r112534 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r112533 | r112534 | r112535 >
Date: 22:41, 27 February 2012
Author: catrope
Status: ok
Tags:
Comment:
In ResourceLoaderContext, normalize invalid skin names to $wgDefaultSkin. This should help a lot with the pollution of the module_deps table, which is currently littered with invalid skin names from people trying to hack the site. I found 3,897 (!!) distinct values for md_skin.

Sample from the query result:

| md_module | md_skin |
|-----------------------------|----------------------------------|
| ext.vector.collapsibleNav | vector' |
| ext.vector.collapsibleNav | vector' and 1=1-- |
| ext.vector.collapsibleNav | vector' and 1=2-- |
| ext.vector.collapsibleNav | vector')waitfor delay'0:0:20'-- |
| ext.vector.collapsibleNav | vector',0)waitfor delay'0:0:20'- |
| ext.vector.collapsibleNav | vector',0,0)waitfor delay'0:0:20 |
| ext.vector.collapsibleNav | vector',0,0,0)waitfor delay'0:0: |
| ext.vector.collapsibleNav | vector'waitfor delay'0:0:20'-- |
| ext.vector.collapsibleNav | vector../../../../../../../../.. |
[...]
| ext.vector.sectionEditLinks | vector<script src= |
| ext.vector.sectionEditLinks | vector?.tri.co.id/ |
| ext.vector.sectionEditLinks | vector??id=jCustomerWAPProv |
| ext.vector.sectionEditLinks | vector??id=wap.mauj.com.... |
| ext.vector.sectionEditLinks | vector?id=202.87.41.147.... |
| ext.vector.sectionEditLinks | vector?java |
| ext.vector.sectionEditLinks | vector?m.vuclip.com/ |
| ext.vector.sectionEditLinks | vector?toyota.co.id |
| ext.vector.sectionEditLinks | vectorGET |
| ext.vector.sectionEditLinks | vector]]>> |
| ext.vector.sectionEditLinks | vector`ping -c 20 127.0.0.1` |
| ext.vector.sectionEditLinks | vector|echo 9e7f7fd5750593ab cef |
| ext.vector.sectionEditLinks | vector|ping -c 20 127.0.0.1||x |

Modified paths:
  • /trunk/phase3/includes/resourceloader/ResourceLoaderContext.php (modified)

Diff

Index: trunk/phase3/includes/resourceloader/ResourceLoaderContext.php
@@ -63,7 +63,9 @@
6464 $this->only = $request->getVal( 'only' );
6565 $this->version = $request->getVal( 'version' );
6666
67 - if ( !$this->skin ) {
 67+ $skinnames = Skin::getSkinNames();
 68+ // If no skin is specified, or we don't recognize the skin, use the default skin
 69+ if ( !$this->skin || !isset( $skinnames[$this->skin] ) ) {
6870 $this->skin = $wgDefaultSkin;
6971 }
7072 }
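
Review bot: The `isset( $skinnames[$this->skin] )` test on new line 69 is an exact match against the array keys, so a request that names a valid skin in a different letter case is treated as unknown and silently switched to `$wgDefaultSkin`. If the keys returned by `Skin::getSkinNames()` are normalized (for example lowercased), apply the same normalization to `$this->skin` before the lookup, or extend the comment on new line 68 to say the match is intentionally exact. `$wgDefaultSkin` is also assigned without being checked against `$skinnames`, so a misconfigured default would still reach the context unvalidated. The `only` and `version` values a few lines up are still taken from the request verbatim, which is worth a follow-up if either ends up in a stored key the way the skin did.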

Sign-offs

| User | Flag | Date |
|------|------|------|
| Nikerabbit | inspected | 07:18, 28 February 2012 |

Follow-up revisions

| Revision | Commit summary | Author | Date |
|----------|----------------|--------|------|
| r112564 | MFT r112563, r112533, r112534 | aaron | 02:09, 28 February 2012 |
| r112647 | MFT r112384, r112400, r112408, r112451, r112456, r112474, r112526, r112533, r... | reedy | 21:21, 28 February 2012 |
