Gergő Tisza has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/390134 )

Change subject: Validate titles
......................................................................

Validate titles

Change-Id: I4be37788670209fb6a912daf558402d26368bdd1
---
M src/Api/ApiReadingListsCreateEntry.php
1 file changed, 12 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/ReadingLists 
refs/changes/34/390134/1

diff --git a/src/Api/ApiReadingListsCreateEntry.php 
b/src/Api/ApiReadingListsCreateEntry.php
index 0570562..8a82070 100644
--- a/src/Api/ApiReadingListsCreateEntry.php
+++ b/src/Api/ApiReadingListsCreateEntry.php
@@ -4,6 +4,7 @@
 
 use ApiBase;
 use Message;
+use Title;
 
 /**
  * API module for all write operations.
@@ -26,6 +27,17 @@
                $project = $this->getParameter( 'project' );
                $title = $this->getParameter( 'title' );
 
+               // Lists can contain titles from other wikis, and we have no 
idea of the exact title
+               // validation rules used there; but in practice it's unlikely 
the rules would differ,
+               // and allowing things like <> or # in the title could result 
in vulnerabilities in
+               // clients that assume they are getting something sane. So 
let's validate anyway.
+               //
+               // We do not normalize, that would contain too much local logic 
(e.g. title case), and
+               // clients are expected to submit already normalized titles 
(that they got from the API) anyway.
+               if ( !Title::newFromText( $title ) ) {
+                       $this->dieWithError( 'apierror-invalidtitle', 
wfEscapeWikiText( $title ) );
+               }
+
                $entryId = $this->getReadingListRepository( $this->getUser() )
                        ->addListEntry( $listId, $project, $title );
                $this->getResult()->addValue( null, $this->getModuleName(), [ 
'id' => $entryId ] );
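Review bot: The comment at the top of this hunk names `#` as a character that should be rejected, but `Title::newFromText()` treats everything after `#` as a fragment and still returns a Title object, so a value like `Foo#bar` passes the `!Title::newFromText( $title )` check and is stored unchanged by `addListEntry()`; the same applies to an interwiki-prefixed value, which comes back as an external Title rather than null. If the intent is to keep `#` out of stored titles, hold on to the parsed object and also reject it when `hasFragment()` (and, if cross-wiki prefixes are unwanted, `isExternal()`) is true, which stays within the "validate but do not normalize" rule stated in the comment. It would also help to note in the comment that an empty `$title` is rejected by the same check, since `newFromText()` returns null for it, so the error message covers that case too.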

-- 
To view, visit https://gerrit.wikimedia.org/r/390134
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4be37788670209fb6a912daf558402d26368bdd1
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/ReadingLists
Gerrit-Branch: master
Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
