* (bug 35317) CSRF in Special:Upload
Revert r56793, which removed the CSRF check for Special:Upload for normal file
uploads. Cross-site posting of file uploads without user interaction has been
possible since at least as early as Chrome 8 (late 2010) and Firefox 6 (mid
2011).
Commonist has used api.php since version 0.4.0 (April 2010), and the API
already requires an edit token, so Commonist 0.4.0+ is not affected by this
change.
* (bug 34907) Fix for CSRF vulnerability due to mw.user.tokens. Patch by Roan
Kattouw and Tim Starling.
* Filter out private modules early in ResourceLoader::makeResponse() and just
pretend they weren't specified. This means these modules cannot be loaded
through load.php. This filtering must not happen in makeModuleResponse(),
because that would break inlining.
* Force inlining of private modules in OutputPage::makeResourceLoaderLink(),
disregarding $wgResourceLoaderInlinePrivateModules
* Remove $wgResourceLoaderInlinePrivateModules
* Remove special treatment of private modules ($private) in
ResourceLoader::makeResponse() and sendResponseHeaders(), because we're not
allowing private modules to be loaded through here any more
* Remove identity checks in ResourceLoaderUserOptionsModule and
ResourceLoaderUserCSSPrefsModule, they didn't make a lot of sense before but
they're certainly useless now.
* Factored out error comment construction in ResourceLoader.php and stripped
comment terminations from exception messages. I didn't find an XSS
vulnerability but it looked scary.
Patchset 2:
Removes whitespace error that prevented automatic merge by Gerrit:
includes/resourceloader/ResourceLoaderUserOptionsModule.php
Change-Id: I2dec8b8caf9db3c64919763865cc10cccdd6a1a3
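An added illustration, not ResourceLoader's code, of two of the changes above: a filter that drops private modules before any load.php response is assembled, and an error-comment builder that neutralises the `*/` terminator so an exception message cannot close the comment and run as script. The module registry, module names and loader callback are constructed.

```javascript
// Added example, not ResourceLoader's code: registry and module names are constructed.
// Private modules carry per-user data (options, tokens) and must never be served by
// load.php, where any third-party page could include the response as a <script>.
const registry = {
  'jquery':         { group: null },
  'mediawiki.util': { group: null },
  'user.options':   { group: 'private' },
  'user.tokens':    { group: 'private' },
};

// Drop private (and unknown) modules early; the rest of the pipeline behaves
// as if they had never been requested.
function filterModules(requested) {
  return requested.filter((name) => {
    const mod = registry[name];
    return mod !== undefined && mod.group !== 'private';
  });
}

// Error text is emitted inside a /* ... */ comment in a JavaScript response.
// A message containing "*/" would end the comment early and turn the remainder
// into executable code, so that sequence is broken up before embedding.
function makeComment(text) {
  const safe = String(text).replace(/\*\//g, '* /');
  return '/*\n' + safe + '\n*/\n';
}

// Build the JS body for a load.php request from the filtered module list.
// `loadModule(name)` is a constructed callback returning the module's script
// or throwing on failure.
function makeResponse(requested, loadModule) {
  const out = [];
  for (const name of filterModules(requested)) {
    try {
      out.push(loadModule(name));
    } catch (e) {
      out.push(makeComment('Error loading ' + name + ': ' + e.message));
    }
  }
  return out.join('');
}
```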
* Introduces $wgPreloadJavaScriptMwUtil
* Instead of loading mediawiki.util as base module from the bottom, now loading it from queue position "top" if $wgPreloadJavaScriptMwUtil is true. And if false it'll remain at the bottom in practice as implied by other modules loading it as a dependency (i.e. mediawiki.page.ready depends on it)
* Fixes bug 33746
* Removed 'pcache_miss_invalid' from stats.php and clear_stats.php, no longer used
* Added missing 'job-insert' and 'job-pop' to clear_stats.php
* Added missing call to wfIncrStats( 'pcache_miss_absent' ) when there's no key in ParserCache::get()
* Removed useless 'pcache_not_possible' stat from OutputPage::addWikiTextTitle() since that function is mostly used for interface messages
* Action/Context stuff is pretty deeply nested everywhere.
* Should be okay now, at last.
* Reverts reverting r109243
* Same as r109223, except adding this:
+ if ( !$context->canUseWikiPage() ) {
+ return 'view';
+ }
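Review bot: the three added lines do not show or name their enclosing function, so the message does not tell a reviewer where the 'view' fallback applies or what the fall-through behaviour was in r109223; quote the surrounding context or name the method, and state why a context with no usable WikiPage should be treated as a 'view' action rather than reported as an error.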
* Add the mediawiki.debug module from OutputPage::addDefaultModules() along with other modules
* Get the request information when building the JS output instead of in Setup.php
* Fixes bug 4438
* Depends on r108342. See also r108343 which did a similar thing for mw.config wgAction
Previously attempted in r91871, which was reverted in r94131.
Added in OutputPage instead of Skin::getPageClasses, as this is not directly page nor skin related. It also ensures independence from skins; this CSS class should always be available so that it can be relied on by the front-end.
* Moved message parsing (including $1 replacement) to Message.prototype.parser(), and let jqueryMsg override that when loaded
** Make the Message constructor public to make this possible
** Moved logic for skipping jqueryMsg when the message is simple from mw.Message to mw.jqueryMsg, where it belongs
* Remove mw.jqueryMsg from the default modules list in OutputPage. Modules that require PLURAL/GENDER should depend on mw.jqueryMsg
* TODOs
** The jqueryMsg parser is recreated for every mw.msg() call. It should probably be cached, but the only way I can think of is to add it as a member of the Map object, which is kind of weird
** Because jqueryMsg doesn't support a 'text' mode that expands PLURAL/GENDER but doesn't output HTML (leaves e.g. links alone), mw.Message.plain() and mw.Message.parse() currently behave identically. This is wrong and should be fixed, but that needs support in jqueryMsg too
Follow up r107556 and based on the discussions on wikitech-l about this.
mediawiki.jqueryMsg is now loaded always. mw.msg uses the parser if required.
Add qunit test cases.
* Added a "blocking" state to mw.loader. When loading scripts while the document is not ready, the loader will use document.write() if blocking is true, and append to the <body> or the <head> if blocking is false. If the document is ready, the loader will always append to the <body>
* Enable blocking mode while loading the top queue, and disable it after. This ensures that modules in the top queue are still loaded in a blocking way as they were before
* If $wgResourceLoaderExperimentalAsyncLoading is true, the bottom queue is also loaded in the head, but with blocking mode disabled. Otherwise, it's loaded at the bottom of the <body> as before
* scripts-only and messages-only requests need special treatment:
** in the top queue, they can continue to use <script src="..."> tags because they are blocking
** if the bottom queue is at the bottom of the <body> (experimental async loading disabled), they can continue to use <script src="..."> tags as before
** if the bottom queue is in the <head> (experimental async loading enabled), they cannot use <script src="..."> tags, because those would block. Instead, call mw.loader.load() on the load.php URL
* Removed SkinTemplate::setupUserJs() since it's no longer used and marked OutputPage::isUserJsAllowed() for removal in 1.20 since its last call is now gone
* mw.config is the new way, and global config variable lookups are deprecated
* Based on two phase3-wide quick searches:
-- of " wg": http://toolserver.org/~krinkle/wikimedia-svn-search/view.php?id=321&hash=81700bf7486e4fee3b7bc1f83eb9eba6
-- of "!wg": http://toolserver.org/~krinkle/wikimedia-svn-search/view.php?id=327&hash=47c9d54a7a1d5d58a724dd834585f40d
Related changes:
* Changed some php comments mentioning "wg" variables to include the dollar sign, and a typo when the wf function prefix was meant.
* Removed TODO comment in wikibits.js and made it use the JS equivalent of wfUrlencode, which we have now, mw.util.wikiUrlencode
* SpecialUpload.php: use OutputPage::addJsConfigVars instead of creating a new script tag through OutputPage::addScript(Skin::makeVariablesScript(..))
* Renamed wgUploadSetup in upload.js and made it local. Not used anywhere in ./trunk/phase3 and ./trunk/extensions
* Fix OutputPage::addJsConfigVars so that it can actually be called with an array instead of two arguments for key/value
* Some minor whitespace/convention stuff around the same line
* Embed "private" ResourceLoader modules in the <head> before the first loader link, instead of in the <body> after the last loader link
* Wow, was in the opposite place where it should've been :D
* Fixes bug 30914