Revert "Merge pull request #127 from Wikia/REL1_43_1-upgrade"

RELEASE-NOTES-1.43

@@ -7,86 +7,13 @@ PHP 8.4 workboard: https://phabricator.wikimedia.org/tag/php_8.4_support/
 
 == MediaWiki 1.43.1 ==
 
-This is a security and maintenance release of the MediaWiki 1.42 branch.
+THIS IS NOT A RELEASE YET
+
+=== Changes since MediaWiki 1.43.1 ===
 
-=== Changes since MediaWiki 1.43.0 ===
 * Localisation updates.
-* (T375707) exception: Convert E_STRICT errors to E_USER_NOTICE.
-* (T380755) session: Do not set session.use_trans_sid.
 * (T382987) $wgDnsBlacklistUrls now defaults to an empty array. See the comment
   in the "Configuration changes for system administrators" section.
-* (T383037) MimeMap: add gltf and glb mime types.
-* (T383037) MimeAnalyzer: detect magic number for gltf binary.
-* Commit swagger-ui's NOTICE.
-* (T382484) dumps: Use proc_close() to close proc_open() subprocess.
-* (T375707) MWExceptionHandler: Add error suppression to constant( 'E_STRICT' ).
-* (T384879) FormatMetadata: Prevent running preg_match() on null.
-* (T384995) specialpage: Improve handling of invalid lang codes on login/signup.
-* (T385055) resourceloader: Fix hash computation for virtual files with
-  versionFilePath.
-* (T385169) MultiUsernameFilter: Don't try to split ids if they're not a string.
-* (T385567) parser: Gracefully handle invalid ParsoidRenderID keys.
-* (T385568) rest: Return a 400 for invalid render IDs.
-* (T383646) installer: Simplify the information box.
-* (T384524) installer: Fix conflation between warning and info messages.
-* (T376711) language: Use fallback chain to create NumberFormatter.
-* (T384524) installer: Restore success messages.
-* (T384524) installer: Restore "complete" success message.
-* (T385332) feeds: Fix str_replace() deprecation warnings on PHP 8.
-* (T386891) Revert "maintenance: Use DatabaseSqlite for type-hinting instead of
-  DBConnRef".
-* (T381205) Add explanation text for "Allow emails from brand-new users".
-* (T380880) ExternalLinks: fix mailto: links reversal.
-* (T381033) RateLimiter: Fix peek mode.
-* initEditCount: Join from user to actor to revision.
-* (T387130,CVE-2025-32699) SECURITY: Update wikimedia/parsoid to 0.20.2.
-* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace error.
-* (T387638) RevDelList: Ensure setVisibility always includes itemStatuses in
-  value if applicable.
-* (T388296) ImportImages: Exit with non-zero code if import fails.
-* Request: Improve log message when headers already sent.
-* (T386368, T387397) REST page metadata endpoints: handle supressed data
-  gracefully.
-* (T388066) Avoid trying to load the session user in MW_NO_SESSION endpoints.
-* (T388171) HttpError: Cast Message to string.
-* (T384197) permissions: Avoid potential infinite loop if BlockDisablesLogin =
-  true.
-* (T388255) ApiLogin: Don't break BotPasswords if password or user is blank,
-  just error.
-* (T388924) MagicWord::replace*: Make sure we don't pass null into preg_match/
-  preg_replace.
-* (T388944) Html: Fix "substr(): Passing null to parameter #1 ($string) of type
-  string is deprecated".
-* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace: Apply same
-  anti-null fix as 270499b.
-* (T387690) upload: Suppress warnings from iconv().
-* (T388733) Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
-* (T315573) Fix GREATEST usage in site_stats.
-* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert
-  action.
-* (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager:
-  Differentiate between cascading protection of file content and file pages.
-* (T387507) ResourceLoader: update wikimedia/minify from 2.8.0 to 2.8.1.
-* (T388273, T388335) Upgrading pear/net_url2 (v2.2.2 => v2.2.3).
-* (T390063, T277675) ResourceLoader: update wikimedia/minify to 2.9.0.
-* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1
-  ($haystack).
-* (T378622) Parameterize ChangeTags::buildTagFilterSelector to support various
-  tag sets.
-* (T344352) ChangeTags: Optimize label and description parsing.
-* In .htaccess deny files, use "Satisfy All".
-* (T322672, T387478) REST: Remove unused setUseParserCache() as potential
-  footgun.
-* (T389028) block: Fix DBS::acquireTarget() race using GET_LOCK().
-* (T388807) LanguageConverter: Only set mTablesLoaded once they're really
-  loaded.
-* RestrictionStore: Remove short-circuit mode when fetching cascading sources.
-* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
-  functions do not correctly enforce suppression restrictions.
-* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack
-  enabled by Unicode normalization in Action API.
-* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
-  HTMLMultiSelectField when sections are used.
 
 == MediaWiki 1.43.0 ==
 
@@ -319,7 +246,7 @@ For notes on 1.42.x and older releases, see HISTORY.
 * Updated wikimedia/at-ease from 2.1.0 to 3.0.0.
 * Updated wikimedia/json-codec from 3.0.1 to 3.0.3.
 * Updated wikimedia/less.php from 4.2.1 to 5.1.2.
-* Updated wikimedia/minify from 2.7.0 to 2.9.0.
+* Updated wikimedia/minify from 2.7.0 to 2.8.0.
 * Updated wikimedia/normalized-exception from 1.0.1 to 2.0.0.
 * Updated wikimedia/php-session-serializer from 2.0.1 to 3.0.0.
 * Updated wikimedia/purtle from 1.0.8 to 2.0.0.

autoload.php

@@ -1873,7 +1873,6 @@
 	'MediaWiki\\OutputTransform\\Stages\\HandleParsoidSectionLinks' => __DIR__ . '/includes/OutputTransform/Stages/HandleParsoidSectionLinks.php',
 	'MediaWiki\\OutputTransform\\Stages\\HandleSectionLinks' => __DIR__ . '/includes/OutputTransform/Stages/HandleSectionLinks.php',
 	'MediaWiki\\OutputTransform\\Stages\\HandleTOCMarkers' => __DIR__ . '/includes/OutputTransform/Stages/HandleTOCMarkers.php',
-	'MediaWiki\\OutputTransform\\Stages\\HardenNFC' => __DIR__ . '/includes/OutputTransform/Stages/HardenNFC.php',
 	'MediaWiki\\OutputTransform\\Stages\\HydrateHeaderPlaceholders' => __DIR__ . '/includes/OutputTransform/Stages/HydrateHeaderPlaceholders.php',
 	'MediaWiki\\OutputTransform\\Stages\\ParsoidLocalization' => __DIR__ . '/includes/OutputTransform/Stages/ParsoidLocalization.php',
 	'MediaWiki\\OutputTransform\\Stages\\RenderDebugInfo' => __DIR__ . '/includes/OutputTransform/Stages/RenderDebugInfo.php',

cache/.htaccess

@@ -1,2 +1 @@
 Require all denied
-Satisfy All

composer.json

@@ -66,10 +66,10 @@
 		"wikimedia/ip-utils": "5.0.0",
 		"wikimedia/json-codec": "3.0.3",
 		"wikimedia/less.php": "5.1.2",
-		"wikimedia/minify": "2.9.0",
+		"wikimedia/minify": "2.8.0",
 		"wikimedia/normalized-exception": "2.0.0",
 		"wikimedia/object-factory": "5.0.1",
-		"wikimedia/parsoid": "0.20.2",
+		"wikimedia/parsoid": "0.20.1",
 		"wikimedia/php-session-serializer": "3.0.0",
 		"wikimedia/purtle": "2.0.0",
 		"wikimedia/relpath": "4.0.1",

includes/.htaccess

@@ -1,2 +1 @@
 Require all denied
-Satisfy All

includes/Defines.php

@@ -34,7 +34,7 @@
  *
  * @since 1.35 (also backported to 1.33.3 and 1.34.1)
  */
-define( 'MW_VERSION', '1.43.1' );
+define( 'MW_VERSION', '1.43.0' );
 
 /** @{
  * Obsolete IDatabase::makeList() constants

includes/ExternalLinks/LinkFilter.php

@@ -271,11 +271,11 @@ public static function reverseIndexes( $domainIndex ) {
 			$mailparts = explode( '@', $bits['path'], 2 );
 			if ( count( $mailparts ) === 2 ) {
 				$domainpart = rtrim( self::reverseDomain( $mailparts[0] ), '.' );
-				$bits['host'] = $mailparts[1] . '@' . $domainpart;
 			} else {
 				// No @, assume it's a local part with no domain
-				$bits['host'] = $mailparts[0];
+				$domainpart = '';
 			}
+			$bits['host'] = $mailparts[1] . '@' . $domainpart;
 		} else {
 			$bits['host'] = rtrim( self::reverseDomain( $bits['host'] ), '.' );
 		}

includes/Feed/AtomFeed.php

@@ -100,7 +100,7 @@ public function outItem( $item ) {
 			"url" => $this->xmlEncode(
 				$this->urlUtils->expand( $item->getUrlUnescaped(), PROTO_CURRENT ) ?? ''
 			),
-			"date" => $this->xmlEncodeNullable( $this->formatTime( $item->getDate() ) ),
+			"date" => $this->xmlEncode( $this->formatTime( $item->getDate() ) ),
 			"description" => $item->getDescription(),
 			"author" => $item->getAuthor()
 		];

includes/Feed/FeedItem.php

@@ -100,15 +100,6 @@ public function xmlEncode( $string ) {
 		return htmlspecialchars( $string );
 	}
 
-	/**
-	 * Encode $string so that it can be safely embedded in a XML document,
-	 * returning `null` if $string was `null`.
-	 * @since 1.44 (also backported to 1.39.12, 1.42.6 and 1.43.1)
-	 */
-	public function xmlEncodeNullable( ?string $string ): ?string {
-		return $string !== null ? $this->xmlEncode( $string ) : null;
-	}
-
 	/**
 	 * Get the unique id of this item; already xml-encoded
 	 *

includes/Feed/RSSFeed.php

@@ -78,7 +78,7 @@ public function outItem( $item ) {
 			"permalink" => $item->rssIsPermalink,
 			"uniqueID" => $item->getUniqueID(),
 			"description" => $item->getDescription(),
-			"date" => $this->xmlEncodeNullable( $this->formatTime( $item->getDate() ) ),
+			"date" => $this->xmlEncode( $this->formatTime( $item->getDate() ) ),
 			"author" => $item->getAuthor()
 		];
 		$comments = $item->getCommentsUnescaped();

includes/Html/Html.php

@@ -28,7 +28,6 @@
 use MediaWiki\Json\FormatJson;
 use MediaWiki\MainConfigNames;
 use MediaWiki\MediaWikiServices;
-use MediaWiki\Parser\Sanitizer;
 use MediaWiki\Request\ContentSecurityPolicy;
 use UnexpectedValueException;
 
@@ -194,7 +193,6 @@ public static function rawElement( $element, $attribs = [], $contents = '' ) {
 		if ( isset( self::$voidElements[$element] ) ) {
 			return $start;
 		} else {
-			$contents = Sanitizer::escapeCombiningChar( $contents ?? '' );
 			return $start . $contents . self::closeElement( $element );
 		}
 	}
@@ -849,7 +847,7 @@ public static function hidden( $name, $value, array $attribs = [] ) {
 	public static function textarea( $name, $value = '', array $attribs = [] ) {
 		$attribs['name'] = $name;
 
-		if ( substr( $value ?? '', 0, 1 ) == "\n" ) {
+		if ( substr( $value, 0, 1 ) == "\n" ) {
 			// Workaround for T14130: browsers eat the initial newline
 			// assuming that it's just for show, but they do keep the later
 			// newlines, which we may want to preserve during editing.

includes/Html/HtmlHelperTrait.php

@@ -3,7 +3,6 @@
 namespace MediaWiki\Html;
 
 use Wikimedia\Assert\Assert;
-use Wikimedia\RemexHtml\Serializer\HtmlFormatter;
 use Wikimedia\RemexHtml\Serializer\SerializerNode;
 
 /**
@@ -24,9 +23,6 @@ public function __construct( $options, callable $shouldModifyCallback, callable
 		parent::__construct( $options );
 		$this->shouldModifyCallback = $shouldModifyCallback;
 		$this->modifyCallback = $modifyCallback;
-		// Escape U+0338 (T387130)
-		'@phan-var HtmlFormatter $this';
-		$this->textEscapes["\u{0338}"] = '̸';
 	}
 
 	public function element( SerializerNode $parent, SerializerNode $node, $contents ) {

includes/Message/Message.php

@@ -34,7 +34,6 @@
 use MediaWiki\Page\PageReferenceValue;
 use MediaWiki\Parser\Parser;
 use MediaWiki\Parser\ParserOutput;
-use MediaWiki\Parser\Sanitizer;
 use MediaWiki\StubObject\StubUserLang;
 use MediaWiki\Title\Title;
 use RuntimeException;
@@ -1043,7 +1042,7 @@ private function format( string $format ): string {
 			// '⧼' is used instead of '<' to side-step any
 			// double-escaping issues.
 			// (Keep synchronised with mw.Message#toString in JS.)
-			return '⧼' . Sanitizer::escapeCombiningChar( htmlspecialchars( $this->key ) ) . '⧽';
+			return '⧼' . htmlspecialchars( $this->key ) . '⧽';
 		}
 
 		if ( in_array( $this->getLanguage()->getCode(), [ 'qqx', 'x-xss' ] ) ) {
@@ -1079,7 +1078,6 @@ private function format( string $format ): string {
 		} elseif ( $format === self::FORMAT_ESCAPED ) {
 			$string = $this->transformText( $string );
 			$string = htmlspecialchars( $string, ENT_QUOTES, 'UTF-8', false );
-			$string = Sanitizer::escapeCombiningChar( $string );
 		}
 
 		# Raw parameter replacement
@@ -1593,7 +1591,7 @@ protected function formatPlaintext( $plaintext, $format ) {
 			case self::FORMAT_BLOCK_PARSE:
 			case self::FORMAT_ESCAPED:
 			default:
-				return Sanitizer::escapeCombiningChar( htmlspecialchars( $plaintext, ENT_QUOTES ) );
+				return htmlspecialchars( $plaintext, ENT_QUOTES );
 		}
 	}
 

includes/OutputTransform/DefaultOutputPipelineFactory.php

@@ -14,7 +14,6 @@
 use MediaWiki\OutputTransform\Stages\HandleParsoidSectionLinks;
 use MediaWiki\OutputTransform\Stages\HandleSectionLinks;
 use MediaWiki\OutputTransform\Stages\HandleTOCMarkers;
-use MediaWiki\OutputTransform\Stages\HardenNFC;
 use MediaWiki\OutputTransform\Stages\HydrateHeaderPlaceholders;
 use MediaWiki\OutputTransform\Stages\ParsoidLocalization;
 use MediaWiki\OutputTransform\Stages\RenderDebugInfo;
@@ -99,10 +98,6 @@ class DefaultOutputPipelineFactory {
 		'HydrateHeaderPlaceholders' => [
 			'class' => HydrateHeaderPlaceholders::class,
 		],
-		# This should be last, in order to ensure final output is hardened
-		'HardenNFC' => [
-			'class' => HardenNFC::class,
-		],
 	];
 
 	public function __construct(