From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 23 Mar 2018 13:31:31 +0000 (-0400)
Subject: SECURITY: Fix variable usage in ApiQueryUserContributions
X-Git-Tag: 1.31.0-rc.0~299^2
X-Git-Url: http://git.cyclocoop.org/%24dirpuce/puce%24spip_lang_rtl.gif?a=commitdiff_plain;h=ccfca1fe64ae4c231fdb1b7de9089b1496dfcb8f;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Fix variable usage in ApiQueryUserContributions

$from was being used instead of $fromName in the handling for
ucuserprefix, causing broken SQL.

Bug: T190507
Change-Id: I0759637ea5f35853271167ca0aaaabd3b7ab69f9
---

diff --git a/includes/api/ApiQueryUserContributions.php b/includes/api/ApiQueryUserContributions.php
index bb4a2ef07e..816c56c160 100644
--- a/includes/api/ApiQueryUserContributions.php
+++ b/includes/api/ApiQueryUserContributions.php
@@ -82,19 +82,20 @@ class ApiQueryContributions extends ApiQueryBase {
 			$userIter = call_user_func( function () use ( $dbSecondary, $sort, $op, $fname ) {
 				global $wgActorTableSchemaMigrationStage;
 
-				$from = $fromName = false;
+				$fromName = false;
 				if ( !is_null( $this->params['continue'] ) ) {
 					$continue = explode( '|', $this->params['continue'] );
 					$this->dieContinueUsageIf( count( $continue ) != 4 );
 					$this->dieContinueUsageIf( $continue[0] !== 'name' );
 					$fromName = $continue[1];
-					$from = "$op= " . $dbSecondary->addQuotes( $fromName );
 				}
 				$like = $dbSecondary->buildLike( $this->params['userprefix'], $dbSecondary->anyString() );
 
 				$limit = 501;
 
 				do {
+					$from = $fromName ? "$op= " . $dbSecondary->addQuotes( $fromName ) : false;
+
 					// For the new schema, pull from the actor table. For the
 					// old, pull from rev_user. For migration a FULL [OUTER]
 					// JOIN would be what we want, except MySQL doesn't support
@@ -158,15 +159,15 @@ class ApiQueryContributions extends ApiQueryBase {
 					}
 
 					$count = 0;
-					$from = null;
+					$fromName = false;
 					foreach ( $res as $row ) {
 						if ( ++$count >= $limit ) {
-							$from = $row->user_name;
+							$fromName = $row->user_name;
 							break;
 						}
 						yield User::newFromRow( $row );
 					}
-				} while ( $from !== null );
+				} while ( $fromName !== false );
 			} );
 			// Do the actual sorting client-side, because otherwise
 			// prepareQuery might try to sort by actor and confuse everything.