r84313 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r84312‎ | r84313 | r84314 >
Date:06:32, 19 March 2011
Author:neilk
Status:deferred (Comments)
Tags:
Comment:
fix bug 26209 - disallow colons in filenames. Also trap every case where we might get an unparseable filename, from local filesystem or from API results.
Modified paths:
  • /trunk/extensions/UploadWizard/UploadWizard.i18n.php (modified) (history)
  • /trunk/extensions/UploadWizard/UploadWizardHooks.php (modified) (history)
  • /trunk/extensions/UploadWizard/resources/mw.UploadWizard.js (modified) (history)
  • /trunk/extensions/UploadWizard/resources/mw.UploadWizardDetails.js (modified) (history)
  • /trunk/extensions/UploadWizard/resources/mw.UploadWizardUploadInterface.js (modified) (history)


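--- a/trunk/extensions/UploadWizard/UploadWizardHooks.php
+++ b/trunk/extensions/UploadWizard/UploadWizardHooks.php
@@ -266,7 +266,8 @@
  'mwe-upwiz-thanks-caption',
  'mwe-upwiz-help-popup',
  'mwe-upwiz-help-popup-title',
- 'mwe-upwiz-thumbnail-failed'
+ 'mwe-upwiz-thumbnail-failed',
+ 'mwe-upwiz-unparseable-filename'
  ),
  'group' => 'ext.uploadWizard'
  ),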
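--- a/trunk/extensions/UploadWizard/UploadWizard.i18n.php
+++ b/trunk/extensions/UploadWizard/UploadWizard.i18n.php
@@ -211,8 +211,8 @@
  'mwe-upwiz-thanks-caption' => 'Add caption here',
  'mwe-upwiz-help-popup' => 'Help',
  'mwe-upwiz-help-popup-title' => 'Title',
- 'mwe-upwiz-thumbnail-failed' => 'The upload succeeded, but the server could not get a preview thumbnail'
-
+ 'mwe-upwiz-thumbnail-failed' => 'The upload succeeded, but the server could not get a preview thumbnail',
+ 'mwe-upwiz-unparseable-filename' => 'Could not understand the file name "$1"'
 
  );
 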
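--- a/trunk/extensions/UploadWizard/resources/mw.UploadWizardUploadInterface.js
+++ b/trunk/extensions/UploadWizard/resources/mw.UploadWizardUploadInterface.js
@@ -290,7 +290,22 @@
  // visible filename
  $j( _this.form ).find( '.mwe-upwiz-visible-file-filename-text' ).html( path );
 
- _this.upload.title = new mw.Title( mw.UploadWizardUtil.getBasename( path ), 'file' );
+ var filename = mw.UploadWizardUtil.getBasename( path );
+ try {
+ _this.upload.title = new mw.Title( filename, 'file' );
+ } catch ( e ) {
+ $( '<div>' )
+ .msg( 'mwe-upwiz-unparseable-filename', filename )
+ .dialog({
+ width: 500,
+ zIndex: 200000,
+ autoOpen: true,
+ modal: true
+ });
+ _this.$fileInputCtrl.val();
+ return;
+ }
+
  $j( _this.filenameCtrl ).val( _this.upload.title.getMain() );
 
  if ( ! _this.isFilled ) {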
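Review bot: In the new `catch` block, `_this.$fileInputCtrl.val();` only reads the input's value and discards it, so the rejected file stays selected; if the intent is to reset the control it should be `_this.$fileInputCtrl.val( '' );`. The context line above the `try` has already written `path` into `.mwe-upwiz-visible-file-filename-text` with `.html( path )`, so the unparseable name remains displayed after the early `return`; because `path` is a user-chosen filename, `.text( path )` would keep it from being interpreted as markup. Whether `.msg()` escapes the `filename` parameter is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.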
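--- a/trunk/extensions/UploadWizard/resources/mw.UploadWizard.js
+++ b/trunk/extensions/UploadWizard/resources/mw.UploadWizard.js
@@ -97,12 +97,24 @@
  return;
  }
 
+ // default error state
+ var code = 'unknown';
+ var info = 'unknown';
+
  if ( result.upload && result.upload.warnings && result.upload.warnings.exists ) {
- var fileTitle = new mw.Title( result.upload.warnings.exists, 'file' ).toString();
- var fileUri = new mw.Uri( document.URL );
- fileUri.path = wgScript;
- fileUri.query = { title: fileTitle, action: 'view' };
- _this.setError( 'duplicate', fileUri.toString() );
+ var duplicateName = result.upload.warnings.exists;
+ try {
+ var fileTitle = new mw.Title( duplicateName, 'file' ).toString();
+ var fileUri = new mw.Uri( document.URL );
+ fileUri.path = wgScript;
+ fileUri.query = { title: fileTitle, action: 'view' };
+ code = 'duplicate';
+ info = fileUri.toString();
+ } catch ( e ) {
+ code = 'unknown';
+ info = 'Warned about duplicate but filename is unparseable: "' + duplicateName + "'";
+ }
+ _this.setError( code, info );
  } else if ( result.upload && result.upload.result === 'Success' ) {
  if ( result.upload.imageinfo ) {
  // success
@@ -127,8 +139,6 @@
  _this.setError( 'noimageinfo' );
  }
  } else {
- var code = 'unknown';
- var info = 'unknown';
  if ( result.error ) {
  if ( result.error.code ) {
  code = result.error.code;
@@ -147,11 +157,16 @@
  * Called when the file is entered into the file input
  * Get as much data as possible -- maybe exif, even thumbnail maybe
  */
- extractLocalFileInfo: function( localFilename ) {
+ extractLocalFileInfo: function( filename ) {
  if ( false ) { // FileAPI, one day
  this.transportWeight = getFileSize();
  }
- this.title = new mw.Title( mw.UploadWizardUtil.getBasename( localFilename ), 'file' );
+ // XXX sanitize filename
+ try {
+ this.title = new mw.Title( mw.UploadWizardUtil.getBasename( filename ).replace( /:/g, '_' ), 'file' );
+ } catch ( e ) {
+ this.setError( 'mwe-upwiz-unparseable-filename', filename );
+ }
  },
 
  /**
@@ -188,6 +203,7 @@
  }
 
  if ( _this.title.getExtension() === null ) {
+ 1;
  // TODO v1.1 what if we don't have an extension? Should be impossible as it is currently impossible to upload without extension, but you
  // never know... theoretically there is no restriction on extensions if we are uploading to the stash, but the check is performed anyway.
  /*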
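Review bot: In `extractLocalFileInfo`, the new `catch` calls `this.setError(...)` but leaves `this.title` unassigned, so the last hunk's context line `_this.title.getExtension()` would throw if that code is still reached and no title was set earlier; returning a failure indicator or guarding the later access would close that gap. The call also passes the message key `'mwe-upwiz-unparseable-filename'` as the first argument where the other visible calls pass codes such as `'duplicate'` or `'noimageinfo'`, so confirm `setError` handles a message key there. In the first hunk the fallback string opens its quotation with `"` and closes it with `'`, and `duplicateName` comes from the API response, so whatever renders `info` should treat it as text rather than markup. The bare `1;` added in the last hunk looks like a debugging leftover. The enclosing functions all extend beyond their hunks.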
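--- a/trunk/extensions/UploadWizard/resources/mw.UploadWizardDetails.js
+++ b/trunk/extensions/UploadWizard/resources/mw.UploadWizardDetails.js
@@ -316,7 +316,14 @@
  $j( _this.titleInput ).data( 'valid', false );
 
  // result is NOT unique
- var title = new mw.Title( result.title ).setNamespace( 'file' ).getNameText();
+ var title;
+ try {
+ title = new mw.Title( result.title ).setNamespace( 'file' ).getNameText();
+ } catch ( e ) {
+ // unparseable result from unique test?
+ title = '[unparseable name]';
+ }
+
  /* var img = result.img;
  var href = result.href; */
 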
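Review bot: The `catch` substitutes the hard-coded English string `'[unparseable name]'` and discards both the exception and `result.title`, so this case can be neither translated nor diagnosed afterwards. This commit already adds the message `mwe-upwiz-unparseable-filename`; using it here with `result.title` as its parameter would keep the wording localisable, assuming the consumer of `title` (outside this hunk) accepts a display string. Since `result.title` comes from an API response, it should be inserted as text rather than markup wherever it ends up. The enclosing function starts and ends outside the hunk.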

Comments

#Comment by Bryan (talk | contribs)   09:16, 19 March 2011

The normal behaviour of MediaWiki is to replace colons with dashes instead of underscores. See wfStripIllegalFilenameChars()
