Skip to content

Upgrade to 1.43.9#156

Open
harnash wants to merge 511 commits into
REL1_43-Fandomfrom
upgrade/REL1_43-Fandom-to-1.43.9
Open

Upgrade to 1.43.9#156
harnash wants to merge 511 commits into
REL1_43-Fandomfrom
upgrade/REL1_43-Fandom-to-1.43.9

Conversation

@harnash

@harnash harnash commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

translatewiki and others added 30 commits May 12, 2026 05:13
* Update extensions/AbuseFilter from branch 'REL1_43'
  to 2e670e614142db737fc94d111ffb2cae1adee7ef
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ia00b32454ab45cf76e792ee190b0a5c7514f792d
* Update extensions/CiteThisPage from branch 'REL1_43'
  to 860b96a8d12e8fe1ea9d23b431a78c8ac2dc550a
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ia438e75b8de604ce607c12f515d3d9a902fef17f
* Update extensions/Cite from branch 'REL1_43'
  to 222c4adbc1a04a16482ebe8142dc9d756a866edc
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ib395ba2da57a79eea98f8f8e2430462b91ebd206
* Update extensions/ConfirmEdit from branch 'REL1_43'
  to f56adade85b7da6c198bc2e6bb6f83b22696df8a
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iff1c245e71da31fc3d0c83aa830f6cba5de7518e
* Update extensions/Echo from branch 'REL1_43'
  to 13cf926adaf0507d5629b46b5cb9da86fa90302c
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ie6ef44ef8bd264664e5b5f1605ce372615ba2fa4
* Update extensions/DiscussionTools from branch 'REL1_43'
  to b2db82d79e691e93799f82e39783ef7f4ed16604
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iec160dfeee3dd3a9b243cf809ec09c7b69895af5
* Update extensions/Gadgets from branch 'REL1_43'
  to 5a33ad77b009a660f7903474bc4110a47eb38082
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Id266390b65aac9453c23804df8367f4870d738ac
* Update extensions/InputBox from branch 'REL1_43'
  to 0ff45ea7ad60b7a3bde962a79a06a954304e10af
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ie79676098c68b30ad0859c4f6f17d8c9edd1389d
* Update extensions/Math from branch 'REL1_43'
  to bbcdbd94865c6246408958687ed9370e0de3c64a
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ibf8079e2bc189bf61561dd75891457335326dcb6
* Update extensions/OATHAuth from branch 'REL1_43'
  to 604b49a027822d6594c23732f014a217248ad814
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iab9a6232c52500c6065bb06fb3604ea6589acbc1
* Update extensions/Linter from branch 'REL1_43'
  to 1457a7c46a3d53019886ca83f86480f1931ae21d
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I9f12625e651f03bbc1a3f683bf97c3dee165d0b7
* Update extensions/Scribunto from branch 'REL1_43'
  to cb61d6efa0a86a2f2147f34e1f7a915b2f98cea2
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I02228d5261f3304f71d2281dbb486ac5ae166027
* Update extensions/TemplateData from branch 'REL1_43'
  to ed8e4d304129f7a2660b5416fb03421258010723
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ic45339da23f032e0cf012ca551670aab97ff1ce1
* Update extensions/PageImages from branch 'REL1_43'
  to 51afd35e7b1197659207ced64fdc9b7816036b86
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I96139bb159e4d0c89fe9963dd836ff3b7f2fc922
* Update extensions/ParserFunctions from branch 'REL1_43'
  to 55c8cbcdc7b3b47833bc735f3f3f5446549b6fb2
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I8886259e74774f1595fbd2ab2b583f0cff189a1f
* Update extensions/PdfHandler from branch 'REL1_43'
  to b950f28f1f7785d7ea613faa0d9f87c7956744f4
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I9739c7a769aeb59e6b4591347328ae559806097d
* Update extensions/ReplaceText from branch 'REL1_43'
  to 34ea544ef716a59ffab212cb7fcd88226a35fc4b
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ic5cbe7884ada73a7b11b8732de2602dacf74355f
* Update extensions/VisualEditor from branch 'REL1_43'
  to a70d62011f1bec9a77648765fb81a0264d282f2c
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Id88515621e4964e54aec6e96e9e33bb38240139d
* Update extensions/WikiEditor from branch 'REL1_43'
  to 523a175952fe117c5e9a12760742112a9965fec1
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I7db3d2efa5cb7fef211330b4531caee89df7a825
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43'
  to 8ed28d35ef8b1ba3ef24eb5424783ab2547c8974
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I7e52137a33a0b5bdeb2d4bc823e850914d79f561
* Update skins/MinervaNeue from branch 'REL1_43'
  to e906f935042c966535724a3c64f45acbc77d2883
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I186d83a42dca9a242d5ee081df3ece7c515c2f56
* Update skins/Timeless from branch 'REL1_43'
  to 08db2051c8ad0495a1091729e4443cd529841aad
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Iaad68c72ef78105c69412d032f1121a3640e0697
* Update skins/Vector from branch 'REL1_43'
  to bdbbfdd18815d1e2d2604b48e921dc3e50f7fbf3
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: I28f2257dfade47c627c2f758f8db82c05ef7a751
* Improve docs
* Add some pointers
* Link test case for T424114 to that task

Bug: T424114
Change-Id: I3885cb7a1d67366a28a9da60e5c9da6061195de0
Same as SpecialChangeEmail

Change-Id: I24aed19877e9530e7399d7b8ba460558d311e522
(cherry picked from commit d260740)
Only output to structured logging, but may be useful
for short term tracking of changes of this sort

Change-Id: I19df7ecdc25cfe836a7776a1c1ddcf6ee73b3492
(cherry picked from commit 8d466a7)
Change-Id: If7fdeb88811cc95e5c3d82a5df54e7b731d8bee1
(cherry picked from commit 9b7ecab)
… change

Change-Id: I57d61a957725d655413bb813c9a22c2d4a44a723
(cherry picked from commit 6668a5f)
* Update skins/MinervaNeue from branch 'REL1_43'
  to 3383326e7426d576317d0e5d823b13812bb500f5
  - build: Updating fast-uri to 3.1.2
    
    * GHSA-q3j6-qgpj-74h6
    * GHSA-v39h-62p7-jpjc
    
    Change-Id: I6492aeab13f218fe7975538fc4d58f50878889b4
* Update skins/MonoBook from branch 'REL1_43'
  to 89dbb3b84c0a5e7904f91b23c89b5eafe1df98ae
  - build: Updating fast-uri to 3.1.2
    
    * GHSA-q3j6-qgpj-74h6
    * GHSA-v39h-62p7-jpjc
    
    Change-Id: Icea418755691e6e046e59a81f1c457223dfff3b8
translatewiki and others added 29 commits June 23, 2026 05:13
* Update skins/MinervaNeue from branch 'REL1_43'
  to b4b36b50330c4a9c24c4eceb27a008df7349c5a6
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ib618935c6665f983b3b0d39d43004a67aad9e02c
* Update skins/Vector from branch 'REL1_43'
  to f3fa365c7a653f8eeffb625b9cb2dfdd169b876a
  - Localisation updates from https://translatewiki.net.
    
    Change-Id: Ic50fb69fa183f17920dca11b4dd686945ba3f6c1
* Update vendor from branch 'REL1_43'
  to fc5527cd236ad5628e53390ab0ef443be37d7d1c
  - Upgrade guzzlehttp/*
    
      - Upgrading guzzlehttp/guzzle (7.12.1 => 7.12.3)
      - Upgrading guzzlehttp/psr7 (2.12.1 => 2.12.3)
    
    Bug: T429965
    Change-Id: I12587800b14be67ebebd6dd151f05bf5845d3e71
Bug: T429965
Depends-On: I12587800b14be67ebebd6dd151f05bf5845d3e71
Change-Id: I1a702ade97efcfbda81cb5518ec64add772f71e7
(cherry picked from commit 75af966)
Add a library providing date/time formatting according to the user's
preferred time zone and date preference.

I tested formatting of an example date with all defined formats in all
languages, and I found that it gives identical output to PHP in about
90% of our ~500 languages.

Resolve some of the outstanding issues by aliasing the problematic date
formats on the client side, so that the user will see the date in
another acceptable format for the same language.

The remaining issues mostly relate to the use of a fallback language to
display weekdays and non-Gregorian month names.

Details:

* Add Language::getJsDateFormats(), which converts existing date formats
  to an options array that can be interpreted by the client.
* In Messages*.php, add $numberingSystem, which is the CLDR numbering
  system ID. I set it for all languages that had overriden
  $digitTransformTable. This is sent to the client in the library's JSON
  config and is used as the default numberingSystem option when
  formatting dates.
* In Messages*.php, add $jsDateFormats, which overrides the
  automatically generated date format options.

Bug: T389161
Change-Id: Ib6bc8ebd4d01317aaf32225c6006ea2dc7a1b39e
Bug: T382781
Change-Id: I0b3a253b401995b44600f9f23fe8b2f9124ccb49
(cherry picked from commit c13f73e)
PHP 8.4 adds a 'native' translation to arabic numerals for apc, so
we need to add entries to the digitTransformTable to map them back.

Bug: T382781
Change-Id: I827b6979064bb5a440ed6c72a3d0e6e586bafeba
(cherry picked from commit 33006d7)
Not sure if this is relevant at all to the cases causing us to
not get any error messages in production, but it's one of the ways
I can imagine not getting an error message, and seems a harmless change.

Bug: T383047
Change-Id: Ie10e7ccf2352c3f140f9fae719f12a3ac4eda906
(cherry picked from commit 5ea0f7d)
Change-Id: I732e5b27acbc59f497252c2e7a9a6fc79ffb4196
Change-Id: Ieaff55b4ed9635284b3e1a20b00b0d0babc78af5
Follows-Up: I732e5b27acbc59f497252c2e7a9a6fc79ffb4196
Why:

- Prep for wrapping the mail() path in a retry loop (T383047)

What:

- Move the PHP mail() branch of send() into a private helper
- No behaviour change; the SMTP branch ($wgSMTP), which uses
  symfony/mailer, is left untouched

Assisted-by: Claude Opus 4.8
Bug: T383047
Change-Id: Ia2d8359f3e844231667103693a2ee2ef9c0c5b84
In the v8 upgrade we've seen we have awaits that we do not need.
This patch removes those awaits.

Change-Id: Ie6f118e9351c192d454e64b29427768732991a91
* Update extensions/Cite from branch 'REL1_43'
  to be960c78d053fade47a477594058f816cbc1a960
  - build: Updating npm dependencies
    
    * form-data: 4.0.4 → 4.0.6
      * GHSA-hmw2-7cc7-3qxx
    * markdown-it: 14.1.1 → 14.2.0
      * GHSA-6v5v-wf23-fmfq
    
    Change-Id: I3c7445b08f0ff2fc9414d6404947c951cde9935e
Why:

- mail() failures (T383047) are logged without a recipient
  count or domain, so logs can't show whether they hit single-
  or multi-recipient sends, or cluster on a failing domain
- That split is needed to decide whether a future retry should
  run per-recipient or stay single-recipient only

What:

- Log php-mail-error / php-mail-error-unknown at warning on
  'usermailer' (was debug-only) with recipient_count and
  recipient_domains (distinct domains, not addresses) fields
- Add recipient_count and recipient_domains to the success log
  too, so failure rates can be compared by recipient count and
  domain

Assisted-by: Claude Opus 4.8
Bug: T383047
Change-Id: Ide7ebedc88144bf1923dee6e6a006bd1326fd166
* Update extensions/Echo from branch 'REL1_43'
  to 08b9ec7bf91f446f2f6c04cb648f97589dafe45c
  - build: Updating markdown-it to 14.2.0
    
    * GHSA-6v5v-wf23-fmfq
    
    Change-Id: Ie33b903643d2c7d9b862aa24d93dea3d9ceefaf9
Add a regression test for accidental conversion of block log expiry
times from relative to absolute timestamps.

Bug: T248196
Change-Id: Ie7db802c43b222260074c01bf70a3e9759cef845
(cherry picked from commit 9dc5072)
* Update extensions/SecureLinkFixer from branch 'REL1_43'
  to d6666aff448ebb4ef0aaf16c1442904c5e6351f6
  - Updating domains.php from Mozilla
    
    Change-Id: I111f2da3f09a3e1992cbf1b4361365325dc6d8c2
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43'
  to e3d0c1b06885eeb4237c9b0743601f4f739addf4
  - SECURITY: Escape linelinks argument before passing it on to Pygments
    
    CVE-2026-58030
    
    Bug: T427167
    Change-Id: I55db500b6dfc0dcf9539285801b82da2cfad5100
* Update extensions/AbuseFilter from branch 'REL1_43'
  to cb743f106d334e7e2dfb911c8d96cc19b939c83a
  - SECURITY: Hide hit count for private/protected filters in API
    
    CVE-2026-58027
    
    Why:
    * The QueryAbuseFilters API (action=query&list=abusefilters) returns
      the hit count for all filters, including private and protected ones,
      even when the requesting user lacks the necessary permissions. The
      Special:AbuseFilter UI correctly hides the hit count using
      canSeeLogDetailsForFilter(), but the API does not perform this check.
    
    What:
    * Gate the 'hits' field in the API response behind the same
      canSeeLogDetailsForFilter() permission check that the UI uses in
      AbuseFilterPager::formatValue().
    * Add test coverage for hit count visibility with protected and hidden
      filters for users with varying permission levels.
    
    Bug: T406954
    Change-Id: Icd1a8e01366c2e8f4ed4cf0b3fdd3fca88725266
CVE-2026-58028

This prevents user JS, sitewide JS, Gadgets, and other script modules
from being loaded on URLs like api.php?format=xmlfm&... or api.php URLs
without a format parameter specified (the default value is jsonfm).

Bug: T422306
Change-Id: I5963c6ce44a6ae3deb129d476dcc61f231e0284a
CVE-2026-58033

Bug: T427235
Change-Id: I8545f887afa4bbe15cfe3ac6f0a58733ef00cbcb
CVE-2026-58032

In formatversion=1, where the message property is called '*' both in
errorformat=html and errorformat=plaintext, we can’t know if this is
safe HTML or not; treat it as unsafe text. (Also add handling for .text,
i.e. errorformat=plaintext or errorformat=wikitext in formatversion=2.)
If this causes double-escaping for anyone, they should switch to
formatversion=2.

Bug: T426867
Change-Id: Ic06ac925baf29f92d1dffb0b3721f22d62e96cc8
…udable

CVE-2026-58026

If the original title passed to getTemplateDom() is a redirect in an
includable namespace which is pointing to a page in a non-includable
namespace, the page will still be transcluded. Fix this by also
checking isNonincludable for the title returned by
fetchTemplateAndTitle().

Bug: T299359
Change-Id: I33b6d44c23b6b965c8c61d11680c18c8d1b1dfff
CVE-2026-58024

Why:
* action=userrights API could be used to enumerate users on private
  wikis via the user@wikiid format, even if the performer has no
  special permissions. Different error codes (badtoken vs nosuchuser)
  reveal whether a user exists on the remote wiki.

What:
* If the performer has no 'userrights-interwiki' permission, block
  the cross-wiki user lookup before it reaches
  MultiFormatUserIdentityLookup, returning a generic permission
  denied error instead.
* This mirrors the fix applied to SpecialUserRights in
  Gerrit change I15306e63.

Bug: T422085
Change-Id: I2a9813eb69f714b2b96305e435271bf35d4bd7a7
CVE-2026-58029

Bug: T422676
Change-Id: I3cdfecc4d5bb5efeed989c77117ed98df03c1c71
CVE-2026-58037

In T422244 we discovered that the params are user-controlled,
and so we shouldn't allow the params to declare themselves
to be safe as raw HTML.

This is technically a breaking change, but there are no known
uses of this feature.

Bug: T422995
Change-Id: Ice6593be3adede6e70a0c1313a7e472ae457acab
CVE-2026-58025

Log entry parameters allowed unserialization of user-controlled data,
leading to a remote code execution vulnerability. Resolve this issue
by restricting which classes may be unserialized.

Users with the 'importupload' or 'import' rights (default 'sysop'
group) were able to exploit this vulnerability.

Additionally, log entry formatting code may suffer from XSS
and DOS vulnerabilities when passed user-controlled data. Mitigate
this issue by further restricting who can import log entries.
The new 'logentryimport' right is not granted to anyone by default.

Disallow importing of log entries with forbidden serialized data.
Handle formatting of existing log entries with forbidden serialized
data by displaying a custom placeholder message instead.

Bug: T422244
Change-Id: I14554d38d68a9895d094331faebd33b8109924bf
Change-Id: I4a3acb1efc003fd1012d7de68310459fb4333eeb
Tagging 1.43.9

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQQdmIZ+gpgsj+Crwl+babMQnTu3sAUCakK1lgAKCRCbabMQnTu3
# sJf1AKDzF/RQmOFDux6JTJfaVwoib9pvtwCg7sjmeG+/ZP57lFwQIVb+Uj3ldh8=
# =wBeS
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Jun 29 20:12:38 2026 CEST
# gpg:                using DSA key 1D98867E82982C8FE0ABC25F9B69B3109D3BB7B0
# gpg: Can't check signature: No public key
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.