| Index: branches/wmf/1.17wmf1/includes/User.php |
| — | — | @@ -902,24 +902,25 @@ |
| 903 | 903 | return false; |
| 904 | 904 | } |
| 905 | 905 | |
| 906 | | - $this->mId = $sId; |
| 907 | | - if ( !$this->loadFromId() ) { |
| 908 | | - # Not a valid ID, loadFromId has switched the object to anon for us |
| | 906 | + $proposedUser = User::newFromId( $sId ); |
| | 907 | + if ( !$proposedUser->isLoggedIn() ) { |
| | 908 | + # Not a valid ID |
| | 909 | + $this->loadDefaults(); |
| 909 | 910 | return false; |
| 910 | 911 | } |
| 911 | 912 | |
| 912 | 913 | global $wgBlockDisablesLogin; |
| 913 | | - if( $wgBlockDisablesLogin && $this->isBlocked() ) { |
| | 914 | + if( $wgBlockDisablesLogin && $proposedUser->isBlocked() ) { |
| 914 | 915 | # User blocked and we've disabled blocked user logins |
| 915 | 916 | $this->loadDefaults(); |
| 916 | 917 | return false; |
| 917 | 918 | } |
| 918 | 919 | |
| 919 | 920 | if ( isset( $_SESSION['wsToken'] ) ) { |
| 920 | | - $passwordCorrect = $_SESSION['wsToken'] == $this->mToken; |
| | 921 | + $passwordCorrect = $proposedUser->getToken() === $_SESSION['wsToken']; |
| 921 | 922 | $from = 'session'; |
| 922 | 923 | } else if ( $wgRequest->getCookie( 'Token' ) !== null ) { |
| 923 | | - $passwordCorrect = $this->mToken == $wgRequest->getCookie( 'Token' ); |
| | 924 | + $passwordCorrect = $proposedUser->getToken() === $wgRequest->getCookie( 'Token' ); |
| 924 | 925 | $from = 'cookie'; |
| 925 | 926 | } else { |
| 926 | 927 | # No session or persistent login cookie |
| — | — | @@ -927,7 +928,8 @@ |
| 928 | 929 | return false; |
| 929 | 930 | } |
| 930 | 931 | |
| 931 | | - if ( ( $sName == $this->mName ) && $passwordCorrect ) { |
| | 932 | + if ( ( $sName === $proposedUser->getName() ) && $passwordCorrect ) { |
| | 933 | + $this->loadFromUserObject( $proposedUser ); |
| 932 | 934 | $_SESSION['wsToken'] = $this->mToken; |
| 933 | 935 | wfDebug( "User: logged in from $from\n" ); |
| 934 | 936 | return true; |
| — | — | @@ -940,6 +942,18 @@ |
| 941 | 943 | } |
| 942 | 944 | |
| 943 | 945 | /** |
| | 946 | + * Load the data for this user object from another user object. |
| | 947 | + */ |
| | 948 | + protected function loadFromUserObject( $user ) { |
| | 949 | + $user->load(); |
| | 950 | + $user->loadGroups(); |
| | 951 | + $user->loadOptions(); |
| | 952 | + foreach ( self::$mCacheVars as $var ) { |
| | 953 | + $this->$var = $user->$var; |
| | 954 | + } |
| | 955 | + } |
| | 956 | + |
| | 957 | + /** |
| 944 | 958 | * Load user and user_group data from the database. |
| 945 | 959 | * $this::mId must be set, this is how the user is identified. |
| 946 | 960 | * |
| Property changes on: branches/wmf/1.17wmf1/includes/User.php |
| ___________________________________________________________________ |
| Modified: svn:mergeinfo |
| 947 | 961 | Merged /branches/REL1_17/phase3/includes/User.php:r87483 |
| Index: branches/wmf/1.17wmf1/includes/WebRequest.php |
| — | — | @@ -755,7 +755,7 @@ |
| 756 | 756 | global $wgScriptExtension; |
| 757 | 757 | |
| 758 | 758 | if ( isset( $_SERVER['QUERY_STRING'] ) |
| 759 | | - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| | 759 | + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| 760 | 760 | { |
| 761 | 761 | // Bug 28235 |
| 762 | 762 | // Block only Internet Explorer, and requests with missing UA |
| Property changes on: branches/wmf/1.17wmf1/includes/WebRequest.php |
| ___________________________________________________________________ |
| Modified: svn:mergeinfo |
| 763 | 763 | Merged /branches/REL1_17/phase3/includes/WebRequest.php:r87483 |
| Index: branches/wmf/1.17wmf1/img_auth.php |
| — | — | @@ -39,7 +39,7 @@ |
| 40 | 40 | |
| 41 | 41 | // Check for bug 28235: QUERY_STRING overriding the correct extension |
| 42 | 42 | if ( isset( $_SERVER['QUERY_STRING'] ) |
| 43 | | - && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| | 43 | + && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
| 44 | 44 | { |
| 45 | 45 | wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); |
| 46 | 46 | } |
| Property changes on: branches/wmf/1.17wmf1/img_auth.php |
| ___________________________________________________________________ |
| Modified: svn:mergeinfo |
| 47 | 47 | Merged /branches/REL1_17/phase3/img_auth.php:r87483 |