r100306 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r100305‎ \| r100306 \| r100307 >
Date:	00:45, 20 October 2011
Author:	johnduhart
Status:	ok
Tags:
Comment:	Followup r100165, fix SQL injections and conditions
Modified paths:	/trunk/extensions/CheckUser/api/ApiQueryCheckUser.php (modified) (history) /trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php (modified) (history)

Diff [purge]

Index: trunk/extensions/CheckUser/api/ApiQueryCheckUser.php
—	—	@@ -46,7 +46,7 @@
47	47	}
48	48
49	49	$this->addFields( array( 'cuc_timestamp', 'cuc_ip', 'cuc_xff' ) );
50		~~- $this->addWhere( "cuc_user_text = '$target'" );~~
	50	+ $this->addWhereFld( 'cuc_user_text', $target );
51	51	$res = $this->select( __METHOD__ );
52	52	$result = $this->getResult();
53	53
—	—	@@ -84,21 +84,21 @@
85	85	if ( !$cond ) {
86	86	$this->dieUsage( 'IP or range is invalid', 'invalidip' );
87	87	}
88		~~- $this->addWhere( "$cond" );~~
	88	+ $this->addWhere( $cond );
89	89	$log_type = array( 'ipedits-xff', 'ip' );
90	90	} elseif ( IP::isIPAddress( $target ) ) {
91	91	$cond = CheckUser::getIpConds( $db, $target );
92	92	if ( !$cond ) {
93	93	$this->dieUsage( 'IP or range is invalid', 'invalidip' );
94	94	}
95		~~- $this->addWhere( "$cond" );~~
	95	+ $this->addWhere( $cond );
96	96	$log_type = array( 'ipedits', 'ip' );
97	97	} else {
98	98	$user_id = User::idFromName( $target );
99	99	if ( !$user_id ) {
100	100	$this->dieUsage( 'Target user is not exists', 'nosuchuser' );
101	101	}
102		~~- $this->addWhere( "cuc_user_text = '$target'" );~~
	102	+ $this->addWhereFld( 'cuc_user_text', $target );
103	103	$log_type = array( 'useredits', 'user' );
104	104	}
105	105
Index: trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php
—	—	@@ -25,24 +25,16 @@
26	26
27	27	$this->addTables( 'cu_log' );
28	28	$this->addOption( 'LIMIT', $limit + 1 );
29		~~- $this->addOption( 'ORDER BY', 'cul_timestamp DESC' );~~
	29	+ $this->addWhereRange( 'cul_timestamp', 'older', $from, $to );
30	30
31	31	$this->addFields( array( 'cul_timestamp', 'cul_user_text', 'cul_reason', 'cul_type', 'cul_target_text' ) );
32	32
33	33	if ( isset( $user ) ) {
34		~~- $this->addWhere( "cul_user_text = '$user'" );~~
	34	+ $this->addWhereFld( 'cul_user_text', $user );
35	35	}
36	36	if ( isset( $target ) ) {
37		~~- $this->addWhere( "cul_target_text = '$target'" );~~
	37	+ $this->addWhereFld( 'cul_target_text', $target );
38	38	}
39		~~- if ( isset( $from ) && isset( $to ) ) {~~
40		~~- $this->addWhere( "cul_timestamp BETWEEN '$from' AND '$to'" );~~
41		~~- unset( $from, $to );~~
42		~~- } elseif ( isset( $from ) ) {~~
43		~~- $this->addWhere( "cul_timestamp < $from" );~~
44		~~- } elseif ( isset( $to ) ) {~~
45		~~- $this->addWhere( "cul_timestamp > $to" );~~
46		~~- }~~
47	39
48	40	$res = $this->select( __METHOD__ );
49	41	$result = $this->getResult();

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r100165	Adds API Module by cryptocoryne...	johnduhart	21:37, 18 October 2011

Status & tagging log

16:27, 21 December 2011 Catrope (talk | contribs) changed the status of r100306 [removed: new added: ok]