path: root/img_auth.php
Commit log (each entry: commit message [author, date, files changed, lines -/+]):
* filerepo: extract AuthenticatedFileEntryPoint from img_auth.php [daniel, 2024-05-16, 1 file, -187/+10]
  The idea is that all entry points should share the code in the MediaWikiEntryPoint base class. This change just moves code from the file scope into a class, without any structural changes.
  Bug: T354216
  Change-Id: Ie2e827d30a070bcc63bdce56891c3aa0a4dacddd
* Namespace includes/context [James D. Forrester, 2024-02-08, 1 file, -0/+1]
  Bug: T353458
  Change-Id: I4dbef138fd0110c14c70214282519189d70c94fb
* Reorg: Move WebRequest to includes\Request [Amir Sarabadani, 2023-09-11, 1 file, -0/+1]
  This has been approved as part of RFC T166010
  Bug: T321882
  Change-Id: I6bbdbbe6ea48cc1f50bc568bb8780fc7c5361a6f
* doc: Update redirected link [Meno25, 2023-07-03, 1 file, -1/+1]
  Change-Id: I5a2cd33efe494ac8d476f619077506d4f684f48f
* Replace substr with cleaner string methods [Matěj Suchánek, 2023-05-20, 1 file, -1/+1]
  Use str_starts_with, str_ends_with or string offset where appropriate. This fixes a bug in MimeAnalyzer where the "UTF-16LE" header could not be identified because of a wrong constant. This is the exact type of bug that the new functions can avoid.
  Change-Id: I9f30881e7e895f011db29cf5dcbe43bc4f341062
* Replace internal Hooks::runner [Umherirrender, 2023-05-11, 1 file, -2/+4]
  The Hooks class contains deprecated functions and the whole class is going to get removed, so remove the convenience function and inline the code.
  Bug: T335536
  Change-Id: I8ef3468a64a0199996f26ef293543fcacdf2797f
* Reorg: Namespace the Title class [James D. Forrester, 2023-03-02, 1 file, -0/+1]
  This is moderately messy. Process was principally:
  * xargs rg --files-with-matches '^use Title;' | grep 'php$' | \
      xargs -P 1 -n 1 sed -i -z 's/use Title;/use MediaWiki\\Title\\Title;/1'
  * rg --files-without-match 'MediaWiki\\Title\\Title;' . | grep 'php$' | \
      xargs rg --files-with-matches 'Title\b' | \
      xargs -P 1 -n 1 sed -i -z 's/\nuse /\nuse MediaWiki\\Title\\Title;\nuse /1'
  * composer fix
  Then manual fix-ups for a few files that don't have any use statements.
  Bug: T166010
  Follows-Up: Ia5d8cb759dc3bc9e9bbe217d0fb109e2f8c4101a
  Change-Id: If8fc9d0d95fc1a114021e282a706fc3e7da3524b
* Reorg: Move HTML-related classes out of includes/ to Html/ [Amir Sarabadani, 2023-02-16, 1 file, -0/+2]
  Bug: T321882
  Change-Id: I5dc1f7e9c303cd3f5b9dd7010d6bb470d8400a18
* Replace deprecated PermissionManager::getGroupPermissions [Umherirrender, 2022-11-13, 1 file, -1/+1]
  Change-Id: I271473cedb1d10b8a2b9529d4af0c42f04bfcd98
* Revert "Reorg: Move some of request related classes to MediaWiki/Request" [Zabe, 2022-10-27, 1 file, -2/+0]
  This reverts commit 2bdc0b2b7209441a42a784157633a8a01b321922.
  Reason for revert: T166010#8349431
  Bug: T166010
  Change-Id: Idcd3025647aec99532f5d69b9c1718c531761283
* Reorg: Move some of request related classes to MediaWiki/Request [Amir Sarabadani, 2022-10-26, 1 file, -0/+2]
  Moving:
  - DerivativeRequest
  - FauxRequest
  - FauxRequestUpload
  - PathRouter
  - WebRequest
  - WebRequestUpload
  Bug: T166010
  Change-Id: I5ea70120d745f2876ae31d039f3f8a51e49e9ad8
* Use short array destructuring instead of list() [Tim Starling, 2022-10-21, 1 file, -1/+1]
  Introduced in PHP 7.1. Because it's shorter and looks nice. I used regex replacement.
  Change-Id: I0555e199d126cd44501f859cb4589f8bd49694da
* Revert "Enhance GroupPermissionsLookup and use it." [Ppchelko, 2021-01-12, 1 file, -2/+1]
  This reverts commit 900c6663b05b6a33498a81c187ac027209dd6502.
  Reason for revert: breaks Parsoid CI. Instead of fixing the test in presence of the FlaggedRevs hook, I would rather convert DefaultPreferencesFactory to Authority and fix the tests once instead of doing it twice.
  Change-Id: Iaa440a9804c9ed97339e737162ef64ccf29ceb51
* Enhance GroupPermissionsLookup and use it. [Petr Pchelko, 2021-01-11, 1 file, -1/+2]
  Added new methods:
  - ::getGroupsWithAnyPermissions
  - ::getGroupsWithAllPermissions
  - ::groupHasAnyPermission
  - ::groupHasAllPermission
  Replaced relevant calls to PermissionManager with calls to GroupPermissionsLookup.
  Bug: T254537
  Change-Id: I0b9c3352c5bebc94e1649239fe0527144e7c2eb2
* SECURITY: Fix accidental public CC headers in img_auth.php [Tim Starling, 2020-06-24, 1 file, -2/+4]
  Incorrect parameters to FileBackend::streamFile() caused Cache-Control:private and Vary:Cookie response headers to be omitted when requesting a file in a path configured by $wgImgAuthUrlPathMap. Typically this is used to deliver images generated by extensions.
  CVE-2020-15005
  Bug: T248947
  Change-Id: I404d9462e4b35d3d832bfab21954ff87e46e3eb2
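Added example (not part of this commit or of MediaWiki's code): a small header audit that models the failure mode described in the CVE-2020-15005 commit above. A response for a file served through the authenticated entry point that lacks "Cache-Control: private" and "Vary: Cookie" can be stored by a shared cache and handed to a different user. The path prefixes /img_auth.php/ and /extdata/ are assumed stand-ins for entries a site would configure in $wgImgAuthUrlPathMap, and the sample responses are constructed, not captured from a real wiki.

```python
"""Detect authenticated-file responses that lack private caching headers.

Added example, not MediaWiki's own code. It models the CVE-2020-15005
failure mode: a file served from a path that must be private is returned
without "Cache-Control: private" and "Vary: Cookie", so an intermediary
cache may store it and serve it to other users.
"""
from typing import Dict, List, Tuple

# Assumed prefixes that require private caching headers (stand-ins for
# $wgImgAuthUrlPathMap entries; not real configuration).
PRIVATE_PREFIXES = ("/img_auth.php/", "/extdata/")


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def check_private_file_headers(headers: Dict[str, str]) -> List[str]:
    """Return the problems found in one response's headers (empty list = OK)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems: List[str] = []
    cc = _tokens(h.get("cache-control", ""))
    if "private" not in cc:
        problems.append("Cache-Control lacks 'private'")
    if "public" in cc:
        problems.append("Cache-Control contains 'public'")
    vary = _tokens(h.get("vary", ""))
    # "Vary: *" is also acceptable: it prevents shared caching entirely.
    if "cookie" not in vary and "*" not in vary:
        problems.append("Vary does not include 'Cookie'")
    return problems


def is_private_path(path: str) -> bool:
    """True when the request path must carry private caching headers."""
    return path.startswith(PRIVATE_PREFIXES)


def audit(responses: List[Tuple[str, Dict[str, str]]]) -> Dict[str, List[str]]:
    """Map each private-path request that has problems to its problem list."""
    findings: Dict[str, List[str]] = {}
    for path, headers in responses:
        if not is_private_path(path):
            continue
        problems = check_private_file_headers(headers)
        if problems:
            findings[path] = problems
    return findings


# Constructed sample responses (not captured from a real wiki).
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    # Correct behaviour for a file in the private repository.
    ("/img_auth.php/a/ab/Secret.png",
     {"Content-Type": "image/png",
      "Cache-Control": "private",
      "Vary": "Cookie"}),
    # The CVE-2020-15005 shape: extension-generated file, headers omitted.
    ("/extdata/report-42.pdf",
     {"Content-Type": "application/pdf",
      "Last-Modified": "Wed, 24 Jun 2020 00:00:00 GMT"}),
    # A public path is out of scope for this check.
    ("/images/public-logo.png",
     {"Content-Type": "image/png",
      "Cache-Control": "public, max-age=3600"}),
]


if __name__ == "__main__":
    for path, problems in audit(SAMPLE_RESPONSES).items():
        print(path)
        for p in problems:
            print("  -", p)
```

Run it against headers captured from the wiki's own responses (for example with curl -I while logged in) for each path listed in $wgImgAuthUrlPathMap; any entry the audit reports is one that an upstream cache such as Varnish or a CDN may have stored for anonymous users.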
* Hooks::run() call site migration [Tim Starling, 2020-05-30, 1 file, -2/+2]
  Migrate all callers of Hooks::run() to use the new HookContainer/HookRunner system.
  General principles:
  * Use DI if it is already used. We're not changing the way state is managed in this patch.
  * HookContainer is always injected, not HookRunner. HookContainer is a service, it's a more generic interface, it is the only thing that provides isRegistered() which is needed in some cases, and a HookRunner can be efficiently constructed from it (confirmed by benchmark). Because HookContainer is needed for object construction, it is also needed by all factories.
  * "Ask your friendly local base class". Big hierarchies like SpecialPage and ApiBase have getHookContainer() and getHookRunner() methods in the base class, and classes that extend that base class are not expected to know or care where the base class gets its HookContainer from.
  * ProtectedHookAccessorTrait provides protected getHookContainer() and getHookRunner() methods, getting them from the global service container. The point of this is to ease migration to DI by ensuring that call sites ask their local friendly base class rather than getting a HookRunner from the service container directly.
  * Private $this->hookRunner. In some smaller classes where accessor methods did not seem warranted, there is a private HookRunner property which is accessed directly. Very rarely (two cases), there is a protected property, for consistency with code that conventionally assumes protected=private, but in cases where the class might actually be overridden, a protected accessor is preferred over a protected property.
  * The last resort: Hooks::runner(). Mostly for static, file-scope and global code. In a few cases it was used for objects with broken construction schemes, out of horror or laziness.
  Constructors with new required arguments: AuthManager, BadFileLookup, BlockManager, ClassicInterwikiLookup, ContentHandlerFactory, ContentSecurityPolicy, DefaultOptionsManager, DerivedPageDataUpdater, FullSearchResultWidget, HtmlCacheUpdater, LanguageFactory, LanguageNameUtils, LinkRenderer, LinkRendererFactory, LocalisationCache, MagicWordFactory, MessageCache, NamespaceInfo, PageEditStash, PageHandlerFactory, PageUpdater, ParserFactory, PermissionManager, RevisionStore, RevisionStoreFactory, SearchEngineConfig, SearchEngineFactory, SearchFormWidget, SearchNearMatcher, SessionBackend, SpecialPageFactory, UserNameUtils, UserOptionsManager, WatchedItemQueryService, WatchedItemStore
  Constructors with new optional arguments: DefaultPreferencesFactory, Language, LinkHolderArray, MovePage, Parser, ParserCache, PasswordReset, Router
  setHookContainer() now required after construction: AuthenticationProvider, ResourceLoaderModule, SearchEngine
  Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
* Stop using SCRIPT_NAME where possible, rely on statically configured routing [Tim Starling, 2020-04-01, 1 file, -12/+20]
  It has become apparent that $_SERVER['SCRIPT_NAME'] may contain the same thing as REQUEST_URI, for example in WMF production. PATH_INFO is not set, so there is no way to split the URL into SCRIPT_NAME and PATH_INFO components apart from configuration.
  * Revert the fix for T34486, which added a route for SCRIPT_NAME to the PathRouter for the benefit of img_auth.php. In T235357, the route thus added contained $1, breaking everything.
  * Remove calls to WebRequest::getPathInfo() from everywhere other than index.php. Dynamic modification of $wgArticlePath in order to make PathRouter work was weird and broken anyway. All that is really needed is a suffix of REQUEST_URI, so I added a function which provides that.
  * Add $wgImgAuthPath, for use as a last resort workaround for T34486.
  * Avoid the use of $_SERVER['SCRIPT_NAME'] to detect the currently running script.
  * Deprecated wfGetScriptUrl(), a fairly simple wrapper for SCRIPT_NAME. Apparently no callers in core or extensions.
  Bug: T235357
  Change-Id: If2b82759f3f4aecec79d6e2d88cd4330927fdeca
* img_auth: Avoid various usage of deprecated code and also optimize [Derick A, 2020-02-20, 1 file, -4/+7]
  [X] Create just one MW services instance and use it all the way down.
  [X] Use same $permissionManager object for checking basic authorization of the user.
  [X] Use a MediaWiki service for both local file repository and file backend group. Using singletons has been deprecated.
  Change-Id: Iaf183c312de2235c36d99e01007712bb22fa43ec
* docs: Improve "Entry points" documentation page [Timo Tijhof, 2020-02-04, 1 file, -1/+2]
  Turn this into a doc group, and let the descriptions come directly from the files in question. This makes the list easier to maintain, and also means that the overview page becomes discoverable whenever one is looking at the entry point file as well.
  Previously the doc page pointed to the entry points, but not the other way around. This is also fixed.
  Bug: T244294
  Change-Id: I891c5a37e17592edc1136d7367949927121c8bc8
* Remove IE 6 security features from server-side code [Tim Starling, 2019-11-28, 1 file, -10/+0]
  * Deprecate WebRequest::checkUrlExtension() and have it always return true. This reverts the security fixes made for T30235.
  * Remove IEUrlExtension. This is a helper for checkUrlExtension() which is not used in any extensions.
  * Remove CSS sanitization code which is specific to IE6. This reverts the changes made to fix T57332, and related followups. I confirmed that the relevant test cases do not result in XSS on IE8.
  * Remove related tests.
  Bug: T232563
  Change-Id: I7318ea4a63210252ebc64968691d4f62d79a63e9
* Use Mustache template in img_auth.php [Fomafix, 2019-10-05, 1 file, -15/+7]
  Let the template do the output encoding.
  Change-Id: I01fc60f10f98c032c5104d3a2f4b44cdfbeee51c
* Avoid using "enqueue" mode for deferred updates in doPostOutputShutdown [Aaron Schulz, 2019-09-30, 1 file, -1/+1]
  Set appropriate headers and flush the output as needed to avoid blocking the client on post-send updates for the stock apache2 server scenario. Several cases have bits of header logic to avoid delay:
  a) basic GET/POST requests that succeed (e.g. HTTP 2XX)
  b) requests that fail with errors (e.g. HTTP 500)
  c) If-Modified-Since requests (e.g. HTTP 304)
  d) HEAD requests
  These last two still block on deferred updates, so schedulePostSendJobs() does not trigger on them as a form of mitigation. Slow deferred updates should only trigger on POST anyway (inline and redirect responses are OK), so this should not be much of a problem.
  Deprecate triggerJobs() and implement post-send job runs as a deferred. This makes it easy to check for the existence of post-send updates by calling DeferredUpdates::pendingUpdatesCount() after the pre-send stage. Also, avoid running jobs on requests that had exceptions.
  Relatedly, remove $mode option from restInPeace() and doPostOutputShutdown(). Only one caller was using the non-default options.
  Bug: T206283
  Change-Id: I2dd2b71f1ced0f4ef8b16ff41ffb23bb5b4c7028
* Add MW_REST_API and MW_ENTRY_POINT [Tim Starling, 2019-09-03, 1 file, -0/+1]
  Define the global constant MW_REST_API in rest.php, by analogy with MW_API. Also generalize this by adding MW_ENTRY_POINT, which contains the entry script name, "cli" or "unknown". This allows tests such as
    if ( MW_ENTRY_POINT !== 'index' )
  which is probably what is really intended by defined('MW_API') in many cases.
  Change-Id: I24099f4cdd170de17afd6e1bbad67c9b204071fc
* Remove deprecated User groups/permission static calls. [Petr Pchelko, 2019-08-21, 1 file, -2/+2]
  Bug: T220191
  Change-Id: Ifa8afa90c432723b0bba0033a46b6a499c77e6fc
* Add ImgAuthModifyHeaders hook to img_auth.php to modify headers [James Montalvo, 2019-07-15, 1 file, -7/+11]
  Change-Id: I3c6fd7b0c39d7fd52c484494233241093d152f88
* Migrate remaining usages of Title::userCan() to PermissionManager [Máté Szabó, 2019-06-03, 1 file, -2/+6]
  T208768 introduced the PermissionManager service that can now be used for page specific permission checks. This change replaces remaining calls to Title::userCan() with the new service in MediaWiki core.
  Bug: T220191
  Change-Id: Ie45e0cb6aa49a8c66147b470946161fc18160fc1
* Stop calling FileRepo->streamFile() [Reedy, 2019-04-20, 1 file, -1/+1]
  Change-Id: Ifdf379dc7f2501e561dfbc06f9afa7a9089306f2
* Get rid of unnecessary func_get_args() and friends [Aryeh Gregor, 2019-04-12, 1 file, -4/+3]
  HHVM does not support variadic arguments with type hints. This is mostly not a big problem, because we can just drop the type hint, but for some reason PHPUnit adds a type hint of "array" when it creates mocks, so a class with a variadic method can't be mocked (at least in some cases). As such, I left alone all the classes that seem like someone might like to mock them, like Title and User. If anyone wants to mock them in the future, they'll have to switch back to func_get_args(). Some of the changes are definitely safe, like functions and test classes.
  In most cases, func_get_args() (and/or func_get_arg(), func_num_args() ) were only present because the code was written before we required PHP 5.6, and writing them as variadic functions is strictly superior. In some cases I left them alone, aside from HHVM compatibility:
  * Forwarding all arguments to another function. It's useful to keep func_get_args() here where we want to keep the list of expected arguments and their meanings in the function signature line for documentation purposes, but don't want to copy-paste a long line of argument names.
  * Handling deprecated calling conventions.
  * One or two miscellaneous cases where we're basically using the arguments individually but want to use them as an array as well for some reason.
  Change-Id: I066ec95a7beb7c0665146195a08e7cce1222c788
* Fix order of @var parameter in PHP [Fomafix, 2019-04-08, 1 file, -1/+1]
  Replace @var $foo type by @var type $foo
  Change-Id: Iec8b90ffea4028a1005daef422b7c4ec38c2715f
* INSTALL: Don't warn against using PHP "as a CGI plugin" [Kevin Israel, 2018-07-26, 1 file, -1/+2]
  This note is very old; it was added in r2832 (635388356be70130) and r3285 (7ab7a50cf928861f). Modern versions of MediaWiki support CGI and FastCGI installations nearly as well as mod_php installations. In fact, Wikimedia currently uses HHVM's "fastcgi" server type, and intends to use php-fpm with PHP 7 (see migration plan in T176370).
  For a basic MediaWiki installation using the web installer, the only difference I know of is the default URLs: /w/index.php?title=$1 for CGI, as opposed to /w/index.php/$1 for mod_php. This issue is easy to fix by changing $wgArticlePath, if the web server sets REQUEST_URI. Admins who want to use short URLs (e.g. /wiki/$1) have to do this anyway.
  Also, in img_auth.php and the "img-auth-nopathinfo" message, don't imply that CGI and FastCGI server configurations generally can't provide path information or support MediaWiki features that need it.
  Change-Id: I89212e9d51f950a58f911083b9e109b69cd4e060
* /*.php: Replace implicit Bugzilla bug numbers with Phab ones [James D. Forrester, 2017-02-21, 1 file, -1/+1]
  It's unreasonable to expect newbies to know that "bug 12345" means "Task T14345" except where it doesn't, so let's just standardise on the real numbers.
  Change-Id: If82c31fc877249d6fa3727b79c3bb8369ad9382b
* Added Range support to FileBackend::streamFile() [Aaron Schulz, 2016-06-04, 1 file, -1/+9]
  * Added HTTP options headers parameter to streamFile().
  * Refactored doStreamFile() to either call StreamFile::stream() or delegate that to the subclass. SwiftFileBackend now relays the full Swift response rather than manually making the headers. This also makes Range headers easy to support.
  * Made use of this in img_auth.php for performance on private wikis.
  * Eliminate stat call in streamFile() for Swift if "headers" is empty.
  * Refactored StreamFile a bit to inject request headers instead of using the $_SERVER global. A header options parameter is used instead, which also supports Range.
  * Removed now unused prepareForStream().
  * Cleaned up streamFile() unit tests.
  Change-Id: I2ccbcbca6caabb8cf65bd6b3084cede2e6ea628a
* Convert all array() syntax to [] [Kunal Mehta, 2016-02-17, 1 file, -8/+8]
  Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html
  Notes:
  * Disabled CallTimePassByReference due to false positives (T127163)
  Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
* Use HttpStatus::header instead of manually crafting header() [Timo Tijhof, 2015-06-04, 1 file, -1/+1]
  Also:
  * Update wfHttpError() to use uppercase DOCTYPE, to match other code such as Html.php, wfThumbError(), HttpError.php, etc.
  Change-Id: I4027e7fe1a138b03f78797b6d1bfe7bd1064d360
* Refactored entry points to have uniform shutdown handling [Aaron Schulz, 2015-05-29, 1 file, -5/+3]
  * Added doPreOutputCommit() and doPostOutputShutdown(), with most entry points just using the latter
  * Also fixed problem where text profiling did not show up
  * Avoid calling triggerJobs() in the file streaming entry points
  Bug: T100127
  Bug: T100085
  Change-Id: Ibc7e768fd483389a01847f08cdeba4058c853d3f
* wfRunHooks() -> Hooks::run() in remaining entry point files [Chad Horohoe, 2015-04-27, 1 file, -1/+1]
  Change-Id: I074deaa7dabc9512812a0ec76a8cc2ea4535a484
* Generate valid HTML code on error pages [Fomafix, 2015-02-09, 1 file, -0/+5]
  For img_auth.php see http://validator.w3.org/check?uri=https%3A%2F%2Fwww.mediawiki.org%2Fw%2Fimg_auth.php;No200=1
  For profileinfo.php consistently use "/>" for self-closing elements.
  Change-Id: I7e6aad0e7a2a745836adc430e3b2f3be5f31b6bb
* Removed remaining profile calls [Aaron Schulz, 2015-01-08, 1 file, -2/+0]
  Change-Id: I31c81c78715048004fc8fca0f27d09c1fa71c118
* img_auth: fix mismatched profiling [Chad Horohoe, 2014-09-05, 1 file, -0/+1]
  Change-Id: Iab2ed48ef00e55dcf5313b9c2a94ffdca2fdb790
* Fixed spacing [umherirrender, 2014-07-20, 1 file, -1/+1]
  - use tab as indent instead of spaces
  - Added space after closures "function"
  - Added spaces around string_concat
  - Added newline inside empty blocks
  - Removed four spaces after comma
  Change-Id: I4425b0c6a69b36f40acfea6511b8950cf09ce2b2
* img_auth: handle files in the transcoded zone [Faidon Liambotis, 2014-05-08, 1 file, -4/+5]
  img_auth.php does not currently handle filepaths for transcoded videos at all, and instead falls back attempting to open files out of the public zone, which obviously fails as these files do not exist there.
  Add a branch that handles transcoded containers in the same manner as thumbs and thus allowing access to those files from private wiki.
  Bug: 65007
  Change-Id: I7182206ba09dd2466fc51aa1d51116dd13db980c
* Merge "Avoid bogus IE extension check errors in img_auth.php" [jenkins-bot, 2014-04-22, 1 file, -1/+1]
  * Avoid bogus IE extension check errors in img_auth.php [Aaron Schulz, 2014-04-21, 1 file, -1/+1]
    Change-Id: I57083d3fe0517b94d3b786970b412e6ec51cf5f0
* Merge "Removed $wgImgAuthPublicTest" [jenkins-bot, 2014-04-22, 1 file, -10/+1]
  * Removed $wgImgAuthPublicTest [Aaron Schulz, 2014-04-21, 1 file, -10/+1]
    * For public wikis, using img_auth.php cannot hurt, and thumb.php is already available anyway. Treat it as always "false".
    Change-Id: I1240e00386a76593c37c9ac7b4c1f547c655452d
* Avoid uncommitted transaction notices in thumb.php and img_auth.php [Aaron Schulz, 2014-04-22, 1 file, -0/+4]
  bug: 56269
  Change-Id: I8cf5c070899d281c7efbac853f04c2fea9374e4d
* thumb.php and img_auth.php cleanups [Aaron Schulz, 2014-04-20, 1 file, -30/+49]
  * Specifically check isDeleted() instead of relying on the file being moved to the deleted zone alone.
  * Made img_auth.php skip some unnecessary checks for public wikis. Also made it set the private cache control headers only if needed.
  Change-Id: If82589acd53c02943d5f3bbafd29381fd63f8f68
* Fixed some @params documentation [umherirrender, 2014-04-14, 1 file, -2/+2]
  Swapped some "$var type" to "type $var" or added missing types before the $var. Changed some other types to match the more common spelling. Makes beginning of some text in capital.
  Change-Id: I8c9f30128b46086064326708a4878228ba459447
* Have ?download parameter trigger Content-Disposition: attachment [Gilles Dubuc, 2014-03-25, 1 file, -0/+4]
  This parameter triggers Content-Disposition: Attachment which makes the browser download the image instead of displaying it. This is needed by Media Viewer to allow users to click a button in order to download an image at a given resolution or the original.
  Change-Id: I470a24a09139ac65588312104995e34d97a89b0f
* Use Tab instead of Space as per PHP codesniffer [Kartik Mistry, 2014-03-15, 1 file, -5/+5]
  Change-Id: Iea84018c3dee45d5f062b41b1337af40e3de2fcf