Endpoints which do not need to authenticate users should set MW_NO_SESSION
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• Tgr
	Feb 17 2016, 8:53 PM

Description

The old MediaWiki session logic only loaded the session when $wgUser was unstubbed, which could cause problems due to hook calls executing unexpectedly early or late. SessionManager moved session initialization into Setup.php; this means that the session is set up even if $wgUser is never needed. While setting up the session is relatively cheap, there is no reason not to skip it in the cases where we know by the time of calling Setup.php (ie. from the choice of endpoint) that authentication won't be needed.

Endpoints that look like they should not need sessions are: load.php, static.php, opensearch_desc.php, profileinfo.php. Probably also thumb.php which does per-user limiting of thumbnailing attempts, but doing that on a per-IP instead of per-username basis does not seem like much of a loss, and for most MediaWiki installations that's what's happening anyway since thumbnails are served from a different domain.

MW_NO_SESSION has not been used before in web requests, so such a change might trigger new bugs and should be tested cautiously.

Details

Subject	Repo	Branch	Lines /-
Limit language logic when displaying exceptions / outage messages	mediawiki/core	master	6 -0
Enforce no-session constraint in static.php	operations/mediawiki-config	master	5 -1
Enforce no-session constraint in opensearch_desc.php and profileinfo.php	mediawiki/core	master	4 -6
Warn on session access in profileinfo.php and opensearch_desc.php	mediawiki/core	master	10 -0
Enforce load.php's no-session constraint	mediawiki/core	master	2 -3
resourceloader: Avoid Title::newMainPage() to support $wgForceUIMsgAsContentMsg	mediawiki/core	master	10 -2
Check User::isSafeToLoad() in LanguageConverter	mediawiki/core	wmf/1.27.0-wmf.16	4 -1
Check User::isSafeToLoad() in LanguageConverter	mediawiki/core	master	4 -1
HttpFunctions: Log in English	mediawiki/core	master	1 -1
Log a backtrace with "sessions are supposed to be disabled" message	mediawiki/core	wmf/1.27.0-wmf.16	3 -1
Log a backtrace with "sessions are supposed to be disabled" message	mediawiki/core	master	3 -1
Log violations of load.php's no-session constraint	mediawiki/core	master	5 -0
Use RL context language in MFResourceLoaderParsedMessageModule	mediawiki/extensions/MobileFrontend	wmf/1.27.0-wmf.15	5 -4
Use RL context language in MFResourceLoaderParsedMessageModule	mediawiki/extensions/MobileFrontend	master	5 -4
Pass language to SpecialVersion::getVersion()	mediawiki/extensions/Scribunto	master	4 -1
Do not vary on session cookies when the session is disabled	mediawiki/core	master	6 -0
User::isSafeToLoad() should return false if MW_NO_SESSION	mediawiki/core	master	14 -4
Add $lang parameter to SpecialVersion::getVersion	mediawiki/core	master	7 -2
Enforce MW_NO_SESSION, add MW_NO_SESSION_HANDLER	mediawiki/core	wmf/1.27.0-wmf.14	68 -20
resourceloader: Remove $wgUser optimization that uses session	mediawiki/core	wmf/1.27.0-wmf.14	1 -7
Enforce MW_NO_SESSION, add MW_NO_SESSION_HANDLER	mediawiki/core	wmf/1.27.0-wmf.13	73 -21
resourceloader: Remove $wgUser optimization that uses session	mediawiki/core	master	1 -7
Enforce MW_NO_SESSION, add MW_NO_SESSION_HANDLER	mediawiki/core	master	68 -20

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		• Deskana	T75616 Tracking: API/backend issues blocking Wikipedia app development
Resolved		Anomie	T32788 Allow triggering of user password reset email via the API
Open		None	T90925 General authentication improvements for MediaWiki
Resolved		Anomie	T48179 Allow a challenge stage during authentication
Open		None	T5709 Refactoring to make external authentication and identity systems easier
Resolved		• Tgr	T43201 UserLoadFromSession considered evil
Resolved		Anomie	T67493 Session is started by EditAction (problem for extensions using UserLoadFromSession hook)
Open	Feature	None	T55156 Provide option to force a login session to end within a certain time
Open		None	T89459 Modernize MediaWiki authentication system (AuthManager)
Resolved		Anomie	T123451 Deploy SessionManager and bot passwords
Resolved		• Tgr	T127233 Endpoints which do not need to authenticate users should set MW_NO_SESSION
Resolved		Jdlrobson	T127860 MobileFrontend using ResourceLoaderGetConfigVars hook with User dependent data
Resolved		bd808	T127864 CitoidDataModule depends on request data
Resolved		None	T127866 WikimediaMessagesHooks::onMobileLicenseLink() unstubs $wgUser during ResourceLoaderGetConfigVars hook
Resolved		• Tgr	T127870 QuickSurveys\Hooks::onResourceLoaderRegisterModules() depends on request data
Resolved		None	T127871 MobileFrontendSkinHooks::getPluralLicenseInfo() unstubs $wgUser during ResourceLoaderGetConfigVars hook
Resolved		None	T127872 Wikibase\SitesModule depends on request data
Resolved		bd808	T127916 CiteDataModule depends on request data
Resolved		Legoktm	T129397 FlowHooks::onMessageCacheGet() may be called during load.php and depends on the session user language
Declined		Anomie	T130720 Have load.php set $wgLang and the RequestContext language
Resolved		Legoktm	T131176 Wikibase\Repo\Hooks\LinkBeginHookHandler unstubs $wgLang unnecessarily during LinkBegin hook
Declined		None	T134562 SMW triggers "Sessions are disabled for this entry point"
Resolved		Anomie	T135389 opensearch_desc calls Title::getLocalURL which unstubs wgUser on wikis with a variant

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Change 273372 had a related patch set uploaded (by Anomie):
Log violations of load.php's no-session constraint

https://gerrit.wikimedia.org/r/273372

Change 273373 had a related patch set uploaded (by Anomie):
Enforce load.php's no-session constraint

https://gerrit.wikimedia.org/r/273373

Rical subscribed.Feb 26 2016, 11:19 AM

Change 275617 had a related patch set uploaded (by Anomie):
Use RL context language in MFResourceLoaderParsedMessageModule

https://gerrit.wikimedia.org/r/275617

Change 275617 merged by jenkins-bot:
Use RL context language in MFResourceLoaderParsedMessageModule

https://gerrit.wikimedia.org/r/275617

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-03-08_(1.27.0-wmf.16)).Mar 7 2016, 10:00 PM

Change 275683 had a related patch set uploaded (by Gergő Tisza):
Use RL context language in MFResourceLoaderParsedMessageModule

https://gerrit.wikimedia.org/r/275683

Change 275683 abandoned by Gergő Tisza:
Use RL context language in MFResourceLoaderParsedMessageModule

Reason:
On second thought not really needed as the "flag" in https://gerrit.wikimedia.org/r/#/c/273372/ will go out with the train.

https://gerrit.wikimedia.org/r/275683

Change 273372 merged by jenkins-bot:
Log violations of load.php's no-session constraint

https://gerrit.wikimedia.org/r/273372

• mmodell subscribed.Mar 7 2016, 11:21 PM

Change 276207 had a related patch set uploaded (by Anomie):
Log a backtrace with "sessions are supposed to be disabled" message

https://gerrit.wikimedia.org/r/276207

Change 276207 merged by jenkins-bot:
Log a backtrace with "sessions are supposed to be disabled" message

https://gerrit.wikimedia.org/r/276207

Change 276231 had a related patch set uploaded (by Anomie):
HttpFunctions: Log in the wiki's content language

https://gerrit.wikimedia.org/r/276231

Change 276232 had a related patch set uploaded (by Anomie):
Log a backtrace with "sessions are supposed to be disabled" message

https://gerrit.wikimedia.org/r/276232

Change 276232 merged by jenkins-bot:
Log a backtrace with "sessions are supposed to be disabled" message

https://gerrit.wikimedia.org/r/276232

Change 276246 had a related patch set uploaded (by Anomie):
Check User::isSafeToLoad() in LanguageConverter

https://gerrit.wikimedia.org/r/276246

Anomie created subtask T129397: FlowHooks::onMessageCacheGet() may be called during load.php and depends on the session user language.Mar 9 2016, 8:12 PM

Here's a fun one: $wgForceUIMsgAsContentMsg makes Message::inContentLanguage() do nothing, and some wikis have 'mainpage' in that list so Title::newMainPage() will blow up. I think T127920 is our only hope of dealing with that craziness.

Change 276246 merged by jenkins-bot:
Check User::isSafeToLoad() in LanguageConverter

https://gerrit.wikimedia.org/r/276246

Change 276231 merged by jenkins-bot:
HttpFunctions: Log in English

https://gerrit.wikimedia.org/r/276231

Change 276467 had a related patch set uploaded (by Anomie):
Check User::isSafeToLoad() in LanguageConverter

https://gerrit.wikimedia.org/r/276467

Anomie mentioned this in T127920: Message class should use appropiate default language based on request context.Mar 10 2016, 8:43 PM

Change 276467 merged by jenkins-bot:
Check User::isSafeToLoad() in LanguageConverter

https://gerrit.wikimedia.org/r/276467

https://gerrit.wikimedia.org/r/276467 has been deployed

Change 276891 had a related patch set uploaded (by Krinkle):
Use context language instead of global wfMessage()

https://gerrit.wikimedia.org/r/276891

Krinkle removed projects: MW-1.27-release (WMF-deploy-2016-03-08_(1.27.0-wmf.16)), MW-1.27-release (WMF-deploy-2016-02-16_(1.27.0-wmf.14)), MW-1.27-release (WMF-deploy-2016-02-09_(1.27.0-wmf.13)), MW-1.27-release (WMF-deploy-2016-03-01_(1.27.0-wmf.15)).Mar 11 2016, 10:32 PM

ReleaseTaggerBot added projects: MW-1.27-release (WMF-deploy-2016-03-15_(1.27.0-wmf.17)), MW-1.27-release (WMF-deploy-2016-03-08_(1.27.0-wmf.16)).Mar 14 2016, 8:02 PM

Krinkle closed subtask T127920: Message class should use appropiate default language based on request context as Resolved.Mar 23 2016, 4:50 AM

Krinkle removed projects: MW-1.27-release (WMF-deploy-2016-03-08_(1.27.0-wmf.16)), MW-1.27-release (WMF-deploy-2016-03-15_(1.27.0-wmf.17)), Patch-For-Review.Mar 23 2016, 5:05 AM

Rical unsubscribed.Mar 23 2016, 10:39 AM

Anomie created subtask T130720: Have load.php set $wgLang and the RequestContext language.Mar 23 2016, 3:03 PM

Anomie removed a subtask: T127920: Message class should use appropiate default language based on request context.

Anomie created subtask T131176: Wikibase\Repo\Hooks\LinkBeginHookHandler unstubs $wgLang unnecessarily during LinkBegin hook.Mar 29 2016, 6:04 PM

Change 280267 had a related patch set uploaded (by Anomie):
ResourceLoader: Don't call Title::newMainPage() when 'mainpage' is in $wgForceUIMsgAsContentMsg

https://gerrit.wikimedia.org/r/280267

gerritbot added a project: Patch-For-Review.Mar 29 2016, 6:19 PM

Legoktm closed subtask T129397: FlowHooks::onMessageCacheGet() may be called during load.php and depends on the session user language as Resolved.Mar 31 2016, 2:55 AM

Change 280267 merged by jenkins-bot:
resourceloader: Avoid Title::newMainPage() to support $wgForceUIMsgAsContentMsg

https://gerrit.wikimedia.org/r/280267

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-04-05_(1.27.0-wmf.20)).Apr 2 2016, 1:00 AM

Anomie removed a project: Patch-For-Review.Apr 2 2016, 6:53 AM

hoo closed subtask T131176: Wikibase\Repo\Hooks\LinkBeginHookHandler unstubs $wgLang unnecessarily during LinkBegin hook as Resolved.Apr 6 2016, 10:34 PM

Anomie closed subtask T130720: Have load.php set $wgLang and the RequestContext language as Declined.Apr 18 2016, 8:55 PM

Change 273373 merged by jenkins-bot:
Enforce load.php's no-session constraint

https://gerrit.wikimedia.org/r/273373

Change 287100 had a related patch set uploaded (by Anomie):
Warn on session access in profileinfo.php and opensearch_desc.php

https://gerrit.wikimedia.org/r/287100

gerritbot added a project: Patch-For-Review.May 5 2016, 3:36 PM

Change 287100 merged by jenkins-bot:
Warn on session access in profileinfo.php and opensearch_desc.php

https://gerrit.wikimedia.org/r/287100

Ricordisamoa subscribed.May 5 2016, 4:26 PM

Nikerabbit created subtask T134562: SMW triggers "Sessions are disabled for this entry point".May 6 2016, 10:41 AM

https://gerrit.wikimedia.org/r/#/c/273373/
That will give third parties about six months to fix/upgrade extensions.

Rather, it forces third parties such as translatewiki.net to report issues in extensions they do not maintain and revert this patch locally.

Why was no testing done with the most popular extensions and their developers notified so that they can start fixing the issue early?

In T127233#2269563, @Nikerabbit wrote:

Rather, it forces third parties such as translatewiki.net to report issues in extensions they do not maintain and revert this patch locally.

Why was no testing done with the most popular extensions and their developers notified so that they can start fixing the issue early?

Apologies if this caused problems. A notification was sent when the patch was merged, although I guess that's not much help for sites which use the master branch. Invalid use of sessions has raised warnings for a couple months now, but we did fail to adequately notify people about the importance of that.

The current reality is the the WMF is not committing development resources for extensions it itself does not use, so testing the most popular extensions is not an option (unless someone volunteers). Parties interested in changing that should probably work on T127312 or something similar.

If you want to identify further problematic extensions on your site, look for warning-level log events in the session channel with the text Sessions are supposed to be disabled for this entry point. If you have enabled structured logging, the log message will also contain a stack trace of there the session access happened.

I have been updating code quite regularly [1] but the warnings only started happening today. I also reverted 40accc9733a0998610d856874d84c8aec6f64c82 but that did not stop the warnings from showing up in error_log. What am I missing? It would also be helpful if $wgDevelopmentWarnings = true would forward these to error_log so I could possibly notice them in my development instance.

[1]

[13:23:27] -rakkaus:#mediawiki-i18n- [nike] updating translatewiki.net from b20e48d 2016-05-04 13:33:00  0200 (2 days ago)...
[13:25:43] -rakkaus:#mediawiki-i18n- [nike] updated translatewiki.net to 1b4fbb4 2016-05-06 12:24:16  0200 (2 minutes ago)

The warnings used to be sent to the session log channel. You can create a custom log handler that turns them into proper PHP warnings.

There are some endpoints that still log such warnings and will be turned into exceptions soon (opensearch_desc.php, profileinfo.php). That is unlikely to break third-party sites though as extensions don't hook into those endpoints.

I also reverted 40accc9733a0998610d856874d84c8aec6f64c82 but that did not stop the warnings from showing up in error_log.

That's weird. Do you have an example of such warnings?

The only other endpoint that throws exceptions currently is static.php which is part of the multiwiki setup and probably not used outside the WMF.

Since the error did not make sense, I restarted HHVM just in case and now the error does not appear anymore. Sorry for the noise.

ReleaseTaggerBot added projects: MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-05-10_(1.28.0-wmf.1)).May 10 2016, 1:02 PM

Krinkle unsubscribed.May 16 2016, 1:18 PM

• Tgr added a subtask: T135389: opensearch_desc calls Title::getLocalURL which unstubs wgUser on wikis with a variant.May 16 2016, 2:31 PM

phuedx mentioned this in T134955: Search overlay drops 1px when you type into input.Jun 14 2016, 9:05 AM

• Tgr closed subtask T134562: SMW triggers "Sessions are disabled for this entry point" as Declined.Nov 22 2016, 4:11 AM

Anomie mentioned this in T134562: SMW triggers "Sessions are disabled for this entry point".Nov 22 2016, 4:02 PM

• Tgr closed subtask T135389: opensearch_desc calls Title::getLocalURL which unstubs wgUser on wikis with a variant as Resolved.Nov 22 2016, 10:25 PM

There is a single instance of the Sessions are disabled for this entry point error in the last 30 days, on wikitech:
https://logstash.wikimedia.org/app/kibana#/doc/logstash-*/logstash-2016.10.28/mediawiki/?id=AVgL2K3tcJvqzGkjW53i

/srv/mediawiki/php-1.28.0-wmf.23/includes/session/SessionManager.php:308
/srv/mediawiki/php-1.28.0-wmf.23/includes/session/SessionManager.php:242
/srv/mediawiki/php-1.28.0-wmf.23/includes/session/SessionManager.php:192
/srv/mediawiki/php-1.28.0-wmf.23/includes/WebRequest.php:735
/srv/mediawiki/php-1.28.0-wmf.23/includes/user/User.php:1199
/srv/mediawiki/php-1.28.0-wmf.23/includes/user/User.php:404
/srv/mediawiki/php-1.28.0-wmf.23/includes/user/User.php:5125
/srv/mediawiki/php-1.28.0-wmf.23/includes/user/User.php:2768
/srv/mediawiki/php-1.28.0-wmf.23/includes/context/RequestContext.php:364
/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:364
/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:1188
/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:802
/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:902
/srv/mediawiki/php-1.28.0-wmf.23/includes/exception/MWExceptionRenderer.php:249
/srv/mediawiki/php-1.28.0-wmf.23/includes/exception/MWExceptionRenderer.php:334
/srv/mediawiki/php-1.28.0-wmf.23/includes/exception/MWExceptionRenderer.php:46
/srv/mediawiki/php-1.28.0-wmf.23/includes/exception/MWExceptionHandler.php:71
/srv/mediawiki/php-1.28.0-wmf.23/includes/exception/MWExceptionHandler.php:137
{
  "function": "handleException",
  "class": "MWExceptionHandler",
  "type": "::",
  "args": [
    {
      "class": "DBConnectionError",
      "message": "Cannot access the database: Can't connect to MySQL server on '208.80.154.136' (111) (208.80.154.136)",
      "code": 0,
      "file": "/srv/mediawiki/php-1.28.0-wmf.23/includes/libs/rdbms/database/Database.php:748",
      "trace": [
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/libs/rdbms/loadbalancer/LoadBalancer.php:897",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/libs/rdbms/loadbalancer/LoadBalancer.php:572",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/GlobalFunctions.php:3073",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:444",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:403",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:325",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:927",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:858",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:826",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/cache/MessageCache.php:767",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:1188",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:802",
        "/srv/mediawiki/php-1.28.0-wmf.23/includes/Message.php:902",
        "/srv/mediawiki/php-1.28.0-wmf.23/opensearch_desc.php:63",
        "/srv/mediawiki/w/opensearch_desc.php:3"
      ]
    }
  ]
}

Change 323057 had a related patch set uploaded (by Gergő Tisza):
Use content language when displaying exceptions / outage messages

https://gerrit.wikimedia.org/r/323057

Anomie mentioned this in T155314: Varnish does not cache Action API responses when logged in.Jan 17 2017, 6:09 PM

Anomie mentioned this in T66214: Define an official thumb API.Jan 27 2017, 4:32 PM

FYI when I reviewed the throttling code for porting over to Thumbor I also thought that the per-user thing was overkill and did it per-IP instead. It would make complete sense to simplify Mediawiki the same way and switch to per-IP throttling.

• Tgr added a project: User-Tgr.May 2 2017, 12:24 PM

FYI https://gerrit.wikimedia.org/r/#/c/394032/ (merged) is related to this task.

Oetterer mentioned this in T187769: "Sessions are disabled for this entry point" triggered by User->loadFromSession() despite MW_NO_SESSION.Feb 20 2018, 10:34 AM

Kghbln mentioned this in T187794: Arrays extension: BadMethodCallException from line 847 of /../w/includes/session/SessionManager.php: Sessions are disabled for this entry point.Feb 20 2018, 3:52 PM

Kghbln mentioned this in T187796: NumerAlpha extension: BadMethodCallException from line 847 of /../w/includes/session/SessionManager.php: Sessions are disabled for this entry point.Feb 20 2018, 4:00 PM

All subtasks appear to be resolved. Is this task ready to be closed as well?

Endpoints that look like they should not need sessions are: load.php, static.php, opensearch_desc.php, profileinfo.php. Probably also thumb.php

Done for load.php, still in "warn" mode for static.php, opensearch_desc.php, profileinfo.php. Not done for thumb.php and probably not easily doable as sessions are used for rate limiting and in some cases even for authentication, I think. So at least the three warn endpoints should be promoted to a full ban (after checking that there are no warnings).

I see no log entries in the past 60 days. Let's do it.

Change 464390 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] Enforce no-session constraint in opensearch_desc.php and profileinfo.php

https://gerrit.wikimedia.org/r/464390

Change 464391 had a related patch set uploaded (by Anomie; owner: Anomie):
[operations/mediawiki-config@master] Enforce no-session constraint in static.php

https://gerrit.wikimedia.org/r/464391

Change 464390 merged by jenkins-bot:
[mediawiki/core@master] Enforce no-session constraint in opensearch_desc.php and profileinfo.php

https://gerrit.wikimedia.org/r/464390

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-10-16 (1.32.0-wmf.26)).Oct 4 2018, 10:00 PM

Change 464391 merged by jenkins-bot:
[operations/mediawiki-config@master] Enforce no-session constraint in static.php

https://gerrit.wikimedia.org/r/464391

Mentioned in SAL (#wikimedia-operations) [2018-10-11T02:25:09Z] <krinkle@deploy1001> Synchronized w/static.php: T127233 - Ic6acb70 (duration: 00m 49s)

Tagging with MW-1.32-release. (Hopeful).

This is probably something that'd be better for end-users if it changes at once in the 1.32 cycle rather than spanning multiple cycles.

In T127233#4657355, @Krinkle wrote:

(Hopeful).

Isn't this task done? All the patches have been merged and all the subtasks have been resolved. thumb.php still uses sessions, but it's unclear if we even want to change that, and if we do, we need to support its use cases in some other way, and hard-deprecate, that's two more release cycles at least.

Yes, let's call this done. thumb.php currently does use the session data as noted above, changing that can be filed as a separate task if someone wants to follow up on it.

Wikimedia-specific endpoints were done in rOMWC9787bd822a9d: Set MW_NO_SESSION for various entry points in w/ and rOMWC0b0768521747: Fully set MW_NO_SESSION for browser metadata endpoints.

Krinkle awarded a token.Jul 7 2020, 7:54 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM

Change 323057 merged by jenkins-bot:

[mediawiki/core@master] Limit language logic when displaying exceptions / outage messages

https://gerrit.wikimedia.org/r/323057

Krinkle reassigned this task from Anomie to • Tgr.Feb 9 2024, 12:08 PM

Krinkle edited projects, added MediaWiki-Platform-Team; removed MW-1.32-release, MW-1.32-notes (WMF-deploy-2018-10-16 (1.32.0-wmf.26)), Patch-For-Review, MW-1.27-release-notes.

Krinkle added a subscriber: Anomie.