From: Brad Jorsch Date: Tue, 19 Dec 2017 14:56:16 +0000 (-0500) Subject: ApiBlock: Improve username validation X-Git-Tag: 1.31.0-rc.0~1142^2 X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/membres/fiche.php?a=commitdiff_plain;h=162af2aba0a60c29a5a1262208f1a9a22740c299;p=lhc%2Fweb%2Fwiklou.git ApiBlock: Improve username validation The current username validation lets any invalid username through, on the assumption that it's an IP address. We can do better: call the backend to get the actual type and target, and reject anything with TYPE_USER where the actual input name is invalid (regardless of underlying mangling for stuff like T31797). Bug: T183211 Change-Id: I676642eee1222447df22a1c32b24f55e6273bcec
---
diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 4d37af3162..366a6df98f 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -67,12 +67,12 @@ class ApiBlock extends ApiBase {
 $params['user'] = $username;
 }
 } else {
- $target = User::newFromName( $params['user'] );
+ list( $target, $type ) = SpecialBlock::getTargetAndType( $params['user'] );
 // T40633 - if the target is a user (not an IP address), but it
 // doesn't exist or is unusable, error.
- if ( $target instanceof User &&
- ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $target->getName() ) )
+ if ( $type === Block::TYPE_USER &&
+ ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $params['user'] ) )
 ) {
 $this->dieWithError( [ 'nosuchusershort', $params['user'] ], 'nosuchuser' );
 }
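Review bot: The new guard only fires when `$type === Block::TYPE_USER`, so input that `SpecialBlock::getTargetAndType()` cannot classify at all still passes this block unchecked, which is the same fail-open shape the commit message describes for the old code. If that method can return a null type (it appears to for unparseable targets, but its body is not on this page), either reject that case here or say where it is rejected, for example `// A null $type (unrecognised target) is not rejected here; the block backend must refuse it.` The usability check also now runs on the raw `$params['user']` instead of the canonical `$target->getName()`, so it depends on the parameter having been normalised before this point; a one-line comment stating that assumption would help. The enclosing method starts and ends outside the hunk, so a later check may already cover the unclassified case.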