The previous "application/x-javascript" was non-standard. It was used as
unregistered mime type by various vendors after stakeholders agreed it
shouldn't be text/javascript anymore, but "application/javascript" was
still pending approval. That was settled in 2006 with RFC 4329.
http://www.iana.org/assignments/media-types/media-types.xhtmlhttps://tools.ietf.org/html/rfc4329
It also previously inconsistently returned "application/x-javascript" or
"text/javascript" depending on whether you call MimeMagic with or without
the flag that asks for "improved" mime magic (in the latter mode, it picks
the first one from the mime-info list as override).
This makes MimeMagic match the behaviour of HHVM-static server, NGINX,
and Apache 2.4; with regards to Content-Type for .js files.
Change-Id: Idfe0a80c60c548fe28283c62ee9803bff7bdb2d6
The pre-SessionManager code did this, and the change in combination with
the API not honoring forceHTTPS led to T124252.
Bug: T124252
Change-Id: Ic6a79fbb30491040facd7c200b1f47d6b99ce637
There's no reason this should be only in CookieSessionProvider when
we're already handling deduplication in WebResponse.
Further, this fixes the bug in the existing CookieSessionProvider
implementation that a setCookie() followed by a clearCookie() wouldn't
actually clear the cookie.
This reverts commit 1ce684fcef.
Bug: T124252
Change-Id: I1098d054facacd59f03ebed7c747ec9ff6bf66e7
Depends-On: I61d14bf80fa7c857dec9cffb366dc3f84dbb4faf
Some API clients seem to be confused by cookie deletion.
Prevent cookie deletion on the first leg of the API login sequence
(for a client with an empty cookie jar) by only emitting deletion
headers for cookies which are set in the current request.
Bug: T124252
Change-Id: I180e094ea32f951e22adab2ec87d16e5de7cef97
It's not guaranteed that loadSessionFromStore() will succeed after
whatever alterations the SessionProvider might have made later in the
request.
So instead, let's make a new global object that stores the SessionId
of the persistent session that was loaded during Setup.php, if any. Then
we can check that when we need to know whether the session was
persisted.
Bug: T124468
Change-Id: I1e8e616c83b16aadd86b0a0a40826d40f6e8abe4
None of this works and it's been long begging for a mercy kill.
All it does is waste contributor time on updating deprecations
in the dead code. I imagine we wouldn't reuse much of this
code if we're ever going to reimplement it.
Bug: T119336
Change-Id: Ibd26a4bea621857aac77823017e9be9b7dc52cca
I think it's saner to treat this as invalid syntax, and output the
mismatched tag code verbatim. The current behavior is particularly
annoying for <ref> tags, which often swallow everything afterwards.
This does not affect HTML tags, though. Assuming Tidy is enabled, they
are still auto-closed at the end of the page content.
Related to T17712 and T58306. I think this brings the PHP parser closer
to Parsoid's interpretation.
It reduces performance somewhat in the worst case, though. Testing with
https://phabricator.wikimedia.org/F3245989 (a 1 MB page starting with
3000 opening tags of 15 different types), parsing time rises from
~0.2 seconds to ~1.1 seconds on my setup. We go from O(N) to O(kN),
where N is bytes of input and k is the number of types of tags present
on the page. Maximum k shouldn't exceed 30 or so in reasonable setups
(depends on installed extensions, it's 20 on English Wikipedia).
To consider:
* Should we keep previous behavior for unclosed <includeonly> /
<noinclude>? This would be particularly disruptive for these if
someone relied on the old behavior, and they're already
special-cased in places.
* Unclosed <pre> tags are now treated as HTML tags, and are still
displayed as preformatted text, but without suppressing wikitext
formatting.
Change-Id: Ia2f24dbfb3567c4b0778761585e6c0303d11ddd0
It's easily possible for SessionManager::getSessionById() to not be
able to load the specified session and to not be able to create an empty
one by that ID, for example if the user's token changed. So change this
from an exceptional condition to an expected one, and adjust callers to
deal with it appropriately.
Let's also make the checks for invalid data structure when loading the
session from the store delete the bogus data entirely.
At the same time, let's change the silly "$noEmpty" parameter to
"$create" and make the default behavior be not to create an empty
session.
Bug: T124126
Change-Id: I085d2026d1b366b1af9fd0e8ca3d815fd8288030
The titles of "action" special pages are normally expressed as actions
("Move page", "Reset password", "Upload file"), and the names of
log types are normally nouns ("Deletion log", "Content model change log").
In any case, "Change language log" and "$1 changed page language for $3"
are not good English.
Log entries also do not end in full stops.
Change-Id: I1d2fed64549ce584418bb3b72d33bf5657c2681f
I created a basic test yesterday to cover two bugs. Now the test covers
all public methods. I was also able to get rid of the test double.
Change-Id: I53110280e3ef7b7a72d175b11b7fc4ccf1d648b3
Sigh, PHP. You allow for an array to have string "1" as a key (e.g. when
casting from object to array), but then you do everything wrong when
trying to deal with it.
Bug: T123663
Change-Id: I49f09901a69aab39ca1519bbe9e41267bf9a1216
Bot passwords are something like OAuth-lite, or Google's application
passwords: the bot can use API action=login to log in with the special
username and password, and will then be allowed to use the API with a
restricted set of rights.
This is intended to provide an easy migration path for legacy bots and
for bots on wikis without OAuth, since AuthManager is going to greatly
complicate non-interactive authentication. If OAuth is available, an
owner-only consumer would be a better choice.
Bug: T121113
Change-Id: Iaa4015e00edbfbfaedcc8b2d27a2d3fd25009159
Depends-On: I7e15331efb162275c4116bcae61f19d6b884cbe3
This also adds code to User to allow SessionProviders to apply the grant
restrictions without needing to hook UserGetRights.
Change-Id: Ida2b686157aab7c8240d6a7a5a5046374ef86d52
SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.
While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.
For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.
Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72
Introduce an ogv video file to the parser file testsuite, so that we
can use it later in TimedMediaHandler parsertests.
Change-Id: I6a3b307ad9c82e9df0aeec025934d736eec8375f
For ExtensionDistributor to provide git metadata, we need to be able to
store the cache file inside the extension directory itself. The GitInfo
class will now first check if the $wgGitInfoCacheDirectory is populated,
otherwise it will fallback to "$extensionDir/gitinfo.json".
Bug: T122769
Change-Id: Ib3457589ca6899925ae4610cfcdae22af8eaaaeb
Into a new MediaWikiPageNameNormalizer.
The code has been copied over almost 1:1, I only
left the phpunit test special handling in MediaWiki site.
Change-Id: I008cadd29a2aa1f21098339b895c35a100959b04
Use the Maintenance class's new $orderedOptions and support for
passing options multiple times. This allows for option "chaining".
The BackupDumper and TextPassDumper class now extend Maintenance, but
should continue to function as before. The public function processArgs()
has been removed and replaced by processOptions(), which takes no
parameters. It is unlikely that users of these classes were calling
processArgs.
Inheritors of these classes that overrode processOption() will now need to
override processOptions() and use Maintenance::getOption() and friends.
The maintenance/backupTextPass.inc file has been deleted. Users should
include maintenance/dumpTextPass.php instead.
Bug: T122587
Change-Id: I2473ee119c185d1b2b00ac4b1e70ee8a6cafe4a3
Very useful for passing in arguments to test Maintenance scripts.
Also, add a comment clarifying when $orderedOptions is available.
Change-Id: Ib25b3b36816bdf566c427b67646554a31a9fef0f
Normally the registry load queue should filter out duplicates, but if
people do weird things with symlinks, throw a useful error message if
the double-loading makes it all the way to the processor.
Bug: T121493
Change-Id: I47f5cd754e5f3c91e6b83a6d0ab542404347a421
Extensions that have composer dependencies can set
"load_composer_autoloader": true
to load "$dir/vendor/autoload.php" if it exists.
While it is recommended to use composer-merge-plugin to manage
composer dependencies for extensions, using a local autoloader
can be easier for development and is used by ExtensionDistributor.
Bug: T119766
Change-Id: Ib031bef17c8a7d708a5c7878e74967d19217bbc8
