/**
* Get the robot policy to be used for the current view
* @param string $action the action= GET parameter
- * @param $pOutput ParserOutput
+ * @param $pOutput ParserOutput|null
* @return Array the policy that should be set
* TODO: actions other than 'view'
*/
- public function getRobotPolicy( $action, $pOutput ) {
+ public function getRobotPolicy( $action, $pOutput = null ) {
global $wgArticleRobotPolicies, $wgNamespaceRobotPolicies, $wgDefaultRobotPolicy;
$ns = $this->getTitle()->getNamespace();
$this->getContext()->getRequest()->response()->header( "HTTP/1.1 404 Not Found" );
}
+ if ( $validUserPage ) {
+ // Also apply the robot policy for nonexisting user pages (as those aren't served as 404)
+ $policy = $this->getRobotPolicy( 'view' );
+ $outputPage->setIndexPolicy( $policy['index'] );
+ $outputPage->setFollowPolicy( $policy['follow'] );
+ }
+
$hookResult = wfRunHooks( 'BeforeDisplayNoArticleText', array( $this ) );
if ( ! $hookResult ) {
$wgAllowDisplayTitle = true;
/**
- * For consistency, restrict DISPLAYTITLE to titles that normalize to the same
- * canonical DB key.
+ * For consistency, restrict DISPLAYTITLE to text that normalizes to the same
+ * canonical DB key. Also disallow some inline CSS rules like display: none;
+ * which can cause the text to be hidden or unselectable.
*/
$wgRestrictDisplayTitle = true;
'section' => 'personal/info',
);
+ $editCount = Linker::link( SpecialPage::getTitleFor( "Contributions", $userName ),
+ $lang->formatNum( $user->getEditCount() ) );
+
$defaultPreferences['editcount'] = array(
'type' => 'info',
+ 'raw' => true,
'label-message' => 'prefs-edits',
- 'default' => $lang->formatNum( $user->getEditCount() ),
+ 'default' => $editCount,
'section' => 'personal/info',
);
/**
* Pick apart some CSS and check it for forbidden or unsafe structures.
* Returns a sanitized string. This sanitized string will have
- * character references and escape sequences decoded, and comments
- * stripped. If the input is just too evil, only a comment complaining
- * about evilness will be returned.
+ * character references and escape sequences decoded and comments
+ * stripped (unless it is itself one valid comment, in which case the value
+ * will be passed through). If the input is just too evil, only a comment
+ * complaining about evilness will be returned.
*
* Currently URL references, 'expression', 'tps' are forbidden.
*
$value = preg_replace_callback( $decodeRegex,
array( __CLASS__, 'cssDecodeCallback' ), $value );
- // Remove any comments; IE gets token splitting wrong
- // This must be done AFTER decoding character references and
- // escape sequences, because those steps can introduce comments
- // This step cannot introduce character references or escape
- // sequences, because it replaces comments with spaces rather
- // than removing them completely.
- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
-
- // Remove anything after a comment-start token, to guard against
- // incorrect client implementations.
- $commentPos = strpos( $value, '/*' );
- if ( $commentPos !== false ) {
- $value = substr( $value, 0, $commentPos );
+ // Let the value through if it's nothing but a single comment, to
+ // allow other functions which may reject it to pass some error
+ // message through.
+ if ( !preg_match( '! ^ \s* /\* [^*\\/]* \*/ \s* $ !x', $value ) ) {
+ // Remove any comments; IE gets token splitting wrong
+ // This must be done AFTER decoding character references and
+ // escape sequences, because those steps can introduce comments
+ // This step cannot introduce character references or escape
+ // sequences, because it replaces comments with spaces rather
+ // than removing them completely.
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
+ // Remove anything after a comment-start token, to guard against
+ // incorrect client implementations.
+ $commentPos = strpos( $value, '/*' );
+ if ( $commentPos !== false ) {
+ $value = substr( $value, 0, $commentPos );
+ }
}
// Reject problematic keywords and control characters
$decoded = Sanitizer::decodeTagAttributes( $text );
$stripped = Sanitizer::validateTagAttributes( $decoded, $element );
- $attribs = array();
- foreach ( $stripped as $attribute => $value ) {
- $encAttribute = htmlspecialchars( $attribute );
- $encValue = Sanitizer::safeEncodeAttribute( $value );
-
- $attribs[] = "$encAttribute=\"$encValue\"";
- }
- return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
+ return Sanitizer::safeEncodeTagAttributes( $stripped );
}
/**
return $attribs;
}
+ /**
+ * Build a partial tag string from an associative array of attribute
+ * names and values as returned by decodeTagAttributes.
+ *
+ * @param $assoc_array Array
+ * @return String
+ */
+ public static function safeEncodeTagAttributes( $assoc_array ) {
+ $attribs = array();
+ foreach ( $assoc_array as $attribute => $value ) {
+ $encAttribute = htmlspecialchars( $attribute );
+ $encValue = Sanitizer::safeEncodeAttribute( $value );
+
+ $attribs[] = "$encAttribute=\"$encValue\"";
+ }
+ return count( $attribs ) ? ' ' . implode( ' ', $attribs ) : '';
+ }
+
/**
* Pick the appropriate attribute value from a match set from the
* attribs regex matches.
# Operation-based index
if ( $i == DB_SLAVE ) {
+ $this->mLastError = 'Unknown error'; // reset error string
$i = $this->getReaderIndex( false, $wiki );
# Couldn't find a working server in getReaderIndex()?
if ( $i === false ) {
*
* @ingroup JobQueue
* @ingroup Redis
- * @since 1.21
+ * @since 1.22
*/
class JobQueueRedis extends JobQueue {
/** @var RedisConnectionPool */
static function displaytitle( $parser, $text = '' ) {
global $wgRestrictDisplayTitle;
- #parse a limited subset of wiki markup (just the single quote items)
+ // parse a limited subset of wiki markup (just the single quote items)
$text = $parser->doQuotes( $text );
- #remove stripped text (e.g. the UNIQ-QINU stuff) that was generated by tag extensions/whatever
+ // remove stripped text (e.g. the UNIQ-QINU stuff) that was generated by tag extensions/whatever
$text = preg_replace( '/' . preg_quote( $parser->uniqPrefix(), '/' ) . '.*?'
. preg_quote( Parser::MARKER_SUFFIX, '/' ) . '/', '', $text );
- #list of disallowed tags for DISPLAYTITLE
- #these will be escaped even though they are allowed in normal wiki text
+ // list of disallowed tags for DISPLAYTITLE
+ // these will be escaped even though they are allowed in normal wiki text
$bad = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li', 'hr',
'table', 'tr', 'th', 'td', 'dl', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rp', 'br' );
- #only requested titles that normalize to the actual title are allowed through
- #if $wgRestrictDisplayTitle is true (it is by default)
- #mimic the escaping process that occurs in OutputPage::setPageTitle
- $text = Sanitizer::normalizeCharReferences( Sanitizer::removeHTMLtags( $text, null, array(), array(), $bad ) );
+ // disallow some styles that could be used to bypass $wgRestrictDisplayTitle
+ if ( $wgRestrictDisplayTitle ) {
+ $htmlTagsCallback = function ( $params ) {
+ $decoded = Sanitizer::decodeTagAttributes( $params );
+
+ if ( isset( $decoded['style'] ) ) {
+ // this is called later anyway, but we need it right now for the regexes below to be safe
+ // calling it twice doesn't hurt
+ $decoded['style'] = Sanitizer::checkCss( $decoded['style'] );
+
+ if ( preg_match( '/(display|user-select|visibility)\s*:/i', $decoded['style'] ) ) {
+ $decoded['style'] = '/* attempt to bypass $wgRestrictDisplayTitle */';
+ }
+ }
+
+ $params = Sanitizer::safeEncodeTagAttributes( $decoded );
+ };
+ } else {
+ $htmlTagsCallback = null;
+ }
+
+ // only requested titles that normalize to the actual title are allowed through
+ // if $wgRestrictDisplayTitle is true (it is by default)
+ // mimic the escaping process that occurs in OutputPage::setPageTitle
+ $text = Sanitizer::normalizeCharReferences( Sanitizer::removeHTMLtags( $text, $htmlTagsCallback, array(), array(), $bad ) );
$title = Title::newFromText( Sanitizer::stripAllTags( $text ) );
if ( !$wgRestrictDisplayTitle ) {
* @param string $functionname name of the function we will profile
*/
function wfProfileIn( $functionname ) {
- global $wgProfiler;
- if ( $wgProfiler instanceof Profiler || isset( $wgProfiler['class'] ) ) {
+ if ( Profiler::$__instance === null ) { // use this directly to reduce overhead
+ Profiler::instance();
+ }
+ if ( Profiler::$__instance && !( Profiler::$__instance instanceof ProfilerStub ) ) {
Profiler::instance()->profileIn( $functionname );
}
}
* @param string $functionname name of the function we have profiled
*/
function wfProfileOut( $functionname = 'missing' ) {
- global $wgProfiler;
- if ( $wgProfiler instanceof Profiler || isset( $wgProfiler['class'] ) ) {
+ if ( Profiler::$__instance === null ) { // use this directly to reduce overhead
+ Profiler::instance();
+ }
+ if ( Profiler::$__instance && !( Profiler::$__instance instanceof ProfilerStub ) ) {
Profiler::instance()->profileOut( $functionname );
}
}
* @return Profiler
*/
public static function instance() {
- if ( is_null( self::$__instance ) ) {
+ if ( self::$__instance === null ) {
global $wgProfiler;
if ( is_array( $wgProfiler ) ) {
if ( !isset( $wgProfiler['class'] ) ) {
- wfDebug( __METHOD__ . " called without \$wgProfiler['class']"
- . " set, falling back to ProfilerStub for safety\n" );
$class = 'ProfilerStub';
} else {
$class = $wgProfiler['class'];
} elseif ( $wgProfiler instanceof Profiler ) {
self::$__instance = $wgProfiler; // back-compat
} else {
- wfDebug( __METHOD__ . ' called with bogus $wgProfiler setting,'
- . " falling back to ProfilerStub for safety\n" );
self::$__instance = new ProfilerStub( $wgProfiler );
}
}
$this->addOption( 'server', "The protocol and server name to use in URLs, e.g. " .
"http://en.wikipedia.org. This is sometimes necessary because " .
"server name detection may fail in command line scripts.", false, true );
+ $this->addOption( 'profiler', 'Set to "text" or "trace" show profiling output', false, true );
# Save generic options to display them separately in help
$this->mGenericParameters = $this->mParams;
$wgShowSQLErrors = true;
@set_time_limit( 0 );
$this->adjustMemoryLimit();
+
+ // Per-script profiling; useful for debugging
+ $forcedProfiler = $this->getOption( 'profiler' );
+ if ( $forcedProfiler === 'text' ) {
+ Profiler::setInstance( new ProfilerSimpleText( array() ) );
+ Profiler::instance()->setTemplated( true );
+ } elseif ( $forcedProfiler === 'trace' ) {
+ Profiler::setInstance( new ProfilerSimpleTrace( array() ) );
+ Profiler::instance()->setTemplated( true );
+ }
}
/**
* @ingroup Maintenance
*/
-$wgProfiler = array( 'class' => 'ProfilerSimpleText' );
error_reporting( E_ALL );
-
require_once __DIR__ . '/Maintenance.php';
/**
}
public function execute() {
+ Profiler::setInstance( new ProfilerSimpleText( array() ) ); // clear
+
$backend = FileBackendGroup::singleton()->get( $this->getOption( 'b1' ) );
$this->doPerfTest( $backend );
$this->doPerfTest( $backend );
}
- $profiler = Profiler::instance();
- $profiler->setTemplated( true );
-
- //NOTE: as of MW1.21, $profiler->logData() is called implicitly by doMaintenance.php.
+ Profiler::instance()->setTemplated( true );
+ // NOTE: as of MW1.21, $profiler->logData() is called implicitly by doMaintenance.php.
}
protected function doPerfTest( FileBackend $backend ) {
}
$flags = JobQueueGroup::USE_CACHE | JobQueueGroup::USE_PRIORITY;
- $lastTime = time();
+ $lastTime = time(); // time since last slave check
do {
$job = ( $type === false )
? $group->pop( JobQueueGroup::TYPE_DEFAULT, $flags )
$timePassed = time() - $lastTime;
if ( $timePassed >= 5 || $timePassed < 0 ) {
wfWaitForSlaves();
+ $lastTime = time();
}
// Don't let any queue slaves/backups fall behind
if ( $jobsRun > 0 && ( $jobsRun % 100 ) == 0 ) {
</p>
!! end
+!! test
+Verify that displaytitle handles inline CSS styles (bug 26547) - rejected value
+!! options
+showtitle
+title=[[Screen]]
+!! config
+wgAllowDisplayTitle=true
+wgRestrictDisplayTitle=true
+!! input
+this is not the the title
+{{DISPLAYTITLE:<span style="display: none;">s</span>creen}}
+!! result
+<span style="/* attempt to bypass $wgRestrictDisplayTitle */">s</span>creen
+<p>this is not the the title
+</p>
+!! end
+
+!! test
+Verify that displaytitle handles inline CSS styles (bug 26547) - accepted value
+!! options
+showtitle
+title=[[Screen]]
+!! config
+wgAllowDisplayTitle=true
+wgRestrictDisplayTitle=true
+!! input
+this is not the the title
+{{DISPLAYTITLE:<span style="color: red;">s</span>creen}}
+!! result
+<span style="color: red;">s</span>creen
+<p>this is not the the title
+</p>
+!! end
+
!! test
preload: check <noinclude> and <includeonly>
!! options
public static function provideCssCommentsFixtures() {
/** array( <expected>, <css>, [message] ) */
return array(
- array( ' ', '/**/' ),
+ // Valid comments spanning entire input
+ array( '/**/', '/**/' ),
+ array( '/* comment */', '/* comment */' ),
+ // Weird stuff
array( ' ', '/****/' ),
- array( ' ', '/* comment */' ),
- array( ' ', "\\2f\\2a foo \\2a\\2f",
+ array( ' ', '/* /* */' ),
+ array( 'display: block;', "display:/* foo */block;" ),
+ array( 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
'Backslash-escaped comments must be stripped (bug 28450)' ),
array( '', '/* unfinished comment structure',
'Remove anything after a comment-start token' ),