| Index: branches/REL1_17/phase3/images/.htaccess |
| — | — | @@ -1,6 +1,6 @@ |
| 2 | 2 | # Protect against bug 28235 |
| 3 | 3 | <IfModule rewrite_module> |
| 4 | 4 | RewriteEngine On |
| 5 | | - RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase] |
| | 5 | + RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase] |
| 6 | 6 | RewriteRule . - [forbidden] |
| 7 | 7 | </IfModule> |
| Index: branches/REL1_17/phase3/includes/User.php |
| — | — | @@ -905,24 +905,25 @@ |
| 906 | 906 | return false; |
| 907 | 907 | } |
| 908 | 908 | |
| 909 | | - $this->mId = $sId; |
| 910 | | - if ( !$this->loadFromId() ) { |
| 911 | | - # Not a valid ID, loadFromId has switched the object to anon for us |
| | 909 | + $proposedUser = User::newFromId( $sId ); |
| | 910 | + if ( !$proposedUser->isLoggedIn() ) { |
| | 911 | + # Not a valid ID |
| | 912 | + $this->loadDefaults(); |
| 912 | 913 | return false; |
| 913 | 914 | } |
| 914 | 915 | |
| 915 | 916 | global $wgBlockDisablesLogin; |
| 916 | | - if( $wgBlockDisablesLogin && $this->isBlocked() ) { |
| | 917 | + if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) { |
| 917 | 918 | # User blocked and we've disabled blocked user logins |
| 918 | 919 | $this->loadDefaults(); |
| 919 | 920 | return false; |
| 920 | 921 | } |
| 921 | 922 | |
| 922 | 923 | if ( isset( $_SESSION['wsToken'] ) ) { |
| 923 | | - $passwordCorrect = $_SESSION['wsToken'] == $this->mToken; |
| | 924 | + $passwordCorrect = $proposedUser->getToken() === $_SESSION['wsToken']; |
| 924 | 925 | $from = 'session'; |
| 925 | 926 | } else if ( $wgRequest->getCookie( 'Token' ) !== null ) { |
| 926 | | - $passwordCorrect = $this->mToken == $wgRequest->getCookie( 'Token' ); |
| | 927 | + $passwordCorrect = $proposedUser->getToken() === $wgRequest->getCookie( 'Token' ); |
| 927 | 928 | $from = 'cookie'; |
| 928 | 929 | } else { |
| 929 | 930 | # No session or persistent login cookie |
| — | — | @@ -930,7 +931,8 @@ |
| 931 | 932 | return false; |
| 932 | 933 | } |
| 933 | 934 | |
| 934 | | - if ( ( $sName == $this->mName ) && $passwordCorrect ) { |
| | 935 | + if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) { |
| | 936 | + $this->loadFromUserObject( $proposedUser ); |
| 935 | 937 | $_SESSION['wsToken'] = $this->mToken; |
| 936 | 938 | wfDebug( "User: logged in from $from\n" ); |
| 937 | 939 | return true; |
| — | — | @@ -943,6 +945,18 @@ |
| 944 | 946 | } |
| 945 | 947 | |
| 946 | 948 | /** |
| | 949 | + * Load the data for this user object from another user object. |
| | 950 | + */ |
| | 951 | + protected function loadFromUserObject( $user ) { |
| | 952 | + $user->load(); |
| | 953 | + $user->loadGroups(); |
| | 954 | + $user->loadOptions(); |
| | 955 | + foreach ( self::$mCacheVars as $var ) { |
| | 956 | + $this->$var = $user->$var; |
| | 957 | + } |
| | 958 | + } |
| | 959 | + |
| | 960 | + /** |
| 947 | 961 | * Load user and user_group data from the database. |
| 948 | 962 | * $this::mId must be set, this is how the user is identified. |
| 949 | 963 | * |
| Index: branches/REL1_17/phase3/includes/WebRequest.php |
| — | — | @@ -755,7 +755,7 @@ |
| 756 | 756 | global $wgScriptExtension; |
| 757 | 757 | |
| 758 | 758 | if ( isset( $_SERVER['QUERY_STRING'] ) |
| 759 | | - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| | 759 | + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| 760 | 760 | { |
| 761 | 761 | // Bug 28235 |
| 762 | 762 | // Block only Internet Explorer, and requests with missing UA |
| Index: branches/REL1_17/phase3/img_auth.php |
| — | — | @@ -39,7 +39,7 @@ |
| 40 | 40 | |
| 41 | 41 | // Check for bug 28235: QUERY_STRING overriding the correct extension |
| 42 | 42 | if ( isset( $_SERVER['QUERY_STRING'] ) |
| 43 | | - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| | 43 | + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| 44 | 44 | { |
| 45 | 45 | wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); |
| 46 | 46 | } |