Fix param validation in ViewEdit

We didn't check if the provided ID was valid. While editing an existing
filter (or creating a new one), we check the ID in SpecialAbuseFilter,
so it's guaranteed to get an integer in ViewEdit, and the case of a
non-existing filter is handled later, in buildFilterEditor.
But for links like Special:AbuseFilter/history/foobarbaz/item/1 (where
"foobarbaz" should be the filter ID), no validation was performed. This
caused a useless query to be carried out on the abuse_filter_history
table (which would likely return false), then accessing properties of a
non-object ('$row->afh_id'), and we ended up showing filter 1. This was
spotted because we actually got notices in production.

Bug: T231632
Change-Id: I6436c7d2df8c1f0fc971f4a4079dac9118aa8209
Daimona Eaytoy 2019-08-28 16:06:33 +02:00
parent fb1864dfa5
commit 933b791ef3

@ -31,6 +31,16 @@ class AbuseFilterViewEdit extends AbuseFilterView {
$out->addHelpLink( 'Extension:AbuseFilter/Rules format' );
$filter = $this->mFilter;
if ( !is_numeric( $filter ) ) {
$out->addHTML(
Xml::tags(
'p',
null,
Html::errorBox( $this->msg( 'abusefilter-edit-badfilter' )->parse() )
)
);
return;
}
$history_id = $this->mHistoryID;
if ( $this->mHistoryID ) {
$dbr = wfGetDB( DB_REPLICA );
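
Review bot: the `!is_numeric( $filter )` guard is looser than the integer ID the commit message expects. PHP's is_numeric() also returns true for strings such as "1.5", "1e3" and "-1", so a URL segment in one of those forms would pass this check and still reach the abuse_filter_history lookup in the `if ( $this->mHistoryID )` branch below. A digits-only test, for example `ctype_digit( (string)$filter )`, or an integer cast compared back against the original string, would match the stated intent more closely. The early return also sits above the mHistoryID branch, so it applies to the plain edit and create paths as well as to history links; please confirm that every value SpecialAbuseFilter hands to this view for those paths is numeric, otherwise they would now show 'abusefilter-edit-badfilter'. A test that requests a history link with a non-numeric filter ID and checks for the error box would keep this from regressing.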