wfSuppressWarnings() and wfRestoreWarnings() were split out into a
separate library. All usages in core were replaced with the new
functions, and the wf* global functions are marked as deprecated.
Additionally, some uses of @ were replaced due to composer's autoloader
being loaded even earlier.
Ie1234f8c12693408de9b94bf6f84480a90bd4f8e adds the library to
mediawiki/vendor.
Bug: T100923
Change-Id: I5c35079a0a656180852be0ae6b1262d40f6534c4
This patch is to generate specific error (warning) message when
blocking an svg file.
The checkSvgScriptCallback function has been updated, and its
return type is changed from boolean to array.
A new variable is added to XmlTypeCheck class that contains the
type of error when svg file is uploaded, which is used to generate
concrete error messages later on.
I have added concrete error messages to i18n/en.json and their description
to qqq.json file. Please review the error messages and their description.
Bug: T85924
Change-Id: I3f687bf5b86ce66b703591b85fd03f073aacff4f
Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got
around our blacklist on embedded href targets. Use a whitelist instead.
Bug: T85850
Change-Id: I17b7ed65935b818695a83fd901fcaf90fffecf28
@import in embedded CSS is case-insensitive, meaning
an attacker can put "@iMpOrT" and it should still
work.
This uses stripos instead of strpos to make the check
case insensitive.
Bug: T85349
Change-Id: I31db9d81f46460af2d8d3f161ba46c2ab7a170d1
* Callers that should not use caches won't
* Aliased the old "bypassCache" param to "latest"
Bug: T89184
Change-Id: I9f79e5942ced4ae13ba4de0b4c62908cc746e777
- As of now, we detect duplicate files by a combination of sha1
and file extension.
- Since multiple file extensions for the same MIME are permitted,
this method does not reliably work.
Bug: T74070
Change-Id: If13059441097799227f23ece36a96c8375f17aab
Xhprof generates this data now. Custom profiling of various
sub-function units are kept.
Calls to profiler represented about 3% of page execution
time on Special:BlankPage (1.5% in/out); after this change
it's down to about 0.98% of page execution time.
Change-Id: Id9a1dc9d8f80bbd52e42226b724a1e1213d07af7
For non-vectorial content, requesting a thumbnail larger than
the original results in a 500. Prerendering in its current form
introduces an increase in 500s that dilutes the real problematic
500s, making troubleshooting harder than it needs to be.
Change-Id: I9418dee7653ad7954c3788ecdd350fc8772edd32
Mingle: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/301
Chunked uploads of SVGs are currently failing with "invalid XML" errors
because UploadBase::detectScriptInSvg() requires the full file but is
being called from UploadBase::verifyPartialFile().
So let's do the check twice: once in UploadBase::verifyPartialFile()
where it will pass if non-well-formed, and once in
UploadBase::verifyFile() where it will fail if non-well-formed.
Bug: 65724
Change-Id: I6126e185eb4b183c31946f13c576521f1ed19c16
* This causes problems with some session handlers and it is
also trickier to deal with in non-CLI scripts without leaking
cookie headers.
Change-Id: Iaf2a57f9299e42a5f68bf85115e62e88fa0f8ed6
- Added newline at end of file
- Removed double spaces/newlines
- Added space after if/function and parentheses/brackets
- Removed space before comma/cast
- Fixed indent of some lines
Change-Id: I29867ffdffdfb7d2b56997e9393497c7dc12f7d3
* Filter <style> elements
* Normalize style elements and attributes before filtering
* Add checks for attributes that contain css
* Add unit tests for html5sec and reported bugs
Bug: 69008
Change-Id: I732eece710f1bfaaeea1e5de541fcd4cfb375de7
http://phpdoc.org/docs/latest/references/phpdoc/types.html
If IDEs have many warnings, we don't look at them.
Let's minimize the number of warnings, and make them useful again.
* Some function docs fixes
* Removed unused $iwprefixes var in ApiQuerySearch.php
* declared private $blockStatusByUid in SpecialActiveusers
* declared private $repo in UploadFromChunks
Change-Id: Ifd20f78b168b9a913fdb8d89dc26a76a173b1c29
Spotted on beta:
--------
commonswiki-375c0c3e:
0.0752 1.9M mime: <image/png> extension: <png>
--------
With lots of requests, that causes them to be interleaved and ungreppable.
Change-Id: Ib99bc9547bdecb9efa59b7d292ddd7d10a552652
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Capitalized the beginning of @param/@return/@var/@throws
- Changed some types to match the more common spelling
Change-Id: Ie419638e909a47aa72a274043604247830ee1a81
json, csv, and tsv are often detected as text/plain. However that's
not right. This patch causes MediaWiki to look at the file extension
of files detected as text/plain, and if the file extension is
for a "textual" type, use the mime type associated with that extension.
This change also changes the "does mime type match uploaded file
extension" check to use the mime based on the file contents
plus extension, as opposed to just the file contents. Various
documentation suggests this is more appropriate (e.g. line 807
of MimeMagic.php). In my opinion we should use just the file
contents when verifying the file is not on the blacklist, but use the ext
when verifying the file type matches the extension, and for deciding
what handler-specific checks to run. Note that detecting the mime type
with the extension doesn't override the detected mime type with
the extension, but only uses the extension if content-based
detection is ambiguous or not specific enough.
This patch should be reviewed by csteipp before merge for
any potential security implications.
Note: This is partially fixing a regression from 3846d10487,
where previously csv and json files were allowed to be uploaded,
and that change prevented them
Bug: 66036
Bug: 45424
Change-Id: Ib637fe6850a81b26f84dc8c00ab4772f3d3a1f34
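The two-step approach described in the commit above (detect the type from content, fall back to the extension only when the content says no more than text/plain, then run the "does the type match the extension" check on the refined type) as an added PHP example. This is not MediaWiki's code: detectMimeFromContent, refineMime, mimeMatchesExtension, verifyUpload and the two small maps are this example's own, and the constructed JSON file is written to a temp path only so the block runs stand-alone.

```php
<?php
// Added example, not MediaWiki code; the maps and function names are this example's own.

// Content sniffing alone reports "text/plain" for these (with older libmagic
// versions at least); the extension then decides which textual type it is.
const TEXTUAL_TYPES = [
    'json' => 'application/json',
    'csv'  => 'text/csv',
    'tsv'  => 'text/tab-separated-values',
    'txt'  => 'text/plain',
];
// Which content types each upload extension may carry (example map).
const EXTENSION_MIMES = [
    'json' => [ 'application/json' ],
    'csv'  => [ 'text/csv' ],
    'tsv'  => [ 'text/tab-separated-values' ],
    'png'  => [ 'image/png' ],
    'jpg'  => [ 'image/jpeg' ],
    'jpeg' => [ 'image/jpeg' ],
    'svg'  => [ 'image/svg+xml' ],
];

// Content-based detection via libmagic (finfo); the file name is never consulted.
function detectMimeFromContent( string $path ): string {
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime = $finfo->file( $path );
    return $mime === false ? 'unknown/unknown' : $mime;
}

// Use the extension only when content detection was not specific enough.
// A file sniffed as image/png keeps that type whatever its name says.
function refineMime( string $contentMime, string $ext ): string {
    if ( $contentMime !== 'text/plain' ) {
        return $contentMime;
    }
    return TEXTUAL_TYPES[ strtolower( $ext ) ] ?? $contentMime;
}

// The "does the type match the extension" check, fed the refined type.
function mimeMatchesExtension( string $mime, string $ext ): bool {
    $allowed = EXTENSION_MIMES[ strtolower( $ext ) ] ?? [];
    return in_array( $mime, $allowed, true );
}

function verifyUpload( string $path, string $ext ): array {
    $contentMime = detectMimeFromContent( $path ); // use this one for blacklist checks
    $mime = refineMime( $contentMime, $ext );      // use this one for the extension check
    return [
        'contentMime'      => $contentMime,
        'mime'             => $mime,
        'matchesExtension' => mimeMatchesExtension( $mime, $ext ),
    ];
}

// Constructed input: a small JSON document written to a temp file.
$tmp = tempnam( sys_get_temp_dir(), 'up' );
file_put_contents( $tmp, "{\"title\": \"example\", \"n\": 1}\n" );
print_r( verifyUpload( $tmp, 'json' ) ); // name agrees with the content
print_r( verifyUpload( $tmp, 'png' ) );  // same bytes uploaded under a .png name
unlink( $tmp );
```

Whether libmagic reports the sample as text/plain or already as application/json depends on its version; either way refineMime yields application/json for the .json name, and the .png name fails mimeMatchesExtension because no textual type is permitted for png. Blacklist decisions should still be taken on contentMime alone, as the commit message argues, since the extension is attacker-chosen.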
On bug 65724, it was discovered that a user could upload SVG images
with embedded <image> elements that pulled in the resource via http.
This could allow an attacker to track all viewers of an SVG by having
the image embed another image hosted on their own server.
While testing the patch, I also identified 3 more element namespaces
that have been used on commons and seem harmless, so I added those to
the whitelist.
Change-Id: Iaaabc3a60c0ec4e6e426a8680d7a2cef5d469d29
Noticed that we have several old images on commons that use these
namespaces. They seem harmless, so I think we should add them.
Change-Id: Ib80298256c5d4717867eb857d5404a9487fed784
* Fixed bug where even using Swift/Azure on Windows
would disallow non-ASCII file names.
Bug: 1780
Change-Id: I19ed72da0b099d35cae74fb08eeb22c113da1065
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Capitalizes the beginning of some text.
Also added some missing @param.
Change-Id: I8804ebe0922d3a414863b162a2110e0b9e49b80f
In the event of a bad filename warning, record the relevant variables
so that we can figure out what is causing the failure.
See also change I532f8ee7c7455e43862b0204a7fff23d6792412e
Bug: 62241
Change-Id: If5d8b9e7f34c0f9bd09684d7dada8fafd7f5f7c2
- Added spaces after if/foreach/catch
- Added new line before end of file
- Added or removed spaces before/after parenthesis, comma
- Added spaces around string concat
Change-Id: I0590070f1b3542108e242730e8d9a3ba9831e94f
When we are doing blacklisted extensions, we count all extensions
as some programs (like apache sometimes) consider extensions that
aren't the final extension. However when doing whitelists we need
to only count the last extension, otherwise people can name files
foo.goodExt.BadExt. For example [[commons:File:Deamado ko.png.bmp]]
I do not believe this represents a security risk as bad files are
still filtered out. However it does allow unwanted files to be
uploaded.
Bug: 62451
Change-Id: Ie27c15f749812710571f432bc5915e498f8017e3
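The asymmetry the commit above describes (every extension in the name counts against the blacklist, only the final one counts for the whitelist) as an added PHP example. This is not MediaWiki's code: fileExtensions, checkFileExtension and the two example lists are this example's own, and the sample names are constructed.

```php
<?php
// Added example, not MediaWiki code. The lists and function names are this example's own.

// Extensions the wiki accepts: only the final extension is consulted.
const ALLOWED_EXTENSIONS = [ 'png', 'gif', 'jpg', 'jpeg', 'svg', 'pdf' ];
// Extensions that are never acceptable anywhere in the name.
const BANNED_EXTENSIONS = [ 'php', 'phtml', 'html', 'htm', 'js', 'exe', 'sh' ];

// All extensions of a name, lower-cased: "a.PNG.bmp" gives ['png', 'bmp'].
function fileExtensions( string $filename ): array {
    $parts = explode( '.', $filename );
    array_shift( $parts ); // the base name is not an extension
    return array_map( 'strtolower', $parts );
}

// Returns [ 'ok' => true, 'extension' => <final ext> ] or an error array.
// Blacklist: every extension counts, because some programs (Apache, at times)
// act on extensions that are not the final one, so "shell.php.png" must fail.
// Whitelist: only the final extension counts, otherwise "foo.png.bmp" would
// pass on the strength of the inner "png".
function checkFileExtension( string $filename ): array {
    $exts = fileExtensions( $filename );
    if ( $exts === [] ) {
        return [ 'ok' => false, 'error' => 'no-extension' ];
    }
    foreach ( $exts as $ext ) {
        if ( in_array( $ext, BANNED_EXTENSIONS, true ) ) {
            return [ 'ok' => false, 'error' => 'banned-extension', 'extension' => $ext ];
        }
    }
    $last = end( $exts );
    if ( !in_array( $last, ALLOWED_EXTENSIONS, true ) ) {
        return [ 'ok' => false, 'error' => 'extension-not-allowed', 'extension' => $last ];
    }
    return [ 'ok' => true, 'extension' => $last ];
}

// Constructed sample names, including the one cited in the commit message.
foreach ( [ 'Deamado ko.png.bmp', 'shell.php.png', 'photo.JPG', 'README' ] as $name ) {
    echo $name, ': ', json_encode( checkFileExtension( $name ) ), "\n";
}
```

Case folding before both comparisons matters: "shell.PHP.png" must hit the blacklist just as "shell.php.png" does, and "photo.JPG" should be accepted as jpg.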
Disallow uploading non-whitelisted namespaces. Also disallow iframe
elements.
User will get an error including the namespace name if they use a non-
whitelisted namespace.
Bug: 60771
Change-Id: Id5c022543184b19b77ad32d9a8a0c2dbbc5e9038
Return an error from UploadBase::detectScriptInSvg when the svg has
XML that cannot be parsed. Usually the XML is invalid, or the parser has
run out of memory trying to parse the file.
This patch is rebased on top of bug 57550.
Bug: 58553
Change-Id: I32661a27d7417cc2c69b844c805b190d6486d17a
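The SVG checks described across the commits above (the case-insensitive @import test, normalising and filtering <style> elements and style attributes, whitelisting href targets instead of blacklisting them so an embedded <image> cannot fetch a tracking pixel from the uploader's server, rejecting non-whitelisted namespaces and iframe elements, reporting unparsable XML as a concrete error, and letting a not-yet-well-formed partial file through during a chunked upload) combined in one added PHP example. This is not MediaWiki's code: checkSvgUpload, checkCss, hrefAllowed, the error keys, the partial-file flag and both whitelists are this example's own choices, and the sample documents are constructed.

```php
<?php
// Added example, not MediaWiki code. checkSvgUpload, checkCss, hrefAllowed,
// the error keys and both whitelists are this example's own choices.

// Namespaces an uploaded SVG may use (example whitelist; a real one is longer).
const ALLOWED_NAMESPACES = [
    'http://www.w3.org/2000/svg',
    'http://www.w3.org/1999/xlink',
    'http://www.w3.org/XML/1998/namespace',
    'http://purl.org/dc/elements/1.1/',
    'http://creativecommons.org/ns#',
    'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
];

// Whitelist of href targets: fragments inside the document and raster data: URIs.
// http://, https:// and //host/... are refused, so an <image> cannot phone home.
function hrefAllowed( string $href ): bool {
    $href = trim( $href );
    return $href === '' || $href[0] === '#'
        || preg_match( '#^data:image/(png|jpeg|gif);#i', $href ) === 1;
}

// Returns null when $css looks safe, otherwise an error key. Comments are
// stripped, whitespace collapsed and case folded first, so a comment or mixed
// case cannot hide a keyword; stripos keeps the test case-insensitive anyway.
// CSS escape sequences (for example \40import) are not decoded here.
function checkCss( string $css ): ?string {
    $norm = preg_replace( '#/\*.*?\*/#s', '', $css );
    $norm = strtolower( preg_replace( '/\s+/', ' ', $norm ) );
    if ( stripos( $norm, '@import' ) !== false ) {
        return 'css-import';
    }
    // url() may only point back into the document itself
    if ( preg_match_all( '/url\s*\(\s*["\']?\s*([^"\')\s]*)/', $norm, $m ) ) {
        foreach ( $m[1] as $target ) {
            if ( !hrefAllowed( $target ) ) {
                return 'css-url';
            }
        }
    }
    return null;
}

// Returns [ 'ok' => true ] or [ 'ok' => false, 'error' => <key>, 'detail' => <where> ],
// so the caller can show a concrete message. $partial is true while verifying the
// first chunk of a chunked upload: unparsable XML is then not a failure, because
// the document cannot be well-formed yet; the complete file is checked again later.
function checkSvgUpload( string $svg, bool $partial = false ): array {
    $prev = libxml_use_internal_errors( true );
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    // Entities are not expanded because LIBXML_NOENT is deliberately not set.
    $loaded = $doc->loadXML( $svg, LIBXML_NONET );
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( !$loaded ) {
        $msg = $errors ? trim( $errors[0]->message ) : 'unknown parse error';
        return $partial ? [ 'ok' => true ]
            : [ 'ok' => false, 'error' => 'svg-parse-error', 'detail' => $msg ];
    }
    $xpath = new DOMXPath( $doc );
    foreach ( $xpath->query( '//*' ) as $el ) {
        $ns = $el->namespaceURI ?? '';
        if ( !in_array( $ns, ALLOWED_NAMESPACES, true ) ) {
            return [ 'ok' => false, 'error' => 'svg-namespace', 'detail' => $ns ];
        }
        $name = strtolower( $el->localName );
        if ( $name === 'script' || $name === 'iframe' ) {
            return [ 'ok' => false, 'error' => 'svg-element', 'detail' => $name ];
        }
        if ( $name === 'style' && ( $err = checkCss( $el->textContent ) ) !== null ) {
            return [ 'ok' => false, 'error' => $err, 'detail' => '<style>' ];
        }
        foreach ( $el->attributes as $attr ) {
            $aname = strtolower( $attr->localName );
            if ( $aname === 'style' && ( $err = checkCss( $attr->value ) ) !== null ) {
                return [ 'ok' => false, 'error' => $err, 'detail' => "$name@style" ];
            }
            // href and xlink:href on any element, <image> included
            if ( $aname === 'href' && !hrefAllowed( $attr->value ) ) {
                return [ 'ok' => false, 'error' => 'svg-href', 'detail' => "$name@href" ];
            }
        }
    }
    return [ 'ok' => true ];
}

// Constructed samples, not real uploads.
$tracker = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://tracker.invalid/pixel.png" width="1" height="1"/>
</svg>
SVG;
$hidden = '<svg xmlns="http://www.w3.org/2000/svg"><style>@iM/**/pOrT "x.css";</style></svg>';
$chunk  = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1'; // cut mid-attribute
print_r( checkSvgUpload( $tracker ) );
print_r( checkSvgUpload( $hidden ) );
print_r( checkSvgUpload( $chunk, true ) ); // same bytes, verified as the first chunk
print_r( checkSvgUpload( $chunk ) );       // same bytes, verified as the complete file
```

Two design points worth noting. The href test is a whitelist on any href-named attribute in any element, not a blacklist of bad schemes, which is what the Cure53 bypass mentioned earlier on this page argued for. And because the partial-file path only relaxes the parse failure, a first chunk that does parse is still subject to every other check, so a script element in the first kilobyte is refused before the rest of the file is ever accepted.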
When a file is being uploaded, we tell the user if it has been
uploaded and deleted in the past. But we shouldn't reveal the title
under which that was done if the file was suppressed via RevDel.
Note this introduces a breaking API change: clients may now receive a
"deleted-archive" warning with an empty value if the title was
suppressed.
Bug: 59167
Change-Id: I01a3ac2ba0cbac6b28de26a7f1a1d09b6b02097e
Split the variable assignment and the return statement in two lines for
better readability.
When there were two return statements in one method, the logic was swapped
to have only one return statement.
Change-Id: Id7a01b4a2df96036435f9e1a9be5678dd124b0af