Without brace expansion the result is empty.
The test counts as skipped test
Follow-Up: I757eb043f8043d6620fb69bd072d9bb9e97ad163
Change-Id: I394c58887a30befe25ed72897bf0608b49f37b0d
(cherry picked from commit 030a951e142d15e90fbee16d2bf1571505e4c2a6)
Catch the exception and return Http Code 400 as already done in the
class for the non-redirect code path.
To get the exception, visit /thumb.php?f=Redirect.jpg
Bug: T387684
Change-Id: I45202572dfce8b60a8aed9343f7d99e2eee12415
(cherry picked from commit b43c89b297e895cb77fbf0f9efd987c6dbf7f50e)
When q is not followed by =, the array has not enough items and
unpacking results in undefined array key. Also $val is set to null,
resulting in php deprecation warning on trim()
Bug: T391867
Change-Id: Ia5d4c9b6fb788ad4390d2562c6f38682f280a634
(cherry picked from commit cda46ed9f0c31280a8db59a2f0387e64e6308906)
CVE-2025-32699
Ensure that Unicode NFC normalization can be applied to our HTML
output safely. Even though the W3C officially recommends against
normalizing HTML
https://www.w3.org/International/questions/qa-html-css-normalization#converting
this is still easily done inadvertently, especially when using the
MediaWiki action API which normalizes parameters and results by
default.
See also I671648603c4635a35585c860b4857f5ea085e47f in Parsoid, and
T266140 / I2e78e660ba1867744e34eda7d00ea527ec016b71 for another similar
issue.
The following changes are made:
* The various HTML serializers (Remex/Tidy-derived, as well as the
Html::* helpers) are tweaked to entity-escape U+0338 wherever it
appears.
* Similarly, Message::escaped() is tweaked to entity-escape U+0338.
* Finally, a post-processing pass is added to the OutputTransform
pipeline to catch any remaining U+0338 and entity-escape them.
This catches U+0338 added during any of the previous OutputTransform
stages (like TOC insertion, section edit links, etc).
*When backporting* this code will likely need to be moved to
ParserOutput::getText(), as the OutputTransform pipeline wasn't added
until MW 1.42.
Bug: T387130
Change-Id: I66564e14e730f5393f4fa5780b80f24de6075af5
Same as was done in 5f2584b648
Bug: T391586
Follows-Up: I966cddb337c9373ed3a369496548a8d8c538ae84
Change-Id: I757eb043f8043d6620fb69bd072d9bb9e97ad163
(cherry picked from commit 7a84c34398639d3422f81ab9711539c34d435621)
A crude solution for the acquireTarget() race condition. Use SQL
GET_LOCK() to lock the target from the acquireTarget() call until the
transaction is committed.
Add FOR UPDATE to the acquireTarget() SELECT, otherwise it just sees the
snapshot version of the row and inserts a new row anyway.
Add a test which reliably failed prior to the change.
Reword the ipb-block-not-found message. This is normal for simultaneous
blocks of the same target. Don't contact us. In the API, remap it to
"alreadyblocked".
Bug: T389028
Change-Id: I1fa35bf08d456a93930194786f77df389217ba61
(cherry picked from commit 2b65587e4d92e7f27661e8821b14f74ade939cfa)
Added in 2022 with I7d97c9e2d4 (c6a0d433ec) for Ie430acd075
(e82f11c246) which was (after a revert and re-apply) eventually
removed after the warmup completed (I852060c8a4, 3df4952385).
Bug: T322672
Bug: T387478
Change-Id: I1921b4f985fb27b2227aef4a0eba6751c1c0b8d5
(cherry picked from commit 2a5cf3fde93263156557bc1efd21c5a74ce67725)
These .htaccess files are intended to prohibit all web access. But if
the user sets "Satisfy Any" on a parent directory, in conjunction with
any permissive require directive like "Require all granted", access will
be allowed despite "Require all denied" in .htaccess.
So, override Satisfy so that the "Require all denied" will reliably take
effect.
Note that "Satisfy All" is the default. This only affects non-default
installations.
Change-Id: Ia5862fb69e439b7ea2ed7af011e1ebf8f1b1f6d6
(cherry picked from commit a50d2e69f8ce9e5720b05615d04c35cc9008b6ae)
Why:
`ChangeTags::buildTagFilterSelector` is an opinionated chain of calls
that results in the markup for a select input with specific tag options
(explicitly and software defined tags that have hits). In order to
support customization to the `HTMLTagFilter` widget, add support for
parameters.
These parameters will support filtering for active-only tags or not
and choosing between all on-wiki tags or software-defined tags only.
What:
- Support an `activeOnly` parameter, which will either show all defined
tags or only tags that have hits (active)
+ For legibility, add `TAG_SET_ACTIVE_ONLY` and `TAG_SET_ALL` constants
to support this parameter
- Support a `useAllTags` parameter, which if true will use all tags
and if which false will only use software-defined tags
+ For legibility, add `USE_ALL_TAGS` and `USE_SOFTWARE_TAGS_ONLY`
constants to support this parameter
Bug: T378622
Change-Id: Ib6ba27944cdf22bdb05dbfd34b2e5f8727261da7
This patch reworks RestrictionStore::getCascadeProtectionSourcesInternal
to return a third and fourth array:
* One for cascading restrictions originating from templatelinks
* Another for those originating from imagelinks
They are used in PermissionManager::checkCascadingSourcesRestrictions
to differentiate cascading protection of file content and file page,
but could also be used in the future by action=info and other callers.
Bug: T24521
Bug: T62109
Bug: T140010
Change-Id: Ia5863f418538106f4fd657c672298ff6ac835805
(cherry picked from commit 7a4952ef2c5d593fae9419bad39f3e9894f42adf)
Why:
- PermissionManager::getUserPermissions() checks whether the user is
blocked if $wgBlockDisablesLogin = true, so that it can then limit
user's permissions to the set of permissions assigned to unregistered
users if so.
- This causes the GetUserBlock hook to run, which may itself check
permissions on the user (e.g. in the GlobalBlocking extension),
causing an infinite loop.
- Since the decision whether the user is blocked isn't yet final by the
time GetUserBlock runs, any permission checks triggered by
GetUserBlock handlers should see the user's full set of permissions.
What:
- Stash the user's permissions in PermissionManager's in-memory cache
before running block checks if BlockDisablesLogin = true.
- Add tests.
Bug: T384197
Change-Id: I3e3804fe518627e9edc2b574cce88f533fd93fe4
(cherry picked from commit 27062b9f8752cc853a65e8a46c9d7d1a9af32c48)
Why:
- Revision meta-data output was failingfor revisions with suppressed
user or comment
What:
- Handle suppressed user and comment gracefully
- add regression test
Bug: T386368
Bug: T387397
Change-Id: Ic6d3fc89d24030f5c3fd422637816de9976fc709
(cherry picked from commit 8c53a15ba0fae2677aa8e28055f06ef557595be6)
Why:
- Setting the increment to 0 should check the limit without bumping it.
- This was apparently broken by If3e66491306f22650.
What:
- Use LimitBatch::peek if the increment amount is 0
Bug: T381033
Change-Id: Ife76a1976a2063f051f00302e5adaebd701e6367
(cherry picked from commit e09606b3dc44711571cc6cf2d0d11bd7784d0cdd)
If $mailparts does not contain two elements (which would be the case when the separator `@` is not present in the string), then we cannot
access $mailparts[1].
In this case, the entire path as is, is treated as the host.
Bug: T380880
Change-Id: I10187c93e67ce9294ff0b3866939d2c7d7292a9a
(cherry picked from commit c2db58c55bef207dd37ac5fe0b07aa28ee4bd2d5)
Why:
- The REST API takes an optional renderid param when converting HTML
back to source wikitext, which is user-provided and may be invalid.
- Invalid render IDs cause an InvalidArgumentException to be thrown that
causes a 500 response.
What:
- Introduce a new error message for invalid render IDs in the REST API.
- Return a 400 with this new error message for HTML reverse-parses with
an invalid render ID.
Bug: T385568
Change-Id: I062419fe8952329a39781a49cdca2e94c3996447
(cherry picked from commit cd1d42a5066e4bcb9b9d4ed9b4f7714fd428fea3)
Why:
- ParsoidRenderID::newFromKey() validates incoming keys and throws an
InvalidArgumentException if a required key component was missing.
- It does so by eagerly destructuring the return value of explode(),
which causes a PHP Notice for invalid inputs as the expected offsets
won't exist then.
What:
- Check the count of key parts before destructuring.
- Add unit tests.
Bug: T385567
Change-Id: I1d936ae038f85ffa2e5d1d3d8a75fdc75e4c8ef8
(cherry picked from commit eec130925c081c2da1c475f9a9ce719e6838ca51)
SemanticMediaWiki creates its own bootstrap and displays
a bunch of information. In [0] this broke this.
We already look for bootstrap anyways, we just don't use it.
We fix this by checking for bootstrap and only setting a default
if not supplied.
[0] d2a30096f1
Change-Id: Iebb1949cc6a253640f40f1ac048ab50f99cac02a
(cherry picked from commit d43c69b25f05801ac3c255a2dfdbe03e820029ca)
session.use_trans_sid is a PHP antifeature that tells PHP to add
session IDs to all local URLs by modifying the HTML it's told to
output. We have set it to false just in case, but now that's
triggering deprecation warnings.
Bug: T380755
Change-Id: Iace0dcdb23eedb432cc1c032bbb3ce31d34071be
(cherry picked from commit 3b948a3da4be2a20573db01d611d601f2f90f2e5)
This has been failing integration tests since 20250101 because all 2024
become 2025.
Bug: T382848
Change-Id: I5aa71bb7644cfb42140d8eaba9f408e762b2937c
(cherry picked from commit ba68c4494298bcaba7c8d1e1acaecff002cb3aac)
json_decode now emits a deprecation warning when called with null.
Before it would just return null anyway in these cases so I just
introduced a way around that avoids calling the mehod in the frist
place.
Bug: T382590
Change-Id: I47b7aca331a405bb3d2865cc280ef3ced537f84b
(cherry picked from commit b2fad75337256aaabd6e892bdd4bea8f86b47d5c)
Why:
- The test ClockTest::testShouldReturnCurrentTime is flaky.
- Ie48d9400cf3bb99467a16b9ea0cce6172e2e2568 recently augmented
the ConvertibleTimestamp library to allow faking hrtime(), which will
be a better solution for this class and test than the current
assertion.
What:
- Skip the test until core is updated to the latest version of
ConvertibleTimestamp.
Bug: T379562
Change-Id: Iae502ed0344f45f89da575f1c5d1e0fb9c1e4dfa
(cherry picked from commit a930114b4240ec311a56eef7f814f378cc3d5f88)
There's no point in retrying a job when you get "Revision x is not current".
It just causes log spam. Makes people think there's a problem when there isn't as it
logs in the error channel.
Bug: T379656
Change-Id: Iaa5bd006bf3f26277e81ad5bea1387ef4b925f68
Why:
* Special:PasswordReset allows users to send an email containing
a temporary password to the email address attached to an account.
* Temporary accounts do not have passwords and cannot have an email
address set (as they cannot access Special:Preferences).
* Therefore, Special:PasswordReset does not provide holders of
temporary accounts a way to get access back into the temporary
account if they loose access.
* However, the form currently accepts temporary account usernames
and we should update the functionality to reject such usernames.
What:
* Update SpecialPasswordReset to reject temporary account usernames.
* Expand tests for SpecialPasswordReset to check this fix has worked.
Bug: T380085
Change-Id: I004453d4d16cd2a0448ac3922e4d13c24a158c8d
(cherry picked from commit e27be818690820c0df227cb06206da499eb94d38)
When parsing wikitext like `{{func:a|b|c}}`, jqueryMsg accepted
multiple expressions in the parameters following '|' (which are
handled by templateParam()), but not in the first parameter
following ':' (which is handled by templateWithOutReplacement()).
So, `{{#FORMAL:Informal hello|{{GENDER:|Formal}} hello}}` worked,
but `{{#FORMAL:{{GENDER:|Informal}} hello|Formal hello}}` didn't.
Now they both work.
Bug: T379418
Change-Id: Ia4d57fd953dbd34e45789208ec8e765cce6ddf15
(cherry picked from commit 8b173830762738206919bd7b1a9ce3bba72dab5d)
MWCryptHKDF was added ten years ago (in af66c04d39), and as far as
I can tell, it was never used anywhere. It seems unlikely that CryptHKDF
will be used in the future, at least in its current form, for several
reasons:
* PHP 7.1.2+ has hash_hkdf(), so HKDF() would not be needed.
* At the time MWCryptHKDF was created, access to a CSPRNG was dependent
on server configuration: operating system, enabled PHP extensions,
open_basedir, etc. The "clock drift" RNG used as a last resort was not
considered to be secure or fast enough for generating large amounts of
output.[1] random_bytes(), added in PHP 7, changed the situation.
* Depleting the input pool of Linux's RNG is no longer a concern; there
is no more blocking output pool for /dev/random.[2][3] In 2022, this
change and others, including some that improved performance,[4] were
backported to stable kernels as old as 4.9.[5]
* $wgAuthenticationTokenVersion obviated the primary use case of
quickly resetting the user_token field for all users, assuming all
the existing tokens are unique.
* CryptHKDF seems to perform much slower than random_bytes(), at least
on Linux, making it pointless to use given that the other reasons for
its existence no longer apply.
[1]: https://bots.wmflabs.org/logs/%23mediawiki-core/20161004.txt
[2]: https://lwn.net/Articles/808575/
[3]: https://lore.kernel.org/all/cover.1577088521.git.luto@kernel.org/
[4]: https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
[5]: https://lore.kernel.org/all/Yo3pmh9hiUFtQz77@zx2c4.com/T/
Change-Id: I29136fad826341d21728671aa30285d5551f1162
* Add FileBackend::addShellboxInputFile(), allowing Shellbox to read
directly from a FileBackend. Add generic, FS and Swift
implementations.
* Add FileRepo wrapper, which takes a FileRepo virtual URL.
* Add File::addToShellboxCommand(), which allows a File to be used as
input in a Shellbox command.
* Add configuration.
* Extend FileBackend::getFileHttpUrl(), adding method and ipRange
parameters. Unindent existing code.
I was going to add support for PUT requests, but I reverted it due to
the impossibility of supporting FileBackendMultiWrite. I left the method
parameter in getFileHttpUrl().
Bug: T292322
Change-Id: If9487a0c9586065bf044b69ac04cc7a06b6e8856
(cherry picked from commit 8cdde9dcb03e33332e49aed06aa71b60ae2c9b33)
This can cause PHP to try to load the param value as a class, with
potentailly disastrous results (though it’s not quite clear if this can
actually cause attacker-supplied code execution or not).
Bug: T377912
Change-Id: I0239b3e65cf516c6fdf287882f05e47a01f963c1
(cherry picked from commit cdf11b23474024dfe39057993372f2126302e244)
Add support for the new {{#FORMAL:}} syntax in jqueryMsg.
Add formalityIndex to mw.language.data, and add parsing for
this syntax mediawiki.jqueryMsg.js.
Bug: T366602
Change-Id: Idc6ce0d590729830fd734cccae860f2430b8475c
(cherry picked from commit 05170a2ea8d10b5f177cba1797e00babea52e941)
This was seen in WMF production during a train deployment, where namespacing of classes,
which had been serialized (for example CacheTime), along with our PSR-4 definitions may result
in cases where PHP tries to load the same PHP file more than once. Combined with non obvious
error messages, require_once gives us better behaviour and error messages.
More explicitly:
In T378006, the autoloader is entered from class_exists(), and the class has a filename
resolvable with PSR-4 which is already loaded by a non-PSR-4 class name. Using require_once
would allow class_exists() to return false in that case.
In T372500, the autoloader is entered from unserialize(). It looks like require_once would
just give you a more informative error message.
Bug: T378006
Bug: T372500
Change-Id: I928f29198af9baf81a3cae604b3adf41595c2176
(cherry picked from commit 03dd4ae7ae0e2ce7e45f0bf2cb913642eef842a8)
Implicitly marking parameter $... as nullable is deprecated in php8.4,
the explicit nullable type must be used instead.
Followup to e662614f, using PHPStan.
Bug: T376276
Change-Id: I60d639b042b537bf2f531cc132f1b75a66b85acb
(cherry picked from commit da0a395efa7847916371f9c0a6b271faa022ff59)
Why:
- When a revision is imported and the wiki is configured to show
category changes in RecentChanges, a CategoryMembershipChangeJob is enqueued
that in turn runs CategoryMembershipChange for each category change.
- The resulting RC entries use the timestamp of the imported revision,
rather than the current time.
- If the revision being imported is older than $wgRCMaxAge, this can
cause the RC entries to be immediately deleted with a 1/10 chance by a
probabilistically enqueued RecentChangesUpdateJob.
What:
- Use the current timestamp for RC entries derived from
CategoryMembershipChange instances created for imported revisions,
instead of using the revision's timestamp.
Bug: T377932
Change-Id: Id697087b29e76ac64885f8c7a0e670f201474449
(cherry picked from commit 83d6c6870c1dca7e063bb4ac82c8675b085cc0fb)
Changes to the use statements done automatically via script
Addition of missing use statement done manually
Change-Id: I73fb416573f5af600e529d224b5beb5d2e3d27d3
