From db8b70fb31850fdd5e6f67bce5a7cf5f9aaaf4af Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Sat, 16 Apr 2016 17:45:39 +0000
Subject: [PATCH] Reject usernames with # as user-type API parameters

Th API handles parameters of type 'user' as page titles, which resulted in silently dropping # characters and anything following them. Reject such usernames explicitly instead.

Bug: T132852
Change-Id: Iba8061b20d5e25de80ff30d09eb53939c97cdaac
---
 includes/api/ApiBase.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 1c20229cca..da64c038af 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1298,7 +1298,7 @@ abstract class ApiBase extends ContextSource {
 */
 private function validateUser( $value, $encParamName ) {
 $title = Title::makeTitleSafe( NS_USER, $value );
- if ( $title === null ) {
+ if ( $title === null || $title->hasFragment() ) {
 $this->dieUsage(
 "Invalid value '$value' for user parameter $encParamName",
 "baduser_{$encParamName}"
-- 
2.20.1
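Review bot: The added `$title->hasFragment()` test in validateUser() may still accept a value that ends in a bare `#`, because the title parser strips the `#` and, as far as I can tell, hasFragment() is false when the fragment text is empty; the parameter would then still be silently normalised to a different string than the caller sent, which is the behaviour this patch sets out to stop. Checking the raw input closes that case however Title treats it: `if ( $title === null || $title->hasFragment() || strpos( $value, '#' ) !== false ) {`. Where a user parameter selects the account an action applies to, rejecting on the raw value is the safer rule. The diffstat shows no test change; an API test asserting that `Foo#bar` and `Foo#` both produce the `baduser_` error would pin this. The body of validateUser() continues outside the hunk.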