Revision: 43624
Author:   brion
Date:     2008-11-17 18:58:57 +0000 (Mon, 17 Nov 2008)

Log Message:
-----------
* Improved input validation on Special:Import form
Applying Tim's fixes

Modified Paths:
--------------
    trunk/phase3/RELEASE-NOTES
    trunk/phase3/includes/specials/SpecialImport.php
    trunk/phase3/languages/messages/MessagesEn.php

Modified: trunk/phase3/RELEASE-NOTES
===================================================================
--- trunk/phase3/RELEASE-NOTES  2008-11-17 18:54:55 UTC (rev 43623)
+++ trunk/phase3/RELEASE-NOTES  2008-11-17 18:58:57 UTC (rev 43624)
@@ -348,6 +348,7 @@
   formatting and path exposure.
 * Less verbose errors from profileinfo.php when not configured
 * Blacklist redirects via Special:Filepath, hard to use.
+* Improved input validation on Special:Import form
 
 
 === API changes in 1.14 ===

Modified: trunk/phase3/includes/specials/SpecialImport.php
===================================================================
--- trunk/phase3/includes/specials/SpecialImport.php    2008-11-17 18:54:55 UTC 
(rev 43623)
+++ trunk/phase3/includes/specials/SpecialImport.php    2008-11-17 18:58:57 UTC 
(rev 43624)
@@ -43,26 +43,30 @@
        if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 
'submit') {
                $isUpload = false;
                $namespace = $wgRequest->getIntOrNull( 'namespace' );
+               $sourceName = $wgRequest->getVal( "source" );
 
-               switch( $wgRequest->getVal( "source" ) ) {
-               case "upload":
+               if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'editToken' 
) ) ) {
+                       $source = new WikiErrorMsg( 'import-token-mismatch' );
+               } elseif ( $sourceName == 'upload' ) {
                        $isUpload = true;
                        if( $wgUser->isAllowed( 'importupload' ) ) {
                                $source = ImportStreamSource::newFromUpload( 
"xmlimport" );
                        } else {
                                return $wgOut->permissionRequired( 
'importupload' );
                        }
-                       break;
-               case "interwiki":
+               } elseif ( $sourceName == "interwiki" ) {
                        $interwiki = $wgRequest->getVal( 'interwiki' );
-                       $history = $wgRequest->getCheck( 'interwikiHistory' );
-                       $frompage = $wgRequest->getText( "frompage" );
-                       $source = ImportStreamSource::newFromInterwiki(
-                               $interwiki,
-                               $frompage,
-                               $history );
-                       break;
-               default:
+                       if ( !in_array( $interwiki, $wgImportSources ) ) {
+                               $source = new WikiErrorMsg( 
"import-invalid-interwiki" );
+                       } else {
+                               $history = $wgRequest->getCheck( 
'interwikiHistory' );
+                               $frompage = $wgRequest->getText( "frompage" );
+                               $source = ImportStreamSource::newFromInterwiki(
+                                       $interwiki,
+                                       $frompage,
+                                       $history );
+                       }
+               } else {
                        $source = new WikiErrorMsg( "importunknownsource" );
                }
 
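Review bot: The interwiki whitelist check `if ( !in_array( $interwiki, $wgImportSources ) )` compares loosely, so the request-supplied prefix is matched against the configured list with PHP's `==` rules (numeric-looking strings compare numerically); pass the strict flag, `if ( !in_array( $interwiki, $wgImportSources, true ) ) {`, so that only an exact configured prefix is accepted. The same branch depends on `$wgImportSources` being in scope, and the function's `global` declaration lies above this hunk, so confirm it is listed there; if it is not, `in_array()` receives null, emits a warning and every interwiki request is rejected as invalid rather than validated. The enclosing method starts before this hunk and continues after it.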
@@ -106,6 +110,7 @@
                        Xml::hidden( 'action', 'submit' ) .
                        Xml::hidden( 'source', 'upload' ) .
                        Xml::input( 'xmlimport', 50, '', array( 'type' => 
'file' ) ) . ' ' .
+                       Xml::hidden( 'editToken', $wgUser->editToken() ) .
                        Xml::submitButton( wfMsg( 'uploadbtn' ) ) .
                        Xml::closeElement( 'form' ) .
                        Xml::closeElement( 'fieldset' )
@@ -124,6 +129,7 @@
                        wfMsgExt( 'import-interwiki-text', array( 'parse' ) ) .
                        Xml::hidden( 'action', 'submit' ) .
                        Xml::hidden( 'source', 'interwiki' ) .
+                       Xml::hidden( 'editToken', $wgUser->editToken() ) .
                        Xml::openElement( 'table', array( 'id' => 
'mw-import-table' ) ) .
                        "<tr>
                                <td>" .

Modified: trunk/phase3/languages/messages/MessagesEn.php
===================================================================
--- trunk/phase3/languages/messages/MessagesEn.php      2008-11-17 18:54:55 UTC 
(rev 43623)
+++ trunk/phase3/languages/messages/MessagesEn.php      2008-11-17 18:58:57 UTC 
(rev 43624)
@@ -2803,6 +2803,8 @@
 'import-nonewrevisions'      => 'All revisions were previously imported.',
 'xml-error-string'           => '$1 at line $2, col $3 (byte $4): $5',
 'import-upload'              => 'Upload XML data',
+'import-token-mismatch'      => 'Loss of session data. Please try again.',
+'import-invalid-interwiki'   => 'Cannot import from the specified wiki.',
 
 # Import log
 'importlogpage'                    => 'Import log',


