Commit graph

1348 commits

Author SHA1 Message Date
Kunal Mehta
6e9b4f0e9c Convert all array() syntax to []
Per wikitech-l consensus:
 https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html

Notes:
* Disabled CallTimePassByReference due to false positives (T127163)

Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 01:33:00 -08:00
Kevin Israel
94e5b80fee Remove references to safe_mode INI setting
The feature no longer exists starting in PHP 5.4.0, and MediaWiki
now only supports PHP 5.5.9 or newer.

Change-Id: I3f2d1b564c50f0a28ec1ec0abd7d1b242e26953b
2016-02-12 19:18:26 -05:00
Reedy
bc23d6c490 We support 5.5.9...
Change-Id: I6ef6a21e6f5cd9cdd82227f100eb89a9f6122d98
2016-02-11 20:54:09 +00:00
Ricordisamoa
15d3b2b1f5 Remove gzdecode() polyfill from includes/GlobalFunctions.php
Unnecessary since PHP 5.4.0

Change-Id: I8423b792488e3b3326ef9b702f1b84c9a2137952
2016-02-11 19:01:40 +00:00
Bryan Davis
514725e7fe Disable automatic cache headers associated with starting a session
Follow up to 7491b52. The 'private, must-revalidate' argument to
session_cache_limiter() does not match any expected values for the
function. This results in the PHP runtime treating it like the
documented empty string argument which completely disables the automatic
addition of cache related headers. Change the implementation to use the
empty string argument explicitly rather than continuing to rely on
the undocumented and potentially confusing existing behavior.

session_cache_limiter( '' ) is called unconditionally in
MediaWiki\Session\PHPSessionHandler::install(). This is safe now that it
is understood that we are disabling the setting of the automatic
headers.

Bug: T124510
Change-Id: I63164f8b7a408e370ff01dead42be27a0135dd35
2016-02-03 21:45:28 +00:00
Brad Jorsch
2257fe4228 Revert "Remove SessionManager, temporarily"
This reverts commit 823db5d63dd5200d04c63da50ba6bf16f928e70b.

Change-Id: Ibb3e023e4eb6715295586dea87d0725c344a8271
2016-02-03 21:44:59 +00:00
Brad Jorsch
5083e810eb Remove SessionManager, temporarily
The plan here is to take it out of 1.27.0-wmf.12 and put it back in
1.27.0-wmf.13.

Since BotPasswords depends on SessionManager, that's getting temporarily
removed too.

This reverts the following commits:
* 6acd424e0d SessionManager: Notify AuthPlugin before calling hooks
* 4d1ad32d8a Close a loophole in CookieSessionProvider
* fcdd643a46 SessionManager: Don't save non-persisted sessions to backend storage
* 058aec4c76 MessageCache: Don't get a ParserOptions for $wgUser before the end of Setup.php
* b5c0c03bb7 SessionManager: Save user name to metadata even if the user doesn't exist locally
* 13f2f09a19 SECURITY: Fix User::setToken() call on User::newSystemUser
* 305bc75b27 SessionManager: Don't generate user tokens when checking the tokens
* 7c4bd85d21 RequestContext::exportSession() should only export persisted session IDs
* 296ccfd4a9 SessionManager: Save 'persisted' flag in session metadata
* 94ba53f677 Move CSRF token handling into MediaWiki\Session\Session
* 46a565d6b0 Avoid false "added in both Session and $_SESSION" when value is null
* c00d0b5d94 Log backtrace for "User::loadFromSession called before the end of Setup.php"
* 4eeff5b559 Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
* 7491b52f70 Call session_cache_limiter() before starting a session
* 2c34aeea72 SessionManager: Abstract forceHTTPS cookie setting
* 9aa53627a5 Ignore auth cookies with value 'deleted'
* 43f904b51a SessionManager: Kill getPersistedSessionId()
* 50c5256352 SessionManager: Add SessionBackend::setProviderMetadata()
* f640d40315 SessionManager: Notify AuthPlugin when auto-creating accounts
* 70b05d1ac1 Add checks of $wgEnableBotPasswords in more places
* bfed32eb78 Do not raise a PHP warning when session write fails
* 722a7331ad Only check LoggedOut timestamp on the user loaded from session
* 4f5057b84b SessionManager: Change behavior of getSessionById()
* 66e82e614e Fix typo in [[MediaWiki:Botpasswords-editexisting/en]]
* f9fd9516d9 Add "bot passwords"
* d7716f1df0 Add missing argument for wfDebugLog
* a73c5b7395 Add SessionManager

Change-Id: I2389a8133e25ab929e9f27f41fa9a05df8147a50
2016-02-01 22:06:49 +00:00
Florian
15c2401d0c wfMsgReplaceArgs: Don't use count(), if the actual amount of entries isn't needed
The only use of the return value of count() is to check if the array is empty or
not. This can be done in an easier way and a bit more performant, especially for
large arrays.

Change-Id: If119ead9230ba1783b8c853c18c379f174910e51
2016-01-30 21:31:08 +00:00
Bryan Davis
7491b52f70 Call session_cache_limiter() before starting a session
Call `session_cache_limiter( 'private, must-revalidate' );` before
starting a session to specify the cache control headers that PHP will
automatically emit. The calls are wrapped in MediaWiki\quietCall to
suppress "headers have already been sent" warnings that may come from PHP.

If not called explicitly PHP will default to using
the value of the session.cache_limiter ini setting. Some values of that
setting will cause PHP to add a "Pragma: no-cache" header to the
response. Certain user agents (e.g. Firefox) treat that particular
header as a signal to aggressively flush the response from local cache
to the point that back button navigation will not work.

The value used was present in `wfSetupSession` prior to a73c5b7.

Bug: T124510
Change-Id: I942f8420c39c8cec5781ea8f6cc5619fd15f13cd
2016-01-25 11:23:14 -07:00
Tim Starling
b7e65e555a Improve wfTempDir() fallback sequence
Validate the return value of sys_get_temp_dir(), and use upload_tmp_dir
if that is not writable. If nothing is writable, throw an exception.

Bug: T119934
Change-Id: I27d784f55c47277bbab1192853e2e04a9d8bd39a
2016-01-21 06:15:20 +00:00
jenkins-bot
a7f35b7859 Merge "Deprecate wfWaitForSlaves() with LBFactory::waitForReplication()"
2016-01-20 00:10:39 +00:00
Brad Jorsch
a73c5b7395 Add SessionManager
SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.

While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.

For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.

Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72
2016-01-12 21:57:01 +00:00
Florian
1ea4f23b05 Finally: wfMsg*() was removed
With the great help of:
@reedy <reedy@wikimedia.org>
@MtDu <justin.d128@gmail.com>
@Unicornisaurous <crazy4sb@gmail.com>
@Victorbarbu <victorbarbu08@gmail.com>

and anyone I forgot (sorry), we did our best to find and replace any usage
of the remaining extensions, that use these functions (as you can follow in
the linked task).

Now, finally, these functions were removed from MediaWiki :)

Bug: T70750
Change-Id: Ie9e3d247bf6ab1234ff4f11383d5a4fdf7563397
2016-01-05 15:10:23 -08:00
Florian
08478f550b Remove wfMsgNoTrans()
Bug: T70750
Change-Id: Ie8ac70454778b1af7f9dc7026e6dd9749c2abae0
2016-01-03 21:42:56 +01:00
Reedy
872d5a4739 wfMsgForContentNoTrans() was removed
Bug: T70750
Change-Id: I295b451ecbf765d4c10d90a8373a96b88b8f4115
2016-01-03 00:41:36 +00:00
Florian
6c70a2e5b2 Remove wfCheckLimits
Change-Id: Iae5614a82681317afd1b96bc9ab1709fa3588539
2016-01-03 00:01:29 +01:00
Reedy
389fcbe134 wfEmptyMsg() was removed
Bug: T70750
Change-Id: I8c641f5698da2b1ad18d3285b5705d3fe9a3e655
2016-01-02 17:00:21 +00:00
Bryan Davis
459c0e28bf Exclude debug log events marked "private" from MWDebug
Respect the "private" context variable for debug log events when passing
events from MediaWiki\Logger\LegacyLogger to MWDebug::debugMsg. Passing
debug log events marked as private to MWDebug was a regression
introduced by the PSR-3 logging system.

Restore handling of $dest argument to wfDebug which was removed in 1.25
with the PSR-3 logging conversion. The documentation for $dest = 'log'
has also been removed. This third debug log event handling option was
not implemented in the PSR-3 logging conversion in 1.25. A follow up
change will remove known usage of $dest = 'log' in core.

Bug: T122644
Change-Id: Ib1d999b8b54e584e3944b46e9163a700f11c2e72
2015-12-30 13:01:37 -07:00
Aaron Schulz
fedfee628c Deprecate wfWaitForSlaves() with LBFactory::waitForReplication()
This has a cleaner interface and makes failure more explicit

Change-Id: I5480845196383df85ba7538e15e507fa1b64948a
2015-12-22 21:05:44 -08:00
Ori Livneh
d8964a05fe Remove wfIsConfiguredProxy(), deprecated since 1.24
No usage:
https://github.com/search?utf8=%E2%9C%93&q=%40wikimedia+wfisconfiguredproxy&type=Code&ref=searchresults

Change-Id: I3c1e1d00b93320cde9b39c183174e7a495f03854
2015-12-13 22:27:26 +00:00
Ori Livneh
70803a8fe1 Remove wfDebugTimer(), deprecated in 1.25
No remaining usage:
https://github.com/search?utf8=%E2%9C%93&q=%40wikimedia+wfDebugTimer&type=Code&ref=searchresults

Change-Id: I7b6516f82344f98aaec04bc3af3c208b63169a77
2015-12-13 22:26:34 +00:00
Ori Livneh
cd78210ee7 Remove wfIsTrustedProxy(), deprecated since 1.24
No usage outside of core:
https://github.com/search?utf8=%E2%9C%93&q=%40wikimedia+wfIsTrustedProxy&type=Code&ref=searchresults

Change-Id: I86439a772e036dcd5ebdd8b16010c7bacfd9463b
2015-12-13 22:07:41 +00:00
Ori Livneh
c0238a6b76 Remove wfGetIP(), deprecated since 1.19
No remaining usage:
https://github.com/search?q=%40wikimedia+wfGetIP&type=Code&utf8=%E2%9C%93

Change-Id: I3b8f4b034e23a56f586993549cc5460b28bf6fa7
2015-12-13 22:05:24 +00:00
Aaron Schulz
6af3c39c07 Replace "squid" with "CDN" in various comments
Change-Id: Idcc528daf28e119349155d36e30a9bcf61b2e7d5
2015-12-09 17:35:37 -08:00
jenkins-bot
a57d441fe7 Merge "Fix phpdoc of wfArrayToCgi"
2015-12-07 20:40:00 +00:00
addshore
d50ca32803 Fix phpdoc of wfArrayToCgi
Change-Id: I87db5c251310f6f56f0ec47cbb7f034ed43c31ac
2015-12-05 20:07:03 +01:00
Timo Tijhof
fbab4fecef tests: Clean up use of mt_rand()
* ApiQueryTest: One random is enough.

* FileBackendTest: More consistent and idiomatic via wfRandomString()

* MigrateFileRepoLayoutTest: Use getNewTempDirectory(). Similar to
  what FileBackendTest used already.
* UploadFromUrlTestSuite: Use getNewTempDirectory().

Change-Id: I772de2134be41506d8ed08367be8c18f354bfc72
2015-12-03 13:45:55 +00:00
Reedy
a916a25607 Mark wfBaseConvert() as deprecated.
Change-Id: I7c258d0844665dea8f93cce3d8dcf617c961c5f9
2015-11-24 23:13:28 +00:00
Timo Tijhof
41b5aa343f Remove redundant escaping for namespace references in documentation
Follows-up b264cee. No longer needed as of 0c9e9cc.

Change-Id: I31745f55885eeec2bb8cf2c9ffe9e98242cd5baa
2015-11-23 23:02:32 +00:00
jenkins-bot
0183ae1453 Merge "Allow passing detailed permission errors data to API"
2015-11-04 22:38:47 +00:00
Aaron Schulz
17c91ad610 Replace newAccelerator() with getLocalServerInstance()
The name is clearer and more consistent, with simpler arguments.

Change-Id: I7205a99ce033e8b086a52cd02c8a721e99c84b1e
2015-11-02 21:39:08 +00:00
Bartosz Dziewoński
92c29b8891 Allow passing detailed permission errors data to API
Using the new system introduced in
1c57794e37 (see T47843).

This change allows Title::getUserPermissionsErrors() to include
MessageSpecifiers instead of string message keys in its return value.
This doesn't seem to have any bad effects, and should work seamlessly as
long as callers aren't trying to do anything stupid and just pass the
value to PermissionsError or OutputPage::showPermissionsErrorPage()
or wfMessage() or some such.

If the callers *are* trying something stupid, nothing worse than
duplicated or otherwise less-than-perfect error messages (in code
which tries to handle some message keys specially) should happen.
(I fixed wfMergeErrorArrays(), but who knows what else lurks in all
this code.) Any problems should only affect new-style errors using
MessageSpecifier, though.

Since MessageSpecifiers tend to be stringable, we probably won't get
fatals, but might get incorrect checks. Should we try to log this
happening somehow?

Goes with I42a0c5b0ea7e61088dd609b764dd7d1396c60cd5 in TitleBlacklist.

Bug: T115258
Change-Id: I1334ba21a2862973a9d8ff5be2c9bec06a82698b
2015-11-02 17:11:50 +01:00
Kunal Mehta
525dd55065 Add and use wikimedia/base-convert 1.0.1
Change-Id: I3ae56e761ef6fb2b2d506bc2990b97f57183ccf1
2015-10-30 00:53:46 +00:00
Aaron Schulz
52010e6d21 Make DB handles inherit configured read-only mode
LBFactory inherits $wgReadOnly, the LBs inherit
any LBFactory read only mode, and Database objects
inherit any LB read-only mode.

Add some methods callers can use to check if
a DB/LB handle is read-only before trying writes.

Additionally:
* Fix 5ec1e47475 regression where readOnlyBySection
  read-only mode would not affect wfReadOnly() but only
  lagged-slave read-only mode for LBFactoryMulti.
* Catch errors when getLaggedSlaveMode() is called after
  master connection and object is established.
* Make getLaggedSlaveMode() a no-op if there are no slaves.
* Make string/false logic for read-only consistent everywhere.
* Remove mLaggedSlaveMode "m" prefix.

Change-Id: Ice3224caae564aa5ffb41b424c23d1593229117a
2015-10-20 23:27:14 +00:00
Aaron Schulz
cb862afaf3 Rename getMainClusterInstance() -> getLocalClusterInstance()
Also corrected some ObjectCache docs

Change-Id: I322f4cbd72fbd5d4c6887d90ee75d0baddb6ac25
2015-10-20 00:26:21 +00:00
jenkins-bot
7436cd31a2 Merge "Add makeKey and makeGlobalKey to BagOStuff"
2015-10-17 01:06:12 +00:00
csteipp
59b627b0b7 SECURITY: API: Improve validation in chunked uploading
This fixes a few shortcomings in the chunked uploader:
* Raises an error if offset + chunksize > filesize.
* Enforces a minimum chunk size for non-final chunks.
* Refuses additional chunks after seeing a final chunk.
* Status of a chunked upload in progress is now available with
  'checkstatus'.

Bug: T91203
Bug: T91205
Change-Id: I2262db1bc8460616b069c564475d2e4148001768
2015-10-16 14:10:44 -07:00
Alex Monk
23f633c5a6 Use the frame 'type' in wfFormatStackFrame, like MWExceptionHandler::prettyPrintTrace
Instead of assuming '::'

Change-Id: I2452bc5ebd3716eb61f53da41a0050f4833fb5a4
2015-10-14 16:40:02 +01:00
Alex Monk
9144554931 Handle $frame['function'] not being set in stack frames
Bug: T115107
Change-Id: I9fbfcd53fbcba1800a924acb1a1702c3c9037cc5
2015-10-14 13:05:29 +00:00
umherirrender
2320f5cfe2 Change some line comments to multi line comments
This allows empty lines inside the comment as found by the
MediaWiki.WhiteSpace.SpaceBeforeSingleLineComment.EmptyComment sniff

Change-Id: Iac155bbda4a84562db2b452baeae9b8973899453
2015-10-14 09:40:50 +02:00
Ori Livneh
6916548490 Add makeKey and makeGlobalKey to BagOStuff
* Add a string `keyspace` member to BagOStuff instances. The default
  implementation, meant for simple key/value stores, treats the key space
  as a string prefix to prepend to keys. By default, its value is `local`,
  but any instance created via ObjectCache::newFromParams() (or one of
  its callers) will have that default to $wgCachePrefix / wfWikiID().
* Add `makeKey` and `makeGlobalKey` methods to the base BagOStuff class.
  These methods are not static to allow for BagOStuff types which require
  a configured instance to know the underlying storage engine's key semantics.
* Make wfMemcKey() and wfGlobalCacheKey() delegate to these methods on the main
  ObjectCache instance.

Change-Id: Ib7fc2f939be3decfa97f66af8c2431c51039905f
2015-10-13 09:32:48 -04:00
Bryan Davis
b264cee6d4 Fix namespaced class references for Doxygen
Doxygen doesn't quite grok PHP's use of the reverse solidus (backslash)
character as a namespace separator. The C++ based parser it uses needs
them to be escaped in comments just as if they were being used in
a literal string context in PHP.

Change-Id: I9aff9dd0fb74a95039da1091c2f247cf71fd085a
2015-10-08 11:10:33 -06:00
Ori Livneh
7628a11d8e Remove .php5 entrypoints and $wgScriptExtension
* The '.php5' entrypoints were deprecated in I68b1ae842, $wgScriptExtension
  in I3690f78bc.
* Drop the associated ResourceLoader configuration variable, too. `mwgrep`
  shows no usage in the MediaWiki namespace.
* Keep the scriptExtension configuration parameter for FileRepo for people who
  would like to interoperate with older MediaWiki installations that still use
  '.php5'.

Change-Id: I17c8a15484b7e82cd5970d34e688109a2aae3840
2015-10-08 15:45:31 +01:00
Aaron Schulz
8a3816529a Apply $wgReadOnly to all file backends
* Also added a wfConfiguredReadOnly() method
  to avoid DB_SLAVE connections

Change-Id: I9e7ec95c4b2f763505166d2345d27abaef6257a3
2015-10-03 00:15:28 +00:00
Aaron Schulz
e055d8abcd Removed wfDataCenter()/wfDataCenter() roles
* Follows-up 0a1c04bea
* The DC name ended up not being used in the cookie,
  making these unused

Change-Id: I5f0d822a334102ee9596b1ec2a8d911010294e7c
2015-10-01 20:00:05 +00:00
Aaron Schulz
0a1c04beae Added $wgDataCenterId/$wgDataCenterRoles
* This is used to set sticky DC cookies to avoid
  session replication lag (which also makes sure
  ChronologyProtector works)

Bug: T91816
Change-Id: I7bc2f8185a3c05cb3ca5ccc42d300eccffae48e1
2015-10-01 00:52:54 -07:00
Aaron Schulz
6e115a7cc1 Optimized wfIsBadImage() redirect check
* Callers end up hitting wfFindFile() anyway, so we
  may as well use/prime the process cache. By trying
  to call checkRedirect() manually, it actually just
  caused an extra memcached query.
* 404 pages are often customized to show various
  icon files from sister sites, so this was taking
  up a significant portion of rendering time.

Change-Id: I7e2a1c6acf853629fcca3a8b3c2c810ebacd2acb
2015-09-27 14:43:39 +00:00
Vivek Ghaisas
c54766586a Fix issues identified by SpaceBeforeSingleLineComment sniff
Change-Id: I048ccb1fa260e4b7152ca5f09b053defdd72d8f9
2015-09-26 23:06:52 +00:00
Aaron Schulz
a607f11f94 Made wfIsBadImage() use APC
* Article 404s spend a large chunk of their time
  there and the method is also hit on page save

Change-Id: I26043f596195a8fe322bc154bf375a6c5d39c968
2015-09-25 22:38:04 +00:00
umherirrender
271da88127 Some bugzilla.wikimedia.org -> phabricator.wikimedia.org changes
Changed some old bugzilla links to new phabricator links in comments,
test data and error message. This reduces the need for redirects from
old bugzilla to new phabricator from our source code.

Change-Id: Id98278e26ce31656295a23f3cadb536859c4caa5
2015-09-24 17:17:25 +02:00