Page MenuHomePhabricator

T284364-2.patch

Authored By
DannyS712
Jun 6 2021, 12:00 PM
Size
1 KB
Referenced Files
None
Subscribers
None

T284364-2.patch

From 3581719f9fe64c526eac4252081ae99a5b496700 Mon Sep 17 00:00:00 2001
From: DannyS712 <dannys712.wiki@gmail.com>
Date: Sun, 6 Jun 2021 04:58:31 -0700
Subject: [PATCH] SECURITY: Avoid database for MediaWiki:Abusefilter-blocker
fallback
If the content language is English and the message is invalid as
a username, or the content language is not English and both the
content language version and the English version are invalid, the
user in FilterUser would not be created - now, avoid the onwiki
version of the English message in the fallback, so it could only
be invalid if the default in the i18n files was invalid.
Bug: T284364
---
includes/FilterUser.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/FilterUser.php b/includes/FilterUser.php
index 031b770c..8a14e72a 100644
--- a/includes/FilterUser.php
+++ b/includes/FilterUser.php
@@ -51,7 +51,11 @@ class FilterUser {
);
// Use the default name to avoid breaking other stuff. This should have no harm,
// aside from blocks temporarily attributed to another user.
- $defaultName = $this->messageLocalizer->msg( 'abusefilter-blocker' )->inLanguage( 'en' )->text();
+ // Don't use the database in case the English onwiki message is broken, T284364
+ $defaultName = $this->messageLocalizer->msg( 'abusefilter-blocker' )
+ ->inLanguage( 'en' )
+ ->useDatabase( false )
+ ->text();
$user = User::newSystemUser( $defaultName, [ 'steal' => true ] );
}
'@phan-var User $user';
--
2.28.0.windows.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9091665
Default Alt Text
T284364-2.patch (1 KB)

Event Timeline