blocked domains: Make sure users can't bypass the list by using uppercase

Added tests too

Bug: T337431
Change-Id: Ie3406d0b3c7d82ba44c11865e493375453555664
Amir Sarabadani 2023-06-16 00:48:05 +02:00
parent 596a36866b
commit 8b67de5bc1
2 changed files with 3 additions and 1 deletions


@ -213,7 +213,8 @@ class FilteredActionsHandler implements
// This saves string search in the large list of blocked domains
// making it much faster.
$domainString = '';
foreach ( array_reverse( explode( '.', $parsedUrl['host'] ) ) as $domainPiece ) {
$domainPieces = array_reverse( explode( '.', strtolower( $parsedUrl['host'] ) ) );
foreach ( $domainPieces as $domainPiece ) {
if ( !$domainString ) {
$domainString = $domainPiece;
} else {
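Review bot: The `strtolower()` added around `$parsedUrl['host']` normalizes ASCII case only, so other spellings of the same host (for example an internationalized name given in Unicode rather than its punycode form) may still miss the blocked list. Whether the host is canonicalized earlier is not visible in this hunk. The change also relies on every entry in the blocked list being stored in lowercase, which is worth stating where the list is built. I would document the intent above the new line, `// Host names are case-insensitive: lowercase before matching against the blocked list.` The enclosing method starts and ends outside the hunk.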


@ -72,6 +72,7 @@ class FilteredActionsHandlerTest extends \MediaWikiIntegrationTestCase {
'blocked domain with parameters' => [ 'https://foo.com?foo=bar', false ],
'blocked domain with path and parameters' => [ 'https://foo.com/foo/?foo=bar', false ],
'blocked domain with port' => [ 'https://foo.com:9000', false ],
'blocked domain as uppercase' => [ 'https://FOO.com', false ],
'unusual protocol' => [ 'ftp://foo.com', false ],
'mailto is special' => [ 'mailto://user@foo.com', false ],
'domain not blocked' => [ 'https://foo.bar.com', true ],
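Review bot: The new row `'blocked domain as uppercase'` covers a single casing variant, with only the second-level label in uppercase. A mixed-case row that also uppercases the TLD would pin the normalization more tightly, e.g. `'blocked domain as mixed case' => [ 'https://Foo.COM', false ],`. A row showing that an allowed host such as `foo.bar.com` stays allowed when written in uppercase would cover the other direction. The data-provider array starts and ends outside the hunk.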