Basically turning Mediawiki to MediaWiki as all other classes exist
in that namespace
Bug: T217128
Change-Id: I95039a1a54c9900a2f2414b5a6ccce5fb6e5e612
When a unit test fails it is possible, perhaps even likely in some
cases, that some code that was run logged useful information about
how that failure came to be.
Help people out, tell them what happened!
Change-Id: I30bbc31799a65024868678d052fec9aafacc1aff
This formatter extends LogstashFormatter to prefix records with "cee token"
used for syslog and JSON structured logging. See also related task for more
context.
Bug: T211124
Change-Id: I3cdeb4c666f54039b5e8ecc67bd4937220333526
In Monolog\Logger (Logger.php), the logger levels are constants (integer values).
Logger::DEBUG is a constant (int) with value 100 which depicts that error logging
level. The datatypes of these values (DEBUG, INFO, WARNING, etc.) are all integers,
not strings.
Change-Id: I1cc67381bc64800241f5f9b7232ffe5419388d8a
Follows-up 81e8d7af41 and e861191b2c.
When using $wgShowDebug, $wgDebugComments, or $wgDebugLogFile
locally, or when using the 'log' attribute with X-Wikimedia-Debug,
all channels should be enabled and logged. But, the DBQuery logs
are currently going nowhere.
The code for MWDebug::query() is intercepting it, even if
$wgDebugToolbar is not enabled.
And after that, the code for wfLogDBError was intercepting it,
again, even if $wgDBerrorLog is not enabled.
Bug: T202764
Change-Id: I710c26a9e9c30fea20975d1bc24e1f0af077c2ad
Uses new PHP 5.6 syntax like ...parameter unpacking and
calling anything looking like a callback to make the code more readable.
There are many more occurrences but this commit is intentionally limited
to an easily reviewable size.
Change-Id: Idcec077ef3fdf029b632cceafd0150851ad723e3
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
The primary goal here is a defense in depth measure to
stop an attacker who found a bug in the parser allowing
them to insert malicious attributes.
This wouldn't stop someone who could insert a full
script tag (since at current it can't distinguish between
malicious and legit user js). It also would not prevent
DOM-based or reflected XSS for anons, as the nonce value
is guessable for anons when receiving a response cached
by varnish. However, the limited protection of just stopping
stored XSS where the attacker only has control of attributes,
is still a big win in my opinion. (But it wouldn't prevent
someone who has that type of xss from abusing things like
data-ooui attribute).
This will likely break many gadgets. It's expected that any
sort of rollout on Wikimedia will be done very slowly, with
lots of testing and the report-only option to begin with.
This is behind feature flags that are off by default, so
merging this patch should not cause any change in default
behaviour.
This may break some extensions (The most obvious one
is charinsert (See fe648d41005), but will probably need
some testing in report-only mode to see if anything else breaks)
This uses the unsafe-eval option of CSP, in order to
support RL's local storage thingy. For better security,
we may want to remove some of the sillier uses of eval
(e.g. jquery.ui.datepicker.js).
For more info, see spec: https://www.w3.org/TR/CSP2/
Additionally see:
https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
Bug: T135963
Change-Id: I80f6f469ba4c0b608385483457df96ccb7429ae5
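
The policy shape that commit message describes (a per-response nonce on script-src, 'unsafe-eval' kept, report-only mode for rollout), as an added example that is not MediaWiki's own code. The function names and the report URI are hypothetical.

```php
<?php
// Added illustration, not MediaWiki code. Function names and the
// report URI are hypothetical.

/** Fresh per-response nonce: 128 bits from the CSPRNG, base64-encoded. */
function makeCspNonce(): string {
	return base64_encode( random_bytes( 16 ) );
}

/**
 * Build the header line. script-src carries the nonce and 'unsafe-eval'
 * but not 'unsafe-inline', so inline handler attributes (onclick= etc.),
 * which cannot carry a nonce, are refused by the browser.
 */
function buildCspHeader( string $nonce, bool $reportOnly, string $reportUri ): string {
	if ( !preg_match( '#^[A-Za-z0-9+/]+={0,2}$#', $nonce ) ) {
		throw new InvalidArgumentException( 'nonce is not a base64 value' );
	}
	if ( preg_match( '/[;,\s]/', $reportUri ) ) {
		throw new InvalidArgumentException( 'report URI would break the header' );
	}
	$name = $reportOnly
		? 'Content-Security-Policy-Report-Only'
		: 'Content-Security-Policy';
	$policy = "script-src 'nonce-$nonce' 'unsafe-eval'; report-uri $reportUri";
	return "$name: $policy";
}

/** Inline script the server itself emits; only these get the nonce. */
function nonceScriptTag( string $js, string $nonce ): string {
	return '<script nonce="' . htmlspecialchars( $nonce, ENT_QUOTES ) . '">'
		. $js . '</script>';
}

// Constructed usage: report-only first, as the rollout plan describes.
// A cached response replays the same nonce to every reader, which is
// the guessable-nonce caveat noted for anonymous users.
$nonce = makeCspNonce();
echo buildCspHeader( $nonce, true, '/csp-report' ), "\n";
echo nonceScriptTag( 'console.log( "allowed" );', $nonce ), "\n";
```
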
* Use $_SERVER['REQUEST_TIME_FLOAT'] unconditionally in WebRequest.php
and libs/Timing.php. WebStart.php was doing this already without issue.
The key exists since PHP 5.4, for both Web and CLI (we require 5.5).
* In wfDebug() and wfReportTime(), use $_SERVER['REQUEST_TIME_FLOAT'] instead.
* In ApiFormatBase and MWDebug, use WebRequest::getElapsedTime() instead.
* In Maintenance.php, remove setting of $wgRequestTime.
* In rebuildFileCache.php, update mocking to $_SERVER['REQUEST_TIME_FLOAT']
so that we avoid re-introducing bug T24852.
Change-Id: I1b647da2862f815029caa533b592ec8a05b33806
Deprecate the unnamespaced version and move it to includes/compat.
Bug: T147167
Depends-On: I39c805bfb98b32f32f3d0dc1eee9e823afe1c21a
Change-Id: I3780c7adf51683f3f7adb35a88f9a25a0a2e2530
phpdbg is a gdb-style debugger for PHP that is run from the command
line. However, it has a different PHP_SAPI value, so it was impossible
to run maintenance scripts with it (until now).
To avoid having to check both PHP_SAPI values in a bunch of places,
introduce wfIsCLI() to easily check whether running from the
command-line or not.
We're (CI team) interested in generating code coverage with phpdbg
instead of xdebug, hence this patch.
Bug: T184043
Change-Id: Id1f994ca146d7858cd8bb6ab6cdbb7718ff524fb
Follows investigation from T172559, where we found that there is no explicit
way to find what script triggered particular error messages when the script
was run from the command-line (as opposed to a web request, where the
built-in WebProcessor adds fields like http_method and url).
Change-Id: Ia9641274a164137dcc30324578d750cc662976ee
In phpcs.xml rename renamed sniffs and add the failing sniffs,
because now the whole sniff is no longer excluded.
Change-Id: If5b0bd16028761abc2c47ace9e97d37ad14bb36f
And auto-fix all errors.
The `<exclude-pattern>` stanzas are now included in the default ruleset
and don't need to be repeated.
Change-Id: I928af549dc88ac2c6cb82058f64c7c7f3111598a
Undo traces of a practice we carried over from past projects and
existing examples that is neither universal nor actively encouraged in
the MediaWiki codebase.
Bug: T139301
Change-Id: I5c9c89b72a45a44aa4264a5e57b003c1a86cdf6e
Co-Authored-By: Brad Jorsch <bjorsch@wikimedia.org>
eval.php previously set $wgDebugLogFile to /dev/stdout. This had the
following problems:
* It doesn't work if the maintenance script is executed via sudo, since
/dev/stdout is typically owned by the original user, so MW can't open
it. Using php://stdout worked on HHVM but not PHP.
* Setting $wgDebugLogFile has no effect if the wiki uses MonologSpi.
* Setting $wgDebugLogFile has no effect on channels configured with
$wgDebugLogGroups.
* stderr is a more appropriate place to send logging output.
* Writing to configuration variables is discouraged.
So, add ConsoleSpi, which is a very simple logging service provider
which sends all messages to stderr. This should be suitable for
debugging with eval.php or shell.php in WMF production or beta.
Change-Id: Ib0d6ce45e0cbecd58263fc4e360c63d4149acb3a
I was bored. What? Don't look at me that way.
I mostly targeted mixed tabs and spaces, but others were not spared.
Note that some of the whitespace changes are inside HTML output,
extended regexps or SQL snippets.
Change-Id: Ie206cc946459f6befcfc2d520e35ad3ea3c0f1e0
Fix the following error on PHP 7.
> MediaWiki\Logger\Monolog\AvroFormatterTest::testDoesSomethingWhenSchemaAvailable
> Only variables should be passed by reference
> includes/debug/logger/monolog/AvroFormatter.php:143
Per https://github.com/researchgate/avro-php/blob/1.8.0/lib/avro/schema.php#L311-L314
the default for &$schemata is null, which is filled with a plain AvroNamedSchemata
instance. So this parameter is obsolete.
Either it needs to be assigned here and then passed. But since we don't use
it anywhere and don't pass it any constructor arguments, the default
should suffice.
Bug: T75176
Bug: T141588
Change-Id: I144bed8a78eb267a97e41f379b89c5faaae30625
Most of these are simply changing annotations to reflect
reality. If a function can return false to indicate failure
the @return should indicate it.
Some are fixing preg_match calls; preg_match returns 1, 0 or false,
but the functions all claim to return booleans.
This is far from all the incorrect return types in MediaWiki; there
are around 250 detected by phan, but we have to start somewhere.
Change-Id: I1bbdfee6190747bde460f8a7084212ccafe169ef
* do not warn if something is overwritten with an identical value
(happens a lot with 'ip')
* move to LogstashFormatter so we can check for the value
* instead of spamming errors, just add a flag to the logstash data
Bug: T145133
Change-Id: I31caee865cd60c785126478ac75c9aefce78eaaf
This fixes the outstanding mis-spaced cast operators to bring them
into line with the coding standards on mediawiki.org (and with the
more common usage within this codebase).
Bug: T149545
Change-Id: Ib7bcf95bbee83d20c05f6d621ce7b4e1fb58a347
Normalize $level arguments to integers early to avoid confusion later
about what type the argument is.
Change-Id: I7305c0514f4383ec552afea2deb0e3fc6ba3fe8a