Summary: if for one reason or another a spooky entry exists in table "image" (file with a blank name), the sort function http://server/wiki/index.php?title=Special:ListFiles&sort=img_name&limit=500 throws a FATAL ERROR as explained. This should be fixed for security reasons.
I noticed a buggy behaviour of $IP/includes/specials/SpecialListfiles.php -- only under certain circumstances which require code review:
IF a spooky "file" exists in the database table "image" - in my case this was a consequence from a failed/aborted file upload in a very old REL_1.4 MediaWiki from 2005 ...
THEN when clicking on the page header NAME on the file list on Special:Listfiles because I wanted to change the sort order
I received a reproducible Fatal error: Call to a member function getURL() on a non-object in /.../includes/specials/SpecialListfiles.php on line 138 (MediaWiki 1.15.1)
Fixed this by changing line 138 from
$url = $image->getURL();
to
if ($value !== 0 && $value != '') $url = $image->getURL();
and found the reason: a file in the table with an empty filename (not ok) and 0 Byte (not ok), upload date (ok.), uploader name (ok.)
Summary: if for one reason or another a spooky entry exists in table "image" (file with a blank name), the sort function http://server/wiki/index.php?title=Special:ListFiles&sort=img_name&limit=500 throws a FATAL ERROR as explained. This should be fixed for security reasons.
P.S. I deleted the spooky file by
- manually changing the emtpy filename in the database to a dummy name dummy.jpg
- over-uploading a second file dummy.jpg through the wiki
- deleting the file through the wiki using action=delete
I intentionally assigned 1.16-svn because reviewing the SVN I found that the bug might still be present.
Version: 1.16.x
Severity: major