Ladsgroup added a comment.

  On the lua side of things: You can reproduce this problem by setting the 
language to almost anything other than a valid one like "uselang=???" 
The good news is that I couldn't break out of the string so it's not an 
injection vulnerability AFAIK but this can be fixed rather easily in the lua 
side. I will try to make a patch.



To: Tarrow, Ladsgroup
Cc: Rosalie_WMDE, Tarrow, Agusbou2015, Ladsgroup, hoo, Jakob_WMDE, 
Liuxinyu970226, Krinkle, Addshore, WMDE-leszek, Jdforrester-WMF, Aklapper, 
Un1tY, Hook696, Daryl-TTMG, RomaAmorRoma, 0010318400, E.S.A-Sheild, Iflorez, 
darthmon_wmde, alaa_wmde, Meekrab2012, joker88john, CucyNoiD, Nandana, 
NebulousIris, Gaboe420, Versusxo, Majesticalreaper22, Giuliamocci, Adrian1985, 
Cpaulf30, Lahi, Gq86, Af420, Darkminds3113, Bsandipan, Lordiis, 
GoranSMilovanovic, Adik2382, Th3d3v1ls, Ramalepe, Liugev6, QZanden, 
LawExplorer, WSH1906, Lewizho99, Maathavan, _jensen, rosalieper, Scott_WUaS, 
Jonas, Wikidata-bugs, aude, Ricordisamoa, Lydia_Pintscher, Mbch331, Rxy, Jay8g, 
Wikidata-bugs mailing list

Reply via email to