From: Brad Jorsch
Date: Fri, 14 Feb 2014 21:48:53 +0000 (-0500)
Subject: SECURITY: API: Don't find links in the middle of api.php links
X-Git-Tag: 1.31.0-rc.0~16799^2
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/operations/?a=commitdiff_plain;h=55cd620157d884af855459f1f7903b0427c992ce;p=lhc%2Fweb%2Fwiklou.git
SECURITY: API: Don't find links in the middle of api.php links
Bug: 61362
Change-Id: Idf985e4e69c2f11778a8a90503914678441cb3fb
---
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 63a55024b3..49a02feff7 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -271,12 +271,22 @@ See the complete documentation,
 // encode all comments or tags as safe blue strings
 $text = str_replace( '<', '<', $text );
 $text = str_replace( '>', '>', $text );
+
 // identify requests to api.php
- $text = preg_replace( "#api\\.php\\?[^ <\n\t]+#", '\\0', $text );
+ $text = preg_replace( '#^(\s*)(api\.php\?[^ <\n\t]+)$#m', '\1\2', $text );
 if ( $this->mHelp ) {
 // make strings inside * bold
 $text = preg_replace( "#\\*[^<>\n]+\\*#", '\\0', $text );
 }
+
+ // Armor links (bug 61362)
+ $masked = array();
+ $text = preg_replace_callback( '##', function ( $matches ) use ( &$masked ) {
+ $sha = sha1( $matches[0] );
+ $masked[$sha] = $matches[0];
+ return "<$sha>";
+ }, $text );
+
 // identify URLs
 $protos = wfUrlProtocolsWithoutProtRel();
 // This regex hacks around bug 13218 (" included in the URL)
@@ -286,6 +296,12 @@ See the complete documentation,
 $text
 );
+ // Unarmor links
+ $text = preg_replace_callback( '#<([0-9a-f]{40})>#', function ( $matches ) use ( &$masked ) {
+ $sha = $matches[1];
+ return isset( $masked[$sha] ) ? $masked[$sha] : $matches[0];
+ }, $text );
+
 /**
 * Temporary fix for bad links in help messages. As a special case,
 * XML-escaped metachars are de-escaped one level in the help message
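Review bot: The armor pattern on the `preg_replace_callback` line reads as `'##'`, an empty regex, which would match at every offset and splice a `<sha1>` placeholder between every character of `$text`; the anchor-tag pattern was most likely stripped when this page was rendered (the neighbouring `str_replace( '<', '<', … )` and the `'\1\2'` replacement show the same loss), so verify the committed pattern against the source rather than this rendering. The comment `// Armor links (bug 61362)` states the bug but not the mechanism; suggest `// Swap each anchor generated above for an opaque <sha1> token so the URL pass below cannot find a second link inside its href; the token is restored after that pass.` Keying `$masked` by `sha1( $matches[0] )` also means two identical anchors share one entry, which is fine since both tokens restore to the same text, but worth a word. The enclosing function starts before and continues after this hunk.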
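Review bot: The unarmor step restores the anchors immediately before the "Temporary fix for bad links in help messages" block that follows it, so whatever link handling that block does (its body is outside the hunk) runs on text where the generated anchors are visible again; if it produces or rewrites links, it sits outside the armor window and could match inside a restored href, the same class of problem this commit fixes. Either keep the unarmor as the last link-producing step or record the invariant with a comment such as `// Must stay after every pass that generates links: anything scanning for links after this point sees the restored anchors.` The `isset( $masked[$sha] ) ? $masked[$sha] : $matches[0]` fallback is the right choice, since a `<40 hex>` sequence that was in the text on its own is left untouched rather than dropped, and a one-line comment saying so would spare the next reader the check. The enclosing function continues past the end of the hunk.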