
api list=deletedrevs errors when drlimit given a float value
Open, Needs Triage · Public


causes an SQL query with a fractional LIMIT. The limit should be better validated before putting into SQL (I already verified you can't do anything evil with this, so it's not a high priority).

Event Timeline

Bawolff created this task. Dec 5 2018, 7:25 AM
Restricted Application added a subscriber: Aklapper. Dec 5 2018, 7:25 AM
Anomie moved this task from Unsorted to Needs Code on the MediaWiki-API board. Dec 5 2018, 3:36 PM
Anomie added a subscriber: Anomie.

In the short term, ApiBase::validateLimit() should probably include $value = (int)$value; at the top.

Longer term, should do it (or should be made to do it if it doesn't already).

It looks like ApiQueryAllRevisions, ApiQueryDeletedRevisions, and ApiQueryRevisions are affected too, BTW.
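
The validation discussed in this task, as an added example that is not MediaWiki code and not part of the original comments: it compares the short-term `(int)` cast with strict integer validation before a value reaches a `LIMIT` clause. The function name `normalizeLimit`, the 1..500 range and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not MediaWiki's ApiBase::validateLimit()): turn a raw
 * request value into an integer that is safe to place after LIMIT.
 */
function normalizeLimit(string $raw, int $min, int $max, bool $strict = true): int
{
    if ($strict) {
        // FILTER_VALIDATE_INT rejects "1.5", "1e3", "abc" and "" outright.
        $value = filter_var($raw, FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("limit must be an integer, got '$raw'");
        }
    } else {
        // Lenient variant: the cast suggested in the comment; "1.5" becomes 1.
        $value = (int)$raw;
    }
    // Clamp so the query never sees a value outside the allowed range.
    return max($min, min($max, $value));
}

// Constructed sample inputs, as they might arrive in a query string.
foreach (['10', '1.5', '1e3', '-4', '99999', 'abc'] as $raw) {
    $lenient = normalizeLimit($raw, 1, 500, false);
    try {
        $strict = (string)normalizeLimit($raw, 1, 500);
    } catch (InvalidArgumentException $e) {
        $strict = 'rejected';
    }
    // Only the normalized integer would ever be interpolated into the statement.
    printf("%-6s lenient: LIMIT %-4d strict: %s\n", $raw, $lenient, $strict);
}
```

The cast silently maps malformed input to some in-range integer, while the strict path surfaces it as a parameter error; either way the SQL layer only ever receives an integer.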