https://bugzilla.wikimedia.org/show_bug.cgi?id=19646


Brion Vibber <br...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |br...@wikimedia.org

--- Comment #3 from Brion Vibber <br...@wikimedia.org>  2009-07-11 02:28:03 UTC ---
Couple quick notes:

First, the first parameter to wfForbidden() seems to always be the "access
forbidden" message; it's probably cleaner to just call that from the function.
:)

The debug log messages shouldn't be localized; those are internal messages
which should be consistently readable by site administrators in a multilingual
environment so they can debug issues.

With $wgImgAuthDetails on, input filenames are being passed into HTML error
messages without validation or escaping; this is a script injection vuln.
wfMsgHTML() escapes the text of the message, then replaces in your parameters
-- the expectation being that your parameters are formatted HTML such as links.

Also we'd generally want config vars like this defined in DefaultSettings.php
so they can be consistently located.

I'm a little vague on what the hook accomplishes; if meant for alternate file
repository types, it'll fail as we've already dropped out a 403 result due to
the file not existing in $wgUploadDirectory... It looks like the only thing it
could do is reject access to local files which would otherwise have been
allowed.

Probably if alternate source backends are desired here (say, database storage
or a WebDAV storage backend), they'd need their own implementation on the
repository class for checking path validity and doing the output streaming.


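The escaping contract the comment describes, as an added example that is not part of the bug thread or of MediaWiki's code: the message text is HTML-escaped, and then the parameters are substituted in raw, so an unescaped filename passed as a parameter lands in the page as markup. `msgHtml()` below is a hypothetical stand-in modelling the behaviour the comment attributes to wfMsgHTML(), the message table and the attacker-controlled path are constructed for the example, and `forbiddenVulnerable()`/`forbiddenFixed()` are hypothetical helpers, not the patch's wfForbidden().

```php
<?php
// Added example, not MediaWiki's code. Models the contract described in the
// comment: escape the message text, then drop the parameters in unchanged,
// because parameters are expected to already be formatted HTML (e.g. links).

// Constructed message table for the example (not a real MediaWiki message key).
$messages = [
    'img-auth-nofile' => 'Access denied: the file "$1" does not exist.',
];

// Hypothetical stand-in for wfMsgHTML(): escape the text, substitute $1, $2, ...
function msgHtml(array $messages, string $key, string ...$params): string {
    $html = htmlspecialchars($messages[$key], ENT_QUOTES, 'UTF-8');
    // Substitute from the highest index down so "$10" is not eaten by "$1".
    for ($i = count($params); $i >= 1; $i--) {
        $html = str_replace('$' . $i, $params[$i - 1], $html);
    }
    return $html;
}

// Vulnerable: the request path goes straight in as a message parameter, so
// any markup in it is emitted unescaped into the error page.
function forbiddenVulnerable(array $messages, string $path): string {
    return msgHtml($messages, 'img-auth-nofile', $path);
}

// Fixed: the untrusted filename is escaped before it becomes a parameter.
// Only values that are genuinely HTML (a pre-built link) may be passed raw.
function forbiddenFixed(array $messages, string $path): string {
    $safePath = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    return msgHtml($messages, 'img-auth-nofile', $safePath);
}

// Constructed attacker input, in the shape of a PATH_INFO value.
$evil = '/x.png"><script>alert(document.cookie)</script>';

echo forbiddenVulnerable($messages, $evil), "\n"; // <script> reaches the browser
echo forbiddenFixed($messages, $evil), "\n";      // &lt;script&gt;... rendered as text
```

The substitution order matters only once a message has ten or more parameters, but doing it right in the model keeps the demonstration honest; the security-relevant line is the single `htmlspecialchars()` call in `forbiddenFixed()`, applied at the point where request data crosses into the HTML parameter slot.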