r48485 MediaWiki - Code Review archive

Repository:MediaWiki
Date:13:18, 17 March 2009
Author:werdna
Status:ok
Tags:
Comment:
Prevent leaking of hidden filters through history interface.
Modified paths:
  • /trunk/extensions/AbuseFilter/AbuseFilter.class.php (modified) (history)
  • /trunk/extensions/AbuseFilter/AbuseFilter.i18n.php (modified) (history)
  • /trunk/extensions/AbuseFilter/Views/AbuseFilterViewHistory.php (modified) (history)


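--- a/trunk/extensions/AbuseFilter/Views/AbuseFilterViewHistory.php
+++ b/trunk/extensions/AbuseFilter/Views/AbuseFilterViewHistory.php
@@ -21,9 +21,17 @@
 $wgOut->setPageTitle( wfMsg( 'abusefilter-history', $filter ) );
 else
 $wgOut->setPageTitle( wfMsg( 'abusefilter-filter-log' ) );
+
+## Check perms
+if ( $filter &&
+!$wgUser->isAllowed( 'abusefilter-modify' ) &&
+AbuseFilter::filterHidden( $filter ) ) {
+$wgOut->addWikiMsg( 'abusefilter-history-error-hidden' );
+return;
+}
 
+## Useful links
 $sk = $wgUser->getSkin();
-
 $links = array();
 if ($filter)
 $links['abusefilter-history-backedit'] = $this->getTitle( $filter );
@@ -35,12 +43,14 @@
 $backlinks = $wgLang->pipeList( $links );
 $wgOut->addHTML( Xml::tags( 'p', null, $backlinks ) );
 
+## For user
 $user = $wgRequest->getText( 'user' );
 if ($user) {
 $wgOut->setSubtitle(
 wfMsg(
 'abusefilter-history-foruser',
-$sk->userLink( 1 /* We don't really need to get a user ID */, $user )
+$sk->userLink( 1 /* We don't really need to get a user ID */, $user ),
+$user // For GENDER
 )
 );
 }
@@ -187,31 +197,47 @@
 
 function getQueryInfo() {
 $info = array(
-'tables' => 'abuse_filter_history',
+'tables' => array( 'abuse_filter_history', 'abuse_filter' ),
 'fields' => array(
-'afh_filter',
-'afh_timestamp',
-'afh_user_text',
-'afh_public_comments',
-'afh_flags',
-'afh_comments',
-'afh_actions',
-'afh_id',
-'afh_user',
-'afh_changed_fields',
-'afh_pattern',
-'afh_id' ),
+'afh_filter',
+'afh_timestamp',
+'afh_user_text',
+'afh_public_comments',
+'afh_flags',
+'afh_comments',
+'afh_actions',
+'afh_id',
+'afh_user',
+'afh_changed_fields',
+'afh_pattern',
+'afh_id',
+'af_hidden'
+),
 'conds' => array(),
+'join_conds' => array(
+'abuse_filter' =>
+array(
+'LEFT JOIN',
+'afh_filter=af_id',
+),
+),
 );
 
-global $wgRequest;
+global $wgRequest, $wgUser;
+
 if ($this->mUser) {
 $info['conds']['afh_user_text'] = $this->mUser;
 }
+
 if ( $this->mFilter ) {
 $info['conds']['afh_filter'] = $this->mFilter;
 }
 
+if ( !$wgUser->isAllowed( 'abusefilter-modify' ) ) {
+// Hide data the user can't see.
+$info['conds']['af_hidden'] = 0;
+}
+
 return $info;
 }
 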
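Review bot: The new `$info['conds']['af_hidden'] = 0` condition in getQueryInfo effectively turns the added LEFT JOIN into an inner join for unprivileged users, because a history row whose afh_filter has no matching abuse_filter row yields NULL for af_hidden and `af_hidden = 0` does not match NULL, so such rows (if they can exist) silently disappear. If that is the intended conservative behaviour the comment should say so, e.g. `// Hide data the user can't see; rows whose filter no longer exists are hidden too.`, otherwise the condition needs to accept NULL as well. The re-indented field list on the new side still lists `'afh_id'` twice (new lines 210 and 214), which this rewrite could have dropped. The `abusefilter-modify` check is now duplicated between the first hunk and this one; a single helper for "may see hidden filters" would keep the two in sync if the right ever changes.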
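--- a/trunk/extensions/AbuseFilter/AbuseFilter.class.php
+++ b/trunk/extensions/AbuseFilter/AbuseFilter.class.php
@@ -202,6 +202,16 @@
 
 return strval($row->af_pattern);
 }
+
+public static function filterHidden( $filter ) {
+$dbr = wfGetDB( DB_SLAVE );
+$hidden = $dbr->selectField( 'abuse_filter',
+'af_hidden',
+array( 'af_id' => $filter ),
+__METHOD__
+);
+return $hidden ? true : false;
+}
 
 public static function ajaxCheckFilterWithVars( $filter, $vars ) {
 global $wgUser;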
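Review bot: filterHidden() returns false both when the filter exists with af_hidden set to 0 and when no abuse_filter row matches $filter, since selectField() returns false for a missing row, so the permission check in AbuseFilterViewHistory treats an unknown filter id as viewable and falls through to the pager. That is only safe because the pager's own query re-applies the af_hidden condition, which is not obvious from this method; a docblock should state it, e.g. `/** Whether $filter refers to an existing filter flagged af_hidden; false for unknown ids. Reads the slave DB. */`. The final line can simply be `return (bool)$hidden;`.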
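--- a/trunk/extensions/AbuseFilter/AbuseFilter.i18n.php
+++ b/trunk/extensions/AbuseFilter/AbuseFilter.i18n.php
@@ -301,6 +301,7 @@
 'abusefilter-history-select-user' => 'User:',
 'abusefilter-history-select-submit' => 'Refine',
 'abusefilter-history-diff' => 'Changes',
+'abusefilter-history-error-hidden' => 'The filter you requested is hidden, and you cannot view its history.',
 
 // Exceptions
 'abusefilter-exception-unexpectedatend' => 'Unexpected "$2" at character $1.',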
