Leszek Manicki [Mon, 17 Jun 2019 09:11:39 +0000 (11:11 +0200)]
Disable rate limiting in Development Settings
Bug: T225796
Change-Id: I2475a04066d4aaefeba372bd223ef68548a8cf18
Karsten Hoffmeyer [Tue, 11 Jun 2019 19:24:16 +0000 (21:24 +0200)]
Installer: Update link to PHP intl away from old PECL package
PHP 5.5 was the last version supported by PECL intl package. Now the
PHP intl extension is used instead.
Bug: T225558
Change-Id: I68cb7a549c899e69da9a8cfea5a69b9acb41e8ae
(cherry picked from commit 7f0f6af2902cb7cf1406df5b8ee8cd12a5a88f1f)
Reedy [Tue, 28 May 2019 23:43:59 +0000 (00:43 +0100)]
1.31.3 RELEASE-NOTES section
Change-Id: I8bc00c2274018f5d7051b34cdd162c001c58061c
Reedy [Tue, 28 May 2019 23:39:18 +0000 (00:39 +0100)]
Prepare 1.31.2
Change-Id: I0e6ef5f4a51adbe20631265a693c86f2114859d4
Reedy [Tue, 28 May 2019 23:38:44 +0000 (00:38 +0100)]
Add RELEASE-NOTES for security patches
Change-Id: I9032e202505fb77a7d4abea6662ef4f8fa49e0dd
James D. Forrester [Thu, 25 Apr 2019 21:12:52 +0000 (16:12 -0500)]
SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358
Patch taken from https://github.com/DanielRuf/snyk-js-jquery-174006?files=1.
Bug: T221739
Change-Id: I99c2be81c74a8f1d35c421f0ee43c75efb30a7d0
rxy [Sun, 28 Apr 2019 20:14:18 +0000 (05:14 +0900)]
SECURITY: Add permission check for user is permitted to view the log type
Bug: T222038
Change-Id: I92ec2adfd9c514b3be1c07b7d22b9f9722d24a82
rxy [Sun, 28 Apr 2019 20:04:01 +0000 (05:04 +0900)]
SECURITY: Add permission check for user is permitted to view the log type
Bug: T222036
Change-Id: I7584ee8db23a8834bbab21e355cab9857a293f72
Lucas Werkmeister [Mon, 17 Dec 2018 13:02:39 +0000 (14:02 +0100)]
SECURITY: Fix cache mode for (un)patrolled recent changes query
Restricting the list of recent changes to patrolled, not patrolled,
autopatrolled, not autopatrolled, or unpatrolled recent changes requires
special permissions (as does displaying that status in the properties of
returned entries), but we only set the cache mode to private in the
first two cases.
Bug: T212118
Change-Id: I4c3fe6e47f80ebf97fa37875c704328d08772d26
Kunal Mehta [Fri, 13 Jul 2018 15:07:51 +0000 (08:07 -0700)]
SECURITY: API: Respect $wgBlockCIDRLimit in action=block
$wgBlockCIDRLimit states how large rangeblocks are allowed to be for IPv4
and IPv6. The API now calls SpecialBlock::validateTarget() to perform
that validation step.
As a minor thing, SpecialBlock::checkUnblockSelf() is now called twice by
the API, but that can probably be cleaned up at another time.
Tests included.
Bug: T199540
Change-Id: Ic7d60240d9ebd9580c0eb3b41e4befceab69bd81
Brian Wolff [Wed, 21 Nov 2018 16:15:28 +0000 (16:15 +0000)]
SECURITY: rate-limit and prevent blocked users from changing email
This is to counter spam where people use Special:ChangeEmail to
spam people with the confirmation email and using the username
to promote their thing
Bug: T209794
Change-Id: I8b2bd0f60c66f44c91dc78e3512a73e4237df2f3
Max Semenik [Wed, 7 Nov 2018 02:38:22 +0000 (18:38 -0800)]
SECURITY: blacklist CSS var()
Bug: T208881
Change-Id: I9a4ced2bc47eb5f96cf35e693bf5261c48acb126
Brian Wolff [Fri, 15 Jun 2018 08:19:49 +0000 (08:19 +0000)]
SECURITY: Fix reauth in Special:ChangeEmail
Previously you could bypass reauthentication by directly
POSTing to Special:ChangeEmail.
Bug: T197279
Change-Id: I674557351e0e91a8105c12ddf6cd30283aac9f7a
James D. Forrester [Tue, 7 May 2019 19:43:54 +0000 (12:43 -0700)]
selenium: wdio-mocha-framework now v0.6.4
Bug: T213268
Bug: T222406
Change-Id: I5935fc5d5bc23978e50275d3c99ac870b3b82f49
Brad Jorsch [Wed, 9 May 2018 18:53:32 +0000 (14:53 -0400)]
Add getLoginSecurityLevel() support to FormSpecialPage
The base SpecialPage will handle reauthentication automatically if you
just implement getLoginSecurityLevel() to return an appropriate string.
But it doesn't work with FormSpecialPage, and if you try calling
checkLoginSecurityLevel() manually it'll lose any post data if the
reauth happens when the form is posted.
So this patch has SpecialPage::checkLoginSecurityLevel() preserve post
data across reauth (using logic similar to that in AuthManagerSpecialPage),
and has FormSpecialPage call checkLoginSecurityLevel() in the same
way the base SpecialPage does.
It also fixes the SpecialPage logic to not call
checkLoginSecurityLevel() when the special page doesn't implement
getLoginSecurityLevel(), as was the originally-intended behavior.
Apparently almost nothing actually gets to SpecialPage::execute() or
this would probably have been noticed already.
Change-Id: Ic89dc1b6583aaecd2efe3f5109896148a188c271
(cherry picked from commit bfc4e41636aca33b943f8522024bd9f8eeac1977)
Reedy [Tue, 28 May 2019 22:27:12 +0000 (23:27 +0100)]
Add/update RELEASE-NOTES to match commits
Change-Id: Ib260482dcbab92610b978744c98bc3a94940dcab
Reedy [Sun, 26 May 2019 19:14:03 +0000 (20:14 +0100)]
Make config-outdated-sqlite parameter numbers consistent with config-*-old
Bug: T224374
Change-Id: Iebfb8299234cc9c66db0ecc4abd0c0a32af63602
Reedy [Thu, 23 May 2019 23:16:42 +0000 (00:16 +0100)]
resourceloader: Use AND instead of OR for upsert conds in saveFileDependencies()
Follows-up e7b57d881a, which changed it from replace() to upsert()
but lost one of the wrapping arrays in doing so.
Previously updated many more rows than expected on Postgresql, when it
should only be updating individual rows, not all rows that match either
criteria.
SQL query before:
WHERE ((md_module = 'jquery.makeCollapsible.styles') OR (md_skin = 'vector|en-gb'))
SQL query after:
WHERE ((md_module = 'jquery.makeCollapsible.styles' AND md_skin = 'vector|en-gb'))
Not a problem on MySQL as upsert() is implemented differently there.
Bug: T222385
Change-Id: If8a458bf4543b297b3a06f31e09c0e77666bf7e6
jenkins-bot [Sat, 11 May 2019 02:44:53 +0000 (02:44 +0000)]
Merge "Update cssjanus/cssjanus from 1.2.0 to 1.3.0" into REL1_31
Reedy [Sat, 11 May 2019 02:10:14 +0000 (03:10 +0100)]
Update git submodules
* Update vendor from branch 'REL1_31'
to 1521f359a06aed626e860285769ed78a7152cdec
- Update cssjanus/cssjanus from 1.2.0 to 1.3.0
https://github.com/cssjanus/php-cssjanus/releases/tag/v1.3.0
https://github.com/cssjanus/php-cssjanus/compare/v1.2.0...v1.3.0
Change-Id: Id8aba2d9e99671a9c45e02b271dbf290a11228d7
Reedy [Sat, 11 May 2019 02:18:13 +0000 (03:18 +0100)]
Update cssjanus/cssjanus from 1.2.0 to 1.3.0
https://github.com/cssjanus/php-cssjanus/releases/tag/v1.3.0
https://github.com/cssjanus/php-cssjanus/compare/v1.2.0...v1.3.0
Change-Id: I352f79f6f34279e669057aee7c2f1570800c8a11
Depends-On: Id8aba2d9e99671a9c45e02b271dbf290a11228d7
Brad Jorsch [Thu, 25 Apr 2019 13:49:01 +0000 (09:49 -0400)]
ApiLogout: Follow up Icb674095
This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and
implemented in F3328897. Somehow it didn't make it into Icb674095.
This also fixes some issues in the unit test:
* Properly link the user to the request's Session so User::doLogout()
won't log a warning. This also gives use to the otherwise-unneeded
implementation of setUp(), and lets us get rid of the broken call to
User::newFromId() that was passing an IP address rather than a user ID.
* Privatize some internal methods.
* Use setExpectedApiException() instead of manually catching and
hard-coding the English exception message.
* Also assert that the bad token error didn't result in a logout.
Bug: T25227
Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2
Aryeh Gregor [Tue, 31 Jul 2018 13:19:10 +0000 (16:19 +0300)]
New helper ApiTestCase::setExpectedApiException()
This allows setting the expected exception message by the message key,
not text, so it remains correct if the message is updated. This
function could be defined to work with other exception types too, but it
seems useful to have shortcuts for common types like ApiUsageException
or MWException.
Change-Id: Ic86278e9e1e91eea0c045d2b93342f018e1d8e66
sbassett [Tue, 16 Apr 2019 22:09:43 +0000 (17:09 -0500)]
[SECURITY] [API BREAKING CHANGE] Require logout token.
Special:Userlogout now requires a token
Api action=logout requires a csrf token and the request to be POSTed
Patch author: bawolff
Bug: T25227
Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774
rxy [Mon, 1 Apr 2019 07:04:40 +0000 (16:04 +0900)]
Add support for new Japanese era name "Reiwa"
Bug: T219728
Change-Id: I28c26291c38e7e6c167011472236fb81a8adf032
Max Semenik [Mon, 18 Mar 2019 05:42:42 +0000 (22:42 -0700)]
Urlencode fragments when redirecting after editing
This is a quick fix for the main symptom of the Chrome bug that results in
users being redirected to Special:BadTitle after section editing. We'll
need to discuss a more permanent solution.
Bug: T216029
Change-Id: I4b2d42ebc74031df86bc52310da71819da11c1ae
Gergő Tisza [Thu, 21 Mar 2019 16:00:49 +0000 (09:00 -0700)]
Rearrange code in User::getBlockedStatus to avoid isAllowed calls
User::isAllowed() triggers session loading, which results in a loop
if it is called during session loading. Session providers need to
check block status when $wgBlockDisablesLogin is enabled, so try to
avoid isAllowed calls in that situation.
Bug: T218608
Change-Id: Iab24923c613d6aeed4b574f587fc4cee8f33077c
Gergő Tisza [Mon, 18 Mar 2019 21:50:48 +0000 (14:50 -0700)]
Replace $wgUser with RequestContext::getUser in User::getBlockedStatus
$wgUser is not guaranteed to exist until MediaWiki has been fully
initialized; block status needs to be checked early on for
authentication-related permission checks.
Bug: T218608
Change-Id: I16315c071855024bc0412d5360c95f843420d9a9
Brad Jorsch [Mon, 2 Jul 2018 17:52:49 +0000 (13:52 -0400)]
Update git submodules
* Update extensions/Renameuser from branch 'REL1_31'
to 21f254948a422f367b397cc842dce85f521f83ff
- Fix incorrect usage in RenameUserJob
Too many rewrites of that code while I was writing it.
Also, no idea why that was passing false to in_array()'s $strict
parameter.
Bug: T198285
Change-Id: Ib4ab555f53f5ffa95ef7c974c3a53f33a34d2ad5
(cherry picked from commit 130b99c4613058dfda0a9532c9794f516933b8b6)
Jack Phoenix [Wed, 6 Mar 2019 09:07:26 +0000 (11:07 +0200)]
user_group, the nonexistent table that keeps on giving
Follow-up to 27c61fb1e94da9114314468fd00bcf129ec064b6.
Bug: T199474
Change-Id: Ie8e054f5898209c51538669149e966bee7754f1e
Jack Phoenix [Tue, 5 Mar 2019 23:13:59 +0000 (01:13 +0200)]
Fix a rather fatal typo in rebuildrecentchanges.php
The JOIN condition was being ignored because there is no table called "user_group" in MediaWiki core.
Thus if and when using $wgSharedDB, the query would end up listing *all* registered users from the shared user table.
And even without $wgSharedDB, running rebuildrecentchanges.php would result in everyone's edits being marked as bot edits (recentchanges.rc_bot = 1) and thus hidden from the Special:RecentChanges page.
Thanks to Lcawte for reporting this bug.
Follow-up to 27c61fb1e94da9114314468fd00bcf129ec064b6
Change-Id: I18d658b67c50f2200341f732783c2e7524dd27f1
Aaron Schulz [Wed, 20 Feb 2019 00:26:10 +0000 (16:26 -0800)]
Backport WikiMap/JobQueueGroup logic to handle hyphenated DB names
Although the documentation in DefaultSettings.php states that such
cases should be avoided, some common cases and code paths can be
made to work easily enough.
Partially cherry-picked from dcd0a3d53, 51945dbca3594, and 5196ac32c6.
Bug: T204423
Change-Id: Ia3c5855b18b98d9fc5bc02fe68358cfa52ccbce1
Reedy [Tue, 26 Feb 2019 14:48:05 +0000 (14:48 +0000)]
RELEASE-NOTES for last two commits
Change-Id: I119b88499bdd59f58295473523b1a0974c0c1476
Brad Jorsch [Wed, 20 Feb 2019 15:22:26 +0000 (10:22 -0500)]
DatabasePostgres: Ignore "IGNORE" option to update()
PostgreSQL doesn't support anything like this. For now, avoid generating
invalid SQL by just ignoring the option. If we come up with a use case
someday, that can guide implementation of a workalike.
Bug: T215169
Change-Id: I1409c80b39834d1977c82c489226255a8cc93fd0
(cherry picked from commit 814605a979633fc37bcfa8319ddbfe627a66a308)
Reedy [Mon, 25 Feb 2019 00:18:47 +0000 (00:18 +0000)]
Return the page_id in list=langbacklinks as an int
Bug: T216968
Change-Id: I5b16779be7b24b1e46d4787a82a8daa3611f67b1
setian [Sun, 24 Feb 2019 21:43:33 +0000 (16:43 -0500)]
Return the page_id in list=iwbacklinks as an int rather than string
Bug: T216968
Change-Id: I6645c5f1c6e76be3187c24053ed430e99c03bff4
Gergő Tisza [Tue, 20 Nov 2018 20:38:32 +0000 (20:38 +0000)]
Backfill release notes for Iaf531795
Change-Id: Ida5491d2376fc28e75c8887feb213e301991e115
James D. Forrester [Thu, 14 Feb 2019 19:29:48 +0000 (11:29 -0800)]
Update required PHP version to 7.0.13
Bug: T209423
Change-Id: I66e563adb062bc132a1092d78bfd06e2210f382e
Aaron Schulz [Tue, 12 Jun 2018 01:32:19 +0000 (18:32 -0700)]
Fix flaky MessageBlobStoreTest assertion failures
Bug: T176097
Change-Id: I0f1e9a6a73bb5b2bc54ee400c5710055e992c3f1
(cherry picked from commit 46a43d8187a1aa1a7702bbfec2a3c5e20df4435a)
Aaron Schulz [Thu, 31 May 2018 06:14:09 +0000 (23:14 -0700)]
objectcache: add setMockTime() method to BagOStuff/WANObjectCache
Change-Id: I3e5760814fb7dbe628eb0d979d690c3275fc3c15
Peter Boehm [Thu, 24 Jan 2019 12:44:53 +0000 (13:44 +0100)]
Update git submodules
* Update extensions/CategoryTree from branch 'REL1_31'
to a1717183d7a263ad2a109a1891ac430f1e604c02
- Change 'title' attributes to links to use full page name
This changes the title attribute on the link generated in the
CategoryTree. The only effect is additional information about the
link target that may be truncated by 'hideprefix' or CSS overflow,
will now still be accessible in another way.
Change-Id: I4f07fa88f0a528634e9bf3c504e84fb4bf55e3bf
(cherry picked from commit 1dfe6ca618afd5b85631417c10772591de02043a)
Fomafix [Wed, 18 Apr 2018 06:23:38 +0000 (08:23 +0200)]
Update git submodules
* Update extensions/CategoryTree from branch 'REL1_31'
to fec55f2994c3e8021d0329e45aed510a0062c168
- Simplify by using Xml::element
Xml::element already makes the HTML encoding.
Change-Id: Idee5e6871c5a7b5e6763ebe85275598b9b217224
(cherry picked from commit 6684f62bbaa17068c50a0ed89319a515d86bea1c)
Brian Wolff [Thu, 5 Jul 2018 00:34:08 +0000 (00:34 +0000)]
Update git submodules
* Update extensions/CategoryTree from branch 'REL1_31'
to 27e63545302d93d98dabd15ca9844c40227ff41f
- Fix some raw html messages
Try also to ensure that the bullet messages are treated the
same in both JS and PHP. It should be noted that the mk and scn
translations are currently broken on the JS side.
Bug: T195010
Change-Id: Id87d26db8d90e293701ae11f6434026a8ae88822
(cherry picked from commit f36af623179350b42e69d98816203273b6e8ac3b)
jenkins-bot [Sat, 9 Feb 2019 20:32:40 +0000 (20:32 +0000)]
Merge "Fix $magicWords for the Sanskrit language" into REL1_31
James D. Forrester [Fri, 8 Feb 2019 19:53:58 +0000 (11:53 -0800)]
Follow-up I41cc21708: Add to RELEASE-NOTES as it's now a pre-release patch
Bug: T215632
Change-Id: Id8a25f38bbb28d04c725bc0941a0ceb94aa151fd
Juan Osorio [Fri, 9 Nov 2018 22:45:55 +0000 (14:45 -0800)]
Removes Google web search from exception page
When a wiki is down, it is not necessarily useful to be able to
search the web. Additionally, there is general consensus that
the hard-coded Google search form should be removed.
Bug: T208871
Change-Id: I5bcae848de1144d4fc1116c475b2e2ab1ccc3f7d
Strainu [Thu, 24 May 2018 20:23:26 +0000 (23:23 +0300)]
MWExceptionRenderer: Fix db error outage page
Set content encoding and add some content to the header tag.
Bug: T195525
Change-Id: Ieabfe18280359459e9462204371d3fe8d62a4177
(cherry picked from commit 94b58b2c268541cf09612f5f9fa99c7c3edb2af4)
Brad Jorsch [Sat, 12 Jan 2019 19:16:52 +0000 (14:16 -0500)]
Avoid session double-start in Setup.php
In PHP before 7.3, the double start doesn't really matter: session_id()
changes the ID even if it was already started, and the warning from
session_start() can just be ignored. Which is what we did.
In PHP 7.3, now session_id() also warns and no longer changes the ID. To
preserve the previous behavior, we'll need to explicitly close the old
session and open the new one.
Bug: T213489
Change-Id: I02a5be1c3adb326927c156fdd00663bccee37477
Aaron Schulz [Mon, 10 Dec 2018 20:29:43 +0000 (15:29 -0500)]
rdbms: reduce LoadBalancer replication log spam
LoadMonitor already has similar and less-frequent logging since
it only happens on cache rebuilds.
Bug: T204531
Change-Id: I270a65ab1d3f471bd49c8f54d85151c91827a518
(cherry picked from commit 38b54d71ece279f978246fefa21142f34cb6e07f)
Jayprakash12345 [Sat, 30 Jun 2018 13:20:44 +0000 (18:50 +0530)]
Fix $magicWords for the Sanskrit language
Bug: T102320
Change-Id: I4ef78dc7a41916a9af6aa259de455e3948662913
(cherry picked from commit eb741da7a18c7f52dc2e2b55c4f34e69362b5c7f)
Brad Jorsch [Thu, 29 Nov 2018 14:03:20 +0000 (09:03 -0500)]
User: Bypass repeatable-read when creating an actor_id
When MySQL is using repeatable-read transaction isolation (which is the
default), the following sequence of events can occur:
1. Request A: Begin a transaction.
2. Request A: Try to select the actor ID for a user. Find no rows.
3. Request B: Insert an actor ID for that user.
4. Request A: Try to insert an actor ID for the user. Fails because one
exists.
5. Request A: Try to select the actor ID that must exist. Fail because of
the snapshot created at step 2.
In MySQL we can avoid this issue at step #5 by using a locking select
(FOR UPDATE or LOCK IN SHARE MODE), so let's do that.
Bug: T210621
Change-Id: I6c1d255fdd14c6f49d2ea9790e7bd7d101e98ee4
(cherry picked from commit 37f48fdb25a78ba7623c57b50cdfd842292d3ccb)
Brad Jorsch [Fri, 21 Sep 2018 18:32:34 +0000 (14:32 -0400)]
Add join conditions to ActiveUsersPager
We're (very slowly and somewhat unofficially) moving towards using join
conditions everywhere, and here they're needed to avoid errors once the
actor migration reaches the READ_NEW stage.
Bug: T204767
Change-Id: I8bfe861fac7874f8938bed9bfac3b7ec6f478238
(cherry picked from commit 15441cabe60d84e17ffb25824aeb095d92bc375a)
Alexia E. Smith [Thu, 15 Nov 2018 16:09:15 +0000 (10:09 -0600)]
Update git submodules
* Update extensions/ParserFunctions from branch 'REL1_31'
to a28ad04eeefa05a16264e67537ba118bd67576d4
- Fix E_WARNING with {{#pos:}} if the offset is larger than the string
The mb_strpos() function throws E_WARNING if the offset is longer
than the length of the string.
Bug: T209600
Change-Id: Ib4296ba136eaf5c8461681e9d5f108118b2494f4
(cherry picked from commit cf1480cb9629514dd4400b1b83283ae6c83ff163)
jenkins-bot [Wed, 19 Dec 2018 12:30:23 +0000 (12:30 +0000)]
Merge "i18n: Clarify the default sidebar 'Help' link is about MediaWiki itself" into REL1_31
Amir Sarabadani [Tue, 18 Dec 2018 17:55:13 +0000 (18:55 +0100)]
Fix copy-paste error
It's actually adding the column on the wrong table
Change-Id: I2fd8ea50f3eb4b5da04fce2ea0348a2dc6329965
Andre Klapper [Thu, 29 Nov 2018 10:09:34 +0000 (11:09 +0100)]
i18n: Clarify the default sidebar 'Help' link is about MediaWiki itself
Enough users of third-party MediaWiki installations seem to think it is a
link to a help forum for the topic of that installation, and not for
MediaWiki.
Bug: T209335
Change-Id: I6614b7a5c06de3ffca7ddbb10ea75450e7c6f183
(cherry picked from commit ac0a3f17cf46b7733fcc1d0cef65febb1d04b7b6)
jenkins-bot [Tue, 18 Dec 2018 05:45:47 +0000 (05:45 +0000)]
Merge "Upgrade wikimedia/ip-set to 1.3.0" into REL1_31
jenkins-bot [Tue, 18 Dec 2018 05:45:41 +0000 (05:45 +0000)]
Merge "Use our fork of less.php" into REL1_31
Kunal Mehta [Tue, 18 Dec 2018 04:13:14 +0000 (20:13 -0800)]
Update git submodules
* Update vendor from branch 'REL1_31'
to 5c8dde3a1611b701e28678b36a878c4e3cecfeb7
- Upgrade wikimedia/ip-set to 1.3.0
Change-Id: Ib749ec9aae5aeb3fad8232ecbea749530e0408a2
Kunal Mehta [Tue, 18 Dec 2018 04:09:56 +0000 (20:09 -0800)]
Update git submodules
* Update vendor from branch 'REL1_31'
to a48c47a029213b44e032b8dcdd4795876cfc93a8
- Switch to our less.php fork
Bug: T206975
Change-Id: I01e0b3328c8e1c4a69c37a471e436acd8911f1fa
Kunal Mehta [Tue, 18 Dec 2018 04:14:25 +0000 (20:14 -0800)]
Upgrade wikimedia/ip-set to 1.3.0
Bug: T209756
Depends-On: Ib749ec9aae5aeb3fad8232ecbea749530e0408a2
Change-Id: I7f5625924baea822f2679115278a3d7a02a72d57
Kunal Mehta [Tue, 18 Dec 2018 04:12:14 +0000 (20:12 -0800)]
Use our fork of less.php
Supports PHP 7.3, among other things
Bug: T206975
Depends-On: I01e0b3328c8e1c4a69c37a471e436acd8911f1fa
Change-Id: I8edcd9316cbff40aee3d52c7295f5974ee2f44b0
Brad Jorsch [Tue, 4 Dec 2018 16:08:08 +0000 (11:08 -0500)]
ImageListPager: Actor migration for buildQueryConds()
This method got missed in I8d825eb0.
Bug: T211061
Change-Id: Ice7446e54a42cbf48eae2a2092862a722650086c
(cherry picked from commit 86b081aa4100bfde2c4903c16fd593f485954326)
rvogel [Mon, 3 Dec 2018 10:48:08 +0000 (11:48 +0100)]
Save value from CLI installers `--lang` argument
This way the value of `--lang` is available to `LocalSettingsGenerator`.
Bug: T210998
Change-Id: I8b6bd83603687e4d23fc7e0642c3b8f27157b62d
(cherry picked from commit 996ac9f61e34db8b5d50ca9574a021e422cf9030)
James D. Forrester [Fri, 30 Nov 2018 23:16:20 +0000 (15:16 -0800)]
RELEASE-NOTES-1.31: Add in other cherry-picks since 1.31.1 was cut
Gone through `git log --topo-order --no-merges --reverse 1.31.1..`
from 1f664ea4 to 7a6393fc (HEAD as of writing); re-worded a couple,
grouped the PHP version work together, and skipped a couple which
were just follow-up tweaks or test fixes to ones already in the list.
Change-Id: Ic04998209348abf73eefb1cad404700da91457ed
Bartosz Dziewoński [Wed, 1 Aug 2018 01:13:18 +0000 (03:13 +0200)]
LogFormatter: Fail softer when trying to link an invalid titles
Old log entries contain titles that used to be valid, but now are not.
Bug: T185049
Change-Id: Ia66d901aedf1b385574b3910b29f020b3fd4bd97
(cherry picked from commit 26bb9d9b23eb2075eefca2097ca393a9d4aa3264)
Seb35 [Tue, 20 Nov 2018 14:25:09 +0000 (15:25 +0100)]
SQL syntax error in MS-SQL file
Bug: T209870
Change-Id: I91e4f8472832c4bb17eb1d185db1bcbde57a9287
(cherry picked from commit e1100d2d53baa71d20cc282b6dc0a950b080aaad)
Paladox [Mon, 19 Nov 2018 21:29:44 +0000 (21:29 +0000)]
Use $revQuery['joins'] in query in populateSearchIndex
Bug: T209885
Change-Id: Iaf53179535030064788eb107c4ebdd398ed306e4
RazeSoldier [Sat, 10 Nov 2018 07:32:34 +0000 (15:32 +0800)]
Update git submodules
* Update extensions/LocalisationUpdate from branch 'REL1_31'
to 8ac18feceb9bf298a65c4e27d29cd458e4bc061a
- Use "break" instead of "continue" inside a switch
"continue" statements in a switch are equivalent to "break". In PHP 7.3, will generate a warning.
Bug: T206976
Change-Id: I7e28a59918edbbcc741a64c6c0ed2a55bd650384
(cherry picked from commit fa93fda37e308a83e3211f53c8f828b5c3482c07)
Derk-Jan Hartman [Wed, 14 Nov 2018 20:01:22 +0000 (21:01 +0100)]
Update git submodules
* Update extensions/WikiEditor from branch 'REL1_31'
to dca935d7de870eb5352788c0537c172b574f1475
- Modules: Protect against loading modules twice
Bug: T189029
Change-Id: Ie0dff9c1dfa8e3a0927f2915a9a237dff739289a
(cherry picked from commit 0161e37e6e67ac6eb76fbc0bea4f299e17fcdda2)
David Causse [Tue, 6 Nov 2018 13:35:03 +0000 (14:35 +0100)]
Add test for completionSearch with wgCapitalLinkOverrides
Bug: T208255
Change-Id: Id2299a013b2dc9b5391d400d7c7c4dc37185f714
David Causse [Tue, 6 Nov 2018 14:52:08 +0000 (15:52 +0100)]
Completion search should not change the search query
when extracting the namespace
Bug: T208255
Change-Id: I98206bda9a32e12acc7e515c3396fa823c3cd4f3
Niklas Laxström [Wed, 24 Oct 2018 08:33:04 +0000 (10:33 +0200)]
Update git submodules
* Update extensions/LocalisationUpdate from branch 'REL1_31'
to bdf7b30dbada29938bd92ee6b9370a45d0ecac61
- Handle exceptions from GitHubFetcher
If a l10n directory is not found, log a message but continue.
This commit introduces some output to normal update.php run, which
can be disabled with the --quiet switch.
Bug: T176390
Change-Id: Ic1001303aef859d325e307edd4348364cab9ed7d
(cherry picked from commit db84ba6ed2b4e255c844171db545fa451da08e1f)
addshore [Mon, 24 Sep 2018 08:25:53 +0000 (09:25 +0100)]
composer.json, require ext-fileinfo
PHPVersionCheck requires fileinfo be installed for mime_content_type
Change-Id: Iea7d2c7842c770e77c05265d4f4b08b17f9ab71f
(cherry picked from commit 139bf5bc7b66c83bd5a27d4fc6806ddaebe3f188)
Jack Phoenix [Fri, 13 Jul 2018 03:33:10 +0000 (06:33 +0300)]
Don't throw E_NOTICEs about undefined properties
Bug: T199494
Change-Id: Id24b9ece76ca0bedcaac29f1a6f5567af78658c1
(cherry picked from commit 83164669a140717797953f07baaf0b3239689017)
jenkins-bot [Mon, 22 Oct 2018 22:03:54 +0000 (22:03 +0000)]
Merge "Update wikimedia/base-convert to 2.0.0" into REL1_31
Kunal Mehta [Mon, 22 Oct 2018 18:17:22 +0000 (11:17 -0700)]
Update git submodules
* Update vendor from branch 'REL1_31'
to 5f60e30d272ea5327b407e625b4398952d49f8cf
- Update wikimedia/base-convert to 2.0.0
Bug: T194052
Change-Id: I4de5c0ab827c96e2cef4e0b2cd7d10a109393668
(cherry picked from commit 2f3707a143c1ef3bbe69d57fa724ae9dc6541d0e)
Kunal Mehta [Mon, 22 Oct 2018 18:17:40 +0000 (11:17 -0700)]
Update wikimedia/base-convert to 2.0.0
The breaking change is dropping PHP 5 support.
Bug: T194052
Depends-On: I4de5c0ab827c96e2cef4e0b2cd7d10a109393668
Change-Id: If39ea5274bfa3c9b0ce18f9a43a27445a90ea3fc
(cherry picked from commit bb2d81c3a47e1fb1266b6f0352bb89b786ea9235)
jenkins-bot [Mon, 22 Oct 2018 15:18:08 +0000 (15:18 +0000)]
Merge "Upgrade wikimedia/remex-html to 2.0.1" into REL1_31
Kunal Mehta [Sun, 21 Oct 2018 05:10:45 +0000 (22:10 -0700)]
Update git submodules
* Update vendor from branch 'REL1_31'
to 48fed251a916a78bf5bff4f38fc9c1131ee21f4f
- Upgrade wikimedia/remex-html to 2.0.1
Bug: T207088
Change-Id: Id4bbbdb68678c37ec4aa84d519516199bb800393
(cherry picked from commit 48f274d9cc6b2e8d4961c831e1cc81c4edba6689)
jenkins-bot [Mon, 22 Oct 2018 15:18:02 +0000 (15:18 +0000)]
Merge "Upgrade wikimedia/remex-html to 2.0.0" into REL1_31
Kunal Mehta [Tue, 14 Aug 2018 20:38:26 +0000 (13:38 -0700)]
Update git submodules
* Update vendor from branch 'REL1_31'
to 78271def9b2b28e6f176ca470f23e24526ff2c5c
- Upgrade wikimedia/remex-html to 2.0.0
Change-Id: Ie13945649314853cbd5707363f3a10da55752743
(cherry picked from commit 1f29509a937d9ac7c6c0b876928307828a697fa9)
jenkins-bot [Mon, 22 Oct 2018 02:14:00 +0000 (02:14 +0000)]
Merge "RemexCompatMunger: Don't call endTag() in case B/b" into REL1_31
jenkins-bot [Mon, 22 Oct 2018 02:11:41 +0000 (02:11 +0000)]
Merge "<ins>/<del> elements can be phrasing or flow" into REL1_31
Kunal Mehta [Sun, 21 Oct 2018 05:12:14 +0000 (22:12 -0700)]
Upgrade wikimedia/remex-html to 2.0.1
Bug: T207088
Depends-On: Id4bbbdb68678c37ec4aa84d519516199bb800393
Change-Id: Ia5822f5f283f5d935c78402ce71e2d010e9a7a91
(cherry picked from commit a404d87418bb332deab92fa7189b999d1c0c410c)
Kunal Mehta [Tue, 14 Aug 2018 20:38:37 +0000 (13:38 -0700)]
Upgrade wikimedia/remex-html to 2.0.0
Depends-On: Ie13945649314853cbd5707363f3a10da55752743
Change-Id: Ib6c8aaa797c128c273cde8095eb0bb1527fc0e21
(cherry picked from commit 9cac6c5645cbde9c48a4fac43c8dfdd977bb200f)
Tim Starling [Mon, 6 Aug 2018 02:30:51 +0000 (12:30 +1000)]
RemexCompatMunger: Don't call endTag() in case B/b
This was naïve, the linked bug documents a case where endTag() was
called despite children of the p-wrap still being in TreeBuilder's
stack. Instead, wait for the parent of the p-wrap to have endTag()
called on it, I've submitted a patch which will clean up the node in
that case.
Bug: T200827
Change-Id: I34694813eace9cadabf2db8f9ccca83d1368cfad
(cherry picked from commit 10c8cfea305ec1d450b16ad54ebddb5f910016f4)
Arlo Breault [Thu, 12 Jul 2018 18:31:04 +0000 (14:31 -0400)]
<ins>/<del> elements can be phrasing or flow
The changes to the parserTests.txt highlight the differing opinions that
doBlockLevels and Remex had on whether these should be paragraph wrapped.
Since the only time they wouldn't have been was when found on a line
with other flow tags, this likely isn't a behaviour that was depended on
in practice. And, indeed, the task describes this as a bug.
A sampling of pages from an insource:/\<(ins|del)\>/ search on wiki bears
this out.
Bug: T17491
Change-Id: I311da777a63aa3c45013f2cfc090be35a022497e
(cherry picked from commit 5a7f860b7859146d006d09c29f542be835165870)
Brian Wolff [Thu, 27 Sep 2018 11:42:37 +0000 (11:42 +0000)]
SECURITY: Don't allow loading unprotected JS files
This is meant to protect against malicious people while avoiding
annoying good users as much as possible. We may want to restrict
this further in the future, but that's something that can be discussed
in the normal way.
Bug: T194204
Bug: T113042
Bug: T112937
Change-Id: I27e049bae78b5c0f63b10f454b740cb1dc394813
Brian Wolff [Tue, 15 May 2018 00:34:14 +0000 (00:34 +0000)]
SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log
Loading JS from an unregistered user's JS subpage is a severe
security risk as someone could potentially register that account
and then modify the JS.
Bug: T207603
Change-Id: I741736e12b0ed49e95f22c869a2b53e2c97b31f0
jenkins-bot [Sun, 21 Oct 2018 17:33:31 +0000 (17:33 +0000)]
Merge "Don't pass a MailAddress pass the email to mail()" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 15:59:47 +0000 (15:59 +0000)]
Merge "Update ImportableUploadRevisionImporter for interwiki usernames" into REL1_31
jenkins-bot [Sun, 21 Oct 2018 15:59:42 +0000 (15:59 +0000)]
Merge "installer: Don't link to the obsolete "Extension Matrix" page" into REL1_31
Brad Jorsch [Wed, 17 Oct 2018 15:26:51 +0000 (11:26 -0400)]
Database: Allow selectFieldValues() to accept SQL fragments
The documentation says "This must be a valid SQL fragment", but as
written it breaks if given anything other than a field name. It's easy
enough to fix by adding an alias to the internal select() call.
Bug: T201781
Change-Id: I76428af6d3aadc266254fdb24109a0ac2db3761f
(cherry picked from commit c5a5b022400318e52638a4d34369ddbb74d7a21b)
Zoranzoki21 [Sat, 29 Sep 2018 00:06:23 +0000 (03:06 +0300)]
installer: Don't link to the obsolete "Extension Matrix" page
Bug: T205765
Change-Id: Id1ba965c7c06ce03611ba745421dc982f5393f8c
(cherry picked from commit 8b7b5f04b7c84ffd2cda3aae06513a8e4fca6128)
Reedy [Sat, 20 Oct 2018 12:37:15 +0000 (13:37 +0100)]
Don't pass a MailAddress pass the email to mail()
Bug: T207541
Change-Id: I1516023907e9773cb093010c6b67279f695abb1a
(cherry picked from commit c57aacb782f5ce5e53253192a53d736ece300d3c)
Kunal Mehta [Sat, 20 Oct 2018 12:35:22 +0000 (05:35 -0700)]
Include IP address in "Login for $1 succeeded" log entry
Bug: T207540
Change-Id: Iab4f2f2ddc8e64ead2f33356d03fa7beed399415
Brad Jorsch [Tue, 16 Oct 2018 14:47:44 +0000 (10:47 -0400)]
Update ImportableUploadRevisionImporter for interwiki usernames
This was somehow missed in I5401941c.
Bug: T206013
Change-Id: Ia618b05329e6cbfca7c95d9161f12ba4150705c8
(cherry picked from commit afb2578055b49f3fe523cf9314f75d63bac4786b)
Brad Jorsch [Tue, 16 Oct 2018 14:22:33 +0000 (10:22 -0400)]
Add session_write_close() calls to SessionManager tests
PHP 7.3 doesn't like it if session_id() is called when the session has
been started, so we need to be sure to close it first in a few tests.
Bug: T207112
Change-Id: Ief36c1bb7b5c9066f158b5bb0d6d785a7f7ddd3c
(cherry picked from commit 6698b7ea1d63fbd2e3014bf563c3ad9e937bc8dd)
Aryeh Gregor [Mon, 8 Oct 2018 18:04:12 +0000 (21:04 +0300)]
Output only to stderr in unit tests
Otherwise, session tests don't work in PHP 7.2 because headers are
already sent: https://bugs.php.net/bug.php?id=75628
Bug: T206476
Change-Id: Ie88db4a61a56b756c6445d2579a2f30da22c3ee8