While there is currently no demonstrated vulnerability, this provides
additional hardening against SPECTRE-like attacks, and any potential
future timing attacks.
Bug: T184156
Change-Id: I2b5cc177bded1a9b5600d77116e67817841204be
The serialization format of PSquare changed so that trying to unserialize
an older version of the class results in data corruption, causing
"Division by zero" warnings.
Bug: T186839
Change-Id: Ie5d68d98402d0ab74b800c874ae50bc36e23e2bf
When passing an array from PHP to Lua, stringify integer array keys
beyond the range a lua_Number can represent.
When passing a table from Lua to PHP,
* Avoid exponential encoding for integer keys beyond 1e14, so Zend PHP
will interpret them as integers.
* Always encode integer keys as integers, so HHVM will interpret them as
integers.
* Detect collisions, e.g. { [0] = 'foo', ["0"] = 'bar' }
Bug: T186240
Change-Id: I078068ed57df078248a307608381614bdfc70801
For integers from Lua to PHP, make sure they won't use exponential
notation that will confuse unserialize(), and pass the integer size from
PHP so Lua can know which numbers are representable as integers.
For doubles in both directions, increase the precision to avoid
truncation of the least significant bits.
Change-Id: Icfaff71cab0ee1aac04acf752d108049b5569380
When we're making a call from Lua to PHP, serialization errors should be
propagated to whatever in Lua made the call. That works fine.
But when we're returning data in response to a call from PHP, if there's
a serialization error we need to catch it and tell PHP about it.
Otherwise PHP just gets a useless "the interpreter exited".
Change-Id: Iaac498fa2e486631d38e2366977b360140756519
The extraneous whitespace in the return value from wfShellExec() causes
multiplying $size to trigger the newly introduced "A non well formed
numeric value encountered" warning in PHP 7.1+.
Work around that by using trim() to get rid of the whitespace.
Bug: T186299
Change-Id: I3d47ef6cc7fb99b4d4840dc847d150c3939ee535
This extension requires 1.31 (it follows the release branches compatibility
policy), so we can remove a lot of legacy checks and code.
Change-Id: Ieb42073010caffb1f6811d3a2f629aa60c1d2034
The two lualib/ustring generation scripts run independently of MediaWiki, so
the new wfIsCLI() isn't usable there.
Bug: T184043
Change-Id: I217657d12e16a7b76dc814be5fed03540c461e7c
The following sniffs are failing and were disabled:
* Generic.Files.OneObjectStructurePerFile.MultipleFound
* Squiz.Scope.MethodScope.Missing
The following sniffs now pass and were enabled:
* MediaWiki.Files.OneClassPerFile.MultipleFound
Change-Id: I7499d975eb378abd500619f0026a32b59fe6dda6
Before this, tools like Phan and others read
`Scribunto_LuaLibraryBase::register()` returns `\Lua` type
from the document comment,
but it actually returns `array` type since the implementation
of this function should returns the value of
`Scribunto_LuaEngine::registerInterface()` which returns
`array` type.
Change-Id: I25beea963444b715bed7b2890475c0c812949520
PHP 7.2 made the questionable decision to raise a warning for
count( null ). So test for null explicitly before calling count in the
one place where null is expected.
Bug: T181891
Change-Id: I94146c14b63e32ad1e9f2ab9de9ebc403b251102
