* This adds a new $wgImgAuthUrlPathMap config variable
* Also fixed ImgAuthBeforeStream hook msg formatting
bug: 51136
Change-Id: I77528f92b20670e3b09adc79c49e62060f1614f3
Follows-up I1343872de7, Ia533aedf63 and I2df2f80b81.
Also updated usage in text in documentation and the
installer LocalSettingsGenerator.
Most of them were handled by this regex:
- find: (require|include|require_once|include_once)\s*\(\s*(.+?)\s*\)\s*;$
- replace: $1 $2;
Change-Id: I6b38aad9a5149c9c43ce18bd8edbab14b8ce43fa
hphpc has been superseded by hhvm, so support for hphpc is no longer
needed.
* Continue to use Preprocessor_Hash under HipHop since it is still
faster under hhvm
* Keep $wgCompiledFiles for now, so that wikihiero doesn't give an error
before Ic9d1e795 is merged
* Migrate the run-server script and associated configuration file to
hhvm. Enable EnableStaticContentFromDisk since it doesn't seem
ridiculously inefficient at first glance. Run from $IP rather than
$IP/.. since hhvm is apparently not picky about sourcing files from
outside of the current directory.
Change-Id: Ic3e769f1fbad4f7ad26dd819406796fee48c6b45
Fix up spaces in our function calls, we do not want spaces before a
comma and try to avoid multiple commas whenever possible.
Errors:
* No space found after comma in function call
* Space found before comma in function call
Change-Id: I51aec02016f742422fa60b92ad35ba3f0ef59ba3
* Made thumb_handler.php "just work" in a way similar to img_auth.
It no longer needs any "handlerUrl" setting to be set.
Change-Id: I557ba1f94db3cef0f21f5c0e2b60d8e381ea3f96
We can now do this since we finally switched to PHP 5.3 for MW 1.20 and get rid of the silly dirname(__FILE__) stuff :)
Change-Id: Id9b2c9cd2e678197aa81c78adced5d1d31ff57b1
Also update img_auth.php so it's abuse of $wg variables is done in a way that doesn't let "/*" action paths clobber it's handling.
This should theoretically fix bug 32486.
* Moved most of the bug 28235 code out to a separate library class, since I was running out of distinct function names.
* Merged the QUERY_STRING and PATH_INFO security checks, since they are dealing with the exact same problem. Removed WebRequest::isQueryStringBad().
* Deal with img_auth.php by having it specify what extension it expects to be streaming out. This extension can then be compared with the extension that IE might detect.
* Fixed a logic error in WebRequest::isPathInfoBad() from r88883, which caused dangerous PATH_INFO strings to be allowed as long as QUERY_STRING was set.
* Refactored the query string checks in WebRequest and img_auth.php into a single new function: isQueryStringBad().
* Added the ability to compile extensions. The build process is bootstrapped by running MediaWiki in interpreted mode. Extension setup file inclusions are slightly modified in a way that makes them register themselves for compilation. Then the same LocalSettings.php uses the compiled extension setup file when the compiled binary runs.
* Tested with Cite and ParserFunctions. The code which lets you have an extensions directory in a place other than $IP/../extensions is untested.
* Simplified WebStart.php slightly by using a custom $_SERVER variable to mark compiled mode. It will break if you don't use the supplied server.conf, but that will break a lot of things so don't do that.
* Fixed the core web entry points to include WebStart.php in compiled mode instead of interpreted.
* Made the build directory configurable. This is mostly so that I can grep the source tree without seeing loads of generated C++.
* In server.conf, added a rewrite rule allowing a /wiki/$1 article path.
* Removed server.conf log file location "/dev/stdout", breaks when you switch user
* Disable static content cache, breaks horribly when you set SourceRoot to a directory containing 7GB of files.
* Rewrote the run-server script in PHP, mostly to support the configurable build directory feature.
* Added an option to the run-server script to allow running in interpreted (hphpi) mode.
The localization code here is really ugly with weird things like call_user_func_array() all over the place, and there are bugs with escaping for log entries and such.
Tried to rebuild all the localization files, but rebuildLanguage.php doesn't seem to consider the messages as "unknown". Have removed from English and qqq.
https://bugzilla.wikimedia.org/show_bug.cgi?id=19646
1. Localize img_auth.php using core messages
2. Reorder checks to make sense (and eliminate redundancy)n
3. Add hook 'ImgAuthBeforeStream' to allow custom checking
4. Add globals wgImgAuthDetails,
5. Move all "wfDebugLog" into the rejection functions
This is a global search and replace of NS_IMAGE and NS_IMAGE_TALK with NS_FILE and NS_FILE_TALK respectively in all core files, excluding those already updated in step 1 (r44004).
Uses $dir in extension files, and assumes that it remains unchanged in require_once( 'maintenance/commandLine.inc' ).
In fact, it is likely that '$dir' will be set when setting up command-line, as some extensions will use the same var.
Recommended fix: Use $CentralAuth_dir, $EmailPage_dir, etc.
to forestall additional UTF-7-autodetect XSS issues. Probably not an
issue on Apache 2.0+, but most servers send only 'text/html' by default
when the script didn't specify more details.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant
on a previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
The ob_start() section should preferably be removed from older
LocalSettings.php files.
* Give Content-Length header for HTTP/1.0 clients.
* Partial support for Flash cross-domain-policy filtering. Text entry points should be protected, but uploads are not.
