Skip to content

Commit 5146009

Browse files
committed
Merge branch 'wikimedia-REL1_45' into REL1_45
2 parents bf22004 + ea49272 commit 5146009

6 files changed

Lines changed: 34 additions & 12 deletions

File tree

RELEASE-NOTES-1.45

Lines changed: 19 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ PHP 8.5 workboard: https://phabricator.wikimedia.org/tag/php_8.5_support/
88

99
== MediaWiki 1.45.1 ==
1010

11-
THIS IS NOT A RELEASE YET
11+
This is a security and maintenance release of the MediaWiki 1.45 branch.
1212

1313
=== Changes since 1.45.0 ===
1414
* Localisation updates.
@@ -20,14 +20,31 @@ THIS IS NOT A RELEASE YET
2020
* (T411968) Installer: Do not use null as array offset.
2121
* Add support for HTTP/3 in MultiHttpClient.
2222
* (T411968) EditResultBuilder: Do not use null as array offset.
23+
* Add http/3 to runMulti in MultiHttpClient
24+
* (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in
25+
Special:ApiSandbox.
26+
* (T406664, CVE-2025-67475) SECURITY: Escape square brackets in autocomment
27+
links.
28+
* (T405859, CVE-2025-67476) SECURITY: Do not use importers IP in case of
29+
external rev author.
30+
* (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail
31+
encoded-words.
32+
* (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and wide
33+
underscore in data-* attribute names.
34+
* (T401053, CVE-2025-67480) SECURITY: Check read permissions in
35+
ApiQueryRevisionsBase.
36+
* (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape
37+
'comma-separator' between multiple protection levels.
38+
* (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in client-side
39+
messages (jqueryMsg).
2340

2441
== MediaWiki 1.45.0 ==
2542

2643
=== Changes since MediaWiki 1.45.0-rc.0 ===
2744
* Localisation updates.
2845
* (T410913) SpecialVersion: Fix "Cannot use bool as array" warning.
2946
* (T410928) resourceloader: Fix null offset in ClientHtml module sorting.
30-
* (T401987, T401995) SECURITY: Disable xslt option by default.
47+
* (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by default.
3148
* (T410934) Remove noop xml_parser_free() calls.
3249
* (T405450) session: Use fresh MW services container in CLI mode.
3350
* (T410912) MessageCache: Fix PHP 8.5 warning from ord().

includes/Defines.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
*
2121
* @since 1.35 (also backported to 1.33.3 and 1.34.1)
2222
*/
23-
define( 'MW_VERSION', '1.45.0' );
23+
define( 'MW_VERSION', '1.45.1' );
2424

2525
/** @{
2626
* Obsolete IDatabase::makeList() constants

includes/parser/CoreParserFunctions.php

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1363,7 +1363,9 @@ public static function padright( $parser, $string = '', $length = '0', $padding
13631363
public static function anchorencode( $parser, $text ) {
13641364
$text = $parser->killMarkers( $text );
13651365
$section = substr( $parser->guessSectionNameFromWikiText( $text ), 1 );
1366-
return Sanitizer::safeEncodeAttribute( $section );
1366+
$encodedSection = Sanitizer::safeEncodeAttribute( $section );
1367+
// decode underscores to avoid breaking templates (T407131)
1368+
return str_replace( '_', '_', $encodedSection );
13671369
}
13681370

13691371
/**

includes/parser/Sanitizer.php

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -501,8 +501,10 @@ public static function validateAttributes( array $attribs, array $allowed ): arr
501501
# * Ensure attribute name will be accepted by the HTML
502502
# parser; see
503503
# https://github.com/whatwg/dom/issues/849#issuecomment-1007541209
504+
# * Underscore and double-wide underscore (U+FF3F) is disallowed
505+
# here (but not in Parsoid): T407131
504506
if ( (
505-
!preg_match( '|^data-[^:= \t\r\n/>\0]*$|i', $attribute ) &&
507+
!preg_match( '|^data-[^:= \t\r\n/>\0__]*$|i', $attribute ) &&
506508
!array_key_exists( $attribute, $allowed )
507509
) || self::isReservedDataAttribute( $attribute ) ) {
508510
continue;
@@ -852,7 +854,8 @@ public static function safeEncodeAttribute( string $text ): string {
852854
'RFC' => 'RFC',
853855
'PMID' => 'PMID',
854856
'|' => '|',
855-
'__' => '__',
857+
'_' => '_',
858+
'_' => '_', // Japanese magic words
856859
] );
857860

858861
# Stupid hack

tests/parser/headings.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2391,7 +2391,7 @@ parsoid=wt2html,html2html
23912391
{| STYLE=__TOC__
23922392
!! html/php
23932393
<div class="mw-heading mw-heading2"><h2 id="a">a</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=Parser_test&amp;action=edit&amp;section=1" title="Edit section: a">edit</a><span class="mw-editsection-bracket">]</span></span></div>
2394-
<table style="&#95;_TOC&#95;_">
2394+
<table style="&#95;&#95;TOC&#95;&#95;">
23952395
<tbody><tr><td></td></tr>
23962396
</tbody></table>
23972397
!! html/parsoid

tests/parser/parserTests.txt

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9437,7 +9437,7 @@ wgFragmentMode=[ "html5", "legacy" ]
94379437
!! wikitext
94389438
<span id="æ: v">byte</span>[[#æ: v|backlink]]
94399439
!! html/php
9440-
<p><span id="æ:_v">byte</span><a href="#æ:_v">backlink</a>
9440+
<p><span id="æ:&#95;v">byte</span><a href="#æ:_v">backlink</a>
94419441
</p>
94429442
!! html/parsoid
94439443
<p><span id="æ:_v" data-parsoid='{"stx":"html","a":{"id":"æ:_v"},"sa":{"id":"æ: v"}}'>byte</span><a rel="mw:WikiLink" href="./Main_Page#æ:_v" class="mw-selflink-fragment" data-parsoid='{"stx":"piped","a":{"href":"./Main_Page#æ:_v"},"sa":{"href":"#æ: v"}}'>backlink</a></p>
@@ -9450,7 +9450,7 @@ wgFragmentMode=[ "legacy" ]
94509450
!! wikitext
94519451
<span id="æ: v">byte</span>[[#æ: v|backlink]]
94529452
!! html/php
9453-
<p><span id=".C3.A6:_v">byte</span><a href="#.C3.A6:_v">backlink</a>
9453+
<p><span id=".C3.A6:&#95;v">byte</span><a href="#.C3.A6:_v">backlink</a>
94549454
</p>
94559455
!! end
94569456

@@ -9463,7 +9463,7 @@ parsoid=wt2html,html2html
94639463
!! wikitext
94649464
<br id="" /><br id="a space" />
94659465
!! html/php
9466-
<p><br /><br id="a_space" />
9466+
<p><br /><br id="a&#95;space" />
94679467
</p>
94689468
!! html/parsoid
94699469
<p><br data-parsoid='{"stx":"html","selfClose":true,"a":{"id":null},"sa":{"id":""}}'/><br id="a_space" data-parsoid='{"stx":"html","selfClose":true,"a":{"id":"a_space"},"sa":{"id":"a space"}}'/></p>
@@ -12447,7 +12447,7 @@ Id starting with underscore
1244712447
!! wikitext
1244812448
<div id="_ref"></div>
1244912449
!! html/*
12450-
<div id="_ref"></div>
12450+
<div id="&#95;ref"></div>
1245112451
!! end
1245212452

1245312453
!! test
@@ -12826,7 +12826,7 @@ HTML5 data attributes
1282612826
!! html/php
1282712827
<p><span data-foo="bar">Baz</span>
1282812828
</p>
12829-
<p data-abc-def_hij="">Quuz</p>
12829+
<p>Quuz</p>
1283012830
!! html/parsoid
1283112831
<p><span data-foo="bar" data-parsoid='{"stx":"html"}'>Baz</span></p>
1283212832
<p data-abc-def_hij="" data-parsoid='{"stx":"html"}'>Quuz</p>

0 commit comments

Comments
 (0)