author | Luke Shumaker <LukeShu@sbcglobal.net> | 2014-06-01 19:12:52 -0400 |
---|---|---|
committer | Luke Shumaker <LukeShu@sbcglobal.net> | 2014-06-01 19:12:52 -0400 |
commit | c2bfd4b6e3ef8436c5963ace9435b4c0555f047f (patch) | |
tree | 2d0c8f68f18d5f87b3f5bf9980bfcfc3833c4c5e | |
parent | 3d86add3dfa5e0b3ead9859593d4a52cf7555a34 (diff) | |
parent | 3d92394be2570f9f49c7904cacc2bc8d790e72f2 (diff) |
Merge branch 'archwiki'
-rw-r--r-- | RELEASE-NOTES-1.22 | 19 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 | ||||
-rw-r--r-- | includes/HttpFunctions.php | 58 | ||||
-rw-r--r-- | includes/SkinTemplate.php | 5 | ||||
-rw-r--r-- | includes/UserMailer.php | 1 | ||||
-rw-r--r-- | includes/installer/PostgresUpdater.php | 1 | ||||
-rw-r--r-- | includes/specials/SpecialPasswordReset.php | 5 | ||||
-rw-r--r-- | includes/upload/UploadStash.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesEn.php | 2 | ||||
-rw-r--r-- | languages/messages/MessagesQqq.php | 1 | ||||
-rw-r--r-- | maintenance/postgres/tables.sql | 1 |
11 files changed, 59 insertions, 38 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 5685fef9..56a7e3d3 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,25 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.7 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.6 === + +* (bug 65501) SECURITY: Don't parse usernames as wikitext on + Special:PasswordReset. +* (bug 36356) Add space between two feed links. +* (bug 63269) Email notifications were not correctly handling the + [[MediaWiki:Helppage]] message being set to a full URL. This is a regression + from the 1.22.5 point release, which made the default value for it a URL. + If you customized [[MediaWiki:Enotif body]] (the text of email notifications), + you'll need to edit it locally to include the URL via the new variable + $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise + you don't have to do anything. +* Add missing uploadstash.us_props for PostgreSQL. +* (bug 56047) Fixed stream wrapper in PhpHttpRequest. + == MediaWiki 1.22.6 == This is a security release of the MediaWiki 1.22 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 32ad2db3..850c2cfb 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration; * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.22.6'; +$wgVersion = '1.22.7'; /** * Name of the site. It must be changed in LocalSettings.php diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index fa2fc12b..b405ede2 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -853,6 +853,7 @@ class PhpHttpRequest extends MWHttpRequest { } $this->reqHeaders['Accept'] = "*/*"; + $this->reqHeaders['Connection'] = 'Close'; if ( $this->method == 'POST' ) { // Required for HTTP 1.0 POSTs $this->reqHeaders['Content-Length'] = strlen( $this->postData ); 
@@ -861,52 +862,47 @@ class PhpHttpRequest extends MWHttpRequest { } } - $options = array(); - if ( $this->proxy ) { - $options['proxy'] = $this->urlToTCP( $this->proxy ); - $options['request_fulluri'] = true; - } + // Set up PHP stream context + $options = array( + 'http' => array( + 'method' => $this->method, + 'header' => implode( "\r\n", $this->getHeaderList() ), + 'protocol_version' => '1.1', + 'max_redirects' => $this->followRedirects ? $this->maxRedirects : 0, + 'ignore_errors' => true, + 'timeout' => $this->timeout, + // Curl options in case curlwrappers are installed + 'curl_verify_ssl_host' => $this->sslVerifyHost ? 2 : 0, + 'curl_verify_ssl_peer' => $this->sslVerifyCert, + ), + 'ssl' => array( + 'verify_peer' => $this->sslVerifyCert, + 'SNI_enabled' => true, + ), + ); - if ( !$this->followRedirects ) { - $options['max_redirects'] = 0; - } else { - $options['max_redirects'] = $this->maxRedirects; + if ( $this->proxy ) { + $options['http']['proxy'] = $this->urlToTCP( $this->proxy ); + $options['http']['request_fulluri'] = true; } - $options['method'] = $this->method; - $options['header'] = implode( "\r\n", $this->getHeaderList() ); - // Note that at some future point we may want to support - // HTTP/1.1, but we'd have to write support for chunking - // in version of PHP < 5.3.1 - $options['protocol_version'] = "1.0"; - - // This is how we tell PHP we want to deal with 404s (for example) ourselves. 
- // Only works on 5.2.10+ - $options['ignore_errors'] = true; - if ( $this->postData ) { - $options['content'] = $this->postData; + $options['http']['content'] = $this->postData; } - $options['timeout'] = $this->timeout; - if ( $this->sslVerifyHost ) { - $options['CN_match'] = $this->parsedUrl['host']; - } - if ( $this->sslVerifyCert ) { - $options['verify_peer'] = true; + $options['ssl']['CN_match'] = $this->parsedUrl['host']; } if ( is_dir( $this->caInfo ) ) { - $options['capath'] = $this->caInfo; + $options['ssl']['capath'] = $this->caInfo; } elseif ( is_file( $this->caInfo ) ) { - $options['cafile'] = $this->caInfo; + $options['ssl']['cafile'] = $this->caInfo; } elseif ( $this->caInfo ) { throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); } - $scheme = $this->parsedUrl['scheme']; - $context = stream_context_create( array( "$scheme" => $options ) ); + $context = stream_context_create( $options ); $this->headerList = array(); $reqCount = 0; diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php index 53f11998..581dbb34 100644 --- a/includes/SkinTemplate.php +++ b/includes/SkinTemplate.php @@ -1826,10 +1826,11 @@ abstract class BaseTemplate extends QuickTemplate { */ function makeListItem( $key, $item, $options = array() ) { if ( isset( $item['links'] ) ) { - $html = ''; + $links = array(); foreach ( $item['links'] as $linkKey => $link ) { - $html .= $this->makeLink( $linkKey, $link, $options ); + $links[] = $this->makeLink( $linkKey, $link, $options ); } + $html = implode( ' ', $links ); } else { $link = $item; // These keys are used by makeListItem and shouldn't be passed on to the link diff --git a/includes/UserMailer.php b/includes/UserMailer.php index 8ab10b2d..163f8361 100644 --- a/includes/UserMailer.php +++ b/includes/UserMailer.php 
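Review bot: In includes/HttpFunctions.php, host-name verification in the new `ssl` array rests on `CN_match` alone, set only when `$this->sslVerifyHost` is true, while `verify_peer` follows the separate `$this->sslVerifyCert` flag. As far as I know PHP's stream wrapper skips the CN check entirely when `verify_peer` is off, so a caller that sets sslVerifyHost without sslVerifyCert would get no host check at all. Newer PHP releases read `peer_name`/`verify_peer_name` rather than `CN_match`, so I would add `$options['ssl']['peer_name'] = $this->parsedUrl['host'];` next to the existing assignment and a comment saying the two flags are not independent. The hunk also drops the comments that explained `ignore_errors` and the HTTP/1.0 choice without replacing them; a one-line note that `'protocol_version' => '1.1'` relies on the `Connection: Close` header added in the previous hunk would help. The enclosing method starts and ends outside the hunk.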
@@ -747,6 +747,7 @@ class EmailNotification { } $keys['$PAGEEDITOR_WIKI'] = $this->editor->getUserPage()->getCanonicalURL(); + $keys['$HELPPAGE'] = wfExpandUrl( Skin::makeInternalOrExternalUrl( wfMessage( 'helppage' )->inContentLanguage()->text() ) ); # Replace this after transforming the message, bug 35019 $postTransformKeys['$PAGESUMMARY'] = $this->summary == '' ? ' - ' : $this->summary; diff --git a/includes/installer/PostgresUpdater.php b/includes/installer/PostgresUpdater.php index 599b523b..304c5466 100644 --- a/includes/installer/PostgresUpdater.php +++ b/includes/installer/PostgresUpdater.php @@ -169,6 +169,7 @@ class PostgresUpdater extends DatabaseUpdater { "INTEGER NOT NULL PRIMARY KEY DEFAULT nextval('archive_ar_id_seq')" ), array( 'addPgField', 'externallinks', 'el_id', "INTEGER NOT NULL PRIMARY KEY DEFAULT nextval('externallinks_el_id_seq')" ), + array( 'addPgField', 'uploadstash', 'us_props', "BYTEA" ), # type changes array( 'changeField', 'archive', 'ar_deleted', 'smallint', '' ), diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php index c486ba01..d9faacca 100644 --- a/includes/specials/SpecialPasswordReset.php +++ b/includes/specials/SpecialPasswordReset.php @@ -208,7 +208,8 @@ class SpecialPasswordReset extends FormSpecialPage { $firstUser = $users[0]; if ( !$firstUser instanceof User || !$firstUser->getID() ) { - return array( array( 'nosuchuser', $data['Username'] ) ); + // Don't parse username as wikitext (bug 65501) + return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) ); } // Check against the rate limiter 
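Review bot: In includes/UserMailer.php, `wfExpandUrl()` is called without a protocol argument, so `$HELPPAGE` is expanded against the current request's protocol, whereas the line above uses `getCanonicalURL()` and the message text this replaces used `canonicalurl`. Notification mail may be built outside a normal web request (not visible from this hunk), where a request-dependent URL is not what the recipient should receive. I would pass the canonical protocol explicitly: `wfExpandUrl( Skin::makeInternalOrExternalUrl( ... ), PROTO_CANONICAL )`. The enclosing method starts and ends outside the hunk.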
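Review bot: In includes/specials/SpecialPasswordReset.php the escaping is applied per call site, and only the `nosuchuser` return carries the explanatory comment; the `noemail` return in the following hunk (`wfEscapeWikiText( $firstUser->getName() )`) should get the same `// Don't parse username as wikitext (bug 65501)` line so the reason survives later edits. The rest of the method lies outside these hunks, so I cannot confirm that these two are the only error returns that pass user-controlled text as a message parameter; the others need checking for the same treatment. A regression test that submits a username containing wikitext markup and asserts it is shown literally would pin the fix.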
@@ -235,7 +236,7 @@ class SpecialPasswordReset extends FormSpecialPage { // All the users will have the same email address if ( $firstUser->getEmail() == '' ) { // This won't be reachable from the email route, so safe to expose the username - return array( array( 'noemail', $firstUser->getName() ) ); + return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) ); } // We need to have a valid IP address for the hook, but per bug 18347, we should diff --git a/includes/upload/UploadStash.php b/includes/upload/UploadStash.php index 7db6c64b..ea117378 100644 --- a/includes/upload/UploadStash.php +++ b/includes/upload/UploadStash.php @@ -260,7 +260,7 @@ class UploadStash { 'us_key' => $key, 'us_orig_path' => $path, 'us_path' => $stashPath, // virtual URL - 'us_props' => serialize( $fileProps ), + 'us_props' => $dbw->encodeBlob( serialize( $fileProps ) ), 'us_size' => $fileProps['size'], 'us_sha1' => $fileProps['sha1'], 'us_mime' => $fileProps['mime'], diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 4f82b86d..7b500f20 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php @@ -3031,7 +3031,7 @@ To delete the page from your watchlist, visit $UNWATCHURL Feedback and further assistance: -{{canonicalurl:{{MediaWiki:Helppage}}}}', +$HELPPAGE', 'created' => 'created', # only translate this message to other languages if you have to change it 'changed' => 'changed', # only translate this message to other languages if you have to change it diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php index f30453a6..e201ad47 100644 --- a/languages/messages/MessagesQqq.php +++ b/languages/messages/MessagesQqq.php 
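Review bot: In includes/upload/UploadStash.php, `us_props` is now written through `$dbw->encodeBlob()`, but the matching read is not part of this diff. Whatever loads the row needs `decodeBlob()` before `unserialize()`, otherwise a backend whose `encodeBlob()` returns something other than the raw string will not round-trip the properties. Please confirm the read path does that, and consider a short comment on this line such as `// BYTEA on PostgreSQL; pair with decodeBlob() on read`. The array literal and its enclosing method continue outside the hunk.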
@@ -5525,6 +5525,7 @@ Parameters: ***{{msg-mw|Enotif lastvisited}} *$PAGEEDITOR_EMAIL and $PAGEEDITOR_WIKI are links respectively to the email user special page and user page for the user who performed the action. *$PAGEEDITOR is the username of the user who performed the action. +*$HELPPAGE is the full URL to the help page, defined by {{msg-mw|helppage}}. The subject of the email is one of the following messages: *{{msg-mw|Enotif subject deleted}} diff --git a/maintenance/postgres/tables.sql b/maintenance/postgres/tables.sql index 0cc1b3d7..5ed7de99 100644 --- a/maintenance/postgres/tables.sql +++ b/maintenance/postgres/tables.sql @@ -376,6 +376,7 @@ CREATE TABLE uploadstash ( us_key TEXT, us_orig_path TEXT, us_path TEXT, + us_props BYTEA, us_source_type TEXT, us_timestamp TIMESTAMPTZ, us_status TEXT, |