Commit graph

129209 commits

Author SHA1 Message Date
SomeRandomDeveloper
45ebd1ba63 Update git submodules
* Update skins/Vector from branch 'REL1_43'
  to c49fab7557ab0f2478e1053a54e47dfd0e9ec6df
  - SECURITY: Insert sticky header labels as text instead of HTML
    
    CVE-2025-61657
    
    Assigning to.innerHTML to from.textContent essentially unescapes
    any characters inside the labels.
    This fixes a stored XSS vulnerability through system messages.
    
    Bug: T398636
    Change-Id: Ib78c3113a3d7b195bf348e8a52f29058eaf9a59f
2025-10-02 20:25:49 +00:00
Dreamy Jazz
49907788ab SECURITY: Use ManualLogEntry::getDeleted in ::getRecentChange
CVE-2025-61639

Why:
* ManualLogEntry::getRecentChange creates the RecentChange object
  for the ManualLogEntry instance.
** This does not currently include the deleted flags set in the
   ManualLogEntry
** Without this, the RecentChange that is created will not be
   marked as deleted and published as public.
* Therefore, this means that any code which hides a log entry
  from the creation of the entry will cause an unintentionally
  public recent change entry.
** The AbuseFilter extension attempts to suppress the log entry
   for the block on its creation, which therefore hits this
   security bug.

What:
* Update RecentChange::newLogEntry to accept a $deleted field
  which is set by default as 0 which is used as the value of
  rc_deleted.
* Update ManualLogEntry::getRecentChange to pass the value of
  ManualLogEntry::getDeleted to RecentChange::newLogEntry.
* Test that this fix worked.

Bug: T280413
Change-Id: I681a49ac7d7b22ffe259b976ad5315490dda467b
2025-10-02 19:38:49 +00:00
Dillon Hardy
2a0451f75d SECURITY: Prevent leaking hidden usernames in Watchlist/RecentChanges
CVE-2025-61646

If an individual editor makes consecutive revisions on a single page,
and only some are marked as hidden username, the non-hidden ones will
reveal the (username hidden) true identity.

Enable the "Group changes by page in recent changes and watchlist" and
"Use non-JavaScript interface" preferences to reproduce the issue. See
the referenced Phabricator tasks for more details.

The solution here is to separate hidden and visible editors from the
grouping on the frontend side, using existing helper functions.

Bug: T398706
Change-Id: I1408fe7712ffef3ba76294d8483c7b7624a0d11c
2025-10-02 19:38:49 +00:00
Dreamy Jazz
f7c717b09a SECURITY: Don't send suppressed recent changes to RCFeeds
CVE-2025-61643

Why:
* Some RecentChange objects being processed by
  RecentChangeRCFeedNotifier::notifyRCFeeds can be already
  deleted / suppressed
** This can happen for log entries which are deleted or suppressed
   when they are created such as described by T280413
* RecentChanges feeds are often not equipped to handle appropriate
  redaction of deleted or suppressed recent change entries
** Therefore, sending them suppressed recentchanges entries will
   likely publicly expose the suppressed information
* As a short-term fix we can stop sending any defined RCFeed
  instances RecentChange objects which are suppressed
** We may want to consider making RCFeeds capable of suppressing
   information before publishing the data, but that would need a
   more considered approach.

What:
* Update RecentChangeRCFeedNotifier::notifyRCFeeds to return early
  if the rc_deleted attribute on the provided RecentChange object
  isn't zero (0 means not deleted).
* Add a PHPUnit test to check for this

Bug: T403757
Change-Id: Ic5e553bab8e82e7faee323a46ed6704043c5163b
2025-10-02 19:38:49 +00:00
Roan Kattouw
71ebf1a1cf SECURITY: Escape submit button label for Codex-based HTMLForms
CVE-2025-61642

HTMLButtonField::buildCodexComponent() expects raw HTML for its button
label parameter, and this makes sense in the context of that class. But
it was also being used to build the submit button, where we were passing
in a plain text button label.

Escape the button label before passing it in, and more clearly document
that this parameter expects raw HTML.

Bug: T402313
Change-Id: I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c
2025-10-02 19:36:28 +00:00
Amir Sarabadani
199aab790a SECURITY: api: Disable maxsize in QueryAllPages in miser mode
CVE-2025-61641

This triggers slow queries and is a DDoS vector

Bug: T298690
Change-Id: Id80f166633a5085378c687551bd54056bc723c09
2025-10-02 19:21:42 +00:00
SomeRandomDeveloper
d2d60515fb SECURITY: Parse messages instead of inserting them as HTML
CVE-2025-61640

This fixes a stored i18n XSS vulnerability in
Special:RecentChangesLinked.

Bug: T402075
Change-Id: I94d89e3f14920122cfd2f949850027122d1e2b6b
2025-10-02 19:21:42 +00:00
C. Scott Ananian
5f21cc528e SECURITY: Sanitize data- attributes
CVE-2025-61638

Previously, if you managed to get data- attributes with e.g. spaces or
slashes in the name into validateAttributes(), then the rest of the
attribute name would not be validated and get concatenated into HTML
that would eventually be parsed as separate attributes (or even tag
contents and new markup, if you had a > in the name). I don’t think this
was possible via regular <p> parsing, as decodeTagAttributes() would
decode the attributes differently in that case, but it was possible via
various wikitext constructs, including {{#tag:}}.

Tighten the regex to throw out such invalid attributes, and add a few
tests in this direction. More refactoring, and especially more tests,
can happen later, once this change is public and we can benefit from CI.

Bug: T401099
Change-Id: Id095a3278083dbedba083d5aa3c1cbaa379a682f
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
2025-10-02 19:21:42 +00:00
SomeRandomDeveloper
37cc73d931 SECURITY: Escape three system messages used by live preview
CVE-2025-61637

This addresses three stored XSS vulnerabilities that allowed
injecting scripts into the DOM by editing the 'preview',
'editlink' and 'viewsourcelink' system messages.

Bug: T394856
Change-Id: I8e5a234d647ce5559a052f86d1b2ad61812764b9
2025-10-02 19:21:42 +00:00
Dayllan Maza
596c2615de SECURITY: Escape rawElement $content
CVE-2025-61636

Bug: T394396
Change-Id: I1ed54e4f063ec10d412c0db95b1bfed4a084b1d4
2025-10-02 19:18:18 +00:00
bpirkle
7c233a1670 SECURITY: REST: Set cache-control value of max-age=60 for redirects
CVE-2025-61634

Indirect redirect loops can cause a series of 307 redirects
that overwhelm the servers. Caching the redirect allows
this to resolve.

Bug: T387478
Change-Id: Ibfde4e5ece3d58a1f573c37b46b568a5847fca01
2025-10-02 11:12:19 +01:00
Taavi Väänänen
b5a171c33c COPYING: Do not reference old FSF postal address
As Debian's Lintian tool points out, the FSF has actually moved offices
and this address is no longer valid.

All updates are directly copy-pasted from
https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

Bug: T400642
Change-Id: Idb9af3119641b614d810843730fb73aebd30318c
(cherry picked from commit 8b215b44a03712b260fb71a4934fda2f89b458ae)
2025-10-02 09:32:10 +00:00
Reedy
0494d077f7 RELEASE-NOTES-1.43: Update
Change-Id: I6137566b18b768d9b424c9a44801cea030e4fe37
2025-09-30 19:54:45 +00:00
Translation updater bot
118fddb3f2 Update git submodules
* Update skins/MinervaNeue from branch 'REL1_43'
  to f9c39a05ed0cb795330e9225ed56b85a5821a69d
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I2b8c84a69e41b257c9e0b31ed6a19b36d5522e2e
2025-09-30 06:49:52 +00:00
Translation updater bot
0416eb57f8 Update git submodules
* Update skins/Vector from branch 'REL1_43'
  to 2c348ec4b81c0d2bb13520e2e0a2013604ff06f2
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I4bfe0275ced60421a60de37b6dab7f6a985beaea
2025-09-30 06:49:51 +00:00
Translation updater bot
31c89836a0 Update git submodules
* Update skins/MonoBook from branch 'REL1_43'
  to 91a719b94ec03964eff71ff1ba9cfb4cae4a84df
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Id19aa9b699b3f0480588913d06c63bcd2de5e2ea
2025-09-30 06:49:49 +00:00
Translation updater bot
5d7238a363 Update git submodules
* Update extensions/VisualEditor from branch 'REL1_43'
  to 79f3eeb4931194e61caf25a3b6d5a0448653f2d6
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I808fc1ca5f2aa4429e3d99a6ef362090d8864d27
2025-09-30 06:48:10 +00:00
Translation updater bot
d0da819481 Update git submodules
* Update extensions/WikiEditor from branch 'REL1_43'
  to f1aaaed8f14d1e6a3aa01cebed27f5aca8eb21c5
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I808fc1ca5f2aa4429e3d99a6ef362090d8864d27
2025-09-30 06:48:01 +00:00
Translation updater bot
bd01517731 Update git submodules
* Update extensions/Thanks from branch 'REL1_43'
  to 8e23f487b4db9f45e53861ce6bdd9f3a7aa4a344
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iceca1404ae33f55ac1231276e1c620a56fc6b962
2025-09-30 06:47:33 +00:00
Translation updater bot
4d92b3efac Update git submodules
* Update extensions/TemplateData from branch 'REL1_43'
  to 3e260da9cd287dc4b827aabdf5c2a46f83aafbc4
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I176411c9a26432a17f5a8b924ed852264e29dd9d
2025-09-30 06:47:32 +00:00
Translation updater bot
c42b828ec6 Update git submodules
* Update extensions/SpamBlacklist from branch 'REL1_43'
  to b6c3567c2991d342426ccc488f5eadadc2645ec3
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I82d5f2d4791d3c474c557dcd2befcf8f56a80865
2025-09-30 06:47:27 +00:00
Translation updater bot
f4e506615a Update git submodules
* Update extensions/Scribunto from branch 'REL1_43'
  to ddc54a3fca760823bd06ea0f0ebf045bf48a6ba8
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Id303f0893696fa5df174ae08973c5abef0296e59
2025-09-30 06:47:26 +00:00
Translation updater bot
de7b2eead2 Update git submodules
* Update extensions/OATHAuth from branch 'REL1_43'
  to a0efb41affd25c2f14e47ae1755307ee90e35b1e
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ibb9d11fdf29b04f843eff9a61664dfff5bf3633d
2025-09-30 06:47:04 +00:00
Translation updater bot
a2c64e15e7 Update git submodules
* Update extensions/Nuke from branch 'REL1_43'
  to 79b168a74cdc379bd6099efb3a510d3d286305fb
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I4b98110b6e9bd29a9eacc66cc4e65b8127742d24
2025-09-30 06:46:59 +00:00
Translation updater bot
77df11ec2c Update git submodules
* Update extensions/Math from branch 'REL1_43'
  to 9bdf88a7a971d5b30b50c17a88f592320780f107
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ic04f84810ca71410ca480fb9c16880b2d67a9085
2025-09-30 06:46:52 +00:00
Translation updater bot
128e4ed6c6 Update git submodules
* Update extensions/InputBox from branch 'REL1_43'
  to 0f9f87177b79490019650ae0e6965397d08ad299
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: If91fedcac6475514972c5508bf43934fbd4d9cae
2025-09-30 06:46:40 +00:00
Translation updater bot
b530a1131c Update git submodules
* Update extensions/ConfirmEdit from branch 'REL1_43'
  to 54908a917b43cee8f3f473ad97f5d5b6758b4861
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I40be83cd67657a901944ed432cd84f3c046088d9
2025-09-30 06:46:19 +00:00
Translation updater bot
5a9258e5c4 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 3f25bcc823c0fa09a8d604fb436daa06ddb244df
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ia98dc81c3ea460ab88339d9a22d8e7b19656a46a
2025-09-30 06:46:11 +00:00
Translation updater bot
3a04197639 Update git submodules
* Update extensions/Echo from branch 'REL1_43'
  to fb8fe7bf4096a40e7a000d9a25264ab4d101bdb3
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I419cfc9dcbe24416c384260668beff75b3563d0c
2025-09-30 06:46:10 +00:00
Translation updater bot
5ee481dbb7 Update git submodules
* Update extensions/CiteThisPage from branch 'REL1_43'
  to 8db01cb5b59cd647ddc178127bc0c365e609dbc6
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ib2ba0e6671cb5ddce444c97b9d9ee842e881d998
2025-09-30 06:45:57 +00:00
Translation updater bot
6e27d24827 Update git submodules
* Update extensions/Cite from branch 'REL1_43'
  to 99f2c99c9d8a27cedfadc1d3e3ff71d9c73e0076
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iee5b3446b8eb91e4ded2f1ea9e3d7dac66d817ed
2025-09-30 06:45:54 +00:00
Translation updater bot
1dd413a469 Update git submodules
* Update extensions/AbuseFilter from branch 'REL1_43'
  to 309c87a224ff278d57d4cb25420fec3bba8abe7a
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I9c22244bc450c78e5509fe1f223692b601dbbc98
2025-09-30 06:45:33 +00:00
Translation updater bot
9a98b28801 Localisation updates from https://translatewiki.net.
Change-Id: I144226431099aa89f3ae3bf3961cf7838f033388
2025-09-30 07:35:33 +02:00
Ammarpad
5015ea97ef Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 9176fadd2b9abafff7dd6ec892f12dbfbf7c8b3b
  - ApiDiscussionToolsPageInfo: Show nice error for deleted revisions
    
    This is a similar fix to b8a28d6cfc53e41aa04abe855818213f95df322d.
    
    Bug: T380351
    Change-Id: I1b03a00c5627e1fa9e48aee9e2ed3d8b1ea332f7
    (cherry picked from commit 6e17c85409a618303937382ab74850d16b60d26a)
2025-09-29 23:41:03 +00:00
Bartosz Dziewoński
0ae36261f8 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 8e770dce8ac8302f418a44ac50a7442fcacbce41
  - Remove cache compat code for content placeholders
    
    Follow-up to I563219f3298a8740e158d130492bf3d2897784d7.
    
    Bug: T396248
    Change-Id: I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d
    (cherry picked from commit 03939934677f167e34484c01ec4c7255c85a7de8)
    (cherry picked from commit afaa6d6369eb911fabd8d23496e5ffdcc079b1b3)
2025-09-29 23:05:26 +00:00
Ed Sanders
142b93787c Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 7f68a99593ff4f10457d0aea9a5723f39c1264c6
  - Support placeholders mangled by MF's HtmlFormatter
    
    Bug: T396695
    Change-Id: Ie12e90639e13218b77c7d01d50196ff0c474a4c7
    (cherry picked from commit 2bce20e8e60a8bcd2eccc6cc4bff2ed150021a83)
    (cherry picked from commit a13737b884150e28aee65d04a91a2125126ed4cd)
2025-09-29 23:01:56 +00:00
Ed Sanders
a365492815 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 802e034f11376918636074ac16b0fdaa3f92068e
  - Remove placeholders when features disabled
    
    We should always be removing unused placeholders, but
    now that they are custom elements, it is more important
    as they can affect CSS selectors.
    
    Bug: T397011
    Change-Id: I7c337149aceeb237a836439456dc8e9b826b3799
    (cherry picked from commit b93d0d64b0647bc6055856bfe9d65283e48231f3)
    (cherry picked from commit a4686b050bc7342970f8757acfc9fbb468c2685e)
2025-09-29 22:58:42 +00:00
Ed Sanders
42945d5088 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 330e614a1506a63cae6af6fdd9338bb040d6000a
  - Post-process timestamp links whenever DT is available
    
    This matches the logic in ParserHooks which adds the
    timestamp link placeholders.
    
    Change-Id: Ia3116eb2d75f6034f131a53093fbf44bceb0d9d5
    (cherry picked from commit 2cb7b2f527d5a59cb3343a28b00f9ad74267808b)
    (cherry picked from commit f874b2145c2c7f44f1d914a5a4d34f80537a31d2)
2025-09-29 22:58:34 +00:00
Alexander Vorwerk
807513767a Update git submodules
* Update extensions/SecureLinkFixer from branch 'REL1_43'
  to d7ffecb943c6f43c992f29bce3977be6d1298b03
  - Updating domains.php from Mozilla
    
    Change-Id: I7966190849dec262e75906d4e1deb107125ee64a
2025-09-29 22:38:45 +00:00
Ed Sanders
0fee83ec30 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 7737d63e81f8fb5c9ca4accd288e9cc075374536
  - Use custom elements for content placeholders, with HtmlHelper::modifyElement
    
    Instead of comment nodes and complex regexes.
    
    Bug: T396248
    Change-Id: I563219f3298a8740e158d130492bf3d2897784d7
    (cherry picked from commit 37856941cffb646067c3df1a7ef639ffe65a475c)
2025-09-29 22:38:45 +00:00
Alexander Vorwerk
5bc79fb647 Regenerate patch-drop-page_restrictions-pr_user.sql for SQLite
Bug: T400505
Change-Id: Iff77877103e3a45d3b190f9129791d9a8de7e7ae
2025-09-29 22:19:19 +00:00
Bartosz Dziewoński
1bf9db0779 Re-apply "Use Remex for DeduplicateStyles transform"
This reverts commit 7f63d5250e,
re-applying commit 82da9cf14b.
It can be re-applied safely after T354361 was fixed.

Most of the incidental changes from the original patch are
no longer needed, as they were made unnecessary by other work,
or were applied in I4cb2f29cf890af90f295624c586d9e1eb1939b95.

Change-Id: I1ff9a7c94244bffffe5574c0b99379ed1121a86d
(cherry picked from commit 09703c2c774a65dd9ee57ec83154aa1eab5a9d03)
2025-09-29 22:01:15 +00:00
C. Scott Ananian
a6739e066e Use Remex/HtmlHelper to implement Parser::replaceTableOfContents
This is more robust and secure than the regular expression previously
used to extract the <meta> tag.

We also improve HtmlHelper slightly by adding the ability to replace
an element with an 'outerHTML' string.

Because our output is being run through Remex, there is a slightly
larger degree of HTML normalization in the output than previously,
which is visible in some small tweaks to test case outputs.

Bug: T381617
Depends-On: I2712e0fa9272106e8cd686980f847ee7f6385b6f
Change-Id: I4cb2f29cf890af90f295624c586d9e1eb1939b95
(cherry picked from commit 7ebd8034b54495f28f4c5583d4fa55071634b593)
2025-09-29 22:01:08 +00:00
Arlo Breault
1f51ebac15 OutputTransform: Fix double IDs on headings
Based on Ifeaaba1d0215e6f67f889a09c02879cc9079aa19

Bug: T366083
Co-Authored-by: Bartosz Dziewoński <dziewonski@fastmail.fm>
Change-Id: I2712e0fa9272106e8cd686980f847ee7f6385b6f
(cherry picked from commit 5757066096a0eac7f722e63aa3722e068915d33a)
2025-09-29 21:11:58 +00:00
Bartosz Dziewoński
a52cd4462c Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 51f9e400a357159938cc83d62392dbdb447f5eed
  - CommentFormatter: Omit unused parameter for action=dtunsubscribe
    
    Change-Id: I109d41fa22a0fc7d4fb670b2d0afe702c4dbccef
    (cherry picked from commit 868be64d9a2731c5e1933097751685a1641d510b)
2025-09-29 20:08:38 +00:00
Ed Sanders
ab9412a7fa Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 6229dc31e9222aaa70f6d6b98189b3c90f251a9a
  - CommentFormatter: Remove code supporting legacy HTML output
    
    Change-Id: I9ffbf8425f622d3045de794b039f8e2e72015fb1
    (cherry picked from commit 6bc40e769578d24642d33bb8bf5b50f3455887be)
2025-09-29 19:58:14 +00:00
Ed Sanders
f94e0d9c71 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 3af0166f131a8147c05c1045df3edfbc51690172
  - Add signature range markers to the DOM
    
    Without these, the client side code is unable to
    extract comment message bodies. In theory there can
    be multiple signatures in one comment, but in practice
    we only care about the last one.
    
    Change-Id: I515a2878eb5aef88d05d8b62462e91500907a73a
    (cherry picked from commit 7fb4369ae8c283caa2a41a27f809b091124c0b4b)
2025-09-29 19:51:59 +00:00
Derk-Jan Hartman
702c6a814c Metadata: ignore LocationCreated, similar to LocationShown
Bug: T394968
Change-Id: I413160a056625b2a4f21c69ffbbced5b42c67bb9
(cherry picked from commit f616017c7b718157096af3dfbc101692258fcae1)
2025-09-29 16:47:32 +00:00
Reedy
d0a06b88af Upgrading wikimedia/parsoid (v0.20.3 => v0.20.4)
Depends-On: I72f3f684dc3581d1260e9fea4a9e8a224008b6b3
Change-Id: I52a637de78dfbeb265ce3b0693db678a9fcd9db6
2025-09-29 16:47:11 +00:00
Reedy
84a13300b3 Update git submodules
* Update vendor from branch 'REL1_43'
  to d9b7761127561cb4c504a86925c2c2d04088b3d7
  - Upgrading wikimedia/parsoid (v0.20.3 => v0.20.4)
    
    Change-Id: I72f3f684dc3581d1260e9fea4a9e8a224008b6b3
2025-09-29 16:26:13 +00:00