Add missing namespace prefix to the constant
Change-Id: I3ba37863b1e4de9d64d1c09045c0e5b1da678425
(cherry picked from commit ec02426638f0732a345bd8376f55819ec777741a)
* Update extensions/ConfirmEdit from branch 'REL1_43'
to ff362a6f056d48998a2ebbfd48d58f797a016009
- CaptchaPreAuthenticationProvider: Set correct action on account creation
So we use the appropriate error message
Change-Id: I32957f5afae4013ded1f11ce1f213c0a21f193fe
Follows-Up: I0da671a546700110d789b79a3089460abd9cce3b
(cherry picked from commit 3ae6236f4469bd6430d831a1db881603c8a49266)
A non-existing field may return null, when trying to drop the default.
Avoid a fatal error in this situation.
There is no real issue yet, but it is good coding practice to check for null.
Change-Id: I1041f24361febb52fd7fb20c42348b712dd70fe9
When MovePage::move() returns an error, doMove() should return false
instead of carrying on with move log adjustment.
Bug: T394556
Change-Id: I0864bd491d59fff42a062d7e5db957e46852761a
While looking at the list of tests for an extension I found 3000+
ScopeStructureTest which are generated from the php files in
mediawiki/core (more precisely `$wgAutoloadLocalClasses`):
* those tests take 21 seconds to complete on my machine.
* None were generated for the extension being tested, those tests are
thus solely affected by mediawiki/core.
`tests/phpunit/structure` is included in the `extensions` and `skins`
PHPUnit testsuites and any patches made to them would run that 21
seconds suite even though it's only testing mediawiki/core.
Move the test outside of `structure` so it is no longer run for
`extensions` and `skins`.
Bug: T225730
Change-Id: I628210b8b270773f3dad12bbde9d72f0328fcceb
(cherry picked from commit d10835b8bc933a49724010f0c39dfeaccfa9108c)
* Update vendor from branch 'REL1_43'
to ff925b8b4d47c62b3a451f8f52d5468cd575fae9
- Re-add symfony/polyfill-php82/symfony/polyfill-php83
Were removed from composer.json, but not actually from disk...
Bug: T398269
Follows-Up: Iefc3dcb5f111653a4c7b857d8577bda13116562a
Change-Id: I40292d13e15a628b3c2b86b1ae26c89dba9cec29
* Update skins/Vector from branch 'REL1_43'
to 304e9f1db2fc2207d7a5a1ceceb48c1b0939bae5
- Localisation updates from https://translatewiki.net.
Change-Id: I5f38fba4ed95372084110c0818e663e45a285d8e
* Update skins/Timeless from branch 'REL1_43'
to bc8bec6e8a16a215ad4bfe86d2ea7f30a7bad139
- Localisation updates from https://translatewiki.net.
Change-Id: I4c37e3c12db4694ce7b3fcd53b31e7e18fe6cedb
* Update skins/MinervaNeue from branch 'REL1_43'
to d3508af247711e2cc61f4ae1eb8d97f4e8187f41
- Localisation updates from https://translatewiki.net.
Change-Id: I4780224c626ff0fd5649c5b777cf998595d61d72
* Update extensions/VisualEditor from branch 'REL1_43'
to ad33e89582770747564ae14e83621b9f9faa105a
- Localisation updates from https://translatewiki.net.
Change-Id: Ic3dcf0f0c5bb85f82ebf8118dacf24b99ccfcba5
* Update extensions/WikiEditor from branch 'REL1_43'
to b47c43872425fa545fdb8c7ec5bea1874b4c44ba
- Localisation updates from https://translatewiki.net.
Change-Id: I4e8a6b2ffda84f329eac6adb6c5d5526d3386853
* Update extensions/TemplateData from branch 'REL1_43'
to 6199e15c32f351bab7ad09857fcf152bb62ff392
- Localisation updates from https://translatewiki.net.
Change-Id: If2f7b687f2d0ac01457d0ebebacd9801247ad10c
* Update extensions/TextExtracts from branch 'REL1_43'
to 296c9ea67d8f22d9e65700936c9bbea4e39f77d7
- Localisation updates from https://translatewiki.net.
Change-Id: Ib0d1cd6a1876d5127dbe07ae520fe6b082bc2f3c
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43'
to 9481d2dd97116ca284908801313ecbcab6fd536f
- Localisation updates from https://translatewiki.net.
Change-Id: I70f9b1f041d6066940c523b59ac69d29f148e3af
* Update extensions/ParserFunctions from branch 'REL1_43'
to e0cf7317fa977961c1fbb02530f4c7a212b33239
- Localisation updates from https://translatewiki.net.
Change-Id: I5027adcd353240976064a39f80f74b3920d73dca
* Update extensions/Nuke from branch 'REL1_43'
to a1c788d9454d069a1f4c56466d747dca326d3c8c
- Localisation updates from https://translatewiki.net.
Change-Id: I1e1c2aa1ac62670c0934619f45964052ce7fe08d
* Update extensions/MultimediaViewer from branch 'REL1_43'
to 8653e26a14443368284d1c1e7c4dc889b6db851e
- Localisation updates from https://translatewiki.net.
Change-Id: I016813aa5a7cd63af7e5d132e396111d80340233
* Update extensions/Linter from branch 'REL1_43'
to ecca5245dec10ec6909fb7eb1d9fd69c99376d43
- Localisation updates from https://translatewiki.net.
Change-Id: Ib4224fa83c58d71ccb7c32a07bab526f330a7b80
* Update extensions/Gadgets from branch 'REL1_43'
to eccf183962b111db3c7f211ad2ee817756c9bc7b
- Localisation updates from https://translatewiki.net.
Change-Id: I24ecaac3a01a37432664c41e52f6bf55015e28ee
* Update extensions/Echo from branch 'REL1_43'
to ada204d7f98718ba47c4064b2b11e6f0748a65ad
- Localisation updates from https://translatewiki.net.
Change-Id: Ida32e8117e0468f068bc5b4b5d8c9a099f654301
* Update extensions/DiscussionTools from branch 'REL1_43'
to 98112b29a668625217d4960f179f10668f65bad4
- Localisation updates from https://translatewiki.net.
Change-Id: I3827dce7627369a0f85f6b4bc12d0924b8e4ec01
* Update extensions/ConfirmEdit from branch 'REL1_43'
to 18cd7afc9e557807ac447f3e165bc8195523ddd5
- Localisation updates from https://translatewiki.net.
Change-Id: I14322cb7c8ddae5b25de12164fc1ab7f49b40d5f
* Update extensions/CodeEditor from branch 'REL1_43'
to f2643fe78b47d3d0be9a5c70d2d0b0fc03d0a60a
- Localisation updates from https://translatewiki.net.
Change-Id: I4f86ca31a713b40425550f2748066b49aab0fc24
* Update extensions/CiteThisPage from branch 'REL1_43'
to 3393d4165ca81ff2d862b4aa467490a127644436
- Localisation updates from https://translatewiki.net.
Change-Id: If21629a15c082defc69dcf55dbddaa6015eeec3f
* Update extensions/CategoryTree from branch 'REL1_43'
to 750aa4b68f723917bccb5817066da4a2c6f33219
- Localisation updates from https://translatewiki.net.
Change-Id: I871cd34098f7e3aefca6f2fa704134d33e1712bd
* Update extensions/AbuseFilter from branch 'REL1_43'
to dbfc5ff1831d19ef3073361bb1f7cd2811eb79c2
- Localisation updates from https://translatewiki.net.
Change-Id: I532b8b55ec97fc8d9a719a9b8cf9fde4235d2f15
* Fix test failures
* Cherry-pick message cache change I957b6fb2bc0d9d4b1aae6e
* Cherry-pick part of I638d6d6d23f9624ba1dff0f4fcc to change cache from
static to non-static.
Change-Id: I77a2facf9923d38269538e48c79365fa117af9af
Follows-Up: Id5462b942f5e916c2f1dc725739615d54a1070de
Follows-Up: I5471fe615d222b936c6668bf3089dd8b5931cc75
Follows-Up: I7bbd6ae36a11840ed6b4620b5d07fa5158ff139e
CVE-2025-6927
In BlockListPager, restore the bl_deleted=0 condition removed in the
previous commit. Add tests.
Bug: T397595
Change-Id: I5471fe615d222b936c6668bf3089dd8b5931cc75
CVE-2025-6927
ApiQueryBlock was relying only on the filter returned by
HideUserUtils::getExpression which only works for blocks targeting a
user account.
Bug: T397595
Change-Id: I7bbd6ae36a11840ed6b4620b5d07fa5158ff139e
* Update skins/Vector from branch 'REL1_43'
to 29d89be3529fc0b0a2c00dd6cc7bea9c9606546f
- SECURITY: Insert portlet labels as text instead of HTML
CVE-2025-6596
This addresses a stored XSS vulnerability through system
messages.
Bug: T396685
Change-Id: Ib474c00a887a9cbe4816c25a798cb869044bcf13
(cherry picked from commit 9a92de327ba7d4748b8dece500df442d2ba45b25)
CVE-2025-6590
The HTMLUserTextField is accessible to logged-out users on private wikis
through Special:PasswordReset. Validation error messages returned by this
field included unescaped usernames parsed as wikitext. This allowed
logged-out attackers arbitrary access to the parser, enabling them to
reveal page contents through transclusion, e.g., "{{:Private page}}".
Escape the username parameter using wfEscapeWikiText() to prevent
wikitext interpretation in error messages.
Bug: T392746
Change-Id: Ifd8283e107e1655fa3f5694183c4f67954e5c4c5
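
The CVE-2025-6590 fix described above, modelled as an added example (not MediaWiki's code and not part of the commit): a validation message is parsed with the username substituted raw, then with the username escaped first. `toyParse()`, `toyEscapeWikiText()`, the page store and the message text are hypothetical stand-ins; only `wfEscapeWikiText()` and the `{{:Private page}}` input come from the commit message.

```php
<?php
// Constructed sample data: one page a logged-out user must not be able to read.
const PAGES = [ 'Private page' => 'secret launch date' ];

// Hypothetical validation message; $1 is the placeholder for the username.
const ERROR_MSG = 'The username "$1" is not valid.';

// Toy stand-in for the parser: it expands {{:Title}} transclusions and nothing else.
function toyParse( string $wikitext ): string {
	return preg_replace_callback(
		'/\{\{:([^{}|]+)\}\}/',
		static fn ( array $m ) => PAGES[ trim( $m[1] ) ] ?? $m[0],
		$wikitext
	);
}

// Simplified stand-in for wfEscapeWikiText(): entity-encode characters that
// carry wikitext meaning so the parser treats them as literal text.
// strtr() with an array does not rescan its own output, so '&' is encoded once.
function toyEscapeWikiText( string $text ): string {
	return strtr( $text, [
		'&' => '&#38;', '<' => '&#60;', '>' => '&#62;', "'" => '&#39;',
		'[' => '&#91;', ']' => '&#93;',
		'{' => '&#123;', '|' => '&#124;', '}' => '&#125;',
	] );
}

// Before the fix: the raw username reaches the parser inside the message.
function errorBefore( string $username ): string {
	return toyParse( str_replace( '$1', $username, ERROR_MSG ) );
}

// After the fix: the username is escaped before substitution.
function errorAfter( string $username ): string {
	return toyParse( str_replace( '$1', toyEscapeWikiText( $username ), ERROR_MSG ) );
}

$input = '{{:Private page}}'; // the input quoted in the commit message

// The private page text appears inside the error message.
echo errorBefore( $input ), "\n";

// The braces arrive as entities, so no transclusion happens and a browser
// renders the literal string {{:Private page}}.
echo errorAfter( $input ), "\n";
```
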
CVE-2025-6926
This is a workaround for extensions with some sort of "autologin"
implemented via the login page to indicate that the login flow
didn't involve the user actually logging in, it merely copied
some central login state, and so isn't appropriate for the
reauthentication flag.
This isn't the best way to provide an interface to extensions
(if we keep it, a more explicit interface, such as a
SessionPropertiesAuthenticationRequest object that's part of
the initial request set and can be modified by providers,
and can also be used for the "remember me" flag, would be
nicer), and maybe the whole approach of letting extensions
suppress the reauthentication flag is not the best way of
handling the problem in the first place, but it's simple
which is important for a security patch.
Bug: T389010
Change-Id: Ifce73837b25b0caad2d3d3cba000cceb0184c29d
CVE-2025-6597
Autocreation doesn't necessarily involve real-time user
identification, it can be based on some provider identifying the
user based on a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.
Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
CVE-2025-6594
* Fix validation of API parameters. Follow-up to
c36b4634e8.
* Add an extra check for parameters that should be required by the UI.
* Remove a fallback code branch that tried to display responses for
non-pretty formats, which would have been unreachable were it not
for the format validation bug, and which handled HTML unsafely.
Bug: T395063
Change-Id: I392810e3474ffdbe273b1c668ffce4c8dace1380
CVE-2025-6591
This is the same issue as CVE-2025-32072 (T386175), except in the
API's feedcontributions module. Escape the "Contributions" and
"colon-separator" messages so administrators cannot inject HTML
into them, triggering a potential XSS in feed readers.
Bug: T392276
Change-Id: Ic590a0d0cfc0a4a1e61859ecc57a175a8f5ec098