Derk-Jan Hartman [Sat, 19 May 2018 11:12:18 +0000 (13:12 +0200)]
makeCollapsible: Remove animations
The animations are:
* not well liked
* non-configurable (in presence and time)
* bad for performance
* javascript based instead of CSS
Removing them allows us to make it easier to replace NavFrame and
collapsible as deployed by the communities, and will be better for
mobile use as well.
Bug: T195049
Change-Id: I5eb505d1bd2097fe5d98db47293583e7225310de
jenkins-bot [Sat, 19 May 2018 09:26:48 +0000 (09:26 +0000)]
Merge "Add Special:PasswordPolicies"
Reedy [Sat, 18 Nov 2017 21:59:47 +0000 (21:59 +0000)]
Add Special:PasswordPolicies
Bug: T174812
Change-Id: Ifb4876f7309a667154c7469c29e703b6c33d54af
jenkins-bot [Sat, 19 May 2018 08:55:05 +0000 (08:55 +0000)]
Merge "Define pt as fallback for tet"
jenkins-bot [Sat, 19 May 2018 08:47:21 +0000 (08:47 +0000)]
Merge "resourceloader: Allow style-only modules to have deprecation warnings"
jenkins-bot [Fri, 18 May 2018 20:39:25 +0000 (20:39 +0000)]
Merge "Remove else from UserGroupMembership"
Translation updater bot [Fri, 18 May 2018 20:18:58 +0000 (22:18 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I22321d32a7eff63c6aadeaf86d60f12b9cc11b09
Reedy [Fri, 18 May 2018 19:39:26 +0000 (19:39 +0000)]
Remove else from UserGroupMembership
Change-Id: I7c18df1cab69df5f124c95b1ddb241e3f1be5927
jenkins-bot [Fri, 18 May 2018 18:44:01 +0000 (18:44 +0000)]
Merge "Special:Preferences: Construct fake tabs to avoid FOUC"
jenkins-bot [Fri, 18 May 2018 18:27:26 +0000 (18:27 +0000)]
Merge "Remove everything related to CollationFa"
Ed Sanders [Mon, 23 Apr 2018 11:56:13 +0000 (12:56 +0100)]
Special:Preferences: Construct fake tabs to avoid FOUC
Bug: T192769
Bug: T189366
Change-Id: I4aabda97d14d97dce3e35abda2ce82925d721c9b
jenkins-bot [Fri, 18 May 2018 17:03:47 +0000 (17:03 +0000)]
Merge "Make Special:TrackingCategories sortable"
jenkins-bot [Fri, 18 May 2018 16:58:34 +0000 (16:58 +0000)]
Merge "Use redirect=no in whatLinksHere if the target is a redirect"
jenkins-bot [Fri, 18 May 2018 16:54:52 +0000 (16:54 +0000)]
Merge "Add checkbox in Special:ListUsers to display only users in temporary user groups"
jenkins-bot [Fri, 18 May 2018 16:54:50 +0000 (16:54 +0000)]
Merge "resourceloader: Refactor CSP $nonce passing"
Daimona Eaytoy [Mon, 7 May 2018 18:37:46 +0000 (20:37 +0200)]
Use redirect=no in whatLinksHere if the target is a redirect
When the user is looking at links to a redirect page and clicks on the
link of the page, he would expect to be sent to the page itself, not to
the final destination of the redirect.
Bug: T189860
Change-Id: I11e663cbce32b4199f16df6ed1e9b980630ece7a
jenkins-bot [Fri, 18 May 2018 16:42:47 +0000 (16:42 +0000)]
Merge "Names.php: Remove U+200E after autonym of language 'lki'"
Amir Sarabadani [Fri, 18 May 2018 14:44:18 +0000 (16:44 +0200)]
Remove everything related to CollationFa
This workaround was needed when ICU in production was broken
but after T189295 this is not needed anymore and we switched off
this collation from all Persian Wikis already
Bug: T139110
Change-Id: Ifad89555b6ac96a3eb36ca24b55e1f8ee57a1f05
jenkins-bot [Fri, 18 May 2018 15:32:34 +0000 (15:32 +0000)]
Merge "Strip Unicode 6.3.0 directional formatting characters from title"
jenkins-bot [Fri, 18 May 2018 15:32:30 +0000 (15:32 +0000)]
Merge "Strip soft hyphens (U+00AD) from title"
jenkins-bot [Fri, 18 May 2018 14:52:06 +0000 (14:52 +0000)]
Merge "Fix documentation of InfoAction::pageInfo"
jenkins-bot [Fri, 18 May 2018 13:32:38 +0000 (13:32 +0000)]
Merge "Special:PrefixIndex: Convert to OOUI"
jenkins-bot [Fri, 18 May 2018 13:06:09 +0000 (13:06 +0000)]
Merge "makeCollapsible: Add test for nested collapsibles"
jenkins-bot [Fri, 18 May 2018 12:55:34 +0000 (12:55 +0000)]
Merge "Use .json extension for OOUI source maps"
gopavasanth [Sat, 21 Apr 2018 13:24:16 +0000 (18:54 +0530)]
Special:PrefixIndex: Convert to OOUI
Bug: T117726
Change-Id: I13c4d6d5132b7085bc954a97d270efbef0acb846
Bartosz Dziewoński [Mon, 14 May 2018 17:49:30 +0000 (19:49 +0200)]
Use .json extension for OOUI source maps
OOUI is being changed to use .json in
I94eff6d2588937bf1d932b7624576dfe35016ead.
Bug: T194676
Change-Id: I5971efc2db7a2cdc5ca0ba843625b76de25dbd8b
jenkins-bot [Fri, 18 May 2018 11:35:52 +0000 (11:35 +0000)]
Merge "Special:AllPages: Overriding the title for form submission"
Jayprakash12345 [Tue, 8 May 2018 20:21:43 +0000 (01:51 +0530)]
Special:AllPages: Overriding the title for form submission
Bug: T193965
Change-Id: I10867b89e94d9aa54f30f5f4f8b5974f68479f6f
jenkins-bot [Fri, 18 May 2018 09:19:41 +0000 (09:19 +0000)]
Merge "Enable a bunch of disabled phan checks that are no longer failing"
jenkins-bot [Fri, 18 May 2018 09:13:24 +0000 (09:13 +0000)]
Merge "Enable "PhanTypeInvalidRightOperand" phan checks"
jenkins-bot [Fri, 18 May 2018 09:08:53 +0000 (09:08 +0000)]
Merge "Enable "PhanUndeclaredVariable" phan check"
jenkins-bot [Fri, 18 May 2018 09:08:50 +0000 (09:08 +0000)]
Merge "Fix improper parameters to ReflectionMethod::invoke"
jenkins-bot [Fri, 18 May 2018 08:08:44 +0000 (08:08 +0000)]
Merge "mw.special.changeslist.enhanced: Remove special case handled by jquery.makeCollapsible now"
Kunal Mehta [Fri, 18 May 2018 06:27:59 +0000 (23:27 -0700)]
Enable a bunch of disabled phan checks that are no longer failing
Change-Id: I471bffa8a4aa20d22e7e1830a2b01fce3e099d9e
Kunal Mehta [Fri, 18 May 2018 06:27:42 +0000 (23:27 -0700)]
Enable "PhanTypeInvalidRightOperand" phan checks
HTMLFormField subclasses triggered false positives when phan incorrectly
thought that $this->mOptions was only a boolean.
ReplacementArray $this->data was defined as possibly being boolean, but
in reality that never happened.
Change-Id: I06bae9c9952366ff7927df37373b146d570f4a02
Kunal Mehta [Fri, 18 May 2018 05:35:31 +0000 (22:35 -0700)]
Enable "PhanUndeclaredVariable" phan check
All of the instances of it have been fixed. This would have prevented
T194899 from happening in the first place.
Change-Id: I19357ffc858022d3b89a040eafe9047f83df1c88
Kunal Mehta [Fri, 18 May 2018 05:30:58 +0000 (22:30 -0700)]
Fix improper parameters to ReflectionMethod::invoke
The first argument to the function is supposed to be an object, or null if
the method is static.
Otherwise on PHP 7.2 the tests fail with:
ReflectionMethod::invoke() expects parameter 1 to be object, string given
Change-Id: I7002be5809f9dfbee0788907fe85139d05c0e1fc
Timo Tijhof [Thu, 17 May 2018 18:25:49 +0000 (20:25 +0200)]
resourceloader: Refactor CSP $nonce passing
Follows-up 70941efd35562dcb700 which broke various public
signatures of the ClientHtml class that I'd prefer to handle
differently.
This commit mainly restores support for all previously public
signatures, and either removes the need for a parameter, or moves
it to the end of the original signature (as optional param).
* ClientHtml::getHeadHtml: Remove the positional/required parameter
that was added. Restoring the method to being a stateless computer
that requires no parameters. Pass the option via construct instead.
* ClientHtml::makeLoad:
- Make $nonce optional.
- Restore $extraQuery as optional.
* ResourceLoader::makeInlineScript: Document $nonce as optional
(matching the implementation).
Change-Id: Iaf33f2a060048e6606fba8d875b6d2953b21ef45
Kunal Mehta [Fri, 18 May 2018 05:18:20 +0000 (22:18 -0700)]
ApiCSPReport: Fix undefined $userAgent variable
Bug: T194899
Change-Id: Ia83f961da1db2d1245859ae584db883b7a11081c
Derk-Jan Hartman [Thu, 17 May 2018 18:20:13 +0000 (20:20 +0200)]
makeCollapsible: Add test for nested collapsibles
Follow-up to: I1c3c29dc9ca4ccbf8da83796e56964a7a6d58a81
Bug: T168689
Change-Id: I7059d870976e36b20634e9c2c919408b3eb1d7fc
Translation updater bot [Thu, 17 May 2018 19:54:02 +0000 (21:54 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I75e62a47c7b013e87304f62e87f589ea588a469e
jenkins-bot [Thu, 17 May 2018 18:50:45 +0000 (18:50 +0000)]
Merge "resourceloader: Make various CSSMin performance optimizations and cleanups"
Thiemo Kreuz [Thu, 19 Apr 2018 13:45:44 +0000 (15:45 +0200)]
resourceloader: Make various CSSMin performance optimizations and cleanups
This is called relatively often. Even small improvements might have an
impact.
I'm intentionally replacing method_exists with class_exists because the
old check looked like it was done for backwards compatibility (MediaWiki
before 1.27 did not contain the method), while in reality this code is
meant to run without MediaWiki. This is much better reflected with a
straight "if this class doesn't exist, there is no MediaWiki".
I'm intentionally using the …::class feature. Yes, this works, even if the
class is not there.
Change-Id: I7f250a7cb000105bb751f68f25c6cc1c44c8f221
Bartosz Dziewoński [Tue, 8 May 2018 14:28:01 +0000 (16:28 +0200)]
mw.special.changeslist.enhanced: Remove special case handled by jquery.makeCollapsible now
No longer needed after 8cdfcc5fd4ba36b7c91ac8097390220de230f8ae.
This reverts 070374b7a4811bfb5c9da4350bc16b77321537e3.
Change-Id: I78879358f6305c1b0fa6dbba8fe9fdc06ab05cc0
jenkins-bot [Thu, 17 May 2018 17:44:09 +0000 (17:44 +0000)]
Merge "CSSMin: Do not escape U+FFFD as code point"
jenkins-bot [Thu, 17 May 2018 16:26:16 +0000 (16:26 +0000)]
Merge "mediawiki.special.watchlist: Combine visitedstatus module"
jenkins-bot [Thu, 17 May 2018 16:15:22 +0000 (16:15 +0000)]
Merge "mediawiki.special: Combine various tiny specialpage style modules"
jenkins-bot [Thu, 17 May 2018 11:45:14 +0000 (11:45 +0000)]
Merge "jquery.spinner: Remove obsolete IE8 support"
jenkins-bot [Thu, 17 May 2018 11:45:11 +0000 (11:45 +0000)]
Merge "jquery.spinner: Move files to their own src/ directory"
Fomafix [Thu, 17 May 2018 10:18:27 +0000 (12:18 +0200)]
CSSMin: Do not escape U+FFFD as code point
The current editor's draft from 23 April 2018 does not require to escape
the REPLACEMENT CHARACTER (U+FFFD) as code point anymore.
https://drafts.csswg.org/cssom/#serialize-a-string
If the character is NULL (U+0000), then the REPLACEMENT CHARACTER
(U+FFFD).
https://www.w3.org/TR/2016/WD-cssom-1-20160317/#serialize-a-string
If the character is NULL (U+0000), then the REPLACEMENT CHARACTER
(U+FFFD) escaped as code point.
Change-Id: Ia67e89b3c9561ca29e133d61a2eca8f3db306d8c
Bartosz Dziewoński [Wed, 16 May 2018 15:56:26 +0000 (17:56 +0200)]
resourceloader: Allow style-only modules to have deprecation warnings
The deprecation warning for the module 'mediawiki.ui' (used
e.g. on Special:UserLogin) is now actually shown.
Change-Id: If35a106c77622dbf7e8b5628fbea28f9e7ffd76d
jenkins-bot [Thu, 17 May 2018 07:54:30 +0000 (07:54 +0000)]
Merge "objectcache: add BagOStuff comment additions about access scope"
Aaron Schulz [Tue, 15 May 2018 22:33:38 +0000 (15:33 -0700)]
objectcache: add BagOStuff comment additions about access scope
Change-Id: Id23859a58ea3bde0338ba4d22ce12ffcbbf4480a
Timo Tijhof [Wed, 16 May 2018 22:57:25 +0000 (00:57 +0200)]
jquery.spinner: Remove obsolete IE8 support
This is a JS-only module that cannot be loaded on IE8 given
it's currently in Grade C (Grade A requires IE11).
Change-Id: I8707d7d2fd1d20c2b354c1589248ba7fda0d5e85
Timo Tijhof [Wed, 16 May 2018 22:55:42 +0000 (00:55 +0200)]
jquery.spinner: Move files to their own src/ directory
Reduce clutter in src/jquery/.
Bug: T193826
Change-Id: Idb9c7ab89a10728249b6051057b7edbf7efcca78
Timo Tijhof [Fri, 11 May 2018 15:18:23 +0000 (16:18 +0100)]
mediawiki.special.watchlist: Combine visitedstatus module
The 'mediawiki.special.changeslist.visitedstatus' module is only
used in SpecialWatchlist.php, which also always loads
'mediawiki.special.watchlist'. Thus, registering them as separate
deliverables isn't needed.
In terms of size, they're also sufficiently small that even if
they could load under different conditions, it'd be fine to load
as one module regardless.
Bug: T192623
Change-Id: I67d78083ce7a3000c05356e3eb0bcb98d0c1e990
Timo Tijhof [Fri, 11 May 2018 14:33:41 +0000 (15:33 +0100)]
mediawiki.special: Combine various tiny specialpage style modules
These stylesheets are sufficiently tiny that it doesn't make sense to
offer them the ability to be loaded separately from each other (saving
bytes in double-digits) at the cost of 1) exporting a dedicated registry
item with meta data shipped on every page view, 2) reduced cache re-use
from increased fragmentation.
Instead, move these to the 'mediawiki.special' style module.
The entries retain their own files to keep them as easy to find
and edit as before.
Where not already, ensure addModuleStyles() is always placed above
any addModules() call in the same method. The load order isn't
affected by the call order, but given blocking style-modules load
before async JS, it helps to order them in a way that visually
matches the effective load order (from top to bottom).
The following 7 modules were removed without deprecation:
1. "mediawiki.special.apisandbox.styles" (1 rule)
2. "mediawiki.special.edittags.styles" (3 rules)
3. "mediawiki.special.movePage.styles" (1 rule)
4. "mediawiki.special.pagesWithProp" (1 rule)
5. "mediawiki.special.upload.styles" (2 rules)
6. "mediawiki.special.watchlist.styles" (3 rules)
7. "mediawiki.special.comparepages.styles" (4 rules)
These module names were only used on the core classes loading them, and
aren't depended on outside core by module name, rather, extensions and
gadgets depend on the styles being loaded in a blocking manner on
these pages, which remains unaffected.
Bug: T192623
Change-Id: I6e663dc3c80c7104c9b9abdde44c654543185373
jenkins-bot [Wed, 16 May 2018 21:58:21 +0000 (21:58 +0000)]
Merge "Preferences: Fix timezone selectors"
Translation updater bot [Wed, 16 May 2018 20:47:27 +0000 (22:47 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: Id63d8cbbd732543020b777d068e00cc48657a6bf
Brad Jorsch [Wed, 4 Apr 2018 20:22:01 +0000 (16:22 -0400)]
API: Introduce "templated parameters"
With MCR coming up, ApiEditPage is going to need to be able to take
"text" and "contentmodel" parameters for each slot-role, and enumerating
such parameters for every possible slot would probably get rather
confusing as to what is required when, or at least long-winded in
repeating the exact same thing for every possible role.
So let's abstract it: we'll have an "editroles" parameter to specify which
slots are being edited, and ApiEditPage will just declare that
"text-{role}" and "contentmodel-{role}" parameters should exist for each
value of "editroles" in the submission.
Note this patch doesn't introduce anything that uses templated
parameters, just the functionality itself. For testing purposes you
might cherry pick I2d658e9a.
Bug: T174032
Change-Id: Ia19a1617b73067bfb1f0f16ccc57d471778b7361
Fomafix [Wed, 16 May 2018 18:10:05 +0000 (20:10 +0200)]
Names.php: Remove U+200E after autonym of language 'lki'
The LEFT-TO-RIGHT MARK (U+200E) after the RTL autonym of the language
'lki' was inserted in 04fcd20c.
The LRM causes wrong parentheses on mixed bidi sequences on Google
Chrome:
<span dir="rtl">({{#language:lki}}) Foo</span>
Change-Id: I9db84938e2b2142a3cb61955dfcbda790e6bbc5f
Ed Sanders [Wed, 16 May 2018 17:10:47 +0000 (18:10 +0100)]
Preferences: Fix timezone selectors
Change-Id: I6a3c4c811361188a9a288cf688f64155b48a906d
jenkins-bot [Wed, 16 May 2018 16:51:38 +0000 (16:51 +0000)]
Merge "parser: Don't unnecessarily add and remove a pipe "
jenkins-bot [Wed, 16 May 2018 16:40:07 +0000 (16:40 +0000)]
Merge "resourceloader: avoid use of $.globalEval in mediawiki.js"
Arlo Breault [Wed, 16 May 2018 15:29:10 +0000 (11:29 -0400)]
parser: Don't unnecessarily add and remove a pipe
Change-Id: I884ab88f9e8ac6f402cd4b3a54e33ccbd30637a2
Raymond [Wed, 16 May 2018 13:39:44 +0000 (15:39 +0200)]
Make Special:TrackingCategories sortable
https://de.wikipedia.org/wiki/Spezial:Tracking-Kategorien is longer
than 1 screen page
Change-Id: Idf2681960bc87f5f189b1666899bd609d74495bb
jenkins-bot [Wed, 16 May 2018 13:31:56 +0000 (13:31 +0000)]
Merge "Deprecate overriding SearchEngine::search*"
jenkins-bot [Wed, 16 May 2018 13:00:35 +0000 (13:00 +0000)]
Merge "Add missing __METHOD__ to onTransactionPreCommitOrIdle() caller"
jenkins-bot [Wed, 16 May 2018 12:53:05 +0000 (12:53 +0000)]
Merge "Deduplicate archive.ar_rev_id"
Brad Jorsch [Fri, 27 Apr 2018 17:10:36 +0000 (13:10 -0400)]
Deduplicate archive.ar_rev_id
Old bugs and such may have left the archive table with multiple rows
using the same ar_rev_id, or rows that also exist in the revision table.
These need to be cleaned up for MCR.
The maintenance script added here will delete rows that appear to be
duplicates of the same change, and will assign new IDs to rows that do
not appear to be duplicates.
Bug: T193180
Change-Id: I39b0825c9469e074ded3df33a4f06a1ef0edb494
jenkins-bot [Wed, 16 May 2018 07:58:23 +0000 (07:58 +0000)]
Merge "Special:PrefixIndex: Fix regression on prefix input value"
jenkins-bot [Wed, 16 May 2018 01:09:47 +0000 (01:09 +0000)]
Merge "mw.widgets.datetime.DateTimeInputWidget: Increase width"
Prateek Saxena [Tue, 15 May 2018 08:41:35 +0000 (14:11 +0530)]
mw.widgets.datetime.DateTimeInputWidget: Increase width
The condition to add extra width for 'strings' was already there
but was putting the same value for both. Increased from 1.15 to
1.25 per character for strings.
Bug: T193907
Change-Id: I474a8a84756d7222a47ef9d4f2d4b50050c4e20e
jenkins-bot [Tue, 15 May 2018 23:20:50 +0000 (23:20 +0000)]
Merge "registration: Improve duplicate config setting exception"
Aaron Schulz [Tue, 15 May 2018 19:52:19 +0000 (12:52 -0700)]
Add missing __METHOD__ to onTransactionPreCommitOrIdle() caller
Change-Id: I3722411dc63ff69253096f9c05e4fd1f130931ae
jenkins-bot [Tue, 15 May 2018 20:09:59 +0000 (20:09 +0000)]
Merge "Make internal search methods private for db implementations"
jenkins-bot [Tue, 15 May 2018 19:59:35 +0000 (19:59 +0000)]
Merge "installer: Don't shell out if it's disabled"
Translation updater bot [Tue, 15 May 2018 19:58:24 +0000 (21:58 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I753e6748d026de5a07d3a6b9b07484671059d8db
jenkins-bot [Tue, 15 May 2018 19:15:08 +0000 (19:15 +0000)]
Merge "Populate externallinks.el_index_60 and drop default"
Kunal Mehta [Tue, 15 May 2018 18:23:38 +0000 (11:23 -0700)]
installer: Don't shell out if it's disabled
Bug: T191947
Change-Id: I16a82d271157cd0024aa14d7eaec80b4870947b5
Kunal Mehta [Tue, 15 May 2018 17:26:43 +0000 (10:26 -0700)]
registration: Improve duplicate config setting exception
We don't keep track of what set a specific global, so at least mention
the name of the extension that is setting a duplicate for easier
debugging.
Also, fix the case where if the first extension to be loaded was setting
a core setting, it would not throw an exception since config was being
processed before the rest of extension.json. Now we process config after
all core settings, going only before attributes.
Bug: T194319
Change-Id: I4fd96e7d167cf0652ee3e8e66167c86f2b91b992
jenkins-bot [Tue, 15 May 2018 16:21:29 +0000 (16:21 +0000)]
Merge "User: System block reasons shouldn't expand templates"
Brad Jorsch [Fri, 18 Nov 2016 20:42:11 +0000 (15:42 -0500)]
Populate externallinks.el_index_60 and drop default
Adds a maintenance script to populate the field, has that be
automatically run during update.php, and drops the no-longer-needed
default value on the column (where possible: mssql has some sort of
constraint thing going on that I have no idea how it works).
Bug: T59176
Change-Id: I971edf013a1a39466aca3b6e34c915cb24fd3aa7
Erik Bernhardson [Thu, 10 May 2018 20:52:47 +0000 (13:52 -0700)]
Deprecate overriding SearchEngine::search*
The plan is to convert these methods into final, considering
it a removal under the deprecation policy. By making entry
points into the search engine final we provide a guaranteed
point where generic handling can be applied to all search engines.
The first use case for this generic handling is pushing pagination
via overfetch into the SearchEngine class instead of re-implementing
an overfetch in individual parts of the code that perform searches.
Change-Id: I3426d6a2f32d8b368b044b154e1cb70dac007c62
jenkins-bot [Tue, 15 May 2018 07:31:09 +0000 (07:31 +0000)]
Merge "Add setting to control the creation of NullRevision on upload"
Brad Jorsch [Mon, 26 Mar 2018 17:59:24 +0000 (13:59 -0400)]
Resolve used lazy options in ParserOptions::optionsHash()
If a lazy option is passed to ParserOptions::optionsHash(), we should
resolve the option so the hash can incorporate the proper value instead
of omitting it.
Also, completely unrelatedly, refactor the hook overriding in the unit
test because people won't stop whining about it in code review.
Change-Id: I2df78ed90875c229090b503b65f20fbbbba7f237
Brian Wolff [Tue, 15 May 2018 04:14:37 +0000 (04:14 +0000)]
Add whether user is elevated to unsafe js load log
To better triage the log entries.
Change-Id: Idf6d967d06b118ebd7b4d848e12bb36faf55a1b6
Volker E [Sat, 5 May 2018 23:19:08 +0000 (16:19 -0700)]
Special:PrefixIndex: Fix regression on prefix input value
Regression introduced in Ieb9713f8346316e9c3cf1e83eae00848f3921b43
Bug: T193927
Change-Id: I9a3477af89a7e303a67f1769859a649b86113604
jenkins-bot [Tue, 15 May 2018 01:08:20 +0000 (01:08 +0000)]
Merge "Disallow loading JS/CSS/Json subpages from unregistered users and log"
jenkins-bot [Tue, 15 May 2018 00:59:09 +0000 (00:59 +0000)]
Merge "Better logging for botpasswords"
Brian Wolff [Tue, 15 May 2018 00:34:14 +0000 (00:34 +0000)]
Disallow loading JS/CSS/Json subpages from unregistered users and log
Loading JS from an unregistered user's JS subpage is a severe
security risk as someone could potentially register that account
and then modify the JS.
Bug: T194204
Change-Id: I741736e12b0ed49e95f22c869a2b53e2c97b31f0
Translation updater bot [Mon, 14 May 2018 20:04:40 +0000 (22:04 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I0d75de10ff839f02973bf055e40d65ff7277c102
Thiemo Kreuz [Mon, 14 May 2018 11:27:23 +0000 (13:27 +0200)]
ConnectionManager: Require ILoadBalancer instead of LoadBalancer
Since I4fdf7f7 more code stops returning the implementation, but only
returns the interface. This is a good, very welcome change. However,
ConnectionManager still requires the LoadBalancer implementation, for
no obvious reason. All code in this class works fine with the interface.
This is currently reported by Phan as a violation (and it actually is
one), e.g.:
https://integration.wikimedia.org/ci/job/mwext-php70-phan-docker/6433/console
Change-Id: I63cbb98fd277b0c64ab8b303888b9354c4be29e2
jenkins-bot [Mon, 14 May 2018 04:17:15 +0000 (04:17 +0000)]
Merge "Initial support for Content Security Policy, disabled by default"
Brian Wolff [Mon, 29 Feb 2016 04:13:10 +0000 (23:13 -0500)]
Initial support for Content Security Policy, disabled by default
The primary goal here is a defense in depth measure to
stop an attacker who found a bug in the parser allowing
them to insert malicious attributes.
This wouldn't stop someone who could insert a full
script tag (since at current it can't distinguish between
malicious and legit user js). It also would not prevent
DOM-based or reflected XSS for anons, as the nonce value
is guessable for anons when receiving a response cached
by varnish. However, the limited protection of just stopping
stored XSS where the attacker only has control of attributes,
is still a big win in my opinion. (But it wouldn't prevent
someone who has that type of xss from abusing things like
data-ooui attribute).
This will likely break many gadgets. It's expected that any
sort of rollout on Wikimedia will be done very slowly, with
lots of testing and the report-only option to begin with.
This is behind feature flags that are off by default, so
merging this patch should not cause any change in default
behaviour.
This may break some extensions (The most obvious one
is charinsert (See fe648d41005), but will probably need
some testing in report-only mode to see if anything else breaks)
This uses the unsafe-eval option of CSP, in order to
support RL's local storage thingy. For better security,
we may want to remove some of the sillier uses of eval
(e.g. jquery.ui.datepicker.js).
For more info, see spec: https://www.w3.org/TR/CSP2/
Additionally see:
https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
Bug: T135963
Change-Id: I80f6f469ba4c0b608385483457df96ccb7429ae5
Translation updater bot [Sun, 13 May 2018 19:54:52 +0000 (21:54 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: I2fe5d9477437629090322b4647bee405ed4ec9e5
Framawiki [Mon, 28 Aug 2017 16:45:49 +0000 (18:45 +0200)]
Add checkbox in Special:ListUsers to display only users in temporary user groups
New checkbox "temporaryGroupsOnly" with new message "listusers-temporarygroupsonly"
Bug: T174313
Change-Id: I388a8aab1145dc958ee110da324aeeb03660ff40
Translation updater bot [Sat, 12 May 2018 22:28:48 +0000 (00:28 +0200)]
Localisation updates from https://translatewiki.net.
Change-Id: Ibe96d7ea807526ab2df4dc6cad608016b432fe88
Brad Jorsch [Sat, 12 May 2018 12:03:04 +0000 (08:03 -0400)]
User: System block reasons shouldn't expand templates
The block reasons for "system" blocks shouldn't expand wikitext
templates immediately. That should be left for the code parsing the
block reason for display.
This should only affect how these blocks are reported to API clients, as
when the block is displayed in the web UI it's passed through the parser
anyway. The main drawback, as far as the default messages go, is that
MediaWiki:sorbsreason won't have {{SITENAME}} expanded in
the API response anymore.
Bug: T191939
Change-Id: Ib2024721ea0e26358b9b50efdac16316d6d0f0b6
jenkins-bot [Sat, 12 May 2018 07:40:54 +0000 (07:40 +0000)]
Merge "Use {{int:}} on MediaWiki:Blockedtext and MediaWiki:Autoblockedtext"