Commit graph

586 commits

Author SHA1 Message Date
Brad Jorsch
7a8fa0d9fd API: Remove unused "non-whitelisted CORS origin" log
This log message was added at the request of Wikimedia's Security team
in 2016, but as far as I can tell was never enabled on Wikimedia sites.

Rather than adding more logic to avoid logspam when browsers include an
Origin header for same-origin requests, let's just get rid of it
entirely.

Bug: T243908
Change-Id: I799b17a5f4891f9e739d6b62551a5736b8a6664e
2020-01-29 09:28:35 -08:00
James D. Forrester
0958a0bce4 Coding style: Auto-fix MediaWiki.Usage.IsNull.IsNull
Change-Id: I90cfe8366c0245c9c67e598d17800684897a4e27
2020-01-10 14:17:13 -08:00
Petr Pchelko
e4b7fc3570 Hard deprecate User::isEveryoneAllowed
The method was soft-deprecated in 1.34. It's not used in any WMF
installed extensions or the tarball, so it can be hard deprecated.

Bug: T220191
Change-Id: I2f48d62a8dd3592918a6197168d31a1e08bd2a3e
2019-10-30 11:17:19 -07:00
Aryeh Gregor
0de9c47b50 Remove Language::factory and getParentLanguage use
Change-Id: I11f8801ef47ec1a1f63d840116e69667e6f3ae3c
2019-10-27 12:34:28 +02:00
David Barratt
20fb3632cd Check and add block cookie to every uncached API request
The cleanest way to add the block cookie is to check for the user's block when
the Caching headers are being added to the request. This prevents side effects
when checking for blocks and also prevents extensions from having to be aware
of block cookies.

Bug: T196575
Change-Id: I4f8de725e4be616e41d842f09f6144518237bbd5
2019-10-10 15:55:20 -04:00
James D. Forrester
d3473aca47 HHVM removal: Drop HHVM code path for Exception not Throwable in API code
Change-Id: I8c7e9bc35e4f415fa04199049313253a576846cf
2019-10-02 17:06:56 -07:00
Brad Jorsch
995aad376a API: Use ConvertibleTimestamp::setFakeTime for testing curtimestamp
Mainly to avoid spurious test failures when CI is being extremely slow.

Bug: T233752
Change-Id: Ie2cdd84dc076a852fbdce52f661ef893f9a2d45b
2019-09-26 12:35:00 -04:00
mainframe98
eb8823743c Use ObjectFactory to create API modules
This will allow constructing API modules that need services.

This overhauls some of the internals of the ApiModuleManager,
but the public interface remains unchanged.
The $class parameter of addModule (now called $spec)
also allows passing an array with the spec of the module.
Note that this spec requires the attribute 'class' to be present,
even when 'factory' is specified. This is the same as before,
where $class was always required.

In a perfect DI world ObjectFactory would be injected into
ApiMain::__construct and ApiMain would pass that to its instance
of ApiModuleManager, but that is currently not possible, so for now
it is injected in ApiModuleManager by having ApiMain::__construct
call the service locator.

Bug: T222388
Change-Id: Iee04afc27283547dd68d6db93f44ac2e0ebf1258
2019-09-09 18:50:16 +00:00
Daimona Eaytoy
23daef5c18 Remove dead properties
* LogPage::timestamp was introduced with r4919 back in 2004, and is unused
since then.
* ApiMain::mCommit was introduced in r33133, then removed in r33381 but that
line was forgotten.
* SpecialRecentChangesLinked::mResultEmpty was introduced in r36682, then
removed at some point with this leftover.
* SpecialStatistics::hook, introduced in r54511 and unused since then.
* MergeMessageFileList::hasError introduced in Id4b16083435ef7f4fce31861c72889e664d07236
and removed in I3d9cf1d614dacaa91fb2092019ccf1d14d61ccab with a leftover

Change-Id: Ie15c148a3217ee8da62874840f3ef7739893f69e
2019-09-07 16:34:55 +00:00
Daimona Eaytoy
b5cbb5ab3f Upgrade phan config to 0.7.1
This allows us to remove many suppressions for phan false positives.

Bug: T231636
Depends-On: I82a279e1f7b0fdefd3bb712e46c7d0665429d065
Change-Id: I5c251e9584a1ae9fb1577afcafb5001e0dcd41c7
2019-09-04 08:20:53 +00:00
Daimona Eaytoy
c659bc6308 Unsuppress another phan issue (part 7)
Bug: T231636
Depends-On: I2cd24e73726394e3200a570c45d5e86b6849bfa9
Depends-On: I4fa3e6aad872434ca397325ed7a83f94973661d0
Change-Id: Ie6233561de78457cae5e4e44e220feec2d1272d8
2019-09-03 17:19:21 +00:00
Daimona Eaytoy
327e8ea416 Unsuppress phan issues part 6
Bug: T231636
Depends-On: I50377746f01749b058c39fd8229f9d566224cc43
Change-Id: I2cd24e73726394e3200a570c45d5e86b6849bfa9
2019-09-01 09:48:45 +00:00
jenkins-bot
41355718e1 Merge "API: Warn about POST without Content-Type"
2019-08-24 08:00:11 +00:00
Petr Pchelko
acaa3e3136 Remove deprecated User groups/permission static calls.
Bug: T220191
Change-Id: Ifa8afa90c432723b0bba0033a46b6a499c77e6fc
2019-08-21 19:42:01 -07:00
Petr Pchelko
1d286560d2 Replace User::isAllowed with PermissionManager.
Covers root includes, actions, api, block, changes,
changetags, diff and PermissionManager itself.

Bug: T220191
Change-Id: Ic027d32f5dd8f4c74865df0c8a9fcf91123c889c
2019-08-20 14:43:51 -07:00
Brad Jorsch
bba1a0f2f9 API: Warn about POST without Content-Type
HHVM sniffs the content type and so probably correctly guesses
application/x-www-form-urlencoded and fills in $_POST, while PHP 7 does
not sniff and so doesn't fill in $_POST.

Since there are clients that have been expecting the HHVM behavior, give
a warning both to let them know and so we can have some idea of how many
such clients there are.

This also adds any warnings and errors as an HTML comment at the top of
the auto-generated help page, to hopefully make it easier for people
getting that unexpectedly to find out why.

Bug: T230735
Change-Id: I017b7afe808844d74d376f6436894a5a2f525a9f
2019-08-19 13:00:37 -04:00
Timo Tijhof
cad882954a context: Use getRawVal instead of getVal for 'uselang' and 'useskin'
Bug: T189966
Change-Id: I9db7b3f36f5457e80aa9b673bcb56deb83e47a18
2019-07-30 00:02:52 +01:00
Brad Jorsch
acb2e15615 API: Only take HTTP code from ApiUsageException
Codes set on other Exception types are unlikely to be intended as HTTP
codes.

Bug: T228758
Change-Id: Ia6a53cb621f87ff97d5f16215a1b09ae11ca8f53
2019-07-23 10:24:18 -04:00
jenkins-bot
1c271f3b81 Merge "Remove $wgUseKeyHeader and OutputPage::getKeyHeader(), deprecated in 1.32"
2019-06-20 16:26:37 +00:00
C. Scott Ananian
ce1bd86a4b Remove $wgUseKeyHeader and OutputPage::getKeyHeader(), deprecated in 1.32
These implemented a since-abandoned draft IETF spec, and the code was
broken due to (1) case-(in)sensitivity issues with the Accept-Language
header and (2) the BCP47 language code compatibility workaround we use.

Change-Id: Ia53d07cd8ce8ab1497294ea244c13c7499f632c7
2019-06-19 15:14:54 -04:00
Andrew Otto
e26f817866 Remove deprecated ApiAction logging code from ApiMain.php
ApiAction was disabled in WMF production in
https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/516303

Bug: T222267
Change-Id: I527811ef84506cf35fe7b9b981fb405776fceb1a
2019-06-19 10:06:54 -04:00
Petr Pchelko
1d863650e3 Use UUIDv4 for mediawiki.api-request log event ID.
Bug: T222966
Change-Id: Ie753229ed15545a62349154d442ae9e297951455
2019-06-19 01:20:05 +00:00
James D. Forrester
f9f8dff40f Rename CDN config variables to be generic, deprecating the old names
Hook, methods, classes still to rename where appropriate.

Bug: T104148
Depends-On: Id34339dff88bc6d1863378ac94b96b2d590b891d
Depends-On: I4e2938395bcbf7956b83fff00978f09c61dcfa36
Change-Id: I7a725dae551c867a4fa7c213838d52c7fb862756
2019-05-24 21:09:22 +00:00
James D. Forrester
871d947ca4 i18n: Rename 11 messages for case-compliance
Can't yet enforce due to the API.

* allmessagesnotsupportedDB
* rcfilters-filtergroup-userExpLevel
* rcfilters-filtergroup-lastRevision
* number_of_watching_users_RCview
* apihelp-query+allfileusages-example-B
* apihelp-query+allimages-example-B
* apihelp-query+alllinks-example-B
* apihelp-query+allpages-example-B
* apihelp-query+allredirects-example-B
* apihelp-query+alltransclusions-example-B
* apihelp-query+allusers-example-Y
* apiwarn-wgDebugAPI

Change-Id: I95961dfeb43e9cfadc867a48866af6335022572a
2019-05-18 16:39:49 +02:00
Reedy
c13fee87d4 Collapse some nested if statements
Change-Id: I9a97325d738d09370d29d35d5254bc0dadc57ff4
2019-04-04 19:02:22 +00:00
jenkins-bot
4e733156e9 Merge "Replace several uses of wfWikiId() with WikiMap methods"
2019-03-30 00:08:28 +00:00
jenkins-bot
962b690e92 Merge "Use the WebRequest::getCheck() shortcut where possible"
2019-03-29 22:19:42 +00:00
Aaron Schulz
a8447a337b Replace several uses of wfWikiId() with WikiMap methods
Also, reword some related comments.

Change-Id: I8aefa42f96b90e9ea871cf7ec1afcc7ed82a19b2
2019-03-29 14:56:18 -07:00
Andrew Otto
8f9a19e36e ApiMain.php api/request logging event changes
- Use 'Z' UTC timezone on dt
- Don't provide empty arrays if no data entries
- No need to set X-Request-Id in http.request_headers, it is meta.request_id

Bug: T214080
Bug: T212529
Change-Id: I37aa41a46ce74b372070e88a2f4da746fcbe2449
2019-03-12 16:23:19 +00:00
Thiemo Kreuz
a2c1d8c043 Use the WebRequest::getCheck() shortcut where possible
This is inspired by Ib117e05.

As far as I can tell this is functionally identical. Even arrays should
behave the same, as both the getVal() and getCheck() methods do have a
special case that returns the `null` default in case the user tried to
pass multiple values instead of a single scalar.

Change-Id: Id4e4ec91f39d3c39461bd41673bdafc3bde11737
2019-03-11 09:50:52 +01:00
Ottomata
ca3ff24560 Merge "Set api-request log http.request_headers properly"
2019-03-04 21:41:55 +00:00
Andrew Otto
e453a7b33f Set api-request log http.request_headers properly
$request->getHeader( 'Api-user-agent' ) was returning false,
and we can only accept string header values.

Bug: T214080
Change-Id: I3de8a455ad7dab9e3a67e24439e95f4968c93243
2019-03-04 16:12:39 -05:00
Thiemo Kreuz
37b3383e8b Remove comments literally repeating the next line of code
I would argue that these comments do not add any information that
would not be there already. Having them adds mental overhead, because
one needs to read both the comment and the next line of code first to
understand they say the exact same. I don't find this helpful, but
more distracting.

Change-Id: I39c98f25225947ebffdcc2fd8f0243e7a6c070d7
2019-02-27 17:28:40 +00:00
Petr Pchelko
a2b85209e2 Emit new style API action logs into Monolog.
Bug: T214080
Depends-On: I454d3d12dcc1d7e525dc468df90424e68df59d78
Change-Id: Id0be845884cd834d89df897cc8a862904caeb09a
2019-02-26 17:40:57 +00:00
Reedy
4691389fa4 Use (int) rather than intval()
Bug: T216969
Change-Id: I4c06716c83b69d128f26fa7f68736808aa2d3d64
2019-02-25 00:38:33 +00:00
Brad Jorsch
eb51c6364e API: Add User-Agent to CORS allow list
An updated spec[1] removed the User-Agent header from the list of forbidden
headers for XHR, so some clients are now requesting to use it.

[1] https://github.com/whatwg/fetch/commit/dab09b0c483

Change-Id: I43d42c3c3a6510721ff7e5fc406db797bf08ffae
2018-12-19 12:11:17 -08:00
Brad Jorsch
c765b4e37c API: Add exception class as data to internal_api_error codes
The code for all uncaught exceptions will in the future be
"internal_api_error". If the client needs to know the class name for
some reason, it can check the new 'errorclass' data item on the error.

Change-Id: Ia9e32bbb8d17692203f4fbcee53a20e87be1776e
2018-11-26 13:42:07 -05:00
Brad Jorsch
4eace785e6 API: Validate API error codes
Validate them in ApiMessageTrait when the message is created, and again
in ApiMain before they're included in the header.

This also introduces an "api-warning" log channel, since "api" is too
spammy for real use, and converts a few existing things to use it.

Bug: T208926
Change-Id: Ib2d8bd4d4a5d58af76431835ba783c148de7792a
Depends-On: Iced44f2602d57eea9a2d15aee5b8c9a50092b49c
Depends-On: I5c2747f527c30ded7a614feb26f5777d901bd512
Depends-On: I9c9bd8f5309518fcbab7179fb71d209c005e5e64
2018-11-26 18:41:08 +00:00
Shreyas Minocha
2ff7b66e73 Send a 405 on unsupported HTTP methods in API
Bug: T209228
Change-Id: I24af3bfea1ff4b37a72ef5e83b12a8f1c59ca497
2018-11-17 22:41:05 +05:30
Brad Jorsch
6ff65e57bb API: Remove long-deprecated methods (and one class)
* ApiBase::profileIn() (deprecated in 1.25)
* ApiBase::profileOut() (deprecated in 1.25)
* ApiBase::safeProfileOut() (deprecated in 1.25)
* ApiBase::profileDBIn() (deprecated in 1.25)
* ApiBase::profileDBOut() (deprecated in 1.25)
* ApiBase::dieUsage() (deprecated in 1.29)
* ApiBase::dieUsageMsg() (deprecated in 1.29)
* ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
* ApiBase::getErrorFromStatus() (deprecated in 1.29)
* ApiBase::parseMsg() (deprecated in 1.29)
* ApiBase::setWarning() (deprecated in 1.29)
* ApiPageSet::getInvalidTitles() (deprecated in 1.26)
* ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
* ApiUsageException::getCodeString() (deprecated in 1.29)
* ApiUsageException::getMessageArray() (deprecated in 1.29)
* UsageException (deprecated in 1.29)

Change-Id: Iabb2589a29cc3b46624d31358f3a6bf7b3ccbd57
2018-10-15 16:37:04 -04:00
Brad Jorsch
e6a75d806b API: Catch Errors as well as Exceptions
ApiMain (and also api.php) tries to catch any Exception so as to provide
a properly-formatted error message to the client instead of an HTML
error page.

With PHP 7.0, some cases that produce an Exception in HHVM instead
produce an Error. The API code should catch these too.

Fortunately neither Zend PHP nor HHVM care if you try to catch a class
that doesn't exist, so we can just add catch blocks for Throwable and
not worry about it.

Bug: T202416
Change-Id: I189eee466bd09870bc172f2420be393a7c0b1900
2018-08-22 09:30:06 -04:00
Fomafix
0a0d5cb7f7 Fix typos
Bug: T201491
Change-Id: I25a27d11faabe2f5fa02950c7a4fb58b13fb3662
2018-08-14 09:52:19 +00:00
Aryeh Gregor
90d4f56fe4 Mass conversion of $wgContLang to service
Brought to you by vim macros.

Bug: T200246
Change-Id: I79e919f4553e3bd3eb714073fed7a43051b4fb2a
2018-08-11 22:44:29 -06:00
Bill Pirkle
807125abdb Deprecate $wgShowSQLErrors and $wgShowDBErrorBacktrace and make nonfunctional
Clarify and simplify exception output by deprecating
$wgShowSQLErrors and $wgShowDBErrorBacktrace.
$wgShowExceptionDetails will now control most related output.
$wgShowHostnames will now solely control output of
MWExceptionRenderer::reportOutageHTML.

Bug: T165768
Change-Id: Idead2c11c499463dfa6293c3d4b33be3bde92e1a
2018-07-25 10:38:19 -05:00
Tim Starling
55adc4422d Send API timing to statsd for all requests, not just writes
The rate will be about 8k req/s, whereas currently graphite1001
receives about 350k metric updates per second, so we would expect
this to increase statsd load by about 2%.

This would have been very helpful in diagnosing API cluster overload
incidents such as the one on July 11.

Change-Id: I0a248e1bcec05915d98ec735f4cfb9800e64412d
2018-07-20 16:49:49 +10:00
Brad Jorsch
78955203c3 ApiMain: Always create a new printer in getPrinterByName()
ApiMain already caches the printer in ->mPrinter, so if
getPrinterByName() is being called more than once that's because we
really want a new printer instance, without any cached errors or other
behavior that results from reusing the same instance.

Bug: T199949
Change-Id: I779cbbaa8aab9b049a8eed732416edd828121ec4
2018-07-19 10:45:28 -04:00
Umherirrender
130ec2523d Fix PhanTypeMismatchDeclaredParam
Auto fix MediaWiki.Commenting.FunctionComment.DefaultNullTypeParam sniff

Change-Id: I865323fd0295aabd06f3e3c75e0e5043fb31069e
2018-07-07 00:34:30 +00:00
Brad Jorsch
d927830935 API: Check assert parameters earlier in the request
Specifically, check the assert and assertuser parameters before setting
up the action module, so errors in parsing the module's parameters due
to being logged out don't override the client's intended "am I logged
in?" check.

Note this means that assertion failures will no longer use custom module
output formatters. This seems like an acceptable tradeoff: on Wikimedia
sites in May 2018 there were no requests that would have been affected
by this change.

Bug: T197672
Change-Id: I02a71395d5ed9f445e57162f2136292825f8dbb5
2018-06-21 14:50:47 -04:00
Amir Sarabadani
5a7e9ba954 Introduce ApiMaxLagInfo hook
This will be useful when an extension does something expensive and wants to
make sure users don't put too much pressure on the system.

Bug: T194950
Change-Id: I8a396d07c2d5764a680d0e5536cd1f99edbe141e
2018-06-05 19:46:09 +02:00
Brad Jorsch
78d1b8ebba API: Introduce "templated parameters"
With MCR coming up, ApiEditPage is going to need to be able to take
"text" and "contentmodel" parameters for each slot-role, and enumerating
such parameters for every possible slot would probably get rather
confusing as to what is required when, or at least long-winded in
repeating the exact same thing for every possible role.

So let's abstract it: we'll have an "editroles" parameter to specify which
slots are being edited, and ApiEditPage will just declare that
"text-{role}" and "contentmodel-{role}" parameters should exist for each
value of "editroles" in the submission.

Note this patch doesn't introduce anything that uses templated
parameters, just the functionality itself. For testing purposes you
might cherry pick I2d658e9a.

Bug: T174032
Change-Id: Ia19a1617b73067bfb1f0f16ccc57d471778b7361
2018-05-16 16:19:31 -04:00