Brian Wolff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/396563 )

Change subject: Add a note about how it can't validate certain types of SQL
......................................................................

Add a note about how it can't validate certain types of SQL

$options and $join_cond for IDatabase::select only get validated
if they are directly specified as an array literal.

Change-Id: I15c6d46a1b04f10bc96b6f2b7eecc6c782f19989
---
M README.md
1 file changed, 4 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/tools/phan/SecurityCheckPlugin refs/changes/63/396563/1

diff --git a/README.md b/README.md
index 06fbe39..daa6b2c 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,10 @@
 * The plugin won't recognize things that do custom escaping. If you have
   custom escaping methods, you may have to write a subclass of
   SecurityCheckPlugin in order for the plugin to recognize it.
+* The plugin can only validate the fifth ($options) and sixth ($join_cond)
+  of MediaWiki's IDatabase::select() if its provided directly as an array
+  literal, or directly returned as an array literal from a getQueryInfo()
+  method.
 
 Customizing
 -----------
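Review bot: The new bullet drops the noun after "fifth ($options) and sixth ($join_cond)" and has a typo in "if its provided"; suggest "can only validate the fifth ($options) and sixth ($join_conds) arguments of MediaWiki's IDatabase::select() if the argument is provided directly as an array literal" (the parameter in IDatabase::select() is spelled $join_conds). It would also help readers to state the consequence explicitly: when those arguments arrive through a variable or a non-literal return value the plugin reports nothing rather than warning, so a clean run does not mean those values are safe and they still need manual review.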

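To make the limitation in the README note concrete, here is an added example (not code from the SecurityCheckPlugin repository or from MediaWiki) showing the shapes of IDatabase::select() calls the plugin can and cannot reason about, plus a hardened form. It assumes a MediaWiki environment where Wikimedia\Rdbms\IDatabase is autoloaded; the table, column names, function names, and the SortedPagesQuery class are hypothetical.

```php
<?php
// Added example, not part of SecurityCheckPlugin or MediaWiki.
// Assumes Wikimedia\Rdbms\IDatabase is autoloaded; table/column names are hypothetical.
use Wikimedia\Rdbms\IDatabase;

// 1. $options passed directly as an array literal: the plugin can follow the
//    taint of $sort into the ORDER BY value and report it when $sort is user input.
function listPagesLiteralOptions( IDatabase $db, $sort ) {
    return $db->select(
        'page',
        [ 'page_id', 'page_title' ],
        [ 'page_namespace' => 0 ],
        __METHOD__,
        [ 'ORDER BY' => $sort, 'LIMIT' => 50 ] // $sort is placed raw into the SQL
    );
}

// 2. Same query, but $options is assembled in a variable first. Per the README
//    note the plugin only validates the argument when it is an array literal, so
//    the same injection through $opts['ORDER BY'] goes unreported. Silence from
//    the plugin is not evidence that this call is safe.
function listPagesVariableOptions( IDatabase $db, $sort ) {
    $opts = [ 'LIMIT' => 50 ];
    $opts['ORDER BY'] = $sort;
    return $db->select(
        'page',
        [ 'page_id', 'page_title' ],
        [ 'page_namespace' => 0 ],
        __METHOD__,
        $opts
    );
}

// 3. Hardened form that is safe in either shape: allow-list the sortable column
//    and the direction so no attacker-controlled string reaches the SQL text.
function listPagesSafe( IDatabase $db, $sort, $dir ) {
    $allowedColumns = [ 'page_id', 'page_title', 'page_touched' ];
    if ( !in_array( $sort, $allowedColumns, true ) ) {
        $sort = 'page_id';
    }
    $dir = ( $dir === 'DESC' ) ? 'DESC' : 'ASC';
    return $db->select(
        'page',
        [ 'page_id', 'page_title' ],
        [ 'page_namespace' => 0 ],
        __METHOD__,
        [ 'ORDER BY' => "$sort $dir", 'LIMIT' => 50 ]
    );
}

// 4. getQueryInfo(): an array literal returned directly is validated, while a
//    value built with array_merge() or stored in a variable before return is not
//    (the same limitation as case 2), so keep the literal in the return statement.
class SortedPagesQuery {
    /** @var string */
    private $sort;

    public function __construct( $sort ) {
        $this->sort = $sort;
    }

    public function getQueryInfo() {
        return [
            'tables' => [ 'page' ],
            'fields' => [ 'page_id', 'page_title' ],
            'conds' => [ 'page_namespace' => 0 ],
            'options' => [ 'ORDER BY' => $this->sort ], // literal returned directly: checked
            'join_conds' => [],
        ];
    }
}
```

When reviewing code under this plugin, treat any select() whose $options or $join_conds are computed (case 2, or a getQueryInfo() that merges arrays) as unverified and inspect the values by hand; the allow-list approach in case 3 is what makes such a call safe regardless of whether the plugin can see it.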
-- 
To view, visit https://gerrit.wikimedia.org/r/396563
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I15c6d46a1b04f10bc96b6f2b7eecc6c782f19989
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/tools/phan/SecurityCheckPlugin
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff <bawolff...@gmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
