Authored By
Bawolff
Sep 29 2023, 4:31 PM
Size
1 KB
Referenced Files
None
Subscribers
None

T347726.patch

From e80741975a155d22dba798500f7480c567b9a0e6 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Fri, 29 Sep 2023 09:29:25 -0700
Subject: [PATCH] SECURITY: Ensure group name is escaped in user rights log
This fixes issue where group-*-member messages are output with
incorrect escaping.
Bug: T347726
Change-Id: Ib9f77a7c0c90c3f12c4bc543f585afda80281356
---
includes/logging/RightsLogFormatter.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/logging/RightsLogFormatter.php b/includes/logging/RightsLogFormatter.php
index 95f9a24fb96..45893dca4d9 100644
--- a/includes/logging/RightsLogFormatter.php
+++ b/includes/logging/RightsLogFormatter.php
@@ -146,7 +146,7 @@ class RightsLogFormatter extends LogFormatter {
$expiryFormatted, $expiryFormattedD, $expiryFormattedT )->parse();
} else {
// the right does not expire; just insert the group name
- $permList[] = $group;
+ $permList[] = htmlspecialchars( $group );
}
next( $groups );
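Review bot: In the else branch (the non-expiring case) the inline comment still reads "just insert the group name", which no longer explains why htmlspecialchars() is there; update it to say that $group holds the group-*-member message text named in the commit message and is escaped because the list is emitted as HTML. The expiring branch just above ends in ->parse(), and the hunk does not show how $group is handed to that message, so please confirm it is passed as an ordinary parameter that gets escaped rather than as a raw one, so that both branches behave the same. The diffstat shows only RightsLogFormatter.php changing; a regression test that feeds a group-*-member message containing HTML metacharacters through the formatter would stop this from silently coming back.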
--
2.30.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11512915
Default Alt Text
T347726.patch (1 KB)
