Replace it all with random_bytes(), leave
only MWCryptRand::generateHex() as a convenience helper.
Change-Id: Ic30376a90e66d8f00dab86e7e6466fb3a750b87d
Uses new PHP 5.6 syntax like ...parameter unpacking and
calling anything looking like a callback to make the code more readable.
There are much more occurrences but this commit is intentionally limited
to an easily reviewable size.
In one occurrence, a simple conditional instead of trickery was much more readable.
This patch finishes all the easy stuff in the core; the remainder is either unobvious
or would result in smaller readability gains. It will be carefully dealt with in
further commits.
Change-Id: I79a16c48bfb98b75e5b99f2f6f4fa07b3ae02c5b
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
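Added example (not part of the commit above): the commit's regex run over a few constructed lines with preg_replace(), plus one constructed case showing why the replacements needed manual review for operator precedence. In PHP, `&&` binds tighter than `??`, so a ternary whose condition was `$allowed && isset( $a )` becomes `( $allowed && $a ) ?? $b` after the mechanical rewrite and can no longer return `$b`. The variable names are illustrative, not taken from MediaWiki.

```php
<?php
// Added example (not part of the commit above): apply the commit's regex to a
// few constructed lines and show one rewrite that changes meaning because
// `&&` binds tighter than `??`.

const ISSET_TERNARY = '/isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/';
const NULL_COALESCE = '\1 ?? ';

function rewriteIssetTernary( string $line ): string {
    return preg_replace( ISSET_TERNARY, NULL_COALESCE, $line );
}

// Constructed sample input; the first two lines rewrite safely.
$samples = [
    'return isset( $opts[\'limit\'] ) ? $opts[\'limit\'] : 50;',
    '$name = isset($this->name) ? $this->name : "anonymous";',
    // Hypothetical precedence trap: the ternary condition was the whole
    // `$allowed && isset( $a )`, but after the rewrite `&&` captures `$a`.
    '$v = $allowed && isset( $a ) ? $a : $b;',
];
foreach ( $samples as $line ) {
    echo $line, "\n    => ", rewriteIssetTernary( $line ), "\n";
}

// Evaluate the trap both ways to show the behavioural difference.
$allowed = true;
$a = null;
$b = 'fallback';
$before = $allowed && isset( $a ) ? $a : $b; // ( $allowed && isset( $a ) ) ? $a : $b  => 'fallback'
$after = $allowed && $a ?? $b;               // ( $allowed && $a ) ?? $b               => false
var_dump( $before === 'fallback', $after === false );
```

The first two samples are equivalent before and after because `isset()` and `??` treat an unset or null operand the same way; the third is the kind of line that has to be checked by hand after a regex pass, since the regex cannot see what precedes `isset(`.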
`$a <=> $b` returns `-1` if `$a` is lesser, `1` if `$b` is lesser,
and `0` if they are equal, which are exactly the values 'sort()'
callbacks are supposed to return.
It also enables the neat idiom `$a[x] <=> $b[x] ?: $a[y] <=> $b[y]`
to sort arrays of objects first by 'x', and by 'y' if they are equal.
* Replace a common pattern like `return $a < $b ? -1 : 1` with the
new operator (and similar patterns with the variables, the numbers
or the comparison inverted). Some of the uses were previously not
correctly handling the variables being equal; this is now
automatically fixed.
* Also replace `return $a - $b`, which is equivalent to `return
$a <=> $b` if both variables are integers but less intuitive.
* (Do not replace `return strcmp( $a, $b )`. It is also equivalent
when both variables are strings, but if any of the variables is not,
'strcmp()' converts it to a string before comparison, which could
give different results than '<=>', so changing this would require
careful review and isn't worth it.)
* Also replace `return $a > $b`, which presumably sort of works most
of the time (returns `1` if `$b` is lesser, and `0` if they are
equal or `$a` is lesser) but is erroneous.
Change-Id: I19a3d2fc8fcdb208c10330bd7a42c4e05d7f5cf3
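Added example (not part of the commit above): the comparator shapes the commit describes, evaluated side by side on unequal and equal inputs, followed by the chained `<=>` / `?:` idiom sorting constructed rows by `x` and then `y`. The `$a > $b` form is cast to int here so that PHP 8 does not emit its deprecation notice about boolean comparator results; the rows and keys are constructed for the example.

```php
<?php
// Added example (not part of the commit above): compare the comparator
// shapes the commit describes, then sort constructed rows with the chained
// `<=>` idiom.

function compareWithSpaceship( int $a, int $b ): int {
    return $a <=> $b;
}

// Old pattern: never returns 0, so equal elements are reported as "greater".
function compareOldTernary( int $a, int $b ): int {
    return $a < $b ? -1 : 1;
}

// Old pattern: correct for integers, but relies on arithmetic to be read.
function compareOldSubtract( int $a, int $b ): int {
    return $a - $b;
}

// Old pattern: a boolean can only express "greater" or "not greater".
function compareOldBoolean( int $a, int $b ): int {
    return (int)( $a > $b );
}

foreach ( [ [ 1, 2 ], [ 2, 1 ], [ 1, 1 ] ] as [ $a, $b ] ) {
    printf(
        "%d vs %d: <=> %2d | ternary %2d | subtract %2d | boolean %2d\n",
        $a, $b,
        compareWithSpaceship( $a, $b ),
        compareOldTernary( $a, $b ),
        compareOldSubtract( $a, $b ),
        compareOldBoolean( $a, $b )
    );
}

// Constructed rows sorted by 'x' first and 'y' second: `<=>` on 'x' yields
// 0 for ties, so `?:` falls through to the 'y' comparison.
$rows = [
    [ 'x' => 2, 'y' => 'b' ],
    [ 'x' => 1, 'y' => 'z' ],
    [ 'x' => 2, 'y' => 'a' ],
    [ 'x' => 1, 'y' => 'a' ],
];
usort( $rows, function ( array $a, array $b ): int {
    return $a['x'] <=> $b['x'] ?: $a['y'] <=> $b['y'];
} );
foreach ( $rows as $row ) {
    echo "x={$row['x']} y={$row['y']}\n";
}
```

The `1 vs 1` row is the one that matters: only `<=>` and subtraction return 0 there, which is what a sort callback must do for equal elements; the ternary and boolean forms report an order that does not exist.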
For addScriptFile(), just remove the appending of wgStyleVersion.
Going forward, anyone still using this should simply append a query
parameter themselves in a way that is specific to that one url
(instead of relying on a generic global variable). Alternatively, one
could use OutputPage::transformResourcePath if the file is in /w/.
For addStyles(), also remove the appending of wgStyleVersion. Since this
method takes paths relative to /w/skins, we can easily update this to
automatically use transformResourcePath(), so that file-hash based query
parameters are automatically added.
Test Plan:
* Add calls to top of OutputPage::output():
`$this->addStyle( 'Vector/README.md' );`
`$this->addScriptFile( "{$GLOBALS['wgScriptPath']}/composer.json" );`
* Before, they are both inserted as `<link>` (head) and `<script>` (body)
with a query parameter based on wgStyleVersion.
* After, the `<script>` (end of body) has no query.
After, the stylesheet (head) has a SHA1 content hash as query.
Bug: T181318
Change-Id: Ie5ab5066ef7d07279086bde838d7305e9e4eabaf
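Added example (not part of the commit above, and not MediaWiki's own OutputPage::transformResourcePath): a generic helper that derives the query string from the file's contents rather than from a global version number, so a cached copy can only be reused while the file is unchanged. The helper name, the 5-character hash length and the throwaway fixture directory are assumptions made for this example.

```php
<?php
// Added example (not part of the commit above; helper name and hash length
// are assumptions): build a cache-busting query from the file's own contents
// instead of a global wgStyleVersion-style number.

function withContentHashQuery( string $baseDir, string $relPath ): string {
    $file = $baseDir . '/' . ltrim( $relPath, '/' );
    if ( !is_file( $file ) ) {
        return $relPath; // nothing to hash; leave the URL untouched
    }
    $hash = substr( sha1_file( $file ), 0, 5 );
    return $relPath . '?' . $hash;
}

// Constructed fixture: a throwaway directory with one stylesheet.
$dir = sys_get_temp_dir() . '/rl-example-' . bin2hex( random_bytes( 4 ) );
mkdir( $dir );
file_put_contents( "$dir/example.css", "body { color: red; }\n" );

echo withContentHashQuery( $dir, 'example.css' ), "\n";  // example.css?<hash of red>
file_put_contents( "$dir/example.css", "body { color: blue; }\n" );
echo withContentHashQuery( $dir, 'example.css' ), "\n";  // query changes with the content
echo withContentHashQuery( $dir, 'missing.css' ), "\n";  // missing.css (unchanged)

unlink( "$dir/example.css" );
rmdir( $dir );
```

Because the query is a function of the bytes served, two deployments that ship identical files produce identical URLs and keep their cache entries, while any edit to the file invalidates them immediately; a global version number gives neither property.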
Test Plan:
* Add calls `$this->addScriptFile( 'example.js' )` and
`$this->addScriptFile( '/example.js' )` to top of OutputPage::output().
* Without this change, two `<script>` are added.
* With this change, only for the latter a script is added,
and the former triggers a deprecation warning.
Bug: T71277
Bug: T181318
Change-Id: I0576ef09fafa4ba34d52d75f4211fcfa28f4f3b0
This effectively applies safemode to the mw.loader client,
without the client itself needing specific knowledge of safemode.
Test Plan:
* Unchanged: When viewing a page in safemode, the 'user' and
'site' modules are still not queued by OutputPage.
* New: mw.loader.getState('site'), previously would yield
'registered', but will now yield null.
* New: mw.loader.load('site'), previously loaded the module,
it now logs a dependency warning for unknown module, like for
any other unknown module.
* New: mw.loader.using('site'), previously resolved, it is now
rejected.
Bug: T185303
Change-Id: I672e3891c8e1b3c2d13655fa134d0f1d031b8247
Follows up 70941efd35, which broke various public
signatures of the ClientHtml class that I'd prefer to handle
differently.
This commit mainly restores support for all previously public
signatures, and either removes the need for a parameter, or moves
it to the end of the original signature (as optional param).
* ClientHtml::getHeadHtml: Remove the positional/required parameter
that was added. Restoring the method to being a stateless computer
that requires no parameters. Pass the option via construct instead.
* ClientHtml::makeLoad:
- Make $nonce optional.
- Restore $extraQuery as optional.
* ResourceLoader::makeInlineScript: Document $nonce as optional
(matching the implementation).
Change-Id: Iaf33f2a060048e6606fba8d875b6d2953b21ef45
The primary goal here is a defense in depth measure to
stop an attacker who found a bug in the parser allowing
them to insert malicious attributes.
This wouldn't stop someone who could insert a full
script tag (since at current it can't distinguish between
malicious and legit user js). It also would not prevent
DOM-based or reflected XSS for anons, as the nonce value
is guessable for anons when receiving a response cached
by varnish. However, the limited protection of just stopping
stored XSS where the attacker only has control of attributes,
is still a big win in my opinion. (But it wouldn't prevent
someone who has that type of XSS from abusing things like
the data-ooui attribute).
This will likely break many gadgets. It's expected that any
sort of rollout on Wikimedia will be done very slowly, with
lots of testing and the report-only option to begin with.
This is behind feature flags that are off by default, so
merging this patch should not cause any change in default
behaviour.
This may break some extensions (The most obvious one
is charinsert (See fe648d41005), but will probably need
some testing in report-only mode to see if anything else breaks)
This uses the unsafe-eval option of CSP, in order to
support RL's local storage thingy. For better security,
we may want to remove some of the sillier uses of eval
(e.g. jquery.ui.datepicker.js).
For more info, see spec: https://www.w3.org/TR/CSP2/
Additionally see:
https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
Bug: T135963
Change-Id: I80f6f469ba4c0b608385483457df96ccb7429ae5
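Added example (not part of the commit above, and not MediaWiki's implementation): a per-response nonce drawn from random_bytes(), a script-src policy that admits only scripts carrying that nonce (with 'unsafe-eval', which the commit says is needed for ResourceLoader's local storage cache), a report-only header for the staged rollout the commit describes, and a small simulation of the browser-side check. The report endpoint path and function names are placeholders for this example.

```php
<?php
// Added example (not part of the commit above; function names and the report
// path are placeholders): nonce-based CSP with a report-only switch.

function makeNonce(): string {
    // 128 bits of CSPRNG output, base64-encoded so it is a valid nonce token.
    return base64_encode( random_bytes( 16 ) );
}

function makeCspPolicy( string $nonce, string $reportUri ): string {
    return implode( '; ', [
        "script-src 'nonce-$nonce' 'unsafe-eval'",
        "report-uri $reportUri",
    ] );
}

function cspHeaderName( bool $reportOnly ): string {
    return $reportOnly
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
}

// Script tags emitted by the page itself carry the nonce.
function makeInlineScript( string $nonce, string $js ): string {
    return '<script nonce="' . htmlspecialchars( $nonce, ENT_QUOTES ) . '">'
        . $js . '</script>';
}

// Browser-side rule, simulated: a script runs only if its nonce attribute
// matches the policy nonce exactly. Markup injected into the content area
// has no nonce, so it fails this check.
function scriptAllowedByNonce( ?string $tagNonce, string $policyNonce ): bool {
    return $tagNonce !== null && hash_equals( $policyNonce, $tagNonce );
}

$nonce = makeNonce();
$reportOnly = true; // begin in report-only mode, as the commit suggests

echo cspHeaderName( $reportOnly ), ': ',
    makeCspPolicy( $nonce, '/csp-report-placeholder' ), "\n";
echo makeInlineScript( $nonce, 'mw.loader.load("site");' ), "\n";

var_dump( scriptAllowedByNonce( $nonce, $nonce ) );  // true: emitted by the page
var_dump( scriptAllowedByNonce( null, $nonce ) );    // false: injected, no nonce
```

The nonce must be minted for each response; the commit's caveat about anonymous users is exactly the case where a cached response reuses one nonce across many viewers, at which point the value is no longer secret and the policy stops distinguishing page-emitted scripts from injected ones.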
And the counter-part in ParserOutput as well.
This follows up on 80e5b160e0, which removed the last use of this
method. It also deprecated ResourceLoaderClientHtml::setModuleScripts()
but that isn't usually used directly. The public interfaces are
mainly in OutputPage/ParserOutput, which are now deprecated as well.
Bug: T188689
Change-Id: I90baafdfc089ac03c4c3abc12065c0b60d43994e
This optimisation attempts to minimise loading the styles in places
they are not needed.
The logic is kept inside Skin::getDefaultModules to avoid fragmentation
of where modules get defined.
Update ApiParse to avoid repetition of code.
Bug: T42792
Bug: T42812
Change-Id: I59f02a7bab3baa9d43f6bc2ef1f549d9d31d8456
There has long been a hack for previewing edits to user JS/CSS, where
OutputPage would pass an 'excludepage' parameter to
ResourceLoaderUserModule to tell it not to load one particular page and
would instead embed that page statically. That's nice, but there are
other places where we could use the same thing.
This patch generalizes it:
* DerivativeResourceLoaderContext may now contain a callback for mapping
titles to replacement Content objects.
* ResourceLoaderWikiModule::getContent() uses the overrides, and
requests embedding when they're used. All subclasses in Gerrit should
pick it up automatically.
* OutputPage gains methods for callers to add to the override mapping,
which it passes on to RL. It loses a bunch of the special casing it
had for the 'user' and 'user.styles' modules.
* EditPage sets the overrides on OutputPage when doing the preview, as
does ApiParse for prop=headhtml. TemplateSandbox does too in I83fa0856.
* OutputPage::userCanPreview() gets less specific to editing user CSS
and JS, since RL now handles the embedding based on the actual
modules' dependencies and EditPage only requests it on preview.
ApiParse also gets a new hook to support TemplateSandbox's API
integration (used in I83fa0856).
Bug: T112474
Change-Id: Ib9d2ce42931c1de8372e231314a1f672d7e2ac0e
The siteinfo API response's 'writeapi' value is now hard-set to true,
as are the ResourceLoader variables wgEnableAPI and wgEnableWriteAPI,
to be deprecated later.
Bug: T115414
Change-Id: I54ff9428b247ba203d67aba079149393f323d5a9
In preparation for passing down 'safemode' from OutputPage.
Only used in one place in Wikimedia Git: OutputPage::getRlClient().
Bug: T185303
Change-Id: If01eca96986ff8d7dcdaab6910bf183ba7c7311f
This also removes all the in-core calls that had been kept for the
benefit of extensions, and causes them to not have any effect since
anything that had been calling them was already either a no-op or will
probably be broken now that nothing in core is setting or checking the
flags.
Change-Id: Id22c1a5a6d6a249debb14063ae3f8838d105b634
Eighteen uses of readOnlyPage and three of addExtensionStyle; all
have fixes awaiting merge. Marking as dependent on the only one
in a Wikimedia-deployed extension.
Depends-On: Ib3ea649bc68dd0edc025133721b46996d1e8901f
Change-Id: I636ebc7dead55f1ae654a13d3b6ebb023ecfe8e1
These comments do not add anything. I argue they are worse than having
no comments, because I have to read them first to understand they
actually don't explain anything. Removing them makes room for actual
improvements in the future (if needed).
Change-Id: Iee70aad681b3385e9af282d5581c10addbb91ac4
For browsers that support older versions of the Referrer Policy
specification (Edge and Safari), using a value from a newer version of
the specification will result in those browsers falling back to a
default of "default".
So allow $wgReferrerPolicy to have fallbacks if the browser does not
recognize the currently set value. It will emit <meta> tags for each
value in the array, but in reverse order, as browsers will use the last
one that they recognize.
Bug: T180921
Change-Id: Ie0f523fc6937c9ecffc8a6fc791c6b54d5a1cb06
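Added example (not part of the commit above): emit one `<meta name="referrer">` tag per configured value in reverse order, then simulate a browser that only knows an older set of tokens and keeps the last tag it recognises. The two token sets and the config values are constructed for illustration, not a statement of what any particular browser version supports.

```php
<?php
// Added example (not part of the commit above): reverse-order <meta> tags for
// Referrer-Policy fallbacks, plus a simulated "last recognised wins" browser.

function makeReferrerPolicyMeta( $policy ): string {
    // $policy is a string or an array of strings, most preferred first.
    $values = is_array( $policy ) ? $policy : [ $policy ];
    $tags = [];
    // Reverse so that the browser's "last recognised wins" rule selects the
    // most-preferred (first-listed) value it understands.
    foreach ( array_reverse( $values ) as $value ) {
        $tags[] = '<meta name="referrer" content="'
            . htmlspecialchars( $value, ENT_QUOTES ) . '">';
    }
    return implode( "\n", $tags );
}

// Simulated browser: scan tags in document order, keep the last value it
// recognises, skip unknown values.
function resolvePolicy( array $documentOrder, array $recognised ): ?string {
    $chosen = null;
    foreach ( $documentOrder as $value ) {
        if ( in_array( $value, $recognised, true ) ) {
            $chosen = $value;
        }
    }
    return $chosen;
}

// Constructed config: prefer the newer token, fall back to an older one.
$wgReferrerPolicy = [ 'origin-when-cross-origin', 'origin' ];
echo makeReferrerPolicyMeta( $wgReferrerPolicy ), "\n";

$documentOrder = array_reverse( $wgReferrerPolicy ); // [ 'origin', 'origin-when-cross-origin' ]
$newerTokens = [ 'origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' ]; // constructed
$olderTokens = [ 'origin', 'unsafe-url', 'no-referrer' ];                                   // constructed
var_dump( resolvePolicy( $documentOrder, $newerTokens ) ); // "origin-when-cross-origin"
var_dump( resolvePolicy( $documentOrder, $olderTokens ) ); // "origin"
```

A browser that knows the newer token lands on the preferred policy; one that only knows the older vocabulary still ends on an explicit fallback instead of silently dropping to its default.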
We still set the state in many cases for benefit of extensions, but all
calls within core should no longer be using non-default state.
Change-Id: I78b62ec33fcb8273acb9b3b4e9012215442be94c
Depends-On: I140ff32373430b61b92226689ef9b58cca317450
The only known callers were using it to call ->setEditSections( false ),
which has been the default since MediaWiki 1.19.
Change-Id: Ib021d7e80e44782ba6ebe66cf8366bae9147ce00
Depends-On: I7de0102e6cac6b5aa0147b825fa2cb6ebd37b434
Depends-On: I7b0604773a8692c7cb37fffa3fcb8aaac83d81ba
Renamed and deprecated in MediaWiki in f606fd8d since 1.27.
Only six uses in Wikimedia-hosted git repositories, marked as
dependencies. Also one use snuck back into MediaWiki itself,
fixed in this patch.
Depends-On: Ie8c13a6b1dc1b7861f6c27bbba996099375f066b
Depends-On: Ic2ea90343efda6533c06ca1325bc85d9aa776078
Depends-On: Ibba2f486f0ecb684ded7efb09f9942f5e0f5fd7a
Depends-On: Id27a48e10fd127e00f68e1020e8f40e30ba9a251
Depends-On: Ifd6db7910a71bb700484d6b588327424f11c00e0
Depends-On: I6523059941eb5f86274e364a8d5cc74b849655a4
Change-Id: I2cdfcd60fc7934830e3e6ec132958aa2aa1fe486
SVGs could already be used through $wgLogo. However, if a PNG fallback
is desired for older browsers, using SVGs was previously not possible.
This commit adds support for using an SVG image in $wgLogoHD and
using $wgLogo as the fallback image.
Usage example:
> $wgLogo = '/path/to/png';
> $wgLogoHD = [
> 'svg' => 'path/to/svg',
> ];
Note: When the 'svg' key is set in $wgLogoHD, any '1.5x' and '2x' keys will
no longer be used because SVGs can render optimally at any screen size.
@Reedy, @Krinkle and @Brion VIBBER helped me a lot with this.
Bug: T86229
Change-Id: I6197d96ce9110f4711ef2c4b198445bc5c6ae110
Make it impossible to instantiate this class without passing it
context. This appears to be the oldest wfDeprecated() in MediaWiki.
All callers have been updated.
Change-Id: I00b9e283ad22c6274b358063b9f9e60fe93d5ee7
This lets us take advantage of ResourceLoader's on the fly minification
rather than needing to ship a minified copy, which is problematic for
other distributions like Debian.
Because the startup module excludes raw modules, it is not possible to
load or depend upon this module, and trying to use
`mw.loader.load('html5shiv')` for example will throw an exception.
This follows up 3a30e03645.
Change-Id: I635e224fb043c614c4918771c7c8f836575c683b