Anomie has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/399190 )

Change subject: ApiBlock: Improve username validation
......................................................................

ApiBlock: Improve username validation

The current username validation lets any invalid username through, on
the assumption that it's an IP address. We can do better: call the
backend to get the actual type and target, and reject anything with
TYPE_USER where the actual input name is invalid (regardless of
underlying mangling for stuff like T31797).

Bug: T183211
Change-Id: I676642eee1222447df22a1c32b24f55e6273bcec
---
M includes/api/ApiBlock.php
1 file changed, 3 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/90/399190/1

diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 4d37af3..366a6df 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -67,12 +67,12 @@
                                $params['user'] = $username;
                        }
                } else {
-                       $target = User::newFromName( $params['user'] );
+                       list( $target, $type ) = 
SpecialBlock::getTargetAndType( $params['user'] );
 
                        // T40633 - if the target is a user (not an IP 
address), but it
                        // doesn't exist or is unusable, error.
-                       if ( $target instanceof User &&
-                               ( $target->isAnon() /* doesn't exist */ || 
!User::isUsableName( $target->getName() ) )
+                       if ( $type === Block::TYPE_USER &&
+                               ( $target->isAnon() /* doesn't exist */ || 
!User::isUsableName( $params['user'] ) )
                        ) {
                                $this->dieWithError( [ 'nosuchusershort', 
$params['user'] ], 'nosuchuser' );
                        }
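
Review bot: The new condition `$type === Block::TYPE_USER && ( $target->isAnon() ... )` has no branch for input that SpecialBlock::getTargetAndType() cannot classify. If that call can hand back a null type (and null target) for a string that is neither a usable username nor an IP address, the check is skipped and the value continues past this block without the 'nosuchuser' error. Please confirm what getTargetAndType() returns for such input and, if null is possible, reject it explicitly here rather than relying on later validation. Passing the raw `$params['user']` to User::isUsableName() matches the commit message, but the code comment above still only mentions T40633; a short note that the raw input is checked on purpose (because of the T31797 mangling) would keep someone from "fixing" it back to `$target->getName()`. The change touches one file and adds no test; an API test that submits an invalid name would pin the new behaviour.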

-- 
To view, visit https://gerrit.wikimedia.org/r/399190

Gerrit-MessageType: newchange
Gerrit-Change-Id: I676642eee1222447df22a1c32b24f55e6273bcec
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Anomie <[email protected]>
