Stop using a TLD in the EmailNotification class that can now
potentially become a valid domainname.
Bug: T97711
Change-Id: If69d5f32b97320986b14260c851d4aca0d28aa69
When an entry point specifies MW_NO_SESSION, actually enforce that by
having both SessionManager and PHP's session handling (session_start()
and friends) throw exceptions.
If an entry point needs the old behavior of using PHP's default session
handling (as defined in php.ini), it should define
MW_NO_SESSION_HANDLER instead of or in addition to MW_NO_SESSION.
This also makes PHPSessionHandler be installed in CLI mode, where it
wasn't installed before.
Bug: T127233
Change-Id: I2a3db06ee8e44a044096c57a819b5fd5e51c5c5c
As an attempt to detect SessionManager errors that log people into
the wrong account, log multiple IPs using the same session, or the same
user account.
Bug: T125455
Change-Id: I27468a3f6d582d9b46984227b9307dc71190fd6a
Follow up to 7491b52. The 'private, must-revalidate' argument to
session_cache_limiter() does not match any expected values for the
function. This results in the PHP runtime treating it like the
documented empty string argument which completely disables the automatic
addition of cache related headers. Change the implementation to use the
empty string argument explicitly rather than continuing to rely on
the undocumented and potentially confusing existing behavior.
session_cache_limiter( '' ) is called unconditionally in
MediaWiki\Session\PHPSessionHandler::install(). This is safe now that it
is understood that we are disabling the setting of the automatic
headers.
Bug: T124510
Change-Id: I63164f8b7a408e370ff01dead42be27a0135dd35
The plan here is to take it out of 1.27.0-wmf.12 and put it back in
1.27.0-wmf.13.
Since BotPasswords depends on SessionManager, that's getting temporarily
removed too.
This reverts the following commits:
* 6acd424e0d SessionManager: Notify AuthPlugin before calling hooks
* 4d1ad32d8a Close a loophole in CookieSessionProvider
* fcdd643a46 SessionManager: Don't save non-persisted sessions to backend storage
* 058aec4c76 MessageCache: Don't get a ParserOptions for $wgUser before the end of Setup.php
* b5c0c03bb7 SessionManager: Save user name to metadata even if the user doesn't exist locally
* 13f2f09a19 SECURITY: Fix User::setToken() call on User::newSystemUser
* 305bc75b27 SessionManager: Don't generate user tokens when checking the tokens
* 7c4bd85d21 RequestContext::exportSession() should only export persisted session IDs
* 296ccfd4a9 SessionManager: Save 'persisted' flag in session metadata
* 94ba53f677 Move CSRF token handling into MediaWiki\Session\Session
* 46a565d6b0 Avoid false "added in both Session and $_SESSION" when value is null
* c00d0b5d94 Log backtrace for "User::loadFromSession called before the end of Setup.php"
* 4eeff5b559 Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
* 7491b52f70 Call session_cache_limiter() before starting a session
* 2c34aeea72 SessionManager: Abstract forceHTTPS cookie setting
* 9aa53627a5 Ignore auth cookies with value 'deleted'
* 43f904b51a SessionManager: Kill getPersistedSessionId()
* 50c5256352 SessionManager: Add SessionBackend::setProviderMetadata()
* f640d40315 SessionManager: Notify AuthPlugin when auto-creating accounts
* 70b05d1ac1 Add checks of $wgEnableBotPasswords in more places
* bfed32eb78 Do not raise a PHP warning when session write fails
* 722a7331ad Only check LoggedOut timestamp on the user loaded from session
* 4f5057b84b SessionManager: Change behavior of getSessionById()
* 66e82e614e Fix typo in [[MediaWiki:Botpasswords-editexisting/en]]
* f9fd9516d9 Add "bot passwords"
* d7716f1df0 Add missing argument for wfDebugLog
* a73c5b7395 Add SessionManager
Change-Id: I2389a8133e25ab929e9f27f41fa9a05df8147a50
Always treat this as on and simplify the code.
This will also make it easier to move updateWatchlistTimestamp() into
the EnotifNotifyJob class to avoid query timeouts.
Change-Id: I8ceaa42cdcfe3ad00a26368be6a73052be329045
Call `session_cache_limiter( 'private, must-revalidate' );` before
starting a session to specify the cache control headers that PHP will
automatically emit. The calls are wrapped in MediaWiki\quietCall to
suppress "headers have already been sent" warnings that may come from PHP.
If not called explicitly PHP will default to using
the value of the session.cache_limiter ini setting. Some values of that
setting will cause PHP to add a "Pragma: no-cache" header to the
response. Certain user agents (e.g. Firefox) treat that particular
header as a signal to aggressively flush the response from local cache
to the point that back button navigation will not work.
The value used was present in `wfSetupSession` prior to a73c5b7.
Bug: T124510
Change-Id: I942f8420c39c8cec5781ea8f6cc5619fd15f13cd
It's not guaranteed that loadSessionFromStore() will succeed after
whatever alterations the SessionProvider might have made later in the
request.
So instead, let's make a new global object that stores the SessionId
of the persistent session that was loaded during Setup.php, if any. Then
we can check that when we need to know whether the session was
persisted.
Bug: T124468
Change-Id: I1e8e616c83b16aadd86b0a0a40826d40f6e8abe4
SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.
While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.
For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.
Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72
Follow-up to a4a3d04540.
Unlikely to be a security problem, as $2 generally has to
appear somewhere before $1 in this config option.
Bug: T48998
Change-Id: I08788713d9bd7c4c8d81479c18b5a404997a778d
Instead of relying on the global $wgRequest, which probably isn't initialized
so far, create the request object when RequestContext::getRequest() is called
the first time.
Change-Id: I6115ba44e474619d02d456a103758fe73ed298e0
Previously, logged-out users either only saw "Create account" and "Log in"
links in the personal area, or if $wgShowIPinHeader was true, they saw
[icon] 127.0.0.1 Talk for this IP address Create account Log in
where the IP address itself linked to the IP user page.
Now, logged-out users by default see the following:
[icon] Not logged in Talk Contributions Create account Log in
The old $wgShowIPinHeader feature is removed. It is very unfriendly to
show the user's IP address (in red, no less) at the top of every page,
since this will mean nothing to most visitors. Caching means that this
can't even be done reliably, anyway.
Another improvement is that the "talk" and "contributions" links are not
shown if anonymous users don't have the 'edit' right.
Modelled after the loggedOutTalkPage() function at Dutch Wikipedia
<https://nl.wikipedia.org/w/index.php?oldid=44706954>
Bug: T112724
Change-Id: I6f44e3e5d97ea917e4a03af47f3795792e4ca122
Remove the backwards compatibility shims for $wgRateLimitLog which was
deprecated in 1.23 (I86131c4).
Change-Id: I771bbaff43b44d011bff81ddda4f35166ea5f77e
When relative URL used in $wgArticlePath, and $wgArticlePath does not
start with slash (/), raise FatalError.
Bug: T48998
Change-Id: Ic7cd6f774cff97081f4f35af351161170b4b26eb
In HHVM, the settings 'upload_max_filesize' and 'post_max_size' are
not available via ini_get() due to some long-standing bug
(https://github.com/facebook/hhvm/issues/4993). Instead, one can use
'hhvm.server.upload.upload_max_file_size' and 'hhvm.server.max_post_size'
(in a typical PHP fashion, their names are subtly different than the
originals as to increase the potential for confusion).
Added a new method UploadBase::getMaxPhpUploadSize() to handle this.
Additionally:
* 'post_max_size' can be set to 0, which is equivalent to no limit.
Handle this correctly.
* $wgMaxUploadSize can be an array structure, instead of just a number.
Handle this correctly by using UploadBase::getMaxUploadSize().
* When no maximum is set, use PHP_INT_MAX rather than 1e100. It should
be big enough, and the latter is a float, results in 0 when cast to
int, and doesn't look as pretty when formatted in GB in the interface.
Bug: T116347
Change-Id: Idf707253eeae1b90792a7e26d2ab66d1317e67ae
The configuration, tested on wiki.wikimedia.it, generally improves
performance for all parties involved.
Bug: T114098
Change-Id: I76a34e8782908a28523531b2a928ea4ef7710b19
This fixes a few shortcomings in the chunked uploader:
* Raises an error if offset + chunksize > filesize.
* Enforces a minimum chunk size for non-final chunks.
* Refuses additional chunks after seeing a final chunk.
* Status of a chunked upload in progress is now available with
'checkstatus'.
Bug: T91203
Bug: T91205
Change-Id: I2262db1bc8460616b069c564475d2e4148001768
* The '.php5' entrypoints were deprecated in I68b1ae842, $wgScriptExtension
in I3690f78bc.
* Drop the associated ResourceLoader configuration variable, too. `mwgrep`
shows no usage in the MediaWiki namespace.
* Keep the scriptExtension configuration parameter for FileRepo for people who
would like to interoperate with older MediaWiki installations that still use
'.php5'.
Change-Id: I17c8a15484b7e82cd5970d34e688109a2aae3840
In previous versions, the installer often outputted the following
in the generated LocalSettings.php:
> $wgEmergencyContact = '';
> $wgPasswordSender = '';
While this case did not result in providing default values in recent
MediaWiki versions, the mail handling didn't cause an error.
As of MediaWiki 1.25, the error handling is more strict and these
values being empty causes a fatal error and breaks all outgoing mail.
Bug: T104142
Change-Id: Ibf1f857b2f250dac9b725aff8f442e08b8ecd5c9
This make re-configuring these much easier by only needing to update
one variable instead of four.
Also remove redundant hardcoding of wgStylePath and wgResourceBasePath
in the generated LocalSettings.php file during installation. This way
changing wgScriptPath will naturally result in the other variables
updating too. We already do this for many other variables (such as
wgLoadScript, wgScript, wgExtensionAssetsPath, etc.).
Change-Id: Ide74355b4054c78214c17f3b2d6fa2f5270e0ab9
Update the ParsoidVirtualRESTService and the
RestbaseVirtualRESTService to use Parsoid's v3 API, instead of the
deprecated v1/v2 APIs. Since Visual Editor still issues requests
using the Parsoid v1 API, convert Parsoid v1 API requests into Parsoid
v3 API requests when needed for a smooth transition. We also add
support for converting RESTBase v1 API requests to Parsoid v3 API
requests.
The next step will be to convert Visual Editor to issue RESTBase v1
API requests (https://gerrit.wikimedia.org/r/217995), and then the
Parsoid v1 conversion code added here can be removed (T100681).
Tested Parsoid v1->v3 conversion, Parsoid v1->RESTBase conversion,
plus Parsoid v3 and RESTBase v1->Parsoid v3 conversion using VE
patched to issue RESTBase v1 API requests.
Bug: T100681
Change-Id: I07ac60cdec7a52ef93187d40099325a069e3239a
Instead of littering includes/ with stub back-compat aliases, house such
classes in includes/compat/.
Change-Id: I4c1b83e35c8d6c18777a4a3e17d81023915cfb7f
Alternatively, removing this completely might surface the issue for users
more quickly. Without this change, resolving {T74420} becomes more of an issue.
Bug: T74420
Change-Id: Ib2dc9ed56a945acb06b64f3b85ff07ac2a6b7600
(cherry picked from commit 6b4d6662b5b5005bb84f4c5e6315288611bf57f1)
- Removed space after casts
- Removed spaces in array index
- Added spaces around string concat
- Added space after words: switch, foreach
- else if -> elseif
- Removed parentheses around require_once, because it is not a function
- Added newline at end of file
- Removed double spaces
- Added spaces around operations
- Removed repeated newlines
Bug: T102609
Change-Id: Ib860222b24f8ad8e9062cd4dc42ec88dc63fb49e
wfSuppressWarnings() and wfRestoreWarnings() were split out into a
separate library. All usages in core were replaced with the new
functions, and the wf* global functions are marked as deprecated.
Additionally, some uses of @ were replaced due to composer's autoloader
being loaded even earlier.
Ie1234f8c12693408de9b94bf6f84480a90bd4f8e adds the library to
mediawiki/vendor.
Bug: T100923
Change-Id: I5c35079a0a656180852be0ae6b1262d40f6534c4
Make password policies defined in a configurable policy, which is
defined by group. A user's password policy will be the maximum of
each group policy that the user belongs to.
Bug: T94774
Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
Also sets default paths immediately (not in Setup.php) so
they are available before extensions register.
Bug: T98319
Change-Id: I41a8aec7a3e9c576ec7344abf51f8106248ade4b
