* Update extensions/Linter from branch 'REL1_43'
to ecca5245dec10ec6909fb7eb1d9fd69c99376d43
- Localisation updates from https://translatewiki.net.
Change-Id: Ib4224fa83c58d71ccb7c32a07bab526f330a7b80
* Update extensions/Gadgets from branch 'REL1_43'
to eccf183962b111db3c7f211ad2ee817756c9bc7b
- Localisation updates from https://translatewiki.net.
Change-Id: I24ecaac3a01a37432664c41e52f6bf55015e28ee
* Update extensions/Echo from branch 'REL1_43'
to ada204d7f98718ba47c4064b2b11e6f0748a65ad
- Localisation updates from https://translatewiki.net.
Change-Id: Ida32e8117e0468f068bc5b4b5d8c9a099f654301
* Update extensions/DiscussionTools from branch 'REL1_43'
to 98112b29a668625217d4960f179f10668f65bad4
- Localisation updates from https://translatewiki.net.
Change-Id: I3827dce7627369a0f85f6b4bc12d0924b8e4ec01
* Update extensions/ConfirmEdit from branch 'REL1_43'
to 18cd7afc9e557807ac447f3e165bc8195523ddd5
- Localisation updates from https://translatewiki.net.
Change-Id: I14322cb7c8ddae5b25de12164fc1ab7f49b40d5f
* Update extensions/CodeEditor from branch 'REL1_43'
to f2643fe78b47d3d0be9a5c70d2d0b0fc03d0a60a
- Localisation updates from https://translatewiki.net.
Change-Id: I4f86ca31a713b40425550f2748066b49aab0fc24
* Update extensions/CiteThisPage from branch 'REL1_43'
to 3393d4165ca81ff2d862b4aa467490a127644436
- Localisation updates from https://translatewiki.net.
Change-Id: If21629a15c082defc69dcf55dbddaa6015eeec3f
* Update extensions/CategoryTree from branch 'REL1_43'
to 750aa4b68f723917bccb5817066da4a2c6f33219
- Localisation updates from https://translatewiki.net.
Change-Id: I871cd34098f7e3aefca6f2fa704134d33e1712bd
* Update extensions/AbuseFilter from branch 'REL1_43'
to dbfc5ff1831d19ef3073361bb1f7cd2811eb79c2
- Localisation updates from https://translatewiki.net.
Change-Id: I532b8b55ec97fc8d9a719a9b8cf9fde4235d2f15
CVE-2025-6927
In BlockListPager, restore the bl_deleted=0 condition removed in the
previous commit. Add tests.
Bug: T397595
Change-Id: I5471fe615d222b936c6668bf3089dd8b5931cc75
CVE-2025-6927
ApiQueryBlock was relying only on the filter returned by
HideUserUtils::getExpression, which only works for blocks targeting a
user account.
Bug: T397595
Change-Id: I7bbd6ae36a11840ed6b4620b5d07fa5158ff139e
* Update skins/Vector from branch 'REL1_43'
to 29d89be3529fc0b0a2c00dd6cc7bea9c9606546f
- SECURITY: Insert portlet labels as text instead of HTML
CVE-2025-6596
This addresses a stored XSS vulnerability through system
messages.
Bug: T396685
Change-Id: Ib474c00a887a9cbe4816c25a798cb869044bcf13
(cherry picked from commit 9a92de327ba7d4748b8dece500df442d2ba45b25)
CVE-2025-6590
The HTMLUserTextField is accessible to logged-out users on private wikis
through Special:PasswordReset. Validation error messages returned by this
field included unescaped usernames parsed as wikitext. This allowed
logged-out attackers arbitrary access to the parser, enabling them to
reveal page contents through transclusion, e.g., "{{:Private page}}".
Escape the username parameter using wfEscapeWikiText() to prevent
wikitext interpretation in error messages.
Bug: T392746
Change-Id: Ifd8283e107e1655fa3f5694183c4f67954e5c4c5
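A toy model of the bug class fixed above, added here as an illustration and not MediaWiki code: a validation message that interpolates an unescaped username is handed to a wikitext parser, so a username of the form "{{:Private page}}" transcludes a page the anonymous submitter could not otherwise read. The page store, the transclusion expander (toyParse) and the escaping helper (escapeWikiTextLike, an approximation of what wfEscapeWikiText() does with numeric character references) are all assumptions constructed for this example.

```php
<?php
// Added example, not MediaWiki code. Models CVE-2025-6590: an error message
// built from a raw username is parsed as wikitext, so the username can carry
// a transclusion of a page the caller is not allowed to read.
declare(strict_types=1);

// Constructed in-memory "wiki": page title => wikitext. Stands in for pages
// that a private wiki only shows to logged-in users.
const PAGES = [
    'Private page' => 'Internal launch date: 2025-09-01',
];

// Toy transclusion expander standing in for the real parser: expands
// {{:Title}} (main-namespace transclusion) from the page store.
function toyParse(string $wikitext): string {
    return preg_replace_callback(
        '/\{\{:([^{}|]+)\}\}/',
        fn(array $m): string => PAGES[trim($m[1])] ?? '[[:' . $m[1] . ']]',
        $wikitext
    );
}

// Approximation of wfEscapeWikiText(): replace wikitext metacharacters with
// numeric character references so the parser treats them as literal text.
// (The real function covers more cases, e.g. line-start list markup.)
function escapeWikiTextLike(string $text): string {
    static $map = [
        '{' => '&#123;', '}' => '&#125;', '|' => '&#124;',
        '[' => '&#91;',  ']' => '&#93;',  '<' => '&#60;',
        '>' => '&#62;',  '=' => '&#61;',  "'" => '&#39;',
    ];
    return strtr($text, $map);
}

// Vulnerable: the username is interpolated raw into a message that is then
// parsed, giving the submitter access to the parser.
function invalidUserMessageVulnerable(string $username): string {
    return toyParse("The username \"$username\" is not valid.");
}

// Fixed: escape the parameter before it reaches the parser.
function invalidUserMessageFixed(string $username): string {
    return toyParse('The username "' . escapeWikiTextLike($username) . '" is not valid.');
}

$attack = '{{:Private page}}';
echo "vulnerable: ", invalidUserMessageVulnerable($attack), "\n";
echo "fixed:      ", invalidUserMessageFixed($attack), "\n";
```

Running it shows the vulnerable message containing the private page's text, while the fixed message contains only the escaped braces. The point generalises: any parameter that ends up in a parsed message needs escaping at the boundary, not just the ones a logged-in user can normally supply.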
CVE-2025-6926
This is a workaround for extensions with some sort of "autologin"
implemented via the login page to indicate that the login flow
didn't involve the user actually logging in, it merely copied
some central login state, and so isn't appropriate for the
reauthentication flag.
This isn't the best way to provide an interface to extensions
(if we keep it, a more explicit interface, such as a
SessionPropertiesAuthenticationRequest object that's part of
the initial request set and can be modified by providers,
and can also be used for the "remember me" flag, would be
nicer), and maybe the whole approach of letting extensions
suppress the reauthentication flag is not the best way of
handling the problem in the first place, but it's simple
which is important for a security patch.
Bug: T389010
Change-Id: Ifce73837b25b0caad2d3d3cba000cceb0184c29d
CVE-2025-6597
Autocreation doesn't necessarily involve real-time user
identification, it can be based on some provider identifying the
user based on a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.
Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
CVE-2025-6594
* Fix validation of API parameters. Follow-up to
c36b4634e8.
* Add an extra check for parameters that should be required by the UI.
* Remove a fallback code branch that tried to display responses for
non-pretty formats, which would have been unreachable were it not
for the format validation bug, and which handled HTML unsafely.
Bug: T395063
Change-Id: I392810e3474ffdbe273b1c668ffce4c8dace1380
CVE-2025-6591
This is the same issue as CVE-2025-32072 (T386175), except in the
API's feedcontributions module. Escape the "Contributions" and
"colon-separator" messages so administrators cannot inject HTML
into them, triggering a potential XSS in feed readers.
Bug: T392276
Change-Id: Ic590a0d0cfc0a4a1e61859ecc57a175a8f5ec098
When autoloading of the HookRunner class fails (due to a wrongly namespaced
interface), it cannot be used in the exception handler, which results in a
"class not found" error that hides the real error.
Bug: T387408
Change-Id: I93daa8b05bab42a4008a3bc09f26c7e041030a22
(cherry picked from commit 2037f6e41fcfa4b5240912f7fe09bc28ea1f0ae9)
Why:
- The exception handler may be triggered during service container
initialization, e.g. if an autoloaded class triggers a deprecation
warning.
- This causes callLogExceptionHook() to try to setup the service
container once again, which then causes a cryptic "class not found"
error as the service container attempts to autoload whatever class
triggered the deprecation warning once again and fails.
What:
- Avoid attempting to initialize the service container in our exception
handler if it was not setup already, since it may be unsafe to do so.
Bug: T380456
Change-Id: Ib439f25d9e309b77eac00c59c32e39ffbf3aa2a4
(cherry picked from commit 0b1480e60ef7d649bf7d22de5a7c032d04ed0f7a)
A special page has access to the request context which includes the site
config, no need to inject that separately here.
Change-Id: If8f01466c64dbacf806b6fccfa0bc4736c259607
(cherry picked from commit 0110bba7c9a8bdaf1cd8579534300c76b29c038a)
Int and float fields that are optional cannot currently specify the min
attribute. An unfilled value fails the validation because in PHP 8 any
number is greater than the empty string.
(For comparing numbers with non-numeric strings, the number is first
converted to a string and then compared. In PHP 7, the string was
converted to a number instead.)
Bug: T397883
Bug: T397643
Change-Id: I37be84554708e17eee27a7e599815891787e95bf
(cherry picked from commit 8e7ae749c0870e8133d083ac4125280c11a12ea6)
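The PHP 7 to PHP 8 comparison change behind this fix, as an added stand-alone example (not the form field code from MediaWiki): a naive minimum check compares the raw submitted string against the integer minimum, and on PHP 8 an empty string sorts below every number, so an unfilled optional field is rejected. The hardened version treats the empty string as "not supplied" before comparing, and also refuses non-numeric input, which the naive comparison silently accepts. Both function names are assumptions made for this example.

```php
<?php
// Added example, not MediaWiki code. Demonstrates why an optional numeric
// field with a "min" attribute fails validation on PHP 8 when left blank.
//
// PHP 8 compares a number with a non-numeric string by converting the number
// to a string and comparing as strings, so '' < 0 is true ('' sorts before
// '0'). PHP 7 converted the string to a number instead, so '' < 0 was false.
declare(strict_types=1);

// Naive check: compares the raw submitted value directly against the minimum.
function validateMinNaive(string $submitted, int $min): bool {
    // With $submitted === '' this is '' < $min, which is true on PHP 8 for
    // any $min, so the blank optional field is reported as below minimum.
    // With $submitted === 'abc' it is 'abc' < '0' as strings, which is false,
    // so garbage passes.
    return !($submitted < $min);
}

// Hardened check: a blank optional field is valid; anything else must be a
// numeric string and not below the minimum.
function validateMinOptional(string $submitted, int $min): bool {
    if ($submitted === '') {
        return true; // optional field left unfilled
    }
    if (!is_numeric($submitted)) {
        return false; // non-numeric input never passes
    }
    return (float)$submitted >= $min;
}

// Constructed inputs: blank, at the minimum, above, below, and garbage.
foreach (['', '0', '5', '-3', 'abc'] as $v) {
    printf(
        "%-6s naive=%-5s hardened=%s\n",
        var_export($v, true),
        var_export(validateMinNaive($v, 0), true),
        var_export(validateMinOptional($v, 0), true)
    );
}
```

On PHP 8 the naive check rejects the blank value and accepts 'abc'; the hardened check does the opposite, which is the behaviour a form field should have regardless of PHP version.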
Why:
- action=compare was used to circumvent Lockdown
What:
- use checkTitleUserPermissions() to enforce read permissions in
ApiComparePages.
Bug: T397521
Change-Id: Id275382743957004fa7fc56318fc104d8e2d267b
(cherry picked from commit c62e4d93a33e94c7fe6f716a4747b1dbd59b3f90)
Why:
- When comparing the newly generated HTML to the cached HTML, there
might be cases when the new ParserOutput doesn't contain HTML.
What:
- If hasText() returns false, don't compare HTML and use the "unknown"
value for the html_changed stats label.
Bug: T388406
Change-Id: Ibc3e79e79a6421d4780739104a949bac50a5b01f
(cherry picked from commit a275e02771bc2ed4243804d5294188f54e47f9fc)
* Update extensions/ConfirmEdit from branch 'REL1_43'
to b77a6bdfdf9fa138279fcc8e2be1db440bffceb4
- Replace mt_rand() with random_int()
Deprecated in PHP 8.3 as per https://wiki.php.net/rfc/deprecations_php_8_3#mt_rand_php
Change-Id: I206a55b191c1dbeaec0361fc10b9c1c9228a0836
Make SqlPlatform::tableNameWithAlias() include the unqualified table
name as an alias if doing so is not redundant. This assures that the
default alias from JoinGroupBase::addJoin(), equal to the unqualified
table name, will be usable in SQL (regardless of table prefixes).
Clean up use of identifier quotes for sqlite_master tables. The called
methods expect unqualified names and a passthrough exception already
exists for sqlite_* tables.
Use "block_target.bt_user" directly in ApiQueryBlocks and BlockPager,
instead of using addIdentifierQuotes(). The "block_target" alias is
automatically added to the SQL by the rdbms layer when it's not clearly
redundant, so it is always safe to use block_target.bt_user. Also, there
is no reason for aliases to include quote characters. They are supposed
to be simple alphanumerics like column names. This makes it easy for
tableNameWithAlias() to avoid redundant aliases by checking tableName().
Avoid unneeded quotes around pg_catalog.* table names in the Postgres
installer. The relevant documentation of methods like selectField() is
that the table names be unqualified (no quotes nor dots), though dots
are still supported internally for compatibility reasons and ease of
querying schemas like pg_catalog and information_schema.
Change-Id: Ic7d7826da31f49915141692cb3bd84ed1e872e96
* Update skins/Vector from branch 'REL1_43'
to 31564b81866770ed2235b9248ed9c4f93614ad92
- Localisation updates from https://translatewiki.net.
Change-Id: I54cffcf162035adfb57cea2b33540966d9ac3b8d
* Update extensions/VisualEditor from branch 'REL1_43'
to 3bce60dbcb45d7195c831e527636c88d97bd7bfc
- Localisation updates from https://translatewiki.net.
Change-Id: If482852575c64c63a8fb79e96a51c8f987826719
* Update extensions/WikiEditor from branch 'REL1_43'
to 399939f42fd910e0de5eb49e658d2d0b865b8fd3
- Localisation updates from https://translatewiki.net.
Change-Id: I41b956eb17bba7200f420fccc34008b3da414898
* Update extensions/Thanks from branch 'REL1_43'
to ae78d974e3143d9d10c48f4c8c12ecdba4fecd52
- Localisation updates from https://translatewiki.net.
Change-Id: Ic2dcd4bdd53f1afb8223c3ef45c8642c0beb5eff
* Update extensions/TitleBlacklist from branch 'REL1_43'
to aec41ad533a15282d7d4a825d7b1893b81b25c8e
- Localisation updates from https://translatewiki.net.
Change-Id: Ic2dcd4bdd53f1afb8223c3ef45c8642c0beb5eff
* Update extensions/TemplateData from branch 'REL1_43'
to 12f813122ee580a37bbacb5543b7b490f4ebc4d0
- Localisation updates from https://translatewiki.net.
Change-Id: I17aaa7b93ab5abad84cb7f1dfa943d66e410d8a4
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43'
to 5b790882024a38d2ba3cca25d6322d2cacf75e88
- Localisation updates from https://translatewiki.net.
Change-Id: I2ad1f5673d915f9f405bb4394f55c33a16584486
* Update extensions/OATHAuth from branch 'REL1_43'
to 806e7ea9036bf49637d1a8c40e1c8994220ea909
- Localisation updates from https://translatewiki.net.
Change-Id: I50b598d0331a20e5831d65f3b774eb53a0d824a2
* Update extensions/Nuke from branch 'REL1_43'
to d12367dc6d1c63c2b0302363a1a4c05fe7b4058d
- Localisation updates from https://translatewiki.net.
Change-Id: I6e80d6e16d0c598de66b57a1f3dbe9b953e25959
* Update extensions/Math from branch 'REL1_43'
to 641f3dff30d072cfe0db194557fc3cfc07831b31
- Localisation updates from https://translatewiki.net.
Change-Id: I7b044d4641bcf05c9ee5d0bcae052ea1de9706f9
* Update extensions/Linter from branch 'REL1_43'
to 99863268508a3a5797742868898c73ea1e2cb2c4
- Localisation updates from https://translatewiki.net.
Change-Id: I0033a76f020bae206c6bd8687ae54bc866595c54
* Update extensions/InputBox from branch 'REL1_43'
to c07b5c7f1f60781397ab48ee4ebde494146657e4
- Localisation updates from https://translatewiki.net.
Change-Id: I18aa483f03d5f06027066f0f194b7684cca9aed8
* Update extensions/Gadgets from branch 'REL1_43'
to 543775d2ce5e93ee1f3bb941d9c8261fbd2fc88c
- Localisation updates from https://translatewiki.net.
Change-Id: I3e4a816e9168c56b7fb21f60bd3ea8ea21880f8b
* Update extensions/DiscussionTools from branch 'REL1_43'
to f7a9938618ae47e7ce9ec5d6184ca9a9902f4ded
- Localisation updates from https://translatewiki.net.
Change-Id: I5902d139178a6791af58758d4919907c57a150f1
* Update extensions/Echo from branch 'REL1_43'
to ed7bf37520c5b3b4e452802a781bdee8cac01b12
- Localisation updates from https://translatewiki.net.
Change-Id: Ic84d30a4040f1e2a253bdbf93ea9b06331d2ca88
* Update extensions/ConfirmEdit from branch 'REL1_43'
to 76b40f1224f90791d1d59fdb950bca8abb26356a
- Localisation updates from https://translatewiki.net.
Change-Id: I047e97acc74854ef71ec93172a5c7e2ff390ccab