In order to apply numeric formatting to the limitreport for $key, the
messages $key and $key-value (or $key-value-html) need to be defined.
The core parser doesn't define messages for non-numeric limitreport
data (so it is suppressed in the EditPage preview), but Scribunto
does.
Bug: T263592
Change-Id: Ib775739fbe3cadb28913ae61002622e80490056b

Without this, a user created from an invalid user ID would end up
representing the current request's IP address, which may lead to
confusion. Using the reserved name "Unknown user" seems safer.
Change-Id: Icbfe7c3a561ac927713b610ac9a0b5e6b88bf2f0

This builds on top of Urbanecm's patch, now also covering the case
where the actor ID does not exist in the target DB, but does exist in
the local DB.
Bug: T260485
Change-Id: I2336954c665366a99f9995df9b08071d4de6db79
(cherry picked from commit ca4094db9e7f6f5e330d89db6bf70a8af48e1561)

In ActorMigration::getInsertValues, when creating a User object, calling
User::getActorId triggers a call to User::load, which ignores
the database passed to getInsertValues, meaning incorrect actor IDs
are returned.
To ensure that the correct (foreign) database is used, try
to get the actor ID from the correct database within ActorMigration
service, and if that fails, let User class handle the actor ID creation.
Todo notes are left in the patch to fix the issue properly,
by making User object wiki-aware.
Bug: T260485
Change-Id: Iaa886a1824e5a74f4501ca7e28917c780222aac0

This basically makes it equivalent to .escaped() and not .text().
Does not affect the mediawiki.jqueryMsg version, which still accepts
whitelisted HTML tags.
CVE-2020-25828
Bug: T115888
Change-Id: I6513dfb480024309e1594abc6f07bbd3b0c5a10e

Previously you could leverage the style attribute and external
links to execute JavaScript.
CVE-2020-25814
Bug: T86738
Change-Id: I6f15ece1db136369e06dfeee34d1a0c5bc03e32b
Co-Authored-By: Roan Kattouw <roan.kattouw@gmail.com>
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>

firejail has an RCE in its handling of --output when dealing with untrusted
arguments (CVE-2020-17367 and CVE-2020-17368). We can avoid this issue by
preventing shelling out to firejail if any parameter starts with '--output'.
Bug: T258763
Change-Id: Ic6a5644566a51a948de7b42daf57b29ced3daff4

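
The parameter check described in the firejail commit message above, written out as an added example (it is not MediaWiki's own code). The function names and the sample parameter lists are hypothetical, and throwing an exception to fail closed is this example's choice.

```php
<?php
// Added illustration, not MediaWiki code. Function names and the sample
// parameter lists below are hypothetical.

/**
 * Return the first parameter that starts with "--output", or null.
 * A prefix match catches "--output", "--output=/path" and
 * "--output-stderr=/path" wherever they appear in the list.
 */
function findFirejailOutputParam( array $params ): ?string {
    foreach ( $params as $param ) {
        $param = (string)$param;
        if ( strncmp( $param, '--output', 8 ) === 0 ) {
            return $param;
        }
    }
    return null;
}

/**
 * Prefix the parameters with "firejail", refusing when any of them
 * starts with "--output" (fail closed: firejail is never invoked).
 */
function buildSandboxedArgv( array $params ): array {
    $bad = findFirejailOutputParam( $params );
    if ( $bad !== null ) {
        throw new InvalidArgumentException(
            "Refusing to shell out to firejail, parameter starts with --output: $bad"
        );
    }
    return array_merge( [ 'firejail' ], $params );
}

// Constructed sample parameter lists.
$samples = [
    [ '/usr/bin/convert', 'in.png', 'out.jpg' ],
    [ '/usr/bin/convert', '--output=/tmp/x', 'in.png' ],
    [ '/usr/bin/convert', 'in.png', '--output-stderr=/tmp/y' ],
];
foreach ( $samples as $params ) {
    try {
        echo implode( ' ', buildSandboxedArgv( $params ) ), "\n";
    } catch ( InvalidArgumentException $e ) {
        echo 'blocked: ', $e->getMessage(), "\n";
    }
}
```
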
This reverts commit a4dc6d82af.
I've reverted the merged patch since I didn't do enough testing
on serialized/reserialized ParserOutput and CacheTime. Now I'm
confident serialization/deserialization works.
Changes since original reverted version:
- Use __get/__set instead of DeprecationHelper in order to
avoid the $deprecateProperties array being serialized.
- Add test for old format serialization, new format deserialization.
Change-Id: Ic911c2724ad709931d3316e609781fb89b5b7b28

* Use options-messages instead of text() for messages used to
build HTML multi-select field.
* Clean up old FIXME conditional since T199657 has been resolved
for over a year now.
CVE-2020-25815
Bug: T256171
Change-Id: Ib8f95f5510320f7fc2163625214c3c198be5941a

This reverts commit 799c10b7eb.
Reason for revert: Didn't test how this would work with deserializing stored ParserOutput.
Change-Id: I4221bc26282f3b4bd044f0ab50d00e77eb57ede0

When ParserOutput encounters a bad page title in an editsection
placeholder, this should not cause a fatal error. We can just not
produce an edit link and continue.
It's still worth logging though, since the parser shouldn't be putting
invalid links into editsection placeholders.
Bug: T261347
Change-Id: I154e85aec4b408e659e6281b02473c51f370865d

With this minimal change, the placeholder is integrated into the
personal tools. It's basic by default, so skins can use it as is,
customize it further if need be or even unset it altogether.
For instance, Vector uses a different icon from what MonoBook
uses, but both need to duplicate the basic placeholder.
Timeless needs to unset it. Modern can use it as is.
The benefit is that this will allow us to remove the hacky string
concatenation for it in Vector and also remove the duplication for
the same thing in MonoBook.
More importantly, it will also allow us to remove a hack for the
UniversalLanguageSelector extension inside at least three skins
which was necessitated because the string concatenation, besides
being isolated from the menu building abstraction, is also
interfering with some permutations about the position of the items.
Note: anonymous pages are subject to caching, so please apply
?action=purge when testing.
Bug: T263382
Depends-On: I5691529ab8c59f4053cff38ea6f7dd01c326c074
Depends-On: I008511f5fc326bca10f2c2bf4e03b2df3561b56e
Depends-On: I0ba502a1e1368c1080caee2ce2bb45c27fdf77c3
Change-Id: Ice379cd8a68530b586a8a8c288ac65bb978f775c