r43624 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r43623‎ \| r43624 \| r43625 >
Date:	18:58, 17 November 2008
Author:	brion
Status:	ok
Tags:
Comment:	* Improved input validation on Special:Import form Applying Tim's fixes
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/specials/SpecialImport.php (modified) (history) /trunk/phase3/languages/messages/MessagesEn.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/specials/SpecialImport.php
—	—	@@ -43,26 +43,30 @@
44	44	if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit') {
45	45	$isUpload = false;
46	46	$namespace = $wgRequest->getIntOrNull( 'namespace' );
	47	+ $sourceName = $wgRequest->getVal( "source" );
47	48
48		~~- switch( $wgRequest->getVal( "source" ) ) {~~
49		~~- case "upload":~~
	49	+ if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'editToken' ) ) ) {
	50	+ $source = new WikiErrorMsg( 'import-token-mismatch' );
	51	+ } elseif ( $sourceName == 'upload' ) {
50	52	$isUpload = true;
51	53	if( $wgUser->isAllowed( 'importupload' ) ) {
52	54	$source = ImportStreamSource::newFromUpload( "xmlimport" );
53	55	} else {
54	56	return $wgOut->permissionRequired( 'importupload' );
55	57	}
56		~~- break;~~
57		~~- case "interwiki":~~
	58	+ } elseif ( $sourceName == "interwiki" ) {
58	59	$interwiki = $wgRequest->getVal( 'interwiki' );
59		~~- $history = $wgRequest->getCheck( 'interwikiHistory' );~~
60		~~- $frompage = $wgRequest->getText( "frompage" );~~
61		~~- $source = ImportStreamSource::newFromInterwiki(~~
62		~~- $interwiki,~~
63		~~- $frompage,~~
64		~~- $history );~~
65		~~- break;~~
66		~~- default:~~
	60	+ if ( !in_array( $interwiki, $wgImportSources ) ) {
	61	+ $source = new WikiErrorMsg( "import-invalid-interwiki" );
	62	+ } else {
	63	+ $history = $wgRequest->getCheck( 'interwikiHistory' );
	64	+ $frompage = $wgRequest->getText( "frompage" );
	65	+ $source = ImportStreamSource::newFromInterwiki(
	66	+ $interwiki,
	67	+ $frompage,
	68	+ $history );
	69	+ }
	70	+ } else {
67	71	$source = new WikiErrorMsg( "importunknownsource" );
68	72	}
69	73
—	—	@@ -106,6 +110,7 @@
107	111	Xml::hidden( 'action', 'submit' ) .
108	112	Xml::hidden( 'source', 'upload' ) .
109	113	Xml::input( 'xmlimport', 50, '', array( 'type' => 'file' ) ) . ' ' .
	114	+ Xml::hidden( 'editToken', $wgUser->editToken() ) .
110	115	Xml::submitButton( wfMsg( 'uploadbtn' ) ) .
111	116	Xml::closeElement( 'form' ) .
112	117	Xml::closeElement( 'fieldset' )
—	—	@@ -124,6 +129,7 @@
125	130	wfMsgExt( 'import-interwiki-text', array( 'parse' ) ) .
126	131	Xml::hidden( 'action', 'submit' ) .
127	132	Xml::hidden( 'source', 'interwiki' ) .
	133	+ Xml::hidden( 'editToken', $wgUser->editToken() ) .
128	134	Xml::openElement( 'table', array( 'id' => 'mw-import-table' ) ) .
129	135	"<tr>
130	136	<td>" .
Index: trunk/phase3/languages/messages/MessagesEn.php
—	—	@@ -2803,6 +2803,8 @@
2804	2804	'import-nonewrevisions' => 'All revisions were previously imported.',
2805	2805	'xml-error-string' => '$1 at line $2, col $3 (byte $4): $5',
2806	2806	'import-upload' => 'Upload XML data',
	2807	+'import-token-mismatch' => 'Loss of session data. Please try again.',
	2808	+'import-invalid-interwiki' => 'Cannot import from the specified wiki.',
2807	2809
2808	2810	# Import log
2809	2811	'importlogpage' => 'Import log',
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -348,6 +348,7 @@
349	349	formatting and path exposure.
350	350	* Less verbose errors from profileinfo.php when not configured
351	351	* Blacklist redirects via Special:Filepath, hard to use.
	352	+* Improved input validation on Special:Import form
352	353
353	354
354	355	=== API changes in 1.14 ===

Follow-up revisions

Revision	Commit summary	Author	Date
r43626	Update messages.inc per r43624	siebrand	19:01, 17 November 2008
r43669	Backported r43621, r43622, r43623, r43624, r43625, r43627, r43660, r43661. Ne...	tstarling	11:36, 18 November 2008

Status & tagging log

22:14, 17 November 2008 Aaron Schulz (talk | contribs) changed the status of r43624 [removed: new added: ok]