From 804deee936326251285da7fa7176bb4a8d7511d0 Mon Sep 17 00:00:00 2001 From: Aaron Schulz Date: Mon, 22 Sep 2008 14:37:05 +0000 Subject: [PATCH] rev_deleted security improvements as well as fix for rawpages --- includes/Linker.php | 8 ++++---- includes/Revision.php | 18 ++++++++++++------ includes/api/ApiParse.php | 2 +- includes/diff/DifferenceEngine.php | 2 +- includes/specials/SpecialUndelete.php | 4 ++-- 5 files changed, 20 insertions(+), 14 deletions(-) diff --git a/includes/Linker.php b/includes/Linker.php index 54f5633dad..8e87fbf0e8 100644 --- a/includes/Linker.php +++ b/includes/Linker.php @@ -1113,7 +1113,7 @@ class Linker { if( $rev->isDeleted( Revision::DELETED_USER ) && $isPublic ) { $link = wfMsgHtml( 'rev-deleted-user' ); } else if( $rev->userCan( Revision::DELETED_USER ) ) { - $link = $this->userLink( $rev->getRawUser(), $rev->getRawUserText() ); + $link = $this->userLink( $rev->getUser(false), $rev->getUserText(false) ); } else { $link = wfMsgHtml( 'rev-deleted-user' ); } @@ -1133,8 +1133,8 @@ class Linker { if( $rev->isDeleted( Revision::DELETED_USER ) && $isPublic ) { $link = wfMsgHtml( 'rev-deleted-user' ); } else if( $rev->userCan( Revision::DELETED_USER ) ) { - $link = $this->userLink( $rev->getRawUser(), $rev->getRawUserText() ) . - ' ' . $this->userToolLinks( $rev->getRawUser(), $rev->getRawUserText() ); + $link = $this->userLink( $rev->getUser(false), $rev->getUserText(false) ) . + ' ' . $this->userToolLinks( $rev->getUser(false), $rev->getUserText(false) ); } else { $link = wfMsgHtml( 'rev-deleted-user' ); } 
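Review bot: The bare `false` passed to `getUser()` / `getUserText()` in the `-1113` and `-1133` hunks (and to `getComment()` in the `-1340` hunk) reads like a negation, and nothing at the call site says it means "this is not a public view". Each call already sits inside the `else if( $rev->userCan( ... ) )` branch, so the accessor's own permission check is a second gate here; that is reasonable defence in depth but deserves a one-line comment such as `// false = not a public view; the accessor re-checks userCan() itself`. In the `-1133` hunk both accessors are also called twice; reading them once into locals (`$uid = $rev->getUser( false ); $name = $rev->getUserText( false );`) keeps the user link and the tool links on the same values. The enclosing Linker methods start and end outside these hunks.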
@@ -1340,7 +1340,7 @@ class Linker { if( $rev->isDeleted( Revision::DELETED_COMMENT ) && $isPublic ) { $block = " " . wfMsgHtml( 'rev-deleted-comment' ) . ""; } else if( $rev->userCan( Revision::DELETED_COMMENT ) ) { - $block = $this->commentBlock( $rev->getRawComment(), $rev->getTitle(), $local ); + $block = $this->commentBlock( $rev->getComment(false), $rev->getTitle(), $local ); } else { $block = " " . wfMsgHtml( 'rev-deleted-comment' ) . ""; } diff --git a/includes/Revision.php b/includes/Revision.php index 79aa20f0a0..8d1200685d 100644 --- a/includes/Revision.php +++ b/includes/Revision.php @@ -430,8 +430,10 @@ class Revision { * Fetch revision's user id if it's available to all users * @return int */ - public function getUser() { - if( $this->isDeleted( self::DELETED_USER ) ) { + public function getUser( $isPublic = true ) { + if( $isPublic && $this->isDeleted( self::DELETED_USER ) ) { + return 0; + } else if( !$this->userCan( self::DELETED_USER ) ) { return 0; } else { return $this->mUser; @@ -450,8 +452,10 @@ class Revision { * Fetch revision's username if it's available to all users * @return string */ - public function getUserText() { - if( $this->isDeleted( self::DELETED_USER ) ) { + public function getUserText( $isPublic = true ) { + if( $isPublic && $this->isDeleted( self::DELETED_USER ) ) { + return ""; + } else if( !$this->userCan( self::DELETED_USER ) ) { return ""; } else { return $this->mUserText; @@ -470,8 +474,10 @@ class Revision { * Fetch revision comment if it's available to all users * @return string */ - function getComment() { - if( $this->isDeleted( self::DELETED_COMMENT ) ) { + function getComment( $isPublic = true ) { + if( $isPublic && $this->isDeleted( self::DELETED_COMMENT ) ) { + return ""; + } else if( !$this->userCan( self::DELETED_COMMENT ) ) { return ""; } else { return $this->mComment; diff --git a/includes/api/ApiParse.php b/includes/api/ApiParse.php index 71cf0f9ffb..7151300b7b 100644 --- a/includes/api/ApiParse.php 
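Review bot: The docblocks above `getUser()`, `getUserText()` and `getComment()` in the three Revision.php hunks still say the value is returned "if it's available to all users" and document no parameter, which no longer holds once `$isPublic` is `false`. Each should gain a line such as `@param bool $isPublic true: withhold the field whenever it is revision-deleted; false: withhold it only when userCan() denies it`. Both guarded branches return the same value, so the condition can be stated once, e.g. `if( ( $isPublic && $this->isDeleted( self::DELETED_USER ) ) || !$this->userCan( self::DELETED_USER ) )`, which makes the access rule easier to audit. Callers still cannot tell "withheld" from a genuinely empty value, since both come back as `0` / `""`; whether `0` is also a legitimate stored user id is not visible here, but more call sites now depend on that sentinel.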
+++ b/includes/api/ApiParse.php @@ -63,7 +63,7 @@ class ApiParse extends ApiBase { $this->dieUsage("There is no revision ID $oldid", 'missingrev'); if(!$rev->userCan(Revision::DELETED_TEXT)) $this->dieUsage("You don't have permission to view deleted revisions", 'permissiondenied'); - $text = $rev->getRawText(); + $text = $rev->getText(false); $titleObj = $rev->getTitle(); $p_result = $wgParser->parse($text, $titleObj, $popts); } diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php index 958af1babf..a185b0a8b8 100644 --- a/includes/diff/DifferenceEngine.php +++ b/includes/diff/DifferenceEngine.php @@ -176,7 +176,7 @@ CONTROL; $change = RecentChange::newFromConds( array( // Add redundant user,timestamp condition so we can use the existing index - 'rc_user_text' => $this->mNewRev->getRawUserText(), + 'rc_user_text' => $this->mNewRev->getUserText(false), 'rc_timestamp' => $db->timestamp( $this->mNewRev->getTimestamp() ), 'rc_this_oldid' => $this->mNewid, 'rc_last_oldid' => $this->mOldid, diff --git a/includes/specials/SpecialUndelete.php b/includes/specials/SpecialUndelete.php index effa45ceae..c802fd72f2 100644 --- a/includes/specials/SpecialUndelete.php +++ b/includes/specials/SpecialUndelete.php @@ -1223,8 +1223,8 @@ class UndeleteForm { if( !$file->userCan(File::DELETED_USER) ) { return '' . wfMsgHtml( 'rev-deleted-user' ) . ''; } else { - $link = $sk->userLink( $file->getRawUser(), $file->getRawUserText() ) . - $sk->userToolLinks( $file->getRawUser(), $file->getRawUserText() ); + $link = $sk->userLink( $file->getUser(false), $file->getUserText(false) ) . + $sk->userToolLinks( $file->getUser(false), $file->getUserText(false) ); if( $file->isDeleted(File::DELETED_USER) ) $link = '' . $link . ''; return $link; -- 2.20.1
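Review bot: `$rev->getText(false)` relies on `Revision::getText()` accepting the new flag, but the Revision.php hunks in this patch add `$isPublic` only to `getUser()`, `getUserText()` and `getComment()`. PHP silently ignores surplus arguments to a user-defined function, so if `getText()` still takes no parameter this call presumably returns the public view, and a viewer who passed the `userCan(Revision::DELETED_TEXT)` check just above would have empty text parsed with no error raised. The same applies to `$file->getUser(false)` / `$file->getUserText(false)` in the SpecialUndelete.php hunk, where `$file` is not a `Revision` and its accessors are not touched by this patch. Confirm both signatures, or keep `getRawText()` and the file's `getRaw*()` accessors at these two sites, which are already behind an explicit `userCan()` check.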
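Review bot: `'rc_user_text' => $this->mNewRev->getUserText(false)` is a database lookup key rather than output, and the filtered accessor returns `""` when the viewer may not see the user, so the `RecentChange::newFromConds()` condition would then match no row. The comment directly above says this condition exists only so the query can use an existing index, which means the stored value is what the query needs and nothing from it is rendered in this hunk. Consider keeping `getRawUserText()` here with a comment such as `// raw value: index condition only, never displayed`, or handling the no-match case explicitly. What the caller does when `$change` comes back empty is outside the hunk.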