forked from wikimedia/mediawiki-extensions-CheckUser
CTOOLS-1985 | Pull security release into CheckUser #10
Merged
SocialProfile de facto overrides user page handling when installed, so this option won't work the way it should.

Bug: T390774
Change-Id: Ia8d4c9a5c555c3868092528ea2989ce59866e1db
(cherry picked from commit d38b278)

Why:
* SpecialInvestigateBlockTest contains two tests which fail when the SocialProfile extension is installed, because SocialProfile disables the 'edit' API for user pages.
* This causes the user page tagging to fail for these users and therefore the tests which check this fail.
* This issue has been fixed in Special:InvestigateBlock by removing the checkboxes when SocialProfile is installed in d38b278
** However, we need to skip the test that is failing when the extension is installed to be consistent with that.

What:
* Skip the tests in SpecialInvestigateBlockTest which attempt to assert about the existence or lack of existence of the user page tag.

Bug: T390590
Change-Id: I784fc6a9492c87063773a67939e31b51d334e3ee
(cherry picked from commit 76b96ad)

…sion

Why:
* In 76b96ad, the check to see if the SocialProfile extension was loaded was incorrectly inverted.
* Furthermore, the check itself is not correct, as per the patch in d38b278 the ExtensionRegistry cannot be used.
* We should fix the skipping conditions to avoid the test being skipped in all cases.

What:
* Update SpecialInvestigateBlockTest::markTestSkippedIfSocialProfileExtensionInstalled to skip the test using the same method as used in d38b278 to determine if the form fields should be shown.
* Fix SpecialInvestigateBlock to check if SocialProfile is loaded first before attempting to access the value of an array key that will be unset if SocialProfile is installed.
* Update SpecialInvestigateBlockTest::testViewSpecialPageWithNoDataEntered to expect that the user page field is not present when SocialProfile is installed.

Follow-Up: I784fc6a9492c87063773a67939e31b51d334e3ee
Follow-Up: Ia8d4c9a5c555c3868092528ea2989ce59866e1db
Bug: T390590
Change-Id: I9d7657f2e2f319ba50083a14ded2e7a78297952c
(cherry picked from commit ebe6fd4)

This is the required notation according to core's Autoloader class.

Change-Id: I9114c7d3d1e317d01a14f374577987ed5db14ee4
(cherry picked from commit 9d7df77)
Prevents "RuntimeException: Database backend disabled".

CheckUser's parse() call triggers the ParserBeforeInternalParse hook, which AtMentions implements and uses to access the database, causing the failure when run without "@group Database". Needed to make CI pass on REL1_43 for AtMentions.

Bug: T398781
Change-Id: I96fdd6ac24753f85aa71d04b934ed72a15543f71

Why:
* Special:Investigate has an 'Account information' tab which is currently vulnerable to i18n XSS through the 'checkuser-investigate-preliminary-table-cell-wiki-nowiki' and 'rev-deleted-user' messages.
* These vectors should be fixed.

What:
* Properly escape the above noted messages in PreliminaryCheckPager.

Bug: T394700
Change-Id: I777fc55fef15c3b00df0db268af2b64cb2d6e381

Why:
* Special:Investigate currently has i18n XSS through the 'rev-deleted-user' and 'checkuser-investigate-compare-table-cell-unregistered' messages that are used by the ComparePager.
* These messages should be appropriately HTML escaped.

What:
* Call ::escaped instead of ::text when generating the text for the messages 'rev-deleted-user' and 'checkuser-investigate-compare-table-cell-unregistered'.

Bug: T394692
Change-Id: I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e
(cherry picked from commit aa72536)
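The two commits above (T394700 and T394692) fix the same bug class: an i18n message inserted into pager HTML via ::text instead of ::escaped. The following is an added illustration, not code from this pull request or from the CheckUser extension; MessageStub is a constructed stand-in for MediaWiki's Message class (whose real methods are wfMessage(...)->text() and ->escaped()), and the renderCell* helpers and the hostile message value are hypothetical.

```php
<?php
// Stand-in for MediaWiki's Message: text() returns the raw message
// content, escaped() returns it HTML-escaped. On a real wiki the
// content of a message such as MediaWiki:Rev-deleted-user can be
// changed on-wiki, so it must never be treated as trusted HTML.
final class MessageStub {
    public function __construct( private string $raw ) {}

    public function text(): string {
        return $this->raw;
    }

    public function escaped(): string {
        return htmlspecialchars( $this->raw, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable pattern (the "before"): raw message text concatenated into
// markup, so any tags in the message become live HTML in the pager.
function renderCellVulnerable( MessageStub $msg ): string {
    return '<td>' . $msg->text() . '</td>';
}

// Hardened pattern (what the fix does): escape the message first.
function renderCellFixed( MessageStub $msg ): string {
    return '<td>' . $msg->escaped() . '</td>';
}

// Regression check suitable for a unit test: the cell body must not
// carry any tag beyond the wrapping <td>. strip_tags() leaves entities
// such as &lt; untouched, so escaped output passes and raw markup fails.
function containsForeignMarkup( string $cell ): bool {
    $inner = substr( $cell, strlen( '<td>' ), -strlen( '</td>' ) );
    return $inner !== strip_tags( $inner );
}

// Constructed message override that carries markup, standing in for a
// tampered on-wiki message; real message text should look like plain prose.
$override = new MessageStub( '(username removed) <script>alert(1)</script>' );

if ( !containsForeignMarkup( renderCellVulnerable( $override ) ) ) {
    throw new RuntimeException( 'expected the unescaped cell to carry markup' );
}
if ( containsForeignMarkup( renderCellFixed( $override ) ) ) {
    throw new RuntimeException( 'escaped cell must not carry markup' );
}
echo renderCellFixed( $override ), "\n";
```

Running the script prints the escaped cell and exits cleanly; the same containsForeignMarkup check can be pointed at real pager output in PHPUnit to catch a regression to ::text.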
* GHSA-v6h2-p8h4-qcjw

Additional changes:
* Enable stylelint caching.

Change-Id: I9739e9b21a067ed491ab3cb401dc631086fea4e1
CVE-2025-61658

Why:
- GC currently doesn't check if the viewer has read access to the wikis it's fetching the contributions from.
- There exist SUL clusters with both public and private wikis (unlike the WMF's cluster).

What:
- Add a configuration variable that allows excluding some wikis from Special:GlobalContributions.

Bug: T404805
Change-Id: Ia3157563124164f4ab39af103392e626dd809585
No description provided.