This allows for some chance of avoiding extra save parses.
Also add wfDebug() call to mention the vary-* flag.
Bug: T226432
Depends-on: Idcd30a3fa3f7012dac76ce8bbf46625453ae331f
Change-Id: Id3bc207382aac90bd63df2d83d6334aae9b2477d
Ideally we'd just have composer.json require UtfNormal so we'd know
where it is and have an autoloader to load it for us, but that seems to
not be done in the world of MediaWiki extensions.
Previously we had been taking paths to the two data files from UtfNormal
and loading them into a stub class, but phan has started complaining
about the definition of the stub class colliding with the real UtfNormal.
So let's try loading the real UtfNormal\Validator and its data files.
Hopefully this continues to not try to pull in any other files via the
nonexistent autoloader.
Change-Id: I93baf20f0eef1892685e272793b4f99236e8c905
RFC 3986 allows IPv6 literals (and future IP versions) by having the
"host" enclosed in brackets, like `http://[2001:db8::]`. mw.uri should
handle these appropriately.
Bug: T223267
Change-Id: I6f712b87bc376cf606c6c2ebbe80176037d6dddb
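The bracketed-host rule from RFC 3986 referred to in the commit message above, as an added example (this is not mw.uri's code; `parseAuthority` is a hypothetical helper and the inputs are constructed). A parser that splits the authority on the first colon misidentifies the host of an IPv6 literal, so the bracketed form has to be consumed as a single token before looking for a port.

```javascript
// Split an RFC 3986 authority ("userinfo@host:port") into its parts.
// Hypothetical helper for illustration; not taken from mw.uri.
function parseAuthority(authority) {
  // userinfo cannot contain a raw "@", so an "@" separates it from the host
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = authority.slice(at + 1);
  let host, rest;
  if (hostport.startsWith('[')) {
    // IP-literal: everything up to the closing bracket is the host,
    // including the colons inside it
    const close = hostport.indexOf(']');
    if (close === -1) throw new Error('unterminated IP-literal');
    host = hostport.slice(0, close + 1);
    rest = hostport.slice(close + 1);
    const inner = host.slice(1, -1);
    // Coarse character check: IPv6 text form, or IPvFuture ("v" HEXDIG+ "." ...)
    const ipv6Chars = /^[0-9A-Fa-f:.]+$/;
    const ipvFuture = /^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$/;
    if (!ipv6Chars.test(inner) && !ipvFuture.test(inner)) {
      throw new Error('invalid IP-literal');
    }
  } else {
    // reg-name or IPv4: the first colon starts the port
    const colon = hostport.indexOf(':');
    host = colon === -1 ? hostport : hostport.slice(0, colon);
    rest = colon === -1 ? '' : hostport.slice(colon);
    if (/[\[\]]/.test(host)) throw new Error('brackets outside IP-literal');
  }
  // After the host only an optional ":" plus digits may follow
  if (rest !== '' && !/^:\d*$/.test(rest)) {
    throw new Error('invalid port or unbracketed IPv6 address');
  }
  const port = rest.length > 1 ? rest.slice(1) : null;
  return { userinfo, host, port };
}

// Constructed sample inputs
console.log(parseAuthority('[2001:db8::]'));
console.log(parseAuthority('user@[2001:db8::1]:8080'));
console.log(parseAuthority('example.org:80'));
```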
For whenever anyone else has to recompile the binaries, it's easier if
the patch file is in git.
I copied it directly out of T72541, and verified with:
patch -p1 < ../CVE-2014-5461.patch
in the lua5.1 source tree.
Change-Id: I714a9d55096d9b5d081cd3e54f3b2e6848dcafef
It's easily possible for Lua to raise errors where the string is not
valid UTF-8. When we turn that into a Scribunto_LuaError, we should
normalize it so other things don't break.
Bug: T208689
Change-Id: Idc5514261e99d64222b86877dd0500d425a26988
No need to display three decimal points for the
given cpu limit all the time.
Will change outputs like:
"1.728/10.000 seconds"
to
"1.728/10 seconds"
Change-Id: Ib1f5b435825232eaf9fde7ff0d953c137c06ac32
As documented, string.gsub( 'foo', '%a', '%1' ) should raise an invalid
capture index error because there is no capture with index 1 in the
pattern. But in fact it treats %1 as %0 in this situation. The ustring
library should match this behavior.
This patch also adds some tests for the behavior of gsub with table and
function replacements when the pattern does have captures.
Bug: T207623
Change-Id: Ie3e6c2eafa4a05989815c62c7037167642581751
It's a command line script, so echoing is not an XSS. It can
do malicious things if given a malicious command line argument,
but that is by design.
The last remaining phan-taint-check warning is due to a bug
in the plugin.
Bug: T202380
Change-Id: I19a07f741980a7e4d5e8458395c67523d240d221
The following sniffs are failing and were disabled:
* MediaWiki.Usage.ForbiddenFunctions.popen
* MediaWiki.Usage.ForbiddenFunctions.proc_open
* MediaWiki.Usage.ForbiddenFunctions.shell_exec
Change-Id: I39e352194565a5526c1a8a34992c028fb305b03b
If the replacement table or function results in a value that isn't a
string or number (or nil), string.gsub raises an error. Have ustring
raise the same error.
Bug: T195326
Change-Id: Ic36f9f5d7adc0c14e7a4a94d3747335107acd8b6
Manually import LuaSandbox's git repository as a composer dependency to
provide the PHP stubs for phan.
Change-Id: I6226b9211f31d829da5a2775c6f5cf3599dd8ebc
normalization-data.lua is updated to Unicode 8.0.0 (libicu57).
charsets.lua is updated to match the character classes used by PCRE 8.35,
which seems to be Unicode 6.3.0.
upper.lua and lower.lua are still based on whatever ancient version of
Unicode is used by mb_strtoupper and mb_strtolower in HHVM 3.18.6.
Bug: T177498
Change-Id: I00b471176e1fd21123c22d187ff222928819e459