Follow up to 7491b52. The 'private, must-revalidate' argument to
session_cache_limiter() does not match any expected values for the
function. This results in the PHP runtime treating it like the
documented empty string argument which completely disables the automatic
addition of cache related headers. Change the implementation to use the
empty string argument explicitly rather than continuing to rely on
the undocumented and potentially confusing existing behavior.
session_cache_limiter( '' ) is called unconditionally in
MediaWiki\Session\PHPSessionHandler::install(). This is safe now that it
is understood that we are disabling the setting of the automatic
headers.
Bug: T124510
Change-Id: I63164f8b7a408e370ff01dead42be27a0135dd35

The plan here is to take it out of 1.27.0-wmf.12 and put it back in
1.27.0-wmf.13.
Since BotPasswords depends on SessionManager, that's getting temporarily
removed too.
This reverts the following commits:
* 6acd424e0d SessionManager: Notify AuthPlugin before calling hooks
* 4d1ad32d8a Close a loophole in CookieSessionProvider
* fcdd643a46 SessionManager: Don't save non-persisted sessions to backend storage
* 058aec4c76 MessageCache: Don't get a ParserOptions for $wgUser before the end of Setup.php
* b5c0c03bb7 SessionManager: Save user name to metadata even if the user doesn't exist locally
* 13f2f09a19 SECURITY: Fix User::setToken() call on User::newSystemUser
* 305bc75b27 SessionManager: Don't generate user tokens when checking the tokens
* 7c4bd85d21 RequestContext::exportSession() should only export persisted session IDs
* 296ccfd4a9 SessionManager: Save 'persisted' flag in session metadata
* 94ba53f677 Move CSRF token handling into MediaWiki\Session\Session
* 46a565d6b0 Avoid false "added in both Session and $_SESSION" when value is null
* c00d0b5d94 Log backtrace for "User::loadFromSession called before the end of Setup.php"
* 4eeff5b559 Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
* 7491b52f70 Call session_cache_limiter() before starting a session
* 2c34aeea72 SessionManager: Abstract forceHTTPS cookie setting
* 9aa53627a5 Ignore auth cookies with value 'deleted'
* 43f904b51a SessionManager: Kill getPersistedSessionId()
* 50c5256352 SessionManager: Add SessionBackend::setProviderMetadata()
* f640d40315 SessionManager: Notify AuthPlugin when auto-creating accounts
* 70b05d1ac1 Add checks of $wgEnableBotPasswords in more places
* bfed32eb78 Do not raise a PHP warning when session write fails
* 722a7331ad Only check LoggedOut timestamp on the user loaded from session
* 4f5057b84b SessionManager: Change behavior of getSessionById()
* 66e82e614e Fix typo in [[MediaWiki:Botpasswords-editexisting/en]]
* f9fd9516d9 Add "bot passwords"
* d7716f1df0 Add missing argument for wfDebugLog
* a73c5b7395 Add SessionManager
Change-Id: I2389a8133e25ab929e9f27f41fa9a05df8147a50

Always treat this as on and simplify the code.
This will also make it easier to move updateWatchlistTimestamp() into
the EnotifNotifyJob class to avoid query timeouts.
Change-Id: I8ceaa42cdcfe3ad00a26368be6a73052be329045

Call `session_cache_limiter( 'private, must-revalidate' );` before
starting a session to specify the cache control headers that PHP will
automatically emit. The calls are wrapped in MediaWiki\quietCall to
suppress "headers have already been sent" warnings that may come from PHP.
If not called explicitly, PHP will default to using
the value of the session.cache_limiter ini setting. Some values of that
setting will cause PHP to add a "Pragma: no-cache" header to the
response. Certain user agents (e.g. Firefox) treat that particular
header as a signal to aggressively flush the response from local cache
to the point that back button navigation will not work.
The value used was present in `wfSetupSession` prior to a73c5b7.
Bug: T124510
Change-Id: I942f8420c39c8cec5781ea8f6cc5619fd15f13cd

It's not guaranteed that loadSessionFromStore() will succeed after
whatever alterations the SessionProvider might have made later in the
request.
So instead, let's make a new global object that stores the SessionId
of the persistent session that was loaded during Setup.php, if any. Then
we can check that when we need to know whether the session was
persisted.
Bug: T124468
Change-Id: I1e8e616c83b16aadd86b0a0a40826d40f6e8abe4

SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.
While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.
For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.
Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72

Follow-up to a4a3d04540.
Unlikely to be a security problem, as $2 generally has to
appear somewhere before $1 in this config option.
Bug: T48998
Change-Id: I08788713d9bd7c4c8d81479c18b5a404997a778d

Instead of relying on the global $wgRequest, which probably isn't initialized
so far, create the request object when RequestContext::getRequest() is called
the first time.
Change-Id: I6115ba44e474619d02d456a103758fe73ed298e0

Previously, logged-out users either only saw "Create account" and "Log in"
links in the personal area, or if $wgShowIPinHeader was true, they saw
[icon] 127.0.0.1 Talk for this IP address Create account Log in
where the IP address itself linked to the IP user page.
Now, logged-out users by default see the following:
[icon] Not logged in Talk Contributions Create account Log in
The old $wgShowIPinHeader feature is removed. It is very unfriendly to
show the user's IP address (in red, no less) at the top of every page,
since this will mean nothing to most visitors. Caching means that this
can't even be done reliably, anyway.
Another improvement is that the "talk" and "contributions" links are not
shown if anonymous users don't have the 'edit' right.
Modelled after the loggedOutTalkPage() function at Dutch Wikipedia
<https://nl.wikipedia.org/w/index.php?oldid=44706954>
Bug: T112724
Change-Id: I6f44e3e5d97ea917e4a03af47f3795792e4ca122

Remove the backwards compatibility shims for $wgRateLimitLog which was
deprecated in 1.23 (I86131c4).
Change-Id: I771bbaff43b44d011bff81ddda4f35166ea5f77e

When a relative URL is used in $wgArticlePath, and $wgArticlePath does not
start with a slash (/), raise FatalError.
Bug: T48998
Change-Id: Ic7cd6f774cff97081f4f35af351161170b4b26eb

In HHVM, the settings 'upload_max_filesize' and 'post_max_size' are
not available via ini_get() due to some long-standing bug
(https://github.com/facebook/hhvm/issues/4993). Instead, one can use
'hhvm.server.upload.upload_max_file_size' and 'hhvm.server.max_post_size'
(in a typical PHP fashion, their names are subtly different than the
originals as to increase the potential for confusion).
Added a new method UploadBase::getMaxPhpUploadSize() to handle this.
Additionally:
* 'post_max_size' can be set to 0, which is equivalent to no limit.
Handle this correctly.
* $wgMaxUploadSize can be an array structure, instead of just a number.
Handle this correctly by using UploadBase::getMaxUploadSize().
* When no maximum is set, use PHP_INT_MAX rather than 1e100. It should
be big enough, and the latter is a float, results in 0 when cast to
int, and doesn't look as pretty when formatted in GB in the interface.
Bug: T116347
Change-Id: Idf707253eeae1b90792a7e26d2ab66d1317e67ae

The configuration, tested on wiki.wikimedia.it, generally improves
performance for all parties involved.
Bug: T114098
Change-Id: I76a34e8782908a28523531b2a928ea4ef7710b19

This fixes a few shortcomings in the chunked uploader:
* Raises an error if offset + chunksize > filesize.
* Enforces a minimum chunk size for non-final chunks.
* Refuses additional chunks after seeing a final chunk.
* Status of a chunked upload in progress is now available with
'checkstatus'.
Bug: T91203
Bug: T91205
Change-Id: I2262db1bc8460616b069c564475d2e4148001768
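
The three chunk checks listed in the commit message above, as an added sketch that is not MediaWiki's own code. The class, method and constant names are hypothetical, the minimum chunk size is a constructed value, and in-order arrival of chunks is an assumption of the sketch.

```php
<?php
declare( strict_types=1 );

/**
 * Illustrative only: all names here are hypothetical and the minimum
 * chunk size is a constructed value, not one taken from MediaWiki.
 */
final class ChunkedUploadState {
	private const MIN_CHUNK_SIZE = 1024; // assumed value, in bytes

	private int $fileSize;
	private int $received = 0;
	private bool $finalSeen = false;

	public function __construct( int $fileSize ) {
		if ( $fileSize <= 0 ) {
			throw new InvalidArgumentException( 'filesize must be positive' );
		}
		$this->fileSize = $fileSize;
	}

	/** Validate one chunk's declared offset and size before storing it. */
	public function acceptChunk( int $offset, int $chunkSize ): string {
		if ( $this->finalSeen ) {
			throw new RuntimeException( 'final chunk already seen; extra chunk refused' );
		}
		if ( $offset < 0 || $chunkSize <= 0 ) {
			throw new RuntimeException( 'offset must be >= 0 and chunk size > 0' );
		}
		// Subtract rather than add, so huge client-supplied values cannot
		// overflow the integer range before the comparison happens.
		if ( $chunkSize > $this->fileSize - $offset ) {
			throw new RuntimeException( 'offset + chunksize exceeds filesize' );
		}
		// Assumption of this sketch: chunks arrive in order, with no gaps or overlap.
		if ( $offset !== $this->received ) {
			throw new RuntimeException( "expected offset {$this->received}" );
		}
		$isFinal = ( $offset + $chunkSize === $this->fileSize );
		if ( !$isFinal && $chunkSize < self::MIN_CHUNK_SIZE ) {
			throw new RuntimeException( 'non-final chunk below minimum size' );
		}
		$this->received += $chunkSize;
		$this->finalSeen = $isFinal;
		return $isFinal ? 'complete' : 'continue';
	}
}

// Constructed sample: a 3000-byte file, chunks given as [ offset, size ].
$upload = new ChunkedUploadState( 3000 );
$chunks = [ [ 0, 2048 ], [ 2048, 10 ], [ 2048, 2000 ], [ 2048, 952 ], [ 3000, 1 ] ];
foreach ( $chunks as [ $offset, $size ] ) {
	try {
		echo "$offset+$size: ", $upload->acceptChunk( $offset, $size ), "\n";
	} catch ( RuntimeException $e ) {
		echo "$offset+$size: rejected ({$e->getMessage()})\n";
	}
}
```
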
* The '.php5' entrypoints were deprecated in I68b1ae842, $wgScriptExtension
in I3690f78bc.
* Drop the associated ResourceLoader configuration variable, too. `mwgrep`
shows no usage in the MediaWiki namespace.
* Keep the scriptExtension configuration parameter for FileRepo for people who
would like to interoperate with older MediaWiki installations that still use
'.php5'.
Change-Id: I17c8a15484b7e82cd5970d34e688109a2aae3840

In previous versions, the installer often outputted the following
in the generated LocalSettings.php:
> $wgEmergencyContact = '';
> $wgPasswordSender = '';
While this case did not result in providing default values in recent
MediaWiki versions, the mail handling didn't cause an error.
As of MediaWiki 1.25, the error handling is more strict and these
values being empty causes a fatal error and breaks all outgoing mail.
Bug: T104142
Change-Id: Ibf1f857b2f250dac9b725aff8f442e08b8ecd5c9

This makes re-configuring these much easier by only needing to update
one variable instead of four.
Also remove redundant hardcoding of wgStylePath and wgResourceBasePath
in the generated LocalSettings.php file during installation. This way
changing wgScriptPath will naturally result in the other variables
updating too. We already do this for many other variables (such as
wgLoadScript, wgScript, wgExtensionAssetsPath, etc.).
Change-Id: Ide74355b4054c78214c17f3b2d6fa2f5270e0ab9

Update the ParsoidVirtualRESTService and the
RestbaseVirtualRESTService to use Parsoid's v3 API, instead of the
deprecated v1/v2 APIs. Since Visual Editor still issues requests
using the Parsoid v1 API, convert Parsoid v1 API requests into Parsoid
v3 API requests when needed for a smooth transition. We also add
support for converting RESTBase v1 API requests to Parsoid v3 API
requests.
The next step will be to convert Visual Editor to issue RESTBase v1
API requests (https://gerrit.wikimedia.org/r/217995), and then the
Parsoid v1 conversion code added here can be removed (T100681).
Tested Parsoid v1->v3 conversion, Parsoid v1->RESTBase conversion,
plus Parsoid v3 and RESTBase v1->Parsoid v3 conversion using VE
patched to issue RESTBase v1 API requests.
Bug: T100681
Change-Id: I07ac60cdec7a52ef93187d40099325a069e3239a

Instead of littering includes/ with stub back-compat aliases, house such
classes in includes/compat/.
Change-Id: I4c1b83e35c8d6c18777a4a3e17d81023915cfb7f

Alternatively, removing this completely might surface the issue for users
more quickly. Without this change, resolving {T74420} becomes more of an issue.
Bug: T74420
Change-Id: Ib2dc9ed56a945acb06b64f3b85ff07ac2a6b7600
(cherry picked from commit 6b4d6662b5b5005bb84f4c5e6315288611bf57f1)

- Removed space after casts
- Removed spaces in array index
- Added spaces around string concat
- Added space after words: switch, foreach
- else if -> elseif
- Removed parentheses around require_once, because it is not a function
- Added newline at end of file
- Removed double spaces
- Added spaces around operations
- Removed repeated newlines
Bug: T102609
Change-Id: Ib860222b24f8ad8e9062cd4dc42ec88dc63fb49e

wfSuppressWarnings() and wfRestoreWarnings() were split out into a
separate library. All usages in core were replaced with the new
functions, and the wf* global functions are marked as deprecated.
Additionally, some uses of @ were replaced due to composer's autoloader
being loaded even earlier.
Ie1234f8c12693408de9b94bf6f84480a90bd4f8e adds the library to
mediawiki/vendor.
Bug: T100923
Change-Id: I5c35079a0a656180852be0ae6b1262d40f6534c4

Make password policies defined in a configurable policy, which is
defined by group. A user's password policy will be the maximum of
each group policy that the user belongs to.
Bug: T94774
Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
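
The "maximum of each group policy" rule described in the commit message above, as an added sketch that is not MediaWiki's own code. The function names, group names, setting names and values are all hypothetical and constructed for illustration.

```php
<?php
declare( strict_types=1 );

// Constructed sample configuration: group names, setting names and values
// are hypothetical and are not MediaWiki's defaults.
const POLICIES = [
	'default' => [ 'minLength' => 1, 'cannotMatchUsername' => false ],
	'sysop' => [ 'minLength' => 8, 'cannotMatchUsername' => true ],
	'bureaucrat' => [ 'minLength' => 10 ],
];

/** Merge group policies, keeping the strictest (largest) value per setting. */
function effectivePolicy( array $policies, array $groups ): array {
	$effective = $policies['default'] ?? [];
	foreach ( $groups as $group ) {
		// A group without its own policy contributes nothing.
		foreach ( $policies[$group] ?? [] as $setting => $value ) {
			// Integers compare numerically and true > false, so max() never
			// lets membership in a lax group weaken a stricter one.
			$effective[$setting] = isset( $effective[$setting] )
				? max( $effective[$setting], $value )
				: $value;
		}
	}
	return $effective;
}

/** Return the names of the settings that $password violates. */
function policyViolations( array $policy, string $username, string $password ): array {
	$failed = [];
	// strlen() counts bytes, which is enough for the ASCII sample below.
	if ( strlen( $password ) < ( $policy['minLength'] ?? 0 ) ) {
		$failed[] = 'minLength';
	}
	if ( ( $policy['cannotMatchUsername'] ?? false )
		&& strtolower( $password ) === strtolower( $username )
	) {
		$failed[] = 'cannotMatchUsername';
	}
	return $failed;
}

// Group order must not change the outcome, and adding a group can only tighten it.
$memberships = [ [], [ 'sysop' ], [ 'bureaucrat', 'sysop' ], [ 'sysop', 'bureaucrat' ] ];
foreach ( $memberships as $groups ) {
	$policy = effectivePolicy( POLICIES, $groups );
	$failed = policyViolations( $policy, 'Example', 'example' );
	printf(
		"%-20s %s -> %s\n",
		implode( ',', $groups ) ?: '(none)',
		json_encode( $policy ),
		$failed ? implode( ',', $failed ) : 'ok'
	);
}
```
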
Also sets default paths immediately (not in Setup.php) so
they are available before extensions register.
Bug: T98319
Change-Id: I41a8aec7a3e9c576ec7344abf51f8106248ade4b

The lowest commonly supported length is a bit over 2000. That is the limit of
Internet Explorer. For discussion of the IE limit see
http://blogs.msdn.com/b/ieinternals/archive/2014/08/13/url-length-limits-in-internet-explorer.aspx .
Some servers only support 4k.
Having it unlimited does not work when running qunit jenkins test jobs of the
Wikibase extension or when running its qunit tests in vagrant, because it hits
the nginx limit.
This also adds a mw.track call for when the request split happens.
Bug: T90453
Change-Id: Ic416def846f361425c46f7bd1022ed85fa8ac85e

Instead of instantiating this on every single request. Removes
wfGetLangConverterCacheStorage() and $wgLangConvMemc which were
otherwise unused.
Change-Id: Ic500944a92c2a94bc649e1b492c33714d81dca00

Added 1.5x and 2x-density variants of the 'Powered by MediaWiki' footer
icon, built from this SVG version on Commons:
https://commons.wikimedia.org/wiki/File:Powered_by_MediaWiki.svg
Note the SVG version is too large to use directly right now as it
contains a huge amount of detail; the PNGs are only a few KiB.
Renderings from Commons taken and run through pngcrush.
Note that adding 'srcset' attributes to footer icons appears to work
just fine here, so can be done for others.
Bug: T65872
Change-Id: I785d21add456eeddb6ed1ee36a1906d178323e63

Introduces wfLoadExtension()/wfLoadSkin() which should be used in
LocalSettings.php rather than require-ing a PHP entry point.
Extensions and skins would add "extension.json" or "skin.json" files
in their root, which contains all the information typically
present in PHP entry point files (classes to autoload, special pages,
API modules, etc.) A full schema can be found at
docs/extension.schema.json, and a script to validate these to the
schema is provided. An additional script is provided to convert
typical PHP entry point files into their JSON equivalents.
The basic flow of loading an extension goes like:
* Get the ExtensionRegistry singleton instance
* ExtensionRegistry takes a filename, reads the file or tries
to get the parsed JSON from APC if possible.
* The JSON is run through a Processor instance,
which registers things with the appropriate
global settings.
* The output of the processor is cached in APC if possible.
* The extension/skin is marked as loaded in the
ExtensionRegistry and a callback function is executed
if one was specified.
For ideal performance, a batch loading method is also provided:
* The absolute path name to the JSON file is queued
in the ExtensionRegistry instance.
* When loadFromQueue() is called, it constructs a hash
unique to the members of the current queue, and sees
if the queue has been cached in APC. If not, it processes
each file individually, and combines the result of each
Processor into one giant array, which is cached in APC.
* The giant array then sets various global settings,
defines constants, and calls callbacks.
To invalidate the cached processed info, by default the mtime
of each JSON file is checked. However that can be slow if you
have a large number of extensions, so you can set $wgExtensionInfoMTime
to the mtime of one file, and `touch` it whenever you update
your extensions.
Change-Id: I7074b65d07c5c7d4e3f1fb0755d74a0b07ed4596

We've already broken profiling completely in this release. Make
this abundantly clear in the RELEASE-NOTES and just remove the
awful back-compat attempt from I2af28cd3 and I49c0a83e.
Change-Id: Ib0b87192e2a6e87db19f7821906dd7b2063081e3

The API output for help and 'fm' formats will soon have need of
including ResourceLoader modules on an otherwise-bare page. The easiest
way to do this is to use OutputPage, but that requires a skin. So let's
add a skin that outputs a basic page without any navigation elements or
other chrome (that may be added later, but that can wait for Design to
decide they want to design it).
Change-Id: Ifa95fae5acaa3cfbf2ca58a15f8d0c51d84b455a

The problem here is that the path to 'wiki.png' is saved in users'
LocalSettings.
We likely should not remap the path, like we did for footer license
icons in Ic7c32e56:
* It's likely that users changed their logo image by overwriting the
file in skins/common/.
* If the normal upgrade process is followed (overwrite-uploading new
files), the old file will still be there with the skins/common/
directory.
* If it does cause problems, they'll be rather easy to notice and fix.
On the other hand, maybe we should?
* This is going to be annoying for git users.
* It will bite anyone who deletes all MediaWiki files when upgrading
via tarball, which is more likely with the recent skin system
changes encouraging users to remove old cruft from skins/ directory.
Bug: 69277
Change-Id: I175fe57048ebf9d348fb2fe67bf62cf5df389003

Bonus: actually make $wgResourceBasePath default to $wgScriptPath, rather than
special-casing it in ResourceLoaderFileModule.
Change-Id: I608435cef00d3e77a5bbdb0a0122d3e7e1a4eb78

While it's "semantically" incorrect (these files are not
ResourceLoader resources), putting them in that subdirectory is a lot
less hassle than introducing a new toplevel directory.
Follow-up to 2b4b9a3f. Discussion that resulted in the toplevel
assets/ took place on I6268d663 (now abandoned).
Change-Id: Iedbfd802457fe35803899e3479540177760ec30b

poweredby_mediawiki_88x31.png is straightforward, just need to update
some paths.
The six license icons are more problematic, as the paths to them are saved
in users' LocalSettings. We're remapping them in Setup.php.
Bug: 69277
Change-Id: Ic7c32e56043cfbf94ef2271de4ff41ef18fbeee7

- Added space after reserved words: function, foreach, if
- Combined 'else if' into elseif
- Added braces to one-line statements
- Added spaces after comma, before parentheses
Change-Id: Ie5bbf680d6fbe0f0872dab2700c16b1394906a72

Callers should instead use DeferredUpdates::addUpdate. The
function is superior because it is able to enforce type-hinting
rather than throwing a fatal error. Also it's not a global :)
The only extension still using the global is FlaggedRevs,
for which I've submitted I1a7c6540b2.
Change-Id: Ic59c90c0d0131039295bd785280dc70ebde6e40f

Since this doesn't rely on functions defined in GlobalFunctions.php,
this can be in the first "defaults" section of the file.
Change-Id: I24f1a14322d90d053adf51716516001477364e16

This feature was necessary when it was only possible to specify the
name of the class a skin used; this was the only way for one class to
dynamically serve multiple skins (such as if the skins were purely
template based with no PHP or if one skin had different themes to it).
It also provided an option for other skins to set $this->skinname dynamically.
See code review on I5c442f3c9e.
Change-Id: I7315fadf2e26d164ccc4f47b6d883945fa2570da

Removing the hack added in Ib4bdda5e.
This will cause an error message to be shown to almost every MediaWiki
user who upgrades their installation (including us developers) until
they add entries for their skins to LocalSettings. This is deemed an
acceptable trade-off, and the message makes it easy to resolve the
issue.
Bug: 68402
Change-Id: I2596ef73088ce94d78ce3dc3ae4da9d81023a2cb

It just displays a helpful message that explains why and how to
install and enable skins. There is no navigation nor other basic page
elements (like the logo or site notice), since this is not intended to
be a fully functional skin.
Bug: 68332
Change-Id: Id14fbb8733cd8fbb912a724ac658f5e7244364b5

- Move the overrides of e-mail settings along with other
configuration corrections instead of being near global object
definitions
- Also force $wgUseEnotif to false if $wgEnableEmail;
previously it could remain true since $wgEnotifUserTalk
and $wgEnotifWatchlist were forced to false after they
were checked to set $wgUseEnotif
- Also put the removal of 'enotifminoredits' preference nearby
Change-Id: I9af6bb78d34ce053fc36eaa7cc3852de3ecbee8e

- Removed spaces after not operator (!)
- Removed spaces inside array index
- use tab as indent instead of spaces
- Add newline at end of file
- Removed spaces after casts
Change-Id: I9ba17c4385fcb43d38998d45f89cf42952bc791b

Depending on the configuration used in LocalSettings.php, $IP can be
changed between the time that configuration is loaded and the wiki
runtime by logic in WebStart.php. Attempt to mitigate the effects of
such changes on the cache file name computation by canonicalizing both
$IP and the path using PHP's realpath() function.
Related but distinct is the possible need to configure the canonical
location for finding cache files on disk separately from
$wgCacheDirectory. This change introduces a new configuration variable
named $wgGitInfoCacheDirectory that can be set to a path that diverges
from the default location of $wgCacheDirectory/gitinfo. This will be
useful in the WMF cluster where $wgCacheDirectory points to a directory
that is not managed by the deployment system.
Finally, add wfDebugLog logging to make tracking down issues such as
miscomputed cache paths easier.
Bug: 53972
Change-Id: Iceb9e1ce8d3b4bb08f89fa6ec5d5e7392aaafd46

Some of the setup code in some of the configurations apparently depends
on all extensions and skins being already required by the point
Setup.php is being loaded. We ran into issues with LocalisationCache.
Bug: 67318
Change-Id: Idde13c2e835a9969593a4716a62b392d4c1388d6

Special page PageLanguage to set the page language of a page.
To enable the feature, set $wgPageLanguageUseDB to true
and assign the 'pagelang' user right to a user group.
Bug: 35489
Change-Id: I0f82b146fbe948f917c1c5d29f7469644d797e80

This makes it behave exactly like a custom skin.
* Renamed directory to reflect skin name.
* Split skin classes to separate PHP files.
* Removed core autoloader entries for skin classes.
* Changed the hack in Setup.php to require_once the skin PHP file, as
the skin is now registered there.
* Extracted skin-specific localisation messages.
* Extracted skin-specific resources.
Change-Id: Ife9926d12b6baaa84cd2aa9a415f1183415863c8

This makes it behave exactly like a custom skin, with the caveat that
it is still hardcoded in several places :(, most notably lots of
skinStyles in Resources.php, the installer and some tests.
* Renamed directory to reflect skin name.
* Split skin classes to separate PHP files.
* Removed core autoloader entries for skin classes.
* Changed the hack in Setup.php to require_once the skin PHP file, as
the skin is now registered there.
* Extracted skin-specific localisation messages.
* Extracted skin-specific resources. Did not touch skinStyles yet.
* Hacked up the installer not to fall over entirely if Vector is
missing.
* Adjusted hardcoded paths in some more places...
Change-Id: Idfffc1430790b3a104cc9835a6367137bcbf0e4e

Step one on the way to killing the autodiscovery mechanism and making
the core skins less intertwined with core.
This only moves the files and fixes hardcoded paths throughout core.
Any further changes will be done in separate patch(es).
Moved files:
* skins/MonoBook.php → skins/monobook/MonoBook.php
* skins/Vector.php → skins/vector/Vector.php
Bug: 65748
Change-Id: Ib4bdda5ed3c133fce0113eb17fa39950aa812f87