Upgrade to 1.43.9#156
Open
harnash wants to merge 511 commits into
Open
Conversation
* Update extensions/AbuseFilter from branch 'REL1_43' to 2e670e614142db737fc94d111ffb2cae1adee7ef - Localisation updates from https://translatewiki.net. Change-Id: Ia00b32454ab45cf76e792ee190b0a5c7514f792d
* Update extensions/CiteThisPage from branch 'REL1_43' to 860b96a8d12e8fe1ea9d23b431a78c8ac2dc550a - Localisation updates from https://translatewiki.net. Change-Id: Ia438e75b8de604ce607c12f515d3d9a902fef17f
* Update extensions/Cite from branch 'REL1_43' to 222c4adbc1a04a16482ebe8142dc9d756a866edc - Localisation updates from https://translatewiki.net. Change-Id: Ib395ba2da57a79eea98f8f8e2430462b91ebd206
* Update extensions/ConfirmEdit from branch 'REL1_43' to f56adade85b7da6c198bc2e6bb6f83b22696df8a - Localisation updates from https://translatewiki.net. Change-Id: Iff1c245e71da31fc3d0c83aa830f6cba5de7518e
* Update extensions/Echo from branch 'REL1_43' to 13cf926adaf0507d5629b46b5cb9da86fa90302c - Localisation updates from https://translatewiki.net. Change-Id: Ie6ef44ef8bd264664e5b5f1605ce372615ba2fa4
* Update extensions/DiscussionTools from branch 'REL1_43' to b2db82d79e691e93799f82e39783ef7f4ed16604 - Localisation updates from https://translatewiki.net. Change-Id: Iec160dfeee3dd3a9b243cf809ec09c7b69895af5
* Update extensions/Gadgets from branch 'REL1_43' to 5a33ad77b009a660f7903474bc4110a47eb38082 - Localisation updates from https://translatewiki.net. Change-Id: Id266390b65aac9453c23804df8367f4870d738ac
* Update extensions/InputBox from branch 'REL1_43' to 0ff45ea7ad60b7a3bde962a79a06a954304e10af - Localisation updates from https://translatewiki.net. Change-Id: Ie79676098c68b30ad0859c4f6f17d8c9edd1389d
* Update extensions/Math from branch 'REL1_43' to bbcdbd94865c6246408958687ed9370e0de3c64a - Localisation updates from https://translatewiki.net. Change-Id: Ibf8079e2bc189bf61561dd75891457335326dcb6
* Update extensions/OATHAuth from branch 'REL1_43' to 604b49a027822d6594c23732f014a217248ad814 - Localisation updates from https://translatewiki.net. Change-Id: Iab9a6232c52500c6065bb06fb3604ea6589acbc1
* Update extensions/Linter from branch 'REL1_43' to 1457a7c46a3d53019886ca83f86480f1931ae21d - Localisation updates from https://translatewiki.net. Change-Id: I9f12625e651f03bbc1a3f683bf97c3dee165d0b7
* Update extensions/Scribunto from branch 'REL1_43' to cb61d6efa0a86a2f2147f34e1f7a915b2f98cea2 - Localisation updates from https://translatewiki.net. Change-Id: I02228d5261f3304f71d2281dbb486ac5ae166027
* Update extensions/TemplateData from branch 'REL1_43' to ed8e4d304129f7a2660b5416fb03421258010723 - Localisation updates from https://translatewiki.net. Change-Id: Ic45339da23f032e0cf012ca551670aab97ff1ce1
* Update extensions/PageImages from branch 'REL1_43' to 51afd35e7b1197659207ced64fdc9b7816036b86 - Localisation updates from https://translatewiki.net. Change-Id: I96139bb159e4d0c89fe9963dd836ff3b7f2fc922
* Update extensions/ParserFunctions from branch 'REL1_43' to 55c8cbcdc7b3b47833bc735f3f3f5446549b6fb2 - Localisation updates from https://translatewiki.net. Change-Id: I8886259e74774f1595fbd2ab2b583f0cff189a1f
* Update extensions/PdfHandler from branch 'REL1_43' to b950f28f1f7785d7ea613faa0d9f87c7956744f4 - Localisation updates from https://translatewiki.net. Change-Id: I9739c7a769aeb59e6b4591347328ae559806097d
* Update extensions/ReplaceText from branch 'REL1_43' to 34ea544ef716a59ffab212cb7fcd88226a35fc4b - Localisation updates from https://translatewiki.net. Change-Id: Ic5cbe7884ada73a7b11b8732de2602dacf74355f
* Update extensions/VisualEditor from branch 'REL1_43' to a70d62011f1bec9a77648765fb81a0264d282f2c - Localisation updates from https://translatewiki.net. Change-Id: Id88515621e4964e54aec6e96e9e33bb38240139d
* Update extensions/WikiEditor from branch 'REL1_43' to 523a175952fe117c5e9a12760742112a9965fec1 - Localisation updates from https://translatewiki.net. Change-Id: I7db3d2efa5cb7fef211330b4531caee89df7a825
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43' to 8ed28d35ef8b1ba3ef24eb5424783ab2547c8974 - Localisation updates from https://translatewiki.net. Change-Id: I7e52137a33a0b5bdeb2d4bc823e850914d79f561
* Update skins/MinervaNeue from branch 'REL1_43' to e906f935042c966535724a3c64f45acbc77d2883 - Localisation updates from https://translatewiki.net. Change-Id: I186d83a42dca9a242d5ee081df3ece7c515c2f56
* Update skins/Timeless from branch 'REL1_43' to 08db2051c8ad0495a1091729e4443cd529841aad - Localisation updates from https://translatewiki.net. Change-Id: Iaad68c72ef78105c69412d032f1121a3640e0697
* Update skins/Vector from branch 'REL1_43' to bdbbfdd18815d1e2d2604b48e921dc3e50f7fbf3 - Localisation updates from https://translatewiki.net. Change-Id: I28f2257dfade47c627c2f758f8db82c05ef7a751
* Improve docs * Add some pointers * Link test case for T424114 to that task Bug: T424114 Change-Id: I3885cb7a1d67366a28a9da60e5c9da6061195de0
Same as SpecialChangeEmail Change-Id: I24aed19877e9530e7399d7b8ba460558d311e522 (cherry picked from commit d260740)
Only output to structured logging, but may be useful for short term tracking of changes of this sort Change-Id: I19df7ecdc25cfe836a7776a1c1ddcf6ee73b3492 (cherry picked from commit 8d466a7)
Change-Id: If7fdeb88811cc95e5c3d82a5df54e7b731d8bee1 (cherry picked from commit 9b7ecab)
… change Change-Id: I57d61a957725d655413bb813c9a22c2d4a44a723 (cherry picked from commit 6668a5f)
* Update skins/MinervaNeue from branch 'REL1_43'
to 3383326e7426d576317d0e5d823b13812bb500f5
- build: Updating fast-uri to 3.1.2
* GHSA-q3j6-qgpj-74h6
* GHSA-v39h-62p7-jpjc
Change-Id: I6492aeab13f218fe7975538fc4d58f50878889b4
* Update skins/MonoBook from branch 'REL1_43'
to 89dbb3b84c0a5e7904f91b23c89b5eafe1df98ae
- build: Updating fast-uri to 3.1.2
* GHSA-q3j6-qgpj-74h6
* GHSA-v39h-62p7-jpjc
Change-Id: Icea418755691e6e046e59a81f1c457223dfff3b8
* Update skins/MinervaNeue from branch 'REL1_43' to b4b36b50330c4a9c24c4eceb27a008df7349c5a6 - Localisation updates from https://translatewiki.net. Change-Id: Ib618935c6665f983b3b0d39d43004a67aad9e02c
* Update skins/Vector from branch 'REL1_43' to f3fa365c7a653f8eeffb625b9cb2dfdd169b876a - Localisation updates from https://translatewiki.net. Change-Id: Ic50fb69fa183f17920dca11b4dd686945ba3f6c1
* Update vendor from branch 'REL1_43'
to fc5527cd236ad5628e53390ab0ef443be37d7d1c
- Upgrade guzzlehttp/*
- Upgrading guzzlehttp/guzzle (7.12.1 => 7.12.3)
- Upgrading guzzlehttp/psr7 (2.12.1 => 2.12.3)
Bug: T429965
Change-Id: I12587800b14be67ebebd6dd151f05bf5845d3e71
Bug: T429965 Depends-On: I12587800b14be67ebebd6dd151f05bf5845d3e71 Change-Id: I1a702ade97efcfbda81cb5518ec64add772f71e7 (cherry picked from commit 75af966)
Add a library providing date/time formatting according to the user's preferred time zone and date preference. I tested formatting of an example date with all defined formats in all languages, and I found that it gives identical output to PHP in about 90% of our ~500 languages. Resolve some of the outstanding issues by aliasing the problematic date formats on the client side, so that the user will see the date in another acceptable format for the same language. The remaining issues mostly relate to the use of a fallback language to display weekdays and non-Gregorian month names. Details: * Add Language::getJsDateFormats(), which converts existing date formats to an options array that can be interpreted by the client. * In Messages*.php, add $numberingSystem, which is the CLDR numbering system ID. I set it for all languages that had overriden $digitTransformTable. This is sent to the client in the library's JSON config and is used as the default numberingSystem option when formatting dates. * In Messages*.php, add $jsDateFormats, which overrides the automatically generated date format options. Bug: T389161 Change-Id: Ib6bc8ebd4d01317aaf32225c6006ea2dc7a1b39e
Bug: T382781 Change-Id: I0b3a253b401995b44600f9f23fe8b2f9124ccb49 (cherry picked from commit c13f73e)
PHP 8.4 adds a 'native' translation to arabic numerals for apc, so we need to add entries to the digitTransformTable to map them back. Bug: T382781 Change-Id: I827b6979064bb5a440ed6c72a3d0e6e586bafeba (cherry picked from commit 33006d7)
Not sure if this is relevant at all to the cases causing us to not get any error messages in production, but it's one of the ways I can imagine not getting an error message, and seems a harmless change. Bug: T383047 Change-Id: Ie10e7ccf2352c3f140f9fae719f12a3ac4eda906 (cherry picked from commit 5ea0f7d)
Change-Id: I732e5b27acbc59f497252c2e7a9a6fc79ffb4196
Change-Id: Ieaff55b4ed9635284b3e1a20b00b0d0babc78af5 Follows-Up: I732e5b27acbc59f497252c2e7a9a6fc79ffb4196
Why: - Prep for wrapping the mail() path in a retry loop (T383047) What: - Move the PHP mail() branch of send() into a private helper - No behaviour change; the SMTP branch ($wgSMTP), which uses symfony/mailer, is left untouched Assisted-by: Claude Opus 4.8 Bug: T383047 Change-Id: Ia2d8359f3e844231667103693a2ee2ef9c0c5b84
In the v8 upgrade we've seen we have awaits that we do not need. This patch removes those awaits. Change-Id: Ie6f118e9351c192d454e64b29427768732991a91
* Update extensions/Cite from branch 'REL1_43'
to be960c78d053fade47a477594058f816cbc1a960
- build: Updating npm dependencies
* form-data: 4.0.4 → 4.0.6
* GHSA-hmw2-7cc7-3qxx
* markdown-it: 14.1.1 → 14.2.0
* GHSA-6v5v-wf23-fmfq
Change-Id: I3c7445b08f0ff2fc9414d6404947c951cde9935e
Why: - mail() failures (T383047) are logged without a recipient count or domain, so logs can't show whether they hit single- or multi-recipient sends, or cluster on a failing domain - That split is needed to decide whether a future retry should run per-recipient or stay single-recipient only What: - Log php-mail-error / php-mail-error-unknown at warning on 'usermailer' (was debug-only) with recipient_count and recipient_domains (distinct domains, not addresses) fields - Add recipient_count and recipient_domains to the success log too, so failure rates can be compared by recipient count and domain Assisted-by: Claude Opus 4.8 Bug: T383047 Change-Id: Ide7ebedc88144bf1923dee6e6a006bd1326fd166
* Update extensions/Echo from branch 'REL1_43'
to 08b9ec7bf91f446f2f6c04cb648f97589dafe45c
- build: Updating markdown-it to 14.2.0
* GHSA-6v5v-wf23-fmfq
Change-Id: Ie33b903643d2c7d9b862aa24d93dea3d9ceefaf9
Add a regression test for accidental conversion of block log expiry times from relative to absolute timestamps. Bug: T248196 Change-Id: Ie7db802c43b222260074c01bf70a3e9759cef845 (cherry picked from commit 9dc5072)
* Update extensions/SecureLinkFixer from branch 'REL1_43'
to d6666aff448ebb4ef0aaf16c1442904c5e6351f6
- Updating domains.php from Mozilla
Change-Id: I111f2da3f09a3e1992cbf1b4361365325dc6d8c2
* Update extensions/SyntaxHighlight_GeSHi from branch 'REL1_43'
to e3d0c1b06885eeb4237c9b0743601f4f739addf4
- SECURITY: Escape linelinks argument before passing it on to Pygments
CVE-2026-58030
Bug: T427167
Change-Id: I55db500b6dfc0dcf9539285801b82da2cfad5100
* Update extensions/AbuseFilter from branch 'REL1_43'
to cb743f106d334e7e2dfb911c8d96cc19b939c83a
- SECURITY: Hide hit count for private/protected filters in API
CVE-2026-58027
Why:
* The QueryAbuseFilters API (action=query&list=abusefilters) returns
the hit count for all filters, including private and protected ones,
even when the requesting user lacks the necessary permissions. The
Special:AbuseFilter UI correctly hides the hit count using
canSeeLogDetailsForFilter(), but the API does not perform this check.
What:
* Gate the 'hits' field in the API response behind the same
canSeeLogDetailsForFilter() permission check that the UI uses in
AbuseFilterPager::formatValue().
* Add test coverage for hit count visibility with protected and hidden
filters for users with varying permission levels.
Bug: T406954
Change-Id: Icd1a8e01366c2e8f4ed4cf0b3fdd3fca88725266
CVE-2026-58028 This prevents user JS, sitewide JS, Gadgets, and other script modules from being loaded on URLs like api.php?format=xmlfm&... or api.php URLs without a format parameter specified (the default value is jsonfm). Bug: T422306 Change-Id: I5963c6ce44a6ae3deb129d476dcc61f231e0284a
CVE-2026-58033 Bug: T427235 Change-Id: I8545f887afa4bbe15cfe3ac6f0a58733ef00cbcb
CVE-2026-58032 In formatversion=1, where the message property is called '*' both in errorformat=html and errorformat=plaintext, we can’t know if this is safe HTML or not; treat it as unsafe text. (Also add handling for .text, i.e. errorformat=plaintext or errorformat=wikitext in formatversion=2.) If this causes double-escaping for anyone, they should switch to formatversion=2. Bug: T426867 Change-Id: Ic06ac925baf29f92d1dffb0b3721f22d62e96cc8
…udable CVE-2026-58026 If the original title passed to getTemplateDom() is a redirect in an includable namespace which is pointing to a page in a non-includable namespace, the page will still be transcluded. Fix this by also checking isNonincludable for the title returned by fetchTemplateAndTitle(). Bug: T299359 Change-Id: I33b6d44c23b6b965c8c61d11680c18c8d1b1dfff
CVE-2026-58024 Why: * action=userrights API could be used to enumerate users on private wikis via the user@wikiid format, even if the performer has no special permissions. Different error codes (badtoken vs nosuchuser) reveal whether a user exists on the remote wiki. What: * If the performer has no 'userrights-interwiki' permission, block the cross-wiki user lookup before it reaches MultiFormatUserIdentityLookup, returning a generic permission denied error instead. * This mirrors the fix applied to SpecialUserRights in Gerrit change I15306e63. Bug: T422085 Change-Id: I2a9813eb69f714b2b96305e435271bf35d4bd7a7
CVE-2026-58029 Bug: T422676 Change-Id: I3cdfecc4d5bb5efeed989c77117ed98df03c1c71
CVE-2026-58037 In T422244 we discovered that the params are user-controlled, and so we shouldn't allow the params to declare themselves to be safe as raw HTML. This is technically a breaking change, but there are no known uses of this feature. Bug: T422995 Change-Id: Ice6593be3adede6e70a0c1313a7e472ae457acab
CVE-2026-58025 Log entry parameters allowed unserialization of user-controlled data, leading to a remote code execution vulnerability. Resolve this issue by restricting which classes may be unserialized. Users with the 'importupload' or 'import' rights (default 'sysop' group) were able to exploit this vulnerability. Additionally, log entry formatting code may suffer from XSS and DOS vulnerabilities when passed user-controlled data. Mitigate this issue by further restricting who can import log entries. The new 'logentryimport' right is not granted to anyone by default. Disallow importing of log entries with forbidden serialized data. Handle formatting of existing log entries with forbidden serialized data by displaying a custom placeholder message instead. Bug: T422244 Change-Id: I14554d38d68a9895d094331faebd33b8109924bf
Change-Id: I4a3acb1efc003fd1012d7de68310459fb4333eeb
Tagging 1.43.9 # -----BEGIN PGP SIGNATURE----- # # iF0EABECAB0WIQQdmIZ+gpgsj+Crwl+babMQnTu3sAUCakK1lgAKCRCbabMQnTu3 # sJf1AKDzF/RQmOFDux6JTJfaVwoib9pvtwCg7sjmeG+/ZP57lFwQIVb+Uj3ldh8= # =wBeS # -----END PGP SIGNATURE----- # gpg: Signature made Mon Jun 29 20:12:38 2026 CEST # gpg: using DSA key 1D98867E82982C8FE0ABC25F9B69B3109D3BB7B0 # gpg: Can't check signature: No public key
peterdevpl
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Link: https://fandom.atlassian.net/browse/PLATFORM-11848