Commit graph

59 commits

Author SHA1 Message Date
Huji Lee df21fb2b20 Remove HitCounters from AbuseFilter and use hooks instead
Goes with Ief573fb412d332bd4ad6ad8de3052dd85d534b82

Bug: T159069
Change-Id: I38cd7cbf3e595890b53624a477010bd49c9b8552
2018-07-31 03:56:20 +00:00
jenkins-bot 55d825c325 Merge "Use empty arrays instead of empty strings for diffs" 2018-07-27 00:55:40 +00:00
jenkins-bot 0979e116b4 Merge "Show AF logs for a revdeled revision if the user can see the revision" 2018-07-18 02:04:16 +00:00
Daimona Eaytoy b825e396b5 Switch editing interface to OOUI & improve NoJS usability
This settles almost everything, leaving the tags part ready to be
further improved in the follow-ups.
Also, replaced some fields with totally different ones, improved the
warn preview area and improved a bit nojs experience by hiding unusable
buttons.

Bug: T132284
Bug: T154749
Change-Id: I7a5caa862a32f9792140c6a4d9708a2d20472672
2018-07-17 14:49:50 +02:00
jenkins-bot 3e28ac176e Merge "Use isset instead of empty+strlen when checking disallow parameters" 2018-07-17 02:20:32 +00:00
jenkins-bot fed9ca759d Merge "Remove and replace an argument in AbuseFilter::addLogEntries" 2018-07-16 22:40:00 +00:00
jenkins-bot dc39c3b052 Merge "Simplify AbuseFilter::addLogEntries" 2018-07-16 21:59:47 +00:00
Matěj Suchánek 3e1a963614 Simplify AbuseFilter::addLogEntries
Change-Id: I54bcef8c69892d184ae2362282ed7477df2b4faa
2018-07-16 11:02:03 +02:00
Matěj Suchánek df346b3995 Remove and replace an argument in AbuseFilter::addLogEntries
Change-Id: Ib4613577d1b5ac5a5cc796716c95b99196259438
2018-07-16 10:59:05 +02:00
jenkins-bot 29c7f0f818 Merge "Update LogPage to ManualLogEntry" 2018-07-15 15:08:47 +00:00
Daimona Eaytoy adc06f409d Use isset instead of empty+strlen when checking disallow parameters
This line first used to be just an "strlen". Then we merged
Iaeae672dca66ffc745054daabd6f0eae7dfbc648 to clean input and this caused
some "undefined index" notices. These were in turn fixed in Ibebedb566da705e77ffb831ebda6476adba07c93 by adding an "empty". However, this slightly changed the range of accepted parameters, for instance refusing 0 and '0'. Those should never be used, so this is just a theoretical problem, but we'd better be consistent and simplify this line.

Change-Id: I4643d0632acf5926ac8de5da9bcb3e5dc715fdc1
2018-07-15 17:01:32 +02:00
Daimona Eaytoy 6a97133310 Add the user action to warn key
Otherwise, if the user is warned for e.g. trying to move a page, and
after the warning he tries to delete it, he won't be warned again. Since
filtered action (edit, move, delete...) can be really different, we
should repeat the warning if the action changed.

Bug: T199621
Change-Id: Ia481b2bf552e16de8485c246aa5612d5bb2cd6ca
2018-07-14 16:15:52 +02:00
Daimona Eaytoy 0e87c44c74 Show AF logs for a revdeled revision if the user can see the revision
The function used to determine if a row is hidden has three possible
return values: true, false and "implicit". While the first and the
second one refer to AF own suppressing system, 'implicit' means that the
revision associated with the log entry is deleted. However, we checked
for such return value with a boolean cast, which caused true and
'implicit' to be equally treated, thus hiding revdel'ed revisions to
sysops. Bonus: fixed a comment typo.

Bug: T191699
Change-Id: I87d3a6437bb966198175e4bfd063e30ed79c345f
2018-07-14 00:46:19 +02:00
Daimona Eaytoy 0815fc6a8f Update LogPage to ManualLogEntry
We still had three entries of "LogPage", which is legacy and has some
problems (I7bb0e92b2906a2511fc4290bdc76fc39ec4617fe). This patch updates
two of them to ManualLogEntry. The last one is handled separately in
Ic23e724997e4748c8d0da8138aa73d31b17b7064.

Change-Id: I2a4f18ea6baebdc114078c57d8937ce4ca2aace5
2018-07-13 19:39:57 +00:00
Daimona Eaytoy f93134a4f7 Unbreak reverting 'degroup' action
This is something that hasn't been working since January 2009, when AF
didn't have arrays and all variables were computed non-lazily. In fact,
when reverting "degroup", we used to take old groups from edit vars, but
the variable may not have been computed for such edit. Plus, we treated
the var collection as an array instead of an AbuseFilterVariableHolder
object, and exploded user_groups since it was a string. With this patch
everything should start working as intended.

Change-Id: I76917b2e331291bd42daeef8d048507dc38048cb
2018-07-13 00:25:02 +02:00
jenkins-bot cacc034d1a Merge "Fix minor issues around" 2018-07-11 00:28:50 +00:00
Daimona Eaytoy 255e405957 Fix message key for reserved tag
Introduced in I75ce47d247cf6949117370c8c78ab7c6980538f3, the message name
was misspelled in the code and thus the message doesn't show.

Change-Id: Iad515c48035259340c4824d456a14010c977e7a8
2018-07-10 01:00:59 +02:00
Daimona Eaytoy f016c6c95f Fix minor issues around
This fixes the following minor issues:
* In HistoryPager's getQueryInfo, afh_id was listed twice
* In AbuseFilter::translateFromHistory a field named "af_" was produced
if no actions were in use
* The topnav link "Recent filter changes" wasn't STRONGed on pages like
"Special:AbuseFilter/history/123"
* In checkAllFilters and AbuseFilter::getFilter, select from DB only the
fields that will be used.
* Simplify some inline comments and remove superfluous ones

Change-Id: If72b18bedac5e580487406e696aea1fd172ae45b
2018-07-07 12:11:39 +00:00
Daimona Eaytoy 33b1b12b92 Reserve abusefilter-condition-limit tag
Right now it can manually be added when creating filters. Since the
distinction is interal to AbuseFilter, we can't use hooks to achieve the
goal (the tag isn't already usable from outside AF). Also making
isAllowedTag public to make it testable.

Change-Id: I75ce47d247cf6949117370c8c78ab7c6980538f3
2018-07-06 16:43:12 +02:00
jenkins-bot 0d8e27fed7 Merge "Don't use globals for filter validation" 2018-07-06 00:36:13 +00:00
Brian Wolff 5f73034c7a Minor escaping fixes
This will also fix some (not all) of phan-taint-check's warnings

Bug: T197002
Change-Id: I7fd1798030d83292ce46543e25c0c431ec345a11
2018-07-05 18:51:30 +00:00
Daimona Eaytoy 1ae14697b5 Don't use globals for filter validation
Some of them are available from the AbuseFilterViewEdit object, the
others from its config.

Change-Id: I8495c8cc03ef86919b325798a2c08ce7c4df277f
2018-07-05 19:57:30 +02:00
Daimona Eaytoy f9687ad678 Abstract methods in ViewEdit related to filter saving
Actually, it seems like I almost got it right at the first try. I tested
every validation scenario and it worked as espected, so ready for
review.

Bug: T193596
Change-Id: I7fd1798030d83292ce46543e25c0c431ec345a28
2018-07-02 20:27:05 +02:00
Daimona Eaytoy d6d3169754 Use empty arrays instead of empty strings for diffs
Otherwise, a blank page will be considered as having a newline inside,
which won't be marked as added (or removed) in the diff. This requires
introducing a new method and leaving the old one for backward
compatibility, and may cause regressions.

Bug: T74329
Change-Id: I9a2397fd849544b499cad97a383e5331471e9d73
2018-06-30 10:28:56 +00:00
Daimona Eaytoy 79ec4ebf8b Stop computing removed variables and show custom error message
Old_text and old_html were disabled a long time ago. With this patch,
the user will get a custom error message if trying to use them (instead
of the unrecognisedvar one), plus they'll stop appearing in /examine and
/details, unless they were computed for the examined edit (and in that case, their description message is now restored). Lastly, added a precisation to their messages.

Bug: T190698
Change-Id: Ife168522e6b1d8eb94ebbb8a16ae8831ec1dc497
2018-06-26 20:02:31 +02:00
Daimona Eaytoy c75bc35f7d Rename lists to arrays
Arrays were introduced with the name "lists". While it **may** look
user-friendlier and so on, it actually uses a wrong name: lists are
different from arrays. I ran a grep and I should've replaced
every occurrence, plus everything seems to work, however a double check
wouldn't be bad.

Change-Id: I6a858f02f5dd9250ba7e1abf9c6422fd98758c9e
2018-06-26 14:42:23 +02:00
Daimona Eaytoy 3c1dae9e14 Allow users with abusefilter-view-private to use testing interface
Now the required need will be abusefilter-modify OR
abusefilter-view-private for /tools, /test and /examine.

Bug: T193903
Change-Id: I3f1a91a2cc1df2272e5d4099cefd7c649a0683d5
2018-06-24 14:10:38 +00:00
jenkins-bot c34eda8936 Merge "Introduce sanitize() function" 2018-06-24 13:53:46 +00:00
Max Semenik 5c8a8da1f2 Fix some Doxygen problems
Change-Id: I04ce5564ec73e45a6d94c51be94bd1423a86780a
2018-06-08 13:02:40 -07:00
jenkins-bot 617e045483 Merge "Get rid of call_user_func_array()" 2018-06-08 19:32:31 +00:00
Thiemo Kreuz 9a185042b8 Update \AbuseFilter::checkSyntax documentation
Change-Id: I5c5caefab8d46773a459809d956a91fda7471863
2018-06-08 19:18:39 +00:00
Max Semenik 4c312a2693 Get rid of call_user_func_array()
Yay PHP7!

Change-Id: I2ec13d1a51981c6922949bed0c7dd2525c48f591
2018-06-07 23:01:27 -07:00
Huji Lee 2792fce41e Introduce sanitize() function
Normalizes HTML entities into unicode characters

Bug: T169122
Change-Id: Ic916a6f8976e486d62d65156fa2dab56a55cf22a
2018-06-03 16:37:23 -04:00
Max Semenik 94f3bc67ca Use PHP7 ?? operator
Change-Id: I757b832ac86f52d8b70ffc42fdb60796ab81e7fe
2018-05-31 11:53:03 -07:00
jenkins-bot 7682a61786 Merge "Reset condCount when entering checkAllFilters" 2018-05-27 11:03:56 +00:00
libraryupgrader 99c212226d build: Updating mediawiki/mediawiki-codesniffer to 20.0.0
Change-Id: Ib1d0dfa76babc01c30f4e905e8f6fb80e1e9a0bc
2018-05-25 23:31:49 +00:00
Daimona Eaytoy ef489d7ab5 Simplify contentToString function
Use TextContent::normalizeLineEndings instead of manually replacing
carriage returns, plus avoid the if with a simple string cast. This also
fixes some cases where a null edit isn't counted as such due to a "\n"
in new_wikitext which isn't trimmed.

Bug: T168736
Change-Id: Idfafab3fcf7912bf0aec22700d2c0137bdd6c3c8
2018-05-16 16:52:29 +02:00
Daimona Eaytoy 91c5f6d5b9 Improve the i18n message for throttling to show in history
With the introduction of custom block durations in Ib072433d19dabae48d8514e08be9893135b5d63c, the method which generates action display was enlarged in order to provide a more readable and complete message. However, for throttling we currently have an unreadable message like "Throttle: xx, yy, zzz". This is wrong for two reasons: first, those numbers need to be deciphered; second, the first number is the filter ID which is totally unuseful here.

Change-Id: I0ec6a27ff5f37aae864dfd91161bf44f0a217ef1
2018-05-13 13:29:45 +02:00
Umherirrender 42769ce676 Replace wfGetLB
@deprecated since 1.27, extension.json required 1.31

Change-Id: I0467cde378c85095673fd39fed1924c330c27d7b
2018-05-04 21:35:11 +02:00
Daimona Eaytoy 80ef9d442a Show "blocktalk" in AbuseFilter diff and improve message generation
Quite self-explanatory. If the talk page is blocked, a sentence is
added, otherwise it remains as it is. Plus, improved the way messages
are generated and reduced their reuse.

Bug: T193692
Change-Id: I01f5113ca586b94c25e1102c73d158ebb01c5a4b
2018-05-03 21:11:13 +02:00
Daimona Eaytoy 9b1f1b263e Fix XSS vulnerabilities
I found these vulnerabilities while trying to setup seccheck. Although
I'm not sure whether seccheck recognised them, I'm sure that they exist
since I did manual tests, and it's possible to inject custom scripts
with these.

Change-Id: I97804be8352a1b784d483195edb29e363a0c616e
2018-05-01 16:55:46 +02:00
Roan Kattouw cbabcf1276 Follow-up 392f37d516: fix undefined index notice
'disallow' rules with a missing first parameters are perfectly fine (and
quite common), so don't throw notices when that happens.

This broke Flow's unit tests, and caused exceptions for all api.php
edits that triggered a 'disallow' rule.

Change-Id: Ibebedb566da705e77ffb831ebda6476adba07c93
2018-04-30 15:24:25 -07:00
Daimona Eaytoy 04b15a1b75 Reset condCount when entering checkAllFilters
This seems like the logical way to be sure that multiple mass actions
won't be counted as one, thus reaching the conditions limit. I tried to
test this locally, but I actually had troubles to simply replicate the
issue of the reached limit in a stable manner, so I'm not totally sure.
Anyway, this shouldn't do any harm.

Bug: T193374
Change-Id: Icdc172f76705870ee502339a53e912e15a3bd31d
2018-04-30 18:42:24 +02:00
Daimona Eaytoy caa4b1c763 Add phan configuration
This is taken from I6a57a28f22600aafb2e529587ecce6083e9f7da4 and makes
all the needed changes to make phan pass. Seccheck will instead fail,
but since it's not clear how to fix it (and it is non-voting), for the
moment we may merge this and enable phan on IC.

Bug: T192325
Change-Id: I77648b6f8e146114fd43bb0f4dfccdb36b7ac1ac
2018-04-30 08:32:58 +00:00
jenkins-bot 51591b9fb8 Merge "Move AbuseFilter::buildEditBox static method to AbuseFilterView class" 2018-04-26 13:45:07 +00:00
Daimona Eaytoy d9fc90c281 Move AbuseFilter::buildEditBox static method to AbuseFilterView class
Make it non static, plus a couple of minor stylistic fixes to such method.

Bug: T190180
Change-Id: I54dd1f785d33908a0481aa2db997aa085776fc2d
2018-04-26 09:24:04 +02:00
Daimona Eaytoy 71f375f19a Add equals_to_any function
Introduce a new function which can be used to group multiple comparisons
in a single condition. In particular, equals_to_any(S, A, B) is the
equivalent of S === A || S === B. This is especially useful in checking
for multiple namespaces, as proposed in the Community health initiative.

Change-Id: I9dcfe303eb5e51e1882fe4a65fa876aa93db7686
2018-04-25 23:12:19 +00:00
jenkins-bot 913d37eba6 Merge "Filter parameters when loading/editing them" 2018-04-24 00:24:57 +00:00
Daimona Eaytoy fa413d431e Use the old textarea if JavaScript is disabled
Basically, with this we always start with a functioning textarea. If JS
is enabled (and CodeEditor installed), it gets then replaced by the Ace
editor.

Bug: T192241
Change-Id: Id4dc1debf0240d5b336f4d9ab5b363c240f08807
2018-04-23 23:43:23 +00:00
Daimona Eaytoy 392f37d516 Filter parameters when loading/editing them
Re-opening of I8eb50d38c81b4e446c0f1dc03abc27122b8fa025 by Thiemo Kreuz.

Bug: T189681
Change-Id: Iaeae672dca66ffc745054daabd6f0eae7dfbc648
2018-04-23 23:43:05 +00:00