Page MenuHomePhabricator
Files F12773781

Patch for T185652
No One
Actions

Authored By
Mainframe98
Jan 24 2018, 7:58 PM
Size
1 KB
Referenced Files
None
Subscribers
None

Patch for T185652
View Options

From 7f97484dafd8e70b73ee1e1b1767399f2cd5a3e6 Mon Sep 17 00:00:00 2001
From: mainframe98 <k.s.werf@hotmail.com>
Date: Wed, 24 Jan 2018 20:51:34 +0100
Subject: [PATCH] SECURITY: Don't query API with format=php
This requires unserialization of potentially unsafe php code,
which is dangerous, even if the source is trusted.
Because the default configuration does not use https when
querying the API, this causes a security vulnerability.
Bug: T185652
---
AutoProxyBlock.body.php | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/AutoProxyBlock.body.php b/AutoProxyBlock.body.php
index 115df1d..9f2e307 100644
--- a/AutoProxyBlock.body.php
+++ b/AutoProxyBlock.body.php
@@ -112,12 +112,12 @@ class AutoProxyBlock {
}
static function requestForeignAPI( $url, $options ) {
- $url .= '?format=php';
- foreach($options as $param => $value) {
+ $url .= '?format=json';
+ foreach( $options as $param => $value ) {
$url .= '&'.$param.'='.$value;
}
- $content = Http::get($url);
- return unserialize($content);
+ $content = Http::get( $url );
+ return json_decode( $content );
}
}
--
2.16.0.windows.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5434270
Default Alt Text
Patch for T185652 (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL