From cdf1608cab068841877ed375b1c4cfd0ab40fe5d Mon Sep 17 00:00:00 2001
From: Sam Reed
Date: Sun, 15 May 2011 13:16:13 +0000
Subject: [PATCH] * (bug 27593) API: add error message when sha1/sha1base36 is invalid
---
 RELEASE-NOTES-1.19 | 1 +
 includes/api/ApiQueryAllimages.php | 26 +++++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19
index 63fe431f01..30bce32c79 100644
--- a/RELEASE-NOTES-1.19
+++ b/RELEASE-NOTES-1.19
@@ -56,6 +56,7 @@ used in Tiff files.
 === API changes in 1.19 ===
 * (bug 27790) add query type for querymodules to action=paraminfo
 * (bug 28963) add langbacklinks module to api
+* (bug 27593) API: add error message when sha1/sha1base36 is invalid
 === Languages updated in 1.19 ===
diff --git a/includes/api/ApiQueryAllimages.php b/includes/api/ApiQueryAllimages.php
index f5ee4b4362..bdc561b500 100644
--- a/includes/api/ApiQueryAllimages.php
+++ b/includes/api/ApiQueryAllimages.php
@@ -109,12 +109,18 @@ class ApiQueryAllimages extends ApiQueryGeneratorBase {
 $sha1 = false;
 if ( isset( $params['sha1'] ) ) {
+ if ( !self::validateSha1Hash( $params['sha1'] ) ) {
+ $this->dieUsage( 'The SHA1 hash provided is not valid', 'invalidsha1hash' );
+ }
 $sha1 = wfBaseConvert( $params['sha1'], 16, 36, 31 );
 } elseif ( isset( $params['sha1base36'] ) ) {
 $sha1 = $params['sha1base36'];
+ if ( !self::validateSha1Base36Hash( $sha1 ) ) {
+ $this->dieUsage( 'The SHA1Base36 hash provided is not valid', 'invalidsha1base36hash' );
+ }
 }
 if ( $sha1 ) {
- $this->addWhere( 'img_sha1=' . $db->addQuotes( $sha1 ) );
+ $this->addWhereFld( 'img_sha1', $sha1 );
 }
 if ( !is_null( $params['mime'] ) ) {
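Review bot: The new guard in the `sha1` branch rejects uppercase hex digests, because `validateSha1Hash` (added further down in this commit) only matches `a-f0-9`, and many hashing tools print SHA-1 in uppercase. Whether `wfBaseConvert` accepted mixed-case input before this change is not visible here, so this may be a behaviour change for existing API clients. Consider normalising before the check, `$params['sha1'] = strtolower( $params['sha1'] );`, or stating in the parameter description that lowercase hex is required. The enclosing method starts and ends outside the hunk.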
@@ -175,6 +181,22 @@ class ApiQueryAllimages extends ApiQueryGeneratorBase {
 }
 }
+ /**
+ * @param $hash string
+ * @return bool
+ */
+ public static function validateSha1Hash( $hash ) {
+ return preg_match( '/[a-f0-9]{40}/', $hash );
+ }
+
+ /**
+ * @param $hash string
+ * @return bool
+ */
+ public static function validateSha1Base36Hash( $hash ) {
+ return preg_match( '/[a-z0-9]{31}/', $hash );
+ }
+
 public function getAllowedParams() {
 return array (
 'from' => null,
@@ -238,6 +260,8 @@ class ApiQueryAllimages extends ApiQueryGeneratorBase {
 array( 'code' => 'params', 'info' => 'Use "gaifilterredir=nonredirects" option instead of "redirects" when using allimages as a generator' ),
 array( 'code' => 'unsupportedrepo', 'info' => 'Local file repository does not support querying all images' ),
 array( 'code' => 'mimeearchdisabled', 'info' => 'MIME search disabled in Miser Mode' ),
+ array( 'code' => 'invalidsha1hash', 'info' => 'The SHA1 hash provided is not valid' ),
+ array( 'code' => 'invalidsha1base36hash', 'info' => 'The SHA1Base36 hash provided is not valid' ),
 ) );
 }
-- 
2.20.1
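Review bot: Both patterns in `validateSha1Hash` and `validateSha1Base36Hash` are unanchored, so `preg_match` succeeds on any string that merely contains a run of 40 hex (or 31 base36) characters; longer input or input with other characters around the run still passes. The checks added in the first hunk of this file therefore do not guarantee that a well-formed hash reaches `wfBaseConvert` or the `img_sha1` condition. Anchor the patterns and return a real boolean, since `preg_match` yields an int or false while the docblock promises bool: `return preg_match( '/^[a-f0-9]{40}\z/', $hash ) === 1;` and `return preg_match( '/^[a-z0-9]{31}\z/', $hash ) === 1;`. `\z` is preferred over `$` so that a trailing newline is not accepted. The docblocks would also benefit from a one-line description of the expected format (lowercase, exact length).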