jenkins-bot [Mon, 6 Apr 2015 18:36:08 +0000 (18:36 +0000)]
Merge "Update special pages aliases for Luri (lrc) from translatewiki"
jenkins-bot [Mon, 6 Apr 2015 18:17:04 +0000 (18:17 +0000)]
Merge "Update special pages aliases for Persian (fa) from translatewiki"
jenkins-bot [Mon, 6 Apr 2015 17:35:42 +0000 (17:35 +0000)]
Merge "Catch rollback exceptions in API exception handling"
Brad Jorsch [Fri, 3 Apr 2015 16:12:30 +0000 (12:12 -0400)]
Catch rollback exceptions in API exception handling
Like I92293b22, but for the API. Needed for I41508127f fixing ignore
handling in the DB.
Change-Id: I1f2b70c80c7496f463f678b950c08de22476ea66
jenkins-bot [Mon, 6 Apr 2015 16:43:37 +0000 (16:43 +0000)]
Merge "Parser: Say tildes instead of ~~~ in comment to fix Doxygen fatal"
Gilles Dubuc [Mon, 6 Apr 2015 08:40:15 +0000 (10:40 +0200)]
Track request method in dbperformance.log
This will allow us to avoid needlessly investigating master requests that
only happen on POST (which is already what we want for multi-DC).
Bug: T92357
Change-Id: Ia7437d00f5b89a8e318d85659d60e2f9f9f26149
jenkins-bot [Mon, 6 Apr 2015 14:41:53 +0000 (14:41 +0000)]
Merge "Add a breadcrumb to EditPage refactor"
Timo Tijhof [Wed, 1 Apr 2015 00:37:28 +0000 (01:37 +0100)]
Parser: Say tildes instead of ~~~ in comment to fix Doxygen fatal
Doxygen was unable to parse the file past validateSig().
> Parser.php:6397: warning: reached end of file while inside a ~~~ block!
> The command that should end the block seems to be missing!
Change-Id: I3d1b547968302611d2bd78a7c11dd0738b40d23a
jenkins-bot [Mon, 6 Apr 2015 06:22:49 +0000 (06:22 +0000)]
Merge "ResourceLoaderImage: Allow shorthand syntax"
jenkins-bot [Mon, 6 Apr 2015 06:22:45 +0000 (06:22 +0000)]
Merge "resourceloader: Omit empty parameters from mw.loader.implement calls"
jenkins-bot [Mon, 6 Apr 2015 01:27:05 +0000 (01:27 +0000)]
Merge "objectcache: Add @covers for BagOStuffTest"
mjbmr [Sun, 5 Apr 2015 23:07:22 +0000 (23:07 +0000)]
Update special pages aliases for Luri (lrc) from translatewiki
Change-Id: I17d71f47f8b7b7710261ab3c0a50bb8c45583b9d
Translation updater bot [Sun, 5 Apr 2015 18:45:49 +0000 (20:45 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I13e36a6ca3c35959e1e5912ac27193cc13d9c74f
jenkins-bot [Sun, 5 Apr 2015 17:43:30 +0000 (17:43 +0000)]
Merge "Mock error event firing in mw.loader test"
Timo Tijhof [Sun, 5 Apr 2015 15:02:53 +0000 (16:02 +0100)]
objectcache: Add @covers for BagOStuffTest
Change-Id: I93a8074ba79b5ea66a984edabe009cc828e6fc4d
jenkins-bot [Sun, 5 Apr 2015 13:07:06 +0000 (13:07 +0000)]
Merge "DefaultSettings: Remove "~~~~" from comment to fix Doxygen parse error"
Adam Roses Wight [Sun, 5 Apr 2015 06:48:02 +0000 (23:48 -0700)]
Add a breadcrumb to EditPage refactor
Change-Id: I4cc398e712f499fdf35ac9384912e68ac8e9010b
Ori Livneh [Fri, 3 Apr 2015 23:17:13 +0000 (16:17 -0700)]
Html::srcSet: allow density to be specified either with or without trailing 'x'
$wgLogoHD is meant to contain high-density alternatives for $wgLogo, but its
keys include the trailing 'x' (e.g., '1.5x'), making it unusable with
Html::srcSet(). Fix that by normalizing all density values to have a
single trailing 'x'.
Change-Id: I62cc3a9e4aeff3a7cb102de2965b8b40fd106c37
Translation updater bot [Sat, 4 Apr 2015 18:38:02 +0000 (20:38 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: Ie48757c02285cbc60158862e2b73be9fe0d8b141
jenkins-bot [Sat, 4 Apr 2015 04:25:22 +0000 (04:25 +0000)]
Merge "Verify parameter for MapCacheLRU::has() can be passed to array_key_exists()"
Roan Kattouw [Fri, 3 Apr 2015 22:05:42 +0000 (15:05 -0700)]
Update OOjs UI to v0.9.7
Release notes:
https://git.wikimedia.org/blob/oojs%2Fui.git/v0.9.7/History.md
Change-Id: I6548deccf1bce60873ed16229905cfa5790ec4a0
Timo Tijhof [Thu, 2 Apr 2015 12:47:07 +0000 (13:47 +0100)]
jquery.suggestions: Convert documentation to JSDuck format
Change-Id: I39aba7f3f0c9d397f26934446e3a5ef686d84d86
jenkins-bot [Fri, 3 Apr 2015 19:21:50 +0000 (19:21 +0000)]
Merge "jquery.suggestions: Document the callback context and parameters"
Bryan Davis [Mon, 23 Mar 2015 00:53:24 +0000 (18:53 -0600)]
Move MWLogger classes to MediaWiki\Logger namespace
Move the MWLogger PSR-3 logging related classes into the
MediaWiki\Logger namespace. Create shim classes to ease migration of
existing MWLoggerFactory usage to the namespaced classes.
Bug: T93406
Change-Id: I359cc81fbd2dcf8937742311dcc7d3dee08747b0
Ori Livneh [Fri, 3 Apr 2015 18:26:20 +0000 (18:26 +0000)]
Merge "PHPCS lint fixes"
Ori Livneh [Fri, 3 Apr 2015 18:07:39 +0000 (11:07 -0700)]
PHPCS lint fixes
Change-Id: I16288db03f34439bdb16940a86720d2511f46467
Translation updater bot [Fri, 3 Apr 2015 18:02:47 +0000 (20:02 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I94574a6af0fbcc11b1ec6e7fc6adee2650bf2224
jenkins-bot [Fri, 3 Apr 2015 16:50:20 +0000 (16:50 +0000)]
Merge "Made rollbackMasterChanges catch exceptions, throwing the last one"
Aaron Schulz [Thu, 2 Apr 2015 19:33:30 +0000 (12:33 -0700)]
Made rollbackMasterChanges catch exceptions, throwing the last one
Change-Id: Ida36a302b35434d1af464cb77a0084ec441d038a
jenkins-bot [Fri, 3 Apr 2015 16:10:44 +0000 (16:10 +0000)]
Merge "Add namespaces for Western Balochi (bgn) from translatewiki"
jenkins-bot [Fri, 3 Apr 2015 16:05:20 +0000 (16:05 +0000)]
Merge "Add special pages aliases for Luri (lrc) from translatewiki"
Gilles Dubuc [Thu, 2 Apr 2015 09:53:12 +0000 (11:53 +0200)]
Better file size limit message display logic
Only display upload size limit differentiation message if there are 2 upload methods.
Bug: T94727
Change-Id: I23c5a5c5e7a30484c242005db831eec5c8c1f4a7
Gilles Dubuc [Fri, 3 Apr 2015 12:11:26 +0000 (14:11 +0200)]
Skin: Account for User::newFromName returning false
Follows-up e41f5a07f893cf.
Bug: T92357
Change-Id: I00edfaed92af7d16894453f28999bfce2de2e37a
Aaron Schulz [Fri, 3 Apr 2015 09:48:42 +0000 (02:48 -0700)]
Made Skin::getRelevantUser use READ_NORMAL
Bug: T92357
Change-Id: I5089c99ae3a21bb8d41d488d18dd63fe1eaefea9
jenkins-bot [Fri, 3 Apr 2015 09:24:53 +0000 (09:24 +0000)]
Merge "Removed BloomFilter classes"
Aaron Schulz [Fri, 3 Apr 2015 08:28:08 +0000 (01:28 -0700)]
Removed BloomFilter classes
* This ends up being more complex than it's worth, and even more so for multi-DC support
Bug: T93006
Change-Id: Iaa774fe69061e42955b11dc82d30dba93208e606
Kunal Mehta [Thu, 2 Apr 2015 17:31:24 +0000 (10:31 -0700)]
SkinFallback: Recommend using wfLoadSkin() if possible
Change-Id: I4f3841029578305ab692d853c45678f487adbc78
Timo Tijhof [Tue, 9 Dec 2014 01:17:53 +0000 (01:17 +0000)]
resourceloader: Omit empty parameters from mw.loader.implement calls
Follows-up ebeb29723, 1f393b6da, 0e719ce23.
Also:
* Add tests for ResourceLoader::makeLoaderImplementScript().
* Apply ResourceLoader::trimArray to makeLoaderImplementScript (new in c0c221bf).
This commit changes the load.php response to omit empty parameters.
These parameters were required until recently. The client has been
updated (1f393b6da and 0e719ce23) to make these optional, thus supporting
both the old server format and the change this commit makes.
Clients with a tab open from before 0e719ce23 are naturally not
compatible with load.php responses from after this commit. Ensure
this is deployed several days after 0e719ce23 to reduce race
conditions of this nature.
(This is a re-submitted version of 4ce0c0da4)
Bug: T88879
Change-Id: I9e998261ee9b0b745e3339bc3493755c0cb04b6a
Matthew Flaschen [Fri, 3 Apr 2015 02:53:57 +0000 (22:53 -0400)]
Have back-compat shim actually return the value
Bug: T94958
Change-Id: I75fbd11c8bb357b83079402592e8863acef18fb1
jenkins-bot [Fri, 3 Apr 2015 00:57:51 +0000 (00:57 +0000)]
Merge "Fixed class name typo in docs"
Aaron Schulz [Fri, 3 Apr 2015 00:42:41 +0000 (17:42 -0700)]
Fixed class name typo in docs
Change-Id: Ifc73af824b31fc2f709b777397896f605fe6dfff
jenkins-bot [Thu, 2 Apr 2015 23:41:12 +0000 (23:41 +0000)]
Merge "Check return value of preg_match in Sanitizer.php"
jenkins-bot [Thu, 2 Apr 2015 23:41:06 +0000 (23:41 +0000)]
Merge "Add checks to try to catch T92046"
mjbmr [Thu, 2 Apr 2015 23:01:20 +0000 (23:01 +0000)]
Add namespaces for Western Balochi (bgn) from translatewiki
Change-Id: I87e2842b3d204098768fb265b5e2f7bf715d918b
jenkins-bot [Thu, 2 Apr 2015 22:37:52 +0000 (22:37 +0000)]
Merge "languages: Backtick "<em>" since it's meant as code instead of mark up"
jenkins-bot [Thu, 2 Apr 2015 22:29:12 +0000 (22:29 +0000)]
Merge "Doxyfile: Suppress warnings for phpunit "@" annotations"
jenkins-bot [Thu, 2 Apr 2015 22:29:09 +0000 (22:29 +0000)]
Merge "Doxyfile: Suppress warnings for invalid @codingStandardsIgnoreStart"
jenkins-bot [Thu, 2 Apr 2015 22:29:05 +0000 (22:29 +0000)]
Merge "mwdocgen: Exclude node_modules from Doxygen"
jenkins-bot [Thu, 2 Apr 2015 22:29:02 +0000 (22:29 +0000)]
Merge "DefaultSettings: Fix doxygen warning for missing @endcond"
jenkins-bot [Thu, 2 Apr 2015 21:20:54 +0000 (21:20 +0000)]
Merge "Use structured logging/MWLoggerFactory for TransactionProfiler"
jenkins-bot [Thu, 2 Apr 2015 21:16:37 +0000 (21:16 +0000)]
Merge "Don't trigger MessageBlobStore during tests"
mjbmr [Thu, 2 Apr 2015 20:00:16 +0000 (20:00 +0000)]
Add special pages aliases for Luri (lrc) from translatewiki
Change-Id: I134b75f95e4d5aab6cf40e493c144de41806b47e
Timo Tijhof [Thu, 2 Apr 2015 12:08:07 +0000 (13:08 +0100)]
jquery.suggestions: Document the callback context and parameters
Change-Id: Ida73a836952b66476bfff4925ea6c1eee3e58b52
Timo Tijhof [Tue, 31 Mar 2015 23:53:25 +0000 (00:53 +0100)]
DefaultSettings: Remove "~~~~" from comment to fix Doxygen parse error
> /includes/DefaultSettings.php:7478:
> warning: reached end of file while inside a ~~~ block!
> The command that should end the block seems to be missing!
Three or more tildes in plain text result in the beginning of
a fenced code block.
http://doxygen.org/manual/markdown.html
https://michelf.ca/projects/php-markdown/extra/#fenced-code-blocks
It stopped parsing after $wgUrlProtocols and ignored the rest.
I tried to escape it in different ways but couldn't find any method
that keeps the string readable and inline. If it's important we can
put it back in an indented code block.
Change-Id: If350a917c6afaebcd45f246404b6b6195453e51e
Timo Tijhof [Wed, 1 Apr 2015 00:11:18 +0000 (01:11 +0100)]
languages: Backtick "<em>" since it's meant as code instead of mark up
For unknown things like <site> and <nowiki> it defaults to text,
but (like wikitext) it does support certain tags such as <em>.
Change-Id: Ib7bead3cb72fd7c361c8032bfc3069da970226bc
Timo Tijhof [Tue, 31 Mar 2015 23:48:04 +0000 (00:48 +0100)]
LogFormatter: Indent code to fix Doxygen parse error
This file was not being indexed due to a parse error.
> /includes/logging/LogFormatter.php:844:
> warning: Reached end of file while still inside a (nested) comment.
> Nesting level 2 (probable line reference: 48, 26)
Change-Id: Ie34ae644d06e705991b934d4389e8c41bb7f77a7
Bartosz Dziewoński [Thu, 2 Apr 2015 17:54:07 +0000 (19:54 +0200)]
ResourceLoaderImage: Allow shorthand syntax
array( "en,de,fr" => "foo.svg" ) now means the same as
array( "en" => "foo.svg", "de" => "foo.svg", "fr" => "foo.svg" ).
Bug: T76539
Change-Id: I0bf82e06be3c5f94b6ac88bbc0437b5229ceb284
jenkins-bot [Thu, 2 Apr 2015 18:34:50 +0000 (18:34 +0000)]
Merge "Added read-only checks around User::saveSettings where they belong"
Translation updater bot [Thu, 2 Apr 2015 18:32:41 +0000 (18:32 +0000)]
Merge "Localisation updates from https://translatewiki.net."
Translation updater bot [Thu, 2 Apr 2015 18:28:33 +0000 (20:28 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: Iabff7129bf55c58ec92f46dd34457093409087f2
jenkins-bot [Thu, 2 Apr 2015 18:22:44 +0000 (18:22 +0000)]
Merge "Simplify profiler output class selection"
Aaron Schulz [Mon, 30 Mar 2015 19:00:07 +0000 (12:00 -0700)]
Added read-only checks around User::saveSettings where they belong
* Ideally saveSettings() would not just silently do nothing in
read-only mode as not all callers expect that behavior. This
change is just the first step.
Change-Id: Ieeaf531dac3027ddba89c60159b98f9c04de78d3
Ori Livneh [Thu, 2 Apr 2015 17:46:57 +0000 (10:46 -0700)]
Simplify profiler output class selection
Instead of maintaining a mapping of short names to class names ('db' =>
'ProfilerOutputDb', etc.), let us adopt the convention of using the full
class name to indicate the output type. We can maintain backward-compatibility
by using simple string manipulation to transform short names to the full class
names.
Change-Id: I976e0da2873d88b9892fb41823cfe3af0a2d3974
umherirrender [Sat, 21 Feb 2015 09:37:31 +0000 (10:37 +0100)]
Check return value of preg_match in Sanitizer.php
preg_match returns bool to indicate if $regs contains content, check
that before using the array.
Bug: T75487
Change-Id: Idca50feb170e35ca25e9874674f5a4091748052a
Max Semenik [Wed, 1 Apr 2015 00:13:47 +0000 (17:13 -0700)]
Minor cleanups
* Declare undeclared variables
* Kill unused variables
* Fix comments including PHPDoc
Change-Id: I60015f6b6740aa9088bda3745f4dc4e65e29fcb1
Kunal Mehta [Sun, 29 Mar 2015 08:41:38 +0000 (01:41 -0700)]
Don't require database access in ApiMainTest
It's still slow though because ApiTestCase does expensive things in
setUp(), but nothing in these tests needs database access anymore.
Change-Id: Iaf431cc62fe23154c42967e6391c533fe1c5346e
jenkins-bot [Thu, 2 Apr 2015 15:30:07 +0000 (15:30 +0000)]
Merge "Remove redundant NS_MAIN from translations"
jenkins-bot [Thu, 2 Apr 2015 14:17:54 +0000 (14:17 +0000)]
Merge "Change labels of paging links in Category page"
jenkins-bot [Thu, 2 Apr 2015 13:25:28 +0000 (13:25 +0000)]
Merge "Message: Clean up unit tests and improve code coverage"
Timo Tijhof [Thu, 2 Apr 2015 07:01:38 +0000 (08:01 +0100)]
Message: Clean up unit tests and improve code coverage
* Remove unnecessary use of ReflectionClass. It was testing
internal properties that aren't part of the API. Using the
getters instead.
* Remove need for func_get_args that was making the test more
complex and the data provider hard to read. Simply maintain
it as array of expected params and array of variadic arguments.
* Rename tests to more closely match tested methods.
* Rename data providers to provide*, and make them static.
* Reorder tests to more closely match logical order of the class.
* Improve line coverage from 31% to 67%.
Also:
* Remove testParams (dupes testConstructorParams).
* Add tests for RawMessage class.
* Add tests for transformation and parsing.
* Add tests for wfMessage().
* Add tests for Message::newFrom*.
* Add tests for "$*" replacement.
* Add tests for __toString.
Change-Id: I2b183a66f9e9f51bd800088e174b1ae4d3284d8d
Timo Tijhof [Thu, 2 Apr 2015 01:15:50 +0000 (02:15 +0100)]
User: Add unit tests for getId, isAnon and isLoggedIn
Change-Id: Ie007d9da47df871f99ca19c4d7364f46f71c255b
Ori Livneh [Thu, 2 Apr 2015 04:09:20 +0000 (21:09 -0700)]
Follow-up to Icf644ad34: Introduce ProfilerOutputStats
Change-Id: Ib3585303b75899c4cd7c9c88fb3473b441e52c23
Ori Livneh [Wed, 1 Apr 2015 23:30:16 +0000 (16:30 -0700)]
Introduce ProfilerOutputStats
* Associate Profiler objects with a request context by adding a $context
property with a getter and a setter.
* Introduce ProfilerOutputStats, which writes profiling data to the stats
buffer associated with the current request context.
* Make it the Profiler class's responsibility to enforce $wgProfilerLimit.
* Deprecate $wgProfilerLimit in favor of the (more aptly named, IMO)
$wgProfiler['threshold'] config setting.
* Tidy up Profiler instance creation code in Profiler::instance().
* Add Profiler::getOutputs, which returns an array of ProfilerOutput instances
which are configured for the current profiler and whose canUse() method
returns true.
* Make ProfilerStub not log by creating a stub ProfilerStub::logData() method
which does not call the parent. Previously the parent class checked if $this
was an instance of ProfilerStub and returned early if so.
Task: T90623
Task: T85641
Change-Id: Icf644ad3435c1f30d0a49957a97b481808a3153d
Ori Livneh [Wed, 1 Apr 2015 23:16:09 +0000 (16:16 -0700)]
Make WebRequest objects time-aware
* Deprecate $wgRequestTime in favor of $_SERVER['REQUEST_TIME_FLOAT'], which is
more accurate. Because $_SERVER['REQUEST_TIME_FLOAT'] is only set for PHP
5.4+, set it to microtime( true ) in WebStart.php for back-compatibility.
* Add a 'requestTime' property to WebRequest objects, set to
$_SERVER['REQUEST_TIME_FLOAT'] for WebRequest or the instance creation time
for FauxRequest instances.
* Use that to provide WebRequest::getElapsedTime(), which gets the time since
the request was initiated.
* In wfLogProfilingData(), get the user and request objects from the context
object rather than from global scope.
Opportunistic clean-up: move the magic quotes check to WebStart.php and make
the error message more helpful.
Change-Id: I7e07e22eaf16b5141b80ad9f843285c542a127b7
jenkins-bot [Wed, 1 Apr 2015 22:27:33 +0000 (22:27 +0000)]
Merge "tests: Clean up file headers"
jenkins-bot [Wed, 1 Apr 2015 22:27:27 +0000 (22:27 +0000)]
Merge "installer: Use wfLoadExtension/Skin in LocalSettingsGenerator"
jenkins-bot [Wed, 1 Apr 2015 20:48:50 +0000 (20:48 +0000)]
Merge "Sync up with Parsoid parserTests."
jenkins-bot [Wed, 1 Apr 2015 20:18:28 +0000 (20:18 +0000)]
Merge "ResourceLoaderImageModule: Remove stupid TODO"
Subramanya Sastry [Wed, 1 Apr 2015 20:07:44 +0000 (15:07 -0500)]
Sync up with Parsoid parserTests.
This now aligns with Parsoid commit ea9c04956577c35ec15609a966bf5a4d5541ab45
Change-Id: I310a0c652eb41a9845cfaa3c90262762b6ee4cc8
jenkins-bot [Wed, 1 Apr 2015 19:46:19 +0000 (19:46 +0000)]
Merge "Make all QUnit tests pass for languages other than English"
Translation updater bot [Wed, 1 Apr 2015 19:37:35 +0000 (19:37 +0000)]
Merge "Localisation updates from https://translatewiki.net."
Bartosz Dziewoński [Wed, 1 Apr 2015 19:35:43 +0000 (21:35 +0200)]
ResourceLoaderImageModule: Remove stupid TODO
Change-Id: I36ade1713b593504a34b1ec92bc4d9e536aa262a
Schnark [Tue, 24 Mar 2015 10:33:47 +0000 (10:33 +0000)]
Make all QUnit tests pass for languages other than English
Some tablesorter tests were failing for a content language different from
English, and the test for two functions from mw.language for a different
UI language.
This patch provides a mocked environment for all these tests, simulating
English language.
Bug: T59776
Change-Id: Ibfc83c34a896dc5fb5e892fb0ffd60e618880781
Translation updater bot [Wed, 1 Apr 2015 19:31:59 +0000 (21:31 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I32d1c7cf05c4981322f4111c8d997f08b79b05bf
Bartosz Dziewoński [Mon, 30 Mar 2015 17:27:31 +0000 (19:27 +0200)]
ResourceLoaderImageModule: Remove bogus CSSJanus call
We explicitly do not want to use CSSJanus flipping here, as
ResourceLoaderImage has a separate and more sophisticated mechanism
for choosing the right image for given language. This was a no-op,
since there were no flippable paths in the output at this point.
Change-Id: Ieff5f21653504a28afe3d4c110a52d8b06fc6a07
jenkins-bot [Wed, 1 Apr 2015 19:05:30 +0000 (19:05 +0000)]
Merge "Use "string|false" as @return instead of "string|bool" where appropriate"
Bartosz Dziewoński [Wed, 1 Apr 2015 17:45:26 +0000 (19:45 +0200)]
Resources.php: Remove duplicate copy of 'oojs-ui.styles' module
derp
Change-Id: Id7cd440888818e387f5cae68a5a63d73d3e11876
jenkins-bot [Wed, 1 Apr 2015 17:40:17 +0000 (17:40 +0000)]
Merge "SECURITY: Don't allow entities in XMP with HHVM"
jenkins-bot [Wed, 1 Apr 2015 17:40:13 +0000 (17:40 +0000)]
Merge "SECURITY: Don't allow directly calling Xml::isWellFormed"
jenkins-bot [Wed, 1 Apr 2015 17:40:10 +0000 (17:40 +0000)]
Merge "SECURITY: Always expand xml entities when checking SVG's"
jenkins-bot [Wed, 1 Apr 2015 17:32:01 +0000 (17:32 +0000)]
Merge "SECURITY: Escape > in Html::expandAttributes"
jenkins-bot [Wed, 1 Apr 2015 17:31:57 +0000 (17:31 +0000)]
Merge "SECURITY: Don't execute another user's CSS or JS on preview"
jenkins-bot [Wed, 1 Apr 2015 17:31:54 +0000 (17:31 +0000)]
Merge "SECURITY: Set maximal password length for DoS"
jenkins-bot [Wed, 1 Apr 2015 17:18:23 +0000 (17:18 +0000)]
Merge "OutputPage: Tiny tweak to jQuery.ready inline script"
Ori Livneh [Wed, 1 Apr 2015 08:48:29 +0000 (01:48 -0700)]
OutputPage: Tiny tweak to jQuery.ready inline script
Changing 'window.jQuery && jQuery.ready()' to 'if ( window.jQuery )
jQuery.ready()' means no *<![CDATA[*/ /*]]>* is required (because we
got rid of the ampersands). It's also more readable and more consistent
with if(window.mw).
Change-Id: I28262efb978c085e732b40f9dc5ddb1bda5c4376
csteipp [Thu, 12 Mar 2015 22:49:22 +0000 (15:49 -0700)]
SECURITY: Don't allow entities in XMP with HHVM
Test for, and refuse to parse, XMP chunks with a doctype declaration
when parsing XMP under HHVM.
Bug: T85848
Change-Id: Iea4feb077ee85a35509a920153daaa9321ee69f3
csteipp [Fri, 13 Mar 2015 23:52:18 +0000 (16:52 -0700)]
SECURITY: Don't allow directly calling Xml::isWellFormed
Changing Xml::isWellFormed to private. In WMF hosted repos, there are
no callers to isWellFormed directly.
Bug: T85848
Change-Id: I104427989b89c386de571b8e60642095331a1132
csteipp [Wed, 4 Feb 2015 01:45:05 +0000 (17:45 -0800)]
SECURITY: Always expand xml entities when checking SVG's
XmlTypeCheck's use of xml_parse for filtering SVGs sometimes left XML
entities unexpanded, which can lead to false negatives when the
callback was used for filtering. Update XmlTypeCheck to use XMLReader
instead, tell the library to fully expand entities, and rely on the
library to error out if it encounters XML that is likely to cause a DoS
if parsed.
Bug: T88310
Change-Id: I77c77a2d6d22f549e7ef969811f7edd77a45dbba
csteipp [Thu, 19 Feb 2015 23:05:40 +0000 (15:05 -0800)]
SECURITY: Escape > in Html::expandAttributes
Escape > characters in attributes, so we don't confuse post-processing,
like LanguageConverter.
Bug: T73394
Change-Id: I768e2a12c7b6ba635e6c8571676b8c776b16bf72
Brad Jorsch [Mon, 5 Jan 2015 21:31:26 +0000 (16:31 -0500)]
SECURITY: Don't execute another user's CSS or JS on preview
Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.
Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a