From 7bf2eb8ba09b54cec804446ea39a3e658773fac9 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Sat, 21 May 2016 08:33:14 +0200
Subject: Update to MediaWiki 1.26.3
---
 tests/phpunit/includes/api/ApiMainTest.php | 27 ++++++++++++++++++++++
 .../includes/api/format/ApiFormatJsonTest.php | 4 ++--
 tests/phpunit/includes/upload/UploadBaseTest.php | 6 +++++
 3 files changed, 35 insertions(+), 2 deletions(-)
(limited to 'tests/phpunit/includes')
diff --git a/tests/phpunit/includes/api/ApiMainTest.php b/tests/phpunit/includes/api/ApiMainTest.php
index 94b741dc..a2bc7aed 100644
--- a/tests/phpunit/includes/api/ApiMainTest.php
+++ b/tests/phpunit/includes/api/ApiMainTest.php
@@ -248,4 +248,31 @@ class ApiMainTest extends ApiTestCase {
 );
 }
+ /**
+ * @covers ApiMain::lacksSameOriginSecurity
+ */
+ public function testLacksSameOriginSecurity() {
+ // Basic test
+ $main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) );
+ $this->assertFalse( $main->lacksSameOriginSecurity(), 'Basic test, should have security' );
+
+ // JSONp
+ $main = new ApiMain(
+ new FauxRequest( array( 'action' => 'query', 'format' => 'xml', 'callback' => 'foo' ) )
+ );
+ $this->assertTrue( $main->lacksSameOriginSecurity(), 'JSONp, should lack security' );
+
+ // Header
+ $request = new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) );
+ $request->setHeader( 'TrEaT-As-UnTrUsTeD', '' ); // With falsey value!
+ $main = new ApiMain( $request );
+ $this->assertTrue( $main->lacksSameOriginSecurity(), 'Header supplied, should lack security' );
+
+ // Hook
+ $this->mergeMwGlobalArrayValue( 'wgHooks', array(
+ 'RequestHasSameOriginSecurity' => array( function () { return false; } )
+ ) );
+ $main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) );
+ $this->assertTrue( $main->lacksSameOriginSecurity(), 'Hook, should lack security' );
+ }
 }
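Review bot: The Hook case at the end of testLacksSameOriginSecurity has to stay last, and nothing in the hunk says so. The `RequestHasSameOriginSecurity` handler added through mergeMwGlobalArrayValue presumably stays registered until the test is torn down, so any scenario appended after it would report "lacks security" whatever its request looks like. A comment such as `// Keep last: this hook stays registered for the rest of the test` above the call would record that; splitting the four scenarios into separate test methods would remove the ordering dependence and stop an early failed assertion from hiding the later ones. The JSONp and Header cases would also read better with the intent spelled out, e.g. `// callback alone must count, even with format=xml` and `// mixed-case name, empty value: presence of the header is what matters`.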
diff --git a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
index 3dfcaf0f..8d599b08 100644
--- a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
+++ b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
@@ -61,7 +61,7 @@ class ApiFormatJsonTest extends ApiFormatTestBase {
 array( array( 1 ), '/**/myCallback([1])', array( 'callback' => 'myCallback' ) ),
 // Cross-domain mangling
- array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy \u003E"]' ),
+ array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy >"]' ),
 ) ),
 self::addFormatVersion( 2, array(
 // Basic types
@@ -102,7 +102,7 @@ class ApiFormatJsonTest extends ApiFormatTestBase {
 array( array( 1 ), '/**/myCallback([1])', array( 'callback' => 'myCallback' ) ),
 // Cross-domain mangling
- array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy \u003E"]' ),
+ array( array( '< Cross-Domain-Policy >' ), '["\u003C Cross-Domain-Policy >"]' ),
 ) )
 );
 }
diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php
index 9441b77f..a3f8ae48 100644
--- a/tests/phpunit/includes/upload/UploadBaseTest.php
+++ b/tests/phpunit/includes/upload/UploadBaseTest.php
@@ -374,6 +374,12 @@ class UploadBaseTest extends MediaWikiTestCase {
 false,
 'SVG with external entity'
 ),
+ array(
+ " ",
+ true,
+ true,
+ 'SVG with javascript link with newline (T122653)'
+ ),
 // Test good, but strange files that we want to allow
 array(
-- cgit v1.2.2
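Review bot: The `// Cross-domain mangling` comment above the changed expectation at line 61 no longer tells a reader what is being pinned, because the new expected string escapes `<` as `\u003C` and leaves `>` literal. I would extend it to `// Cross-domain mangling: only the opening "<" is escaped, ">" passes through`, and make the same edit in the hunk at line 102, which repeats the case for format version 2. Whether leaving `>` unescaped is a deliberate narrowing of the escaping or a side effect cannot be told from these hunks, so the comment should be worded by someone who has the formatter change in front of them. Both provider arrays start and end outside the hunks.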
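Review bot: The new UploadBaseTest provider entry covers only one whitespace variant, a newline, going by its label `'SVG with javascript link with newline (T122653)'`. Browsers discard tab and carriage return inside a URL the same way they discard a newline, so sibling entries for those two characters, each expecting `true, true`, would pin the SVG check against the whole class rather than the single reported input. The fixture string itself is rendered as `" "` on this page, so its content cannot be reviewed here and should be checked against the original commit. The provider method starts and ends outside the hunk.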