T284364.patch
DannyS712
Actions

Authored By

	DannyS712
	Jun 5 2021, 6:28 AM

Size

1 KB

Referenced Files

	F34483252: T284364-2.patch
	Jun 6 2021, 12:02 PM

Subscribers

None

T284364.patch
View Options

	From 5cc19be268b545cbbcaa97f7a72f368caeb69b56 Mon Sep 17 00:00:00 2001
	From: DannyS712 <dannys712.wiki@gmail.com>
	Date: Fri, 4 Jun 2021 23:24:25 -0700
	Subject: [PATCH] SECURITY: Avoid database for MediaWiki:Abusefilter-blocker
	fallback

	If the content language is English and the message is invalid as
	a username, or the content language is not English and both the
	content language version and the English version are invalid, the
	user in FilterUser would not be created - now, avoid the onwiki
	version of the English message in the fallback, so it could only
	be invalid if the default in the i18n files was invalid.

	Bug: T284364
	---
	includes/FilterUser.php \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	diff --git a/includes/FilterUser.php b/includes/FilterUser.php
	index 031b770c..329544eb 100644
	--- a/includes/FilterUser.php
	+++ b/includes/FilterUser.php
	@@ -51,7 +51,8 @@ class FilterUser {
	);
	// Use the default name to avoid breaking other stuff. This should have no harm,
	// aside from blocks temporarily attributed to another user.
	- $defaultName = $this->messageLocalizer->msg( 'abusefilter-blocker' )->inLanguage( 'en' )->text();
	+ // Don't use the database in case the English onwiki message is broken, T284364
	+ $defaultName = $this->messageLocalizer->msg( 'abusefilter-blocker' )->inLanguage( 'en' )->useDatabase( false )->text();
	$user = User::newSystemUser( $defaultName, [ 'steal' => true ] );
	}
	'@phan-var User $user';
	--
	2.28.0.windows.1

Attached To	Mode
T284364: Bad english MediaWiki:Abusefilter-blocker breaks filters (CVE-2021-36126)	Attached	Detach File

Superseded by F34483252