[MediaWiki-commits] [Gerrit] mediawiki/core[master]: Log when Message::__toString has an unexpected format

Fri, 23 Sep 2016 08:18:51 -0700 

jenkins-bot has submitted this change and it was merged.

Change subject: Log when Message::__toString has an unexpected format
......................................................................


Log when Message::__toString has an unexpected format

Message formatting methods have a side effect on how string conversion
will work, which is a security problem waiting to happen:

    $msg = new Message( 'foo' );
    echo $msg; // parsed
    echo $msg->plain();
    echo $msg; // not parsed

This change logs Message -> string transformations which are
affected by a prior call in this way. The behavior will be removed
in a later patch (possibly replaced by something more explicit
if it turns out that something depends on it).

Bug: T146416
Change-Id: Id51cf6a5a937bc41a914f317e980ef42e4d385fb
---
M includes/Message.php
1 file changed, 6 insertions(+), 0 deletions(-)

Approvals:
  Anomie: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/Message.php b/includes/Message.php
index c2c954a..c1a12aa 100644
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -852,6 +852,12 @@
         * @return string
         */
        public function __toString() {
+               if ( $this->format !== 'parse' ) {
+                       $ex = new LogicException( __METHOD__ . ' using implicit 
format: ' . $this->format );
+                       \MediaWiki\Logger\LoggerFactory::getInstance( 
'message-format' )->warning(
+                               $ex->getMessage(), [ 'exception' => $ex, 
'format' => $this->format, 'key' => $this->key ] );
+               }
+
                // PHP doesn't allow __toString to throw exceptions and will
                // trigger a fatal error if it does. So, catch any exceptions.
 

-- 
To view, visit https://gerrit.wikimedia.org/r/312401
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id51cf6a5a937bc41a914f317e980ef42e4d385fb
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: Nikerabbit <niklas.laxst...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to