This fixes behaviour introduced by 507501d6ee.
$relPath returned false.
This "substr( $requestPath, 0, strlen( $basePath ) ) !== $basePath"
returned true, thus returned false.
$requestPath returned "/w/thumb_handler.php/7/7d/Cloudflare_dashboard_3.png/800px-Cloudflare_dashboard_3.png"
$basePath returned "/metawiki/thumb/".
Introducing wgThumbPath resolves this by allowing us to set it to
"$wgScriptPath/thumb_handler.php".
Bug: T266619
Change-Id: If9430b5b4b5db2670bb3e361b03795871aed65da
* Unlink the word "Action" in api.php description, which was unhelpfully
being autolinked to the index.php Action baseclass.
* Add links in the first sentence to the primary classes involved in
their handling so that the "Entry points" overview page includes
these links (subsequent sentence/paragraphs require an additional
click).
Change-Id: Ibe882746ea7753d5d4c90a04f6974ea807122d1c
Avoid leaking local variables into the global scope by accident, by
moving the entry point code to a function.
In index.php, document the intentional $mediaWiki global so that
nobody removes it by accident.
Change-Id: Ie1a181ae3ebdda90cd2321f0c1b50e31fb0d586e
It has become apparent that $_SERVER['SCRIPT_NAME'] may contain the same
thing as REQUEST_URI, for example in WMF production. PATH_INFO is not
set, so there is no way to split the URL into SCRIPT_NAME and PATH_INFO
components apart from configuration.
* Revert the fix for T34486, which added a route for SCRIPT_NAME to the
PathRouter for the benefit of img_auth.php. In T235357, the route thus
added contained $1, breaking everything.
* Remove calls to WebRequest::getPathInfo() from everywhere other than
index.php. Dynamic modification of $wgArticlePath in order to make
PathRouter work was weird and broken anyway. All that is really needed
is a suffix of REQUEST_URI, so I added a function which provides that.
* Add $wgImgAuthPath, for use as a last resort workaround for T34486.
* Avoid the use of $_SERVER['SCRIPT_NAME'] to detect the currently
running script.
* Deprecated wfGetScriptUrl(), a fairly simple wrapper for SCRIPT_NAME.
Apparently no callers in core or extensions.
Bug: T235357
Change-Id: If2b82759f3f4aecec79d6e2d88cd4330927fdeca
Follow-up bc1f601382, which added a group to load.php, but I forgot
to add api.php to its group.
Also, fix the pre-existing group that thumb.php and thumb_handler.php
were a part of. It looks like the entire "Media" group was not
defined anywhere, so it was ignored by Doxygen. This is now fixed.
Change-Id: Iba487aac5883f66b81f2496a38a3c978d5e6600b
Turn this into a doc group, and let the descriptions come
directly from the files in question. This makes the list easier
to maintain, and also means that the overview page becomes
discoverable whenever one is looking at the entry point file
as well. Previously the doc page pointed to the entry points,
but not the other way around. This is also fixed.
Bug: T244294
Change-Id: I891c5a37e17592edc1136d7367949927121c8bc8
The 'thumb' channel was being ignored.
Quoting Timo:
Those two lines using thumb are the only two in the
codebase that use that channel. The previous one being
introduced in 2015 and never enabled in prod from what
I can see. There is however a more common thumbnail
channel enabled in prod.
Bug: T225197
Change-Id: Icf25135baf3de09a8a734bb32b0364990b465a42
If an error occurs after output streaming has already started, don't try
to report the error to the user. Just log it internally.
Bug: T225197
Change-Id: I8fd02987844161cf2fcb6cbe5a08e211256c3d4d
Set appropriate headers and flush the output as needed to avoid blocking
the client on post-send updates for the stock apache2 server scenario.
Several cases have bits of header logic to avoid delay:
a) basic GET/POST requests that succeed (e.g. HTTP 2XX)
b) requests that fail with errors (e.g. HTTP 500)
c) If-Modified-Since requests (e.g. HTTP 304)
d) HEAD requests
These last two still block on deferred updates, so schedulePostSendJobs()
does not trigger on them as a form of mitigation. Slow deferred updates
should only trigger on POST anyway (inline and redirect responses are
OK), so this should not be much of a problem.
Deprecate triggerJobs() and implement post-send job runs as a deferred.
This makes it easy to check for the existence of post-send updates by
calling DeferredUpdates::pendingUpdatesCount() after the pre-send stage.
Also, avoid running jobs on requests that had exceptions. Relatedly,
remove $mode option from restInPeace() and doPostOutputShutdown().
Only one caller was using the non-default options.
Bug: T206283
Change-Id: I2dd2b71f1ced0f4ef8b16ff41ffb23bb5b4c7028
I doubt there was ever a good reason for mangling $_GET to add the
title, this was just b/c for the sake of b/c. It was formerly used in
core but that was so long ago that I doubt there was any usage in
extensions at the time. Now there is one usage of $_GET['title'] in an
unmaintained extension, but it was only added in 2017.
Also I added WebRequest::getQueryValuesOnly() which is an interface to
the unmodified $_GET. The motivation is allowing OAuth to work with the
REST API, since OAuth needs an unmangled view of $_GET for signature
generation. The Action API gets around the problem with a special hack
in interpolateTitle(), disabling it for the Action API only.
A review of callers of getQueryValues() suggests that many would
benefit from using getQueryValuesOnly() instead. But I only changed it for
callers in api.php and thumb.php since the effect of the change there is
certainly beneficial, whereas callers under index.php may possibly be using
the path parameters to construct self-links.
Rest\RequestFromGlobals uses $_GET directly, which means that this
change causes it to not return PathRouter matches as GET parameters
anymore.
Change-Id: Ic469577fae17c0b1ac69466df7bc9f03e61c74e3
Define the global constant MW_REST_API in rest.php, by analogy with
MW_API. Also generalize this by adding MW_ENTRY_POINT, which contains
the entry script name, "cli" or "unknown". This allows tests such as
if ( MW_ENTRY_POINT !== 'index' )
which is probably what is really intended by defined('MW_API') in many
cases.
Change-Id: I24099f4cdd170de17afd6e1bbad67c9b204071fc
T208768 introduced the PermissionManager service that can now be used
for page specific permission checks. This change replaces remaining calls
to Title::userCan() with the new service in MediaWiki core.
Bug: T220191
Change-Id: Ie45e0cb6aa49a8c66147b470946161fc18160fc1
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
Disable it in specific files and places where there are legitimate uses
to access $_GET and $_POST directly.
For EditPage, which wants to output $_POST for debugging information,
introduce WebRequest::getPostValues() as a wrapper, matching the
existing ::getQueryValues().
Change-Id: I2cb0a7012fb7ed29dcd720056b42f56508ddc5fa
There is no need to escape double quotes in content of HTML and in HTML
comments.
ENT_NOQUOTES escapes '<', '>', '&' but not "'" and '"'.
https://secure.php.net/manual/en/function.htmlspecialchars.php
Change-Id: I7146df9582fc1d9742b9e1b0e4f03d7c7d2ed91f
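
The context distinction behind the ENT_NOQUOTES change above, as an added example that is not part of the commit or of MediaWiki: the helper names and the sample string are constructed for illustration. It shows that quote-preserving escaping is sufficient for element content and comment bodies but not for quoted attribute values.

```php
<?php
// Added example, not MediaWiki code. All sample strings are constructed.

/** Escape text for element content or the body of an HTML comment. */
function escapeForContent( string $text ): string {
	// ENT_NOQUOTES converts only &, < and >; both quote characters pass through.
	return htmlspecialchars( $text, ENT_NOQUOTES, 'UTF-8' );
}

/** Escape text for a quoted attribute value. */
function escapeForAttribute( string $text ): string {
	// ENT_QUOTES additionally converts " and ', so the value cannot end early.
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

/** True if the escaped text still holds a character that would close a quoted attribute. */
function canCloseAttribute( string $escaped ): bool {
	return strpbrk( $escaped, '"\'' ) !== false;
}

$sample = 'say "hi" & <b>it\'s</b> -->';

$content = escapeForContent( $sample );
$attribute = escapeForAttribute( $sample );

// Element content and comment body: markup and the "-->" terminator are neutralised.
echo '<p>' . $content . "</p>\n";
echo '<!-- ' . $content . " -->\n";

// Quoted attribute value: needs the quote-escaping variant.
echo '<p title="' . $attribute . "\">text</p>\n";

// The content escaper is not interchangeable with the attribute escaper.
var_dump( canCloseAttribute( $content ) );
var_dump( canCloseAttribute( $attribute ) );
```
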
It's unreasonable to expect newbies to know that "bug 12345" means "Task T14345"
except where it doesn't, so let's just standardise on the real numbers.
Change-Id: If82c31fc877249d6fa3727b79c3bb8369ad9382b
This was requested because of 0px thumbnail requests, but there are
other cases where parameters are detected as invalid and 400 is
semantically more correct than 500 in that situation.
Bug: T147784
Change-Id: I4d24a93e655f04d8119e77798d5df5a45caaafcf
Status::getWikiText is used for internal logging, api error messages and
maintenance scripts. All these places are usually in English, so pass an
English language to getWikiText.
Change-Id: I3010fca8eb5740a3a851c55a8b12e171714c78f7
Add new streamFileWithStatus() methods to FileRepo and
MediaTransformOutput that can be used to get more detailed error
information on failure. The historic streamFile() methods become simple
wrappers to the new methods. Thumb.php is changed to use the
streamFileWithStatus() methods so that failure reasons can be logged.
Change-Id: I3088cde2044a7ff00841e53ca252d0b222c8b518
The callback is named doCachedWork, not getCachedWork. The typo
made it so that if multiple people try to render a file at once,
MediaWiki would not check if the last person to go already did the
needed work.
This might not make as much difference as it would sound, as the
pool counter lock is for the entire file, not a specific size,
and I'm unsure if swift has an equivalent of "slave lag", where the
check to see if a cached version is available might happen before
the write is totally visible.
Also merge the fallback handler into the error handler, so we get
actual error messages reported.
Change-Id: I12d228961de39cffc3d492554d93e30bd741adc9
Also consistently use self:: instead of BagOStuff:: for constants
referenced within the BagOStuff class.
Change-Id: I20fde9fa5cddcc9e92fa6a02b05dc7effa846742
* This adds noise to logs and graphs that can look like outages
due to a single crawler.
Bug: T110109
Change-Id: Ie2a1edd0330b0f858729fcc56c828c11d9c7476c