* Remove checks in HTMLFileCache.php and Article.php.
These haven't been needed since the same check was added to Setup.php,
many years ago. When FileCache is enabled, The Setup.php code disables
MWDebug. There is no reason for FileCache to then also disable itself
based on unused config. That means both of them lose.
We now handle this logic in one place: MWDebug::setup().
* In rebuildFileCache.php, turn it off explicitly, just in case.
The previous code there didn't work because finalSetup()
is called after doMaintenance.php includes Setup.php, which
is what checked this config var to decide on MWDebug::init.
On the other hand, it's also always off in CLI mode.
But, let's not depend on that, maybe we decide to enable it on
CLI one day! Just keep it off explicitly here.
Bug: T189966
Change-Id: I45a8f77092249751dc6f276aa5bb67ebf5b4f64c
The code was checking for `Exception` to decide whether to produce traces,
so it wasn't providing them for PHP 7's new Errors. The code itself
works fine with any Throwable.
We have to keep parallel checks for Exception too for the time being,
because HHVM as used in Wikimedia production doesn't have Throwable.
Bug: T187147
Change-Id: Iec8a6718beb7ec09e45e332ee5762d0644ce17ab
The method for getting the declaring class name was not used when
printing the class name, and was incorrect anyway. Use reflection
when on the error path to ensure the correct class name is used.
Change-Id: Ic9cd4319535d5ab877a0563e0433371e1025d985
self::class would have been better here for consistency across
the code base but seems HHVM handles self::class diferrently from
PHP 7, when used inside a trait. The difference is significant to the
tests and thus we keep the result the same by using __CLASS__ instead.
Change-Id: I58b452341a0567f4d6e6636a7e489531a5569d20
In the array 'loggers' the key '@default' is assumed to be present,
hence be sure it is defined: this is the system default for MediaWiki,
it can be overwritten if desired.
This default php://stderr with level ERROR is inspired from Monolog’s
own default, which is php://stderr with level DEBUG: this is similar
but less violent for the average MediaWiki sysadmin.
Bug: T196906
Change-Id: Id74083fc20ddf906c40e6d149095e8ade4c68572
Introduce a new handler, similar to SyslogHandler, that will be used to
replace udp2log. The main feature of the handler is being able to vary
the 'application name' with each record's channel. This way the channel
can be reconstructed later, e.g. when writing to plaintext files.
See also an overview of the plan here:
https://phabricator.wikimedia.org/T205856#4957430
Bug: T126989
Change-Id: I0c040825b31cd70f197dc8c1d406a103dc0ed1d1
Basically turning Mediawiki to MediaWiki as all other classes exist
in that namespace
Bug: T217128
Change-Id: I95039a1a54c9900a2f2414b5a6ccce5fb6e5e612
When a unit test fails it is possible, perhaps even likely in some
cases, that some code that was run logged useful information about
how that failure came to be.
Help people out, tell them what happened!
Change-Id: I30bbc31799a65024868678d052fec9aafacc1aff
This formatter extends LogstashFormatter to prefix records with "cee token"
used for syslog and JSON structured logging. See also related task for more
context.
Bug: T211124
Change-Id: I3cdeb4c666f54039b5e8ecc67bd4937220333526
In Monolog\Logger (Logger.php), the logger levels are constants (interger values).
Logger::DEBUG is a constant (int) with value 100 which depicts that error logging
level. Datatype of these values; DEBUG, INFO, WARNING, etc are all integers not
strings.
Change-Id: I1cc67381bc64800241f5f9b7232ffe5419388d8a
Follows-up 81e8d7af41 and e861191b2c.
When using $wgShowDebug, $wgDebugComments, or $wgDebugLogFile
locally, or when using the 'log' attribute with X-Wikimedia-Debug,
all channels should be enabled and logged. But, the DBQuery logs
are currently going nowhere.
The code for MWDebug::query() is intercepting it, even if
$wgDebugToolbar is not enabled.
And after that, the code for wfLogDBError was intercepting it,
again, even if $wgDBerrorLog is not enabled.
Bug: T202764
Change-Id: I710c26a9e9c30fea20975d1bc24e1f0af077c2ad
Uses new PHP 5.6 syntax like ...parameter unpacking and
calling anything looking like a callback to make the code more readable.
There are much more occurrences but this commit is intentionally limited
to an easily reviewable size.
Change-Id: Idcec077ef3fdf029b632cceafd0150851ad723e3
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
The primary goal here is a defense in depth measure to
stop an attacker who found a bug in the parser allowing
them to insert malicious attributes.
This wouldn't stop someone who could insert a full
script tag (since at current it can't distinguish between
malicious and legit user js). It also would not prevent
DOM-based or reflected XSS for anons, as the nonce value
is guessable for anons when receiving a response cached
by varnish. However, the limited protection of just stopping
stored XSS where the attacker only has control of attributes,
is still a big win in my opinion. (But it wouldn't prevent
someone who has that type of xss from abusing things like
data-ooui attribute).
This will likely break many gadgets. Its expected that any
sort of rollout on Wikimedia will be done very slowly, with
lots of testing and the report-only option to begin with.
This is behind feature flags that are off by default, so
merging this patch should not cause any change in default
behaviour.
This may break some extensions (The most obvious one
is charinsert (See fe648d41005), but will probably need
some testing in report-only mode to see if anything else breaks)
This uses the unsafe-eval option of CSP, in order to
support RL's local storage thingy. For better security,
we may want to remove some of the sillier uses of eval
(e.g. jquery.ui.datepicker.js).
For more info, see spec: https://www.w3.org/TR/CSP2/
Additionally see:
https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
Bug: T135963
Change-Id: I80f6f469ba4c0b608385483457df96ccb7429ae5
* Use $_SERVER['REQUEST_TIME_FLOAT'] unconditionally in WebRequest.php
and libs/Timing.php. WebStart.php was doing this already without issue.
The key existst since PHP 5.4, for both Web and CLI (we require 5.5).
* In wfDebug() and wfReportTime(), use $_SERVER['REQUEST_TIME_FLOAT'] instead.
* In ApiFormatBase and MWDebug, use WebRequest::getElapsedTime() instead.
* In Maintenance.php, remove setting of $wgRequestTime.
* In rebuildFileCache.php, update mocking to $_SERVER['REQUEST_TIME_FLOAT']
so that we avoid re-introducing bug T24852.
Change-Id: I1b647da2862f815029caa533b592ec8a05b33806
Deprecate the unnamespaced version and move it to includes/compat.
Bug: T147167
Depends-On: I39c805bfb98b32f32f3d0dc1eee9e823afe1c21a
Change-Id: I3780c7adf51683f3f7adb35a88f9a25a0a2e2530
phpdbg is a gdb-style debugger for PHP that is run from the command
line. However, it has a different PHP_SAPI value, so it was impossible
to run maintenance scripts with it (until now).
To avoid having to check both PHP_SAPI values in a bunch of places,
introduce wfIsCLI() to easily check whether running from the
command-line or not.
We're (CI team) interested in generating code coverage with phpdbg
instead of xdebug, hence this patch.
Bug: T184043
Change-Id: Id1f994ca146d7858cd8bb6ab6cdbb7718ff524fb
Follows investigation from T172559, where we found that there is no explicit
way to find what script triggered particular error messages when the script
was run from the command-line (as opposed to a web request, where the
built-in WebProcessor adds fields like http_method and url).
Change-Id: Ia9641274a164137dcc30324578d750cc662976ee
In phpcs.xml rename renamed sniffs and add the failing sniffs,
because now the whole sniff is no longer excluded.
Change-Id: If5b0bd16028761abc2c47ace9e97d37ad14bb36f
And auto-fix all errors.
The `<exclude-pattern>` stanzas are now included in the default ruleset
and don't need to be repeated.
Change-Id: I928af549dc88ac2c6cb82058f64c7c7f3111598a
Undo traces of a practice we carried over from past projects and
existing examples that is neither universal nor actively encouraged in
the MediaWiki codebase.
Bug: T139301
Change-Id: I5c9c89b72a45a44aa4264a5e57b003c1a86cdf6e
Co-Authored-By: Brad Jorsch <bjorsch@wikimedia.org>
eval.php previously set $wgDebugLogFile to /dev/stdout. This had the
following problems:
* It doesn't work if the maintenance script is executed via sudo, since
/dev/stdout is typically owned by the original user, so MW can't open
it. Using php://stdout worked on HHVM but not PHP.
* Setting $wgDebugLogFile has no effect if the wiki uses MonologSpi.
* Setting $wgDebugLogFile has no effect on channels configured with
$wgDebugLogGroups.
* stderr is a more appropriate place to send logging output.
* Writing to configuration variables is discouraged.
So, add ConsoleSpi, which is a very simple logging service provider
which sends all messages to stderr. This should be suitable for
debugging with eval.php or shell.php in WMF production or beta.
Change-Id: Ib0d6ce45e0cbecd58263fc4e360c63d4149acb3a
I was bored. What? Don't look at me that way.
I mostly targetted mixed tabs and spaces, but others were not spared.
Note that some of the whitespace changes are inside HTML output,
extended regexps or SQL snippets.
Change-Id: Ie206cc946459f6befcfc2d520e35ad3ea3c0f1e0
