r86697 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r86696‎ \| r86697 \| r86698 >
Date:	10:47, 22 April 2011
Author:	catrope
Status:	resolved (Comments)
Tags:
Comment:	(bug 26603) Followup r82232: fix double-escaping of returnto and returntoquery. Was caused by using two sources ($this->thisurl and $wgRequest) where one was already escaped and the other wasn't, then unconditionally escaping the result.
Modified paths:	/trunk/phase3/includes/SkinTemplate.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/SkinTemplate.php
—	—	@@ -566,10 +566,26 @@
567	567
568	568	/* set up the default links for the personal toolbar */
569	569	$personal_urls = array();
570		~~- $page = $wgRequest->getVal( 'returnto', $this->thisurl );~~
571		~~- $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );~~
572		~~- $returnto = wfArrayToCGI( array( 'returnto' => $page ) );~~
573		~~- if( $this->thisquery != '' ) {~~
	570	+
	571	+ // Get the returnto and returntoquery parameters from the query string
	572	+ // or fall back on $this->thisurl or $this->thisquery
	573	+ // We can't use getVal()'s default value feature here because
	574	+ // stuff from $wgRequest needs to be escaped, but thisurl and thisquery
	575	+ // are already escaped.
	576	+ $page = $wgRequest->getVal( 'returnto' );
	577	+ if ( !is_null( $page ) ) {
	578	+ $page = wfUrlencode( $page );
	579	+ } else {
	580	+ $page = $this->thisurl;
	581	+ }
	582	+ $query = $wgRequest->getVal( 'returntoquery' );
	583	+ if ( !is_null( $query ) ) {
	584	+ $query = wfUrlencode( $query );
	585	+ } else {
	586	+ $query = $this->thisquery;
	587	+ }
	588	+ $returnto = "returnto=$page";
	589	+ if( $query != '' ) {
574	590	$returnto .= "&returntoquery=$query";
575	591	}
576	592	if( $this->loggedin ) {

Revision	Commit summary	Author	Date
r92765	Address fixme on r86697: simplify the code a lot by not escaping thisquery an...	catrope	18:22, 21 July 2011

Revision	Commit summary	Author	Date
r82232	(bug 26603) returnto parameter in login link not escaped when viewed on Speci...	catrope	11:28, 16 February 2011

#Comment by Brion VIBBER (talk | contribs) 00:38, 15 June 2011

It might be easier to not escape thisurl and thisquery in the first place if we're just going to replace them later and escape again...

#Comment by Catrope (talk | contribs) 10:20, 15 June 2011

Maybe, but I was too lazy to track down the other places that use thisurl/thisquery and assume they're escaped.

#Comment by Brion VIBBER (talk | contribs) 16:09, 15 June 2011

That's the only place they're used. :)

#Comment by Catrope (talk | contribs) 18:55, 21 July 2011

Confirmed that with some grepping. Unescaped them in r92765.

17:29, 5 August 2011 😂 (talk | contribs) changed the status of r86697 [removed: new added: resolved]
19:05, 21 July 2011 Catrope (talk | contribs) changed the status of r86697 [removed: fixme added: new]
00:38, 15 June 2011 Brion VIBBER (talk | contribs) changed the status of r86697 [removed: new added: fixme]