https://bugzilla.wikimedia.org/show_bug.cgi?id=26207

--- Comment #12 from Platonides <platoni...@gmail.com> 2011-05-26 21:48:07 UTC ---
You are not doing it in the structured way of placing extensions into files (no
problem, it's easy to add later), but things like
 if( ! isset( $wgMagicalLinkers ) )
are a problem, since they produce a vulnerability if the host is configured with
register_globals.

Also, you should check that MEDIAWIKI is defined before executing anything.

It makes no sense having this line:
$wgMagicalLinkers = array_reverse( $wgMagicalLinkers );

Magical::createPattern() should be lazy-loaded, or done by the function if
there's a function for registering magic words.

Using Xml::escapeTagsOnly is worse than doing no escaping at all.

With no escaping, it looks like an HTML injection vector, but when looking at the
regex it is actually secure (my previous mention of redundant calls to
htmlspecialchars).
http://www.mediawiki.org/wiki/Security_for_developers#Demonstrable_security

Escaping with Xml::escapeTagsOnly, it looks secure, so that would encourage
e.g. changing the regex to a more insecure one since it is escaped, but the
delimiter you use is ' while it escapes for ".

A comment on the $unsafePattern would be appropriate. It's quite clever.

Note that you no longer need to use the x modifier. Also, I would use / instead
of @, as it is more common. The fact that @ has to be escaped in those regexes may
bite some people.

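The following stand-alone PHP script is an added example and is not code from the extension under review or from MediaWiki. It demonstrates the two security points raised in the comment: why an `if ( !isset( $wgMagicalLinkers ) )` default is exploitable under register_globals (and what the MEDIAWIKI entry-point guard buys you), and why escaping only tags and double quotes does not protect an attribute delimited with single quotes. register_globals was removed in PHP 5.4, so it is simulated here by copying request parameters into `$GLOBALS`. The `escapeTagsOnlyLike()` helper is an assumed reimplementation of how `Xml::escapeTagsOnly` behaves (escaping `"`, `<` and `>` only), not the MediaWiki function itself; the request and input values are constructed for the demo.

```php
<?php
/*
 * Added example (not code from the extension or from MediaWiki).
 *   Part 1: the isset() default under register_globals, and the MEDIAWIKI guard.
 *   Part 2: tag-only escaping versus the attribute delimiter actually used.
 */

// --- Part 1: register_globals and the isset() default ----------------------

// Simulates register_globals (removed in PHP 5.4): every request parameter
// becomes a global variable before the extension file runs.
function simulateRegisterGlobals( array $request ) {
    foreach ( $request as $name => $value ) {
        $GLOBALS[$name] = $value;
    }
}

// The pattern the review objects to: keep whatever value already exists,
// so a value planted via the query string survives as "configuration".
function vulnerableDefaults() {
    global $wgMagicalLinkers;
    if ( !isset( $wgMagicalLinkers ) ) {
        $wgMagicalLinkers = array();
    }
    return $wgMagicalLinkers;
}

// Safer pattern: refuse to run outside MediaWiki, then set the default
// unconditionally. Site admins override it in LocalSettings.php after the
// require_once of the extension, so no isset() check is needed.
function saferDefaults() {
    if ( !defined( 'MEDIAWIKI' ) ) {
        return null; // the real file would print a message and exit
    }
    global $wgMagicalLinkers;
    $wgMagicalLinkers = array();
    return $wgMagicalLinkers;
}

// Constructed attacker request: ?wgMagicalLinkers[0][pattern]=...&wgMagicalLinkers[0][html]=...
$constructedRequest = array(
    'wgMagicalLinkers' => array(
        array( 'pattern' => '@x@', 'html' => '<script>alert(1)</script>' ),
    ),
);
simulateRegisterGlobals( $constructedRequest );

// The attacker-supplied array comes back unchanged from the isset() version.
echo "vulnerable default is attacker-controlled: ";
var_dump( vulnerableDefaults() === $constructedRequest['wgMagicalLinkers'] );

// Without MEDIAWIKI defined the guarded version refuses to do anything ...
echo "guarded default outside MediaWiki: ";
var_dump( saferDefaults() );

// ... and once inside MediaWiki it discards the planted value.
define( 'MEDIAWIKI', true );
echo "guarded default inside MediaWiki: ";
var_dump( saferDefaults() );

// --- Part 2: tag-only escaping vs. the attribute delimiter ------------------

// Assumed behaviour of Xml::escapeTagsOnly, reimplemented here: it escapes
// ", < and > but leaves ' alone.
function escapeTagsOnlyLike( $in ) {
    return str_replace( array( '"', '>', '<' ), array( '&quot;', '&gt;', '&lt;' ), $in );
}

// Single-quoted attribute plus an escaper that ignores single quotes: the
// value can close the attribute and add its own.
function renderWithSingleQuotes( $value ) {
    return "<a href='" . escapeTagsOnlyLike( $value ) . "'>link</a>";
}

// ENT_QUOTES escapes both quote styles, so the choice of delimiter no longer matters.
function renderSafely( $value ) {
    return "<a href='" . htmlspecialchars( $value, ENT_QUOTES ) . "'>link</a>";
}

$constructedInput = "x' onmouseover='alert(1)";
echo "tag-only escaping: ", renderWithSingleQuotes( $constructedInput ), "\n";
echo "ENT_QUOTES escaping: ", renderSafely( $constructedInput ), "\n";
```

Run it with `php example.php`. The first part shows the isset() version returning the planted array while the guarded version returns nothing outside MediaWiki and an empty default inside it; the second part shows the tag-only escaper letting an `onmouseover` attribute through while `htmlspecialchars(..., ENT_QUOTES)` neutralises the single quote. This is also the point of the "demonstrable security" link in the comment: an escaping call should make the output visibly safe for the delimiter actually used, rather than give the appearance of safety.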