(cherry picked from commit
d561f646b9b8424bd79cfc14729a622a143d9f12)
Jforrester [Fri, 8 Jun 2018 19:55:45 +0000 (19:55 +0000)]
Follow-up Ieaeb3113a: Add RELEASE-NOTES
Change-Id: I79f1d28b54532a7495fb8e205c9b6636016587d7
(cherry picked from commit
0d37539a7c9191f893dec6e77591ae753e6b461a)
Kunal Mehta [Thu, 7 Jun 2018 19:52:04 +0000 (12:52 -0700)]
Ensure $user is passed by reference in TitleMoveComplete hook on HHVM
Suggested by Anomie in T118683#
3688320.
Bug: T118683
Change-Id: I57e05c5ae42c8b85d0a8f9631a459c5686b27893
(cherry picked from commit
d5e4bf920c7ff48bf4c907bee1ee47fa96907774)
Ed Schouten [Thu, 7 Jun 2018 12:21:53 +0000 (14:21 +0200)]
registration: Allow the mtime of extension.json files to be zero
When creating Docker images of MediaWiki using the Bazel build system, I
noticed that I'm not able to load any extensions. This is due to the
fact that Bazel always generates container layers with mtimes of files
set to 1970-01-01 for determinism/reproducibility.
Relax the check a bit to only fail when the mtime is false, which
happens when filemtime() fails.
Bug: T196672
Change-Id: Ieaeb3113a7d9c44f29cca2d062c5bb11ebeada0d
(cherry picked from commit
d7d5d3c82a84338bd2669284427193ea7a80bdbc)
Kunal Mehta [Thu, 7 Jun 2018 08:01:13 +0000 (01:01 -0700)]
installer: Fix display of UPGRADE by disabling InterwikiLookup
Since
129067c907ea65f62, parsing section titles has looked up interwiki
prefixes with InterwikiLookup. In the web upgrader, this triggers
database access, and since that service is disabled, it throws
exceptions, causing parsing to fail.
Work around that by using a dummy InterwikiLookup service that knows
about no interwiki prefixes. Maybe one could be written to just read
from the stock `interwiki.list`, but that's a project for another time.
Bug: T196607
Change-Id: I13485a9af79297b552a1128240cb8597c2ef83d8
(cherry picked from commit
a498abf272c7aff376c5225a6f593349e3cc3eaa)
Kunal Mehta [Thu, 7 Jun 2018 00:54:07 +0000 (17:54 -0700)]
Fix UploadBase::checkXMLEncodingMissmatch() on PHP 7.1+
file_get_contents() started supporting a negative offset in 7.1+. But
we really just want to start with 0.
Also fix the order of arguments to assertSame() so that the expected
value is first.
Bug: T182366
Change-Id: I84c92652de5b51a43f6e2b58cd235d2889093453
Kunal Mehta [Wed, 6 Jun 2018 22:21:12 +0000 (15:21 -0700)]
Add vendor submodule
People will no longer need to clone it separately, just run
`git submodule update --init`.
If people want to run composer locally and have already checked out the
submodule, a `git submodule deinit vendor` will disable the submodule.
Change-Id: I1fdaf8dc3c2a8e246bb7d2987a42a41272dffc29
Reedy [Wed, 6 Jun 2018 18:31:49 +0000 (18:31 +0000)]
Move RELEASE-NOTES for I4678250331a48db4d50d1fc6c489c991a4dee920
Change-Id: Ic880a54427bf8bd9adf96863da25c485cb3c5662
jenkins-bot [Wed, 6 Jun 2018 18:02:33 +0000 (18:02 +0000)]
Merge "objectcache: update MemcachedPeclBagOStuff for pecl memcached 3.0.0" into REL1_31
Reedy [Tue, 5 Jun 2018 21:40:41 +0000 (21:40 +0000)]
Populate 1.31 rc.0 -> rc.2 release notes
Change-Id: I15fa23e881c0e177d12a6f6374bc08af3b197435
(cherry picked from commit
6e3bb339713db677df2272d7ff6f634dff1f244d)
Aaron Schulz [Thu, 31 May 2018 21:41:02 +0000 (14:41 -0700)]
objectcache: update MemcachedPeclBagOStuff for pecl memcached 3.0.0
The get() $cas_token parameter was changed into $flags, which can act
as a switch to make the return value an associative array of details.
pecl and PHP-based memcached BagOStuff class both pass all tests now.
Bug: T196125
Change-Id: I4678250331a48db4d50d1fc6c489c991a4dee920
Kunal Mehta [Mon, 4 Jun 2018 20:35:06 +0000 (13:35 -0700)]
Deprecate $wgDBmysql5
Bug: T196185
Change-Id: Iea74b5dd1fc49c911dcc0070604f05100e56ce0d
(cherry picked from commit
7271d50bab79231efcedeabf5fbe4db0aa13fa4d)
jenkins-bot [Fri, 1 Jun 2018 21:49:45 +0000 (21:49 +0000)]
Merge "installer: Don't allow setting $wgDBmysql5" into REL1_31
Kunal Mehta [Fri, 1 Jun 2018 18:57:36 +0000 (11:57 -0700)]
installer: Don't allow setting $wgDBmysql5
It was possible to pass --dbmysql5 to the command line installer to
enable this experimental option. This removes that ability, and removes
setting of $wgDBmysql5 in the generated LocalSettings.php, so new
installs will fallback to the default of false.
Bug: T196185
Change-Id: Id5ff69f493d14cf7b16157f729fbe4f4b4e2e8c8
(cherry picked from commit
c9339ba552cb5f87586e7045b46519bd9db04fe0)
Kunal Mehta [Thu, 31 May 2018 18:29:19 +0000 (11:29 -0700)]
installer: Hide binary/utf-8 charset option from users
This is still used internally for the preUpgrade() checks that see if
the user has an existing table using the utf8 charset, but hide it from
users so they don't accidentally pick utf8.
Bug: T196092
Change-Id: Iaace2e5bf9df7563e1d233496366c95b3f1faf16
(cherry picked from commit
d5cde75416893983bfc65d161049798c26e33c54)
Antoine Musso [Wed, 30 May 2018 19:02:46 +0000 (21:02 +0200)]
registration: Initialize PSR-4 namespaces at same stage as normal autoloader
readFromQueue() injects the content of AutoloadClasses to
$wgAutoloadClasses however it missed doing the same for
AutoloadNamespaces.
When using the installer with an extension having AutoloadNamespaces
set, its classes would not be found.
Make ExtensionRegistry append to AutoLoader::$psr4Namespaces, and add
a test to cover the new behavior.
Bug: T195783
Change-Id: Id61155867a4ca7d9bc4a347f8671da74b0fa490b
(cherry picked from commit
224864ebddab2e448f9ae4f247b85c652d9df42e)
Bartosz Dziewoński [Wed, 30 May 2018 22:27:05 +0000 (00:27 +0200)]
Update git submodules
* Update skins/Timeless from branch 'REL1_31'
to
58301ba4468f4667c0c180f67bda238f0fedd58e
- Fix condition for 'emptyPortlet' class
Follow-up to
6b9616d1ca337308d773441dcfb263d9c68fdab6, which
accidentally inverted the logic.
This is a manual cherry-pick of
70b5f24986a5162c06ab343820e54c989753eeb4.
Bug: T196026
Change-Id: I98bc7529a1894b09ec3d80aab244327f526c022c
Chad Horohoe [Wed, 30 May 2018 18:00:05 +0000 (11:00 -0700)]
Bump version from rc.0 to rc.2
Should've been bumped awhile ago to rc.1, meaning the rc.1
tag had the wrong version number. Rather than re-issue the
tag, we'll just move forward and not bother with rc.1
Change-Id: Ie89caf3826c35c3a15fe1390c4caec1f8b7d19cc
Paladox [Tue, 29 May 2018 16:13:19 +0000 (16:13 +0000)]
Update git submodules
* Update skins/Timeless from branch 'REL1_31'
to
97ba1dd2996811899b6b1a96dce3fa20dd613b21
- Fix $count to === against array instead of using count that fails
Bug: T195613
Change-Id: If2b51af8c5335394b8c0266ac2765e1c7ce49618
Bartosz Dziewoński [Wed, 9 May 2018 20:39:20 +0000 (22:39 +0200)]
Release notes for I61749f1d864cf68afe90cd9e15ba2d7a74252501
Change-Id: Idd0a8f5bbc1da161817276cef44ff61a0e72f8b2
Chad Horohoe [Fri, 18 May 2018 01:56:00 +0000 (18:56 -0700)]
Only load PEAR Smtp mailer from vendor/composer, not from `pear` itself
Change-Id: I91c42a3eafd079039ddbc17a11ad3c7b6579e3c1
Kunal Mehta [Thu, 26 Apr 2018 05:24:24 +0000 (22:24 -0700)]
mail: Refactor checks looking for PEAR libraries to be clearer
I don't think this makes any difference towards the linked bug, but
it makes it more obvious that MediaWiki doesn't try to use any PEAR
classes before attempting to require them.
Bug: T186456
Change-Id: I342f41903a15f13e72e76464499351412a9afa34
(cherry picked from commit
5d30435e81427fcce3353d900faaf8d9fa9a8709)
libraryupgrader [Sat, 14 Apr 2018 10:27:27 +0000 (10:27 +0000)]
build: Updating mediawiki/mediawiki-codesniffer to 18.0.0
Change-Id: Id39e8dcf22262d1b3c57628467163a995fe4053b
(cherry picked from commit
5a024697a272981fc491e7502d6d5fddef4d2c22)
Fomafix [Fri, 27 Apr 2018 14:27:39 +0000 (16:27 +0200)]
installer: Do not wrongly hide namespace input field
When the radio button is already on "other" then the input field for
the namespace should not get hidden by JavaScript on load.
Also remove the readonly attribute in HTML because the readonly
attribute can not get removed with disabled JavaScript.
Change-Id: I8cfde90d791765234572caf00b731881ac2eda48
(cherry picked from commit
31a472655b246df3c072d36959afcb7d2897889d)
Edward Chernenko [Sun, 1 Apr 2018 21:39:59 +0000 (00:39 +0300)]
Fix warning "ob_end_flush(): failed to delete and flush buffer" during uploads
Bug: T186565
Change-Id: Ia4b29611ccee4acac11717f5220ff9e0fdbd55a9
(cherry picked from commit
30d72ec3d0914bb905d4114dee9256f02cbdcc7f)
Mark A. Hershberger [Sun, 20 May 2018 14:51:34 +0000 (10:51 -0400)]
Don't require trailing slash in PSR-4 autoloader directory
This avoids the confusing error “Fatal error: Uncaught
InvalidArgumentException” or similar.
Bug: T195211
Change-Id: Ifda59a26f8bd968a2d0acbdb157d81dc0bf6aab4
(cherry picked from commit
3b85e362a4098832a08529adc89571a86bf6e9a2)
Cindy Cicalese [Wed, 16 May 2018 12:43:54 +0000 (12:43 +0000)]
Update git submodules
* Update extensions/ReplaceText from branch 'REL1_31'
to
a027ec972c1d98e92483230e1cbf71cc08a31150
- Fix path to maintenance directory.
Change-Id: Ife7a7076ee87938cadb84aa56982cc667bd90e2f
(cherry picked from commit
f7b59db9b3aba2e5523a11d7922f668ef05806ee)
jenkins-bot [Tue, 15 May 2018 23:54:23 +0000 (23:54 +0000)]
Merge "registration: Improve duplicate config setting exception" into REL1_31
jenkins-bot [Tue, 15 May 2018 23:53:37 +0000 (23:53 +0000)]
Merge "IcuCollation: Use codepoint as tiebreaker when getting first-letters" into REL1_31
Kunal Mehta [Tue, 15 May 2018 17:26:43 +0000 (10:26 -0700)]
registration: Improve duplicate config setting exception
We don't keep track of what set a specific global, so at least mention
the name of the extension that is setting a duplicate for easier
debugging.
Also, fix the case where if the first extension to be loaded was setting
a core setting, it would not throw an exception since config was being
processed before the rest of extension.json. Now we process config after
all core settings, going only before attributes.
Bug: T194319
Change-Id: I4fd96e7d167cf0652ee3e8e66167c86f2b91b992
(cherry picked from commit
5490b1270a0a7447f28d2407736fc3c1deb41d44)
Kunal Mehta [Tue, 15 May 2018 18:23:38 +0000 (11:23 -0700)]
installer: Don't shell out if it's disabled
Bug: T191947
Change-Id: I16a82d271157cd0024aa14d7eaec80b4870947b5
(cherry picked from commit
2e473413a8fd1e205142b5c5980addb34aaf369f)
James D. Forrester [Thu, 3 May 2018 18:59:00 +0000 (11:59 -0700)]
Update git submodules
* Update extensions/MultimediaViewer from branch 'REL1_31'
to
1273d3e0b2189e33fed0567f589a3e7bc4ae6d4e
- tests: Comment out failing tests
Bug: T192932
Change-Id: Iba81676ebb13407679bd99b0e08d29e225a7ebde
(cherry picked from commit
2078fbfb53acd357c96ea187f31a6ba878afc053)
Bartosz Dziewoński [Tue, 8 May 2018 11:43:10 +0000 (13:43 +0200)]
IcuCollation: Use codepoint as tiebreaker when getting first-letters
This prevents unexpected cuneiform digits from acting as headings for
2 and 3 on category pages.
Bug: T187645
Change-Id: I0424a24769899cb23b28704f97e1002fa44999fd
(cherry picked from commit
390ff7fca179e26ac177810145d27d98fe2fff43)
Brian Wolff [Wed, 9 May 2018 20:43:51 +0000 (20:43 +0000)]
Add default edit rate limit of 90 edits/minute for all users
Previously there was no rate limit at all if you were autoconfirmed.
This initial setting is set on the high end of things, we may
adjust later. See also T192668, T194204.
Change-Id: I7cb002900bae2da3f4f4758671186659c1720e1d
(cherry picked from commit
cefdcefdb8f15ffdec8345b93aff2036db92d1f7)
Kunal Mehta [Mon, 7 May 2018 09:07:59 +0000 (02:07 -0700)]
Add ReplaceText submodule
Bug: T191741
Change-Id: Iea4e0e4e04b2ec1b4fc07b11fb0af1ac3ee6347f
Kunal Mehta [Sat, 5 May 2018 03:05:58 +0000 (20:05 -0700)]
Update git submodules
* Update extensions/TitleBlacklist from branch 'REL1_31'
to
1143a1f61e049e4f8e4de317e7299091a2ca0707
- Upgrade phan-taint-check-plugin to 1.2.0
Change-Id: I9c02ca49f9e35873adc2e2462df1020fd30eb934
(cherry picked from commit
616a7afb885bd8707c143bb271831fb31fc8d377)
Kunal Mehta [Sat, 5 May 2018 02:52:32 +0000 (19:52 -0700)]
Update git submodules
* Update extensions/Renameuser from branch 'REL1_31'
to
f8e515711db88fdd2aae02b760d2e11df3d70489
- Upgrade phan-taint-check-plugin to 1.2.0
Change-Id: I3af50c0a15b7ec0ecea087fefc3d026cced99749
(cherry picked from commit
52ac2bdc3221a65a15d383f7fafc56f47e31b08b)
Kunal Mehta [Sat, 5 May 2018 03:01:48 +0000 (20:01 -0700)]
Update git submodules
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_31'
to
a7d04ae33439d1c1b595d68fbad08c43f930fdcf
- Upgrade phan-taint-check-plugin to 1.2.0
Change-Id: I2fa1c622dc495e3f4969d7684934f1839f9caf00
(cherry picked from commit
b185d9892f5c45d02c0bb3c620644c831945d7bb)
Kunal Mehta [Sat, 5 May 2018 02:56:08 +0000 (19:56 -0700)]
Update git submodules
* Update extensions/SpamBlacklist from branch 'REL1_31'
to
f6fa789ad2c07a4fe89e4d1e636aea1126f26afc
- Upgrade phan-taint-check-plugin to 1.2.0
Change-Id: Iaefb223d2217762f6fa91a854d0f963270362c07
(cherry picked from commit
9a87cc3c060eab4d576f3561f0f197f91ac090c2)