F34481301
T284364.patch
DannyS712
Authored By
DannyS712
Jun 5 2021, 6:28 AM
2021-06-05 06:28:00 (UTC+0)
Size
1 KB
Referenced Files
F34483252: T284364-2.patch
Jun 6 2021, 12:02 PM
2021-06-06 12:02:03 (UTC+0)
From 5cc19be268b545cbbcaa97f7a72f368caeb69b56 Mon Sep 17 00:00:00 2001
From: DannyS712 <dannys712.wiki@gmail.com>
Date: Fri, 4 Jun 2021 23:24:25 -0700
Subject: [PATCH] SECURITY: Avoid database for MediaWiki:Abusefilter-blocker
fallback
If the content language is English and the message is invalid as
a username, or the content language is not English and both the
content language version and the English version are invalid, the
user in FilterUser would not be created - now, avoid the onwiki
version of the English message in the fallback, so it could only
be invalid if the default in the i18n files was invalid.
Bug: T284364
---
includes/FilterUser.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/includes/FilterUser.php b/includes/FilterUser.php
index 031b770c..329544eb 100644
--- a/includes/FilterUser.php
+++ b/includes/FilterUser.php
@@ -51,7 +51,8 @@ class FilterUser {
);
// Use the default name to avoid breaking other stuff. This should have no harm,
// aside from blocks temporarily attributed to another user.
- $defaultName = $this->messageLocalizer->msg( 'abusefilter-blocker' )->inLanguage( 'en' )->text();
+ // Don't use the database in case the English onwiki message is broken, T284364
+ $defaultName = $this->messageLocalizer->msg( 'abusefilter-blocker' )->inLanguage( 'en' )->useDatabase( false )->text();
$user = User::newSystemUser( $defaultName, [ 'steal' => true ] );
}
'@phan-var User $user';
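Review bot: The result of `User::newSystemUser( $defaultName, [ 'steal' => true ] )`, on the line right after the changed assignment, is not checked in the visible lines. If the built-in English default were ever rejected as a username, execution would reach `'@phan-var User $user';` without a user, which is the failure the commit message describes. Suggest throwing or logging explicitly when `$user` is still unset after this fallback, so the residual case fails loudly instead of silently breaking filters. The diffstat shows only includes/FilterUser.php changed, so a regression test that sets an invalid English onwiki MediaWiki:Abusefilter-blocker and asserts that a usable filter user is returned would be worth adding. The new assignment is also very long and could be split across the chained calls.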
--
2.28.0.windows.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9090307
Default Alt Text
T284364.patch (1 KB)
Attached To
Mode
T284364: Bad english MediaWiki:Abusefilter-blocker breaks filters (CVE-2021-36126)
Attached
Event Timeline
DannyS712
added a comment.
Jun 6 2021, 12:02 PM
2021-06-06 12:02:03 (UTC+0)
Superseded by
F34483252