The block cookie was being replicated to localStorage in an attempt
to make it harder for users to get around the block by deleting the
cookie (and changing IP addresses).
This whole setup was hard to test, had a few bugs (e.g. the localStorage
value would never expire), and given that it is a minor improvement
over just a plain cookie, it is now being removed. The cookie is only
intended to stop casual block-evaders (other users will get around it
by deleting the cookie or using incognito mode) and so it is not felt
worth having the extra complexity that will only guard against people
who know to remove cookies, not use incognito mode, and yet don't know
to remove localStorage.
Bug: T152952
Change-Id: Ifb06dc2390f4d648d7fcb39e30267de5eddc6941
I was bored. What? Don't look at me that way.
I mostly targeted mixed tabs and spaces, but others were not spared.
Note that some of the whitespace changes are inside HTML output,
extended regexps or SQL snippets.
Change-Id: Ie206cc946459f6befcfc2d520e35ad3ea3c0f1e0
It's unreasonable to expect newbies to know that "bug 12345" means "Task T14345"
except where it doesn't, so let's just standardise on the real numbers.
Change-Id: I6f59febaf8fc96e80f8cfc11f4356283f461142a
This change adds a HMAC to the block-cookie to prevent someone
spoofing a cookie and so discovering revdeleted users' names.
The HMAC is only added if $wgSecretKey is set; if it isn't, the
existing plain-ID format is used. A note about this has been
added to DefaultSettings.php.
Tests are updated and new tests added to demonstrate an
inauthentic HMAC, and for when $wgSecretKey is not defined.
Bug: T152951
Change-Id: I6a3ef9e91091408c25eaa2d36d58b365d681e8c6
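
The commit above signs the block ID with an HMAC when $wgSecretKey is set and keeps the plain-ID format otherwise. An added PHP example of that scheme follows; it is not code from the MediaWiki change, and the `id!hmac` layout, the SHA-256 choice and both function names are assumptions.

```php
<?php
// Added illustration, not MediaWiki's code. The "id!hmac" layout, SHA-256 and
// the function names are assumptions made for this example.

// Build the cookie value for a block ID.
function makeBlockCookieValue(int $blockId, ?string $secretKey): string {
    if ($secretKey === null || $secretKey === '') {
        // No secret configured: fall back to the plain-ID format.
        return (string)$blockId;
    }
    $mac = hash_hmac('sha256', (string)$blockId, $secretKey);
    return $blockId . '!' . $mac;
}

// Return the block ID if the cookie is acceptable, or null otherwise.
function readBlockCookieValue(string $cookie, ?string $secretKey): ?int {
    $parts = explode('!', $cookie, 2);
    $id = $parts[0];
    if (!preg_match('/^[0-9]+$/D', $id)) {
        return null; // only decimal IDs are accepted
    }
    if ($secretKey === null || $secretKey === '') {
        // Plain-ID mode: there is nothing to authenticate.
        return count($parts) === 1 ? (int)$id : null;
    }
    if (count($parts) !== 2) {
        // This example's choice: once a key is set, a bare ID is rejected,
        // otherwise stripping the MAC would bypass the check.
        return null;
    }
    $expected = hash_hmac('sha256', $id, $secretKey);
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of a guessed MAC were correct.
    return hash_equals($expected, $parts[1]) ? (int)$id : null;
}

$key = 'constructed-test-key';                 // constructed sample value
$good = makeBlockCookieValue(1234, $key);      // authentic cookie for ID 1234
$spoofed = '1235' . substr($good, 4);          // different ID, reused MAC

var_dump(readBlockCookieValue($good, $key));     // authentic cookie
var_dump(readBlockCookieValue($spoofed, $key));  // ID swapped under an old MAC
var_dump(readBlockCookieValue('1234', $key));    // MAC stripped
var_dump(readBlockCookieValue(makeBlockCookieValue(1234, null), null)); // no key
```
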
Rather than use wgCookieExpiration as the basis for the maximum
life of a block cookie, just use 1 day.
Tests have been updated also.
Bug: T153347
Change-Id: I3447d97af3170308834f365c5c600430f47c66a7
Blocks made for configured proxies, dnsbls, or the configured range
soft-blocks being added in I6c11a6b9 aren't real blocks stored in the
database. Let's actually flag these blocks as such and use a more
appropriate message when displaying them to the user.
Change-Id: I697e3eec2520792e98c193200c2b1c28c35bf382
Send a cookie with blocks that have autoblock turned on so that
the user will be identified to MediaWiki and any IP they try
to edit anonymously from will be blocked, even without logging
in to the originally blocked account. Additionally, the block
info is stored in local storage as well as an even stronger
deterrence.
Note: this is meant to deter normal vandals, i.e., not attackers
who know what cookies and local storage are and will be actively
removing the cookie.
This feature is disabled by default, and can be enabled with the
new $wgCookieSetOnAutoblock configuration variable (by setting
it to true).
The cookie will expire at the same time as the block or after
$wgCookieExpiration (whichever is sooner).
Bug: T5233
Bug: T147610
Change-Id: Ic3383af56c555c1592d272490ff4da683b9d7b1b
* Renamed mDoneWrites to be clearer at what type it is.
* Also cleaned up a few callers of this method
Change-Id: I45856b210c289c2e2f193cc4328a208e20b4e0a8
This creates a new ProxyLookup service to house the
IP::isConfiguredProxy() and IP::isTrustedProxy() functions. The main
purpose of this refactoring is to make the IP class entirely independent
from MediaWiki, so it can be split into a separate library.
Change-Id: I60434a5f3d99880352bc0f72349c33b7d029ae09
This is more consistent with LoadBalancer, modern, and inclusive
of master/master mysql, NDB cluster, and MariaDB galera cluster.
The old constant is an alias now.
Change-Id: I0b37299ecb439cc446ffbe8c341365d1eef45849
Does both Title and user related methods, so it catches things that only
call $wgUser->isAllowed( 'read' ), as well as giving a nicer error message
for things that use $title->userCan().
Otherwise, the user can still do stuff and read pages if they have an
ongoing session.
Issue reported by Multichill
Bug: T129738
Change-Id: Ic929a385fa81c27cbc6ac3a0862f51190d3ae993
If Block::purgeExpired() hasn't been called due to low traffic, already
expired blocks might have their timestamps extended.
Bug: T128695
Change-Id: I21e7dca57bda77a755b54d0e09f340c3f0e75bd6
I searched for /\$(\S+) = (.+?\(.*?\);)\n.*?\$\1\[/, ignored
everything involving isset(), unset() or array assignments, then
skimmed through the remaining results and changed things where they
made sense. These changes were not automated, so please review them.
Change-Id: Ib37b4c66fc57648470f151ad412210b3629c2538
Just ignore the block and let the block insert/update code
handle the logic of pruning expired conflicting blocks as
well as other expired blocks to other users (as is done
already).
Bug: T92357
Change-Id: Iafcae829af09ed7e8d134cd6c1b2d5bd57ea0f22
Also consistently use self:: instead of BagOStuff:: for constants
referenced within the BagOStuff class.
Change-Id: I20fde9fa5cddcc9e92fa6a02b05dc7effa846742
These callers don't need to do purges, but can still perfectly
take advantage of this instance over a plain BagOStuff. Namely:
* Replication and snapshot lag awareness
* Preemptive regeneration
* Easy process cache support
The idea is for there to only be one caching class/factory
to use, instead of having rules for picking which one to use.
Change-Id: I8e362df451c0c28731fc853c044c4c4b8e097f01
Block::__construct now accepts an array of options instead of a myriad
of optional parameters.
Also add a test for the old constructor.
Change-Id: I6ccd4df569ab49ad841a1ad591e23cafb1715841
Mysqli is returning SELECTed ints as strings rather than as ints, I'm
guessing to avoid problems with 64-bit int types on 32-bit systems. PHP
mostly doesn't care, but it causes API JSON output to have strings
instead of ints all over the place.
This also fixes ForeignAPIFile::getUser( 'id' ) returning the user
*name*.
Bug: T98276
Change-Id: Ie6591d72b3ac40172f8176a8ca8b6fad8e9275a5
There's a bunch of stuff that probably only works because the database
representation of infinity is actually 'infinity' on all databases
besides Oracle, and Oracle in general isn't maintained.
Generally, we should probably use 'infinity' everywhere except where
directly dealing with the database.
* Many extension callers of Language::formatExpiry() with $format !==
true are assuming it'll return 'infinity', none are checking for
$db->getInfinity().
* And Language::formatExpiry() would choke if passed 'infinity', despite
callers doing this.
* And Language::formatExpiry() could be more useful for the API if we
can override the string returned for infinity.
* As for core, Title is using Language::formatExpiry() with TS_MW which
is going to be changing anyway. Extension callers mostly don't exist.
* Block already normalizes its mExpiry field (and ->getExpiry()),
but some stuff is comparing it with $db->getInfinity() anyway. A few
external users set mExpiry to $db->getInfinity(), but this is mostly
because SpecialBlock::parseExpiryInput() returns $db->getInfinity()
while most callers (including all extensions) are assuming 'infinity'.
* And for that matter, Block should use $db->decodeExpiry() instead of
manually doing it, once we make that safe to call with 'infinity' for
all the extensions passing $db->getInfinity() to Block's constructor.
* WikiPage::doUpdateRestrictions() and some of its callers are using
$db->getInfinity(), when all the inserts using that value are using
$db->encodeExpiry() which will convert 'infinity'.
This also cleans up a slave-lag issue I noticed in ApiBlock while
testing.
Bug: T92550
Change-Id: I5eb68c1fb6029da8289276ecf7c81330575029ef
Xhprof generates this data now. Custom profiling of various
sub-function units is kept.
Calls to profiler represented about 3% of page execution
time on Special:BlankPage (1.5% in/out); after this change
it's down to about 0.98% of page execution time.
Change-Id: Id9a1dc9d8f80bbd52e42226b724a1e1213d07af7
These functions actually do not return anything, so the @return is
wrong here. '@return void' is ignored.
Change-Id: I11495ee05b943c16c1c4715d617c8b50de22276c
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Makes beginning of @param/@return/@var/@throws in capital
- Changed some types to match the more common spelling
Change-Id: I783e4dbfe5f6f98b32b9a03ccf6439e13e132bcc
- use tab as indent instead of spaces
- Added space after closures "function"
- Added spaces around string_concat
- Added newline inside empty blocks
- Removed four spaces after comma
Change-Id: I4425b0c6a69b36f40acfea6511b8950cf09ce2b2