r40949 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r40948 | r40949 | r40950
Date: 07:42, 17 September 2008
Author: siebrand
Status: old
Tags:
Comment:
Backport r40946: Work around misconfiguration by requiring strict comparisons for in_array in User::isAllowed().

See http://lists.wikimedia.org/pipermail/wikitech-l/2008-September/039449.html for details.
Modified paths:
  • /branches/REL1_13/phase3/RELEASE-NOTES (modified)
  • /branches/REL1_13/phase3/includes/User.php (modified)

Diff

Index: branches/REL1_13/phase3/includes/User.php
@@ -1859,7 +1859,11 @@
18601860 // In the spirit of DWIM
18611861 return true;
18621862
1863 - return in_array( $action, $this->getRights() );
 1863+ // PHP is stupid.
 1864+ // > $f = array( 'foo', 'bar', 'baz', 0, 'anne' );
 1865+ // > print in_array( 'blah', $f );
 1866+ // 1
 1867+ return in_array( $action, $this->getRights(), true );
18641868 }
18651869
18661870 /**
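
Review bot: The comment added above the new return ("PHP is stupid." followed by the interactive snippet) does not say what goes wrong in isAllowed() itself. As the snippet shows, a loose in_array() matches the string 'blah' against the integer 0 element, so a single 0 in the array returned by getRights() would make this check succeed for every $action. Suggest replacing the comment with one that states this consequence and that the third argument true is what prevents it. Since the commit message describes this as a workaround for misconfiguration, it is also worth considering whether getRights() should drop non-string entries, so the rights list is clean at its source rather than only at this one comparison.
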
Index: branches/REL1_13/phase3/RELEASE-NOTES
@@ -3,6 +3,10 @@
44 Security reminder: MediaWiki does not require PHP's register_globals
55 setting since version 1.2.0. If you have it on, turn it *off* if you can.
66
 7+== MediaWiki 1.13.2 ==
 8+* Security: Work around misconfiguration by requiring strict comparisons for
 9+ in_array in User::isAllowed().
 10+
711 == MediaWiki 1.13.1 ==
812
913 September 6, 2008
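
Review bot: The new 1.13.2 entry says only "Work around misconfiguration", which does not let an administrator reading RELEASE-NOTES judge whether their wiki is affected or what the impact is. Suggest saying what kind of configuration triggers the problem and that, with it, User::isAllowed() could report a right the user does not hold. The details currently live only in the mailing list post referenced from the commit message, so a pointer to it in this entry would help.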

Follow-up revisions

Revision | Commit summary | Author | Date
r41050 | More descriptive comment for r40948/r40949 | tstarling | 03:50, 20 September 2008

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r40946 | Work around misconfiguration by requiring strict comparisons for in_array in ... | werdna | 07:26, 17 September 2008