r40948 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r40947 | r40948 | r40949
Date: 07:42, 17 September 2008
Author: siebrand
Status: old
Tags:
Comment:
Backport r40946: Work around misconfiguration by requiring strict comparisons for in_array in User::isAllowed().

See http://lists.wikimedia.org/pipermail/wikitech-l/2008-September/039449.html for details.
Modified paths:
  • /branches/REL1_12/phase3/RELEASE-NOTES (modified)
  • /branches/REL1_12/phase3/includes/User.php (modified)

Diff

Index: branches/REL1_12/phase3/includes/User.php
@@ -1762,7 +1762,11 @@
17631763 // In the spirit of DWIM
17641764 return true;
17651765
1766 - return in_array( $action, $this->getRights() );
 1766+ // PHP is stupid.
 1767+ // > $f = array( 'foo', 'bar', 'baz', 0, 'anne' );
 1768+ // > print in_array( 'blah', $f );
 1769+ // 1
 1770+ return in_array( $action, $this->getRights(), true );
17671771 }
17681772
17691773 /**
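
Review bot: The comment added at +1766 to +1769 ("PHP is stupid." followed by a console transcript) shows the symptom but does not say what the cause is or why it matters for a permission check. in_array() compares loosely unless its third argument is true, which is why the integer 0 in the sample array matches the string 'blah'; in isAllowed() the same thing means one non-string entry in the array returned by getRights() can make the check pass for an $action that is not in the list. Suggest replacing the comment with a sentence that states this directly, and noting that with the strict flag set, a match now requires $action and the entry to be the same type, so a non-string $action will be denied.
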
Index: branches/REL1_12/phase3/RELEASE-NOTES
@@ -4,8 +4,9 @@
55 setting since version 1.2.0. If you have it on, turn it *off* if you can.
66
77 == MediaWiki 1.12.1 ==
 8+* Security: Work around misconfiguration by requiring strict comparisons for
 9+ in_array in User::isAllowed().
810
9 -
1011 Changes since 1.12.0:
1112
1213 * (bug 13522) Fix fatal error in Parser::extractTagsAndParams
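
Review bot: The release note added at +8 and +9 says "misconfiguration" without naming what is misconfigured or what the effect is, so an administrator reading it cannot tell whether their wiki is affected or how urgent the upgrade is. Suggest stating the condition (a non-string value ending up in the rights list checked by User::isAllowed()) and the consequence (the permission check passing when it should not). The entry also sits directly under "== MediaWiki 1.12.1 ==" and above the "Changes since 1.12.0:" line rather than in the list below it; if that placement is meant to highlight the security fix, a short heading would make the intent clear.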

Follow-up revisions

Revision | Commit summary | Author | Date
r41050 | More descriptive comment for r40948/r40949 | tstarling | 03:50, 20 September 2008

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r40946 | Work around misconfiguration by requiring strict comparisons for in_array in ... | werdna | 07:26, 17 September 2008