r81336 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r81335‎ \| r81336 \| r81337 >
Date:	22:44, 1 February 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	(bug 27094) fix path traversal vulnerability
Modified paths:	/branches/REL1_17/phase3/includes/StubObject.php (modified) (history) /branches/REL1_17/phase3/languages/Language.php (modified) (history)

Diff [purge]

Index: branches/REL1_17/phase3/includes/StubObject.php
—	—	@@ -152,7 +152,7 @@
153	153	$code = strtolower( $code );
154	154
155	155	# Validate $code
156		~~- if( empty( $code ) \|\| !preg_match( '/^[a-z-]+$/', $code ) \|\| ( $code === 'qqq' ) ) {~~
	156	+ if( empty( $code ) \|\| !Language::isValidCode( $code ) \|\| ( $code === 'qqq' ) ) {
157	157	wfDebug( "Invalid user language code\n" );
158	158	$code = $wgLanguageCode;
159	159	}
Index: branches/REL1_17/phase3/languages/Language.php
—	—	@@ -150,6 +150,14 @@
151	151	protected static function newFromCode( $code ) {
152	152	global $IP;
153	153	static $recursionLevel = 0;
	154	+
	155	+ // Protect against path traversal below
	156	+ if ( !Language::isValidCode( $code )
	157	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	158	+ {
	159	+ throw new MWException( "Invalid language code \"$code\"" );
	160	+ }
	161	+
154	162	if ( $code == 'en' ) {
155	163	$class = 'Language';
156	164	} else {
—	—	@@ -180,6 +188,14 @@
181	189	}
182	190
183	191	/**
	192	+ * Returns true if a language code string is of a valid form, whether or
	193	+ * not it exists.
	194	+ */
	195	+ public static function isValidCode( $code ) {
	196	+ return (bool)preg_match( '/^[a-z-]+$/', $code );
	197	+ }
	198	+
	199	+ /**
184	200	* Get the LocalisationCache instance
185	201	*/
186	202	public static function getLocalisationCache() {
—	—	@@ -2789,6 +2805,13 @@
2790	2806	* @return string $prefix . $mangledCode . $suffix
2791	2807	*/
2792	2808	static function getFileName( $prefix = 'Language', $code, $suffix = '.php' ) {
	2809	+ // Protect against path traversal
	2810	+ if ( !Language::isValidCode( $code )
	2811	+ \|\| strcspn( $code, "/\\\000" ) !== strlen( $code ) )
	2812	+ {
	2813	+ throw new MWException( "Invalid language code \"$code\"" );
	2814	+ }
	2815	+
2793	2816	return $prefix . str_replace( '-', '_', ucfirst( $code ) ) . $suffix;
2794	2817	}
2795	2818

Follow-up revisions

Revision	Commit summary	Author	Date
r81337	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011
r81338	(bug 27094) fix path traversal vulnerability	tstarling	22:44, 1 February 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r81335	(bug 27094) fix path traversal vulnerability	tstarling	22:43, 1 February 2011

Status & tagging log

22:52, 2 March 2011 Reedy (talk | contribs) changed the status of r81336 [removed: new added: ok]