r95921 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r95920‎ \| r95921 \| r95922 >
Date:	23:15, 31 August 2011
Author:	johnduhart
Status:	ok (Comments)
Tags:
Comment:	(bug 4381) Magic quotes cleaning is not comprehensive, key strings not unescaped
Modified paths:	/trunk/phase3/RELEASE-NOTES-1.19 (modified) (history) /trunk/phase3/includes/WebRequest.php (modified) (history)

Diff [purge]

Index: trunk/phase3/RELEASE-NOTES-1.19
—	—	@@ -74,6 +74,8 @@
75	75	* (bug 28649) Avoiding half truncated multi-byte unicode characters when
76	76	truncating log comments.
77	77	* Show --batch-size option in help of maintenance scripts that support it
	78	+* (bug 4381) Magic quotes cleaning is not comprehensive, key strings not
	79	+ unescaped
78	80
79	81	=== API changes in 1.19 ===
80	82	* (bug 19838) siprop=interwikimap can now use the interwiki cache.
Index: trunk/phase3/includes/WebRequest.php
—	—	@@ -239,16 +239,21 @@
240	240	* used for undoing the evil that is magic_quotes_gpc.
241	241	*
242	242	* @param $arr array: will be modified
	243	+ * @param $recursion bool Used to modify behaviour based on recursion
243	244	* @return array the original array
244	245	*/
245		~~- private function &fix_magic_quotes( &$arr ) {~~
	246	+ private function &fix_magic_quotes( &$arr, $recursion = false ) {
	247	+ $clean = array();
246	248	foreach( $arr as $key => $val ) {
247	249	if( is_array( $val ) ) {
248		~~- $this->fix_magic_quotes( $arr[$key] );~~
	250	+ $cleanKey = !$recursion ? stripslashes( $key ) : $key;
	251	+ $clean[$cleanKey] = $this->fix_magic_quotes( $arr[$key], true );
249	252	} else {
250		~~- $arr[$key] = stripslashes( $val );~~
	253	+ $cleanKey = stripslashes( $key );
	254	+ $clean[$cleanKey] = stripslashes( $val );
251	255	}
252	256	}
	257	+ $arr = $clean;
253	258	return $arr;
254	259	}
255	260

Revision	Commit summary	Author	Date
r98440	Followup r95921, clearer PHPDoc and better variable names per CR	johnduhart	20:21, 29 September 2011

#Comment by Nikerabbit (talk | contribs) 07:11, 1 September 2011

#Comment by Johnduhart (talk | contribs) 20:38, 7 September 2011

Could you please expand on this? What's wrong with the current implementation? (Keep in mind this is a private function only used once)

#Comment by Nikerabbit (talk | contribs) 07:39, 8 September 2011

Code is written once, but read many times. Currently it is difficult to understand.

Used to modify behaviour

What behavior? And "Used to" is ambiguous construction.

Would it be clearer to swap this condition:

-!$recursion ? stripslashes( $key ) : $key;
+ $recursion ? $key : stripslashes( $key );

Although I still don't understand why the key doesn't need to be stripped always.

Maybe examples and tests could help?

#Comment by Johnduhart (talk | contribs) 14:29, 8 September 2011

It's my understanding that with magic_quotes in PHP5 the non-top level array keys are not escaped. See this comment http://www.php.net/manual/en/function.get-magic-quotes-gpc.php#49612 and the original bug report

I'll fix the other things you brought up.

22:23, 2 November 2011 Aaron Schulz (talk | contribs) changed the status of r95921 [removed: new added: ok]
20:22, 29 September 2011 Johnduhart (talk | contribs) changed the status of r95921 [removed: fixme added: new]
07:11, 1 September 2011 Nikerabbit (talk | contribs) changed the status of r95921 [removed: new added: fixme]