This tag is used to group security bugs by their general classification. These bugs cover denial of service (DoS) vulnerabilities.
Parent project: Security-Team
In T272297#9700700, @stjn wrote: This continuously causes issues with user scripts after any rename, I am asking someone from Security-Team to take time to review the patch provided.
This continuously causes issues with user scripts after any rename, I am asking someone from Security-Team to take time to review the patch provided.
Change #1016026 merged by jenkins-bot:
[mediawiki/core@REL1_39] Use i18n strings for truncated subpage message in SpecialMovePage
Change #1016011 merged by jenkins-bot:
[mediawiki/core@master] Use i18n strings for truncated subpage message in SpecialMovePage
Change #1015685 merged by jenkins-bot:
[mediawiki/core@REL1_40] Use i18n strings for truncated subpage message in SpecialMovePage
Change #1015684 merged by jenkins-bot:
[mediawiki/core@REL1_41] Use i18n strings for truncated subpage message in SpecialMovePage
Change #1016026 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):
[mediawiki/core@REL1_39] Use i18n strings for truncated subpage message
Change #1015685 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):
[mediawiki/core@REL1_40] Use i18n strings for truncated subpage message
Change #1015684 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):
[mediawiki/core@REL1_41] Use i18n strings for truncated subpage message
Change #1016011 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):
[mediawiki/core@master] Use i18n strings for truncated subpage message
In T357760#9671830, @Reedy wrote: @Dreamy_Jazz The patches should be landing in master pretty soon. Would you mind making the followup to move the hardcoded en strings into proper i18n messages please?
No massive rush though!
Sure. I'll do that now.
Can this be made public now?
Change #1015423 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Limit subpages displayed on Special:MovePage form
@Dreamy_Jazz The patches should be landing in master pretty soon. Would you mind making the followup to move the hardcoded en strings into proper i18n messages please?
Change #1015415 merged by jenkins-bot:
[mediawiki/core@REL1_40] SECURITY: Limit subpages displayed on Special:MovePage form
Change #1015419 merged by jenkins-bot:
[mediawiki/core@REL1_41] SECURITY: Limit subpages displayed on Special:MovePage form
Change #1015410 merged by jenkins-bot:
[mediawiki/core@REL1_39] SECURITY: Limit subpages displayed on Special:MovePage form
Change #1015423 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):
[mediawiki/core@master] SECURITY: Limit subpages displayed on Special:MovePage form
Change #1015419 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):
[mediawiki/core@REL1_41] SECURITY: Limit subpages displayed on Special:MovePage form
Change #1015415 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):
[mediawiki/core@REL1_40] SECURITY: Limit subpages displayed on Special:MovePage form
Change #1015410 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):
[mediawiki/core@REL1_39] SECURITY: Limit subpages displayed on Special:MovePage form
In T357760#9661968, @Reedy wrote: Patch applies cleanly to MW-1.41-release and master.
rMWa99ec1b4fa59: Title: Use TitleArrayFromResult instead of TitleArray seems to cause the conflicts on MW-1.40-release
T357760-v2-REL1_40.patch (4 KB)
And applying that patch with -3 works for MW-1.39-release (file rename)
T357760-v2-REL1_39.patch (4 KB)
+2
In T357760#9661953, @Reedy wrote:diff --git a/includes/specials/SpecialMovePage.php b/includes/specials/SpecialMovePage.php index d35999b190c..eed3e74a1d7 100644 --- a/includes/specials/SpecialMovePage.php +++ b/includes/specials/SpecialMovePage.php @@ -1030,7 +1030,7 @@ class SpecialMovePage extends UnlistedSpecialPage { // having the i18n rebuilt for all deployments due to this security patch. $out->addWikiTextAsInterface( "The first $maximumMovedPages {{PLURAL:$maximumMovedPages|subpage|subpages}} " . - ( $noSubpageMsg ? 'for the corresponding talk page' : 'for this page' ) . ' are shown below.' + ( $noSubpageMsg ? 'for this page' : 'for the corresponding talk page' ) . ' are shown below.' ); } else { $out->addWikiMsg( $wikiMsg, $this->getLanguage()->formatNum( $pagecount ) );T357760-v2.patch4 KBDownload
+2
Patch applies cleanly to MW-1.41-release and master.
diff --git a/includes/specials/SpecialMovePage.php b/includes/specials/SpecialMovePage.php index d35999b190c..eed3e74a1d7 100644 --- a/includes/specials/SpecialMovePage.php +++ b/includes/specials/SpecialMovePage.php @@ -1030,7 +1030,7 @@ class SpecialMovePage extends UnlistedSpecialPage { // having the i18n rebuilt for all deployments due to this security patch. $out->addWikiTextAsInterface( "The first $maximumMovedPages {{PLURAL:$maximumMovedPages|subpage|subpages}} " . - ( $noSubpageMsg ? 'for the corresponding talk page' : 'for this page' ) . ' are shown below.' + ( $noSubpageMsg ? 'for this page' : 'for the corresponding talk page' ) . ' are shown below.' ); } else { $out->addWikiMsg( $wikiMsg, $this->getLanguage()->formatNum( $pagecount ) );
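Review bot: In the ternary on the changed line, `$noSubpageMsg` gives no hint which branch belongs to the subject page and which to the talk page, and the removed line shows the two strings had been swapped; a one-line comment above the ternary stating what a true value means, or a boolean named for the page type, would let the next reader check the order at a glance. The sentence is also still built from hardcoded English fragments passed to `addWikiTextAsInterface`, which the context comment ties to avoiding an i18n rebuild for this security patch, so the follow-up that moves it into proper messages should be tracked alongside this change.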
In T357760#9598730, @Dreamy_Jazz wrote: In T357760#9598683, @Mstyles wrote: Thanks. I've been able to verify that this patch works as expected and prevents the request timeout.
There is one bug I didn't find when testing. The hard-coded message is switched around (so the message for the talk pages is above the non-talk pages and vice versa). That isn't a major problem IMO and could be fixed once this is uploaded to gerrit.
In T357760#9599310, @Mstyles wrote: @Dreamy_Jazz I'm glad that the patch works. I think adding the hard-coded message once this is uploaded is fine. There was an issue with deployment which I wanted to note here: https://phabricator.wikimedia.org/T276237#9598800
@Dreamy_Jazz I'm glad that the patch works. I think adding the hard-coded message once this is uploaded is fine. There was an issue with deployment which I wanted to note here: https://phabricator.wikimedia.org/T276237#9598800
In T357760#9598683, @Mstyles wrote:
In T357760#9553901, @Dreamy_Jazz wrote: Proposed patch:
T357760.patch (4 KB)
Note: Due to https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Guidelines_for_creating_patches, this patch has a hardcoded message which is used when the list of subpages is truncated.
In T357760#9584799, @mmartorana wrote: From a security perspective, there doesn't seem to be any concern with this patch.
From a security perspective, there doesn't seem to be any concern with this patch.
Proposed patch: