Daimona
Musician

User Details

User Since
May 18 2017, 10:49 AM (113 w, 12 h)
Availability
Available
IRC Nick
Daimona
LDAP User
Daimona Eaytoy
MediaWiki User
Daimona Eaytoy [ Global Accounts ]

Babel: it-N, en-3, fr-1

Recent Activity

Today

Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

A little update: xdebug says that there's a cycle, which is where the slowness happens. (UnionType|GenericArrayType)::hasTemplateTypeRecursive is called like 5 million times for my simplified scratch, and that's obviously super-heavy. The call triggering the loop happens in UnionTypeVisitor::analyzeProp (obviously for the $info prop). For some reason, that prop's type_set is a deeply nested array of types (I suspect it has 5 million nesting levels looking at the code, but I didn't check), and thus the long recursion.
As for why the type_set is this crazy, I (still) don't know.

Thu, Jul 18, 5:10 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a comment to T228155: Add phan to PageForms.

@hashar Being a static analysis tool, it wouldn't make any difference. We only need SMW to provide phan with all of the classes/methods definitions, as it would otherwise fail. My actual doubt is whether we can install SMW before doing the analysis, since AFAIK it's not hosted on gerrit.

Thu, Jul 18, 4:13 PM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona added a comment to T227843: Deprecate AbuseFilter's support for Zero.

@Trizek-WMF I'd say in the next T/N. It could take some time for people to fix affected filters, so the sooner the better.

Thu, Jul 18, 4:09 PM · User-notice, WikimediaMessages, Technical-Debt, AbuseFilter
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

I continued digging the code, but TBH I'm not getting anywhere. I managed to reproduce the issue with a version of the plugin having only 250 lines of visitor, but still nothing. This seems to be a combination of several factors. Almost surely, it has to do with the insane nesting level inside the $info property (which is bad practice anyway, but nvm), and class/method reanalysis for dependent method/vars. Also, xdebug doesn't help much due to some phan dark magic.
So if someone wants to continue investigating, feel free to; I mostly won't be around for the next week.

Thu, Jul 18, 2:41 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a project to T227843: Deprecate AbuseFilter's support for Zero: User-notice.

OK, so, first of all I'd like to announce it on Tech News. We should inform people that wpzero support will be removed, and thus update their filters accordingly. Then let's see how many of those are fixed, and decide how to move on.

Thu, Jul 18, 9:30 AM · User-notice, WikimediaMessages, Technical-Debt, AbuseFilter
Daimona added a comment to T227843: Deprecate AbuseFilter's support for Zero.

Thanks @Legoktm, I'm going to take a look at those. Although I have to say, this is more than I expected. And without a global abusefilter-manager group in place, it'll be even harder to fix all of those filters. That said, these filters won't be straightforward to fix (like it was e.g. in T209565). Every filter has its own fix, and sometimes the filter just has to be deleted. Actually, I don't even know if I'd do that with global AF-manager rights.

Thu, Jul 18, 6:39 AM · User-notice, WikimediaMessages, Technical-Debt, AbuseFilter
Daimona added a comment to T227595: AbuseFilter's filters could be wiki pages.

In T227595#5344447, @Legoktm wrote:
Yeah, this. There's a reason AbuseFilter filters aren't wiki pages, because having private ones isn't possible in MediaWiki.

Thu, Jul 18, 6:35 AM · Epic, User-Daimona, User-DannyS712, AbuseFilter

Yesterday

Daimona edited P8769 getid3.
Wed, Jul 17, 10:11 PM
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

P8769 is the minimum I could find for now in the getid3 class. Inside the extension, you'll only need the following:

Wed, Jul 17, 10:06 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona created P8769 getid3.
Wed, Jul 17, 10:03 PM
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

So, for now, I managed to get this down to the ID3Handler class in TMH, and part of the getid3.php file in the library. I suspect this has to do with the $info property inside getid3, but I'm still unsure. Apparently it needs several methods in getid3 to exist, in order to remain stalled. I'll probably continue investigating tomorrow.

Wed, Jul 17, 9:47 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

The reason that we couldn't reproduce it locally was because we probably didn't have that library installed.

Wed, Jul 17, 8:14 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona created T228303: Redis exception connecting to "/var/run/nutcracker/redis_eqiad.sock": read error on connection.
Wed, Jul 17, 4:47 PM · MW-1.34-notes (1.34.0-wmf.15; 2019-07-23), serviceops, Operations, Performance-Team, MediaWiki-Cache, Wikimedia-production-error
Daimona added a project to T227595: AbuseFilter's filters could be wiki pages: Epic.
Wed, Jul 17, 3:33 PM · Epic, User-Daimona, User-DannyS712, AbuseFilter
Daimona added a comment to T227822: AbuseFilter emitting 1000s of non-object property access errors.

Is there anything actionable here?

Wed, Jul 17, 3:32 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), AbuseFilter, Wikimedia-production-error
Daimona triaged T228284: SpecialCheckUser: Call to a member function userCan() on a non-object (null) as High priority.

Not setting UBN until the exact impact is determined.

Wed, Jul 17, 2:42 PM · User-Urbanecm, CheckUser, Wikimedia-production-error
Daimona updated the task description for T228284: SpecialCheckUser: Call to a member function userCan() on a non-object (null).
Wed, Jul 17, 2:37 PM · User-Urbanecm, CheckUser, Wikimedia-production-error
Daimona created T228284: SpecialCheckUser: Call to a member function userCan() on a non-object (null).
Wed, Jul 17, 2:36 PM · User-Urbanecm, CheckUser, Wikimedia-production-error
Daimona closed T203535: PHP Error "Undefined index: 1 in AbuseFilter.php on line 928", a subtask of T203587: Major overhaul for "throttle" action in AbuseFilter, as Resolved.
Wed, Jul 17, 1:46 PM · Core Platform Team (Code Health (TEC13)), User-Daimona, Patch-For-Review, Technical-Debt, AbuseFilter
Daimona closed T203535: PHP Error "Undefined index: 1 in AbuseFilter.php on line 928" as Resolved.
Wed, Jul 17, 1:46 PM · Core Platform Team Backlog (Watching / External), Core Platform Team (Security, stability, performance and scalability (TEC1)), AbuseFilter, Wikimedia-production-error
Daimona updated the task description for T203587: Major overhaul for "throttle" action in AbuseFilter.
Wed, Jul 17, 1:46 PM · Core Platform Team (Code Health (TEC13)), User-Daimona, Patch-For-Review, Technical-Debt, AbuseFilter
Daimona closed T215787: PHP Warning: "count(): Parameter must be an array or an object that implements Countable" on AbuseFilter history with PHP7, a subtask of T203587: Major overhaul for "throttle" action in AbuseFilter, as Resolved.
Wed, Jul 17, 1:45 PM · Core Platform Team (Code Health (TEC13)), User-Daimona, Patch-For-Review, Technical-Debt, AbuseFilter
Daimona closed T215787: PHP Warning: "count(): Parameter must be an array or an object that implements Countable" on AbuseFilter history with PHP7 as Resolved.
Wed, Jul 17, 1:45 PM · User-Daimona, AbuseFilter
Daimona closed T209565: Dry run for normalizeThrottleParameters.php, a subtask of T203336: Fatal exception when editing an abuse filter: Error: 1048 Column 'afa_parameters' cannot be null, as Resolved.
Wed, Jul 17, 1:44 PM · Core Platform Team Backlog (Watching / External), MW-1.32-release, Wikimedia-production-error, AbuseFilter
Daimona closed T209565: Dry run for normalizeThrottleParameters.php, a subtask of T203584: Throttle groups may be empty or include unknown stuff, as Resolved.
Wed, Jul 17, 1:44 PM · Technical-Debt, AbuseFilter
Daimona closed T209565: Dry run for normalizeThrottleParameters.php, a subtask of T203585: Throttle parameters may have an undesired comma inside, as Resolved.
Wed, Jul 17, 1:44 PM · MW-1.34-notes (1.34.0-wmf.15; 2019-07-23), MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Technical-Debt, AbuseFilter
Daimona closed T209565: Dry run for normalizeThrottleParameters.php, a subtask of T215787: PHP Warning: "count(): Parameter must be an array or an object that implements Countable" on AbuseFilter history with PHP7, as Resolved.
Wed, Jul 17, 1:44 PM · User-Daimona, AbuseFilter
Daimona closed T209565: Dry run for normalizeThrottleParameters.php as Resolved.

Yay!

Wed, Jul 17, 1:44 PM · MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), User-Urbanecm, MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), User-notice, MW-1.32-release, Core Platform Team (Security, stability, performance and scalability (TEC1)), Wikimedia-maintenance-script-run, AbuseFilter
Daimona closed T203585: Throttle parameters may have an undesired comma inside, a subtask of T203587: Major overhaul for "throttle" action in AbuseFilter, as Resolved.
Wed, Jul 17, 1:43 PM · Core Platform Team (Code Health (TEC13)), User-Daimona, Patch-For-Review, Technical-Debt, AbuseFilter
Daimona closed T203585: Throttle parameters may have an undesired comma inside as Resolved.
Wed, Jul 17, 1:43 PM · MW-1.34-notes (1.34.0-wmf.15; 2019-07-23), MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Technical-Debt, AbuseFilter
Daimona closed T203584: Throttle groups may be empty or include unknown stuff, a subtask of T203587: Major overhaul for "throttle" action in AbuseFilter, as Resolved.
Wed, Jul 17, 1:43 PM · Core Platform Team (Code Health (TEC13)), User-Daimona, Patch-For-Review, Technical-Debt, AbuseFilter
Daimona closed T203584: Throttle groups may be empty or include unknown stuff as Resolved.
Wed, Jul 17, 1:43 PM · Technical-Debt, AbuseFilter
Daimona removed a project from T203336: Fatal exception when editing an abuse filter: Error: 1048 Column 'afa_parameters' cannot be null: Patch-For-Review.
Wed, Jul 17, 1:40 PM · Core Platform Team Backlog (Watching / External), MW-1.32-release, Wikimedia-production-error, AbuseFilter
Daimona added a comment to T209565: Dry run for normalizeThrottleParameters.php.

cawiki and trwiki communities have been notified of the change, so now we can really close this task (and related ones) as soon as r459245 is merged. Again, thanks to everyone involved for the huge help!

Wed, Jul 17, 12:50 PM · MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), User-Urbanecm, MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), User-notice, MW-1.32-release, Core Platform Team (Security, stability, performance and scalability (TEC1)), Wikimedia-maintenance-script-run, AbuseFilter
Daimona added a comment to T209565: Dry run for normalizeThrottleParameters.php.

Confirming that everything was fixed correctly! So this task can be considered resolved. To be precise, there's still https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/AbuseFilter/+/459245/ awaiting review.

Wed, Jul 17, 12:38 PM · MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), User-Urbanecm, MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), User-notice, MW-1.32-release, Core Platform Team (Security, stability, performance and scalability (TEC1)), Wikimedia-maintenance-script-run, AbuseFilter
Daimona edited P8764 Masterwork From Distant Lands.
Wed, Jul 17, 12:26 PM
Daimona edited P8759 Masterwork From Distant Lands.
Wed, Jul 17, 11:59 AM
Daimona claimed T228257: Upgrade phan/phan for our config.
Wed, Jul 17, 9:09 AM · Patch-For-Review, phan
Daimona updated the task description for T228257: Upgrade phan/phan for our config.
Wed, Jul 17, 9:09 AM · Patch-For-Review, phan
Daimona created T228257: Upgrade phan/phan for our config.
Wed, Jul 17, 9:08 AM · Patch-For-Review, phan
Daimona closed T228254: Spam as Invalid.
Wed, Jul 17, 8:50 AM · Trash
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

Does CI maybe have less memory available? (When I used to test on my old laptop with low RAM, when RAM ran out things slowed to a crawl (presumably a lot of swapping).)

Wed, Jul 17, 8:03 AM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a comment to T226851: Drop abuse_filter_log.afl_log_id in production.

Thanks for confirming. I am removing the Blocked-on-schema-change tag as there is nothing blocked on this removal (please correct me if I am wrong).

Wed, Jul 17, 7:33 AM · AbuseFilter, DBA

Tue, Jul 16

Daimona added a comment to T123978: Bring back abuse_filter_history view.

Ah, ok, so the afh_pattern and afh_comments cols are of the most concern here.

Tue, Jul 16, 7:33 PM · Security-Team, Patch-For-Review, Data-Services
Daimona added a comment to T123978: Bring back abuse_filter_history view.

I'd definitely be fine with hiding the whole row if afh_flags contains 'hidden'

I'm a little ignorant on parts of this, but is that feasible within maintain-views.yaml? Seems not to support conditional logic like this on its face. So where would we need to control this?

Tue, Jul 16, 7:17 PM · Security-Team, Patch-For-Review, Data-Services
Daimona added a comment to T123978: Bring back abuse_filter_history view.

@bd808 - there'd been some long-running (and kind of incomplete) work on this here, I believe: T103011, particularly T103011#3536648. And some more work here: T169097. Regarding r498773, specifically, it looks like @Bawolff had labeled that Safe to replicate but requires view-based redaction. I'll plan to book some time today or tomorrow with @JFishback_WMF to further review.

Tue, Jul 16, 7:05 PM · Security-Team, Patch-For-Review, Data-Services
Daimona added a project to T218149: Abuse filter support for depicts and statements: AbuseFilter.

Tagging, and CC'ing myself in case any help is needed with AF.

Tue, Jul 16, 5:22 PM · AbuseFilter, CommRel-Specialists-Support (Jul-Sep-2019), Wikidata, SDC General, Multimedia
Daimona added a comment to T212730: Change the syntax for non-decimal numbers.

Some data has started to flow to logstash for group0, and we have another example: testwiki filter 176, using the variable "db", evaluated to the number "b" in base 2. So well, we really need this change.

Tue, Jul 16, 4:36 PM · User-Daimona, AbuseFilter
Daimona closed T228057: Decide and document backwards compatibility policy for PageForms, a subtask of T228155: Add phan to PageForms, as Resolved.
Tue, Jul 16, 4:26 PM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona closed T228057: Decide and document backwards compatibility policy for PageForms as Resolved.

Oh, okay - I knew about that "compatibility policy" parameter, but never went through all of my extensions' pages to make sure it's there. I just added "compatibility policy=master" to the Page Forms extension's main page. (The compatibility policy is "master" for all of my extensions.)

Tue, Jul 16, 4:26 PM · MediaWiki-extensions-Page_Forms
Daimona added a comment to T228155: Add phan to PageForms.

Oh, okay. That's too bad.

Tue, Jul 16, 4:24 PM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona added a comment to T228155: Add phan to PageForms.

Hi,

Unfortunately, phan will complain about undefined classes if SMW is not installed in the test environment,

Are you sure about this? Page Forms always checks whether SMW classes exist before using any of them, as far as I know.

Tue, Jul 16, 4:16 PM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona added a comment to T228057: Decide and document backwards compatibility policy for PageForms.

Hi - I don't know if this is a good title for this task either, since, whatever you think of Page Forms' current compatibility policy, it is clearly stated on the extension's main wiki page, where it says that "MW 1.23+" is supported:

Tue, Jul 16, 3:54 PM · MediaWiki-extensions-Page_Forms
Daimona added a comment to T228155: Add phan to PageForms.

@Daimona - thanks for putting this together, and of course for your work on the actual patch, which looks like it will make a lot of improvements to the code. Just to clarify one thing: Page Forms doesn't require Semantic MediaWiki, and is often used without SMW, so SMW doesn't need to be loaded for any testing.

Tue, Jul 16, 3:48 PM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona added a comment to T228158: Increase TTL of failed builds.

[...] Most of the time that is sufficient since people would either fix the issue right away or fill a task or the issue is still reproducible after the artifacts have been discarded.

Tue, Jul 16, 3:41 PM · Jenkins, Continuous-Integration-Infrastructure
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

Are you testing natively on your computer or through the Wikimedia CI docker image?

Tue, Jul 16, 3:34 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

OK, so this is more complicated than it seems. I ran seccheck 2.0.1 on TMH master (with ast 1.0.1, PHP 7.3.4), and it completed in normal time. Ran it again, same result. I've also added a line to print the runtime and ran it 3 more times, taking respectively 73, 51 and 51 seconds. My machine is pretty powerful, but not so much to explain the 18 minutes of runtime of the change above. I also note that zuul is a little busy right now, but again, not so much to explain all this slowness: see for instance here. It started 6 minutes after the TMH one and finished in 12 seconds.

Tue, Jul 16, 3:09 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a comment to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class.

Uhm, I'd like to use xdebug for this, but phan would get way slower (around 5x), and doing that on an already-slow extension could be painful. So I think I'll just start removing pieces from the extension and see what's causing the slowness.

Tue, Jul 16, 2:39 PM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona awarded Blog Post: Changes and improvements to PHPUnit testing in MediaWiki a Mountain of Wealth token.
Tue, Jul 16, 1:12 PM · MediaWiki-Core-Testing, Test-Coverage, Code-Health
Daimona created T228158: Increase TTL of failed builds.
Tue, Jul 16, 12:51 PM · Jenkins, Continuous-Integration-Infrastructure
Daimona closed T212726: "ex" evaluates to 14 in AbuseFilterParser, a subtask of T212730: Change the syntax for non-decimal numbers, as Resolved.
Tue, Jul 16, 12:28 PM · User-Daimona, AbuseFilter
Daimona closed T212726: "ex" evaluates to 14 in AbuseFilterParser as Resolved.

This is done, for the rest we have the parent task.

Tue, Jul 16, 12:28 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), AbuseFilter
Daimona added a parent task for T228057: Decide and document backwards compatibility policy for PageForms: T228155: Add phan to PageForms.
Tue, Jul 16, 11:55 AM · MediaWiki-extensions-Page_Forms
Daimona added a subtask for T228155: Add phan to PageForms: T228057: Decide and document backwards compatibility policy for PageForms.
Tue, Jul 16, 11:55 AM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona created T228155: Add phan to PageForms.
Tue, Jul 16, 11:55 AM · Patch-For-Review, MediaWiki-extensions-Page_Forms, Continuous-Integration-Config
Daimona updated the task description for T225325: LibraryUpgrader CI normalisation tasks, June/July 2019.
Tue, Jul 16, 11:51 AM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, LibUp, Continuous-Integration-Config
Daimona added a comment to T228057: Decide and document backwards compatibility policy for PageForms.

Yeah, I'm sorry, I sort of changed my mind while writing the description and didn't update the title accordingly. Nevertheless, what I wrote in the description is what this task should be about.

Tue, Jul 16, 11:50 AM · MediaWiki-extensions-Page_Forms
Daimona added a project to T228137: phan-taint-check is taking 15+ minutes on TimedMediaHandler due to the ID3Handler class: User-Daimona.

Will investigate.

Tue, Jul 16, 11:44 AM · Patch-For-Review, User-Daimona, TimedMediaHandler, phan-taint-check-plugin
Daimona added a project to T224351: mwext-php70-phan-seccheck-docker times out for CommonsMetadata extension: User-Daimona.
Tue, Jul 16, 11:43 AM · User-Daimona, Continuous-Integration-Infrastructure, phan-taint-check-plugin
Daimona reopened T224351: mwext-php70-phan-seccheck-docker times out for CommonsMetadata extension as "Open".

I didn't read T224351#5227653 carefully enough. I still have to determine whether this still happens, and how to fix.

Tue, Jul 16, 11:42 AM · User-Daimona, Continuous-Integration-Infrastructure, phan-taint-check-plugin
Daimona closed T189371: phan and taint/sec for CentralAuth, a subtask of T224783: Enable mediawiki/mediawiki-phan-config on all Wikimedia-deployed repositories, as Resolved.
Tue, Jul 16, 11:30 AM · Release-Engineering-Team (Unit & Int & System Tooling), Release-Engineering-Team-TODO, Epic, Wikimedia-General-or-Unknown, phan
Daimona closed T189371: phan and taint/sec for CentralAuth as Resolved.

Phan was added, and taint-check done in the subtask.

Tue, Jul 16, 11:30 AM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), MW-1.32-notes (WMF-deploy-2018-05-22 (1.32.0-wmf.5)), MediaWiki-extensions-CentralAuth
Daimona added a comment to T209565: Dry run for normalizeThrottleParameters.php.

@Billinghurst Thanks! However, I'd suggest not to fix them manually. I'd like to see if the script is working properly, and if it's safe for use outside WMF wikis.

Tue, Jul 16, 11:23 AM · MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), User-Urbanecm, MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), User-notice, MW-1.32-release, Core Platform Team (Security, stability, performance and scalability (TEC1)), Wikimedia-maintenance-script-run, AbuseFilter

Mon, Jul 15

Daimona added a comment to T228089: Logstash down for MediaWiki.

Huh, when I first reported I thought someone already knew about this. Anyway. Looking at this I see there has been a spike around 12:20-30, which is right before data stopped flowing. It's also interesting to note that, apparently, there hasn't been any drop in the amount of data, which was in fact replaced by these errors. So something is wrong with Elastic (?).

Mon, Jul 15, 7:00 PM · Wikimedia-Incident, observability, Operations, Wikimedia-Logstash
Daimona added a comment to T228057: Decide and document backwards compatibility policy for PageForms.

Is this a task, or what?

Mon, Jul 15, 4:44 PM · MediaWiki-extensions-Page_Forms
Daimona closed T205972: Fixup taint-check-plugin errors in SecurePoll as Resolved.
Mon, Jul 15, 3:39 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), MW-1.33-notes (1.33.0-wmf.4; 2018-11-13), phan-taint-check-plugin, MediaWiki-extensions-SecurePoll
Daimona added a comment to T228049: PHP Notice: Undefined variable: values at PageForms/includes/PF_FormField.php:354.

Operations-wise, log spam is the main issue we are having with this extension currently.

Mon, Jul 15, 2:20 PM · MediaWiki-extensions-Page_Forms
Daimona added a comment to T228057: Decide and document backwards compatibility policy for PageForms.

@Aklapper Yeah, I'm sorry, I only quickly mentioned it in T228049#5333127. This extension uses methods removed from core several versions ago (like ApiBase::dieUsage or OutputPage::addWikitext - T228048). Depending on the compat policy, we should either add back-compat code or just replace them. Such methods seem to cause several issues reported by phan in https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/3431/console, that's why I first wanted to know what to do with them.
That said, I definitely can start fixing unrelated stuff, and no doubt I'll find something to fix.

Mon, Jul 15, 2:19 PM · MediaWiki-extensions-Page_Forms
Daimona created T228057: Decide and document backwards compatibility policy for PageForms.
Mon, Jul 15, 1:47 PM · MediaWiki-extensions-Page_Forms
Daimona added a comment to T228049: PHP Notice: Undefined variable: values at PageForms/includes/PF_FormField.php:354.

Eeeeeek, this error suggested that I add phan to PageForms, in order to catch this kind of stupid mistake early on during development. Then I saw https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/3431/console, and it frightened me. This extension tries to use methods removed from core in 1.32, and that's just the first line of a huge report. Plus, T149869 scares me a little bit.
I'm unsure about what to do here. First of all, the extension claims to support MW 1.23+ at https://www.mediawiki.org/wiki/Extension:Page_Forms, although extension.json says 1.27+. Either way, those are way too old to keep compatibility with them without tons of back-compat code etc.
I'll probably open another task for that, although given all of the above, I think the undefined variable could be the least of the problems this extension has.

Mon, Jul 15, 1:38 PM · MediaWiki-extensions-Page_Forms
Daimona added a comment to T209565: Dry run for normalizeThrottleParameters.php.

Wednesday would work more

Mon, Jul 15, 1:28 PM · MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), User-Urbanecm, MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), User-notice, MW-1.32-release, Core Platform Team (Security, stability, performance and scalability (TEC1)), Wikimedia-maintenance-script-run, AbuseFilter
Daimona added a comment to T216348: Suppress or fix non-double escape phan-taint-check warnings for MW core.

Current warnings list is here:

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="includes/CategoryViewer.php">
    <error line="184" severity="warning" message="Calling method \CategoryViewer::generateLink() in \CategoryViewer::addSubcategoryObject that outputs using tainted argument $[arg #4]. (Caused by: includes/CategoryViewer.php +203)" source="SecurityCheck-DoubleEscaped"/>
    <error line="416" severity="warning" message="Calling method \CategoryViewer::formatList() in \CategoryViewer::getSubcategorySection that outputs using tainted argument $[arg #2]. (Caused by: includes/CategoryViewer.php +534) (Caused by: includes/CategoryViewer.php +191; includes/CategoryViewer.php +275)" source="SecurityCheck-DoubleEscaped"/>
    <error line="446" severity="warning" message="Calling method \CategoryViewer::formatList() in \CategoryViewer::getPagesSection that outputs using tainted argument $[arg #2]. (Caused by: includes/CategoryViewer.php +534) (Caused by: includes/CategoryViewer.php +268; includes/CategoryViewer.php +279)" source="SecurityCheck-DoubleEscaped"/>
    <error line="474" severity="warning" message="Calling method \CategoryViewer::formatList() in \CategoryViewer::getImageSection that outputs using tainted argument $[arg #2]. (Caused by: includes/CategoryViewer.php +534) (Caused by: includes/CategoryViewer.php +253; includes/CategoryViewer.php +283)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/Linker.php">
    <error line="858" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/Linker.php +858)" source="SecurityCheck-DoubleEscaped"/>
    <error line="1760" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/Linker.php +1760)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/OutputPage.php">
    <error line="2561" severity="warning" message="Echoing expression that was not html escaped (Caused by: includes/OutputPage.php +1573; includes/OutputPage.php +1551; includes/OutputPage.php +1560; includes/OutputPage.php +1939; includes/OutputPage.php +2653; includes/OutputPage.php +3960; includes/OutputPage.php +2843; includes/OutputPage.php +2730; i...)" source="SecurityCheck-XSS"/>
    <error line="3165" severity="warning" message="Calling method \ResourceLoader::makeConfigSetScript() in \OutputPage::getBottomScripts that outputs using tainted argument $[arg #1]. (Caused by: includes/resourceloader/ResourceLoader.php +1537) (Caused by: includes/OutputPage.php +1890)" source="SecurityCheck-DoubleEscaped"/>
    <error line="3166" severity="warning" message="Calling method \ResourceLoader::makeConfigSetScript() in \OutputPage::getBottomScripts that outputs using tainted argument $[arg #1]. (Caused by: includes/resourceloader/ResourceLoader.php +1537) (Caused by: includes/OutputPage.php +1890)" source="SecurityCheck-DoubleEscaped"/>
    <error line="3816" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/OutputPage.php +3812)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/Rest/ResponseFactory.php">
    <error line="234" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/Rest/ResponseFactory.php +234)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/actions/HistoryAction.php">
    <error line="415" severity="warning" message="Calling method \FeedItem::__construct() in \HistoryAction::feedEmpty that outputs using tainted argument $[arg #2]. (Caused by: includes/changes/FeedItem.php +145) (Caused by: Builtin-\Message::parseAsBlock; includes/language/Message.php +981)" source="SecurityCheck-DoubleEscaped"/>
    <error line="457" severity="warning" message="Calling method \FeedItem::__construct() in \HistoryAction::feedItem that outputs using tainted argument $text. (Caused by: includes/changes/FeedItem.php +145) (Caused by: includes/actions/HistoryAction.php +436)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/actions/RawAction.php">
    <error line="127" severity="warning" message="Calling method \HttpError::__construct() in \RawAction::onView that outputs using tainted argument $msg. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/actions/RawAction.php +126)" source="SecurityCheck-DoubleEscaped"/>
    <error line="152" severity="warning" message="Calling method \HttpError::__construct() in \RawAction::onView that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/api/ApiCSPReport.php">
    <error line="188" severity="warning" message="Calling method \ApiCSPReport::error() in \ApiCSPReport::getReport that outputs using tainted argument $msg. (Caused by: includes/api/ApiCSPReport.php +252) (Caused by: includes/api/ApiCSPReport.php +184)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/api/ApiFeedContributions.php">
    <error line="148" severity="warning" message="Calling method \FeedItem::__construct() in \ApiFeedContributions::feedItem that outputs using tainted argument $[arg #2]. (Caused by: includes/changes/FeedItem.php +145) (Caused by: includes/api/ApiFeedContributions.php +197; includes/api/ApiFeedContributions.php +177)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/api/ApiFeedWatchlist.php">
    <error line="157" severity="warning" message="Calling method \FeedItem::__construct() in \ApiFeedWatchlist::execute that outputs using tainted argument $errorTitle. (Caused by: includes/changes/FeedItem.php +119) (Caused by: includes/api/ApiFeedWatchlist.php +155)" source="SecurityCheck-DoubleEscaped"/>
    <error line="164" severity="warning" message="Calling method \FeedItem::__construct() in \ApiFeedWatchlist::execute that outputs using tainted argument $errorTitle. (Caused by: includes/changes/FeedItem.php +119) (Caused by: includes/api/ApiFeedWatchlist.php +162)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="includes/api/ApiFormatJson.php">
    <error line="112" severity="warning" message="Calling method \ApiFormatJson::printText() in \ApiFormatJson::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/api/ApiFormatJson.php +112; includes/api/ApiFormatJson.php +109)" source="SecurityCheck-XSS"/>
  </file>
  <file name="includes/api/ApiHelp.php">
    <error line="293" severity="warning" message="Calling method \Html::element() in \ApiHelp::getHelpInternal that outputs using tainted argument $headerContent. (Caused by: Builtin-\Html::element) (Caused by: includes/api/ApiHelp.php +269; includes/api/ApiHelp.php +293)" source="SecurityCheck-DoubleEscaped"/>
    <error line="571" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/api/ApiHelp.php +571)" source="SecurityCheck-DoubleEscaped"/>
    <error line="807" severity="warning" message="Calling method \Html::element() in \ApiHelp::getHelpInternal that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::element) (Caused by: includes/api/ApiHelp.php +317; includes/api/ApiHelp.php +808; includes/api/ApiHelp.php +807)" source="SecurityCheck-DoubleEscaped"/>
    <error line="808" severity="warning" message="Calling method \Html::element() in \ApiHelp::getHelpInternal that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::element) (Caused by: includes/api/ApiHelp.php +317; includes/api/ApiHelp.php +808)" source="SecurityCheck-DoubleEscaped"/>
48 </file>
49 <file name="includes/api/ApiQueryBacklinks.php">
50 <error line="450" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/api/ApiQueryBacklinks.php +173; includes/api/ApiQueryBacklinks.php +295; includes/api/ApiQueryBacklinks.php +250; includes/api/ApiQueryBacklinks.php +294; includes/api/ApiQueryBacklinks.php +287)" source="SecurityCheck-DoubleEscaped"/>
51 </file>
52 <file name="includes/block/DatabaseBlock.php">
53 <error line="321" severity="error" message="Calling method \Wikimedia\Rdbms\Database::select() in \MediaWiki\Block\DatabaseBlock::newLoad that outputs using tainted argument $conds. (Caused by: Builtin-\Wikimedia\Rdbms\Database::select) (Caused by: includes/block/DatabaseBlock.php +299; includes/block/DatabaseBlock.php +295; includes/block/DatabaseBlock.php +303; includes/block/DatabaseBlock.php +305; includes/block/DatabaseBlock.php +310; includes/block/DatabaseBlock.php +312)" source="SecurityCheck-SQLInjection"/>
54 </file>
55 <file name="includes/changes/ChangesFeed.php">
56 <error line="115" severity="warning" message="Calling method \FeedItem::__construct() in \ChangesFeed::buildItems that outputs using tainted argument $[arg #5]. (Caused by: includes/changes/FeedItem.php +182) (Caused by: Builtin-\Message::escaped; includes/language/Message.php +994)" source="SecurityCheck-DoubleEscaped"/>
57 </file>
58 <file name="includes/changes/EnhancedChangesList.php">
59 <error line="756" severity="warning" message="Calling method \Html::rawElement() in \EnhancedChangesList::recentChangesBlockLine that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::rawElement) (Caused by: includes/changes/EnhancedChangesList.php +755)" source="SecurityCheck-DoubleEscaped"/>
60 </file>
61 <file name="includes/changes/FeedItem.php">
62 <error line="119" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getTitle that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +119; includes/api/ApiFeedContributions.php +148; includes/changes/ChangesFeed.php +115; includes/api/ApiFeedWatchlist.php +157)" source="SecurityCheck-DoubleEscaped"/>
63 <error line="119" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getTitle that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +119; includes/api/ApiFeedContributions.php +148; includes/changes/ChangesFeed.php +115; includes/api/ApiFeedWatchlist.php +157; includes/api/ApiFeedWatchlist.php +164; includes/actions/HistoryAction.php +457)" source="SecurityCheck-DoubleEscaped"/>
64 <error line="119" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getTitle that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +119; includes/api/ApiFeedContributions.php +148; includes/changes/ChangesFeed.php +115; includes/api/ApiFeedWatchlist.php +157; includes/api/ApiFeedWatchlist.php +164; includes/actions/HistoryAction.php +457; includes/...)" source="SecurityCheck-DoubleEscaped"/>
65 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145)" source="SecurityCheck-DoubleEscaped"/>
66 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145; includes/actions/HistoryAction.php +457)" source="SecurityCheck-DoubleEscaped"/>
67 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145; includes/actions/HistoryAction.php +457; includes/actions/HistoryAction.php +415)" source="SecurityCheck-DoubleEscaped"/>
68 <error line="145" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getDescription that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/api/ApiFeedContributions.php +148; includes/changes/FeedItem.php +145; includes/actions/HistoryAction.php +457; includes/actions/HistoryAction.php +415; includes/specials/SpecialNewpages.php +490)" source="SecurityCheck-DoubleEscaped"/>
69 <error line="182" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getAuthor that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +182; includes/changes/ChangesFeed.php +115)" source="SecurityCheck-DoubleEscaped"/>
70 <error line="182" severity="warning" message="Calling method \FeedItem::xmlEncode() in \FeedItem::getAuthor that outputs using tainted argument $[arg #1]. (Caused by: includes/changes/FeedItem.php +78) (Caused by: includes/changes/FeedItem.php +182; includes/changes/ChangesFeed.php +115; includes/specials/SpecialNewpages.php +490)" source="SecurityCheck-DoubleEscaped"/>
71 </file>
72 <file name="includes/exception/HttpError.php">
73 <error line="122" severity="warning" message="Calling method \htmlspecialchars() in \HttpError::getHTML that outputs using tainted argument $[arg #1]. (Caused by: includes/exception/HttpError.php +122; includes/actions/RawAction.php +127)" source="SecurityCheck-DoubleEscaped"/>
74 <error line="122" severity="warning" message="Calling method \htmlspecialchars() in \HttpError::getHTML that outputs using tainted argument $[arg #1]. (Caused by: includes/exception/HttpError.php +122; includes/actions/RawAction.php +127; includes/actions/RawAction.php +152; includes/linkeddata/PageDataRequestHandler.php +75; includes/linkeddata/PageDataRequestHandler.php +92; includes/linkeddata/PageDataRequ...)" source="SecurityCheck-DoubleEscaped"/>
75 </file>
76 <file name="includes/htmlform/fields/HTMLFormFieldCloner.php">
77 <error line="391" severity="warning" message="Calling method \Html::rawElement() in \HTMLFormFieldCloner::getInputHTML that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::rawElement) (Caused by: includes/htmlform/fields/HTMLFormFieldCloner.php +390)" source="SecurityCheck-DoubleEscaped"/>
78 <error line="471" severity="warning" message="Calling method \Html::rawElement() in \HTMLFormFieldCloner::getInputOOUI that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Html::rawElement) (Caused by: includes/htmlform/fields/HTMLFormFieldCloner.php +470)" source="SecurityCheck-DoubleEscaped"/>
79 </file>
80 <file name="includes/installer/DatabaseInstaller.php">
81 <error line="643" severity="warning" message="Calling method \DatabaseInstaller::getPasswordBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +545) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
82 <error line="643" severity="warning" message="Calling method \DatabaseInstaller::getTextBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
83 <error line="645" severity="warning" message="Calling method \DatabaseInstaller::getTextBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
84 <error line="651" severity="warning" message="Calling method \DatabaseInstaller::getPasswordBox() in \DatabaseInstaller::getInstallUserBox that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +545) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
85 </file>
86 <file name="includes/installer/DatabaseUpdater.php">
87 <error line="227" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/installer/DatabaseUpdater.php +227)" source="SecurityCheck-DoubleEscaped"/>
88 </file>
89 <file name="includes/installer/MssqlInstaller.php">
90 <error line="92" severity="warning" message="Calling method \MssqlInstaller::getPasswordBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
91 <error line="92" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
92 <error line="92" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
93 <error line="100" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
94 <error line="102" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
95 <error line="104" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
96 <error line="109" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
97 <error line="127" severity="warning" message="Calling method \MssqlInstaller::getTextBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
98 <error line="133" severity="warning" message="Calling method \MssqlInstaller::getPasswordBox() in \MssqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
99 <error line="325" severity="error" message="Calling method \Wikimedia\Rdbms\Database::query() in \MssqlInstaller::canCreateAccounts that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query)" source="SecurityCheck-SQLInjection"/>
100 <error line="368" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getSettingsForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
101 <error line="375" severity="warning" message="Calling method \MssqlInstaller::getRadioSet() in \MssqlInstaller::getSettingsForm that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
102 </file>
103 <file name="includes/installer/MysqlInstaller.php">
104 <error line="82" severity="warning" message="Calling method \MysqlInstaller::getTextBox() in \MysqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
105 <error line="90" severity="warning" message="Calling method \MysqlInstaller::getTextBox() in \MysqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
106 <error line="92" severity="warning" message="Calling method \MysqlInstaller::getTextBox() in \MysqlInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
107 </file>
108 <file name="includes/installer/OracleInstaller.php">
109 <error line="67" severity="warning" message="Calling method \OracleInstaller::getTextBox() in \OracleInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
110 <error line="77" severity="warning" message="Calling method \OracleInstaller::getTextBox() in \OracleInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
111 </file>
112 <file name="includes/installer/PostgresInstaller.php">
113 <error line="64" severity="warning" message="Calling method \PostgresInstaller::getTextBox() in \PostgresInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
114 <error line="73" severity="warning" message="Calling method \PostgresInstaller::getTextBox() in \PostgresInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
115 <error line="79" severity="warning" message="Calling method \PostgresInstaller::getTextBox() in \PostgresInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
116 </file>
117 <file name="includes/installer/PostgresUpdater.php">
118 <error line="1071" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::dropFkey that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1070; includes/installer/PostgresUpdater.php +1066; includes/installer/PostgresUpdater.php +1062; includes/installer/PostgresUpdater.php +1068)" source="SecurityCheck-SQLInjection"/>
119 <error line="1093" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \PostgresUpdater::changeFkeyDeferrable that outputs using tainted argument $command. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query) (Caused by: includes/installer/PostgresUpdater.php +1092; includes/installer/PostgresUpdater.php +1089; includes/installer/PostgresUpdater.php +1080; includes/installer/PostgresUpdater.php +1088)" source="SecurityCheck-SQLInjection"/>
120 </file>
121 <file name="includes/installer/SqliteInstaller.php">
122 <error line="88" severity="warning" message="Calling method \SqliteInstaller::getTextBox() in \SqliteInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
123 <error line="93" severity="warning" message="Calling method \SqliteInstaller::getTextBox() in \SqliteInstaller::getConnectForm that outputs using tainted argument $[arg #4]. (Caused by: includes/installer/DatabaseInstaller.php +518) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
124 </file>
125 <file name="includes/installer/WebInstallerName.php">
126 <error line="58" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
127 <error line="58" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692; includes/installer/WebInstallerName.php +56)" source="SecurityCheck-DoubleEscaped"/>
128 <error line="58" severity="warning" message="Calling method \WebInstaller::getRadioSet() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +970) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
129 <error line="58" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
130 <error line="59" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
131 <error line="59" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692; includes/installer/WebInstallerName.php +56)" source="SecurityCheck-DoubleEscaped"/>
132 <error line="59" severity="warning" message="Calling method \WebInstaller::getRadioSet() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +970) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
133 <error line="59" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
134 <error line="67" severity="warning" message="Calling method \WebInstaller::getRadioSet() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +970) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
135 <error line="82" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
136 <error line="95" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
137 <error line="103" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
138 <error line="108" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerName::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932) (Caused by: includes/installer/WebInstaller.php +692; includes/installer/WebInstallerName.php +56)" source="SecurityCheck-DoubleEscaped"/>
139 </file>
140 <file name="includes/installer/WebInstallerOptions.php">
141 <error line="127" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstallerOptions.php +125; includes/installer/WebInstallerOptions.php +121) (1092280 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
142 <error line="128" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstallerOptions.php +125; includes/installer/WebInstallerOptions.php +121) (1092280 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
143 <error line="129" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstallerOptions.php +125; includes/installer/WebInstallerOptions.php +121) (1092280 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
144 <error line="145" severity="warning" message="Calling method \WebInstallerOptions::addHTML() in \WebInstallerOptions::execute that outputs using tainted argument $skinHtml. (Caused by: includes/installer/WebInstallerOptions.php +108; includes/installer/WebInstallerOptions.php +127; includes/installer/WebInstallerOptions.php +114; includes/installer/WebInstallerOptions.php +138; includes/installer/WebInstallerOptions.php +143; incl...)" source="SecurityCheck-XSS"/>
145 <error line="246" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
146 <error line="246" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
147 <error line="248" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
148 <error line="248" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
149 <error line="249" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
150 <error line="256" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
151 <error line="263" severity="warning" message="Calling method \WebInstaller::getTextBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +805) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
152 <error line="270" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
153 <error line="271" severity="warning" message="Calling method \WebInstaller::getCheckBox() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +934; includes/installer/WebInstaller.php +932; includes/installer/WebInstallerName.php +58) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
154 <error line="298" severity="warning" message="Calling method \WebInstaller::getTextArea() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +852) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
155 <error line="300" severity="warning" message="Calling method \WebInstaller::getTextArea() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +852) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
156 <error line="314" severity="warning" message="Calling method \WebInstaller::getTextArea() in \WebInstallerOptions::execute that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstaller.php +852) (Caused by: includes/installer/WebInstaller.php +692)" source="SecurityCheck-DoubleEscaped"/>
157 </file>
158 <file name="includes/jobqueue/utils/BacklinkJobUtils.php">
159 <error line="102" severity="error" message="Calling method \BacklinkCache::partition() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument $[arg #1]. (Caused by: includes/cache/BacklinkCache.php +441) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)" source="SecurityCheck-SQLInjection"/>
160 <error line="112" severity="error" message="Calling method \BacklinkCache::getLinks() in \BacklinkJobUtils::partitionBacklinkJob that outputs using tainted argument $[arg #1]. (Caused by: includes/cache/BacklinkCache.php +172) (Caused by: includes/jobqueue/utils/BacklinkJobUtils.php +90)" source="SecurityCheck-SQLInjection"/>
161 </file>
162 <file name="includes/language/Message.php">
163 <error line="1396" severity="warning" message="Calling method \Message::extractParam() in \Message::formatListParam that outputs using tainted argument $[arg #1]. (Caused by: includes/language/Message.php +1204)" source="SecurityCheck-DoubleEscaped"/>
164 <error line="1396" severity="warning" message="Calling method \Message::extractParam() in \Message::formatListParam that outputs using tainted argument $[arg #1]. (Caused by: includes/language/Message.php +1204; includes/language/Message.php +1245)" source="SecurityCheck-DoubleEscaped"/>
165 </file>
166 <file name="includes/libs/rdbms/database/DatabasePostgres.php">
167 <error line="874" severity="error" message="Calling method \Wikimedia\Rdbms\DatabasePostgres::query() in \Wikimedia\Rdbms\DatabasePostgres::resetSequenceForTable that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::query)" source="SecurityCheck-SQLInjection"/>
168 </file>
169 <file name="includes/linkeddata/PageDataRequestHandler.php">
170 <error line="75" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::handleRequest that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270)" source="SecurityCheck-DoubleEscaped"/>
171 <error line="92" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::handleRequest that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270; includes/linkeddata/PageDataRequestHandler.php +84)" source="SecurityCheck-DoubleEscaped"/>
172 <error line="98" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::handleRequest that outputs using tainted argument $[arg #2]. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/GlobalFunctions.php +1270; includes/linkeddata/PageDataRequestHandler.php +84; includes/linkeddata/PageDataRequestHandler.php +96)" source="SecurityCheck-DoubleEscaped"/>
173 <error line="147" severity="warning" message="Calling method \HttpError::__construct() in \PageDataRequestHandler::httpContentNegotiation that outputs using tainted argument $msg. (Caused by: includes/exception/HttpError.php +122) (Caused by: includes/linkeddata/PageDataRequestHandler.php +146)" source="SecurityCheck-DoubleEscaped"/>
174 </file>
175 <file name="includes/logging/BlockLogFormatter.php">
176 <error line="74" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/logging/BlockLogFormatter.php +32; includes/logging/BlockLogFormatter.php +59)" source="SecurityCheck-DoubleEscaped"/>
177 </file>
178 <file name="includes/media/ExifBitmapHandler.php">
179 <error line="66" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/media/ExifBitmapHandler.php +44; includes/media/ExifBitmapHandler.php +58; includes/media/ExifBitmapHandler.php +67; includes/media/ExifBitmapHandler.php +66) (1049600 &amp;lt;- 567976)" source="SecurityCheckMulti"/>
180 </file>
181 <file name="includes/media/FormatMetadata.php">
182 <error line="164" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/media/FormatMetadata.php +164)" source="SecurityCheck-DoubleEscaped"/>
183 <error line="941" severity="warning" message="Calling method \htmlspecialchars() in \FormatMetadata::makeFormattedData that outputs using tainted argument $val. (Caused by: includes/media/FormatMetadata.php +168; includes/media/FormatMetadata.php +183; includes/media/FormatMetadata.php +205; includes/media/FormatMetadata.php +223; includes/media/FormatMetadata.php +235; includes/media/FormatMetadata.php +248; includes/...)" source="SecurityCheck-DoubleEscaped"/>
184 <error line="952" severity="warning" message="Calling method \htmlspecialchars() in \FormatMetadata::makeFormattedData that outputs using tainted argument $val. (Caused by: includes/media/FormatMetadata.php +168; includes/media/FormatMetadata.php +183; includes/media/FormatMetadata.php +205; includes/media/FormatMetadata.php +223; includes/media/FormatMetadata.php +235; includes/media/FormatMetadata.php +248; includes/...)" source="SecurityCheck-DoubleEscaped"/>
185 <error line="974" severity="warning" message="Calling method \htmlspecialchars() in \FormatMetadata::makeFormattedData that outputs using tainted argument $[arg #1]. (Caused by: includes/media/FormatMetadata.php +168; includes/media/FormatMetadata.php +183; includes/media/FormatMetadata.php +205; includes/media/FormatMetadata.php +223; includes/media/FormatMetadata.php +235; includes/media/FormatMetadata.php +248; includes/...)" source="SecurityCheck-DoubleEscaped"/>
186 </file>
187 <file name="includes/page/ImagePage.php">
188 <error line="165" severity="warning" message="Calling method \OutputPage::addHTML() in \ImagePage::view that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: includes/page/ImagePage.php +725; includes/page/ImagePage.php +701)" source="SecurityCheck-XSS"/>
189 </file>
190 <file name="includes/parser/PPFrame_DOM.php">
191 <error line="127" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_DOM::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_DOM.php +125)" source="SecurityCheck-DoubleEscaped"/>
192 <error line="130" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_DOM::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_DOM.php +125)" source="SecurityCheck-DoubleEscaped"/>
193 </file>
194 <file name="includes/parser/PPFrame_Hash.php">
195 <error line="119" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_Hash::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_Hash.php +117)" source="SecurityCheck-DoubleEscaped"/>
196 <error line="122" severity="warning" message="Calling method \wfEscapeWikiText() in \PPFrame_Hash::newChild that outputs using tainted argument $name. (Caused by: includes/GlobalFunctions.php +1549) (Caused by: includes/parser/PPFrame_Hash.php +117)" source="SecurityCheck-DoubleEscaped"/>
197 </file>
198 <file name="includes/parser/Parser.php">
199 <error line="555" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +555)" source="SecurityCheck-DoubleEscaped"/>
200 <error line="762" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +762)" source="SecurityCheck-DoubleEscaped"/>
201 <error line="1428" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +1428)" source="SecurityCheck-DoubleEscaped"/>
202 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
203 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
204 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
205 <error line="1442" severity="warning" message="Calling method \Parser::doTableStuff() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1449) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442)" source="SecurityCheck-DoubleEscaped"/>
206 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
207 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
208 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
209 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
210 <error line="1449" severity="warning" message="Calling method \Parser::replaceInternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2239) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449)" source="SecurityCheck-DoubleEscaped"/>
211 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
212 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
213 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/parser/Parser.php +1451)" source="SecurityCheck-DoubleEscaped"/>
214 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/parser/Parser.php +1451)" source="SecurityCheck-DoubleEscaped"/>
215 <error line="1451" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::internalParse that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +1428; includes/parser/Parser.php +1442; includes/parser/Parser.php +1444; includes/parser/Parser.php +1449; includes/parser/Parser.php +1451)" source="SecurityCheck-DoubleEscaped"/>
216 <error line="1996" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +1994)" source="SecurityCheck-DoubleEscaped"/>
217 <error line="2018" severity="warning" message="Calling method \LanguageConverter::markNoConversion() in \Parser::replaceExternalLinks that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1728) (Caused by: includes/parser/Parser.php +1994; includes/parser/Parser.php +1996; includes/parser/Parser.php +2018)" source="SecurityCheck-DoubleEscaped"/>
218 <error line="2027" severity="warning" message="Calling method \Linker::makeExternalLink() in \Parser::replaceExternalLinks that outputs using tainted argument $text. (Caused by: includes/Linker.php +844) (Caused by: includes/parser/Parser.php +1994; includes/parser/Parser.php +1996; includes/parser/Parser.php +2018; includes/parser/Parser.php +2027)" source="SecurityCheck-DoubleEscaped"/>
219 <error line="2027" severity="warning" message="Calling method \Linker::makeExternalLink() in \Parser::replaceExternalLinks that outputs using tainted argument $text. (Caused by: includes/Linker.php +844) (Caused by: includes/parser/Parser.php +1994; includes/parser/Parser.php +1996; includes/parser/Parser.php +2027)" source="SecurityCheck-DoubleEscaped"/>
220 <error line="2238" severity="warning" message="Calling method \Parser::replaceInternalLinks2() in \Parser::replaceInternalLinks that outputs using tainted argument $s. (Caused by: includes/parser/Parser.php +2482) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
221 <error line="2369" severity="warning" message="Calling method \Parser::maybeDoSubpageLink() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/Linker.php +1384) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
222 <error line="2421" severity="warning" message="Calling method \Parser::replaceInternalLinks2() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2482) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
223 <error line="2482" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +2482)" source="SecurityCheck-DoubleEscaped"/>
224 <error line="2482" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/parser/Parser.php +2609; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
225 <error line="2482" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/parser/Parser.php +2369; includes/parser/Parser.php +3338; includes/parser/Parser.php +3338; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
226 <error line="2482" severity="warning" message="Calling method \Parser::replaceExternalLinks() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +1994) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
227 <error line="2483" severity="warning" message="Calling method \Parser::replaceInternalLinks2() in \Parser::replaceInternalLinks2 that outputs using tainted argument $text. (Caused by: includes/parser/Parser.php +2482) (Caused by: includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/parser/Parser.php +2483; includes/parser/Parser.php +2482; includes/pa...)" source="SecurityCheck-DoubleEscaped"/>
228 <error line="3492" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +3489; includes/parser/Parser.php +3492)" source="SecurityCheck-DoubleEscaped"/>
229 <error line="3507" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +3489; includes/parser/Parser.php +3492; includes/parser/Parser.php +3500)" source="SecurityCheck-XSS"/>
230 <error line="6187" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Parser.php +6187)" source="SecurityCheck-DoubleEscaped"/>
231 </file>
232 <file name="includes/parser/Preprocessor_DOM.php">
233 <error line="99" severity="warning" message="Calling method \UtfNormal\Validator::cleanUp() in \Preprocessor_DOM::newPartNodeArray that outputs using tainted argument $xml. (Caused by: includes/media/DjVuImage.php +302) (Caused by: includes/parser/Preprocessor_DOM.php +83; includes/parser/Preprocessor_DOM.php +86; includes/parser/Preprocessor_DOM.php +91; includes/parser/Preprocessor_DOM.php +99)" source="SecurityCheck-DoubleEscaped"/>
234 <error line="176" severity="warning" message="Calling method \UtfNormal\Validator::cleanUp() in \Preprocessor_DOM::preprocessToObj that outputs using tainted argument $xml. (Caused by: includes/media/DjVuImage.php +302) (Caused by: includes/parser/Preprocessor_DOM.php +155)" source="SecurityCheck-DoubleEscaped"/>
235 </file>
236 <file name="includes/parser/Sanitizer.php">
237 <error line="1438" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/parser/Sanitizer.php +1438)" source="SecurityCheck-DoubleEscaped"/>
238 </file>
239 <file name="includes/preferences/DefaultPreferencesFactory.php">
240 <error line="351" severity="warning" message="HTMLForm label key escapes its input (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
241 <error line="707" severity="warning" message="HTMLForm option label needs escaping (Maybe false positive as could not determine if it was key or value that is unescaped) (Caused by: includes/preferences/DefaultPreferencesFactory.php +704)" source="SecurityCheck-XSS"/>
242 </file>
243 <file name="includes/specials/SpecialExpandTemplates.php">
244 <error line="130" severity="warning" message="Calling method \SpecialExpandTemplates::makeOutput() in \SpecialExpandTemplates::execute that outputs using tainted argument $rawhtml. (Caused by: includes/specials/SpecialExpandTemplates.php +227) (Caused by: includes/specials/SpecialExpandTemplates.php +128)" source="SecurityCheck-DoubleEscaped"/>
245 </file>
246 <file name="includes/specials/SpecialNewpages.php">
247 <error line="490" severity="warning" message="Calling method \FeedItem::__construct() in \SpecialNewpages::feedItem that outputs using tainted argument $[arg #2]. (Caused by: includes/changes/FeedItem.php +145) (Caused by: includes/specials/SpecialNewpages.php +519)" source="SecurityCheck-DoubleEscaped"/>
248 </file>
249 <file name="includes/specials/SpecialRecentChanges.php">
250 <error line="476" severity="warning" message="Calling method \Xml::tags() in \SpecialRecentChanges::doHeader that outputs using tainted argument $[arg #2]. (Caused by: Builtin-\Xml::tags) (Caused by: includes/specials/SpecialRecentChanges.php +469)" source="SecurityCheck-DoubleEscaped"/>
251 <error line="819" severity="warning" message="Calling method \SpecialRecentChanges::makeOptionsLink() in \SpecialRecentChanges::optionsPanel that outputs using tainted argument $[arg #1]. (Caused by: includes/specials/SpecialRecentChanges.php +785)" source="SecurityCheck-DoubleEscaped"/>
252 <error line="916" severity="warning" message="Calling method \SpecialRecentChanges::makeOptionsLink() in \SpecialRecentChanges::optionsPanel that outputs using tainted argument $[arg #1]. (Caused by: includes/specials/SpecialRecentChanges.php +785) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
253 <error line="919" severity="warning" message="Calling method \SpecialRecentChanges::makeOptionsLink() in \SpecialRecentChanges::optionsPanel that outputs using tainted argument $[arg #1]. (Caused by: includes/specials/SpecialRecentChanges.php +785) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
254 </file>
255 <file name="includes/specials/SpecialStatistics.php">
256 <error line="277" severity="warning" message="Calling method \Language::formatNum() in \SpecialStatistics::getOtherStats that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstallerOptions.php +333)" source="SecurityCheck-DoubleEscaped"/>
257 <error line="279" severity="warning" message="Calling method \Language::formatNum() in \SpecialStatistics::getOtherStats that outputs using tainted argument $[arg #1]. (Caused by: includes/installer/WebInstallerOptions.php +333)" source="SecurityCheck-DoubleEscaped"/>
258 </file>
259 <file name="includes/specials/SpecialVersion.php">
260 <error line="100" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/specials/SpecialVersion.php +100)" source="SecurityCheck-DoubleEscaped"/>
261 <error line="124" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/specials/SpecialVersion.php +124)" source="SecurityCheck-DoubleEscaped"/>
262 <error line="578" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserTags that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
263 <error line="584" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserTags that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
264 <error line="593" severity="warning" message="Assigning a tainted value to a variable that later does something unsafe with it (Caused by: includes/specials/SpecialVersion.php +593)" source="SecurityCheck-DoubleEscaped"/>
265 <error line="619" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserFunctionHooks that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
266 <error line="625" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getParserFunctionHooks that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844) (Caused by: Builtin-\Message::parse; includes/language/Message.php +945)" source="SecurityCheck-DoubleEscaped"/>
267 <error line="776" severity="warning" message="Calling method \Linker::makeExternalLink() in \SpecialVersion::getCreditsForExtension that outputs using tainted argument $[arg #2]. (Caused by: includes/Linker.php +844)" source="SecurityCheck-DoubleEscaped"/>
268 </file>
269 <file name="includes/specials/SpecialWhatLinksHere.php">
270 <error line="460" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getPrevNext that outputs using tainted argument $prev. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +452)" source="SecurityCheck-DoubleEscaped"/>
271 <error line="464" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getPrevNext that outputs using tainted argument $next. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +453)" source="SecurityCheck-DoubleEscaped"/>
272 <error line="472" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getPrevNext that outputs using tainted argument $prettyLimit. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +470)" source="SecurityCheck-DoubleEscaped"/>
273 <error line="566" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getFilterPanel that outputs using tainted argument $msg. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +564; includes/specials/SpecialWhatLinksHere.php +547; includes/specials/SpecialWhatLinksHere.php +548)" source="SecurityCheck-DoubleEscaped"/>
274 <error line="567" severity="warning" message="Calling method \SpecialWhatLinksHere::makeSelfLink() in \SpecialWhatLinksHere::getFilterPanel that outputs using tainted argument $msg. (Caused by: includes/specials/SpecialWhatLinksHere.php +442) (Caused by: includes/specials/SpecialWhatLinksHere.php +564; includes/specials/SpecialWhatLinksHere.php +547; includes/specials/SpecialWhatLinksHere.php +548)" source="SecurityCheck-DoubleEscaped"/>
275 </file>
276 <file name="includes/specials/forms/UploadForm.php">
277 <error line="135" severity="warning" message="HTMLForm info field in raw mode needs to escape default key (Caused by: includes/specials/SpecialUpload.php +253)" source="SecurityCheck-XSS"/>
278 <error line="301" severity="warning" message="HTMLForm info field in raw mode needs to escape default key (Caused by: includes/specials/SpecialUpload.php +253)" source="SecurityCheck-XSS"/>
279 </file>
280 <file name="includes/specials/pagers/AllMessagesTablePager.php">
281 <error line="264" severity="warning" message="Calling method \MediaWiki\Linker\LinkRenderer::makeKnownLink() in \AllMessagesTablePager::formatValue that outputs using tainted argument $talkLink. (Caused by: Builtin-\MediaWiki\Linker\LinkRenderer::makeKnownLink) (Caused by: includes/specials/pagers/AllMessagesTablePager.php +253)" source="SecurityCheck-DoubleEscaped"/>
282 <error line="266" severity="warning" message="Calling method \MediaWiki\Linker\LinkRenderer::makeBrokenLink() in \AllMessagesTablePager::formatValue that outputs using tainted argument $talkLink. (Caused by: includes/linker/LinkRenderer.php +357) (Caused by: includes/specials/pagers/AllMessagesTablePager.php +253)" source="SecurityCheck-DoubleEscaped"/>
283 <error line="302" severity="warning" message="Calling method \Html::element() in \AllMessagesTablePager::formatRow that outputs using tainted argument $formatted. (Caused by: Builtin-\Html::element) (Caused by: includes/specials/pagers/AllMessagesTablePager.php +296)" source="SecurityCheck-DoubleEscaped"/>
284 </file>
285 <file name="includes/specials/pagers/UsersPager.php">
286 <error line="177" severity="warning" message="Calling method \Linker::userLink() in \UsersPager::formatRow that outputs using tainted argument $userName. (Caused by: includes/Linker.php +918) (Caused by: includes/specials/pagers/UsersPager.php +175; includes/EditPage.php +3851; includes/EditPage.php +3878; includes/user/UserRightsProxy.php +130)" source="SecurityCheck-DoubleEscaped"/>
287 </file>
288 <file name="includes/user/User.php">
289 <error line="4519" severity="warning" message="Calling method \User::sendMail() in \User::sendConfirmationMail that outputs using tainted argument $[arg #4]. (Caused by: includes/user/User.php +4544) (Caused by: includes/user/User.php +4497)" source="SecurityCheck-XSS"/>
290 <error line="4776" severity="error" message="Calling method \Wikimedia\Rdbms\Database::selectField() in \User::getEditTimestamp that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\Database::selectField) (Caused by: includes/user/User.php +4772)" source="SecurityCheck-SQLInjection"/>
291 <error line="5047" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::selectField() in \User::initEditCountInternal that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::selectField) (Caused by: includes/user/User.php +5046)" source="SecurityCheck-SQLInjection"/>
292 </file>
293 <file name="languages/Language.php">
294 <error line="4240" severity="warning" message="Calling method \htmlspecialchars() in \Language::convertHtml that outputs using tainted argument $[arg #1]. (Caused by: languages/Language.php +4185; languages/Language.php +4185; languages/Language.php +4240)" source="SecurityCheck-DoubleEscaped"/>
295 </file>
296 <file name="maintenance/convertLinks.php">
297 <error line="221" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::query() in \ConvertLinks::execute that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::query) (Caused by: maintenance/convertLinks.php +209; maintenance/convertLinks.php +205; maintenance/convertLinks.php +204; maintenance/convertLinks.php +158)" source="SecurityCheck-SQLInjection"/>
298 </file>
299 <file name="maintenance/populateContentTables.php">
300 <error line="219" severity="error" message="Calling method \Wikimedia\Rdbms\IDatabase::select() in \PopulateContentTables::populateTable that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IDatabase::select) (Caused by: maintenance/populateContentTables.php +218; maintenance/populateContentTables.php +217; maintenance/populateContentTables.php +201)" source="SecurityCheck-SQLInjection"/>
301 </file>
302 <file name="maintenance/refreshExternallinksIndex.php">
303 <error line="73" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \RefreshExternallinksIndex::doDBUpdates that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: maintenance/refreshExternallinksIndex.php +71; maintenance/populateContentTables.php +201; maintenance/refreshExternallinksIndex.php +59)" source="SecurityCheck-SQLInjection"/>
304 </file>
305 <file name="maintenance/storage/compressOld.php">
306 <error line="331" severity="error" message="Calling method \Wikimedia\Rdbms\IMaintainableDatabase::select() in \CompressOld::compressWithConcat that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Wikimedia\Rdbms\IMaintainableDatabase::select) (Caused by: includes/Title.php +3562; includes/Title.php +3562)" source="SecurityCheck-SQLInjection"/>
307 </file>
308</checkstyle>

Mon, Jul 15, 11:20 AM · MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Patch-For-Review, Security-Team, MediaWiki-Core-Testing, phan-taint-check-plugin
Daimona created P8746 taint-check on core.
Mon, Jul 15, 11:17 AM
Daimona closed T227870: mediawiki-core-php72-phan-seccheck-docker runs in extension mode as Resolved.

Another thing I noticed is that with check experimental, CI also runs a separate job for extensions, mwext-php72-phan-seccheck-docker (see https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/522419/), which fails hard. But that's another story.

Mon, Jul 15, 11:15 AM · phan-taint-check-plugin, Continuous-Integration-Config
Daimona added a comment to T175221: Replace and split $wgAbuseFilterRestrictions responsibility with more verbose variable names. .

(Note that I changed my mind and removed DangerousActions. The actions being disabled upon throttling are not something people are supposed to change, I believe)

Mon, Jul 15, 10:21 AM · Patch-For-Review, User-Daimona, AbuseFilter
Daimona moved T203344: phan-taint-check should warn about unnecessary @suppress tags from Waiting to Under review on the User-Daimona board.
Mon, Jul 15, 9:26 AM · Patch-For-Review, User-Daimona, phan-taint-check-plugin
Daimona added a comment to T209565: Dry run for normalizeThrottleParameters.php.

@Urbanecm Just checking in - would tomorrow after EU SWAT be fine for you? The T/N is going out now, and I think tomorrow is fine; plus I probably won't be available from the end of the week.

Mon, Jul 15, 8:00 AM · MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), User-Urbanecm, MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), User-notice, MW-1.32-release, Core Platform Team (Security, stability, performance and scalability (TEC1)), Wikimedia-maintenance-script-run, AbuseFilter

Sun, Jul 14

Daimona claimed T133664: Statically analyse MinervaNeue codebases with Phan.
Sun, Jul 14, 2:53 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), Patch-For-Review, Readers-Web-Backlog (Tracking), Technical-Debt (RW-Tech-Debt), MobileFrontend
Daimona claimed T205972: Fixup taint-check-plugin errors in SecurePoll.

Note that I had to suppress some DoubleEscaped warnings: the label passed to Xml::radio is indeed double escaped. However, it comes from a long chain of calls to SecurePoll_Context/getMessage/parse etc., which seems to be copying what Message::parse does. And I'm not touching that chain.

Sun, Jul 14, 2:28 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), MW-1.33-notes (1.33.0-wmf.4; 2018-11-13), phan-taint-check-plugin, MediaWiki-extensions-SecurePoll
Daimona added a comment to T216254: taint-check does not checks undeclared class properties.

I guess this has to do with the methods used to retrieve properties etc. For a future fix, a sample test case:

Sun, Jul 14, 1:48 PM · phan-taint-check-plugin
Daimona claimed T189227: taint-checks for CentralAuth failing.

Now passing with taint-check 2.0.2.

Sun, Jul 14, 1:44 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), MW-1.32-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), Patch-For-Review, phan-taint-check-plugin, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security
Daimona closed T224758: Add phan to ProofreadPage extension, a subtask of T224783: Enable mediawiki/mediawiki-phan-config on all Wikimedia-deployed repositories, as Resolved.
Sun, Jul 14, 1:25 PM · Release-Engineering-Team (Unit & Int & System Tooling), Release-Engineering-Team-TODO, Epic, Wikimedia-General-or-Unknown, phan
Daimona closed T224758: Add phan to ProofreadPage extension as Resolved.
Sun, Jul 14, 1:25 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), ProofreadPage, phan
Daimona claimed T224775: Use mediawiki/mediawiki-phan-config in extension WikibaseLexeme .
Sun, Jul 14, 1:21 PM · Patch-For-Review, Lexicographical data, Wikidata, phan
Daimona claimed T214674: Short circuit fails with assignments.
Sun, Jul 14, 9:50 AM · Patch-For-Review, User-Daimona, AbuseFilter

Sat, Jul 13

Daimona closed T203882: phan-taint-check false positive in Sudo extension as Resolved.
Sat, Jul 13, 7:26 PM · MediaWiki-extensions-Other, phan-taint-check-plugin
Daimona added a comment to T227569: Find a way to run phan PerfCheck plugin as non-voting in CI.

@Smalyshev Thanks a lot for your precious feedback! Before replying point-by-point, I'd like to remark that despite the name "PerfCheck", and one of its goals being to micro-optimize code, it also tries to improve readability; actually, it prefers readability over performance. So for some of the issues the performance gain could be very small, and even unnoticeable (except for hotspots), but the readability should always be improved.

Sat, Jul 13, 8:18 AM · Patch-For-Review, Continuous-Integration-Config, phan

Fri, Jul 12

Daimona updated the task description for T227406: Release taint-check 2.0.2 and 2.1.0.
Fri, Jul 12, 3:09 PM · phan-taint-check-plugin
Daimona removed a project from T216974: Update phan-taint-check-plugin to a newer phan (1.3.2): Patch-For-Review.
Fri, Jul 12, 3:01 PM · phan-taint-check-plugin
Daimona closed T204094: Minerva taint error: Calling method \BaseTemplate::set() in \SkinMinerva::prepareHeaderAndFooter that outputs using tainted argument as Resolved.
Fri, Jul 12, 2:17 PM · Readers-Web-Backlog (Tracking), Continuous-Integration-Config, MinervaNeue, phan-taint-check-plugin