r101329 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r101328‎ | r101329 | r101330 >
Date:00:09, 31 October 2011
Author:cryptocoryne
Status:resolved (Comments)
Tags:
Comment:
Fixing and improvement code of CheckUser API module
Modified paths:
  • /trunk/extensions/CheckUser/api/ApiQueryCheckUser.php (modified) (history)
  • /trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php (modified) (history)

Diff [purge]

Index: trunk/extensions/CheckUser/api/ApiQueryCheckUser.php
@@ -13,21 +13,19 @@
1414
1515 $db = $this->getDB( DB_SLAVE );
1616 $params = $this->extractRequestParams();
 17+ extract( $params );
1718
1819 if ( !$wgUser->isAllowed( 'checkuser' ) ) {
1920 $this->dieUsage( 'You need the checkuser right', 'permissionerror' );
2021 }
2122
22 - if ( $wgCheckUserForceSummary && is_null( $params['reason'] ) ) {
23 - $this->dieUsage( 'You need define reason for check', 'missingdata' );
 23+ if ( $wgCheckUserForceSummary && is_null( $reason ) ) {
 24+ $this->dieUsage( 'You must define reason for check', 'missingdata' );
2425 }
2526
26 - $limit = $params['limit'];
27 - $target = $params['target'];
28 - $reason = wfMsgForContent( 'checkuser-reason-api', $params['reason'] );
 27+ $reason = wfMsgForContent( 'checkuser-reason-api', $reason );
2928 $time = wfTimestamp( TS_MW,
30 - strtotime( 'now' ) - ( strtotime( $params['timecond'] ? $params['timecond'] : '2 weeks' ) - strtotime( 'now'
31 - ) )
 29+ strtotime( 'now' ) - ( strtotime( $timecond ? $timecond : '2 weeks' ) - strtotime( 'now' ) )
3230 );
3331 if ( !$time ) {
3432 $this->dieUsage( 'You need use correct time limit (like "2 weeks")', 'invalidtime' );
@@ -38,7 +36,7 @@
3937 $this->addOption( 'ORDER BY', 'cuc_timestamp DESC' );
4038 $this->addWhere( "cuc_timestamp > $time" );
4139
42 - switch ( $params['request'] ) {
 40+ switch ( $request ) {
4341 case 'userips':
4442 $user_id = User::idFromName( $target );
4543 if ( !$user_id ) {
@@ -77,7 +75,7 @@
7876 break;
7977
8078 case 'edits':
81 - if ( IP::isIPAddress( $target ) && isset( $params['xff'] ) ) {
 79+ if ( IP::isIPAddress( $target ) && isset( $xff ) ) {
8280 $cond = CheckUser::getIpConds( $db, $target, true );
8381 if ( !$cond ) {
8482 $this->dieUsage( 'IP or range is invalid', 'invalidip' );
@@ -100,7 +98,8 @@
10199 $log_type = array( 'useredits', 'user' );
102100 }
103101
104 - $this->addFields( array( 'cuc_namespace', 'cuc_title', 'cuc_user_text', 'cuc_actiontext', 'cuc_comment', 'cuc_minor', 'cuc_timestamp', 'cuc_ip', 'cuc_xff', 'cuc_agent' )
 102+ $this->addFields( array( 'cuc_namespace', 'cuc_title', 'cuc_user_text', 'cuc_actiontext',
 103+ 'cuc_comment', 'cuc_minor', 'cuc_timestamp', 'cuc_ip', 'cuc_xff', 'cuc_agent' )
105104 );
106105
107106 $res = $this->select( __METHOD__ );
@@ -130,13 +129,13 @@
131130 $edits[] = $edit;
132131 }
133132
134 - CheckUser::addLogEntry( $log_type[0], $log_type[1], $target, $reason, $user_id ? $user_id : '0' );
 133+ CheckUser::addLogEntry( $log_type[0], $log_type[1], $target, $reason, isset($user_id) ? $user_id : '0' );
135134 $result->addValue( array( 'query', $this->getModuleName() ), 'edits', $edits );
136135 $result->setIndexedTagName_internal( array( 'query', $this->getModuleName(), 'edits' ), 'action' );
137136 break;
138137
139138 case 'ipusers':
140 - if ( IP::isIPAddress( $target ) && isset( $params['xff'] ) ) {
 139+ if ( IP::isIPAddress( $target ) && isset( $xff ) ) {
141140 $cond = CheckUser::getIpConds( $db, $target, true );
142141 $this->addWhere( $cond );
143142 } elseif ( IP::isIPAddress( $target ) ) {
@@ -205,7 +204,7 @@
206205 public function getAllowedParams() {
207206 return array(
208207 'request' => array(
209 - ApiBase::PARAM_REQUIRED => false,
 208+ ApiBase::PARAM_REQUIRED => true,
210209 ApiBase::PARAM_TYPE => array(
211210 'userips',
212211 'edits',
@@ -224,6 +223,7 @@
225224 ApiBase::PARAM_MAX2 => 5000,
226225 ),
227226 'timecond' => null,
 227+ 'xff' => null,
228228 );
229229 }
230230
@@ -239,6 +239,7 @@
240240 'reason' => 'Reason to check',
241241 'limit' => 'Limit of rows',
242242 'timecond' => 'Time limit of user data (like "2 weeks")',
 243+ 'xff' => 'Use xff data instead of IP',
243244 );
244245 }
245246
@@ -261,7 +262,7 @@
262263 public function getExamples() {
263264 return array(
264265 'api.php?action=query&list=checkuser&curequest=userips&cutarget=Jimbo_Wales',
265 - 'api.php?action=query&list=checkuser&curequest=edits&cutarget=127.0.0.1/16/xff&cureason=Some_check',
 266+ 'api.php?action=query&list=checkuser&curequest=edits&cutarget=127.0.0.1/16&xff=1&cureason=Some_check',
266267 );
267268 }
268269
Index: trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php
@@ -16,17 +16,12 @@
1717 if ( !$wgUser->isAllowed( 'checkuser-log' ) ) {
1818 $this->dieUsage( 'You need the checkuser-log right', 'permissionerror' );
1919 }
 20+
 21+ extract( $params );
2022
21 - $user = $params['user'];
22 - $limit = $params['limit'];
23 - $target = $params['target'];
24 - $from = $params['from'];
25 - $to = $params['to'];
26 -
2723 $this->addTables( 'cu_log' );
2824 $this->addOption( 'LIMIT', $limit + 1 );
2925 $this->addWhereRange( 'cul_timestamp', 'older', $from, $to );
30 -
3126 $this->addFields( array( 'cul_timestamp', 'cul_user_text', 'cul_reason', 'cul_type', 'cul_target_text' ) );
3227
3328 if ( isset( $user ) ) {

Follow-up revisions

RevisionCommit summaryAuthorDate
r101524fixed potential vulnerability and bad codecryptocoryne20:43, 1 November 2011

Comments

#Comment by Nikerabbit (talk | contribs)   06:36, 31 October 2011

I wouldn't call using extract() as an improvement.

#Comment by Cryptocoryne (talk | contribs)   13:02, 1 November 2011

Ok, better solution in this code is simple reverting extract()'s calls or add a prefix with EXTR_PREFIX_ALL (probably, this prevents potential vulnerabilities)?

I see using extract() in CheckUserHooks, where there is no user input.

#Comment by Cryptocoryne (talk | contribs)   20:44, 1 November 2011

Fixed in r101524.

Status & tagging log