-rw-r--r--RELEASE-NOTES-1.2219
-rw-r--r--includes/DefaultSettings.php2
-rw-r--r--includes/HttpFunctions.php58
-rw-r--r--includes/SkinTemplate.php5
-rw-r--r--includes/UserMailer.php1
-rw-r--r--includes/installer/PostgresUpdater.php1
-rw-r--r--includes/specials/SpecialPasswordReset.php5
-rw-r--r--includes/upload/UploadStash.php2
-rw-r--r--languages/messages/MessagesEn.php2
-rw-r--r--languages/messages/MessagesQqq.php1
-rw-r--r--maintenance/postgres/tables.sql1
11 files changed, 59 insertions, 38 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 5685fef9..56a7e3d3 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,25 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.7 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.6 ===
+
+* (bug 65501) SECURITY: Don't parse usernames as wikitext on
+ Special:PasswordReset.
+* (bug 36356) Add space between two feed links.
+* (bug 63269) Email notifications were not correctly handling the
+ [[MediaWiki:Helppage]] message being set to a full URL. This is a regression
+ from the 1.22.5 point release, which made the default value for it a URL.
+ If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
+ you'll need to edit it locally to include the URL via the new variable
+ $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
+ you don't have to do anything.
+* Add missing uploadstash.us_props for PostgreSQL.
+* (bug 56047) Fixed stream wrapper in PhpHttpRequest.
+
== MediaWiki 1.22.6 ==
This is a security release of the MediaWiki 1.22 branch.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 32ad2db3..850c2cfb 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration;
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.22.6';
+$wgVersion = '1.22.7';
/**
* Name of the site. It must be changed in LocalSettings.php
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index fa2fc12b..b405ede2 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -853,6 +853,7 @@ class PhpHttpRequest extends MWHttpRequest {
}
$this->reqHeaders['Accept'] = "*/*";
+ $this->reqHeaders['Connection'] = 'Close';
if ( $this->method == 'POST' ) {
// Required for HTTP 1.0 POSTs
$this->reqHeaders['Content-Length'] = strlen( $this->postData );
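Review bot: The added `Connection: Close` header has no comment linking it to the switch to `protocol_version` 1.1 in the next hunk, so on its own it reads as an arbitrary header that a later cleanup could drop independently of the protocol change. A comment such as `// HTTP/1.1 defaults to persistent connections; ask the server to close so the stream wrapper reaches EOF` would record the pairing; the EOF rationale is the usual reason for this header and is not stated in the hunk, so it should be confirmed against the bug 56047 discussion. The enclosing method begins before this hunk.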
@@ -861,52 +862,47 @@ class PhpHttpRequest extends MWHttpRequest {
}
}
- $options = array();
- if ( $this->proxy ) {
- $options['proxy'] = $this->urlToTCP( $this->proxy );
- $options['request_fulluri'] = true;
- }
+ // Set up PHP stream context
+ $options = array(
+ 'http' => array(
+ 'method' => $this->method,
+ 'header' => implode( "\r\n", $this->getHeaderList() ),
+ 'protocol_version' => '1.1',
+ 'max_redirects' => $this->followRedirects ? $this->maxRedirects : 0,
+ 'ignore_errors' => true,
+ 'timeout' => $this->timeout,
+ // Curl options in case curlwrappers are installed
+ 'curl_verify_ssl_host' => $this->sslVerifyHost ? 2 : 0,
+ 'curl_verify_ssl_peer' => $this->sslVerifyCert,
+ ),
+ 'ssl' => array(
+ 'verify_peer' => $this->sslVerifyCert,
+ 'SNI_enabled' => true,
+ ),
+ );
- if ( !$this->followRedirects ) {
- $options['max_redirects'] = 0;
- } else {
- $options['max_redirects'] = $this->maxRedirects;
+ if ( $this->proxy ) {
+ $options['http']['proxy'] = $this->urlToTCP( $this->proxy );
+ $options['http']['request_fulluri'] = true;
}
- $options['method'] = $this->method;
- $options['header'] = implode( "\r\n", $this->getHeaderList() );
- // Note that at some future point we may want to support
- // HTTP/1.1, but we'd have to write support for chunking
- // in version of PHP < 5.3.1
- $options['protocol_version'] = "1.0";
-
- // This is how we tell PHP we want to deal with 404s (for example) ourselves.
- // Only works on 5.2.10+
- $options['ignore_errors'] = true;
-
if ( $this->postData ) {
- $options['content'] = $this->postData;
+ $options['http']['content'] = $this->postData;
}
- $options['timeout'] = $this->timeout;
-
if ( $this->sslVerifyHost ) {
- $options['CN_match'] = $this->parsedUrl['host'];
- }
- if ( $this->sslVerifyCert ) {
- $options['verify_peer'] = true;
+ $options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
if ( is_dir( $this->caInfo ) ) {
- $options['capath'] = $this->caInfo;
+ $options['ssl']['capath'] = $this->caInfo;
} elseif ( is_file( $this->caInfo ) ) {
- $options['cafile'] = $this->caInfo;
+ $options['ssl']['cafile'] = $this->caInfo;
} elseif ( $this->caInfo ) {
throw new MWException( "Invalid CA info passed: {$this->caInfo}" );
}
- $scheme = $this->parsedUrl['scheme'];
- $context = stream_context_create( array( "$scheme" => $options ) );
+ $context = stream_context_create( $options );
$this->headerList = array();
$reqCount = 0;
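Review bot: The `ssl` block sets `verify_peer` from `$this->sslVerifyCert`, while hostname checking is only attached further down via `CN_match` when `$this->sslVerifyHost` is set, so the two flags are independent and a reader of the array literal cannot see that a chain-verified certificate may still be accepted for a different host; a comment on the `'verify_peer' => $this->sslVerifyCert,` line such as `// chain check only; hostname match is added below via CN_match when sslVerifyHost is set` would make the split explicit. `CN_match` is deprecated from PHP 5.6 in favour of `peer_name`/`verify_peer_name`, so if this code is expected to run on 5.6 the host-check branch should set those as well — the supported PHP range is not visible in the hunk. The method continues past the end of the hunk.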
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index 53f11998..581dbb34 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -1826,10 +1826,11 @@ abstract class BaseTemplate extends QuickTemplate {
*/
function makeListItem( $key, $item, $options = array() ) {
if ( isset( $item['links'] ) ) {
- $html = '';
+ $links = array();
foreach ( $item['links'] as $linkKey => $link ) {
- $html .= $this->makeLink( $linkKey, $link, $options );
+ $links[] = $this->makeLink( $linkKey, $link, $options );
}
+ $html = implode( ' ', $links );
} else {
$link = $item;
// These keys are used by makeListItem and shouldn't be passed on to the link
diff --git a/includes/UserMailer.php b/includes/UserMailer.php
index 8ab10b2d..163f8361 100644
--- a/includes/UserMailer.php
+++ b/includes/UserMailer.php
@@ -747,6 +747,7 @@ class EmailNotification {
}
$keys['$PAGEEDITOR_WIKI'] = $this->editor->getUserPage()->getCanonicalURL();
+ $keys['$HELPPAGE'] = wfExpandUrl( Skin::makeInternalOrExternalUrl( wfMessage( 'helppage' )->inContentLanguage()->text() ) );
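Review bot: The new `$HELPPAGE` assignment packs three calls onto a line well past the project's width, and nothing in the hunk records why the message goes through `Skin::makeInternalOrExternalUrl` instead of being treated as a title; splitting it as `$helpPage = wfMessage( 'helppage' )->inContentLanguage()->text();` / `// helppage may be a page title or a full URL (bug 63269)` / `$keys['$HELPPAGE'] = wfExpandUrl( Skin::makeInternalOrExternalUrl( $helpPage ) );` keeps it readable and keeps the reason next to the code. The value comes from a site-editable message, so it is admin-controlled rather than end-user input, and it is apparently substituted unescaped like the neighbouring `$PAGEEDITOR_WIKI` key. The enclosing method begins before this hunk.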
# Replace this after transforming the message, bug 35019
$postTransformKeys['$PAGESUMMARY'] = $this->summary == '' ? ' - ' : $this->summary;
diff --git a/includes/installer/PostgresUpdater.php b/includes/installer/PostgresUpdater.php
index 599b523b..304c5466 100644
--- a/includes/installer/PostgresUpdater.php
+++ b/includes/installer/PostgresUpdater.php
@@ -169,6 +169,7 @@ class PostgresUpdater extends DatabaseUpdater {
"INTEGER NOT NULL PRIMARY KEY DEFAULT nextval('archive_ar_id_seq')" ),
array( 'addPgField', 'externallinks', 'el_id',
"INTEGER NOT NULL PRIMARY KEY DEFAULT nextval('externallinks_el_id_seq')" ),
+ array( 'addPgField', 'uploadstash', 'us_props', "BYTEA" ),
# type changes
array( 'changeField', 'archive', 'ar_deleted', 'smallint', '' ),
diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php
index c486ba01..d9faacca 100644
--- a/includes/specials/SpecialPasswordReset.php
+++ b/includes/specials/SpecialPasswordReset.php
@@ -208,7 +208,8 @@ class SpecialPasswordReset extends FormSpecialPage {
$firstUser = $users[0];
if ( !$firstUser instanceof User || !$firstUser->getID() ) {
- return array( array( 'nosuchuser', $data['Username'] ) );
+ // Don't parse username as wikitext (bug 65501)
+ return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) );
}
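Review bot: `wfEscapeWikiText` is applied at the `nosuchuser` return here and at the `noemail` return in the next hunk (the `$firstUser->getName()` line), but only this site carries the `(bug 65501)` comment; mirror `// Don't parse username as wikitext (bug 65501)` at the second site so both escapes survive a future refactor for the same stated reason. Both returns feed the value into a message that is evidently rendered as wikitext, so the escape matches the sink; any other early return in this method that passes `$data['Username']` or a user name into a parsed message needs the same treatment, which I cannot confirm from the two hunks shown. The enclosing method begins before and continues after these hunks.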
// Check against the rate limiter
@@ -235,7 +236,7 @@ class SpecialPasswordReset extends FormSpecialPage {
// All the users will have the same email address
if ( $firstUser->getEmail() == '' ) {
// This won't be reachable from the email route, so safe to expose the username
- return array( array( 'noemail', $firstUser->getName() ) );
+ return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) );
}
// We need to have a valid IP address for the hook, but per bug 18347, we should
diff --git a/includes/upload/UploadStash.php b/includes/upload/UploadStash.php
index 7db6c64b..ea117378 100644
--- a/includes/upload/UploadStash.php
+++ b/includes/upload/UploadStash.php
@@ -260,7 +260,7 @@ class UploadStash {
'us_key' => $key,
'us_orig_path' => $path,
'us_path' => $stashPath, // virtual URL
- 'us_props' => serialize( $fileProps ),
+ 'us_props' => $dbw->encodeBlob( serialize( $fileProps ) ),
'us_size' => $fileProps['size'],
'us_sha1' => $fileProps['sha1'],
'us_mime' => $fileProps['mime'],
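Review bot: `us_props` is now written through `$dbw->encodeBlob()`, so the read path (wherever `us_props` is unserialized) must apply `decodeBlob()` before `unserialize()`, otherwise the PostgreSQL BYTEA column this commit adds will not round-trip; that read side is outside this hunk and I cannot confirm it was updated. A one-line comment at the write site, `// BYTEA on PostgreSQL; pair with decodeBlob() when reading`, would flag the coupling for whoever next touches either side. The enclosing method begins before and continues after this hunk.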
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 4f82b86d..7b500f20 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -3031,7 +3031,7 @@ To delete the page from your watchlist, visit
$UNWATCHURL
Feedback and further assistance:
-{{canonicalurl:{{MediaWiki:Helppage}}}}',
+$HELPPAGE',
'created' => 'created', # only translate this message to other languages if you have to change it
'changed' => 'changed', # only translate this message to other languages if you have to change it
diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php
index f30453a6..e201ad47 100644
--- a/languages/messages/MessagesQqq.php
+++ b/languages/messages/MessagesQqq.php
@@ -5525,6 +5525,7 @@ Parameters:
***{{msg-mw|Enotif lastvisited}}
*$PAGEEDITOR_EMAIL and $PAGEEDITOR_WIKI are links respectively to the email user special page and user page for the user who performed the action.
*$PAGEEDITOR is the username of the user who performed the action.
+*$HELPPAGE is the full URL to the help page, defined by {{msg-mw|helppage}}.
The subject of the email is one of the following messages:
*{{msg-mw|Enotif subject deleted}}
diff --git a/maintenance/postgres/tables.sql b/maintenance/postgres/tables.sql
index 0cc1b3d7..5ed7de99 100644
--- a/maintenance/postgres/tables.sql
+++ b/maintenance/postgres/tables.sql
@@ -376,6 +376,7 @@ CREATE TABLE uploadstash (
us_key TEXT,
us_orig_path TEXT,
us_path TEXT,
+ us_props BYTEA,
us_source_type TEXT,
us_timestamp TIMESTAMPTZ,
us_status TEXT,