Commit graph

129277 commits

Author SHA1 Message Date
Translation updater bot
158359ab24 Update git submodules
* Update extensions/AbuseFilter from branch 'REL1_43'
  to 3f0366cdbbbf0f5c1691f8b07e7b54a2b7613ace
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I33dc5181ba52675a54913baf231733170f46c201
2025-10-07 06:39:33 +00:00
Translation updater bot
e1b9bb63f2
Localisation updates from https://translatewiki.net.
Change-Id: I79b13b07747b9e7f28af709e0adab7e2ff571dad
2025-10-07 07:33:48 +02:00
Máté Szabó
acb403ccfd DeduplicateStyles: Only transform possible style nodes
Why:

- DeduplicateStyles runs as a default post-cache output transformation
  for every backend pageview. It tokenizes the article HTML via Remex to
  deduplicate style nodes within.
- This is expensive for large pages. On the Barack Obama page, the
  transform takes 350+ ms on a parser cache hit.
- Some other transforms, like HandleSectionLinks, already use regexes to
  only run Remex-driven transforms on relevant elements to avoid a
  potentially expensive tokenization of the whole page.

What:

- Use a regular expression to limit this transform so that it only
  tokenizes potential <style> nodes. This takes ~2ms to execute on a
  large page[1], compared to ~166ms currently.
- Restrict this optimization to legacy parser output transformations,
  since the naïve regex used might otherwise match encoded style tags
  within data-parsoid attribute values, as described in
  I32d3d1772243c3819e1e1486351d16871b6e21c4.
  Add a test for this.

[1] https://en.m.wikipedia.org/wiki/Democratic_Party_(United_States)?action=render

Bug: T394059
Change-Id: I33ebcc2da7685b4b6dafdad3ed3ef2a9edea9a00
(cherry picked from commit 02f69d5dc99a964981c57b597eedffa1f253a14c)
2025-10-03 23:19:17 +00:00
SomeRandomDeveloper
0699f46299 Revert "SECURITY: Escape rawElement $content"
This reverts commit 596c2615de.

Reason for revert: This has already been fixed in
I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c. This second patch does not
address the issue properly and causes strings to be double escaped that
should only be escaped once.

Full reasoning:
* The parameter is now marked as `@param-taint $buttonLabel exec_html`
  since the fix for T402313
* All callers outside of HTMLButtonField escape the label now
* There is another method call in HTMLButtonField, which passes the
  `buttonLabel` property to the function. This property is assigned
  in the following places:
** L63: Parsed message
** L67: String literal with a unicode character
** L69: Escaped string
** L72: Intentionally raw HTML string
** L126: `$this->getDefault()`, which will be escaped again in that line
   after this patch is reverted


Bug: T394396
Change-Id: Ifc982e93c3cf2b6658cb8943eb717cb7a2aea7f5
2025-10-03 22:08:24 +00:00
Reedy
f5e3b15f3c Start 1.43.6
Change-Id: I2793e756e5dff211493fee3be56b545b700a4693
2025-10-03 17:54:59 +01:00
Reedy
b2a11b6991 Prep 1.43.5
Change-Id: I4fc99d8739b39ce402c753cde3253e4ad694b278
2025-10-03 17:54:56 +01:00
mszwarc
86f09be37a Update git submodules
* Update extensions/Thanks from branch 'REL1_43'
  to 7b1006569a9b8b228fbf4306162dd731f30b8209
  - SECURITY: Exclude deleted entries when counting thanks
    
    CVE-2025-61654
    
    Why:
    - `ThanksQueryHelper` counts all thanks, even those that the user is not
      authorized to see.
    
    What:
    - Count only those thanks which are visible to everybody
      (`log_deleted` = 0).
      - May be later extended to take into account the permissions of the
        current user.
    
    Bug: T397497
    Change-Id: Idbc1b5a288ffaa7074eedcbac066358a8ec649dc
    (cherry picked from commit ceea84f682ac52fe521b02733fb718add296efde)
2025-10-03 15:45:41 +00:00
SomeRandomDeveloper
54c85c7713 SECURITY: Escape system messages in mw.language.listToText
CVE-2025-11261

It should be possible to use the result of this method as HTML
without introducing i18n XSSs.
The PHP-equivalent Language::listToText also escapes the messages.

This fixes a stored i18n XSS in CheckUser.

Bug: T406322
Change-Id: Ieb809b043dec288e92356d8f6492d22340c8c3f6
(cherry picked from commit d951fa4ff07a96907b023e4f7e5dd7c630a78fc1)
2025-10-03 14:33:06 +00:00
Reedy
4c4b22af95 Update git submodules
* Update extensions/ConfirmEdit from branch 'REL1_43'
  to 5acd36799ee4177c5eea52751f1b7a0e2140f858
  - Update code for voice and tone reasons
    
    * Reduces use of whitelist
    * Deprecates and provides new $wg to replace $wgCaptchaWhitelistIP and $wgCaptchaWhitelist
    
    Bug: T277936
    Change-Id: I9c4a572321bb06e5a1d4208a295e21b73e75b787
2025-10-02 23:53:14 +00:00
David Lynch
fb0ccdc19a Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to c6a33d6564b75ad18fc35a7e09d02832d989a30f
  - SECURITY: In API check user read permissions before showing PageInfo
    
    CVE-2025-61652
    
    Bug: T397580
    Change-Id: If39b4732b616b89bb58b9be6f8dcab103edd61ce
    (cherry picked from commit 94ba9d3d12d8160a505c620f9291b374d964927c)
2025-10-02 23:51:57 +00:00
Antoine Musso
49cb886bd2 Update git submodules
* Update extensions/AbuseFilter from branch 'REL1_43'
  to e0c1a9ab0dedcf652632fb7fb95d05d751eac3f5
  - Load CodeEditor resources conditionally
    
    On CI, we would like to remove the recursive injection of extensions
    dependencies.  When AbuseFilter is a dependency, we are required to add
    CodeEditor and WikiEditor to fulfil the requirement that all
    dependencies are defined (ResourcesTest::testValidDependencies).
    
    This makes it so that the `ext.abuseFilter.ace` resource loader module
    is only registered when CodeEditor is enabled.
    
    Bug: T389998
    Change-Id: Ib295c354c90901c43a7b654fa39bb60e94bfc546
    (cherry picked from commit f299b9d8042c7b53eb50346cb879b89eed745dfa)
2025-10-02 22:23:31 +00:00
Ed Sanders
43711ddaee Update git submodules
* Update extensions/VisualEditor from branch 'REL1_43'
  to f76a066f451ef6bc295d397ed428b6a4c93a14ab
  - Load TemplateData message conditionally
    
    Bug: T404790
    Change-Id: I85706b7c9d4700d70c8486b138fe0741cd0a6d48
    (cherry picked from commit 9c7b3b9df0c5addb71cef7075ef9bc8b272a2b18)
2025-10-02 22:17:49 +00:00
Reedy
da1d904c9f Start 1.43.5
Change-Id: I64f7731b5208c57a3e5dd61722b4d1584ee5e105
2025-10-02 22:21:45 +01:00
Reedy
c4b6b0912d Prep 1.43.4
Change-Id: Ia2a8388841898954080a595fbcd19a922fc3f102
2025-10-02 22:21:45 +01:00
Reedy
2c506be727 Update git submodules
* Update extensions/VisualEditor from branch 'REL1_43'
  to 0c17d239a6f337eb57a8934895b87f498e2221ea
  - Update lib/ve to HEAD of REL1_43
    
    Change-Id: Idb23c94c446a88b48209cfaea44d4c2545635ca1
2025-10-02 21:21:26 +00:00
SomeRandomDeveloper
75745977fa Update git submodules
* Update extensions/VisualEditor from branch 'REL1_43'
  to 19567501cb05fdcfe547b9c1a0a3d82ca5a309ad
  - SECURITY: Properly escape and parse system messages
    
    CVE-2025-61655
    
    * Parse lastmodifiedat in PHP and return via API to support
      tags that are not supported by jQueryMsg
    * Escape parentheses message and manually insert the parameter
    
    This addresses two stored i18n XSS vulnerabilities.
    
    Bug: T395858
    Change-Id: Id0c62956bf5ae6e0d952cbd1eddfc845d2cdc9a6
2025-10-02 20:46:05 +00:00
Reedy
60bfc70e21 Update git submodules
* Update extensions/ConfirmEdit from branch 'REL1_43'
  to d92c701ac1f50eb1624e9b061b096ff4c7169afd
  - SECURITY: ApiFancyCaptchaReload: Reuse badcaptcha rate limit
    
    CVE-2025-61635
    
    * Set a default badcaptcha rate limit in extension.json
    * Mark the API as internal
    
    Bug: T355073
    Change-Id: I713e587e18879cbc6756882b62e021625e899eb1
2025-10-02 20:43:09 +00:00
Justin Zhang
bccd38d768 Update git submodules
* Update extensions/TextExtracts from branch 'REL1_43'
  to 55355a15514691ca7b88ad43fd90eedff3a2c4b1
  - SECURITY: Add authorizeRead check for extracts endpoint
    
    CVE-2025-61653
    
    Why:
    
    - A check for appropriate read permissions should be added
      to the extracts action API endpoint to improve security.
    
    What:
    
    - This change loops through titles and performs a permission
      check via Authority::authorizeRead().  If the user does not
      have appropriate permissions, an error is thrown and any
      relevant titles are unset.
    
    Bug: T397577
    Change-Id: I126f7fcda864cf51d005214c7f74fcff76c791c3
2025-10-02 20:25:54 +00:00
SomeRandomDeveloper
45ebd1ba63 Update git submodules
* Update skins/Vector from branch 'REL1_43'
  to c49fab7557ab0f2478e1053a54e47dfd0e9ec6df
  - SECURITY: Insert sticky header labels as text instead of HTML
    
    CVE-2025-61657
    
    Assigning to.innerHTML to from.textContent essentially unescapes
    any characters inside the labels.
    This fixes a stored XSS vulnerability through system messages.
    
    Bug: T398636
    Change-Id: Ib78c3113a3d7b195bf348e8a52f29058eaf9a59f
2025-10-02 20:25:49 +00:00
Dreamy Jazz
49907788ab SECURITY: Use ManualLogEntry::getDeleted in ::getRecentChange
CVE-2025-61639

Why:
* ManualLogEntry::getRecentChange creates the RecentChange object
  for the ManualLogEntry instance.
** This does not currently include the deleted flags set in the
   ManualLogEntry
** Without this, the RecentChange that is created will not be
   marked as deleted and published as public.
* Therefore, this means that any code which hides a log entry
  from the creation of the entry will cause an unintentionally
  public recent change entry.
** The AbuseFilter extension attempts to suppress the log entry
   for the block on its creation, which therefore hits this
   security bug.

What:
* Update RecentChange::newLogEntry to accept a $deleted field
  which is set by default as 0 which is used as the value of
  rc_deleted.
* Update ManualLogEntry::getRecentChange to pass the value of
  ManualLogEntry::getDeleted to RecentChange::newLogEntry.
* Test that this fix worked.

Bug: T280413
Change-Id: I681a49ac7d7b22ffe259b976ad5315490dda467b
2025-10-02 19:38:49 +00:00
Dillon Hardy
2a0451f75d SECURITY: Prevent leaking hidden usernames in Watchlist/RecentChanges
CVE-2025-61646

If an individual editor makes consecutive revisions on a single page,
and only some are marked as hidden username, the non-hidden ones will
reveal the (username hidden) true identity.

Enable the "Group changes by page in recent changes and watchlist" and
"Use non-JavaScript interface" preferences to reproduce the issue. See
the referenced Phabricator tasks for more details.

The solution here is to separate hidden and visible editors from the
grouping on the frontend side, using existing helper functions.

Bug: T398706
Change-Id: I1408fe7712ffef3ba76294d8483c7b7624a0d11c
2025-10-02 19:38:49 +00:00
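Added example, not code from MediaWiki or from this commit, showing the grouping rule the commit describes: when consecutive changes to one page are collapsed into a group, editors whose username is hidden must be kept out of the per-editor counts of the visible editors, otherwise the counts of the visible rows attribute the hidden row. The rows, the page titles and the "userHidden" flag (standing in for the DELETED_USER bit) are constructed for this example.

```javascript
// Added example, not MediaWiki code: group consecutive changes to one page
// as an enhanced recentchanges view does, without letting the per-editor
// counts of the visible rows give away who made a row whose username is
// hidden. Rows are constructed; "userHidden" stands for the DELETED_USER bit.

const HIDDEN_USER_LABEL = '(username removed)';

// Group rows by page title, keeping the order in which pages first appear.
function groupByPage(rows) {
  const groups = new Map();
  for (const row of rows) {
    if (!groups.has(row.title)) groups.set(row.title, { title: row.title, rows: [] });
    groups.get(row.title).rows.push(row);
  }
  return [...groups.values()];
}

// Leaky summary: counts by real username, so a hidden row is folded into the
// same editor's visible count ("Alice x3" for two visible edits and one hidden).
function summarizeEditorsNaive(group) {
  const counts = new Map();
  for (const row of group.rows) counts.set(row.user, (counts.get(row.user) ?? 0) + 1);
  return [...counts].map(([user, n]) => `${user} x${n}`).join('; ');
}

// Fixed summary: hidden rows are kept out of every visible editor's bucket
// and reported only under the placeholder label.
function summarizeEditors(group) {
  const visible = new Map();
  let hidden = 0;
  for (const row of group.rows) {
    if (row.userHidden) hidden += 1;
    else visible.set(row.user, (visible.get(row.user) ?? 0) + 1);
  }
  const parts = [...visible].map(([user, n]) => `${user} x${n}`);
  if (hidden > 0) parts.push(`${HIDDEN_USER_LABEL} x${hidden}`);
  return parts.join('; ');
}

// Constructed rows: Alice edits Foo three times and the middle edit has its
// username hidden; Bob edits Bar once.
const ROWS = [
  { title: 'Foo', user: 'Alice', userHidden: false },
  { title: 'Foo', user: 'Alice', userHidden: true },
  { title: 'Foo', user: 'Alice', userHidden: false },
  { title: 'Bar', user: 'Bob', userHidden: false },
];

function demo() {
  const [foo] = groupByPage(ROWS);
  return { naive: summarizeEditorsNaive(foo), fixed: summarizeEditors(foo) };
}

console.log(demo());
```

The naive summary never prints the hidden username directly; it leaks it through the count, which is why the fix has to split the buckets rather than just relabel the hidden row.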
Dreamy Jazz
f7c717b09a SECURITY: Don't send suppressed recent changes to RCFeeds
CVE-2025-61643

Why:
* Some RecentChange objects being processed by
  RecentChangeRCFeedNotifier::notifyRCFeeds can be already
  deleted / suppressed
** This can happen for log entries which are deleted or suppressed
   when they are created such as described by T280413
* RecentChanges feeds are often not equipped to handle appropriate
  redaction of deleted or suppressed recent change entries
** Therefore, sending them suppressed recentchanges entries will
   likely publicly expose the suppressed information
* As a short-term fix we can stop sending any defined RCFeed
  instances RecentChange objects which are suppressed
** We may want to consider making RCFeeds capable of suppressing
   information before publishing the data, but that would need a
   more considered approach.

What:
* Update RecentChangeRCFeedNotifier::notifyRCFeeds to return early
  if the rc_deleted attribute on the provided RecentChange object
  isn't zero (0 means not deleted).
* Add a PHPUnit test to check for this

Bug: T403757
Change-Id: Ic5e553bab8e82e7faee323a46ed6704043c5163b
2025-10-02 19:38:49 +00:00
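Added example, not code from MediaWiki or from either commit, modelling the two fixes together: the ManualLogEntry::getDeleted fix above, where the deleted bits of a log entry must be carried into the recentchanges row it creates, and this commit, where the feed notifier must drop any row whose rc_deleted is not zero. The bit values follow MediaWiki's LogPage constants but are an assumption of this example; the log entries, the row shape and the capturing feed are constructed.

```javascript
// Added example, not MediaWiki code: carry the deleted bits from a log entry
// to the recentchanges row it produces, and refuse to publish any row with a
// non-zero rc_deleted to RC feeds. Bit values follow LogPage's constants
// (assumption for this example); entries and feeds are constructed.

const DELETED_ACTION = 1;
const DELETED_COMMENT = 2;
const DELETED_USER = 4;
const DELETED_RESTRICTED = 8;

// A log entry as an extension would create it; a suppressing extension sets
// the deleted bits before the entry is ever published.
function newLogEntry(type, action, performer, comment, deleted = 0) {
  return { type, action, performer, comment, deleted };
}

// Old conversion: the deleted bits are not consulted, so rc_deleted is always
// 0 and the row is published as public.
function toRecentChangeOld(entry) {
  return {
    rc_source: 'mw.log',
    rc_log_type: entry.type,
    rc_log_action: entry.action,
    rc_user_text: entry.performer,
    rc_comment: entry.comment,
    rc_deleted: 0,
  };
}

// Fixed conversion: the entry's bits become rc_deleted (the $deleted
// parameter the earlier commit adds to RecentChange::newLogEntry).
function toRecentChange(entry) {
  return { ...toRecentChangeOld(entry), rc_deleted: entry.deleted };
}

// Second line of defence: the notifier never hands a deleted or suppressed
// row to feeds, which generally cannot redact fields on their own.
function notifyRCFeeds(rc, feeds) {
  if (rc.rc_deleted !== 0) return 0;
  let sent = 0;
  for (const feed of feeds) { feed.notify(rc); sent += 1; }
  return sent;
}

// Feed stand-in that records what it would have broadcast.
function makeCaptureFeed() {
  const seen = [];
  return { seen, notify: (rc) => { seen.push(rc); } };
}

function demo() {
  const feed = makeCaptureFeed();
  const suppressed = newLogEntry('block', 'block', 'Admin', 'suppressed block',
    DELETED_USER | DELETED_RESTRICTED);
  const ordinary = newLogEntry('block', 'block', 'Admin', 'ordinary block');
  return {
    leakedByOldConversion: notifyRCFeeds(toRecentChangeOld(suppressed), [feed]),
    heldBack: notifyRCFeeds(toRecentChange(suppressed), [feed]),
    publishedOrdinary: notifyRCFeeds(toRecentChange(ordinary), [feed]),
    feedSaw: feed.seen.map((rc) => rc.rc_comment),
  };
}

console.log(demo());
```

Either fix on its own closes the path shown here; keeping both means a future caller that builds a RecentChange without the bits still cannot push a suppressed row to a feed.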
Roan Kattouw
71ebf1a1cf SECURITY: Escape submit button label for Codex-based HTMLForms
CVE-2025-61642

HTMLButtonField::buildCodexComponent() expects raw HTML for its button
label parameter, and this makes sense in the context of that class. But
it was also being used to build the submit button, where we were passing
in a plain text button label.

Escape the button label before passing it in, and more clearly document
that this parameter expects raw HTML.

Bug: T402313
Change-Id: I7fe42df7b9a3fd97eaf89515b7c1afb5ae3e688c
2025-10-02 19:36:28 +00:00
Amir Sarabadani
199aab790a SECURITY: api: Disable maxsize in QueryAllPages in miser mode
CVE-2025-61641

This triggers slow queries and is a DDoS vector

Bug: T298690
Change-Id: Id80f166633a5085378c687551bd54056bc723c09
2025-10-02 19:21:42 +00:00
SomeRandomDeveloper
d2d60515fb SECURITY: Parse messages instead of inserting them as HTML
CVE-2025-61640

This fixes a stored i18n XSS vulnerability in
Special:RecentChangesLinked.

Bug: T402075
Change-Id: I94d89e3f14920122cfd2f949850027122d1e2b6b
2025-10-02 19:21:42 +00:00
C. Scott Ananian
5f21cc528e SECURITY: Sanitize data- attributes
CVE-2025-61638

Previously, if you managed to get data- attributes with e.g. spaces or
slashes in the name into validateAttributes(), then the rest of the
attribute name would not be validated and get concatenated into HTML
that would eventually be parsed as separate attributes (or even tag
contents and new markup, if you had a > in the name). I don’t think this
was possible via regular <p> parsing, as decodeTagAttributes() would
decode the attributes differently in that case, but it was possible via
various wikitext constructs, including {{#tag:}}.

Tighten the regex to throw out such invalid attributes, and add a few
tests in this direction. More refactoring, and especially more tests,
can happen later, once this change is public and we can benefit from CI.

Bug: T401099
Change-Id: Id095a3278083dbedba083d5aa3c1cbaa379a682f
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
2025-10-02 19:21:42 +00:00
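Added example, not MediaWiki's Sanitizer and not code from this commit, showing the class of bug the commit describes: an attribute-name check that only looks at the "data-" prefix lets the rest of the name, spaces, slashes or a ">" included, be concatenated verbatim into the tag, where the browser reads it as further attributes or as the end of the tag. The allow-list, the reserved-name list, the escaping helper and the hostile attribute name are all constructed for this example.

```javascript
// Added example, not MediaWiki's Sanitizer: validate the whole attribute name,
// not just its "data-" prefix, before it is concatenated into a tag. The
// allow-list, reserved-name list and hostile input are constructed.

// Small allow-list of ordinary attributes (the real one is much longer).
const ALLOWED_ATTRS = new Set(['class', 'id', 'title', 'lang']);

// Whole-name check: "data-" plus a conservative character set. Whitespace,
// "/", "=", quotes and ">" are what turn a name into extra attributes or end
// the tag, so none of them can pass this pattern.
const DATA_NAME_RE = /^data-[a-z0-9_.:-]+$/i;
// data- names the software keeps for its own output (assumption: illustrative list).
const RESERVED_DATA_RE = /^data-(mw|ooui|parsoid)/i;

function isValidAttributeName(name) {
  const n = name.toLowerCase();
  if (ALLOWED_ATTRS.has(n)) return true;
  return DATA_NAME_RE.test(n) && !RESERVED_DATA_RE.test(n);
}

// Weak check of the kind the commit describes: prefix only, remainder copied verbatim.
function validateAttributesWeak(attribs) {
  const out = {};
  for (const [raw, value] of Object.entries(attribs)) {
    const name = raw.toLowerCase();
    if (ALLOWED_ATTRS.has(name) || name.startsWith('data-')) out[name] = value;
  }
  return out;
}

// Tightened check: an invalid name is dropped, never repaired.
function validateAttributes(attribs) {
  const out = {};
  for (const [raw, value] of Object.entries(attribs)) {
    if (isValidAttributeName(raw)) out[raw.toLowerCase()] = value;
  }
  return out;
}

function escapeAttrValue(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Serialiser in the style of an openElement(): values are escaped, names are
// trusted, which is exactly why the name check has to be strict.
function openTag(tag, attribs) {
  const parts = Object.entries(attribs).map(([n, v]) => ` ${n}="${escapeAttrValue(v)}"`);
  return `<${tag}${parts.join('')}>`;
}

// Constructed input of the kind a wikitext construct such as {{#tag:}} can
// deliver: the "name" carries a space and a quoted event handler.
const HOSTILE = {
  'data-x onmouseover="alert(1)" y': '1',
  'data-ok': 'fine',
  'class': 'c',
};

function demo() {
  return {
    weak: openTag('span', validateAttributesWeak(HOSTILE)),
    tight: openTag('span', validateAttributes(HOSTILE)),
  };
}

console.log(demo());
```

The weak output serialises as a single attribute from the code's point of view, but a browser tokenises it as data-x, onmouseover and y, which is the split the commit message describes.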
SomeRandomDeveloper
37cc73d931 SECURITY: Escape three system messages used by live preview
CVE-2025-61637

This addresses three stored XSS vulnerabilities that allowed
injecting scripts into the DOM by editing the 'preview',
'editlink' and 'viewsourcelink' system messages.

Bug: T394856
Change-Id: I8e5a234d647ce5559a052f86d1b2ad61812764b9
2025-10-02 19:21:42 +00:00
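Added example, not code from MediaWiki or from any of the commits on this page, showing the rule behind this fix and the mw.language.listToText and Vector sticky-header fixes above: a system message is editable on-wiki by interface admins, so client code that turns a message into markup has to escape it (or insert it as text) exactly as it would any other untrusted string. The message keys, the tampered separator text and the escapeHtml helper are constructed; the helper is a stand-in, not mw.html.escape.

```javascript
// Added example, not MediaWiki code: escaping interface messages before the
// result is used as HTML. Keys, message texts and the escaper are constructed.

// Stand-in for an HTML escaper (assumption: covers the same five characters
// a library escaper such as mw.html.escape handles).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Message lookup over a plain object, with the usual "(key)" fallback.
function makeMsg(store) {
  return (key) => (Object.prototype.hasOwnProperty.call(store, key) ? store[key] : '(' + key + ')');
}

// Vulnerable shape: items and separator messages are concatenated raw, so a
// caller that does element.innerHTML = result executes whatever is in them.
function listToTextUnsafe(items, store) {
  const msg = makeMsg(store);
  const n = items.length;
  if (n === 0) return '';
  if (n === 1) return items[0];
  return items.slice(0, -1).join(msg('comma-separator'))
    + msg('and') + msg('word-separator') + items[n - 1];
}

// Hardened shape: items and messages are all escaped, so the return value is
// safe to use as HTML no matter who last edited the messages.
function listToText(items, store) {
  const msg = makeMsg(store);
  const esc = items.map(escapeHtml);
  const n = esc.length;
  if (n === 0) return '';
  if (n === 1) return esc[0];
  return esc.slice(0, -1).join(escapeHtml(msg('comma-separator')))
    + escapeHtml(msg('and')) + escapeHtml(msg('word-separator')) + esc[n - 1];
}

// Constructed message stores. The second models an interface admin (or an
// attacker holding that right) having edited the "and" message on-wiki.
const SAFE_MESSAGES = { 'comma-separator': ', ', 'and': ' and', 'word-separator': ' ' };
const TAMPERED_MESSAGES = { ...SAFE_MESSAGES, 'and': ' <img src=x onerror="alert(1)">' };

function demo() {
  const items = ['alice', 'bob'];
  return {
    unsafe: listToTextUnsafe(items, TAMPERED_MESSAGES),
    safe: listToText(items, TAMPERED_MESSAGES),
  };
}

console.log(demo());
```

The same rule covers the DOM-side fixes: a label that arrives as a message goes in through textContent, and any string that is later assigned to innerHTML must already have been escaped by code that knew it was building markup.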
Dayllan Maza
596c2615de SECURITY: Escape rawElement $content
CVE-2025-61636

Bug: T394396
Change-Id: I1ed54e4f063ec10d412c0db95b1bfed4a084b1d4
2025-10-02 19:18:18 +00:00
bpirkle
7c233a1670 SECURITY: REST: Set cache-control value of max-age=60 for redirects
CVE-2025-61634

Indirect redirect loops can cause a series of 307 redirects
that overwhelm the servers. Caching the redirect allows
this to resolve.

Bug: T387478
Change-Id: Ibfde4e5ece3d58a1f573c37b46b568a5847fca01
2025-10-02 11:12:19 +01:00
Taavi Väänänen
b5a171c33c COPYING: Do not reference old FSF postal address
As Debian's Lintian tool points out, the FSF has actually moved offices
and this address is no longer valid.

All updates are directly copy-pasted from
https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

Bug: T400642
Change-Id: Idb9af3119641b614d810843730fb73aebd30318c
(cherry picked from commit 8b215b44a03712b260fb71a4934fda2f89b458ae)
2025-10-02 09:32:10 +00:00
Reedy
0494d077f7 RELEASE-NOTES-1.43: Update
Change-Id: I6137566b18b768d9b424c9a44801cea030e4fe37
2025-09-30 19:54:45 +00:00
Translation updater bot
118fddb3f2 Update git submodules
* Update skins/MinervaNeue from branch 'REL1_43'
  to f9c39a05ed0cb795330e9225ed56b85a5821a69d
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I2b8c84a69e41b257c9e0b31ed6a19b36d5522e2e
2025-09-30 06:49:52 +00:00
Translation updater bot
0416eb57f8 Update git submodules
* Update skins/Vector from branch 'REL1_43'
  to 2c348ec4b81c0d2bb13520e2e0a2013604ff06f2
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I4bfe0275ced60421a60de37b6dab7f6a985beaea
2025-09-30 06:49:51 +00:00
Translation updater bot
31c89836a0 Update git submodules
* Update skins/MonoBook from branch 'REL1_43'
  to 91a719b94ec03964eff71ff1ba9cfb4cae4a84df
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Id19aa9b699b3f0480588913d06c63bcd2de5e2ea
2025-09-30 06:49:49 +00:00
Translation updater bot
5d7238a363 Update git submodules
* Update extensions/VisualEditor from branch 'REL1_43'
  to 79f3eeb4931194e61caf25a3b6d5a0448653f2d6
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I808fc1ca5f2aa4429e3d99a6ef362090d8864d27
2025-09-30 06:48:10 +00:00
Translation updater bot
d0da819481 Update git submodules
* Update extensions/WikiEditor from branch 'REL1_43'
  to f1aaaed8f14d1e6a3aa01cebed27f5aca8eb21c5
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I808fc1ca5f2aa4429e3d99a6ef362090d8864d27
2025-09-30 06:48:01 +00:00
Translation updater bot
bd01517731 Update git submodules
* Update extensions/Thanks from branch 'REL1_43'
  to 8e23f487b4db9f45e53861ce6bdd9f3a7aa4a344
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iceca1404ae33f55ac1231276e1c620a56fc6b962
2025-09-30 06:47:33 +00:00
Translation updater bot
4d92b3efac Update git submodules
* Update extensions/TemplateData from branch 'REL1_43'
  to 3e260da9cd287dc4b827aabdf5c2a46f83aafbc4
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I176411c9a26432a17f5a8b924ed852264e29dd9d
2025-09-30 06:47:32 +00:00
Translation updater bot
c42b828ec6 Update git submodules
* Update extensions/SpamBlacklist from branch 'REL1_43'
  to b6c3567c2991d342426ccc488f5eadadc2645ec3
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I82d5f2d4791d3c474c557dcd2befcf8f56a80865
2025-09-30 06:47:27 +00:00
Translation updater bot
f4e506615a Update git submodules
* Update extensions/Scribunto from branch 'REL1_43'
  to ddc54a3fca760823bd06ea0f0ebf045bf48a6ba8
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Id303f0893696fa5df174ae08973c5abef0296e59
2025-09-30 06:47:26 +00:00
Translation updater bot
de7b2eead2 Update git submodules
* Update extensions/OATHAuth from branch 'REL1_43'
  to a0efb41affd25c2f14e47ae1755307ee90e35b1e
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ibb9d11fdf29b04f843eff9a61664dfff5bf3633d
2025-09-30 06:47:04 +00:00
Translation updater bot
a2c64e15e7 Update git submodules
* Update extensions/Nuke from branch 'REL1_43'
  to 79b168a74cdc379bd6099efb3a510d3d286305fb
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I4b98110b6e9bd29a9eacc66cc4e65b8127742d24
2025-09-30 06:46:59 +00:00
Translation updater bot
77df11ec2c Update git submodules
* Update extensions/Math from branch 'REL1_43'
  to 9bdf88a7a971d5b30b50c17a88f592320780f107
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ic04f84810ca71410ca480fb9c16880b2d67a9085
2025-09-30 06:46:52 +00:00
Translation updater bot
128e4ed6c6 Update git submodules
* Update extensions/InputBox from branch 'REL1_43'
  to 0f9f87177b79490019650ae0e6965397d08ad299
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: If91fedcac6475514972c5508bf43934fbd4d9cae
2025-09-30 06:46:40 +00:00
Translation updater bot
b530a1131c Update git submodules
* Update extensions/ConfirmEdit from branch 'REL1_43'
  to 54908a917b43cee8f3f473ad97f5d5b6758b4861
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I40be83cd67657a901944ed432cd84f3c046088d9
2025-09-30 06:46:19 +00:00
Translation updater bot
5a9258e5c4 Update git submodules
* Update extensions/DiscussionTools from branch 'REL1_43'
  to 3f25bcc823c0fa09a8d604fb436daa06ddb244df
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ia98dc81c3ea460ab88339d9a22d8e7b19656a46a
2025-09-30 06:46:11 +00:00
Translation updater bot
3a04197639 Update git submodules
* Update extensions/Echo from branch 'REL1_43'
  to fb8fe7bf4096a40e7a000d9a25264ab4d101bdb3
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I419cfc9dcbe24416c384260668beff75b3563d0c
2025-09-30 06:46:10 +00:00
Translation updater bot
5ee481dbb7 Update git submodules
* Update extensions/CiteThisPage from branch 'REL1_43'
  to 8db01cb5b59cd647ddc178127bc0c365e609dbc6
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ib2ba0e6671cb5ddce444c97b9d9ee842e881d998
2025-09-30 06:45:57 +00:00
Translation updater bot
6e27d24827 Update git submodules
* Update extensions/Cite from branch 'REL1_43'
  to 99f2c99c9d8a27cedfadc1d3e3ff71d9c73e0076
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iee5b3446b8eb91e4ded2f1ea9e3d7dac66d817ed
2025-09-30 06:45:54 +00:00
Translation updater bot
1dd413a469 Update git submodules
* Update extensions/AbuseFilter from branch 'REL1_43'
  to 309c87a224ff278d57d4cb25420fec3bba8abe7a
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I9c22244bc450c78e5509fe1f223692b601dbbc98
2025-09-30 06:45:33 +00:00