Mglaser has submitted this change and it was merged. Change subject: SECURITY: Don't parse usernames as wikitext ......................................................................
SECURITY: Don't parse usernames as wikitext On Special:PasswordReset, don't parse the username as wikitext since the wikitext is parsed according to the wiki's configuration (might include wgRawHtml), and the wiki may be private. Bug: 65501 Change-Id: Ic3e5d42e1be5acc42ba89ae853c5ecbfec04fa91 --- M includes/specials/SpecialPasswordReset.php 1 file changed, 3 insertions(+), 2 deletions(-) Approvals: Mglaser: Verified; Looks good to me, approved diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php index 082eed0..96cda7a 100644 --- a/includes/specials/SpecialPasswordReset.php +++ b/includes/specials/SpecialPasswordReset.php @@ -210,7 +210,8 @@ $firstUser = $users[0]; if ( !$firstUser instanceof User || !$firstUser->getID() ) { - return array( array( 'nosuchuser', $data['Username'] ) ); + // Don't parse username as wikitext (bug 65501) + return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) ); } // Check against the rate limiter 
@@ -237,7 +238,7 @@ // All the users will have the same email address if ( $firstUser->getEmail() == '' ) { // This won't be reachable from the email route, so safe to expose the username - return array( array( 'noemail', $firstUser->getName() ) ); + return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) ); } // We need to have a valid IP address for the hook, but per bug 18347, we should -- To view, visit https://gerrit.wikimedia.org/r/136133 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ic3e5d42e1be5acc42ba89ae853c5ecbfec04fa91 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
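Review bot: In the `nosuchuser` hunk the one-line comment `// Don't parse username as wikitext (bug 65501)` should say why this matters, otherwise the escape looks like a cosmetic choice that a later cleanup could drop. `$data['Username']` is raw form input from anyone who can reach Special:PasswordReset, and the error message it is fed into is rendered as wikitext under the wiki's own parser settings, so on a wiki with `$wgRawHtml` enabled the username can carry an `<html>` block and land in the response as arbitrary markup. Suggest something like `// $data['Username'] is untrusted form input and this message is parsed as wikitext; escape it (bug 65501)`. `wfEscapeWikiText()` is the right tool on REL1_23; `Message::plaintextParams()`, which would express the intent more directly, only exists from MediaWiki 1.25.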
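Review bot: In the `noemail` hunk the escape of `$firstUser->getName()` is still warranted even though this is a canonical name rather than the raw form value used in the first hunk: usernames are title-valid, so `[]{}|#<>` are already excluded, but `$wgLegalTitleChars` still admits `'`, `*`, `=` and `:`, and a name such as `Bob''s` renders as italics once the message is parsed. The unchanged comment above the line (`This won't be reachable from the email route, so safe to expose the username`) only argues that disclosing the name is acceptable, not that the name is safe wikitext; consider extending it with the same `(bug 65501)` reference the first hunk carries so the two call sites explain themselves consistently.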