Authored By
dduvall
Feb 14 2023, 6:12 PM

01-T278365.patch

From f9cb69d8c83935245db3118f068cfafe258830ec Mon Sep 17 00:00:00 2001
From: Dreamy Jazz <dreamyjazzwikipedia@gmail.com>
Date: Sun, 29 Jan 2023 22:55:29 +0000
Subject: [PATCH] SECURITY: Security: Make the target safe before running a
check in the API
Make the target safe by passing it through Title::makeTitleSafe before
running a check in the API. This is needed because the CheckUserLog
will throw an error if a title with unsafe characters is used (such
as the underscore).
Bug: T278365
Change-Id: Iee67d24a1f1bf1e044b95cdb0cf9bd66b44c085a
---
src/Api/ApiQueryCheckUser.php | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/Api/ApiQueryCheckUser.php b/src/Api/ApiQueryCheckUser.php
index 7058786f..dcaa21eb 100644
--- a/src/Api/ApiQueryCheckUser.php
+++ b/src/Api/ApiQueryCheckUser.php
@@ -13,6 +13,7 @@ use MediaWiki\MediaWikiServices;
use MediaWiki\Revision\RevisionLookup;
use MediaWiki\Revision\RevisionRecord;
use MediaWiki\User\UserIdentityLookup;
+use Title;
use Wikimedia\IPUtils;
use Wikimedia\ParamValidator\ParamValidator;
use Wikimedia\ParamValidator\TypeDef\IntegerDef;
@@ -82,6 +83,9 @@ class ApiQueryCheckUser extends ApiQueryBase {
$this->dieWithError( 'apierror-checkuser-timelimit', 'invalidtime' );
}
+ $targetTitle = Title::makeTitleSafe( NS_USER, $target );
+ $target = $targetTitle ? $targetTitle->getText() : '';
+
$commentQuery = $this->commentStore->getJoin( 'cuc_comment' );
$this->addTables( [ 'cu_changes', 'actor_cuc_user' => 'actor' ] );
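Review bot: On L44 an input that `Title::makeTitleSafe()` rejects is silently turned into `''`, so the request does not fail but the check runs against — and, per the commit message, the CheckUserLog records — a target other than the one the caller named, which is the opposite of failing closed. I would reject it explicitly: `if ( !$targetTitle ) { $this->dieWithError( [ 'apierror-badparameter', 'target' ], 'badtarget' ); }` followed by `$target = $targetTitle->getText();` (substituting whichever bad-parameter message key this module already relies on). Note also that `getText()` normalizes the value (underscore to space, first-letter capitalization), which is presumably harmless for usernames but should be confirmed for IPv6 addresses and CIDR ranges against the IP handling further down, since a leading-colon form may not survive title parsing at all. What the rest of the method does with an empty `$target` is outside this hunk, as are the enclosing method's start and end.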
--
2.20.1
