Commit graph

385 commits

Author SHA1 Message Date
Aaron Schulz
e369f66d00 Replace wfRunHooks calls with direct Hooks::run calls
* This avoids the overhead of an extra function call

Change-Id: I8ee996f237fd111873ab51965bded3d91e61e4dd
2014-12-10 12:26:59 -08:00
jenkins-bot
cad7a1125d Merge "Don't try to verify XML well-formedness for partial SVG uploads" 2014-11-06 18:50:29 +00:00
Mark Holmquist
7585e214d2 Add more detailed upload stash error messages
There are seven (used) error types in the stash class, and we umbrella'd
them all into one error message, which is mighty silly. This should give
us more information.

Also added to the mw.Api.errors list so UploadWizard can handle them.

Change-Id: I79bf0c29a4cef19363d111cc1128e35256ae572a
2014-10-27 19:41:25 +00:00
jenkins-bot
cc8cfcde3d Merge "Avoid attempting to prerender thumbnails that will fail" 2014-10-03 17:45:15 +00:00
Gilles Dubuc
0ce5bafb4b Avoid attempting to prerender thumbnails that will fail
For non-vectorial content, requesting a thumbnail larger than
the original results in a 500. Prerendering in its current form
introduces an increase in 500s that dilutes the real problematic
500s, making troubleshooting harder than it needs to be.

Change-Id: I9418dee7653ad7954c3788ecdd350fc8772edd32
Mingle: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/301
2014-10-03 18:09:07 +02:00
Brad Jorsch
d1bbbe61c4 Don't try to verify XML well-formedness for partial SVG uploads
Chunked uploads of SVGs are currently failing with "invalid XML" errors
because UploadBase::detectScriptInSvg() requires the full file but is
being called from UploadBase::verifyPartialFile().

So let's do the check twice: once in UploadBase::verifyPartialFile()
where it will pass if non-well-formed, and once in
UploadBase::verifyFile() where it will fail if non-well-formed.

Bug: 65724
Change-Id: I6126e185eb4b183c31946f13c576521f1ed19c16
2014-10-03 11:49:45 -04:00
jenkins-bot
31f73c4213 Merge "Made upload jobs avoid using the user session" 2014-10-03 15:41:11 +00:00
Gilles Dubuc
478332cfbe Fix version comments in thumbnail prerendering code
Change-Id: I74b52d2ecc382dfc0b55615ce512e8c64d02e9cb
Mingle: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/301
2014-09-30 14:20:11 +02:00
Aaron Schulz
c7844017c0 Made upload jobs avoid using the user session
* This causes problems with some session handlers and it is
  also trickier to deal with in non-CLI scripts without leaking
  cookie headers.

Change-Id: Iaf2a57f9299e42a5f68bf85115e62e88fa0f8ed6
2014-09-29 16:35:59 -07:00
umherirrender
df24b7209d Fixed spacing
- Added newline at end of file
- Removed double spaces/newlines
- Added space after if/function and parentheses/brackets
- Removed space before comma/cast
- Fixed indent of some lines

Change-Id: I29867ffdffdfb7d2b56997e9393497c7dc12f7d3
2014-09-29 20:46:19 +02:00
jenkins-bot
e6e6861881 Merge "Add ability to pre-render thumbnails at upload time" 2014-09-25 15:40:07 +00:00
csteipp
6aa3befeb0 SECURITY: Enhance CSS filtering in SVG files
* Filter <style> elements
* Normalize style elements and attributes before filtering
* Add checks for attributes that contain css
* Add unit tests for html5sec and reported bugs

Bug: 69008
Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
2014-09-24 21:06:54 +02:00
Gilles Dubuc
623d778902 Add ability to pre-render thumbnails at upload time
This introduces an option that allows one to define a list of
thumbnail sizes to be rendered by async jobs at upload time.

Change-Id: Ida193699738c79aca333fa78b8b536d14a410841
Mingle: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/301
2014-09-12 09:20:41 +02:00
umherirrender
3a85ac488f Do not return anything on __construct
Change-Id: I47f67ed17112af832b19f7e7538cae3e0b8354ef
2014-08-24 11:29:45 +02:00
jenkins-bot
496e14b0b2 Merge "Correct variable names in @param to match method declarations" 2014-08-13 20:13:37 +00:00
Yuri Astrakhan
703464a88c Cleanup - let's make IDEs more useful
http://phpdoc.org/docs/latest/references/phpdoc/types.html

If IDEs have many warnings, we don't look at them.
Let's minimize the number of warnings, and make them useful again.

* Some function docs fixes
* Removed unused $iwprefixes var in ApiQuerySearch.php
* declared private $blockStatusByUid in SpecialActiveusers
* declared private $repo in UploadFromChunks

Change-Id: Ifd20f78b168b9a913fdb8d89dc26a76a173b1c29
2014-08-13 16:02:59 -04:00
umherirrender
21e0c1c533 Correct variable names in @param to match method declarations
Some @param have a typo in the variable name,
some @param's were in wrong order.

Change-Id: Ie25806831027112b398f6f4a909c59147ac3a5fa
2014-08-13 21:48:28 +02:00
rillke
c31fbf073e Unify the spelling of MIME in documentation
Writing MIME as written in Wikipedia and some documentation clean up.

Change-Id: I9dfc36d2bf55d72d9374c4075bd6d45eef0415a4
2014-08-07 23:38:45 +02:00
Matthew Flaschen
731a7a8ebd Clarify comment in UploadBase
Change-Id: Ied29298d312ca19ecfdd2196fafa89130321987c
2014-07-28 22:48:42 -04:00
Antoine Musso
dcdf45010d Remove some duplicate newlines in call to wfDebug()
Spotted on beta:

--------
commonswiki-375c0c3e:

0.0752   1.9M  mime: <image/png> extension: <png>

--------

With lots of requests, that causes them to be interleaved and ungreppable.

Change-Id: Ib99bc9547bdecb9efa59b7d292ddd7d10a552652
2014-07-27 14:31:26 +00:00
umherirrender
768ac15c70 Cleanup some docs (includes/[s-z])
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Capitalizes the beginning of @param/@return/@var/@throws
- Changed some types to match the more common spelling

Change-Id: Ie419638e909a47aa72a274043604247830ee1a81
2014-07-24 19:43:44 +02:00
jenkins-bot
79d908ef74 Merge "Fix mime detection of easily-confused-with text/plain formats" 2014-07-04 07:43:42 +00:00
Brian Wolff
69905ce9c7 Fix mime detection of easily-confused-with text/plain formats
json, csv, and tsv are often detected as text/plain. However that's
not right. This patch causes MediaWiki to look at the file extension
of files detected as text/plain, and if the file extension is
for a "textual" type, use the mime type associated with that extension.

This change also changes the "does mime type match uploaded file
extension" check to use the mime based on the file contents
plus extension, as opposed to just the file contents. Various
documentation suggests this is more appropriate (e.g. line 807
of MimeMagic.php). In my opinion we should use just the file
contents when verifying file is not on blacklist, but use ext
when verifying file type matches extension, and for deciding
what handler-specific checks to run. Note that detect-MIME-type-
with-extension doesn't override the detected MIME type with
the extension, but only uses the extension if content-based
detection is ambiguous or not specific enough.

This patch should be reviewed by csteipp before merge for
any potential security implications.

Note: This is partially fixing a regression from 3846d10487,
where previously csv and json files were allowed to be uploaded,
and that change prevented them.

Bug: 66036
Bug: 45424
Change-Id: Ib637fe6850a81b26f84dc8c00ab4772f3d3a1f34
2014-07-04 04:03:31 -03:00
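The detection order that commit 69905ce9c7 describes, as an added example in Python rather than MediaWiki's PHP: content sniffing first, the extension consulted only when the content result is the non-specific text/plain, the blacklist applied to the content-only type, and the extension/type agreement check applied to the combined result. The magic table, the textual-extension table, the blacklist and the result strings are assumptions made for this illustration, not MediaWiki's tables or message keys.

```python
# Added example, not MediaWiki code. All tables below are assumptions.
import os

# Extensions whose content usually sniffs as text/plain, mapped to the
# more specific type the extension implies (assumed table).
TEXTUAL_EXTENSION_TYPES = {
    "json": "application/json",
    "csv": "text/csv",
    "tsv": "text/tab-separated-values",
    "txt": "text/plain",
}
# Expected MIME type per allowed extension (assumed table).
EXTENSION_TO_MIME = {
    "png": "image/png",
    "pdf": "application/pdf",
    **TEXTUAL_EXTENSION_TYPES,
}
# Minimal magic-number table for content-based detection (constructed).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"<!DOCTYPE html", "text/html"),
    (b"<html", "text/html"),
]
# Types that must never be stored, whatever the extension says (assumed).
MIME_BLACKLIST = {"text/html", "application/x-php"}


def last_extension(filename):
    return os.path.splitext(filename)[1][1:].lower()


def sniff_mime(data):
    """Content-only detection; unrecognised printable input is text/plain."""
    head = data[:512]
    for prefix, mime in MAGIC:
        if head.lower().startswith(prefix.lower()):
            return mime
    if head and all(b in (9, 10, 13) or 0x20 <= b < 0x7F for b in head):
        return "text/plain"
    return "application/octet-stream"


def detect_mime(data, filename):
    """Content detection, refined by the extension only when the content
    result is the non-specific text/plain. A specific content match
    (PNG bytes named .csv) is never overridden by the extension."""
    mime = sniff_mime(data)
    if mime == "text/plain":
        return TEXTUAL_EXTENSION_TYPES.get(last_extension(filename), mime)
    return mime


def verify_upload(data, filename):
    """Returns (ok, mime) on success or (False, error-code) on rejection."""
    # Blacklist check uses the content-only type, so HTML renamed to
    # .csv is still caught.
    content_mime = sniff_mime(data)
    if content_mime in MIME_BLACKLIST:
        return (False, "filetype-badmime:" + content_mime)
    # Extension/type agreement uses content plus extension, so data.json
    # is accepted as application/json instead of mismatching text/plain.
    mime = detect_mime(data, filename)
    ext = last_extension(filename)
    if EXTENSION_TO_MIME.get(ext) != mime:
        return (False, "filetype-mime-mismatch:%s:%s" % (ext, mime))
    return (True, mime)
```

Run `verify_upload(b'{"a": 1}\n', "data.json")` to see the text/plain fallback accept a JSON file, and `verify_upload(b"<html>...", "evil.csv")` to see the content-only blacklist reject HTML regardless of the extension.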
umherirrender
fa5c5f2837 Fix return doc for UploadBase::isAllowed
Method can return bool or string

Change-Id: Ib290843ce97926bfc529d510b1898f35c7e3f6c6
2014-06-29 14:49:24 +02:00
csteipp
7114801e78 SECURITY: Prevent external resources in SVG files
On bug 65724, it was discovered that a user could upload SVG images
with embedded <image> elements that pulled in the resource via http.
This could allow an attacker to track all viewers of an SVG by having
the image embed another image hosted on their own server.

While testing the patch, I also identified 3 more element namespaces
that have been used on commons and seem harmless, so I added those to
the whitelist.

Change-Id: Iaaabc3a60c0ec4e6e426a8680d7a2cef5d469d29
2014-06-25 22:25:45 +02:00
csteipp
02e55fa26b Add some SVG element namespaces
Noticed that we have several old images on commons that use these
namespaces. They seem harmless, so I think we should add them.

Change-Id: Ib80298256c5d4717867eb857d5404a9487fed784
2014-06-02 12:18:48 -07:00
jenkins-bot
7fa77c2d52 Merge "Added unicode encoding support flags to FileBackend" 2014-05-15 15:06:19 +00:00
Aaron Schulz
0d54e6e0bf Added unicode encoding support flags to FileBackend
* Fixed bug where even using Swift/Azure on Windows
  would disallow non-ASCII file names.

Bug: 1780
Change-Id: I19ed72da0b099d35cae74fb08eeb22c113da1065
2014-05-13 14:11:36 -07:00
Siebrand Mazeland
d185ec734a Pass phpcs-strict on includes/upload
Change-Id: I80eaa22398227a4edb7160d560b625102c7436ac
2014-05-10 10:25:54 +02:00
Siebrand Mazeland
69a2ecfe3e Update formatting of includes/upload/
Change-Id: I8cf59cd3bb6dd8de2ed6509b7bc2ef9ff7c5caf1
2014-05-09 16:53:19 +02:00
umherirrender
23bb3d1cb4 Follow-Ups to "Fixed some @params documentation"
Fix of inline comments of the following patch sets:
Follow-Up: I0056b4a8df243cfc0c5f25378de48f7a35170aca
Follow-Up: I7f605aa9e117b5fd80d9b1440864fe526d2b14a5
Follow-Up: I3622f216a2ca8ac1b5e51892be9f98665f65bc36
Follow-Up: I6627ba0e76d3577c40bf2473e0f78a5ad7368634
Follow-Up: Id75b5ecf648ca50f955b3bde3307c82c4366b102
Follow-Up: I4ca5231119f33039d91da3b57a41cd40719a576b

Change-Id: Id9bbe84b2820e9db44af5783411e955f55f643d4
2014-04-23 13:39:49 +02:00
umherirrender
957adbef22 Fixed some @params documentation (includes/[file...|upload])
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Capitalizes the beginning of some text.
Also added some missing @param.

Change-Id: I8804ebe0922d3a414863b162a2110e0b9e49b80f
2014-04-19 17:19:17 +02:00
umherirrender
725d9d125d Removed unneeded spaces and colons in @param and friends
Also swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Capitalizes the beginning of some text.

Change-Id: Ic36c8c7820a6c2d603f1138130670c6bf6a1ca59
2014-04-08 16:02:49 +00:00
kaldari
0fb104497c Adding debugging for bug 62241
In the event of a bad filename warning, record the relevant variables
so that we can figure out what is causing the failure.

See also change I532f8ee7c7455e43862b0204a7fff23d6792412e

Bug: 62241
Change-Id: If5d8b9e7f34c0f9bd09684d7dada8fafd7f5f7c2
2014-03-31 21:04:43 +00:00
umherirrender
2000672ac3 Fixed spacing
- Added spaces after if/foreach/catch
- Added new line before end of file
- Added or removed spaces before/after parenthesis, comma
- Added spaces around string concat

Change-Id: I0590070f1b3542108e242730e8d9a3ba9831e94f
2014-03-20 20:37:30 +00:00
Brian Wolff
3090ace527 When checking whitelist of extensions, only count last extension.
When we are doing blacklisted extensions, we count all extensions
as some programs (like apache sometimes) consider extensions that
aren't the final extension. However when doing whitelists we need
to only count the last extension, otherwise people can name files
foo.goodExt.BadExt. For example [[commons:File:Deamado ko.png.bmp]]

I do not believe this represents a security risk as bad files are
still filtered out. However it does allow unwanted files to be
uploaded.

Bug: 62451
Change-Id: Ie27c15f749812710571f432bc5915e498f8017e3
2014-03-09 06:12:04 -03:00
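The asymmetric rule commit 3090ace527 describes (blacklist: every extension in the name counts; whitelist: only the final one counts), as an added Python example that is not MediaWiki's code. The pre-fix behaviour is kept alongside so the `foo.goodExt.BadExt` case can be compared. The two extension sets and the result strings are assumptions for the illustration.

```python
# Added example, not MediaWiki code. The extension sets are assumptions.

FILE_EXTENSIONS = {"png", "gif", "jpg", "jpeg", "svg", "pdf"}       # whitelist
FILE_BLACKLIST = {"html", "htm", "js", "php", "phtml", "exe", "sh"}  # blacklist


def all_extensions(filename):
    """Every dotted segment after the base name, lowercased.
    'foo.php.png' -> ['php', 'png']; 'README' -> []."""
    return filename.lower().split(".")[1:]


def whitelist_ok_before_fix(filename):
    """Pre-fix behaviour: any extension anywhere in the name satisfied the
    whitelist, so 'file.png.bmp' passed because of the 'png' in the middle."""
    return any(ext in FILE_EXTENSIONS for ext in all_extensions(filename))


def check_file_extension(filename):
    """Returns (True, final-extension) or (False, error-code)."""
    exts = all_extensions(filename)
    if not exts:
        return (False, "filetype-missing")
    # Blacklist: every extension counts, because servers such as Apache
    # may act on a non-final extension (foo.php.png).
    for ext in exts:
        if ext in FILE_BLACKLIST:
            return (False, "filetype-badtype:" + ext)
    # Whitelist: only the final extension counts, otherwise
    # foo.goodExt.BadExt sneaks an unwanted type through.
    if exts[-1] not in FILE_EXTENSIONS:
        return (False, "filetype-banned:" + exts[-1])
    return (True, exts[-1])
```

`check_file_extension("Deamado ko.png.bmp")` is rejected as a `bmp`, while `whitelist_ok_before_fix` on the same name still returns True; `shell.php.png` is rejected by the blacklist even though its final extension is whitelisted.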
csteipp
7d923a6b53 SECURITY: Disallow non-whitelisted namespaces
Disallow uploading non-whitelisted namespaces. Also disallow iframe
elements.

User will get an error including the namespace name if they use a non-
whitelisted namespace.

Bug: 60771
Change-Id: Id5c022543184b19b77ad32d9a8a0c2dbbc5e9038
2014-02-27 15:06:13 +01:00
jenkins-bot
806df0771e Merge "UploadStash us_props fix for Postgres" 2014-02-21 14:40:14 +00:00
Aaron Schulz
0ef8100a25 UploadStash us_props fix for Postgres
* Follows up c7f4586fe1

Change-Id: I5a8568efaf0817ca743de722d5486457ff1a8d87
2014-02-19 13:28:26 -08:00
Alexandre Emsenhuber
8d701eeeea Remove trailing line breaks from wfDebugLog() messages
This is useless since the message is passed through trim() and a
line break is added afterwards.

Change-Id: I1a26b30a07f7c9c749fce5bb6b2b4b3d79901b7c
2014-02-04 22:16:13 +01:00
jenkins-bot
7af7ba2f05 Merge "Add missing uploadstash.us_props for PostgreSQL" 2014-01-29 18:19:48 +00:00
csteipp
b4260e2daa SECURITY: Return error on invalid XML for SVGs
Return an error from UploadBase::detectScriptInSvg when the svg has
XML that cannot be parsed. Usually the XML is invalid, or the parser has
run out of memory trying to parse the file.

This patch is rebased on top of bug 57550.

Bug: 58553
Change-Id: I32661a27d7417cc2c69b844c805b190d6486d17a
2014-01-13 22:15:27 -08:00
mglaser
5205b03f62 SECURITY: Disallow stylesheets in svg
Bug: 57550
Change-Id: I73d148519c077e628d82a89280faa088bac9bdf5
2014-01-14 02:00:12 +01:00
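One checker covering the SVG rules the commits above describe, as an added Python example that is not MediaWiki's `UploadBase::detectScriptInSvg()`: unparseable XML is an error on the full file (b4260e2daa) but tolerated on a partial chunk (d1bbbe61c4), elements and attributes in non-whitelisted namespaces are rejected with the namespace named in the error (7d923a6b53), `iframe` and `style` elements are rejected (7d923a6b53, 5205b03f62), `href` attributes that fetch a remote resource are rejected (7114801e78), and `style` attributes are normalised before being checked for CSS that can load external content (6aa3befeb0). The namespace whitelist is an assumed subset, the error codes are illustrative rather than MediaWiki's message keys, elements in no namespace are treated as unknown here, and the sample SVGs are constructed. The stdlib parser is used for portability; a hardened parser belongs in production, since the commit notes the real code also fails when the parser runs out of memory.

```python
# Added example, not MediaWiki code. Whitelist, codes and samples are
# assumptions/constructed for the illustration.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumed whitelist: a subset of the namespaces MediaWiki accepts.
ALLOWED_NAMESPACES = {
    SVG_NS, XLINK_NS,
    "http://www.w3.org/XML/1998/namespace",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://creativecommons.org/ns#",
    "http://www.inkscape.org/namespaces/inkscape",
    "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd",
}
FORBIDDEN_ELEMENTS = {"script", "iframe", "style"}
# Any scheme-relative or http(s)/ftp reference loads a remote resource.
EXTERNAL_REF = re.compile(r"^\s*(?:https?:|ftp:)?//", re.I)
# CSS constructs a style attribute must not contain after normalisation.
DANGEROUS_CSS = ("url(", "@import", "expression(", "javascript:")


def split_qname(name):
    """'{ns}local' -> (ns, local); unqualified names get ns ''."""
    if name.startswith("{"):
        ns, _, local = name[1:].partition("}")
        return ns, local
    return "", name


def normalize_css(value):
    """Fold case and strip comments/whitespace so 'U R L(' still matches."""
    return re.sub(r"/\*.*?\*/|\s+", "", value, flags=re.S).lower()


def check_svg(data, partial=False):
    """None if acceptable, else (error-code, detail).
    partial=True mirrors the verifyPartialFile() call: a chunk that is not
    yet well-formed XML is not an error, but anything parseable is still
    checked. partial=False mirrors verifyFile() on the complete upload,
    where unparseable XML is rejected outright."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return None if partial else ("uploadinvalidxml", str(exc))
    for el in root.iter():
        ns, local = split_qname(el.tag)
        if ns not in ALLOWED_NAMESPACES:
            return ("svg-unknown-namespace", ns or "(none)")
        if local in FORBIDDEN_ELEMENTS:
            return ("svg-forbidden-element", local)
        for attr, value in el.attrib.items():
            ans, alocal = split_qname(attr)
            if ans and ans not in ALLOWED_NAMESPACES:
                return ("svg-unknown-namespace", ans)
            if alocal.lower().startswith("on"):
                return ("svg-event-handler", alocal)
            # <a href> is a link the viewer must click; any other href
            # (image, use, ...) is fetched when the SVG is rendered.
            if alocal == "href" and local != "a" and EXTERNAL_REF.match(value):
                return ("svg-external-resource", value)
            if alocal == "style" and any(t in normalize_css(value) for t in DANGEROUS_CSS):
                return ("svg-css", value)
    return None


# Constructed samples.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<rect width="1" height="1"/>'
            b'<image xlink:href="data:image/png;base64,iVBOR" width="1" height="1"/>'
            b'</svg>')
TRACKER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<image xlink:href="http://attacker.example/pixel.png" width="1" height="1"/>'
               b'</svg>')
STYLED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><style>rect{fill:red}</style><rect/></svg>'
IFRAME_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><iframe src="x"/></svg>'
UNKNOWN_NS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<foo:bar xmlns:foo="http://evil.example/ns"/></svg>')
CSS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
           b'<rect style="fill: u r l(http://attacker.example/p.svg#g)"/></svg>')
```

`check_svg(GOOD_SVG[:40], partial=True)` returns None because a truncated chunk is expected to be unparseable, while `check_svg(GOOD_SVG[:40])` returns the `uploadinvalidxml` error; `check_svg(TRACKER_SVG)` names the remote URL so the uploader learns why the file was refused, matching the commit's intent of surfacing the offending namespace or resource in the error.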
Brad Jorsch
81486e15ee Do not reveal RevDeled file title
When a file is being uploaded, we tell the user if it has been
uploaded and deleted in the past. But we shouldn't reveal the title
under which that was done if the file was suppressed via RevDel.

Note this introduces a breaking API change: clients may now receive a
"deleted-archive" warning with an empty value if the title was
suppressed.

Bug: 59167
Change-Id: I01a3ac2ba0cbac6b28de26a7f1a1d09b6b02097e
2014-01-03 12:40:26 -05:00
Bartosz Dziewoński
c817809a11 Remove reference to deleted file
It didn't even point to the right location…

Follow-up to I70d20bf2.

Change-Id: I7f909873035b9176ba9b7c2bf41b05d9eede3cc4
2014-01-03 13:01:28 +01:00
umherirrender
073abe3e12 No variable assignment on return statement
Split the variable assignment and the return statement in two lines for
better readability.

When there were two return statements in one method the logic was swapped
to have only one return statement.

Change-Id: Id7a01b4a2df96036435f9e1a9be5678dd124b0af
2014-01-02 09:43:35 +00:00
Bryan Davis
f9c6af781c Fix TempFSFile creation
A new TempFSFile should be instantiated via the factory rather than
using the object constructor.

Change-Id: Icd059566087c6a644a0d0ed69abfe13b88b38ee4
2013-12-13 12:49:45 -07:00
Bryan Davis
e4009c7367 Use TempFSFile in UploadFromUrl
Make it a little harder for the developer to leak files in the temp
directory by managing the temporary file with a TempFSFile instance.

Change-Id: I8bafc3a6e6212781d9e2e4f8f370ce7c446f1fd5
2013-12-12 16:10:14 -07:00
saper
c7f4586fe1 Add missing uploadstash.us_props for PostgreSQL
This field was introduced in e5d41cca90
but only for MySQL.

Change-Id: I057b1dd845a5ab7ae05f5597454981a6e2c12698
2013-12-09 20:46:17 +01:00
jenkins-bot
bdc5103819 Merge "Move closing parenthesis from multi line if and function to own line" 2013-12-02 06:33:48 +00:00