Fixes to input validation and output escaping for user preferences.
author Brion Vibber <brion@users.mediawiki.org>
Mon, 15 May 2006 09:45:14 +0000 (09:45 +0000)
committer Brion Vibber <brion@users.mediawiki.org>
Mon, 15 May 2006 09:45:14 +0000 (09:45 +0000)
commit ce8edcc5657835811554ebb29186d3c6fc3de3e1
tree 04775415064e9648ae02d14e118ab7f72a8bae12
parent 774ce214bde59816bd34c2637a1c3265078742b7
Fixes to input validation and output escaping for user preferences.
Inserting a newline into some improperly filtered option strings could be used to overwrite other pref values, bypassing their input validation. Any newlines now get filtered out at User::setOption as a final line of defence.
There were a few HTML injection bugs, but none appear to be exploitable, as prefs can only be set if you already control the account.
Bug found by gmaxwell.
RELEASE-NOTES
includes/EditPage.php
includes/OutputPage.php
includes/SkinTemplate.php
includes/SpecialPreferences.php
includes/User.php
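
The newline overwrite described in the commit message, shown as an added example that is not code from this commit or from MediaWiki: it assumes preferences are serialized as newline-separated `key=value` lines, and the `PrefStore` class, its methods and the `rows`/`nickname` fields are hypothetical. The same input is run through an unfiltered setter and one that filters newlines.

```php
<?php
// Constructed model: preferences stored as newline-separated key=value lines.
// Class, method and field names are hypothetical, not MediaWiki's own code.
class PrefStore {
    private array $options = [];
    public function __construct(private bool $filterNewlines) {}

    // Per-field validation: "rows" is clamped to an integer from 1 to 100.
    public function setRows(string $input): void {
        $this->setOption('rows', (string) max(1, min(100, (int) $input)));
    }

    // A free-text field whose caller does not filter its input.
    public function setNickname(string $input): void {
        $this->setOption('nickname', $input);
    }

    // Central setter: with filtering on, no stored value can span lines.
    public function setOption(string $name, string $value): void {
        if ($this->filterNewlines) {
            $value = str_replace(["\r\n", "\r", "\n"], ' ', $value);
        }
        $this->options[$name] = $value;
    }

    public function encode(): string {
        $keys = array_keys($this->options);
        return implode("\n", array_map(fn($k, $v) => "$k=$v", $keys, $this->options));
    }

    // Later lines win, so an extra "rows=..." line replaces the validated one.
    public static function decode(string $blob): array {
        $out = [];
        foreach (explode("\n", $blob) as $line) {
            if (preg_match('/^(.+?)=(.*)$/', $line, $m)) {
                $out[$m[1]] = $m[2];
            }
        }
        return $out;
    }
}

foreach ([false, true] as $filter) {
    $store = new PrefStore($filter);
    $store->setRows('25');
    $store->setNickname("Example\nrows=not-a-number"); // constructed input
    $loaded = PrefStore::decode($store->encode());
    printf("filter=%s rows=%s\n", $filter ? 'on' : 'off', $loaded['rows']);
}
```

With filtering off, the reloaded `rows` value is the string smuggled in through `nickname`, which never passed the integer clamp; with filtering on, it stays at the validated value.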