CVE-2025-6594
* Fix validation of API parameters. Follow-up to c36b4634e8.
* Add an extra check for parameters that should be required by the UI.
* Remove a fallback code branch that tried to display responses for
non-pretty formats, which would have been unreachable were it not
for the format validation bug, and which handled HTML unsafely.
Bug: T395063
Change-Id: I392810e3474ffdbe273b1c668ffce4c8dace1380
CVE-2025-6591
This is the same issue as CVE-2025-32072 (T386175), except in the
API's feedcontributions module. Escape the "Contributions" and
"colon-separator" messages so administrators cannot inject HTML
into them, triggering a potential XSS in feed readers.
Bug: T392276
Change-Id: Ic590a0d0cfc0a4a1e61859ecc57a175a8f5ec098
When autoloading of the HookRunner class fails (due to a wrongly namespaced
interface), it cannot be used in the exception handler, which results in
a "class not found" error, hiding the real error.
Bug: T387408
Change-Id: I93daa8b05bab42a4008a3bc09f26c7e041030a22
(cherry picked from commit 2037f6e41fcfa4b5240912f7fe09bc28ea1f0ae9)
Why:
- The exception handler may be triggered during service container
initialization, e.g. if an autoloaded class triggers a deprecation
warning.
- This causes callLogExceptionHook() to try to setup the service
container once again, which then causes a cryptic "class not found"
error as the service container attempts to autoload whatever class
triggered the deprecation warning once again and fails.
What:
- Avoid attempting to initialize the service container in our exception
handler if it was not setup already, since it may be unsafe to do so.
Bug: T380456
Change-Id: Ib439f25d9e309b77eac00c59c32e39ffbf3aa2a4
(cherry picked from commit 0b1480e60ef7d649bf7d22de5a7c032d04ed0f7a)
A special page has access to the request context which includes the site
config, no need to inject that separately here.
Change-Id: If8f01466c64dbacf806b6fccfa0bc4736c259607
(cherry picked from commit 0110bba7c9a8bdaf1cd8579534300c76b29c038a)
Int and float fields that are optional cannot currently specify the min
attribute. An unfilled value fails the validation because in PHP 8 any
number is greater than the empty string.
(For comparing numbers with non-numeric strings, the number is first
converted to a string and then compared. In PHP 7, the string was
converted to a number instead.)
Bug: T397883
Bug: T397643
Change-Id: I37be84554708e17eee27a7e599815891787e95bf
(cherry picked from commit 8e7ae749c0870e8133d083ac4125280c11a12ea6)
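The PHP 7 vs PHP 8 comparison change described in the commit above, shown on a hypothetical optional numeric field with a "min" attribute (an added example, not MediaWiki's HTMLForm code; the function names and sample inputs are constructed):

```php
<?php
// Added example, not MediaWiki code. Hypothetical validator mirroring the
// optional int/float field with a "min" attribute described in the commit.
declare(strict_types=1);

// Naive check: compares the raw submitted value with the minimum.
// PHP 7: '' is converted to 0 before comparison, so '' < -5 is false and an
// empty optional field passes. PHP 8: the number is converted to a string
// instead, so '' < '-5' is a string comparison that evaluates to true, and
// the empty optional field wrongly fails. The same string comparison also
// lets a non-numeric value such as 'abc' slip past the check.
function validateMinNaive(string $submitted, float $min): bool {
    return !($submitted < $min);
}

// Fixed check: treat the empty string as "not filled" for an optional field
// and only compare once the input is known to be numeric.
function validateMinFixed(string $submitted, float $min, bool $required): bool {
    if ($submitted === '') {
        return !$required;
    }
    if (!is_numeric($submitted)) {
        return false;
    }
    return (float)$submitted >= $min;
}

// Constructed inputs: [submitted value, min, field is required].
$cases = [
    ['',    -5.0, false],
    ['',     0.0, false],
    ['',     0.0, true],
    ['3',    5.0, false],
    ['7',    5.0, false],
    ['abc',  0.0, false],
];
foreach ($cases as [$value, $min, $required]) {
    printf("value=%-5s min=%-4s required=%-5s naive=%-5s fixed=%s\n",
        var_export($value, true), $min, var_export($required, true),
        var_export(validateMinNaive($value, $min), true),
        var_export(validateMinFixed($value, $min, $required), true));
}
```

Run under PHP 8 to see the naive check reject the empty optional field (and accept 'abc'), while the fixed check returns true for an empty optional field and false for an empty required one.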
Why:
- action=compare was used to circumvent Lockdown
What:
- use checkTitleUserPermissions() to enforce read permissions in
ApiComparePages.
Bug: T397521
Change-Id: Id275382743957004fa7fc56318fc104d8e2d267b
(cherry picked from commit c62e4d93a33e94c7fe6f716a4747b1dbd59b3f90)
Why:
- When comparing the newly generated HTML to the cached HTML, there
might be cases when the new ParserOutput doesn't contain HTML.
What:
- If hasText() returns false, don't compare HTML and use the "unknown"
value for the html_changed stats label.
Bug: T388406
Change-Id: Ibc3e79e79a6421d4780739104a949bac50a5b01f
(cherry picked from commit a275e02771bc2ed4243804d5294188f54e47f9fc)
* Update extensions/ConfirmEdit from branch 'REL1_43'
to b77a6bdfdf9fa138279fcc8e2be1db440bffceb4
- Replace mt_rand() with random_int()
Deprecated in PHP 8.3 as per https://wiki.php.net/rfc/deprecations_php_8_3#mt_rand_php
Change-Id: I206a55b191c1dbeaec0361fc10b9c1c9228a0836
Make SqlPlatform::tableNameWithAlias() include the unqualified table
name as an alias if doing so is not redundant. This assures that the
default alias from JoinGroupBase::addJoin(), equal to the unqualified
table name, will be usable in SQL (regardless of table prefixes).
Clean up use of identifier quotes for sqlite_master tables. The called
methods expect unqualified names and a passthrough exception already
exists for sqlite_* tables.
Use "block_target.bt_user" directly in ApiQueryBlocks and BlockPager,
instead of using addIdentifierQuotes(). The "block_target" alias is
automatically added to the SQL by the rdbms layer when it's not clearly
redundant, so it is always safe to use block_target.bt_user. Also, there
is no reason for aliases to include quote characters. They are supposed
to be simple alphanumerics like column names. This makes it easy for
tableNameWithAlias() to avoid redundant aliases by checking tableName().
Avoid unneeded quotes around pg_catalog.* table names in the Postgres
installer. The relevant documentation of methods like selectField() is
that the table names be unqualified (no quotes nor dots), though dots
are still supported internally for compatibility reasons and ease of
querying schemas like pg_catalog and information_schema.
Change-Id: Ic7d7826da31f49915141692cb3bd84ed1e872e96
* Update skins/Vector from branch 'REL1_43'
to 31564b81866770ed2235b9248ed9c4f93614ad92
- Localisation updates from https://translatewiki.net.
Change-Id: I54cffcf162035adfb57cea2b33540966d9ac3b8d
* Update extensions/VisualEditor from branch 'REL1_43'
to 3bce60dbcb45d7195c831e527636c88d97bd7bfc
- Localisation updates from https://translatewiki.net.
Change-Id: If482852575c64c63a8fb79e96a51c8f987826719
* Update extensions/WikiEditor from branch 'REL1_43'
to 399939f42fd910e0de5eb49e658d2d0b865b8fd3
- Localisation updates from https://translatewiki.net.
Change-Id: I41b956eb17bba7200f420fccc34008b3da414898
* Update extensions/Thanks from branch 'REL1_43'
to ae78d974e3143d9d10c48f4c8c12ecdba4fecd52
- Localisation updates from https://translatewiki.net.
Change-Id: Ic2dcd4bdd53f1afb8223c3ef45c8642c0beb5eff
* Update extensions/TitleBlacklist from branch 'REL1_43'
to aec41ad533a15282d7d4a825d7b1893b81b25c8e
- Localisation updates from https://translatewiki.net.
Change-Id: Ic2dcd4bdd53f1afb8223c3ef45c8642c0beb5eff
* Update extensions/TemplateData from branch 'REL1_43'
to 12f813122ee580a37bbacb5543b7b490f4ebc4d0
- Localisation updates from https://translatewiki.net.
Change-Id: I17aaa7b93ab5abad84cb7f1dfa943d66e410d8a4
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43'
to 5b790882024a38d2ba3cca25d6322d2cacf75e88
- Localisation updates from https://translatewiki.net.
Change-Id: I2ad1f5673d915f9f405bb4394f55c33a16584486
* Update extensions/OATHAuth from branch 'REL1_43'
to 806e7ea9036bf49637d1a8c40e1c8994220ea909
- Localisation updates from https://translatewiki.net.
Change-Id: I50b598d0331a20e5831d65f3b774eb53a0d824a2
* Update extensions/Nuke from branch 'REL1_43'
to d12367dc6d1c63c2b0302363a1a4c05fe7b4058d
- Localisation updates from https://translatewiki.net.
Change-Id: I6e80d6e16d0c598de66b57a1f3dbe9b953e25959
* Update extensions/Math from branch 'REL1_43'
to 641f3dff30d072cfe0db194557fc3cfc07831b31
- Localisation updates from https://translatewiki.net.
Change-Id: I7b044d4641bcf05c9ee5d0bcae052ea1de9706f9
* Update extensions/Linter from branch 'REL1_43'
to 99863268508a3a5797742868898c73ea1e2cb2c4
- Localisation updates from https://translatewiki.net.
Change-Id: I0033a76f020bae206c6bd8687ae54bc866595c54
* Update extensions/InputBox from branch 'REL1_43'
to c07b5c7f1f60781397ab48ee4ebde494146657e4
- Localisation updates from https://translatewiki.net.
Change-Id: I18aa483f03d5f06027066f0f194b7684cca9aed8
* Update extensions/Gadgets from branch 'REL1_43'
to 543775d2ce5e93ee1f3bb941d9c8261fbd2fc88c
- Localisation updates from https://translatewiki.net.
Change-Id: I3e4a816e9168c56b7fb21f60bd3ea8ea21880f8b
* Update extensions/DiscussionTools from branch 'REL1_43'
to f7a9938618ae47e7ce9ec5d6184ca9a9902f4ded
- Localisation updates from https://translatewiki.net.
Change-Id: I5902d139178a6791af58758d4919907c57a150f1
* Update extensions/Echo from branch 'REL1_43'
to ed7bf37520c5b3b4e452802a781bdee8cac01b12
- Localisation updates from https://translatewiki.net.
Change-Id: Ic84d30a4040f1e2a253bdbf93ea9b06331d2ca88
* Update extensions/ConfirmEdit from branch 'REL1_43'
to 76b40f1224f90791d1d59fdb950bca8abb26356a
- Localisation updates from https://translatewiki.net.
Change-Id: I047e97acc74854ef71ec93172a5c7e2ff390ccab
* Update extensions/Cite from branch 'REL1_43'
to c6a08aaccb4921bc96e5f53aae88d4802fdd346c
- Localisation updates from https://translatewiki.net.
Change-Id: I2786ab7a18463e5ab977a89641f0116467166526
* Update extensions/CiteThisPage from branch 'REL1_43'
to 799d7891252021ef927bba8806cc14574e063832
- Localisation updates from https://translatewiki.net.
Change-Id: Iab84e7239c8685b9b9814f78c17d2f1782e8cf8d
* Update extensions/AbuseFilter from branch 'REL1_43'
to d06c1478ea7f5452336d78610c68ce9e8a3ec7d0
- Localisation updates from https://translatewiki.net.
Change-Id: I1244ca3ac479f645ccaecd71e767721ff419d8e3
* Update extensions/OATHAuth from branch 'REL1_43'
to edaa14b13c708fa23e6ded8f614a0a87cd049387
- UpdateTables: Fix running order of updates
Non-virtual domain updates are run first, so this means UpdateForMultipleDevicesSupport
would be run before the necessary schema changes.
Bug: T396955
Follows-Up: I2985c755a2302e7cc7c8ec55041f7e5d8192e4a7
Change-Id: I50c177bc785b67f1674b556ac6a3dcce0406d92e
(cherry picked from commit ed524ba0ec4427bfb40e470831e737307d9c175a)
This patch was applied to release branches for MW 1.42 in April 2024, and
since ported to MW 1.43 and then MW 1.44 as well. This one-of-a-kind hot
patch will finally discontinue once this lands in the master branch as
part of MW 1.45+ releases.
A small handful of phan fixes make this pass so it can land; the rest
(including fixes rather than suppressions of events here) will happen in
later patches.
Bug: T328921
Bug: T359868
Change-Id: Ica2c11a6243795437ec652923e42ef3bd74a5fd8
psr/log 3.0.0 adds this return type.
For this specific case the fix is very simple, fully
compatible with the older version of psr/log, and
something we’ll have to do sooner or later anyway.
Bug: T356451
Change-Id: I49562ac7f1a71e82cab79fe44296feea573e26d4
(cherry picked from commit 9244d4b2623b9d789e7dea28e65b5ca6f9651aaf)
* Update skins/Vector from branch 'REL1_43'
to 90c7d096cf511b3eb15cbe5b6b96139f08fb08cc
- Localisation updates from https://translatewiki.net.
Change-Id: I778299251efe109518ecb416bd7c145b7ecdb033