author | Pierre Schmitz <pierre@archlinux.de> | 2012-09-02 15:19:34 +0200 |
---|---|---|
committer | Pierre Schmitz <pierre@archlinux.de> | 2012-09-02 15:19:34 +0200 |
commit | 9498a3d2852ace0f4ee23598f542dbce3fd2ec28 (patch) | |
tree | 5aeced25a9fc09f93682788259f5c7d6d248634d /includes | |
parent | 588cc40aeec0165400421ef9612e81b6d2c7b936 (diff) |
Update to MediaWiki 1.19.2
Diffstat (limited to 'includes')
-rw-r--r-- | includes/AuthPlugin.php | 9 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 14 | ||||
-rw-r--r-- | includes/Linker.php | 24 | ||||
-rw-r--r-- | includes/User.php | 5 | ||||
-rw-r--r-- | includes/api/ApiFormatBase.php | 6 | ||||
-rw-r--r-- | includes/db/Database.php | 4 | ||||
-rw-r--r-- | includes/installer/OracleUpdater.php | 24 | ||||
-rw-r--r-- | includes/specials/SpecialBlock.php | 8 | ||||
-rw-r--r-- | includes/specials/SpecialUserlogin.php | 6 |
9 files changed, 81 insertions, 19 deletions
diff --git a/includes/AuthPlugin.php b/includes/AuthPlugin.php index 2fdba797..e8bab859 100644 --- a/includes/AuthPlugin.php +++ b/includes/AuthPlugin.php @@ -157,6 +157,15 @@ class AuthPlugin { } /** + * Should MediaWiki store passwords in its local database? + * + * @return bool + */ + public function allowSetLocalPassword() { + return true; + } + + /** * Set the given password in the authentication database. * As a special case, the password may be set to null to request * locking the password to an unusable value, with the expectation diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 1034ea2e..acd89bde 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -33,7 +33,7 @@ $wgConf = new SiteConfiguration; /** @endcond */ /** MediaWiki version number */ -$wgVersion = '1.19.1'; +$wgVersion = '1.19.2'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; @@ -2420,6 +2420,18 @@ $wgBreakFrames = false; $wgEditPageFrameOptions = 'DENY'; /** + * Disallow framing of API pages directly, by setting the X-Frame-Options + * header. Since the API returns CSRF tokens, allowing the results to be + * framed can compromise your user's account security. + * Options are: + * - 'DENY': Do not allow framing. This is recommended for most wikis. + * - 'SAMEORIGIN': Allow framing by pages on the same domain. + * - false: Allow all framing. + */ + +$wgApiFrameOptions = 'DENY'; + +/** * Disable output compression (enabled by default if zlib is available) */ $wgDisableOutputCompression = false; diff --git a/includes/Linker.php b/includes/Linker.php index 3691d040..0b813ac0 100644 --- a/includes/Linker.php +++ b/includes/Linker.php 
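Review bot: The docblock added for `allowSetLocalPassword()` in AuthPlugin.php does not say what a `false` return causes, and the only consumer visible in this commit, `User::saveSettings()`, blanks the stored password in that case. I would extend it with something like `* Return false if local password hashes must not be kept; User::saveSettings() then stores an empty password.` Plugin authors overriding this method need that contract spelled out, since (presumably) an account whose plugin returns false has no local credential to fall back on if the external backend is unavailable.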
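Review bot: In the second DefaultSettings.php hunk the new docblock is separated from `$wgApiFrameOptions = 'DENY';` by a blank line, whereas the neighbouring `$wgDisableOutputCompression` has its docblock directly above the assignment; documentation tooling may not attach the comment to the variable. The text should also say what happens with a value outside the three listed ones, because the consumer in ApiFormatBase.php interpolates whatever truthy value it finds. A small wording fix while there: `your user's account security` should read `your users' account security`.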
@@ -768,31 +768,31 @@ class Linker { * Make a "broken" link to an image * * @param $title Title object - * @param $html String: link label in htmlescaped text form + * @param $label String: link label (plain text) * @param $query String: query string - * @param $trail String: link trail (HTML fragment) - * @param $prefix String: link prefix (HTML fragment) + * @param $unused1 Unused parameter kept for b/c + * @param $unused2 Unused parameter kept for b/c * @param $time Boolean: a file of a certain timestamp was requested * @return String */ - public static function makeBrokenImageLinkObj( $title, $html = '', $query = '', $trail = '', $prefix = '', $time = false ) { + public static function makeBrokenImageLinkObj( $title, $label = '', $query = '', $unused1 = '', $unused2 = '', $time = false ) { global $wgEnableUploads, $wgUploadMissingFileUrl, $wgUploadNavigationUrl; if ( ! $title instanceof Title ) { - return "<!-- ERROR -->{$prefix}{$html}{$trail}"; + return "<!-- ERROR -->" . htmlspecialchars( $label ); } wfProfileIn( __METHOD__ ); + if ( $label == '' ) { + $label = $title->getPrefixedText(); + } + $encLabel = htmlspecialchars( $label ); $currentExists = $time ? ( wfFindFile( $title ) != false ) : false; - list( $inside, $trail ) = self::splitTrail( $trail ); - if ( $html == '' ) - $html = htmlspecialchars( $title->getPrefixedText() ); - if ( ( $wgUploadMissingFileUrl || $wgUploadNavigationUrl || $wgEnableUploads ) && !$currentExists ) { $redir = RepoGroup::singleton()->getLocalRepo()->checkRedirect( $title ); if ( $redir ) { wfProfileOut( __METHOD__ ); - return self::linkKnown( $title, "$prefix$html$inside", array(), $query ) . $trail; + return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) ); } $href = self::getUploadUrl( $title, $query ); 
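Review bot: Callers that still pass pre-escaped HTML as the second argument of `makeBrokenImageLinkObj()`, or a non-empty fourth or fifth argument, silently get different output after this change: the label is now escaped inside the method, so existing entities would render doubled, and the old trail and prefix are dropped. Escaping at the sink is the safer contract, but the docblock should state it outright, e.g. `@param $label String: link label (plain text; escaped by this method, do not pre-escape)`. I would also add a parser or unit test with a label containing `<` and `"` that exercises every return path, including the two rewritten in the following hunk at old line 800, so a later refactor cannot reintroduce raw output. The function body ends outside this hunk.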
@@ -800,10 +800,10 @@ class Linker { wfProfileOut( __METHOD__ ); return '<a href="' . htmlspecialchars( $href ) . '" class="new" title="' . htmlspecialchars( $title->getPrefixedText(), ENT_QUOTES ) . '">' . - "$prefix$html$inside</a>$trail"; + $encLabel . '</a>'; } else { wfProfileOut( __METHOD__ ); - return self::linkKnown( $title, "$prefix$html$inside", array(), $query ) . $trail; + return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) ); } } diff --git a/includes/User.php b/includes/User.php index cfba748f..1529da1e 100644 --- a/includes/User.php +++ b/includes/User.php @@ -2812,11 +2812,16 @@ class User { * @todo Only rarely do all these fields need to be set! */ public function saveSettings() { + global $wgAuth; + $this->load(); if ( wfReadOnly() ) { return; } if ( 0 == $this->mId ) { return; } $this->mTouched = self::newTouchedTimestamp(); + if ( !$wgAuth->allowSetLocalPassword() ) { + $this->mPassword = ''; + } $dbw = wfGetDB( DB_MASTER ); $dbw->update( 'user', diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php index 543c90ce..1eee717a 100644 --- a/includes/api/ApiFormatBase.php +++ b/includes/api/ApiFormatBase.php @@ -143,6 +143,12 @@ abstract class ApiFormatBase extends ApiBase { $this->getMain()->getRequest()->response()->header( "Content-Type: $mime; charset=utf-8" ); + //Set X-Frame-Options API results (bug 39180) + global $wgApiFrameOptions; + if ( $wgApiFrameOptions ) { + $this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" ); + } + if ( $isHtml ) { ?> <!DOCTYPE HTML> diff --git a/includes/db/Database.php b/includes/db/Database.php index 9d517e4a..f3e84675 100644 --- a/includes/db/Database.php +++ b/includes/db/Database.php 
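Review bot: Only `mPassword` is blanked in `saveSettings()` when `$wgAuth->allowSetLocalPassword()` returns false; the column list of the `update()` call lies outside the hunk, so if it also persists a temporary or e-mailed password hash, that field would still be written. Any other method that inserts or updates the password column (account creation, for instance) would need the same guard, otherwise a hash is stored once and only cleared on a later save; that is worth confirming against the rest of User.php. Because this mutates the in-memory object as a side effect of saving, a short comment such as `// External auth owns the credential: never persist a local hash` would make the intent clear to the next reader.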
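Review bot: The header value in the ApiFormatBase.php hunk comes from `$wgApiFrameOptions` with only a truthiness test, so a misconfiguration such as `true` or a misspelt string emits `X-Frame-Options: 1` or another value browsers do not recognise, and framing of token-bearing API output is silently allowed. Inside the existing `if`, I would fall back to the strict setting for anything unexpected: `$xfo = in_array( $wgApiFrameOptions, array( 'DENY', 'SAMEORIGIN' ), true ) ? $wgApiFrameOptions : 'DENY';` and send `"X-Frame-Options: $xfo"`. The header is set from the format printer, so any API response path that does not pass through this method would not carry it; whether such a path exists cannot be seen from the hunk. The comment would read better as `// Set X-Frame-Options on API results (bug 39180)`.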
@@ -1973,7 +1973,9 @@ abstract class DatabaseBase implements DatabaseType { # Quote the $database and $table and apply the prefix if not quoted. if ( isset( $database ) ) { - $database = ( $format == 'quoted' || $this->isQuotedIdentifier( $database ) ? $database : $this->addIdentifierQuotes( $database ) ); + if ( $format == 'quoted' && !$this->isQuotedIdentifier( $database ) ) { + $database = $this->addIdentifierQuotes( $database ); + } } $table = "{$prefix}{$table}"; diff --git a/includes/installer/OracleUpdater.php b/includes/installer/OracleUpdater.php index c4c52ee2..93c2726b 100644 --- a/includes/installer/OracleUpdater.php +++ b/includes/installer/OracleUpdater.php @@ -40,17 +40,16 @@ class OracleUpdater extends DatabaseUpdater { //1.19 array( 'addIndex', 'logging', 'i05', 'patch-logging_type_action_index.sql'), - array( 'addTable', 'globaltemplatelinks', 'patch-globaltemplatelinks.sql' ), - array( 'addTable', 'globalnamespaces', 'patch-globalnamespaces.sql' ), - array( 'addTable', 'globalinterwiki', 'patch-globalinterwiki.sql' ), array( 'addField', 'revision', 'rev_sha1', 'patch-rev_sha1_field.sql' ), array( 'addField', 'archive', 'ar_sha1', 'patch-ar_sha1_field.sql' ), array( 'doRemoveNotNullEmptyDefaults2' ), array( 'addIndex', 'page', 'i03', 'patch-page_redirect_namespace_len.sql' ), - array( 'modifyField', 'user', 'ug_group', 'patch-ug_group-length-increase.sql' ), + array( 'modifyField', 'user_groups', 'ug_group', 'patch-ug_group-length-increase.sql' ), array( 'addField', 'uploadstash', 'us_chunk_inx', 'patch-us_chunk_inx_field.sql' ), array( 'addField', 'job', 'job_timestamp', 'patch-job_timestamp_field.sql' ), array( 'addIndex', 'job', 'i02', 'patch-job_timestamp_index.sql' ), + array( 'doPageRestrictionsPKUKFix' ), + array( 'modifyField', 'user_former_groups', 'ufg_group', 'patch-ufg_group-length-increase.sql' ), // KEEP THIS AT THE BOTTOM!! array( 'doRebuildDuplicateFunction' ), 
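Review bot: The comment kept above the Database.php change, `# Quote the $database and $table and apply the prefix if not quoted.`, does not mention that quoting now depends on `$format`: the database name is quoted only when `$format == 'quoted'` and it is not already quoted. I would reword it to `# Apply the prefix; quote $database and $table only for the 'quoted' format and only if not already quoted.` Since the removed ternary had the sense of the `$format` test the wrong way round, a unit test calling the enclosing method with a `db.table` name in both the quoted and the raw format would keep identifier quoting from regressing. The enclosing method starts and ends outside the hunk.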
@@ -180,6 +179,23 @@ class OracleUpdater extends DatabaseUpdater { } /** + * Fixed wrong PK, UK definition + */ + protected function doPageRestrictionsPKUKFix() { + $this->output( "Altering PAGE_RESTRICTIONS keys ... " ); + + $meta = $this->db->query( 'SELECT column_name FROM all_cons_columns WHERE owner = \''.strtoupper($this->db->getDBname()).'\' AND constraint_name = \'MW_PAGE_RESTRICTIONS_PK\' AND rownum = 1' ); + $row = $meta->fetchRow(); + if ( $row['column_name'] == 'PR_ID' ) { + $this->output( "seems to be up to date.\n" ); + return; + } + + $this->applyPatch( 'patch-page_restrictions_pkuk_fix.sql', false ); + $this->output( "ok\n" ); + } + + /** * rebuilding of the function that duplicates tables for tests */ protected function doRebuildDuplicateFunction() { diff --git a/includes/specials/SpecialBlock.php b/includes/specials/SpecialBlock.php index 7d93cc75..da8eed1b 100644 --- a/includes/specials/SpecialBlock.php +++ b/includes/specials/SpecialBlock.php @@ -257,7 +257,13 @@ class SpecialBlock extends FormSpecialPage { $fields['DisableUTEdit']['default'] = $block->prevents( 'editownusertalk' ); } - $fields['Reason']['default'] = $block->mReason; + // If the username was hidden (ipb_deleted == 1), don't show the reason + // unless this user also has rights to hideuser: Bug 35839 + if ( !$block->mHideName || $this->getUser()->isAllowed( 'hideuser' ) ) { + $fields['Reason']['default'] = $block->mReason; + } else { + $fields['Reason']['default'] = ''; + } if( $this->getRequest()->wasPosted() ){ # Ok, so we got a POST submission asking us to reblock a user. So show the diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php index 13ea5def..764ff401 100644 --- a/includes/specials/SpecialUserlogin.php +++ b/includes/specials/SpecialUserlogin.php 
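Review bot: The metadata query in `doPageRestrictionsPKUKFix()` is built by concatenating `strtoupper($this->db->getDBname())` between hand-written quotes, and the result of `fetchRow()` is indexed without checking that a row came back. The database name comes from configuration rather than a request, but using the wrapper keeps the installer consistent and safe for names containing a quote: `'... WHERE owner = ' . $this->db->addQuotes( strtoupper( $this->db->getDBname() ) ) . ' AND constraint_name = ...'`. When the constraint does not exist `$row` is false, so the comparison should be `if ( $row && $row['column_name'] == 'PR_ID' )`, and the docblock could say that a missing constraint deliberately falls through to applying the patch, if that is the intent.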
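Review bot: In the SpecialBlock.php hunk only `$fields['Reason']['default']` is withheld for a hidden block; the context line just above still fills `$fields['DisableUTEdit']['default']` from `$block->prevents( 'editownusertalk' )` regardless of `mHideName`. If the goal of bug 35839 is that a user without `hideuser` learns nothing about a suppressed block, the other defaults populated from `$block` earlier in this method (outside the hunk) deserve the same condition; if only the reason text is sensitive, the comment should say so, e.g. `// Other block flags are not considered sensitive`. The branch could also be written without the `else` by assigning `''` first and overwriting it when the check passes.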
@@ -326,6 +326,12 @@ class LoginForm extends SpecialPage { return false; } + # Include checks that will include GlobalBlocking (Bug 38333) + $permErrors = $this->getTitle()->getUserPermissionsErrors( 'createaccount', $currentUser, true ); + if ( count( $permErrors ) ) { + throw new PermissionsError( 'createaccount', $permErrors ); + } + $ip = $this->getRequest()->getIP(); if ( $currentUser->isDnsBlacklisted( $ip, true /* check $wgProxyWhitelist */ ) ) { $this->mainLoginForm( $this->msg( 'sorbs_create_account_reason' )->text() . ' (' . htmlspecialchars( $ip ) . ')' ); |
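Review bot: The new permission check throws `PermissionsError`, while the checks around it in the same method report failure by calling `mainLoginForm()` and returning false, as the context lines before and after show. Callers that rely on the false return to continue their own error handling will now see an exception instead; that may be intended, since it renders the standard permission error page, but it should be recorded in the method's docblock with `@throws PermissionsError`. The method starts and ends outside the hunk, so I cannot see whether an earlier block check makes part of this redundant. A test that attempts account creation from a globally blocked address would pin the behaviour fixed for bug 38333.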