r103745 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r103744‎ | r103745 | r103746 >
Date:10:55, 20 November 2011
Author:catrope
Status:ok
Tags:
Comment:
(bug 26854) Invalid user names go unchecked. Applied most of the patch submitted by Søren Løvborg, checking for null return values from User::newFromName()
Modified paths:
  • /trunk/phase3/CREDITS (modified) (history)
  • /trunk/phase3/includes/Article.php (modified) (history)
  • /trunk/phase3/includes/EditPage.php (modified) (history)
  • /trunk/phase3/includes/Skin.php (modified) (history)
  • /trunk/phase3/includes/WikiPage.php (modified) (history)
  • /trunk/phase3/includes/api/ApiBase.php (modified) (history)
  • /trunk/phase3/includes/job/DoubleRedirectJob.php (modified) (history)
  • /trunk/phase3/includes/job/EnotifNotifyJob.php (modified) (history)
  • /trunk/phase3/includes/specials/SpecialBlockme.php (modified) (history)
  • /trunk/phase3/maintenance/changePassword.php (modified) (history)
  • /trunk/phase3/maintenance/cleanupSpam.php (modified) (history)
  • /trunk/phase3/maintenance/deleteBatch.php (modified) (history)
  • /trunk/phase3/maintenance/deleteDefaultMessages.php (modified) (history)
  • /trunk/phase3/maintenance/moveBatch.php (modified) (history)
  • /trunk/phase3/maintenance/protect.php (modified) (history)
  • /trunk/phase3/maintenance/reassignEdits.php (modified) (history)
  • /trunk/phase3/maintenance/undelete.php (modified) (history)

Diff [purge]

Index: trunk/phase3/maintenance/protect.php
@@ -47,6 +47,10 @@
4848 }
4949
5050 $wgUser = User::newFromName( $userName );
 51+ if ( !$wgUser ) {
 52+ $this->error( "Invalid username", true );
 53+ }
 54+
5155 $restrictions = array( 'edit' => $protection, 'move' => $protection );
5256
5357 $t = Title::newFromText( $this->getArg() );
Index: trunk/phase3/maintenance/undelete.php
@@ -44,6 +44,9 @@
4545 $this->error( "Invalid title", true );
4646 }
4747 $wgUser = User::newFromName( $user );
 48+ if ( !$wgUser ) {
 49+ $this->error( "Invalid username", true );
 50+ }
4851 $archive = new PageArchive( $title );
4952 $this->output( "Undeleting " . $title->getPrefixedDBkey() . '...' );
5053 $archive->undelete( array(), $reason );
Index: trunk/phase3/maintenance/moveBatch.php
@@ -67,6 +67,9 @@
6868 $this->error( "Unable to read file, exiting", true );
6969 }
7070 $wgUser = User::newFromName( $user );
 71+ if ( !$wgUser ) {
 72+ $this->error( "Invalid username", true );
 73+ }
7174
7275 # Setup complete, now start
7376 $dbw = wfGetDB( DB_MASTER );
Index: trunk/phase3/maintenance/changePassword.php
@@ -43,7 +43,7 @@
4444 } else {
4545 $this->error( "A \"user\" or \"userid\" must be set to change the password for" , true );
4646 }
47 - if ( !$user->getId() ) {
 47+ if ( !$user || !$user->getId() ) {
4848 $this->error( "No such user: " . $this->getOption( 'user' ), true );
4949 }
5050 try {
Index: trunk/phase3/maintenance/deleteBatch.php
@@ -63,6 +63,9 @@
6464 $this->error( "Unable to read file, exiting", true );
6565 }
6666 $wgUser = User::newFromName( $user );
 67+ if ( !$wgUser ) {
 68+ $this->error( "Invalid username", true );
 69+ }
6770 $dbw = wfGetDB( DB_MASTER );
6871
6972 # Handle each entry
Index: trunk/phase3/maintenance/deleteDefaultMessages.php
@@ -56,6 +56,9 @@
5757 # in order to hide it in RecentChanges.
5858 global $wgUser;
5959 $wgUser = User::newFromName( $user );
 60+ if ( !$wgUser ) {
 61+ $this->error( "Invalid username", true );
 62+ }
6063 $wgUser->addGroup( 'bot' );
6164
6265 # Handle deletion
Index: trunk/phase3/maintenance/reassignEdits.php
@@ -160,6 +160,9 @@
161161 $user->setName( $username );
162162 } else {
163163 $user = User::newFromName( $username );
 164+ if ( !$user ) {
 165+ $this->error( "Invalid username", true );
 166+ }
164167 }
165168 $user->load();
166169 return $user;
Index: trunk/phase3/maintenance/cleanupSpam.php
@@ -36,6 +36,9 @@
3737
3838 $username = wfMsg( 'spambot_username' );
3939 $wgUser = User::newFromName( $username );
 40+ if ( !$wgUser ) {
 41+ $this->error( "Invalid username", true );
 42+ }
4043 // Create the user if necessary
4144 if ( !$wgUser->getId() ) {
4245 $wgUser->addToDatabase();
Index: trunk/phase3/CREDITS
@@ -163,6 +163,7 @@
164164 * Scott Colcord
165165 * Simon Walker
166166 * Solitarius
 167+* Søren Løvborg
167168 * Stefano Codari
168169 * Str4nd
169170 * svip
Index: trunk/phase3/includes/Article.php
@@ -928,7 +928,7 @@
929929 $user = User::newFromName( $rootPart, false /* allow IP users*/ );
930930 $ip = User::isIP( $rootPart );
931931
932 - if ( !$user->isLoggedIn() && !$ip ) { # User does not exist
 932+ if ( !($user && $user->isLoggedIn()) && !$ip ) { # User does not exist
933933 $wgOut->wrapWikiMsg( "<div class=\"mw-userpage-userdoesnotexist error\">\n\$1\n</div>",
934934 array( 'userpage-userdoesnotexist-view', wfEscapeWikiText( $rootPart ) ) );
935935 } elseif ( $user->isBlocked() ) { # Show log extract if the user is currently blocked
Index: trunk/phase3/includes/EditPage.php
@@ -1475,7 +1475,7 @@
14761476 $username = $parts[0];
14771477 $user = User::newFromName( $username, false /* allow IP users*/ );
14781478 $ip = User::isIP( $username );
1479 - if ( !$user->isLoggedIn() && !$ip ) { # User does not exist
 1479+ if ( !($user && $user->isLoggedIn()) && !$ip ) { # User does not exist
14801480 $wgOut->wrapWikiMsg( "<div class=\"mw-userpage-userdoesnotexist error\">\n$1\n</div>",
14811481 array( 'userpage-userdoesnotexist', wfEscapeWikiText( $username ) ) );
14821482 } elseif ( $user->isBlocked() ) { # Show log extract if the user is currently blocked
Index: trunk/phase3/includes/api/ApiBase.php
@@ -1301,7 +1301,7 @@
13021302 public function getWatchlistUser( $params ) {
13031303 if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {
13041304 $user = User::newFromName( $params['owner'], false );
1305 - if ( !$user->getId() ) {
 1305+ if ( !($user && $user->getId()) ) {
13061306 $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
13071307 }
13081308 $token = $user->getOption( 'watchlisttoken' );
Index: trunk/phase3/includes/job/DoubleRedirectJob.php
@@ -180,6 +180,7 @@
181181 function getUser() {
182182 if ( !self::$user ) {
183183 self::$user = User::newFromName( wfMsgForContent( 'double-redirect-fixer' ), false );
 184+ # FIXME: newFromName could return false on a badly configured wiki.
184185 if ( !self::$user->isLoggedIn() ) {
185186 self::$user->addToDatabase();
186187 }
Index: trunk/phase3/includes/job/EnotifNotifyJob.php
@@ -24,6 +24,7 @@
2525 $editor = User::newFromId( $this->params['editorID'] );
2626 // B/C, only the name might be given.
2727 } else {
 28+ # FIXME: newFromName could return false on a badly configured wiki.
2829 $editor = User::newFromName( $this->params['editor'], false );
2930 }
3031 $enotif->actuallyNotifyOnPageChange(
Index: trunk/phase3/includes/WikiPage.php
@@ -2322,7 +2322,9 @@
23232323 # User talk pages
23242324 if ( $title->getNamespace() == NS_USER_TALK ) {
23252325 $user = User::newFromName( $title->getText(), false );
2326 - $user->setNewtalk( false );
 2326+ if ( $user ) {
 2327+ $user->setNewtalk( false );
 2328+ }
23272329 }
23282330
23292331 # Image redirects
Index: trunk/phase3/includes/specials/SpecialBlockme.php
@@ -45,6 +45,7 @@
4646 }
4747
4848 $user = User::newFromName( wfMsgForContent( 'proxyblocker' ) );
 49+ # FIXME: newFromName could return false on a badly configured wiki.
4950 if ( !$user->isLoggedIn() ) {
5051 $user->addToDatabase();
5152 }
Index: trunk/phase3/includes/Skin.php
@@ -269,7 +269,7 @@
270270 $this->mRelevantUser = User::newFromName( $rootUser, false );
271271 } else {
272272 $user = User::newFromName( $rootUser, false );
273 - if ( $user->isLoggedIn() ) {
 273+ if ( $user && $user->isLoggedIn() ) {
274274 $this->mRelevantUser = $user;
275275 }
276276 }

Follow-up revisions

RevisionCommit summaryAuthorDate
r103751In the spirit of r103745, guard against invalid user names in SpecialContribu...catrope11:29, 20 November 2011

Status & tagging log