= MediaWiki 1.29 =
+== MediaWiki 1.29.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.29 branch.
+
+=== Changes since 1.29.1 ===
+* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
+* (T175439) Unbreak Postgres Updater when setting defaults for a column.
+* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
+* Fixed login button label to accept RawMessage.
+* Fixed case of SpecialRecentChanges class usage.
+* (T174255) Declare uploadCount property in importDump.php.
+* (T163646) Pass a string not an int to mysql_real_escape_string().
+* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
+* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+ sends non-standard url escaping.
+* (T165846) SECURITY: BotPassword login attempts weren't throttled.
+* (T128209) SECURITY: Reflected File Download from api.php.
+* (T134100) SECURITY: Do not reveal if user exists during login failure.
+* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
+* (T125163) SECURITY: Make anchor for headlines escape > and <.
+* (T180237) SECURITY: Protect vendor folder with .htaccess.
+* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
+* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
+* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
+* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
+ branches in the previous security release.
+
+== MediaWiki 1.29.1 ==
+
+This is a maintenance release of the MediaWiki 1.29 branch.
+
+The SpamBlacklist and PdfHandler extensions were missing from the generated
+packages.
+
+=== Changes since 1.29.1 ===
+* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
+* (T172061) Fix fatal when passing a category to refreshLinks.php.
+
== MediaWiki 1.29.0 ==
=== Configuration changes in 1.29 ===
= MediaWiki 1.28 =
+== MediaWiki 1.28.3 ==
+
+This is a security and maintenance release of the MediaWiki 1.28 branch.
+
+=== Changes since 1.28.2 ==
+* (T168856) Allow SVGs created by Dia to be uploaded.
+* (T157545) Add missing doUpdates() call to refreshLinks.php.
+* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
+* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
+* (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
+* (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
+* (T167798) Fix phrase search and highlighting for phrase queries.
+* (T151136) Provide credits information to callbacks in extension registration.
+* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
+* (T168337) Fix ErrorPageError to work from non-UI contexts.
+* (T143788) Backports for PHP 7.0 and 7.1 support.
+* (T175439) Unbreak Postgres Updater when setting defaults for a column.
+* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
+* (T174255) Declare uploadCount property in importDump.php.
+* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+ sends non-standard url escaping.
+* (T165846) SECURITY: BotPassword login attempts weren't throttled.
+* (T128209) SECURITY: Reflected File Download from api.php.
+* (T134100) SECURITY: Do not reveal if user exists during login failure.
+* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
+* (T125163) SECURITY: Make anchor for headlines escape > and <.
+* (T180237) SECURITY: Protect vendor folder with .htaccess.
+* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
+* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
+* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
+
+== MediaWiki 1.28.2 ==
+
+Due to a packaging error, the wrong version of the SyntaxHighlight extension was
+included in the tarball version of MediaWiki 1.28.1. The version included had a
+serious security issue in it (T158689). There was also some minor code fixes in
+MediaWiki itself since 1.28.1, but none of them were security relevant.
+
== MediaWiki 1.28.1 ==
This is a security and maintenance release of the MediaWiki 1.28 branch.
= MediaWiki 1.27 =
+== MediaWiki 1.27.4 ==
+This is a security and maintenance release of the MediaWiki 1.27 branch.
+
+=== Changes since 1.27.3 ===
+* (T100085) Better handling of jobs execution in post-connection shutdown.
+* (T141604) Support conditionally registered namespaces.
+* (T167798) Fix highlighting for phrase queries and phrase search.
+* (T151136) Provide credits information to callbacks.
+* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
+* (T168856) Allow SVGs created by Dia to be uploaded.
+* (T144705) (T148662) Password reset link is no longer shown when no reset options are
+ available.
+* (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
+* (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
+ policies.
+* DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core.
+* (T175439) Unbreak Postgres Updater when setting defaults for a column.
+* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
+* (T142304) Allow putting the app ID in the password for bot passwords.
+* Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+ sends non-standard url escaping.
+* (T165846) SECURITY: BotPassword login attempts weren't throttled.
+* (T128209) SECURITY: Reflected File Download from api.php.
+* (T134100) SECURITY: Do not reveal if user exists during login failure.
+* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
+* (T125163) SECURITY: Make anchor for headlines escape > and <.
+* (T180237) SECURITY: Protect vendor folder with .htaccess.
+* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
+* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
+* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
+
== MediaWiki 1.27.3 ==
Due to a packaging error, the wrong version of the SyntaxHighlight extension was
included in the tarball version of MediaWiki 1.27.2. The version included had a
'MediaWiki\\ShellDisabledError' => __DIR__ . '/includes/exception/ShellDisabledError.php',
'MediaWiki\\Shell\\Command' => __DIR__ . '/includes/shell/Command.php',
'MediaWiki\\Shell\\CommandFactory' => __DIR__ . '/includes/shell/CommandFactory.php',
+ 'MediaWiki\\Shell\\FirejailCommand' => __DIR__ . '/includes/shell/FirejailCommand.php',
'MediaWiki\\Shell\\Result' => __DIR__ . '/includes/shell/Result.php',
'MediaWiki\\Shell\\Shell' => __DIR__ . '/includes/shell/Shell.php',
'MediaWiki\\Site\\MediaWikiPageNameNormalizer' => __DIR__ . '/includes/site/MediaWikiPageNameNormalizer.php',
* It should be appended in the query string of static CSS and JS includes,
* to ensure that client-side caches do not keep obsolete copies of global
* styles.
+ *
+ * @deprecated since 1.31
*/
$wgStyleVersion = '303';
'hidepatrolled' => 0,
'hidecategorization' => 1,
'imagesize' => 2,
- 'math' => 1,
'minordefault' => 0,
'newpageshidepatrolled' => 0,
'nickname' => '',
*/
$wgShellLocale = 'C.UTF-8';
+/**
+ * Method to use to restrict shell commands
+ *
+ * Supported options:
+ * - 'autodetect': Autodetect if any restriction methods are available
+ * - 'firejail': Use firejail <https://firejail.wordpress.com/>
+ * - false: Don't use any restrictions
+ *
+ * @note If using firejail with MediaWiki running in a home directory different
+ * from the webserver user, firejail 0.9.44+ is required.
+ *
+ * @since 1.31
+ * @var string|bool
+ */
+$wgShellRestrictionMethod = false;
+
/** @} */ # End shell }
/************************************************************************//**
];
$result = Shell::command( $cmd )
->environment( [ 'GIT_DIR' => $this->basedir ] )
+ ->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
+ ->whitelistPaths( [ $this->basedir ] )
->execute();
if ( $result->getExitCode() === 0 ) {
'filesize' => $config->get( 'MaxShellFileSize' ),
];
$cgroup = $config->get( 'ShellCgroup' );
+ $restrictionMethod = $config->get( 'ShellRestrictionMethod' );
- $factory = new CommandFactory( $limits, $cgroup );
+ $factory = new CommandFactory( $limits, $cgroup, $restrictionMethod );
$factory->setLogger( LoggerFactory::getInstance( 'exec' ) );
$factory->logStderr();
return null;
}
+ $cache = ObjectCache::getMainWANInstance();
$optionsHash = md5( serialize( $opts->getAllValues() ) ) . $wgRenderHashAppend;
- $timekey = wfMemcKey(
+ $timekey = $cache->makeKey(
$this->type, $this->format, $wgLang->getCode(), $optionsHash, 'timestamp' );
- $key = wfMemcKey( $this->type, $this->format, $wgLang->getCode(), $optionsHash );
+ $key = $cache->makeKey( $this->type, $this->format, $wgLang->getCode(), $optionsHash );
FeedUtils::checkPurge( $timekey, $key );
application/x-tcl [EXECUTABLE]
application/x-perl [EXECUTABLE]
application/x-python [EXECUTABLE]
+application/wasm [EXECUTABLE]
application/pdf application/acrobat [OFFICE]
application/msword [OFFICE]
chemical/x-mdl-rgfile rg
application/x-amf amf
application/sla stl
+application/wasm wasm
const HOLDOFF_NONE = 0;
/** Idiom for set()/getWithSetCallback() for "do not augment the storage medium TTL" */
const STALE_TTL_NONE = 0;
+ /** Idiom for set()/getWithSetCallback() for "no post-expired grace period" */
+ const GRACE_TTL_NONE = 0;
/** Idiom for getWithSetCallback() for "no minimum required as-of timestamp" */
const MIN_TIMESTAMP_NONE = 0.0;
* - checkKeys: List of "check" keys. The key at $key will be seen as invalid when either
* touchCheckKey() or resetCheckKey() is called on any of these keys.
* Default: [].
+ * - graceTTL: Consider reusing expired values instead of refreshing them if they expired
+ * less than this many seconds ago. The odds of a refresh becomes more likely over time,
+ * becoming certain once the grace period is reached. This can reduce traffic spikes
+ * when millions of keys are compared to the same "check" key and touchCheckKey()
+ * or resetCheckKey() is called on that "check" key.
+ * Default: WANObjectCache::GRACE_TTL_NONE.
* - lockTSE: If the key is tombstoned or expired (by checkKeys) less than this many seconds
* ago, then try to have a single thread handle cache regeneration at any given time.
* Other threads will try to use stale values if possible. If, on miss, the time since
* This is useful if the source of a key is suspected of having possibly changed
* recently, and the caller wants any such changes to be reflected.
* Default: WANObjectCache::MIN_TIMESTAMP_NONE.
- * - hotTTR: Expected time-till-refresh (TTR) for keys that average ~1 hit/second (1 Hz).
- * Keys with a hit rate higher than 1Hz will refresh sooner than this TTR and vise versa.
- * Such refreshes won't happen until keys are "ageNew" seconds old. The TTR is useful at
- * reducing the impact of missed cache purges, since the effect of a heavily referenced
- * key being stale is worse than that of a rarely referenced key. Unlike simply lowering
- * $ttl, seldomly used keys are largely unaffected by this option, which makes it possible
- * to have a high hit rate for the "long-tail" of less-used keys.
+ * - hotTTR: Expected time-till-refresh (TTR) in seconds for keys that average ~1 hit per
+ * second (e.g. 1Hz). Keys with a hit rate higher than 1Hz will refresh sooner than this
+ * TTR and vise versa. Such refreshes won't happen until keys are "ageNew" seconds old.
+ * The TTR is useful at reducing the impact of missed cache purges, since the effect of
+ * a heavily referenced key being stale is worse than that of a rarely referenced key.
+ * Unlike simply lowering $ttl, seldomly used keys are largely unaffected by this option,
+ * which makes it possible to have a high hit rate for the "long-tail" of less-used keys.
* Default: WANObjectCache::HOT_TTR.
* - lowTTL: Consider pre-emptive updates when the current TTL (seconds) of the key is less
* than this. It becomes more likely over time, becoming certain once the key is expired.
$lowTTL = isset( $opts['lowTTL'] ) ? $opts['lowTTL'] : min( self::LOW_TTL, $ttl );
$lockTSE = isset( $opts['lockTSE'] ) ? $opts['lockTSE'] : self::TSE_NONE;
$staleTTL = isset( $opts['staleTTL'] ) ? $opts['staleTTL'] : self::STALE_TTL_NONE;
+ $graceTTL = isset( $opts['graceTTL'] ) ? $opts['graceTTL'] : self::GRACE_TTL_NONE;
$checkKeys = isset( $opts['checkKeys'] ) ? $opts['checkKeys'] : [];
$busyValue = isset( $opts['busyValue'] ) ? $opts['busyValue'] : null;
$popWindow = isset( $opts['hotTTR'] ) ? $opts['hotTTR'] : self::HOT_TTR;
$preCallbackTime = $this->getCurrentTime();
// Determine if a cached value regeneration is needed or desired
if ( $value !== false
- && $curTTL > 0
+ && $this->isAliveOrInGracePeriod( $curTTL, $graceTTL )
&& $this->isValid( $value, $versioned, $asOf, $minTime )
&& !$this->worthRefreshExpiring( $curTTL, $lowTTL )
&& !$this->worthRefreshPopular( $asOf, $ageNew, $popWindow, $preCallbackTime )
return $minTTL; // no last-modified time provided
}
- $age = time() - $mtime;
+ $age = $this->getCurrentTime() - $mtime;
return (int)min( $maxTTL, max( $minTTL, $factor * $age ) );
}
return $ok;
}
+ /**
+ * Check if a key is fresh or in the grace window and thus due for randomized reuse
+ *
+ * If $curTTL > 0 (e.g. not expired) this returns true. Otherwise, the chance of returning
+ * true decrease steadily from 100% to 0% as the |$curTTL| moves from 0 to $graceTTL seconds.
+ * This handles widely varying levels of cache access traffic.
+ *
+ * If $curTTL <= -$graceTTL (e.g. already expired), then this returns false.
+ *
+ * @param float $curTTL Approximate TTL left on the key if present
+ * @param int $graceTTL Consider using stale values if $curTTL is greater than this
+ * @return bool
+ */
+ protected function isAliveOrInGracePeriod( $curTTL, $graceTTL ) {
+ if ( $curTTL > 0 ) {
+ return true;
+ } elseif ( $graceTTL <= 0 ) {
+ return false;
+ }
+
+ $ageStale = abs( $curTTL ); // seconds of staleness
+ $curGTTL = ( $graceTTL - $ageStale ); // current grace-time-to-live
+
+ // Chance of using a stale value is the complement of the chance of refreshing it
+ return !$this->worthRefreshExpiring( $curGTTL, $graceTTL );
+ }
+
/**
* Check if a key is nearing expiration and thus due for randomized regeneration
*
- * This returns false if $curTTL >= $lowTTL. Otherwise, the chance
- * of returning true increases steadily from 0% to 100% as the $curTTL
- * moves from $lowTTL to 0 seconds. This handles widely varying
- * levels of cache access traffic.
+ * This returns false if $curTTL >= $lowTTL. Otherwise, the chance of returning true
+ * increases steadily from 0% to 100% as the $curTTL moves from $lowTTL to 0 seconds.
+ * This handles widely varying levels of cache access traffic.
+ *
+ * If $curTTL <= 0 (e.g. already expired), then this returns false.
*
* @param float $curTTL Approximate TTL left on the key if present
* @param float $lowTTL Consider a refresh when $curTTL is less than this
} elseif ( $curTTL >= $lowTTL ) {
return false;
} elseif ( $curTTL <= 0 ) {
- return true;
+ return false;
}
$chance = ( 1 - $curTTL / $lowTTL );
/** @var string */
private $action = '';
+ /** @var bool */
+ private $performerRestrictionsEnforced = false;
+
+ /** @var bool */
+ private $actionRestrictionsEnforced = false;
+
/** @var LogEventsList */
public $mLogEventsList;
} else {
$this->mConds['log_user'] = $userid;
}
- // Paranoia: avoid brute force searches (T19342)
- $user = $this->getUser();
- if ( !$user->isAllowed( 'deletedhistory' ) ) {
- $this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_USER ) . ' = 0';
- } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
- $this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_USER ) .
- ' != ' . LogPage::SUPPRESSED_USER;
- }
+ $this->enforcePerformerRestrictions();
$this->performer = $name;
}
} else {
$this->mConds['log_title'] = $title->getDBkey();
}
- // Paranoia: avoid brute force searches (T19342)
- $user = $this->getUser();
- if ( !$user->isAllowed( 'deletedhistory' ) ) {
- $this->mConds[] = $db->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0';
- } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
- $this->mConds[] = $db->bitAnd( 'log_deleted', LogPage::SUPPRESSED_ACTION ) .
- ' != ' . LogPage::SUPPRESSED_ACTION;
- }
+ $this->enforceActionRestrictions();
}
/**
parent::doQuery();
$this->mDb->setBigSelects( 'default' );
}
+
+ /**
+ * Paranoia: avoid brute force searches (T19342)
+ */
+ private function enforceActionRestrictions() {
+ if ( $this->actionRestrictionsEnforced ) {
+ return;
+ }
+ $this->actionRestrictionsEnforced = true;
+ $user = $this->getUser();
+ if ( !$user->isAllowed( 'deletedhistory' ) ) {
+ $this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_USER ) . ' = 0';
+ } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
+ $this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_USER ) .
+ ' != ' . LogPage::SUPPRESSED_USER;
+ }
+ }
+
+ /**
+ * Paranoia: avoid brute force searches (T19342)
+ */
+ private function enforcePerformerRestrictions() {
+ // Same as enforceActionRestrictions(), except for _USER instead of _ACTION bits.
+ if ( $this->performerRestrictionsEnforced ) {
+ return;
+ }
+ $this->performerRestrictionsEnforced = true;
+ $user = $this->getUser();
+ if ( !$user->isAllowed( 'deletedhistory' ) ) {
+ $this->mConds[] = $db->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0';
+ } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
+ $this->mConds[] = $db->bitAnd( 'log_deleted', LogPage::SUPPRESSED_ACTION ) .
+ ' != ' . LogPage::SUPPRESSED_ACTION;
+ }
+ }
}
/** @var string|false */
private $cgroup = false;
+ /**
+ * bitfield with restrictions
+ *
+ * @var int
+ */
+ protected $restrictions = 0;
+
/**
* Constructor. Don't call directly, instead use Shell::command()
*
return $this;
}
+ /**
+ * Set additional restrictions for this request
+ *
+ * @since 1.31
+ * @param int $restrictions
+ * @return $this
+ */
+ public function restrict( $restrictions ) {
+ $this->restrictions |= $restrictions;
+
+ return $this;
+ }
+
+ /**
+ * Bitfield helper on whether a specific restriction is enabled
+ *
+ * @param int $restriction
+ *
+ * @return bool
+ */
+ protected function hasRestriction( $restriction ) {
+ return ( $this->restrictions & $restriction ) === $restriction;
+ }
+
+ /**
+ * If called, only the files/directories that are
+ * whitelisted will be available to the shell command.
+ *
+ * limit.sh will always be whitelisted
+ *
+ * @param string[] $paths
+ *
+ * @return $this
+ */
+ public function whitelistPaths( array $paths ) {
+ // Default implementation is a no-op
+ return $this;
+ }
+
/**
* String together all the options and build the final command
* to execute
namespace MediaWiki\Shell;
+use ExecutableFinder;
use Psr\Log\LoggerAwareTrait;
use Psr\Log\NullLogger;
/** @var bool */
private $doLogStderr = false;
+ /**
+ * @var string|bool
+ */
+ private $restrictionMethod;
+
+ /**
+ * @var string|bool
+ */
+ private $firejail;
+
/**
* Constructor
*
* @param array $limits See {@see Command::limits()}
* @param string|bool $cgroup See {@see Command::cgroup()}
+ * @param string|bool $restrictionMethod
*/
- public function __construct( array $limits, $cgroup ) {
+ public function __construct( array $limits, $cgroup, $restrictionMethod ) {
$this->limits = $limits;
$this->cgroup = $cgroup;
+ if ( $restrictionMethod === 'autodetect' ) {
+ // On Linux systems check for firejail
+ if ( PHP_OS === 'Linux' && $this->findFirejail() !== false ) {
+ $this->restrictionMethod = 'firejail';
+ } else {
+ $this->restrictionMethod = false;
+ }
+ } else {
+ $this->restrictionMethod = $restrictionMethod;
+ }
$this->setLogger( new NullLogger() );
}
+ private function findFirejail() {
+ if ( $this->firejail === null ) {
+ $this->firejail = ExecutableFinder::findInDefaultPaths( 'firejail' );
+ }
+
+ return $this->firejail;
+ }
+
/**
* When enabled, text sent to stderr will be logged with a level of 'error'.
*
* @return Command
*/
public function create() {
- $command = new Command();
+ if ( $this->restrictionMethod === 'firejail' ) {
+ $command = new FirejailCommand( $this->findFirejail() );
+ } else {
+ $command = new Command();
+ }
$command->setLogger( $this->logger );
return $command
--- /dev/null
+<?php
+/**
+ * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+namespace MediaWiki\Shell;
+
+use RuntimeException;
+
+/**
+ * Restricts execution of shell commands using firejail
+ *
+ * @see https://firejail.wordpress.com/
+ * @since 1.31
+ */
+class FirejailCommand extends Command {
+
+ /**
+ * @var string Path to firejail
+ */
+ private $firejail;
+
+ /**
+ * @var string[]
+ */
+ private $whitelistedPaths = [];
+
+ /**
+ * @param string $firejail Path to firejail
+ */
+ public function __construct( $firejail ) {
+ parent::__construct();
+ $this->firejail = $firejail;
+ }
+
+ /**
+ * @inheritDoc
+ */
+ public function whitelistPaths( array $paths ) {
+ $this->whitelistedPaths = array_merge( $this->whitelistedPaths, $paths );
+ return $this;
+ }
+
+ /**
+ * @inheritDoc
+ */
+ protected function buildFinalCommand() {
+ // If there are no restrictions, don't use firejail
+ if ( $this->restrictions === 0 ) {
+ return parent::buildFinalCommand();
+ }
+
+ if ( $this->firejail === false ) {
+ throw new RuntimeException( 'firejail is enabled, but cannot be found' );
+ }
+ // quiet has to come first to prevent firejail from adding
+ // any output.
+ $cmd = [ $this->firejail, '--quiet' ];
+ // Use a profile that allows people to add local overrides
+ // if their system is setup in an incompatible manner. Also it
+ // prevents any default profiles from running.
+ // FIXME: Doesn't actually override command-line switches?
+ $cmd[] = '--profile=' . __DIR__ . '/firejail.profile';
+
+ // By default firejail hides all other user directories, so if
+ // MediaWiki is inside a home directory (/home) but not the
+ // current user's home directory, pass --allusers to whitelist
+ // the home directories again.
+ static $useAllUsers = null;
+ if ( $useAllUsers === null ) {
+ global $IP;
+ // In case people are doing funny things with symlinks
+ // or relative paths, resolve them all.
+ $realIP = realpath( $IP );
+ $currentUser = posix_getpwuid( posix_geteuid() );
+ $useAllUsers = ( strpos( $realIP, '/home/' ) === 0 )
+ && ( strpos( $realIP, $currentUser['dir'] ) !== 0 );
+ if ( $useAllUsers ) {
+ $this->logger->warning( 'firejail: MediaWiki is located ' .
+ 'in a home directory that does not belong to the ' .
+ 'current user, so allowing access to all home ' .
+ 'directories (--allusers)' );
+ }
+ }
+
+ if ( $useAllUsers ) {
+ $cmd[] = '--allusers';
+ }
+
+ if ( $this->whitelistedPaths ) {
+ // Always whitelist limit.sh
+ $cmd[] = '--whitelist=' . __DIR__ . '/limit.sh';
+ foreach ( $this->whitelistedPaths as $whitelistedPath ) {
+ $cmd[] = "--whitelist={$whitelistedPath}";
+ }
+ }
+
+ if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
+ $cmd[] = '--noroot';
+ }
+
+ $seccomp = [];
+
+ if ( $this->hasRestriction( Shell::SECCOMP ) ) {
+ $seccomp[] = '@default';
+ }
+
+ if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
+ $seccomp[] = 'execve';
+ }
+
+ if ( $seccomp ) {
+ $cmd[] = '--seccomp=' . implode( ',', $seccomp );
+ }
+
+ if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
+ $cmd[] = '--private-dev';
+ }
+
+ if ( $this->hasRestriction( Shell::NO_NETWORK ) ) {
+ $cmd[] = '--net=none';
+ }
+
+ list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
+
+ $builtCmd = implode( ' ', $cmd );
+
+ return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+ }
+
+}
*/
class Shell {
+ /**
+ * Apply a default set of restrictions for improved
+ * security out of the box.
+ *
+ * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+ *
+ * @note This value will change over time to provide increased security
+ * by default, and is not guaranteed to be backwards-compatible.
+ * @since 1.31
+ */
+ const RESTRICT_DEFAULT = 7;
+
+ /**
+ * Disallow any root access. Any setuid binaries
+ * will be run without elevated access.
+ *
+ * @since 1.31
+ */
+ const NO_ROOT = 1;
+
+ /**
+ * Use seccomp to block dangerous syscalls
+ * @see <https://en.wikipedia.org/wiki/seccomp>
+ *
+ * @since 1.31
+ */
+ const SECCOMP = 2;
+
+ /**
+ * Create a private /dev
+ *
+ * @since 1.31
+ */
+ const PRIVATE_DEV = 4;
+
+ /**
+ * Restrict the request to have no
+ * network access
+ *
+ * @since 1.31
+ */
+ const NO_NETWORK = 8;
+
+ /**
+ * Deny execve syscall with seccomp
+ * @see <https://en.wikipedia.org/wiki/exec_(system_call)>
+ *
+ * @since 1.31
+ */
+ const NO_EXECVE = 16;
+
/**
* Returns a new instance of Command class
*
--- /dev/null
+# Firejail profile used by MediaWiki when shelling out
+# See <https://firejail.wordpress.com/features-3/man-firejail-profile/> for
+# syntax documentation
+# Persistent local customizations
+include /etc/firejail/mediawiki.local
+# Persistent global definitions
+include /etc/firejail/globals.local
* @author Petr Kadlec <mormegil@centrum.cz>
*/
class SpecialListGroupRights extends SpecialPage {
- function __construct() {
+ public function __construct() {
parent::__construct( 'Listgrouprights' );
}
? 'all'
: $group;
- $msg = $this->msg( 'group-' . $groupname );
- $groupnameLocalized = !$msg->isBlank() ? $msg->text() : $groupname;
+ $groupnameLocalized = UserGroupMembership::getGroupName( $groupname );
- $msg = $this->msg( 'grouppage-' . $groupname )->inContentLanguage();
- $grouppageLocalized = !$msg->isBlank() ?
- $msg->text() :
- MWNamespace::getCanonicalName( NS_PROJECT ) . ':' . $groupname;
- $grouppageLocalizedTitle = Title::newFromText( $grouppageLocalized );
+ $grouppageLocalizedTitle = UserGroupMembership::getGroupPage( $groupname )
+ ?: Title::newFromText( MWNamespace::getCanonicalName( NS_PROJECT ) . ':' . $groupname );
if ( $group == '*' || !$grouppageLocalizedTitle ) {
// Do not make a link for the generic * group or group with invalid group page
* @param array $remove Array of groups this group is allowed to remove or true
* @param array $addSelf Array of groups this group is allowed to add to self or true
* @param array $removeSelf Array of group this group is allowed to remove from self or true
- * @return string List of all granted permissions, separated by comma separator
+ * @return string HTML list of all granted permissions
*/
private function formatPermissions( $permissions, $revoke, $add, $remove, $addSelf, $removeSelf ) {
$r = [];
"uploadstash-file-not-found-no-remote-thumb": "Памылка атрыманьня мініятуры: $1\nURL = $2",
"uploadstash-file-not-found-missing-content-type": "Адсутнічае загаловак тыпу зьместу.",
"uploadstash-file-not-found-not-exists": "Не атрымалася знайсьці шлях, ці не зьяўляецца простым файлам.",
+ "uploadstash-file-too-large": "Немагчыма апрацаваць файл памерам большым за $1 байтаў.",
"invalid-chunk-offset": "Няслушнае зрушэньне фрагмэнту",
"img-auth-accessdenied": "Доступ забаронены",
"img-auth-nopathinfo": "Адсутнічае PATH_INFO.\nВаш сэрвэр не ўстаноўлены на пропуск гэтай інфармацыі.\nМагчма, ён працуе праз CGI і не падтрымлівае img_auth.\nГлядзіце https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Image_Authorization.",
"recentchangesdays-max": "(maximum $1 jour{{PLURAL:$1||s}})",
"recentchangescount": "Nombre de modifications à afficher par défaut :",
"prefs-help-recentchangescount": "Ceci inclut les modifications récentes, les pages d'historiques et les journaux.",
+ "prefs-help-tokenmanagement": "Vous pouvez voir et réinitialiser la clé secrète de votre compte qui peut accéder au flux Web de votre liste de suivi. Toute personne connaissant la clé pourra lire votre liste de suivi, alors ne la partagez pas.",
"savedprefs": "Les préférences ont été sauvegardées.",
"savedrights": "Les droits utilisateur de {{GENDER:$1|$1}} ont été enregistrés.",
"timezonelegend": "Fuseau horaire :",
"nosuchusershort": "Non existe ningún usuario chamado \"$1\".\nVerifique o nome que inseriu.",
"nouserspecified": "Cómpre especificar un nome de usuario.",
"login-userblocked": "Este usuario está bloqueado. Acceso non autorizado.",
- "wrongpassword": "O contrasinal escrito é incorrecto.\nPor favor, insira outro.",
+ "wrongpassword": "O nome de usuario ou o contrasinal escrito son incorrectos.\nPor favor, probe de novo.",
"wrongpasswordempty": "O campo do contrasinal estaba en branco.\nPor favor, inténteo de novo.",
"passwordtooshort": "Os contrasinais deben conter, como mínimo, {{PLURAL:$1|1 carácter|$1 caracteres}}.",
"passwordtoolong": "Os contrasinais non poden ser máis longo de {{PLURAL:$1|1 carácter|$1 caracteres}}.",
"diff-multi-sameuser": "(Non se {{PLURAL:$1|mostra unha revisión|mostran $1 revisións}} do historial {{PLURAL:$1|feita|feitas}} polo mesmo usuario.)",
"diff-multi-otherusers": "(Non se {{PLURAL:$1|mostra unha revisión|mostran $1 revisións}} do historial {{PLURAL:$1|feita|feitas}} por {{PLURAL:$2|outro usuario|$2 usuarios}}.)",
"diff-multi-manyusers": "(Non se {{PLURAL:$1|mostra unha revisión|mostran $1 revisións}} do historial {{PLURAL:$1|feita|feitas}} por máis {{PLURAL:$2|dun usuario|de $2 usuarios}}.)",
+ "diff-paragraph-moved-tonew": "Moveuse o parágrafo. Prema para saltar para á nova localización.",
+ "diff-paragraph-moved-toold": "Moveuse o parágrafo. Prema para saltar para á localización anterior.",
"difference-missing-revision": "Non se {{PLURAL:$2|atopou revisión ningunha|atoparon $2 revisións}} desta diferenza ($1).\n\nA miúdo, isto está provocado por seguir unha ligazón de diferenzas obsoleta cara a unha páxina que foi borrada.\nO [{{fullurl:{{#Special:Log}}/delete|page={{FULLPAGENAMEE}}}} rexistro de borrados] contén máis detalles.",
"searchresults": "Resultados da procura",
"searchresults-title": "Resultados da procura de \"$1\"",
"prefs-watchlist-edits": "Número máximo de edicións que mostrar na lista de vixilancia:",
"prefs-watchlist-edits-max": "Número máximo: 1000",
"prefs-watchlist-token": "Pase para a lista de vixilancia:",
+ "prefs-watchlist-managetokens": "Xestionar identificadores",
"prefs-misc": "Preferencias varias",
"prefs-resetpass": "Cambiar o contrasinal",
"prefs-changeemail": "Cambiar ou eliminar o enderezo de correo electrónico",
"recentchangesdays-max": "Máximo: $1 {{PLURAL:$1|día|días}}",
"recentchangescount": "Número de edicións a mostrar por defecto:",
"prefs-help-recentchangescount": "Isto inclúe os cambios recentes, os historiais e mais os rexistros.",
- "prefs-help-watchlist-token2": "Esta é a clave secreta da fonte de novas web para a súa lista de vixilancia.\nCalquera persoa que a saiba poderá ler a súa lista de vixilancia; non comparta esta clave.\n[[Special:ResetTokens|Prema aquí se necesita restablecela]].",
"savedprefs": "Gardáronse as súas preferencias.",
"savedrights": "Gardáronse os grupos de {{GENDER:$1|usuario|usuaria}} de $1.",
"timezonelegend": "Fuso horario:",
"rcfilters-savedqueries-apply-and-setdefault-label": "Crear filtro por defecto",
"rcfilters-savedqueries-cancel-label": "Cancelar",
"rcfilters-savedqueries-add-new-title": "Gardar a configuración do filtro actual",
- "rcfilters-savedqueries-already-saved": "Estes filtro xa están gardados",
+ "rcfilters-savedqueries-already-saved": "Estes filtros xa están gardados. Cambie a súa configuración para crear un filtro gardado novo.",
"rcfilters-restore-default-filters": "Restaurar os filtros por defecto",
"rcfilters-clear-all-filters": "Borrar todos os filtros",
"rcfilters-show-new-changes": "Mostrar os cambios máis recentes",
"rcfilters-show-new-changes": "Vidi najnovije izmjene",
"rcfilters-search-placeholder": "Filtriraj nedavne promjene (pretražite ili počnite unositi)",
"rcfilters-invalid-filter": "Filter nije valjan",
- "rcfilters-empty-filter": "Nema aktivnih filtra. Prikazani su svi doprinosi.",
+ "rcfilters-empty-filter": "Nema aktivnih filtara. Prikazani su svi doprinosi.",
"rcfilters-filterlist-title": "Filtri",
"rcfilters-filterlist-whatsthis": "Kako ovo radi?",
"rcfilters-filterlist-feedbacklink": "Recite nam Vaše mišljenje o ovim (novim) oruđima za filtriranje",
"recentchangesdays-max": "Mássimo: $1 {{PLURAL:$1|die|dies}}",
"recentchangescount": "Númaro d'eidiçones a apersentar por omisson:",
"prefs-help-recentchangescount": "Anclui mudanças recentes, stórico de páiginas i registros.",
- "prefs-help-watchlist-token2": "Esta ye la chabe secreta pa l ''feed'' RSS de la sue lhista de páiginas begiadas.\nQualquiera pessona que coinça la chabe será capaç de lher la sue lhista de páiginas begiadas, por esso nun la dibulgue.\n[[Special:ResetTokens|Clique eiqui pa redefenir eilha]].",
"timezonelegend": "Fuso hourário:",
"localtime": "Hora lhocal:",
"timezoneuseoffset": "Outro (specificar defréncia)",
"youhavenewmessagesfromusers": "{{PLURAL:$4|Você tem}} $1 de {{PLURAL:$3|outro usuário|$3 usuários}} ($2).",
"youhavenewmessagesmanyusers": "Você tem $1 de muitos usuários ($2).",
"newmessageslinkplural": "{{PLURAL:$1|uma mensagem nova|999=mensagens novas}}",
- "newmessagesdifflinkplural": "último {{PLURAL:$1|mudança|999=mudanças}}",
+ "newmessagesdifflinkplural": "{{PLURAL:$1|última mudança|999=últimas mudanças}}",
"youhavenewmessagesmulti": "Você tem novas mensagens em $1",
"editsection": "editar",
"editold": "editar",
"november-date": "ᱱᱚᱵᱷᱮᱢᱵᱚᱨ $1",
"december-date": "ᱰᱤᱥᱮᱢᱵᱚᱨ $1",
"pagecategories": "{{PLURAL:$1|Bivag|Bivagko}}",
- "category_header": "Sakam korenaḱ rokom sokom \"$1\"",
+ "category_header": "ᱛᱷᱚᱠ ᱨᱮᱱ ᱥᱟᱦᱴᱟᱞᱩ \"$1\"",
"subcategories": "Huḍiń rokom sokomko",
"category-media-header": "\"$1\" babot reaḱ rokom sokomte emen meḍiya rẽtko",
"category-empty": "\"Noa rokom sokom sakamre do nit jahan sakam se miḍiya rẽt do bạnuḱa.\"",
"createaccount": "Ṭhai benaome",
"userlogin-resetpassword-link": "Amaḱ uku nambarem hiṛiń akada?",
"userlogin-helplink2": "Bolon khạtir go̠ṛo̠",
+ "createacct-emailrequired": "ᱤᱢᱮᱞ ᱵᱩᱴᱟᱹ",
"createacct-emailoptional": "Email ṭhikana (iccha lekate)",
"createacct-email-ph": "Amaḱ e-mail ṭhikana emme",
+ "createacct-another-email-ph": "ᱤᱢᱮᱞ ᱵᱩᱴᱟᱹ ᱟᱫᱮᱨᱢᱮ",
"createaccountmail": "E-mail hotete",
"createacct-submit": "Amaḱ account tearme",
+ "createacct-another-submit": "ᱠᱷᱟᱛᱟ ᱛᱮᱭᱟᱨᱢᱮ",
+ "createacct-continue-submit": "ᱠᱷᱟᱛᱟ ᱛᱮᱭᱟᱨ ᱛᱚᱝᱜᱮᱢᱮ",
+ "createacct-another-continue-submit": "ᱠᱷᱟᱛᱟ ᱛᱮᱭᱟᱨ ᱛᱚᱝᱜᱮᱢᱮ",
"createacct-benefit-heading": "{{SITENAME}} am lekan hoṛ hotete tear akan.",
"createacct-benefit-body1": "{{PLURAL:$1|joṛao|joṛaoko}}",
"createacct-benefit-body2": "{{PLURAL:$1|ᱥᱟᱦᱴᱟ|ᱥᱟᱦᱴᱟᱠᱳ}}",
"badretype": "Am do okaṭaḱ oku nambarkom em keda ona do baṅ milạolena.",
"userexists": "Laṛcaṛicaḱ ńutum em hoyena ona do beohar hoyakana.\nDayakatet́ eṭagaḱ ńutum bachaome.",
"loginerror": "Bhitri bolok do vulgea",
+ "createacct-error": "ᱠᱷᱟᱛᱟ ᱛᱮᱭᱟᱨ ᱦᱩᱲᱟᱹᱜ",
"createaccounterror": "Ekaunṭ do baṅ tear lena: $1",
"nocookiesnew": "Beoharićaḱ ekaunṭ tear hoe akana, menkhan am do nit hạbićte ekaunṭre bam boloakana. {{SITENAME}} re kuki beohar kate beoharićaḱ ekaunṭre boloa.\nAmaḱ sendrare kukiko bondo hoeakana. Dayakate kukiko kạmi hoe ocoemẽ ar amaḱ nãwã beohar ńutum ar uku nambar beohar hotete noa ekaunṭre boloḱmẽ.",
"nocookieslogin": "{{SITENAME}} re kuki hotete beoharićaḱ bhitri boloḱ do hoyoḱa. Amaḱ sendrare kuki bondo menaḱa. Kuki cạlu kate arhõ kurumuṭuimẽ.",
"retypenew": "Doṛhate oku namber olme",
"resetpass_submit": "Oku namber joṛao ar bhitri bolok",
"changepassword-success": "Amaḱ oku namber do napayte bodolena!\nNitoḱ do am bhitritem boloḱkana...",
+ "botpasswords-createnew": "ᱱᱟᱶᱟ ᱵᱚᱴ ᱫᱟᱱᱟᱝ ᱥᱟᱵᱟᱫᱽ ᱛᱮᱭᱟᱨᱢᱮ",
+ "botpasswords-label-appid": "ᱵᱚᱴ ᱧᱩᱛᱩᱢ:",
"botpasswords-label-create": "ᱛᱮᱭᱟᱨ",
+ "botpasswords-label-update": "ᱟᱹᱨᱩ ᱯᱷᱮᱨᱟᱣ",
"botpasswords-label-delete": "ᱜᱮᱫ ᱜᱤᱰᱤ",
"resetpass_forbidden": "Oku namber do baṅ bodoloklena",
"resetpass-no-info": "Noa sakam sojhete laṛcaṛ lạgit́te am do bhitri boloḱ hoyoḱtama.",
"searchresults-title": "\"$1\" ᱨᱮᱱᱟᱜ ᱥᱮᱸᱫᱽᱨᱟ ᱯᱷᱚᱞ",
"prevn": "Laha reaḱ {{PLURAL:$1|$1}}",
"nextn": "Táyom teaḱ {{PLURAL:$1|$1}}",
+ "prev-page": "ᱯᱟᱪᱮ ᱥᱟᱦᱴᱟ",
+ "next-page": "ᱫᱟᱨᱟᱭ ᱥᱟᱦᱴᱟ",
"prevn-title": "Laha renaḱ sakam $1 {{PLURAL:$1|result|results}}",
"nextn-title": "Tayom $1 {{PLURAL:$1|result|results}}",
"shown-title": "ᱥᱟᱦᱴᱟ $1 {{PLURAL:$1|ᱚᱨᱡᱚ|ᱚᱨᱡᱚᱠᱳ}} ᱩᱰᱩᱜᱽᱢᱮ",
"search-interwiki-caption": "Hopon porjekṭko",
"search-interwiki-default": "$1 folko:",
"search-interwiki-more": "(Arhõ)",
+ "search-interwiki-more-results": "ᱵᱟᱹᱲᱛᱤ ᱚᱨᱡᱚᱠᱚ",
+ "search-relatedarticle": "ᱥᱟᱹᱜᱟᱹᱭᱟᱱ",
"searchrelated": "songenko",
"searchall": "Sanamaḱ",
"search-showingresults": "{{PLURAL:$4|ᱚᱨᱡᱚ <strong>$1</strong> ᱨᱮᱱᱟᱜ <strong>$3</strong>|ᱚᱨᱡᱚᱠᱚ <strong>$1 - $2</strong> ᱨᱮᱱᱟᱜ <strong>$3</strong>}}",
"search-nonefound": "Kupuli leka roṛruạṛ bạnuḱa",
+ "powersearch-ns": "ᱨᱟᱠᱷᱟ ᱧᱩᱛᱩᱢ ᱨᱮ ᱥᱮᱸᱫᱽᱨᱟ",
"powersearch-togglelabel": "Sendra",
"powersearch-toggleall": "Sanamaḱ",
"powersearch-togglenone": "Okaṭaḱ hõ baṅ",
"preferences": "Pạsindko",
"mypreferences": "Pạsindko",
+ "prefs-edits": "ᱥᱟᱯᱲᱟᱣᱟᱜ ᱮᱞ:",
"prefs-skin": "Harta",
"skin-preview": "Ńel, Unuduḱ",
"datedefault": "Pạsind banuḱa",
"username": "Beoharićaḱ ńutum:",
"yourrealname": "Sạri ńutum",
"yourlanguage": "ᱯᱟᱹᱨᱥᱤ:",
+ "yournick": "ᱱᱟᱶᱟ ᱥᱩᱦᱤ:",
"gender-male": "Baba hoṛ",
"gender-female": "Gogo hoṛ, Kuṛi, Kuṛi gidrạ",
"email": "E-mail",
"prefs-help-email": "E-mail ṭhikana do bạṛtitege, menkhan uku namber nãwãte benao jạruṛa, am do amaḱ uku nomborem hiṛiń keda.",
"prefs-help-email-others": "Am são e-mail hotete jogajog dohoy lạgitte mitṭen joṛao se amaḱ katha roṛaḱ sakam bachao jońme.\nAmaḱ e-mail ṭhikạna do bań cabaḱa tinre onko do ko beohara",
+ "prefs-signature": "ᱥᱩᱦᱤ",
+ "prefs-editor": "ᱥᱟᱯᱲᱮᱛ",
+ "prefs-preview": "ᱧᱮᱞ ᱵᱤᱰᱟᱹᱣ",
"userrights": "Beoharićaḱ laṛcaṛ ektiạrko",
"userrights-lookup-user": "Beoharkoaḱ gãotako laṛcaṛ",
"userrights-user-editname": "Beoharićaḱ ńutum emmẽ",
"editusergroup": "Beoharićaḱ gãotako toṅgeymẽ",
"userrights-editusergroup": "Beoharićaḱ gãotako toṅgeymẽ",
"saveusergroups": "Beoharićaḱ gãotako rukhiyaymẽ",
+ "userrights-reason": "ᱚᱡᱮ:",
"group-bot": "ᱵᱚᱴᱠᱚ",
"group-sysop": "ᱟᱰᱢᱤᱱᱤᱥᱴᱨᱮᱴᱚᱨ",
"grouppage-bot": "{{ns:project}}:ᱵᱚᱴᱠᱚ",
"tooltip-n-help": "ᱥᱮᱸᱫᱽᱨᱟ ᱧᱟᱢ ᱨᱮᱭᱟᱜ ᱡᱟᱜᱟ",
"tooltip-t-whatlinkshere": "ᱥᱟᱱᱟᱢ ᱩᱤᱠᱤ ᱥᱟᱦᱴᱟ ᱨᱮᱱᱟᱜ ᱛᱟᱹᱞᱠᱟᱹ ᱟᱨ ᱡᱚᱱᱚᱲ ᱫᱚ ᱱᱚᱸᱰᱮ",
"tooltip-t-recentchangeslinked": "ᱱᱚᱭᱟ ᱥᱟᱦᱴᱟ ᱨᱮ ᱨᱚᱠᱟ ᱵᱚᱫᱚᱞ ᱟᱠᱟᱱ ᱥᱟᱦᱴᱟ ᱨᱮᱱᱟᱜ ᱡᱚᱱᱚᱲ",
- "tooltip-feed-atom": "Noa sakam lạgit́ atom phiḍ",
+ "tooltip-feed-atom": "ᱱᱚᱣᱟ ᱥᱟᱦᱴᱟ ᱞᱟᱹᱜᱤᱛ Atom feed",
"tooltip-t-contributions": "ᱮᱱᱮᱢ ᱨᱮᱱᱟᱜ ᱛᱟᱹᱞᱠᱟᱹ {{GENDER:$1|ᱱᱩᱭ ᱵᱮᱵᱷᱟᱨᱤᱭᱟᱹ}}",
"tooltip-t-emailuser": "ᱢᱤᱫ ᱤᱢᱮᱞ ᱠᱩᱞᱟᱭᱢᱮ {{GENDER:$1|ᱱᱩᱭ ᱵᱮᱵᱷᱟᱨᱤᱭᱟᱹ}}",
"tooltip-t-upload": "ᱨᱮᱫ ᱠᱚ ᱞᱟᱫᱮᱢᱮ",
"tooltip-ca-nstab-mediawiki": "ᱥᱤᱥᱴᱚᱢ ᱢᱮᱥᱮᱡᱽ ᱧᱮᱞ",
"tooltip-ca-nstab-template": "Forom uduḱme",
"tooltip-ca-nstab-help": "ᱜᱚᱸᱲᱚ ᱥᱟᱦᱴᱟ ᱧᱮᱞᱢᱮ",
- "tooltip-ca-nstab-category": "Rokom sokom sakamko udukme",
+ "tooltip-ca-nstab-category": "ᱛᱷᱚᱠ ᱥᱟᱦᱴᱟ ᱧᱮᱞᱢᱮ",
"tooltip-minoredit": "Noa do huḍiń joṛao lekate lekhay me",
"tooltip-save": "Bodolaḱko rukhiyayme",
"tooltip-preview": "Amaḱ bodolaḱ uduḱme, noa beoharme ạuri rukhiyayre",
"tooltip-diff": "Uduḱme okaṭaḱ onolem bodolakada",
"tooltip-compareselectedversions": "ᱱᱚᱣᱟ ᱥᱟᱦᱴᱟ ᱨᱮᱱᱟᱜ ᱵᱟᱨᱭᱟ ᱧᱮᱞᱟᱹᱨᱩ ᱵᱷᱮᱜᱮᱫ ᱧᱮᱞ ᱢᱮ",
- "tooltip-watch": "Amaḱ ńeloḱ sakamre noa do dohoyme",
+ "tooltip-watch": "ᱱᱚᱭᱟ ᱥᱟᱦᱴᱟ ᱫᱚ ᱟᱢᱟᱜ ᱧᱮᱞᱚᱜ ᱛᱟᱹᱞᱠᱟᱹᱨᱮ ᱡᱚᱲᱟᱣᱢᱮ",
"tooltip-rollback": "ᱫᱚᱲᱦᱟᱛᱮ ᱢᱤᱫ ᱫᱷᱟᱣ ᱞᱤᱱ ᱛᱮ contributor ᱟᱜ ᱢᱩᱪᱟᱹᱫ ᱥᱟᱯᱲᱟᱣ \"ᱜᱷᱩᱨᱞᱟᱹ ᱟᱹᱪᱩᱨ\" ᱢᱮ",
"tooltip-undo": "Noa joṛao kạmire ulṭao \"bạgiyaḱme\" ar ńeloḱ lekate noa joṛao jhicme. Noa do am guḍ karon joṛaoe ektiyariye emama.",
"tooltip-preferences-save": "Pạsindko rukhiyaymẽ",
'7' => '٧', # ٧
'8' => '٨', # ٨
'9' => '٩', # ٩
- '.' => '٫', # ٫ wrong table ?
+];
+
+$separatorTransformTable = [
+ '.' => '٫', # ٫
',' => '٬', # ٬
];
'7' => '7',
'8' => '8',
'9' => '9',
+];
+
+$separatorTransformTable = [
'.' => '.',
',' => ',',
];
'7' => '٧', # ٧
'8' => '٨', # ٨
'9' => '٩', # ٩
- '.' => '٫', # ٫ wrong table ?
+];
+
+$separatorTransformTable = [
+ '.' => '٫', # ٫
',' => '٬', # ٬
];
'8' => '۸', # ۸
'9' => '۹', # ۹
'%' => '٪', # ٪
- '.' => '٫', # ٫ wrong table?
+];
+
+$separatorTransformTable = [
+ '.' => '٫', # ٫
',' => '٬', # ٬
];
'7' => '٧', # ٧
'8' => '٨', # ٨
'9' => '٩', # ٩
- '.' => '٫', # ٫ wrong table ?
+];
+
+$separatorTransformTable = [
+ '.' => '٫', # ٫
',' => '٬', # ٬
];
'7' => '七',
'8' => '八',
'9' => '九',
+];
+
+$separatorTransformTable = [
'.' => '點',
',' => '',
];
$rtl = true;
+$digitTransformTable = [
+ '0' => '۰', # ᝶
+ '1' => '۱', # ᝷
+ '2' => '۲', # ᝸
+ '3' => '۳', # ᝹
+ '4' => '۴', # ក
+ '5' => '۵', # ខ
+ '6' => '۶', # គ
+ '7' => '۷', # ឃ
+ '8' => '۸', # ង
+ '9' => '۹', # ច
+];
+
+$separatorTransformTable = [
+ '.' => '٫', # ٫
+ ',' => '٬', # ٬
+];
+
$namespaceNames = [
NS_MEDIA => 'رسنۍ',
NS_SPECIAL => 'ځانگړی',
}
},
featureFlags: {
- liveUpdate: mw.config.get( 'StructuredChangeFiltersLiveUpdatePollingRate' ) &&
- ( mw.user.options.get( 'rcenhancedfilters' ) || new mw.Uri().query.liveupdate )
+ liveUpdate: mw.config.get( 'StructuredChangeFiltersLiveUpdatePollingRate' )
}
};
}( mediaWiki ) );
border-radius: 100%;
transform-origin: 50% 50%;
opacity: 0;
- animation: ripple 1.2s ease-out infinite;
+ animation: ripple 2.3s ease-out infinite;
animation-delay: 1s;
}
}
.transform( scale( 1.5 ) );
opacity: 0.8;
}
+ 80%,
100% {
opacity: 0;
.transform( scale( 4 ) );
.client-js #preferences > .oo-ui-panelLayout > .oo-ui-fieldsetLayout > .oo-ui-fieldsetLayout-header {
margin-bottom: 1em;
}
+
+/* Make the "Basic information" section more compact */
+/* OOUI's `align: 'left'` for FieldLayouts sucks, so we do our own */
+#mw-htmlform-info > .oo-ui-fieldLayout-align-top > .oo-ui-fieldLayout-body > .oo-ui-fieldLayout-header {
+ width: 20%;
+ display: inline-block;
+ vertical-align: middle;
+ padding: 0;
+}
+
+#mw-htmlform-info > .oo-ui-fieldLayout-align-top > .oo-ui-fieldLayout-body > .oo-ui-fieldLayout-field {
+ width: 80%;
+ display: inline-block;
+ vertical-align: middle;
+}
$this->assertEquals( $value, $v, "Value still returned after deleted" );
$this->assertEquals( 1, $wasSet, "Value process cached while deleted" );
- $backToTheFutureCache = new TimeAdjustableWANObjectCache( [
+ $timeyCache = new TimeAdjustableWANObjectCache( [
'cache' => new TimeAdjustableHashBagOStuff(),
'pool' => 'empty'
] );
return 'xxx' . $wasSet;
};
+ $now = microtime( true ); // reference time
+
$wasSet = 0;
$key = wfRandomString();
- $v = $backToTheFutureCache->getWithSetCallback(
+ $timeyCache->setTime( $now );
+ $v = $timeyCache->getWithSetCallback(
$key, 30, $checkFunc, [ 'staleTTL' => 50 ] + $extOpts );
$this->assertEquals( 'xxx1', $v, "Value returned" );
$this->assertEquals( false, $oldValReceived, "Callback got no stale value" );
$this->assertEquals( null, $oldAsOfReceived, "Callback got no stale value" );
- $backToTheFutureCache->setTime( microtime( true ) + 40 );
- $v = $backToTheFutureCache->getWithSetCallback(
+ $timeyCache->setTime( $now + 40 );
+ $v = $timeyCache->getWithSetCallback(
$key, 30, $checkFunc, [ 'staleTTL' => 50 ] + $extOpts );
$this->assertEquals( 'xxx2', $v, "Value still returned after expired" );
$this->assertEquals( 2, $wasSet, "Value recalculated while expired" );
$this->assertEquals( 'xxx1', $oldValReceived, "Callback got stale value" );
$this->assertNotEquals( null, $oldAsOfReceived, "Callback got stale value" );
- $backToTheFutureCache->setTime( microtime( true ) + 300 );
- $v = $backToTheFutureCache->getWithSetCallback(
+ $timeyCache->setTime( $now + 300 );
+ $v = $timeyCache->getWithSetCallback(
$key, 30, $checkFunc, [ 'staleTTL' => 50 ] + $extOpts );
$this->assertEquals( 'xxx3', $v, "Value still returned after expired" );
$this->assertEquals( 3, $wasSet, "Value recalculated while expired" );
$this->assertEquals( false, $oldValReceived, "Callback got no stale value" );
$this->assertEquals( null, $oldAsOfReceived, "Callback got no stale value" );
+
+ $wasSet = 0;
+ $key = wfRandomString();
+ $checkKey = $timeyCache->makeKey( 'template', 'X' );
+ $timeyCache->setTime( $now - $timeyCache::HOLDOFF_TTL - 1 );
+ $timeyCache->touchCheckKey( $checkKey ); // init check key
+ $timeyCache->setTime( $now );
+ $v = $timeyCache->getWithSetCallback(
+ $key,
+ $timeyCache::TTL_WEEK,
+ $checkFunc,
+ [ 'graceTTL' => $timeyCache::TTL_DAY, 'checkKeys' => [ $checkKey ] ] + $extOpts
+ );
+ $this->assertEquals( 'xxx1', $v, "Value returned" );
+ $this->assertEquals( 1, $wasSet, "Value computed" );
+ $this->assertEquals( false, $oldValReceived, "Callback got no stale value" );
+ $this->assertEquals( null, $oldAsOfReceived, "Callback got no stale value" );
+
+ $timeyCache->setTime( $now + 300 ); // some time passes
+ $timeyCache->touchCheckKey( $checkKey ); // make key stale
+ $timeyCache->setTime( $now + 3600 ); // ~23 hours left of grace
+ $v = $timeyCache->getWithSetCallback(
+ $key,
+ $timeyCache::TTL_WEEK,
+ $checkFunc,
+ [ 'graceTTL' => $timeyCache::TTL_DAY, 'checkKeys' => [ $checkKey ] ] + $extOpts
+ );
+ $this->assertEquals( 'xxx1', $v, "Value still returned after expired (in grace)" );
+ $this->assertEquals( 1, $wasSet, "Value still returned after expired (in grace)" );
+
+ $timeyCache->setTime( $now + $timeyCache::TTL_DAY );
+ $v = $timeyCache->getWithSetCallback(
+ $key,
+ $timeyCache::TTL_WEEK,
+ $checkFunc,
+ [ 'graceTTL' => $timeyCache::TTL_DAY, 'checkKeys' => [ $checkKey ] ] + $extOpts
+ );
+ $this->assertEquals( 'xxx2', $v, "Value was recomputed (past grace)" );
+ $this->assertEquals( 2, $wasSet, "Value was recomputed (past grace)" );
+ $this->assertEquals( 'xxx1', $oldValReceived, "Callback got post-grace stale value" );
+ $this->assertNotEquals( null, $oldAsOfReceived, "Callback got post-grace stale value" );
}
public static function getWithSetCallback_provider() {
<?php
+use MediaWiki\Shell\Command;
use MediaWiki\Shell\CommandFactory;
+use MediaWiki\Shell\FirejailCommand;
use Psr\Log\NullLogger;
use Wikimedia\TestingAccessWrapper;
'walltime' => 40,
];
- $factory = new CommandFactory( $limits, $cgroup );
+ $factory = new CommandFactory( $limits, $cgroup, false );
$factory->setLogger( $logger );
$factory->logStderr();
$command = $factory->create();
+ $this->assertInstanceOf( Command::class, $command );
$wrapper = TestingAccessWrapper::newFromObject( $command );
$this->assertSame( $logger, $wrapper->logger );
$this->assertSame( $limits, $wrapper->limits );
$this->assertTrue( $wrapper->doLogStderr );
}
+
+ /**
+ * @covers MediaWiki\Shell\CommandFactory::create
+ */
+ public function testFirejailCreate() {
+ $factory = new CommandFactory( [], false, 'firejail' );
+ $factory->setLogger( new NullLogger() );
+ $this->assertInstanceOf( FirejailCommand::class, $factory->create() );
+ }
}
--- /dev/null
+<?php
+
+/**
+ * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+use MediaWiki\Shell\FirejailCommand;
+use MediaWiki\Shell\Shell;
+use Wikimedia\TestingAccessWrapper;
+
+class FirejailCommandTest extends PHPUnit_Framework_TestCase {
+ public function provideBuildFinalCommand() {
+ global $IP;
+ // @codingStandardsIgnoreStart
+ $env = "'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'";
+ // @codingStandardsIgnoreEnd
+ $limit = "$IP/includes/shell/limit.sh";
+ $profile = "--profile=$IP/includes/shell/firejail.profile";
+ $default = '--noroot --seccomp=@default --private-dev';
+ return [
+ [
+ 'No restrictions',
+ 'ls', 0, "/bin/bash '$limit' ''\''ls'\''' $env"
+ ],
+ [
+ 'default restriction',
+ 'ls', Shell::RESTRICT_DEFAULT,
+ "firejail --quiet $profile $default -- /bin/bash '$limit' ''\''ls'\''' $env"
+ ],
+ [
+ 'no network',
+ 'ls', Shell::NO_NETWORK,
+ "firejail --quiet $profile --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"
+ ],
+ [
+ 'default restriction & no network',
+ 'ls', Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK,
+ "firejail --quiet $profile $default --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"
+ ],
+ [
+ 'seccomp',
+ 'ls', Shell::SECCOMP,
+ "firejail --quiet $profile --seccomp=@default -- /bin/bash '$limit' ''\''ls'\''' $env"
+ ],
+ [
+ 'seccomp & no execve',
+ 'ls', Shell::SECCOMP | Shell::NO_EXECVE,
+ "firejail --quiet $profile --seccomp=@default,execve -- /bin/bash '$limit' ''\''ls'\''' $env"
+ ],
+ ];
+ }
+
+ /**
+ * @covers \MediaWiki\Shell\FirejailCommand::buildFinalCommand()
+ * @dataProvider provideBuildFinalCommand
+ */
+ public function testBuildFinalCommand( $desc, $params, $flags, $expected ) {
+ $command = new FirejailCommand( 'firejail' );
+ $command
+ ->params( $params )
+ ->restrict( $flags );
+ $wrapper = TestingAccessWrapper::newFromObject( $command );
+ $output = $wrapper->buildFinalCommand();
+ $this->assertEquals( $expected, $output[0], $desc );
+ }
+
+}