Revisions of mediawiki
Carsten Ziepke (Kieltux) accepted request 1150029 from Carsten Ziepke (Kieltux) (revision 94)
- Use %autosetup macro. Allows eliminating the usage of deprecated %patchN and prepares for RPM 4.20.
Carsten Ziepke (Kieltux) accepted request 1138568 from Carsten Ziepke (Kieltux) (revision 93)
- Update to Mediawiki 1.39.6 Security and maintenance release
  * Localisation updates.
  * Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
  * Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
  * (T344912) mail: Encode period (ascii 46) if it appears in encoded email header.
  * Added symfony/polyfill-php82.
  * Added symfony/polyfill-php83.
  * Updated symfony/yaml from 5.4.10 to 5.4.23.
  * (T329609) ApiQueryLanguageinfoTest: Do not pass a float to setFakeTime.
  * Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
  * tests: Provide coverage for StatusValue::__toString.
  * StatusValue: Improve logging/debug output with multibyte characters.
  * (T347726, CVE-2023-51704) SECURITY: logging: Fix non-escaped messages used in rights log.
  * Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
  * (T229992) LocalisationCache: Preserve fallback source language info.
  * (T275085) Fix logging Status objects to 'authevents' channel.
  * (T341310) DEVELOPERS.md: mention git clone and WSL.
  * (T351758) DEVELOPERS.md: reword WSL instructions to include best practices.
  * (T349115) LocalisationCache: Fix a rare case in fallback source language.
  * SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated".
  * maintenance: Add missing parenthesis to SQL in attachLatest.php.
  * (T353472) maintenance: Fix join condition in DeduplicateArchiveRevId.
Johannes Weberhofer (weberho) accepted request 1116512 from Carsten Ziepke (Kieltux) (revision 92)
- Update to Mediawiki 1.39.5 Security and maintenance release
  * Localisation updates.
  * (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
  * docs: Fix a few typos in MainConfigSchema.
  * (T309714) mime: Add support for 'font/sfnt' mime type.
  * (T341434) WikiImporter: Improve error message output.
  * (T317255) VueComponentParser: Use Zest's getElementsByTagName() rather than PHP's.
  * (T341737) ApiBase: Cast $id to string in filterIDs.
  * (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
  * (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
  * (T237898) installer: Check MariaDB version in updater/installer.
  * (T342632) ApiComparePages: Add help url.
  * (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
  * (T342351) rdbms: Fix postgres db function call.
  * (T343675) user: Use {@} to escape annotation when writing about annotation.
  * (T343797) LanguageWa: Fix double timezone adjustment.
  * (T326454) Update pear/mail to 1.5.1.
  * (T343622) docs: Set the <comment> tag back to optional.
  * (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
  * (T337463) wdio-mediawiki: await saveScreenshot.
  * (T274041) Include core PSR-4 classes in the generated classmap.
  * (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
  * doc: Improve description of "type" in extension.schema.v2.json.
  * Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
  * HTMLForm: Fix E_NOTICE when hide-if is used with setFormIdentifier.
  * (T288624) MultiHttpClient: Unset $this->cmh after closing it.
  * (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
  * (T265734) API Help: Note that parameters may be inherited from other context.
  * API: Make continue parameter help description more specific.
  * (T285545) i18n: Split apihelp for standard dir parameter.
  * (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
  * (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
  * (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
  * (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
  * (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
  * (T285545) api: Add message for list=watchlist&wlprop=expiry.
  * (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
  * (T342633) api: Add message for action=compare&prop=timestamp.
  * API: revids=… does not necessarily return the queried revisions.
  * (T326696) user: Truncate option value in UserOptionsManager.
  * (T326696) ApiOptions: Give warning if the value is too long.
  * API i18n: Add {{PLURAL:}} for byte count messages.
  * (T235207) Get correct main page in API call examples.
  * doc: Make extension.schema.v2.json a valid JSON schema.
  * updateSpecialPages.php: Avoid implicit float conversion on modulo.
  * (T347227) ImportReporter: Make callback functions public.
  * (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
  * doc: Improve description of type in extension.schema.v1.json.
  * (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
  * (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
  * (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
  * (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
  * (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).
Lars Vogdt (lrupp) accepted request 1096981 from Carsten Ziepke (Kieltux) (revision 91)
- Update to Mediawiki 1.39.4 Security and maintenance release
  * Localisation updates.
  * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
  * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5).
  * (T333776) Template:ACTIVEUSERS wasn't being updated without updateSpecialPages.php.
  * (T258860) Prevent LogicCache exception from message cache during IO errors from memcache.
  * (T336868) Improve idempotency of postgres index upgrades.
  * (T322944) Add Authorization to default $wgAllowedCorsHeaders.
  * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
  * A fake MessageLocalizer for use in unit tests.
  * (T338114) Title: Add forward alias.
  * composer: Add symfony/polyfill-php81 like symfony/polyfill-php80.
  * (T330464) Work around argument corruption bug in XMLReader::open.
  * Fix frame and frameless rdfa depending on file existing.
  * Fixes for the phan upgrade, part 1.
  * Fixes for the phan upgrade, part 2.
  * (T298571) build: Update mediawiki/mediawiki-phan-config to 0.12.0.
  * build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
  * (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
  * (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
  * A manualthumb that doesn't exist should be considered a thumb error.
  * (T313157) IndexPager: Also protect against $offset being 0.
  * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
Johannes Weberhofer (weberho) accepted request 1076713 from Carsten Ziepke (Kieltux) (revision 90)
- Update to Mediawiki 1.39.3 Security and maintenance release
  * Localisation updates.
  * (T225218) LinksUpdate: Use DB key for category links table.
  * GlobalFunctions: Remove check for MEDIAWIKI constant.
  * (T329484) API: Fix query+allimages user parameter description.
  * (T330529) SpecialEditTags: Set default of '' for wpReason.
  * (T330382) postgres: Make the upgrade ignore dropping indexes that might not exist.
  * (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects.
  * (T291753) rdbms: escape backslashes in makeConnectionString for PostgreSQL.
  * (T325529) Fix total breakage of wgCanonicalServer fallback.
  * (T318103) mediawiki.storage: Disable async GC during integration test.
  * (T332461, T332397) TempFSFile: Keep the WeakMap alive.
  * (T332902) page: fix InvalidArgumentException in SQLPlatform::makeList.
  * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers.
- Fix some rpmlint warnings
Johannes Weberhofer (weberho) accepted request 1072946 from Carsten Ziepke (Kieltux) (revision 89)
- Update to Mediawiki 1.39.2 Maintenance release
  * Localisation updates.
  * (T325872) ChangeTags: Remove table name from condition.
  * (T324895) MWCallbackStream: Add explicit $stream property.
  * (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField.
  * (T321319) Produce HTML for invalid JSON.
  * (T215466, T326071) MigrateActors: Write to revision table (Follow-up 24115a8).
  * (T223027) ReservedUsernames config: Add reserved names from maintenance scripts.
  * (T325000, T324896, T307631) Updated OOUI from v0.44.3 to v0.44.5.
  * Remove /images .htaccess rules that are no longer relevant.
  * Disable php in .htaccess of images directory as a hardening measure.
  * (T322583) Include missing message parameter in message.
  * LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
  * DatabaseSqlite: fix null blobs.
  * rdbms: avoid pg_escape_bytea() call-style deprecation notices.
  * (T322278) Improve LocalisationCache post-merge validation check.
  * (T324408, T326367) Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
  * (T322278) Fix the remaining Phan failures on PHP 8.1.
  * (T322278, T326367) Respond to some messages from Phan on PHP 8.1.
  * Fix phan error when Excimer is enabled.
  * (T326021) Add matrix: to $wgUrlProtocols.
  * (T314099) stream wrapper: Declare $context class property.
  * (T314099) libs\jsminplus: Declare JSNode::$expression.
  * (T314096) composer.json: Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
  * (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
  * (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
  * (T215466, T326071) installer: Split drop action out of the SQL patch for actor migration.
  * (T322603) SqliteMaintenance.php: Fix fatally broken instanceof check.
  * (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
  * api/en.json: api-help-datatype-expiry add missing 'may'.
  * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
  * (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase.
  * (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
  * (T155582, T328503) Fix XML dumps for content types with non-string getNativeData().
  * (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being released.
  * (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
  * (T327821) skin: Restore default 'value' attribute in makeSearchButton().
  * (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
  * (T329415) Clear the statsd data buffer regardless of StatsdServer config.
  * (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
  * (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if no path.
  * (T324894) TempFSFile: Use a WeakMap for reference tracking if available.
  * (T295637) Add no to fallback chain of nb and nn.
Johannes Weberhofer (weberho) accepted request 1045157 from Carsten Ziepke (Kieltux) (revision 88)
- Update to Mediawiki 1.39.1 Security and maintenance release
  * Localisation updates.
  * PostgresUpdater: Remove trailing space from 'user_id ' column.
  * (T304515) LCStoreStaticArray: atomically replace the cache file.
  * (T324516) postgres: Fix upgrade for templatelinks primary key.
  * (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
  * (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
  * (T314099) OutputPage: Remove unused dynamic property ParserOptions->isBogus.
  * (T314099) api: Remove use of undeclared property in action=comparepages.
  * Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
  * (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
  * Updated pear/mail (v1.4.1 => v1.5.0).
  * Removed wikimedia/dodo (v0.4.0).
  * (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot=<role-name> query parameters.
  * (T322637) SECURITY: sqlite should not create DB file world-readable.
Johannes Weberhofer (weberho) accepted request 1040399 from Carsten Ziepke (Kieltux) (revision 87)
- Update to Mediawiki 1.39.0
  * MediaWiki 1.39 is an LTS and is due to be supported until the end of November 2025.
  * Please visit and read before update: https://www.mediawiki.org/wiki/Release_notes/1.39
- Update Requires to php > 7.4.3 and < 8.2.0
- Rebase and rename mediawiki-use-localsettings-from-webroot.patch
Johannes Weberhofer (weberho) accepted request 1007289 from Carsten Ziepke (Kieltux) (revision 86)
- Update to Mediawiki 1.37.6 Maintenance release
  * Fix missing use statement from backport of fix for T307278.
- Changes in Mediawiki 1.37.5 Security and maintenance release
  * Localisation updates.
  * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null.
  * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid.
  * (T312302) SpecialRedirect: Don't pass null to explode.
  * RemoveInvalidEmails: Fix quoting for postgres.
  * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen().
  * (T312300) SpecialDiff: Don't pass null to explode().
  * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg.
  * (T289926) Handle null passed to wfShorthandToInteger() and Html::element().
  * (T289926) Ensure that strlen() does not get passed a (valid) null.
  * (T312301) SpecialDiff: Don't pass null to trim().
  * Hooks: Use more meaningful name for SkinAfterPortlet hook parameter.
  * (T289926) Ensure we don't pass null to mb_strlen.
  * (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim() calls.
  * (T289926) site: Consistently return null from Site::getDomain().
  * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept().
  * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1.
  * Add application/vnd.ms-opentype to MIME list.
  * Allow composer/installers plugin in composer.json.
  * Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1.
  * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
  * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1.
  * (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource.
  * Fix tests so getName() doesn't return null.
  * (T313663) [php8] Don't use strlen on potentially null string.
  * (T313663) [php8.1] Suppress test warning about providing null.
  * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp.
  * (T313663) Add explicit null check for $sha in FileBackend [php8.1].
  * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1].
  * (T313663) Mock UserOptionsManager::getOption for php8.1.
  * (T289879, T289926) Get rid of warnings on PHP 8.1.
  * (T313663) Check for null return of preg_replace in MediaWikiTitleCodec.
  * (T313663) cast db name to string when checking if it is read only [php8.1].
  * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat].
  * Fix a couple deprecation warnings in the installer under PHP 8.1.
  * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1].
  * (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1].
  * (T314096) Migrate use of ${var}-style string interpolation.
  * (T314099) preprocessor: Add missing field declarations.
  * (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null.
  * (T314225) SpecialCategories: Null coalescence $par.
  * (T314099) User: Allow dynamic properties on PHP 8.2.
  * (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
  * (T314099) phpunit: Fix trivial dynamic property usages in tests.
  * (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
  * (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1.
  * (T313663) Do not test giving a null fragment to Title::makeTitle.
  * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
  * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
  * api: Add rel=nofollow to help examples.
  * (T307613) Validate length of user email on Special:ChangeEmail/Special:CreateAccount.
  * (T314226) LoginSignupSpecialPage: Check if $value is a string before length.
  * (T314824) tests: Update parser test after i18n change.
  * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
  * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions.
  * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
  * (T315892) composer.json: Pin phpunit to 8.5.28.
  * (T313049) Bump wikimedia/parsoid to v0.14.2.
  * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change.
  * (T318079) SpecialEditTags: Set default value of wpTagsToRemove to empty array.
  * (T318460) SpecialChangeEmail: Set default for returntoquery.
  * (T318307) Update docs for HTMLFormField::validate() to permit all data types.
  * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
  * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.
  * (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.
Johannes Weberhofer (weberho) accepted request 988048 from Carsten Ziepke (Kieltux) (revision 85)
- Update to Mediawiki 1.37.4 Maintenance release
  * Localisation updates.
  * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
  * (T311559) SpecialListFiles: user parameter isn't always present.
  * (T311561) ImageListPager: Don't call htmlspecialchars() on null.
  * (T311920) SpecialBlockList: Prevent passing null to trim().
  * (T311921) SpecialUserrights: Don't pass null to str_replace.
  * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize().
  * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.
  * (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
  * (T296435, T297669) cache: Add four fields to LinkCache::getSelectFields.
- Changes since Mediawiki 1.37.3 Security and maintenance release
  * Localisation updates.
  * (T289879) Type hints for ArrayAccess and JsonSerializable.
  * (T304783) TemplateParser: avoid warnings when called by NoLocalSettings.
  * Rebuilt vendor with composer 2.3.3.
  * Fix old_name in UserLogoutComplete hook.
  * (T289879) Address some deprecations for PHP 8.1.
  * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update.
  * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered.
  * (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
  * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
  * (T308473) SECURITY: Escape contributions-title msg for use within page title.
  * (T311272) Call parent constructor of AddSite maintenance script first.
  * MediaWiki: Don't eagerly initialize action name.
  * Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
  * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5.
  * (T289926) Avoid passing null to trim() in SkinTemplate.
  * (T311473) rollbackEdits: Pass user identity to RollbackPage.
  * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
  * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
  * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode().
  * (T311569) FileBackend::isStoragePath() Handle being passed null.
  * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param.
  * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
  * (T281741) ChangeTags: Fix adding CSS classes for hidden tags.
  * (T296642) changetags: Fix management of a '0' tag.
  * (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
  * (T303033) Handle null in ChangeTags::modifyDisplayQuery.
  * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.
Johannes Weberhofer (weberho) accepted request 968120 from Carsten Ziepke (Kieltux) (revision 84)
- Update to Mediawiki 1.37.2 Security and maintenance release
  * (T298261) Fix support for Composer 2.2.
  * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins.
  * Update doctrine/dbal (3.0.0 => 3.1.5).
  * (T296898) Add entry point name to disabled Session exception if possible.
  * (T298564) MemcachedClient: Add support for IPv6.
  * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete.
  * (T289956) WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode.
  * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader().
  * (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest.
  * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
  * (T275673) objectcache: Avoid getCurrentTime() call in MapCacheLRU::has().
  * (T275673) objectcache: split up MapCacheLRU::getAge() to avoid conditional overhead.
  * Fix the json schema and the extension processor for Parsoid extension modules.
  * (T299696) update.php: Avoid passing null to substr.
  * (T195807, T256401) Fix signature of DatabasePostgres::buildGroupConcatField.
  * In PHP 8.1 don't throw exceptions from mysqli.
  * (T289926) SiteConfiguration: Don't pass null to str_replace().
  * (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
  * (T260735) Stop using is_resource() where possible.
  * (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces.
  * (T299312) Implement __serialize/__unserialize for PHP 8.1 support.
  * ExtensionRegistry: Add process cache for lazy attributes.
  * (T301041) ApiPageSet: Add "missing": true to missing revisions.
  * Allow ParsoidModules extension schema to register services.
  * (T300462) SpecialUndelete: Do not show empty comments as deleted.
  * (T297708) Allow setting max execution time to several special pages.
  * (T205349) LinkCache: Try invalidating cache before throwing.
  * (T302540) composer.json: Add ext-calendar to require.
  * (T302540) composer.json: Add ext-simplexml to require-dev.
  * (T302540) composer.json: Add various PHP extensions to suggests.
  * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
  * (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning.
  * (T293576) listFiles: Display file name instead of version.
  * (T303871) Fix @since of Title::getId().
  * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
  * wrapOldPasswords: add \n to two output calls.
  * (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
  * (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.
  * (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on an extremely large number of other pages.
Lars Vogdt (lrupp) accepted request 941500 from Carsten Ziepke (Kieltux) (revision 83)
- Update to Mediawiki 1.37.1 Security and maintenance release
  * (T296112) Allow inserting new sections named '0'.
  * Fix path for ZhConversion.php.
  * nukeNS: don't run purgeRedundantText() after every change.
  * (T286779, T297031) installer: Fix Postgres mistakes in using changeField method.
  * (T225888) RollbackAction: fix missing pagetitle.
  * (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions.
  * (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
  * (T34716, T297416) SECURITY: Require 'read' right for most actions.
  * (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model.
Johannes Weberhofer (weberho) accepted request 933780 from Johannes Weberhofer (weberho) (revision 82)
- Update to Mediawiki 1.37.0
  Read the full release notes at https://www.mediawiki.org/wiki/Release_notes/1.37
Johannes Weberhofer (weberho) accepted request 924557 from Carsten Ziepke (Kieltux) (revision 81)
- Update to Mediawiki 1.36.2 Security and maintenance release
  * Don't access MWServices prematurely in Maintenence.php.
  * (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
  * Installer: Fix foundation.wikimedia.org link in config-pingback-help.
  * (T283273) Make postgres IRC channel point to libera.chat.
  * composer.json: Promote and pin monolog/monolog to require from require-dev.
  * (T287526) JavaScriptMinifer: Recognize `...` as a single token.
  * (T287526) Update wikimedia/minify to 2.2.4.
  * (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas.
  * (T281549) Installer: Fix mediawiki-announce auto subscription code.
  * FormatJson: Optimize encode() for supported PHP versions.
  * (T290398) renameRestrictions.php: Update protected_titles as well.
  * (T290489) objectcache: Fix PHP warning for ReplicatedBagOStuff::setMulti.
  * $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
  * (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes.
  * (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
  * (T291244) Unserialize objects in ParserCache->mExtensionData as objects.
  * MysqlUpdater: Add updatelog entries for dropDefault.
  * (T290776) Fix $phase check in OutputHandler.
  * The wikimedia/parsoid library has been upgraded from v0.13.0 to v0.13.1.
  * (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
  * (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.
  * (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.
Johannes Weberhofer (weberho) accepted request 902277 from Johannes Weberhofer (weberho) (revision 80)
- Update to Mediawiki 1.36.1 Security release
  * (T283942) DatabaseInstaller.php: Only run core schema file if specified table doesn't already exist.
  * (T247223) Optimise MessageCache::isMainCacheable() for the single-message case.
  * (T283244) JavaScriptMinifer: Fix handling of "delete" as object property.
  * (T284391) Fix SkinModule to correctly prepend remote path on document root installs.
  * (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
  * (T278579) Don't send headers on ob_end_clean().
  * (T285287) MultiHttpClient: Replace PHP version check with defined().
  * (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.
Christian Wittmer (computersalat) accepted request 898844 from Johannes Weberhofer (weberho) (revision 79)
Update to version 1.36.0
Johannes Weberhofer (weberho) accepted request 887329 from Johannes Weberhofer (weberho) (revision 78)
Update to version 1.35.2: Fixes for several security issues
Johannes Weberhofer (weberho) accepted request 874117 from Johannes Weberhofer (weberho) (revision 77)
- Fixed invocation of upgrade script
- Hard-Code main version - scripts don't work nicely with osc
Johannes Weberhofer (weberho) accepted request 874113 from Carsten Ziepke (Kieltux) (revision 76)
- Update to version 1.35.1
  * (T263929) purgeList.php Fix all-namespaces option to match one used in code.
  * (T248719) ParserCache::get - fix wfDeprecated call.
  * (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab.
  * Preload mediawiki.watchstar.widgets before api request.
  * (T261030) ApiEditPage: Show existing watchlist expiry if status is not being changed.
  * (T264502) Fix PHP 8 compat with strcspn() $length parameter exceeding string.
  * (T248925) Remove final modifier on private function.
  * (T264683) Remove ipb_anon_only from ipb_address_unique index addition.
  * (T261415) Add days left messages to changes-lists' clock icons.
  * Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave.
  * (T261260) Preload class used in HeaderCallback.
  * (T260868, T260009) Normalize WatchedItem expiry field.
  * (T264683) Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields.
  * (T264534) ApiPageSet: Avoid infinite loop when merging redirects.
  * (T196906) Empty Monolog loggers are now real blackholes.
  * (T258649) WatchAction: avoid UPDATE when old and new watch period is indefinite.
  * Parser: Adjust typehint to show that getTitle can return null.
  * (T263592) media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData().
  * (T265223) BaseTemplate: Guard against passing zero arg to array_merge().
  * (T264965) Fix base path handling for MessagePosterModule registration.
  * (T252183) Fix Database::getTempTableWrites for multi table DDLs.
  * (T182546) Fix switch/case indentation per mediawiki coding conventions.
  * Flip Yoda conditionals.
  * (T263213) Move SkinTemplate::getFooterLinks() to Skin.
  * build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
  * (T267105) Make ImageBuilder::checkMissingImage public.
  * Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
  * (T266681) Support new style hook registration on install and update.
  * (T266980) Fix unsetting of copyright icon in FooterIcons.
  * upload.js: Don't assume that warnings array will include 'code' key.
  * upload.js: Fix typo in upload API.
  * (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded.
  * (T267558) importTextFiles.php: Replace deprecated WikiRevision:setText().
  * (T266418) composer.json: add requirement for composer-plugin-api ^1.1.
  * (T261431) Add ARIA attributes to watchlink and its notification.
  * (T258877) Change invalid 'Content-Encoding: none' header.
  * Fix trailing ; in patch-sites-site_language-35.sql.
  * (T248852) wfAssembleUrl: Handle empty query field in URL bits.
  * (T268846) Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0).
  * (T268887) migrateComments: Cast array keys back to string before passing to the DB.
  * (T266619) Introduce new $wgThumbPath config.
  * (T269178) MemcachedClient: Cast Resource to integer.
  * (T263925) Use the old HookContainer to set up the post-reset services.
  * Change "site cache" to just "cache" in the right-purge message.
  * [UploadedFileStreamTest] Skip test with chmod.
  * (T269710) Updating composer/semver (1.5.1 => 1.7.2).
  * (T269710) Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0).
  * (T260631, T260633) BotPassword::save() now returns a Status object for the result rather than a bool. The length of the bot password grants and restriction fields are now validated, and an error will be thrown if it would be truncated by the database.
  * (T265778) Fix English/*nix specific error messages in FSFileBackend.
  * (T267543) Split dropping of image.img_user_timestamp.
  * [FileTest] Do not assume /tmp exists on windows.
  * Clean up temp files correctly after unit tests.
  * Skip undo related phpunit tests when diff3 is missing.
  * (T269964) rdbms: Remove outer parentheses in insert query for Postgres.
  * (T263911) In MWExceptionHandler::report(), catch all throwables.
  * (T268894, CVE-2020-35474) SECURITY: Use Html::element in ChangeListSpecialPage for sanity.
  * (T268917) Use Xml::element in SpecialUserrights for sanity.
  * (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity.
  * (T268938) Fixed mixed escaping in Language::translateBlockExpiry.
  * (T263911) UserOptionsManager: don't differentiate anons caches.
  * (T261260) HeaderCallback: pre-cache request ID.
  * Parsoid updated to v0.12.1.
  * (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
  * (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users.
  * (T270145) Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP.
- Add requires cron, fix missing-dependency-to-cron for cron script /etc/cron.d/mediawiki
Johannes Weberhofer (weberho) accepted request 856050 from Johannes Weberhofer (weberho) (revision 75)
- New cronjob must run as root
Displaying revisions 1 - 20 of 94