From: Brad Jorsch
Date: Mon, 18 Sep 2017 14:14:02 +0000 (-0400)
Subject: SECURITY: Fix handling of CommentStore and insertSelect
X-Git-Tag: 1.31.0-rc.0~2050
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22calendrier%22%2C%22type=semaine%22%29%20.%20%22?a=commitdiff_plain;h=d3642413a1c589466a9fc508737ab8c6f70d8439;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Fix handling of CommentStore and insertSelect

CommentStore->insert() takes the raw comment, not quoted, and returns fields appropriate for passing as $a to IDatabase->insert() or $values to ->update(). Such fields need to be passed through IDatabase->addQuotes() to be appropriate for passing in $varMap to IDatabase->insertSelect().

Change-Id: Ie64b279ee7cf9c8c396af385e46c826e0597ab1e
---

diff --git a/includes/filerepo/file/LocalFile.php b/includes/filerepo/file/LocalFile.php
index 4c0dea246e..fd0f3f393c 100644
--- a/includes/filerepo/file/LocalFile.php
+++ b/includes/filerepo/file/LocalFile.php
@@ -2307,7 +2307,6 @@ class LocalFileDeleteBatch {
 $encTimestamp = $dbw->addQuotes( $dbw->timestamp( $now ) );
 $encUserId = $dbw->addQuotes( $this->user->getId() );
- $encReason = $dbw->addQuotes( $this->reason );
 $encGroup = $dbw->addQuotes( 'deleted' );
 $ext = $this->file->getExtension();
 $dotExt = $ext === '' ? '' : ".$ext";
@@ -2350,7 +2349,10 @@ class LocalFileDeleteBatch {
 ];
 $joins = [];
- $fields += $commentStoreFaReason->insert( $dbw, $encReason );
+ $fields += array_map(
+ [ $dbw, 'addQuotes' ],
+ $commentStoreFaReason->insert( $dbw, $this->reason )
+ );
 if ( $wgCommentTableSchemaMigrationStage <= MIGRATION_WRITE_BOTH ) {
 $fields['fa_description'] = 'img_description';
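Review bot: The new `array_map( [ $dbw, 'addQuotes' ], … )` wrapping in the second hunk carries no explanation of why quoting is needed at this call site, and nothing nearby tells a reader that this `$fields` is an insertSelect `$varMap` of SQL expressions rather than the plain value array `CommentStore::insert()` is documented (in the commit message) to produce for `IDatabase::insert()`. A one-line comment above it, `// insert() returns raw values meant for IDatabase::insert(); $fields is a varMap of SQL fragments, so each value must be quoted`, would keep a later cleanup from dropping the quoting and putting unquoted comment text back into the generated SQL. The removal of `$encReason` in the first hunk is only safe if no other line of the enclosing method still reads it; the method body runs outside both hunks, so that cannot be confirmed from what is shown. Note that `array_map` over a single array preserves the string keys `insert()` returns, so the `+=` merge keeps working as before.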