http://www.mediawiki.org/wiki/Special:Code/MediaWiki/56429

Revision: 56429
Author:   brion
Date:     2009-09-16 18:42:58 +0000 (Wed, 16 Sep 2009)

Log Message:
-----------
Security fix: validate $oldid input parameter and escape it on output when 
generating JavaScript code to put into HTML fragments in AJAX responses

Modified Paths:
--------------
    trunk/extensions/Collection/Collection.hooks.php
    trunk/extensions/Collection/Collection.php

Modified: trunk/extensions/Collection/Collection.hooks.php
===================================================================
--- trunk/extensions/Collection/Collection.hooks.php    2009-09-16 18:27:43 UTC 
(rev 56428)
+++ trunk/extensions/Collection/Collection.hooks.php    2009-09-16 18:42:58 UTC 
(rev 56429)
@@ -400,14 +400,16 @@
                                $captionMsg = 'coll-add_this_page';
                                $tooltipMsg = 'coll-add_page_tooltip';
                                $query = array( 'bookcmd' => 'add_article', 
'arttitle' => $ptext, 'oldid' => $oldid );
-                               $onclick = "collectionCall('AddArticle', 
['removearticle', wgNamespaceNumber, wgTitle, $oldid]); return false;";
+                               $onclick = "collectionCall('AddArticle', 
['removearticle', wgNamespaceNumber, wgTitle, " .
+                                       Xml::encodeJsVar( $oldid ) . "]); 
return false;";
                        } else {
                                $id = 'coll-remove_article';
                                $icon = 'silk-remove.png';
                                $captionMsg = 'coll-remove_this_page';
                                $tooltipMsg = 'coll-remove_page_tooltip';
                                $query = array( 'bookcmd' => 'remove_article', 
'arttitle' => $ptext, 'oldid' => $oldid );
-                               $onclick = "collectionCall('RemoveArticle', 
['addarticle', wgNamespaceNumber, wgTitle, $oldid]); return false;";
+                               $onclick = "collectionCall('RemoveArticle', 
['addarticle', wgNamespaceNumber, wgTitle, " .
+                                       Xml::encodeJsVar( $oldid ) . "]); 
return false;";
                        }
                }
 
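Review bot: The `$query` array built just above each `$onclick` (`'oldid' => $oldid`) still receives the raw `$oldid`; only the JavaScript fragment is now passed through `Xml::encodeJsVar`, and since this function's entry point lies outside the hunk, callers other than the AJAX wrapper in Collection.php may still hand in an unvalidated value. Normalising once at the top of getBookCreatorBoxContent, e.g. `$oldid = ( $oldid === null ) ? null : intval( $oldid );`, would cover both the query array and the onclick regardless of caller. Whether `$onclick` is later attribute-escaped when written into an HTML `onclick` attribute is not visible here; if it is interpolated directly, the quoting produced by `Xml::encodeJsVar` for string input would still need `htmlspecialchars` at that point. The enclosing function starts before and ends after this hunk.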

Modified: trunk/extensions/Collection/Collection.php
===================================================================
--- trunk/extensions/Collection/Collection.php  2009-09-16 18:27:43 UTC (rev 
56428)
+++ trunk/extensions/Collection/Collection.php  2009-09-16 18:42:58 UTC (rev 
56429)
@@ -207,6 +207,9 @@
 $wgAjaxExportList[] = 'wfAjaxCollectionAddCategory';
 
 function wfAjaxCollectionGetBookCreatorBoxContent( $ajaxHint='', $oldid=null ) 
{
+       if( !is_null( $oldid ) ) {
+               $oldid = intval( $oldid );
+       }
        return CollectionHooks::getBookCreatorBoxContent( $ajaxHint, $oldid );
 }
 
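Review bot: `intval( $oldid )` in the added guard silently maps any non-numeric input to 0 instead of rejecting it, so a malformed AJAX argument reaches getBookCreatorBoxContent as revision 0; if 0 is not a meaningful revision id there, treating non-digit input as null is the safer boundary check, e.g. `$oldid = ( $oldid === null || !ctype_digit( (string)$oldid ) ) ? null : intval( $oldid );`. The `$ajaxHint` argument is passed through unchanged; whether it needs comparable treatment depends on how getBookCreatorBoxContent uses it, which is outside this hunk. As a point of style, `$oldid !== null` reads more directly than `!is_null( $oldid )`.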


