Commit graph

5358 commits

Author SHA1 Message Date
jenkins-bot 2d2e524dca Merge "Tokenizer: don't strip backslashes from \x" 2019-11-22 13:36:49 +00:00
Translation updater bot 8bed72cfd6 Localisation updates from https://translatewiki.net.
Change-Id: Id9cb9d30d31efd6fd30ecf9d25c8a57e0accf94f
2019-11-22 09:12:14 +01:00
jenkins-bot 9a7027fe64 Merge "SECURITY: Require view-private or modify for the evalexpression API" 2019-11-21 15:54:46 +00:00
Daimona Eaytoy cee8e14cf1 SECURITY: Require view-private or modify for the evalexpression API
This is consistent with the "anti-DoS" measures on other API modules.
Although this may not be a serious DoS vector, it makes sense to
restrict this module. Moreover, it's also consistent with
Special:AbuseFilter/tools (which is the corresponding web interface),
which requires the same user rights.

Bug: T238451
Change-Id: Id09fd57195d71884674ac0470f137ca30c56e13c
2019-11-21 16:33:04 +01:00
Translation updater bot 956eca36cb Localisation updates from https://translatewiki.net.
Change-Id: Ie63e3492a0790a9233dc29f07474e31c4e880448
2019-11-20 09:35:53 +01:00
jenkins-bot 89170711a8 Merge "Set the utf-8 flag for var dumps in the text table" 2019-11-19 15:28:52 +00:00
Translation updater bot adbeec5176 Localisation updates from https://translatewiki.net.
Change-Id: I80d0b3824b80819062f927145aa472608a17a1ca
2019-11-19 09:32:01 +01:00
Translation updater bot 29bd469e02 Localisation updates from https://translatewiki.net.
Change-Id: I80a2dbf283d50c4d3c63f59fa707449fb03d0161
2019-11-18 09:19:21 +01:00
Daimona Eaytoy b3e58067ac Set the utf-8 flag for var dumps in the text table
This is not retroactive; that will be handled as part of T213006.

Bug: T34478
Change-Id: I2c532da71719a9ace1279bbf67d6e6e30e9a986c
2019-11-16 16:00:45 +00:00
Daimona Eaytoy c03f0a3b08 Convert static arrays to constants
Beloved PHP7!

Change-Id: Id5170662f7c5ceacfc0ac8d90787f2c92fd93464
2019-11-16 16:32:36 +01:00
Daimona Eaytoy c73381b6db Tokenizer: don't strip backslashes from \x
Bug: T238475
Change-Id: I8c2ea6ad369946df93440eece60d456dc1a3fd7a
2019-11-16 16:21:39 +01:00
Translation updater bot a0b349d4c3 Localisation updates from https://translatewiki.net.
Change-Id: Ib8d00edacae2b6bdb654ee247711c4f198bd72bb
2019-11-15 09:18:35 +01:00
Martin Urbanec 5fd861365f SECURITY: Make sure provided filter id match provided history ID in history view
AbuseFilterViewEdit does privilege checks based on filter ID,
and displays what is hidden under given history ID, but doesn't
make sure those two IDs actually belong to one filter.

That means user can easily change filter ID to a public
filter and view old versions of nowadays private filters.

Bug: T237887
Change-Id: Ic12790bd33982473f77551bde9599ed083a3e1f1
2019-11-14 15:53:14 -06:00
Translation updater bot af000125ac Localisation updates from https://translatewiki.net.
Change-Id: Iff2e73bd4dd691d14598c63c10dd06b9a9f18e34
2019-11-13 09:24:23 +01:00
jenkins-bot 80f4742416 Merge "When viewing old filter revisions, show abusefilter-view-oldwarning to users who cannot edit the filter" 2019-11-12 18:59:28 +00:00
Daimona Eaytoy 98bcad25c3 Also parse numbers with the new syntax and hard-deprecate the old one
This will allow people to switch their filters to the new syntax. The
deprecation warning is now more exhaustive, and the info() warning is
kept to ensure that everything proceeds smoothly.
The regex v2 has also been fixed to:
 - Consume all the digits/letters on the right (*)
 - Have named groups
 - Be created dynamically with other constants

(*) The previous version of v2 could complete the match and leave
digits/letters on the right when encountering numbers with the old
syntax, hence dropping support too early. We also cannot use a word
boundary (\b) because that would prevent matching numbers with trailing
dots (e.g. "5.").

Bug: T212730
Change-Id: Ibf6ac571f6b5c09149d69a19c38240ce6b024dff
2019-11-12 11:52:38 +00:00
Daimona Eaytoy a77a59b962 Hard-deprecate empty operands
This bumps the level to WARN, and makes it very clear that people should
fix the affected filters. It also removes the calling method, which was
mostly meant for debugging purposes, and changes the type to 'op_type'
to avoid conflicting with type:mediawiki in logstash.

Bug: T156096
Change-Id: Ie73f1604e8ed82bc2e1be9fc90fa065be37889a3
2019-11-12 11:39:25 +00:00
DannyS712 338341d097 When viewing old filter revisions, show abusefilter-view-oldwarning to users who cannot edit the filter
Currently, `abusefilter-edit-oldwarning` is shown to all users, but not all users are able to edit the filters, and thus the warning about editing isn't applicable to them.

Bug: T235590
Change-Id: I3717d06d4a757684fe6622961391ae06b5bd3c38
2019-11-12 11:36:44 +00:00
Translation updater bot c0a99d876b Localisation updates from https://translatewiki.net.
Change-Id: Ic6e345e2870282bc8083fc58a19d195f571cf8d5
2019-11-12 09:30:12 +01:00
jenkins-bot c4eb01186a Merge "Hard-deprecate too many params" 2019-11-11 23:38:31 +00:00
Translation updater bot 805cca30bc Localisation updates from https://translatewiki.net.
Change-Id: I8151efee17a589f15e2567b61f634f734fbf9186
2019-11-11 15:32:19 +01:00
Translation updater bot d23086323b Localisation updates from https://translatewiki.net.
Change-Id: Idc0c1d853e1c4f46e4abca6b41e630c1906e11fb
2019-11-11 14:44:48 +01:00
Daimona Eaytoy f7ac35d5c6 Hard-deprecate too many params
Bug: T230803
Change-Id: Icec8bcb8ab23956654857acc8b3d235889f587a9
2019-11-10 12:59:33 +00:00
jenkins-bot 91bc961712 Merge "Check for 0-like floats passed to the modulo operator" 2019-11-10 11:51:28 +00:00
jenkins-bot 77681bd67b Merge "Restrict viewing Special:Log/AbuseFilter, and remove from recent changes" 2019-11-10 11:48:15 +00:00
Daimona Eaytoy c0f8374624 Check for 0-like floats passed to the modulo operator
That throws an error in PHP.

Bug: T237459
Change-Id: Ia0b29d6a8b9f4aac6b5b72ce8f2f45afb03f4c99
2019-11-10 11:22:04 +00:00
jenkins-bot 7ff4b95aec Merge "Expand the list of types that can be cast to int" 2019-11-10 11:00:36 +00:00
jenkins-bot 398500121a Merge "Fix conditionals examples in i18n messages" 2019-11-10 10:41:39 +00:00
DannyS712 a137992900 Restrict viewing Special:Log/AbuseFilter, and remove from recent changes
Only allow users with `abusefilter-view` to see abuse filter log
entries. Note that this is different from the abuse log itself.

Bug: T34959
Change-Id: I587c2eb9bdc2e5ca2652aa338440cdc5b6eb9235
2019-11-10 10:41:17 +00:00
Daimona Eaytoy 585d6cdb24 Make to sure to report division by zero when the LHS is undefined
Bug: T234339
Change-Id: I1575ec013c1e7e321a8f13f40804ebc5ab076268
2019-11-08 14:08:52 +00:00
Daimona Eaytoy 1abaff1aac Better handling of keywords and functions
Always run the keyword/function handler, even if there are DUNDEFINED
arguments, so that the handler can perform further validation on the
input and report any error to the user. However, replace DUNDEFINED with
DNULL before running the handler, to avoid special-casing DUNDEFINED in
every handler. If any argument was a DUNDEFINED, we will return
DUNDEFINED anyway.

Also centralize the keyword handling logic to a new method, like it
happens for functions.

Bug: T234339
Change-Id: I875cb77418a39790e91fe5867c49917bfe406ed4
2019-11-08 15:07:20 +01:00
Daimona Eaytoy e98799a00a Centralize the code for calling keywords
This allows sharing the code between cachingparser and the old parser
(for DRY-ness), and even when the old parser will be killed, having the
logic outside of the generic parse method seems saner.

This copies what I446a307e5395ea8cc8ec5ca5d5390b074bea2f24 did for
functions.

Change-Id: Ie6290243a6c78661510a9b4cb713d6e7b2778248
2019-11-08 15:02:17 +01:00
Translation updater bot e1a2aa37a4 Localisation updates from https://translatewiki.net.
Change-Id: I958d7b361b4f1b26ed02714bdcf87cb602fd9239
2019-11-08 09:43:34 +01:00
Daimona Eaytoy b7c7ae168d Explicitly forbid negative indexes in arrays
This emits its own error because:
1- It's clearer to understand
2- It's easier to find where we're dealing with negative offsets, if
we'll ever want to allow that.

Note that trying to use a negative index already results in a hard PHP
error being thrown.

Bug: T237219
Change-Id: Ib11eaaca5e21f740269141c75e62bac48093e8d0
2019-11-08 05:55:56 +00:00
Daimona Eaytoy a7b28369ea Expand the list of types that can be cast to int
Bug: T237624
Change-Id: I2220cb8a8ec998a433a4469d7e0591ec0b4f2b12
2019-11-07 15:14:17 +01:00
Translation updater bot 6a1531b7d4 Localisation updates from https://translatewiki.net.
Change-Id: I3a38fd0004d7f4f48841c304cd2e2f2fa0ac207c
2019-11-07 09:39:33 +01:00
Translation updater bot 4bbb8911d5 Localisation updates from https://translatewiki.net.
Change-Id: I95dcc01683e3eb58ed5beb648514523975e81817
2019-11-05 09:42:51 +01:00
Translation updater bot 93dcea0043 Localisation updates from https://translatewiki.net.
Change-Id: I002d7a6729067b78855a708716a63d7cfbabac7c
2019-11-04 09:25:40 +01:00
Daimona Eaytoy cb15400f97 Fix conditionals examples in i18n messages
Bug: T237131
Change-Id: I68ca3906c64f3da43c7a4985c16f1ab031caebb5
2019-11-02 11:32:05 +01:00
jenkins-bot 5562aade87 Merge "Use PHP regexps instead of SQL to filter on Special:AbuseFilter" 2019-11-01 00:52:28 +00:00
Daimona Eaytoy 7bc70d116e Use PHP regexps instead of SQL to filter on Special:AbuseFilter
As the code comment says, and as it was suggested in
Iafe54285384bc28b3e8812b495166f2682d4571c, we were validating the
provided regexp as PCRE, but using it in SQL, which only supports POSIX.
Furthermore, we won't have to worry about cross-DBMS compat anymore.

Bug: T193068
Change-Id: If6d8717795b6c1dcf619a23363eb6144902cfaed
2019-11-01 11:26:17 +11:00
Translation updater bot 61742d946e Localisation updates from https://translatewiki.net.
Change-Id: Ia909ee4552530bd21da4c5e1fec174bcde658468
2019-10-31 09:24:25 +01:00
Petr Pchelko 915b9a1538 Remove usages of deprecated User methods
Bug: T220191
Change-Id: I54e20870a32ff98b41a98495694ff563c4c4c5ca
2019-10-30 12:51:01 +00:00
Translation updater bot e3cffb465d Localisation updates from https://translatewiki.net.
Change-Id: Ide766b61933462b10dfd8c6d2aafb93afa75d070
2019-10-30 09:30:27 +01:00
Daimona Eaytoy 03b3a555ba SECURITY: Check visibility for each version in ViewDiff
Instead of checking if the filter is currently hidden, check the
visibility for each version and, if the user cannot see private filters,
only show the diff if none of the revision is hidden.
Also avoid showing a "diff" link if the user cannot see it.

Bug: T104807
Change-Id: Ie23e8234ae550273bf3f6f9c5ac45b7fc54eec2a
2019-10-28 15:32:00 -05:00
Translation updater bot c3e78ced15 Localisation updates from https://translatewiki.net.
Change-Id: I78563bb06749bdf44aab9539f7c7bbc3204ba9b9
2019-10-28 14:53:16 +01:00
Translation updater bot 037f037995 Localisation updates from https://translatewiki.net.
Change-Id: If929688a7909e9e110a72f7d344fa213ab16a8e3
2019-10-25 09:15:41 +02:00
Translation updater bot aa5c8d8ae3 Localisation updates from https://translatewiki.net.
Change-Id: I31c266b6342164a516f156a843c692eaf9b78002
2019-10-24 10:37:49 +02:00
Daimona Eaytoy 3a9eac9ad5 Unbreak filter edit form
In Ib7427e15f673a575738489476e604c387f449ddd, I thought that $parameters could've only been null if $action wasn't
enabled, but actually, they're null even if the action is just not set.
Which is true for all actions when creating a new filter, and all
non-set actions when editing an existing one.

Hence, revert the part that touched ViewEdit.

Also add a selenium test to ensure that warn parameters are visible.

Bug: T236286
Change-Id: I8150baa077208eb1fc54ebc1d8415a243d0f3bd3
2019-10-23 18:50:44 +02:00
Translation updater bot cdee6802ea Localisation updates from https://translatewiki.net.
Change-Id: I9d7a230175216f5228571eadfd9f0d292656333e
2019-10-23 09:50:54 +02:00