jenkins-bot has submitted this change and it was merged.

Change subject: TopFansByStat: Remove use of strencode()
......................................................................


TopFansByStat: Remove use of strencode()

All valid column names should consist of characters that do not need
to be escaped, so validate the provided column name using a regex,
though there probably should be an explicit whitelist.

Change-Id: I3b17aaf075c9018a8102aeac8b45117f22ed8737
---
M UserStats/TopFansByStat.php
1 file changed, 4 insertions(+), 2 deletions(-)

Approvals:
  Legoktm: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/UserStats/TopFansByStat.php b/UserStats/TopFansByStat.php
index ab7db80..1614669 100644
--- a/UserStats/TopFansByStat.php
+++ b/UserStats/TopFansByStat.php
@@ -37,11 +37,13 @@
 
                $dbr = wfGetDB( DB_SLAVE );
 
-               $statistic = $dbr->strencode( trim( $request->getVal( 'stat' ) 
) );
+               $statistic = trim( $request->getVal( 'stat' ) );
                $column = "stats_{$statistic}";
 
                // Error if the query string value does not match our stat 
column
-               if ( !$dbr->fieldExists( 'user_stats', $column ) ) {
+               if ( !preg_match( '/^stats_[0-9a-z_]{1,58}$/D', $column ) ||
+                       !$dbr->fieldExists( 'user_stats', $column )
+               ) {
                        $out->setPageTitle( $this->msg( 
'top-fans-bad-field-title' )->plain() );
                        $out->addHTML( $this->msg( 'top-fans-bad-field-message' 
)->plain() );
                        return false;
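Review bot: The new `preg_match` guard still lets any column whose name starts with `stats_` be selected by the request, so the check depends entirely on `fieldExists()` to decide which `user_stats` columns are exposed; the commit message already notes that an explicit whitelist would be better, and adding one here (a fixed array of permitted statistic names checked before the regex) would close that gap rather than defer it. The bound `{1,58}` also deserves a comment, since it reads as arbitrary: with the 6-character `stats_` prefix it totals 64, which matches the MySQL identifier limit, e.g. `// 64-char identifier limit minus the 6-char "stats_" prefix`. The `/D` modifier is a good choice, as without it `$` would accept a trailing newline in the column name.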

-- 
To view, visit https://gerrit.wikimedia.org/r/244818
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3b17aaf075c9018a8102aeac8b45117f22ed8737
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/SocialProfile
Gerrit-Branch: master
Gerrit-Owner: PleaseStand <[email protected]>
Gerrit-Reviewer: Jack Phoenix <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: Lewis Cawte <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
