I found these vulnerabilities while trying to setup seccheck. Although
I'm not sure whether seccheck recognised them, I'm sure that they exist
since I did manual tests, and it's possible to inject custom scripts
with these.
Change-Id: I97804be8352a1b784d483195edb29e363a0c616e
'disallow' rules with a missing first parameters are perfectly fine (and
quite common), so don't throw notices when that happens.
This broke Flow's unit tests, and caused exceptions for all api.php
edits that triggered a 'disallow' rule.
Change-Id: Ibebedb566da705e77ffb831ebda6476adba07c93
The variable was declared in the "if" branch but also used in the "else"
one. This caused the rules textarea to not have the readonly attribute
if the user wasn't allowed and CodeEditor wasn't installed.
Change-Id: I2bf69dc0f2d24efac41d1ac6100ed7e286e3afa4
This is taken from I6a57a28f22600aafb2e529587ecce6083e9f7da4 and makes
all the needed changes to make phan pass. Seccheck will instead fail,
but since it's not clear how to fix it (and it is non-voting), for the
moment we may merge this and enable phan on IC.
Bug: T192325
Change-Id: I77648b6f8e146114fd43bb0f4dfccdb36b7ac1ac
Follow-up of Iaeae672dca66ffc745054daabd6f0eae7dfbc648. Some actions
were still marked with red, specifically the ones with block inside. The
reason is that we stored the 'blocktalk' parameter as an emtpy string if
false, which wasn't filtered when loading request. Changing the empty
string to something different is enough to fix the problem, hopefully
without regressions. Note that this isn't retroactive and needs an edit
to become effective.
Bug: T189681
Change-Id: I7d7f0606fc23bad5ba342076066ab0e935680b3f
Introduce a new function which can be used to group multiple comparisons
in a single condition. In particular, equals_to_any(S, A, B) is the
equivalent of S === A || S === B. This is especially useful in checking
for multiple namespaces, as proposed in the Community health initiative.
Change-Id: I9dcfe303eb5e51e1882fe4a65fa876aa93db7686
I left as ToDo the checks between an array and something else. With this
patch, it'll work like PHP: the result will be true iff the comparison
is loose, the array is empty and the other operand is either false or
null.
Change-Id: Idc5cadb697ed4fc7f4856967274169f77495ed9f
I added searchEnabled in I0771fa048d21031ed1e0f8a6909213bdb869a5ed, but
forgot to pass it as parameter when there's an error with the regex.
This means that, if you try to make a search with a wrong regex, when
the page is reloaded the fields for searching aren't shown and you get a
PHP warning. Here I also added warning suppressions as usually done when
checking regex validity to avoid unnecessary PHP warnings.
Change-Id: Ibc3110c30959c99d0825e1e3d7edb1e96dd9d536
Basically, with this we always start with a functioning textarea. If JS
is enabled (and CodeEditor installed), it gets then replaced by the Ace
editor.
Bug: T192241
Change-Id: Id4dc1debf0240d5b336f4d9ab5b363c240f08807
As discussed in the task, wgTitle was used (overridden) since it was null in API
calls. However, the problem has been fixed in api.php in 2009, so we
don't need to deal with it anymore. This also means that we may remove
anything else that was added to restore the original title at the end of
the function. At last, this was the only remaining exception for PHPCS.
Bug: T178007
Change-Id: Id043c74ec8d57c5fb0ab22f54acf6a31fe6b6f06
This should fix every error with excluded rules, leaving only the one
for $wgTitle. A double check would be nice in order to avoid regressions
due to stupid mistakes.
Bug: T178007
Change-Id: I22c179f3a01d652640304b59e43fcb5b5a9abac3
Right now we don't have a specific exception for that, plus we don't
really check if they're closed. In fact, we use the result of strpos
without checking if it evaluates to false; if so, in some particular
cases like the one reported on phab, the while loop will never end.
Bug: T134124
Change-Id: I3b6000f197502a4832a53465b6617b4217080739
So that type and value will be identical to PHP's ones.
Bug: T191688
Depends-On: I1140900cdda63eed292d9f20aefd721ef9247fcd
Change-Id: I398c9a972b7e9fcb27d055d23939be2b8bb68244
Right now they're always returned as float values, even stuff like 1+1.
With these patch the results will have the same type as they would with
pure PHP calculation. Added a method to convert numbers to int/float
depending on their type.
Bug: T191688
Change-Id: I1140900cdda63eed292d9f20aefd721ef9247fcd
Otherwise old filters try to use it and return an error. I restored it
at the old version, like in PS1 of Ib23c418ded6ffdae7311809bf5fcbbfb2093e752
Bug: T191696
Change-Id: Ib23c418ded6ffdae7311809bf5fcbbfb2093e752
We already do it for variables and functions, so that any new feature
won't need the ace files to be edited. I originally didn't implement it
for keywords too, but it's actually much better this way.
Change-Id: I1ee81feace2ea90d5dbb2e443f01bc0f6cf74eb7
This feature was never implemented. I'm not sure whether we need a way to compare array and other types of variables (left as ToDo), since e.g. in PHP it's always false.
Bug: T179238
Change-Id: I5d2c33fd117e69cbc84c0b04b6cb82edbdcadf16
It solves a bug and other problems, especially related to permissions.
Tested as much as I could but with an imperfect global filters system,
so there may still be something wrong.
Bug: T191539
Change-Id: I0771fa048d21031ed1e0f8a6909213bdb869a5ed
This is the long-term solution for the problem. The ToDo may be
unnecessary, but leaving it there as a caveat.
Bug: T190602
Change-Id: I5e3764dbec8ac21f20c460181ae78ed73eca92f6