Commit graph

80432 commits

Translation updater bot
a13c7cad6e Localisation updates from https://translatewiki.net.
Change-Id: I8a9758cc9475d503948bdef92a4ea60a27cda6b3
2025-07-15 07:33:49 +02:00
Translation updater bot
97bc6ab0b3 Localisation updates from https://translatewiki.net.
Change-Id: If84426817dc71714bd7d89735afeef3b0b1ea696
2025-07-08 07:32:39 +02:00
Umherirrender
26734f2f5f autoload: Expand Autoloader::CORE_NAMESPACES
Add missing namespace prefix to the constant

Change-Id: I3ba37863b1e4de9d64d1c09045c0e5b1da678425
(cherry picked from commit ec02426638f0732a345bd8376f55819ec777741a)
2025-07-07 16:53:04 +00:00
Umherirrender
d433a9467a installer: Always check return of IDatabase::fieldInfo in postgres
A non-existing field may return null when trying to drop the default.
Avoid a fatal error in this situation.
There is no real issue yet, but good coding practice to check for null.

Change-Id: I1041f24361febb52fd7fb20c42348b712dd70fe9
2025-07-02 00:08:01 +00:00
Umherirrender
595623d90e Cache: Move MessageCache hook interfaces into correct folder
The folder name must match the namespace used for the interface.

Change-Id: I5e2f6d12b33a8ff540eaf4b9998e573179e8a1cf
2025-07-02 00:34:15 +01:00
Umherirrender
10c01b23c0 Rest: Move ModuleConfigurationException into correct folder
The folder name must match the namespace used for the class.

Change-Id: I768a4f8c9031e51b4a61174f39164204f6331dc2
2025-07-02 00:24:28 +01:00
Reedy
1317199663 Prepare 1.43.3
Change-Id: I759bdcfafc659cf470353aa54bc026485bff020e
2025-07-01 14:47:09 +01:00
jenkins-bot
1698f0771a Merge "BlockListPagerTest: Fixup tests for pre REL1_44" into REL1_43
2025-07-01 12:43:42 +00:00
Translation updater bot
c129ebd2d2 Localisation updates from https://translatewiki.net.
Change-Id: Id745ce901c7efff83a022e0879125ca9fdebd44a
2025-07-01 07:34:28 +02:00
Reedy
923f7e6755 BlockListPagerTest: Fixup tests for pre REL1_44
* Fix test failures
* Cherry-pick message cache change I957b6fb2bc0d9d4b1aae6e
* Cherry-pick part of I638d6d6d23f9624ba1dff0f4fcc to change cache from
  static to non-static.

Change-Id: I77a2facf9923d38269538e48c79365fa117af9af
Follows-Up: Id5462b942f5e916c2f1dc725739615d54a1070de
Follows-Up: I5471fe615d222b936c6668bf3089dd8b5931cc75
Follows-Up: I7bbd6ae36a11840ed6b4620b5d07fa5158ff139e
2025-07-01 11:46:47 +10:00
Reedy
0af28b77ee Prep 1.43.2
Change-Id: I31d917df197780bbc2aa8b943035bdebe1a700bd
2025-06-30 21:26:00 +01:00
Tim Starling
71df9ed5b2 SECURITY: Fix leak of hidden usernames via autoblocks of those users
CVE-2025-6927

In BlockListPager, restore the bl_deleted=0 condition removed in the
previous commit. Add tests.

Bug: T397595
Change-Id: I5471fe615d222b936c6668bf3089dd8b5931cc75
2025-06-30 21:25:48 +01:00
Tim Starling
686589d207 SECURITY: BlockList: Hide rows containing suppressed users
CVE-2025-6589

Bug: T391343
Co-Authored-by: MusikAnimal <musikanimal@gmail.com>
Change-Id: Id5462b942f5e916c2f1dc725739615d54a1070de
2025-06-30 21:25:41 +01:00
Dayllan Maza
87ea0c739f SECURITY: Fix autoblocks visibility when bl_deleted=1
CVE-2025-6927

ApiQueryBlock was relying only on the filter returned by
HideUserUtils::getExpression, which only works for blocks targeting a
user account.

Bug: T397595
Change-Id: I7bbd6ae36a11840ed6b4620b5d07fa5158ff139e
2025-06-30 21:25:30 +01:00
Dylan F
b2310f4736 SECURITY: Escape usernames in HTMLUserTextField validation errors
CVE-2025-6590

The HTMLUserTextField is accessible to logged-out users on private wikis
through Special:PasswordReset. Validation error messages returned by this
field included unescaped usernames parsed as wikitext. This allowed
logged-out attackers arbitrary access to the parser, enabling them to
reveal page contents through transclusion, e.g., "{{:Private page}}".

Escape the username parameter using wfEscapeWikiText() to prevent
wikitext interpretation in error messages.

Bug: T392746
Change-Id: Ifd8283e107e1655fa3f5694183c4f67954e5c4c5
2025-06-30 20:57:16 +01:00
Gergő Tisza
b1adf3c728 SECURITY: Allow extensions to suppress the reauth flag on login
CVE-2025-6926

This is a workaround for extensions with some sort of "autologin"
implemented via the login page to indicate that the login flow
didn't involve the user actually logging in, it merely copied
some central login state, and so isn't appropriate for the
reauthentication flag.

This isn't the best way to provide an interface to extensions
(if we keep it, a more explicit interface, such as a
SessionPropertiesAuthenticationRequest object that's part of
the initial request set and can be modified by providers,
and can also be used for the "remember me" flag, would be
nicer), and maybe the whole approach of letting extensions
suppress the reauthentication flag is not the best way of
handling the problem in the first place, but it's simple
which is important for a security patch.

Bug: T389010
Change-Id: Ifce73837b25b0caad2d3d3cba000cceb0184c29d
2025-06-30 19:58:42 +01:00
Gergő Tisza
3340302f40 SECURITY: Do not treat autocreation as login for reauthentication
CVE-2025-6597

Autocreation doesn't necessarily involve real-time user
identification, it can be based on some provider identifying the
user based on a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.

Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
2025-06-30 19:58:42 +01:00
Michael Große
8a9ef65437 SECURITY: fix IP leak to unverified email
CVE-2025-6593

Bug: T396230
Bug: T31856
Change-Id: Ibc13fafa0a00b3dc41b097bd7aa77c6a28767a57
2025-06-30 19:58:26 +01:00
Kunal Mehta
4b59ce1f25 SECURITY: API: Escape i18n messages in action=feedcontributions
CVE-2025-6591

This is the same issue as CVE-2025-32072 (T386175), except in the
API's feedcontributions module. Escape the "Contributions" and
"colon-separator" messages so administrators cannot inject HTML
into them, triggering a potential XSS in feed readers.

Bug: T392276
Change-Id: Ic590a0d0cfc0a4a1e61859ecc57a175a8f5ec098
2025-06-30 19:58:26 +01:00
Atieno
da8d30e0c6 [REST Sandbox] Remove SwaggerUI from MediaWiki Releases
Bug: T397470
Change-Id: I4e25792e347e8eeeb1dee4db1d25128948c1cdd0
2025-06-30 16:05:49 +01:00
Umherirrender
101639f81c exception: Skip use of HookRunner when not autoloaded
When autoloading of the HookRunner class fails (due to a wrongly namespaced
interface), it cannot be used in the exception handler, which results in
an error about a class not being found, hiding the real error.

Bug: T387408
Change-Id: I93daa8b05bab42a4008a3bc09f26c7e041030a22
(cherry picked from commit 2037f6e41fcfa4b5240912f7fe09bc28ea1f0ae9)
2025-06-28 20:17:53 +00:00
Máté Szabó
c3bdae9eca exception: Avoid service container init in exception handler
Why:

- The exception handler may be triggered during service container
  initialization, e.g. if an autoloaded class triggers a deprecation
  warning.
- This causes callLogExceptionHook() to try to set up the service
  container once again, which then causes a cryptic "class not found"
  error as the service container attempts to autoload whatever class
  triggered the deprecation warning once again and fails.

What:

- Avoid attempting to initialize the service container in our exception
  handler if it was not set up already, since it may be unsafe to do so.

Bug: T380456
Change-Id: Ib439f25d9e309b77eac00c59c32e39ffbf3aa2a4
(cherry picked from commit 0b1480e60ef7d649bf7d22de5a7c032d04ed0f7a)
2025-06-28 20:17:39 +00:00
Taavi Väänänen
bbd7861a38 specials: SpecialTalkPage: Use config from request context
A special page has access to the request context which includes the site
config, no need to inject that separately here.

Change-Id: If8f01466c64dbacf806b6fccfa0bc4736c259607
(cherry picked from commit 0110bba7c9a8bdaf1cd8579534300c76b29c038a)
2025-06-28 15:11:13 +00:00
Siddharth VP
4fb27b070e htmlform: fix min/max validations on empty input in int/float fields
Int and float fields that are optional cannot currently specify the min
attribute. An unfilled value fails the validation because in PHP 8 any
number is greater than the empty string.

(For comparing numbers with non-numeric strings, the number is first
converted to a string and then compared. In PHP 7, the string was
converted to a number instead.)

Bug: T397883
Bug: T397643
Change-Id: I37be84554708e17eee27a7e599815891787e95bf
(cherry picked from commit 8e7ae749c0870e8133d083ac4125280c11a12ea6)
2025-06-28 12:49:28 +00:00
daniel
db6013aa6c Api: Fix permission checks in action=compare
Why:
- action=compare was used to circumvent Lockdown

What:
- use checkTitleUserPermissions() to enforce read permissions in
  ApiComparePages.

Bug: T397521
Change-Id: Id275382743957004fa7fc56318fc104d8e2d267b
(cherry picked from commit c62e4d93a33e94c7fe6f716a4747b1dbd59b3f90)
2025-06-25 14:17:17 +00:00
daniel
7f1fa6f51f RefreshLinksJob: Check hastext before comparing HTML
Why:
- When comparing the newly generated HTML to the cached HTML, there
  might be cases when the new ParserOutput doesn't contain HTML.

What:
- If hasText() returns false, don't compare HTML and use the "unknown"
  value for the html_changed stats label.

Bug: T388406
Change-Id: Ibc3e79e79a6421d4780739104a949bac50a5b01f
(cherry picked from commit a275e02771bc2ed4243804d5294188f54e47f9fc)
2025-06-25 08:21:23 +00:00
Aaron Schulz
4659cbcccc rdbms: fix table prefixing in "FOR UPDATE" clause generation in Postgres
Make SqlPlatform::tableNameWithAlias() include the unqualified table
name as an alias if doing so is not redundant. This assures that the
default alias from JoinGroupBase::addJoin(), equal to the unqualified
table name, will be usable in SQL (regardless of table prefixes).

Clean up use of identifier quotes for sqlite_master tables. The called
methods expect unqualified names and a passthrough exception already
exists for sqlite_* tables.

Use "block_target.bt_user" directly in ApiQueryBlocks and BlockPager,
instead of using addIdentifierQuotes(). The "block_target" alias is
automatically added to the SQL by the rdbms layer when it's not clearly
redundant, so it is always safe to use block_target.bt_user. Also, there
is no reason for aliases to include quote characters. They are supposed
to be simple alphanumerics like column names. This makes it easy for
tableNameWithAlias() to avoid redundant aliases by checking tableName().

Avoid unneeded quotes around pg_catalog.* table names in the Postgres
installer. The relevant documentation of methods like selectField() is
that the table names be unqualified (no quotes nor dots), though dots
are still supported internally for compatibility reasons and ease of
querying schemas like pg_catalog and information_schema.

Change-Id: Ic7d7826da31f49915141692cb3bd84ed1e872e96
2025-06-24 22:33:30 +01:00
Translation updater bot
38a0f5d5e9 Localisation updates from https://translatewiki.net.
Change-Id: If2a15063f338e83caea4b85b0b87d67defbe80b4
2025-06-24 07:33:27 +02:00
C. Scott Ananian
ed94cc0b64 structure tests: allow PHP 8.1 syntax and autoload enums
Change-Id: I0069df20fbc7ee46c7dc177e5bf352434b8abf32
(cherry picked from commit 12c9e516a2a42d399f5d51f6ba1b162ba68f4894)
2025-06-18 10:55:15 +01:00
Daimona Eaytoy
8a21d033f8 Clean up resource type and phan suppression in postgres code
Replace `resource` with the new types in PHP 8, and drop all the
redundant phan suppressions.

Change-Id: Ie63253356c373da9f8f8db16823d1b7f41822528
2025-06-18 10:54:16 +01:00
James D. Forrester
65c90be7ea Drop a few phan PhanImpossibleTypeComparison suppressions now we've dropped PHP 7.4
Change-Id: I3426e8d65c38f4e4c6e6d2ab8ff380b9d12a47fd
2025-06-18 10:54:01 +01:00
James D. Forrester
ac8a5b0b59 Drop PHP 7.4/8.0 support from master (forward-port from MW 1.42)
This patch was applied to release branches for MW 1.42 in April 2024, and
since ported to MW 1.43 and then MW 1.44 as well. This one-of-a-kind hot
patch will finally discontinue once this lands in the master branch as
part of MW 1.45+ releases.

A small handful of phan fixes make this pass so it can land; the rest
(including fixes rather than suppressions of events here) will happen in
later patches.

Bug: T328921
Bug: T359868
Change-Id: Ica2c11a6243795437ec652923e42ef3bd74a5fd8
2025-06-18 10:53:22 +01:00
Lucas Werkmeister
bce2f8850d logger: Make log() methods return void
psr/log 3.0.0 adds this return type.

For this specific case the fix is very simple, fully
compatible with the older version of psr/log, and
something we’ll have to do sooner or later anyway.

Bug: T356451
Change-Id: I49562ac7f1a71e82cab79fe44296feea573e26d4
(cherry picked from commit 9244d4b2623b9d789e7dea28e65b5ca6f9651aaf)
2025-06-18 02:21:42 +00:00
Translation updater bot
5e27e3d4c9 Localisation updates from https://translatewiki.net.
Change-Id: Id506abba0a9655c6e4d23cf2f901db8e97312661
2025-06-17 07:32:55 +02:00
Reedy
a18e6ca5e6 ApiQueryRevisionsBase: Cast ctype_digit() param to string
Bug: T396766
Change-Id: I22f65e63269ad985f2442176387f2ca96f7609c5
(cherry picked from commit dddeb4e16fae4bae9cd5183548e6db7b3eff2b07)
2025-06-16 14:29:08 +00:00
Timo Tijhof
f34ea0830a widget: Remove outdated try/catch wrapper from SpinnerWidget
== What ==

This method was "Copied from OOUI\Tag", which no longer does this
since last year (I42c7a7b4d, 6e4e1a1796). Apply the same change here.

== Why now ==

Triggering E_USER_ERROR is deprecated in PHP 8.4+.

Bug: T381341
Bug: T379445
Change-Id: I1bac121caf746c30996dccd7fb95c4c240742951
(cherry picked from commit 751eca89fe473cc4a649e47dd54e9ab38f7c1957)
2025-06-14 10:42:05 +00:00
Timo Tijhof
78d252789c Setup: Update error message for composer dependencies check
== Why ==

While psr/log represents our original and first use of Composer,
this is nowadays "just" another dependency among many. It does not
justify or help understand what to do next.

== What ==

Use the same "external libraries" terminology, as on mediawiki.org.

== History ==

* 2014 (Ie66794441): Add first ever Composer dependency (psr/log)
* 2015 (Ie47467657): Add LoggerFactory with check for missing Composer
                     dependency, to address a then-common issue.
* 2015 (Ib60261237): Move check earlier, to WebStart.
* 2017 (I633a6ff23): Move check earlier, to Setup.
* 2021 (Ia81903fb2): Remove redundant exit(1).
* 2025 (I6050ec4ca): Replace deprecated E_USER_ERROR.

Change-Id: I890d1f285997ccbc04cdb378a69815982c2bf64f
(cherry picked from commit b538453cdc6438419d044854cc730706988cb908)
2025-06-13 20:54:40 +00:00
Timo Tijhof
8b7f9129c3 Setup: Switch vendor error from echo+E_USER_ERROR to echo+exit
== Background ==

E_USER_ERROR is a deprecated error code for "recoverable fatal error",
a confusing description no longer used upstream and replaced by the
Throwable/Error concept, i.e. something that is meant to be fatal,
but could in theory be caught if you know what you're doing, via a
risky catch for Throwable instead of Exception.

What trigger_error with E_USER_ERROR does:

* (If we haven't sent headers yet)
  Emit header "HTTP/1.1 500 Internal Server Error".
* (If display_errors is enabled)
  Print the message, again, along with a stack trace.
* Notify set_error_handler letting you "catch" a non-Exception error.
* Write it to error_log, e.g. STDERR for composer serve and CLI,
  or an Apache/php-fpm error.log file.
* End with exit(1).

Issues:

* When enabling display_errors, the message is printed twice.
* The HTTP 500 status didn't work because headers are already sent,
  ... by the "echo" statement, right above it.

== Option A: throw Error $message ==

`throw Error($message)` is the natural successor to E_USER_ERROR.
I would recommend this, if
1) we didn't already echo it, and
2) the message didn't contain HTML, and
3) we needed to keep compat with someone catching this, or
4) we wanted a stack trace.

We echo it because display_errors can be off, and the most likely
audience for this is someone new to PHP/MediaWiki, installing in prod
or locally, when debugging is either intentionally off, or before
they're familiar with debugging modes. As such, we want to print it
ourselves either way, and printing it again as part of E_USER_ERROR
isn't needed.

The HTML part is important because one subtle difference between
trigger_error and throw Error is that the former allows raw HTML,
while the latter treats exception messages as plain text. Our message
intentionally uses HTML to link to docs in the browser, so this is
unhelpful.

The catchable-ness of this is not important to us, as no extension or
distro code (e.g. PlatformSettings.php) can run this early. There
are no runtime consumers of this error, only the end-user's browser.

== Option B: echo+exit ==

Given we already print the message, we just need to exit.

== History ==

* 2014 (Ie66794441): Add first ever Composer dependency (psr/log)
* 2015 (Ie47467657): Add LoggerFactory with check for missing Composer
                     dependency, to address a then-common issue.
* 2015 (Ib60261237): Move check earlier, to WebStart.
* 2017 (I633a6ff23): Move check earlier, to Setup.
* 2021 (Ia81903fb2): Remove redundant exit(1).

== Change ==

* Emit HTTP 500 before the echo.
* Keep echo (for browser) and error_log (for discovery via CLI or log
  file).
* Replace trigger_error with just exit(1), avoid duplicate message.

Bug: T379445
Change-Id: I6050ec4ca857d3c92c1c43f6a38e4154cd60e5d5
(cherry picked from commit 98c6d3c4c3511ecf60ffc693ff6c7164964270ca)
2025-06-13 16:57:53 +00:00
Timo Tijhof
83d4898319 debug: Migrate E_USER_ERROR to throw Error in DeprecationHelper
For a long time now, since PHP 7.0.0, access to non-public properties
has thrown Error, not emitted E_ERROR.

Example - https://3v4l.org/dHChU

Our simulation of this in DeprecationHelper is meant to do what PHP
does, so, given we no longer support PHP 5.6 and can thus construct
Error ourselves, we should do the same.

This is identical - https://3v4l.org/koUqu

== Why ==

Referencing the E_USER_ERROR constant causes a deprecation warning
in PHP 8.4+.

== Change ==

The source change is straightforward.

One of the tests (testSet, dataset 4 "fallbackGetterOnly") was
previously passing by accident. The source called trigger_error twice,
first with E_USER_DEPRECATED (via wfDeprecated) and then again with
E_USER_ERROR. Given that these are asserted via set_error_handler,
an event callback, the callback is run after the callback finished
(it does not interrupt), at which point only the last values are
reported to the event handler. Improve on this by explicitly hiding
the deprecation warning, and focus the case on testing the error.

Bug: T379445
Change-Id: Ia0aff9906102023370f3907e01962a5e1e369125
(cherry picked from commit d0920b8fb5be462a7aba5c21e47b02c2c2f5025f)
2025-06-13 07:40:14 +00:00
Translation updater bot
d5e97d42ac Localisation updates from https://translatewiki.net.
Change-Id: Id5113b17063ac0d61bc9ab3638814ad4d6e13e8e
2025-06-10 07:33:07 +02:00
Bartosz Dziewoński
994f95f757 Treat File::getShortDesc() as possibly unsafe HTML
File::getShortDesc() is documented to return HTML, but some handlers
return unescaped plain text.

Bug: T395834
Change-Id: I150f0215339b4ac18254fce2be138b1cde2277d5
(cherry picked from commit b2a9cc1564397e27fd80e44e99e1905fcbd10684)
2025-06-04 21:18:13 +00:00
Pppery
9ac90f7816 Improve BrokenRedirects display
- Don't strike all entries in Miser Mode
  - This does a query for each entry, however other pages like
    Special:DoubleRedirects already do that so it shouldn't cause
    performance problems.
- If the redirect is no longer broken because its target now exists then
  strike the entire entry rather than displaying a red link to a page
  that actually exists

Bug: T351055
Change-Id: I9189b1ba537f0ca590b41a3db76621f11df2a224
2025-06-03 20:52:50 +00:00
Translation updater bot
834c1a5407 Localisation updates from https://translatewiki.net.
Change-Id: Ia44339c067661faed77d8b6b7670a62fc47589ba
2025-06-03 07:32:43 +02:00
Kosta Harlan
9d3de690e0 Use anonymous user when creating named account from temp account
Why:

- Using an anonymous user object at the start of account creation helps
  ensure that downstream code paths do not record the association
  between a temporary account and a named account

What:

- Use an anonymous user object during account creation initiated by
  temp account users
- Update the session to use the anonymous user and set the request
  context user based on the session user
- Ensure the temp account username is removed from the session, to avoid
  issues where account creation fails and code thinks that a temporary
  account username is already defined for the session
- Add a test to exercise this code path

Bug: T393628
Change-Id: I6d2df8c1d842c4fefa916ed395479f479a0051eb
(cherry picked from commit 3d80e63f109834b90a83597d6d924895b2c6ae71)
2025-05-29 12:06:33 +00:00
Mark A. Hershberger
3ac4f81c18 Remove the hyphen as a legal search character for MySQL
Bug: T221560
Change-Id: Ib38ab6334983eecea0981540d102ecde7fc94d42
(cherry picked from commit 693155fe2c653fbae781578fcb39d9888df5b2a3)
2025-05-28 10:21:06 +00:00
Máté Szabó
7d44a728b6 title: Reset cached Title objects between tests
Why:

- Title has several in-memory caches for Titles constructed via
  newFromText() and for the canonical mainpage instance that
  isMainPage() compares against.
- These caches are not reset between tests, which can cause cryptic
  integration test failures. It's not safe to persist either of these
  caches across tests, as neither the internal state of Title objects nor
  the identity of the canonical mainpage is valid across tests.

What:

- Clear the cached main page instance in Title::clearCaches().
- Call Title::clearCaches() from MediaWikiIntegrationTestCase::resetNonServiceCaches().

Bug: T395214
Depends-On: Ic35b45015ff5a53f6e728b69b59cc57efe0b390b
Change-Id: Ie6cac7e1282f794277dfc8ff3673f12e9969818c
(cherry picked from commit 3f7905bc9ff9006831f8573b7fe948dc7243107e)
2025-05-27 12:35:10 +00:00
Translation updater bot
cd0e100668 Localisation updates from https://translatewiki.net.
Change-Id: Id38b320980cd8e7d74dbb82b050ee2713bc26188
2025-05-27 07:32:17 +02:00
James D. Forrester
700a639140 FormatMetadata::formatFraction: Don't risk passing null to preg_match
We do this above for formatNum(), so this approach seems to be
idiomatic to this code.

Bug: T394989
Change-Id: I804cc180e5de8ddf22b70e9f532f0f2416713eb7
(cherry picked from commit a6a777ae853f0f989b1438bd5c1c3af5dbed135a)
2025-05-22 17:13:58 +00:00
Translation updater bot
f418b5f3bf Localisation updates from https://translatewiki.net.
Change-Id: I8029829a52e7292222f61338bd41d6be924d52e5
2025-05-20 07:33:43 +02:00
Translation updater bot
b7432b90c0 Localisation updates from https://translatewiki.net.
Change-Id: I8263419b865039c2a45179ad5a48d3185b6c71e6
2025-05-13 07:34:39 +02:00