MediaWiki-l September 2020

mediawiki-l@lists.wikimedia.org

24 participants
25 discussions

by Jeffrey Walton

Hi Everyone, During a Mediawiki 1.34.3 to Mediawiki 1.34.4 upgrade... When updating vendor components using 'php -d extension=phar.so composer.phar update': Package wikimedia/password-blacklist is abandoned, you should avoid using it. Use wikimedia/common-passwords instead. Package jakub-onderka/php-parallel-lint is abandoned, you should avoid using it. Use php-parallel-lint/php-parallel-lint instead. Package jakub-onderka/php-console-color is abandoned, you should avoid using it. Use php-parallel-lint/php-console-color instead. Package jakub-onderka/php-console-highlighter is abandoned, you should avoid using it. Use php-parallel-lint/php-console-highlighter instead. Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested. Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested. I don't add things to vendor/, and I did not install packages like password-blacklist or php-parallel-lint. It looks like these are part of a Mediawiki installation. /var/www/html/wiki# find . -name password-blacklist ./vendor/wikimedia/password-blacklist /var/www/html/wiki# find . -name php-parallel-lint ./vendor/jakub-onderka/php-parallel-lint Jeff

1 year, 3 months

Announcing MediaWiki 1.35.0

by Sam Reed

I am happy to announce the belated availability of the general release of MediaWiki 1.35! Tarballs have already been uploaded, and the git tag has been pushed. Thanks to everyone who helped out with this release, especially thanks to those who tested out the release candidates and provided feedback, as well as the developers who worked hard to get several important fixes merged in time for the 1.35 final release. To see what's changed in 1.35, see the release notes below. Please note that the PHP version requirement has been raised from 7.2.9 in MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19. MediaWiki 1.35 is an LTS and is due to be supported until the end of September 2023. As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due to become end of life in November 2020. As per the pre-release announcement, 1.35.0 also includes some security fixes that weren't in the release candidates, which came out yesterday for the ther supported MediaWiki branches. Known/outstanding issues: * VisualEditor and Parsoid are now bundled in the tarball and no longer need a separate Node.js service. The documentation for this still may still require some updates. Please report any bugs [2] if this affects you. * (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work using SQLite as the database backend for MediaWiki. This is due to the lack of write concurrency in SQLite. If you wish to use this feature, it is recommended to use MySQL/MariaDB rather than SQLite. * Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still experimental. It should become stable in a later point release. Please report any issues/bugs [3]. == Security fixes == * (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users. * (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions. * (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList. * (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality. * (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute. * (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse(). * (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database. * (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used. * (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T232568 * https://phabricator.wikimedia.org/T255918 * https://phabricator.wikimedia.org/T256171 * https://phabricator.wikimedia.org/T258763 * https://phabricator.wikimedia.org/T86738 * https://phabricator.wikimedia.org/T115888 * https://phabricator.wikimedia.org/T260485 * https://phabricator.wikimedia.org/T251661 === Changes since MediaWiki 1.35.0-rc.3 === * (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler. * (T260232) Don't include null page ids in query list for category dumps. * (T260009) Check existing watchitem when saving action=watch. * (T259055) Correct success messages for action=watch. * mediawiki.page.ready: Simpler tablesorter/makeCollapsible call. * mediawiki.page.ready: Fix skin override config flags, wrong way round. * (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase. * (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when action=watch. * (T261901, T261476) mediawiki.notification: Don't close notif when clicking <select> element. * (T251506) Sanitizer: Truncate IDs to a reasonable length. * (T259452) Parsoid updated to v0.12.0. * (T261970) watch.ajax: Add expiry support to watchpage.mw event. * (T262900) Fix failure of rebuildLocalisationCache.php due to ResourceLoader hook. * (T263014) Hard deprecate File::userCan() with $user=null. * (T262547) Use localized success message after watching via action=watch. * (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`. * (T261081) Installer: consistently reset Language objects. * (T250449, T250450) Installer: consistently reset Language objects. * Explicitly wrap some XML calls in libxml_disable_entity_loader(). * (T262934) Ensure dropdown label is always on its own line. * (T246855) resourceloader: Use a local HookRunner. * (T263604) Have findBadBlobs.php require Maintenance.php rather than cleanupTable.inc. * (T263606) Set fake time, to avoid flaky tests. * (T261325) Add FindMissingActors script. * (T262364) shell: Don't blacklist /run/firejail. * (T263655) NewPagesPager: Ignore nonexistent namespaces. * Update specialPageAliases and magicWords for Egyptian Arabic (arz). * (T261347) ParserOutput: don't throw on bad editsection. * (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions. * (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList. * (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality. * (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute. * (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse(). * (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database. * (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used. * Add Finnish special page aliases. * Fix GuzzleHttpRequest request headers. * Fix description for pruneFileCache.php. * emptyUserGroup.php: handle more than 5000 users. * Make ApiSandbox copyable URL absolute. * (T261087) Add a link from a deleted page to that page's logs. Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4035/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-… [3] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz Patch to previous version (1.35.0-rc.3): https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html Release Notes https://www.mediawiki.org/wiki/Release_notes/1.35

2 years, 5 months

Fwd: Public API for Wikimedia map tiles to be discontinued in 45 days

by Erica Litrenta

[crosspost from Maps-l] Today the Wikimedia Foundation is announcing the deprecation of the public API for Wikimedia map tiles. Around mid October the Foundation will end support for the Wikimedia Maps Service API [1]. This change affects people using Wikimedia maps on their own website or app. Maps on the Wikimedia sites, in Wikimedia-hosted tools and gadgets, and on maps.wikimedia.org won't be affected. This decision was made based on recent outage incidents, primarily due to spikes in third party usage, along with an analysis showing that more than a third of maps provided are to non-Wikimedia services (including many to for-profit organizations). After the most recent incident [2], the service was limited so that only cached maps tiles would be available. While this protected the servers, it made the service unpredictable and highlighted the unsustainability of our tile service. So, we have made the decision to discontinue the maps APIs for non-Wikimedia users. This change will allow our teams working on Maps to focus on the sustainability of the maps used within Wikimedia projects. You can follow the implementation of this change on Phabricator [3]. Best, Erica Litrenta [1] https://maps.wikimedia.org/osm-intl/ [2] https://wikitech.wikimedia.org/wiki/Incident_documentation/20200204-maps [3] https://phabricator.wikimedia.org/T261424 -- Erica Litrenta Manager, Community Relations Specialists https://meta.wikimedia.org/wiki/User:Elitre_(WMF)

2 years, 5 months

Seeking ease of updating MediaWiki with extensions

by Even Thorbergsen

Hallo all, I have been maintaining a number of wiki installations based on MW and extensions (including SMW) for more than a decade. I must admit, I find it increasingly hard to update these installations. The old zips have mostly disappeared, and the once promising Composer is not straightforward to use, nor is GitHub. Composer is even disallowed by some internet providers, for some reason. I would have liked to see a management frontend where you select your choice of extensions, and get the corresponding code and possibly database updated, not having to know technical details, such as the structure of JSON files or other. As the situation is now, I suspect many wiki installations use rather old code versions, which is really a pity. Regards, Even Thorbergsen

2 years, 6 months

MediaWiki Extensions and Skins Security Release Supplement (1.31.9/1.34.3/1.35.0)

by Scott Bassett

Greetings- With the security/maintenance release of MediaWiki 1.31.9/1.34.3/1.35.0 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == MobileFrontend == + (T238075) - Alert group Cookie(s) without HttpOnly flag are set due to default configuration < https://gerrit.wikimedia.org/r/q/I8e84f1cbc8878974532b511cebd9de40c5de55c6 > == MobileFrontend == + (T262213, CVE-2020-26120) - XSS on Pages viewed within MobileFrontend extension < https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea > == CentralAuth == + (T260485, CVE-2020-25869) - CentralAuth uses wrong actor ID when locally suppressing the user < https://gerrit.wikimedia.org/r/q/Iaa886a1824e5a74f4501ca7e28917c780222aac0 > < https://gerrit.wikimedia.org/r/q/I2336954c665366a99f9995df9b08071d4de6db79 > == FileImporter == + (T262628, CVE-2020-26121) - FileImporter imports the file even when the target page is protected on Commons < https://gerrit.wikimedia.org/r/q/Ib852a96afc4dca10516d0510e69c10f9892b351b > The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000… [1] https://phabricator.wikimedia.org/T256342 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs -- Scott Bassett sbassett(a)wikimedia.org

2 years, 6 months

Mediawiki speed running concept

by Julien Tremblay McLellan

Hello, I discovered a nifty game for any wiki, which is "wiki speedrunning". Where one measures the time it takes to get from page A to page B. This video has a small blurb about it, and is how I found it by chance, when searching for mediawiki related talks on youtube. https://www.youtube.com/watch?v=GhzmfHTuIJI I thought it neat, and wanted to share with the community at large. -- Regards, Julien Tremblay McLellan Ottawa, Canada Let's talk, just book me here +1-613-618-6699

2 years, 6 months

The Second round of voting for mediawiki logo just started!

by Amir Sarabadani

Hello, The subject line is self-explanatory, you can go to the voting page <https://www.mediawiki.org/wiki/Project:Proposal_for_changing_logo_of_MediaW…> and cast your vote. This is going to continue for a month and it's about different variants of the top contender (different colors, different wordmarks, etc.). You need to order logos based on your preference (the most preferred one first, the least preferred one the last) and then cast your vote. The final winner will be chosen using Schulze method <https://en.wikipedia.org/wiki/Schulze_method>. If you have mistakenly voted in the test phase, you can just copy your vote from the test page <https://www.mediawiki.org/wiki/User:Ladsgroup/Round_2/votes> to the actual voting page <https://www.mediawiki.org/wiki/Project:Proposal_for_changing_logo_of_MediaW…> (the numbers of logos haven't changed). Special thank you to Chuck Roslof from WMF legal for doing the preliminary clearance of the proposal. Have a nice weekend! -- Amir (he/him)

2 years, 6 months

MediaWiki 1.31.10 patching issues

by Sam Reed

Hello all, Sorry for the numerous emails on this usually quiet mailing list. It came to our attention that the 1.31.10 patch doesn't apply ontop of the 1.31.9 patch [1]. This was due to the diff patches being created ignoring whitespace, which we are slightly surprised this hasn't bitten us before. It has been fixed going forward. To that extent, if you have already applied mediawiki-1.31.9.patch.gz [2] and mediawiki-1.31.10.patch.gz [3] won't apply ontop of it, please use mediawiki-1.31.10-fixup.patch.gz [4] instead. The signature can be found at mediawiki-1.31.10-fixup.patch.gz.sig [5] for those who verify their downloaded files. If you haven't yet upgraded, I have re-issued the 1.31.9.patch [2] and 1.31.10.patch [3] to take account of the whitespace changes. So you can download those two patches fresh and they should apply as expected (i.e. follow the original instructions). If you require the old version of those patches, they can be found below: * mediawiki-1.31.10.patch.gz.old [6] * mediawiki-1.31.10.patch.gz.old.sig [7] * mediawiki-1.31.9.patch.gz.old [8] * mediawiki-1.31.9.patch.gz.old.sig [9] Once again I apologise for the inconvenience, but hopefully this resolves all outstanding issues. Thanks Sam [1] https://phabricator.wikimedia.org/T263866 [2] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz [3] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.patch.gz [4] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10-fixup.patch… [5] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10-fixup.patch… [6] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.patch.gz.old [7] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.patch.gz.ol… [8] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.old [9] https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.old…

2 years, 6 months

What’s up

by Omar Watkin

Info I don’t know what’s going on

2 years, 6 months

Allowing HTML

by Tim Starling

I enabled HTML email on this list, since most people were OK with me enabling it on wikitech-l in the recent discussion there, and the audience is much the same. -- Tim Starling

2 years, 6 months

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

MediaWiki-l September 2020