Merge "Revert "Adding sanity check to Title::isRedirect().""
[lhc/web/wiklou.git] / includes / api / ApiQueryBlocks.php
index 1ac7835..8c287d6 100644 (file)
@@ -77,6 +77,9 @@ class ApiQueryBlocks extends ApiQueryBase {
 
                $this->addOption( 'LIMIT', $params['limit'] + 1 );
                $this->addTimestampWhereRange( 'ipb_timestamp', $params['dir'], $params['start'], $params['end'] );
+
+               $db = $this->getDB();
+
                if ( isset( $params['ids'] ) ) {
                        $this->addWhereFld( 'ipb_id', $params['ids'] );
                }
@@ -100,11 +103,15 @@ class ApiQueryBlocks extends ApiQueryBase {
                        }
                        $prefix = substr( $lower, 0, 4 );
 
-                       $db = $this->getDB();
+                       # Fairly hard to make a malicious SQL statement out of hex characters,
+                       # but it is good practice to add quotes
+                       $lower = $db->addQuotes( $lower );
+                       $upper = $db->addQuotes( $upper );
+
                        $this->addWhere( array(
                                'ipb_range_start' . $db->buildLike( $prefix, $db->anyString() ),
-                               "ipb_range_start <= '$lower'",
-                               "ipb_range_end >= '$upper'",
+                               'ipb_range_start <= ' . $lower,
+                               'ipb_range_end >= ' . $upper,
                                'ipb_auto' => 0
                        ) );
                }
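Review bot: The two new `addQuotes` lines reassign `$lower` and `$upper` to quoted SQL fragments, so the order relative to `$prefix = substr( $lower, 0, 4 )` two lines above is load-bearing — swapping them would put a quote character into the LIKE prefix — and nothing in the code says so. Writing the quoted forms to fresh locals, `$lowerSql = $db->addQuotes( $lower ); $upperSql = $db->addQuotes( $upper );`, and using those in the `addWhere` fragments leaves the plain bounds intact and removes the hidden ordering dependency. The new comment also gives the wrong rationale: these elements are raw SQL fragments (the old code interpolated the bounds straight into them), so quoting is required by that interface whether or not hex input is hard to abuse; I would replace it with `# These are raw SQL fragments, so the bounds must be quoted by the DB layer`. The `if` block enclosing this code starts before the hunk, so whether `$lower`/`$upper` are already constrained to hex is not visible here.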
@@ -339,7 +346,7 @@ class ApiQueryBlocks extends ApiQueryBase {
        }
 
        public function getHelpUrls() {
-               return 'http://www.mediawiki.org/wiki/API:Blocks';
+               return 'https://www.mediawiki.org/wiki/API:Blocks';
        }
 
        public function getVersion() {