[Bug 22227] New: SpecialListfiles.php throws a fatal abort when a spooky file File: exisits (for one reason or another)

Fri, 22 Jan 2010 10:32:50 -0800 

https://bugzilla.wikimedia.org/show_bug.cgi?id=22227

           Summary: SpecialListfiles.php throws a fatal abort when a
                    spooky file File: exisits (for one reason or another)
           Product: MediaWiki
           Version: 1.16-svn
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: Normal
         Component: Special pages
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Summary: if for one reason or another a spooky entry exists in table "image"
(file with a blank name), the sort function
http://server/wiki/index.php?title=Special:ListFiles&sort=img_name&limit=500
throws a FATAL ERROR as explained. This should be fixed for security reasons.

I noticed a buggy behaviour of $IP/includes/specials/SpecialListfiles.php --
only under certain circumstances which require code review:

IF a spooky "file" exists in the database table "image" - in my case this was a
consequence from a failed/aborted file upload in a very old  REL_1.4 MediaWiki
from 2005 ...

THEN when clicking on the page header NAME on the file list on
Special:Listfiles because I wanted to change the sort order

I received a reproducible Fatal error: Call to a member function getURL() on a
non-object in /.../includes/specials/SpecialListfiles.php on line 138
(MediaWiki 1.15.1)

Fixed this by changing line 138 from
$url = $image->getURL(); 
to 
if ($value !== 0 && $value != '') $url = $image->getURL();

and found the reason: a file in the table with an empty filename (not ok) and 0
Byte (not ok), upload date (ok.), uploader name (ok.)

Summary: if for one reason or another a spooky entry exists in table "image"
(file with a blank name), the sort function
http://server/wiki/index.php?title=Special:ListFiles&sort=img_name&limit=500
throws a FATAL ERROR as explained. This should be fixed for security reasons.


P.S. I deleted the spooky file by 
- manually changing the emtpy filename in the database to a dummy name
dummy.jpg
- over-uploading a second file dummy.jpg through the wiki
- deleting the file through the wiki using action=delete

I intentionally assigned 1.16-svn because reviewing the SVN I found that the
bug might still be present.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

Reply via email to