r69952 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r69951‎ \| r69952 \| r69953 >
Date:	17:41, 26 July 2010
Author:	platonides
Status:	resolved
Tags:
Comment:	Close the web page when it is disabled. Fix XSS in filter parameter. Normal setups (with $wgEnableProfileInfo = false) are not affected.
Modified paths:	/trunk/phase3/profileinfo.php (modified) (history)

Diff [purge]

Index: trunk/phase3/profileinfo.php
—	—	@@ -65,7 +65,8 @@
66	66	<?php
67	67
68	68	if ( !$wgEnableProfileInfo ) {
69		~~- echo "disabled\n";~~
	69	+ echo "<p>Disabled</p>\n";
	70	+ echo "</body></html>";
70	71	exit( 1 );
71	72	}
72	73
—	—	@@ -251,8 +252,8 @@
252	253	if ( $_expand === false )
253	254	$_expand = $expand;
254	255
255		~~- $nfilter = $_filter ? $_filter : $filter;~~
256		~~- $nsort = $_sort ? $_sort : $sort;~~
	256	+ $nfilter = $_filter ? htmlspecialchars( $_filter ) : htmlspecialchars( $filter );
	257	+ $nsort = $_sort ? htmlspecialchars( $_sort ) : htmlspecialchars( $sort );
257	258	$exp = urlencode( implode( ',', array_keys( $_expand ) ) );
258	259	return "?filter=$nfilter&sort=$nsort&expand=$exp";
259	260	}

Revision	Commit summary	Author	Date
r69953	MFT r69952 + RELEASE-NOTES	platonides	17:45, 26 July 2010
r69984	* Rewrote r69952, profileinfo.php XSS fix. It was probably safe, but it seeme...	tstarling	02:39, 27 July 2010
r69989	MFT r69952, r69984: profileinfo.php fixes. With release notes.	tstarling	07:56, 27 July 2010

08:40, 27 July 2010 Tim Starling (talk | contribs) changed the tags for r69952 [removed: 1.15]
02:40, 27 July 2010 Tim Starling (talk | contribs) changed the status of r69952 [removed: new added: resolved]
17:45, 26 July 2010 Platonides (talk | contribs) changed the tags for r69952 [added: 1.15]