r81335 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81334‎ \| r81335 \| r81336 >
Date:	22:43, 1 February 2011
Author:	tstarling
Status:	ok (Comments)
Tags:
Comment:	(bug 27094) fix path traversal vulnerability
Modified paths:	/trunk/phase3/includes/StubObject.php (modified) (history) /trunk/phase3/languages/Language.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/StubObject.php
—	—	@@ -152,7 +152,7 @@
153	153	$code = strtolower( $code );
154	154
155	155	# Validate $code
156		~~- if( empty( $code ) \|\| !preg_match( '/^[a-z-]+$/', $code ) \|\| ( $code === 'qqq' ) ) {~~
	156	+ if( empty( $code ) \|\| !Language::isValidCode( $code ) \|\| ( $code === 'qqq' ) ) {
157	157	wfDebug( "Invalid user language code\n" );
158	158	$code = $wgLanguageCode;
159	159	}
Index: trunk/phase3/languages/Language.php
—	—	@@ -154,6 +154,14 @@
155	155	protected static function newFromCode( $code ) {
156	156	global $IP;
157	157	static $recursionLevel = 0;
	158	+
	159	+ // Protect against path traversal below
	160	+ if ( !Language::isValidCode( $code )
	161	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	162	+ {
	163	+ throw new MWException( "Invalid language code \"$code\"" );
	164	+ }
	165	+
158	166	if ( $code == 'en' ) {
159	167	$class = 'Language';
160	168	} else {
—	—	@@ -184,6 +192,14 @@
185	193	}
186	194
187	195	/**
	196	+ * Returns true if a language code string is of a valid form, whether or
	197	+ * not it exists.
	198	+ */
	199	+ public static function isValidCode( $code ) {
	200	+ return (bool)preg_match( '/^[a-z-]+$/', $code );
	201	+ }
	202	+
	203	+ /**
188	204	* Get the LocalisationCache instance
189	205	*/
190	206	public static function getLocalisationCache() {
—	—	@@ -2812,6 +2828,13 @@
2813	2829	* @return string $prefix . $mangledCode . $suffix
2814	2830	*/
2815	2831	static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
	2832	+ // Protect against path traversal
	2833	+ if ( !Language::isValidCode( $code )
	2834	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	2835	+ {
	2836	+ throw new MWException( "Invalid language code \"$code\"" );
	2837	+ }
	2838	+
2816	2839	return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
2817	2840	}
2818	2841

Follow-up revisions

Revision	Commit summary	Author	Date
r81336	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011
r81337	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011
r81338	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011
r81576	Avoid code duplication for Language::isValidCode...	hashar	22:55, 5 February 2011

Comments

#Comment by Hashar (talk | contribs) 10:47, 2 February 2011

Please note Language::isValidCode() implementation was changed with r81340. See CR there.

Status & tagging log

22:17, 15 April 2011 Reedy (talk | contribs) changed the status of r81335 [removed: new added: ok]