r69989 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r69988‎ \| r69989 \| r69990 >
Date:	07:56, 27 July 2010
Author:	tstarling
Status:	ok
Tags:
Comment:	MFT r69952, r69984: profileinfo.php fixes. With release notes.
Modified paths:	/branches/REL1_15/phase3/RELEASE-NOTES (modified) (history) /branches/REL1_15/phase3/profileinfo.php (modified) (history)

Diff [purge]

Index: branches/REL1_15/phase3/profileinfo.php
—	—	@@ -69,7 +69,8 @@
70	70	<?php
71	71
72	72	if (!$wgEnableProfileInfo) {
73		~~- echo "disabled\n";~~
	73	+ echo "<p>Disabled</p>\n";
	74	+ echo "</body></html>";
74	75	exit( 1 );
75	76	}
76	77
—	—	@@ -113,7 +114,7 @@
114	115	else $ex = false;
115	116	if (!$ex) {
116	117	if (count($this->children)) {
117		~~- $url = makeurl(false, false, $expand + array($this->name() => true));~~
	118	+ $url = getEscapedProfileUrl(false, false, $expand + array($this->name() => true));
118	119	$extet = " <a href=\"$url\">[+]</a>";
119	120	} else $extet = '';
120	121	} else {
—	—	@@ -122,7 +123,7 @@
123	124	if ($name != $this->name())
124	125	$e += array($name => $ep);
125	126
126		~~- $extet = " <a href=\"" . makeurl(false, false, $e) . "\">[–]</a>";~~
	127	+ $extet = " <a href=\"" . getEscapedProfileUrl(false, false, $e) . "\">[–]</a>";
127	128	}
128	129	?>
129	130	<tr>
—	—	@@ -244,31 +245,35 @@
245	246
246	247	<table cellspacing="0" border="1">
247	248	<tr id="top">
248		~~-<th><a href="<?php echo makeurl(false, "name") ?>">Name</a></th>~~
249		~~-<th><a href="<?php echo makeurl(false, "time") ?>">Time (%)</a></th>~~
250		~~-<th><a href="<?php echo makeurl(false, "memory") ?>">Memory (%)</a></th>~~
251		~~-<th><a href="<?php echo makeurl(false, "count") ?>">Count</a></th>~~
252		~~-<th><a href="<?php echo makeurl(false, "calls_per_req") ?>">Calls/req</a></th>~~
253		~~-<th><a href="<?php echo makeurl(false, "time_per_call") ?>">ms/call</a></th>~~
254		~~-<th><a href="<?php echo makeurl(false, "memory_per_call") ?>">kb/call</a></th>~~
255		~~-<th><a href="<?php echo makeurl(false, "time_per_req") ?>">ms/req</a></th>~~
256		~~-<th><a href="<?php echo makeurl(false, "memory_per_req") ?>">kb/req</a></th>~~
	249	+<th><a href="<?php echo getEscapedProfileUrl(false, "name") ?>">Name</a></th>
	250	+<th><a href="<?php echo getEscapedProfileUrl(false, "time") ?>">Time (%)</a></th>
	251	+<th><a href="<?php echo getEscapedProfileUrl(false, "memory") ?>">Memory (%)</a></th>
	252	+<th><a href="<?php echo getEscapedProfileUrl(false, "count") ?>">Count</a></th>
	253	+<th><a href="<?php echo getEscapedProfileUrl(false, "calls_per_req") ?>">Calls/req</a></th>
	254	+<th><a href="<?php echo getEscapedProfileUrl(false, "time_per_call") ?>">ms/call</a></th>
	255	+<th><a href="<?php echo getEscapedProfileUrl(false, "memory_per_call") ?>">kb/call</a></th>
	256	+<th><a href="<?php echo getEscapedProfileUrl(false, "time_per_req") ?>">ms/req</a></th>
	257	+<th><a href="<?php echo getEscapedProfileUrl(false, "memory_per_req") ?>">kb/req</a></th>
257	258	</tr>
258	259	<?php
259	260	$totaltime = 0.0;
260	261	$totalcount = 0;
261	262	$totalmemory = 0.0;
262	263
263		~~-function makeurl($_filter = false, $_sort = false, $_expand = false) {~~
	264	+function getEscapedProfileUrl( $_filter = false, $_sort = false, $_expand = false ) {
264	265	global $filter, $sort, $expand;
265	266
266		~~- if ($_expand === false)~~
	267	+ if ( $_expand === false )
267	268	$_expand = $expand;
268	269
269		~~- $nfilter = $_filter ? $_filter : $filter;~~
270		~~- $nsort = $_sort ? $_sort : $sort;~~
271		~~- $exp = urlencode(implode(',', array_keys($_expand)));~~
272		~~- return "?filter=$nfilter&sort=$nsort&expand=$exp";~~
	270	+ return htmlspecialchars(
	271	+ '?' .
	272	+ wfArrayToCGI( array(
	273	+ 'filter' => $_filter ? $_filter : $filter,
	274	+ 'sort' => $_sort ? $_sort : $sort,
	275	+ 'expand' => implode( ',', array_keys( $_expand ) )
	276	+ ) )
	277	+ );
273	278	}
274	279
275	280	$points = array();
Property changes on: branches/REL1_15/phase3/profileinfo.php
___________________________________________________________________
Added: svn:mergeinfo
276	281	Merged /trunk/phase3/profileinfo.php:r48814,48836,48886,48892,48909,48989,48992,49002,49051,49068,49086,49191-49192,49212,49682,49685,49730,49775,49954,49956,49999,50041,50054,50070,50132,50134,50169,50215,50218,50328,50470,50580,51587,54828,58941,69952
Index: branches/REL1_15/phase3/RELEASE-NOTES
—	—	@@ -25,6 +25,8 @@
26	26	same HTTP proxy as a logged-in user.
27	27	* Fixed a minor cookie header parsing issue causing incorrect Cache-Control
28	28	headers to be sent.
	29	+* Fixed an XSS vulnerability in profileinfo.php for installations with
	30	+ $wgEnableProfileInfo = true (false by default)
29	31
30	32	== Changes since 1.15.3 ==
31	33

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r69952	Close the web page when it is disabled....	platonides	17:41, 26 July 2010
r69984	* Rewrote r69952, profileinfo.php XSS fix. It was probably safe, but it seeme...	tstarling	02:39, 27 July 2010

Status & tagging log

12:16, 27 July 2010 Platonides (talk | contribs) changed the status of r69989 [removed: new added: ok]