From: Roan Kattouw Date: Thu, 24 Jan 2008 13:12:03 +0000 (+0000) Subject: No need to revert r30078: HTML-formatting the data is enough. Attacks like api.php... X-Git-Tag: 1.31.0-rc.0~49800 X-Git-Url: http://git.cyclocoop.org/%28?a=commitdiff_plain;h=d2cb8c025e0191a49fd68524c10b40c78a11ed6c;p=lhc%2Fweb%2Fwiklou.git No need to revert r30078: HTML-formatting the data is enough. Attacks like api.php?action=paraminfo&modules=%3Cscript%3Ealert('Owned');%3C/script%3E&format=txt don't work anymore now. --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index d17735ecba..8ea891ce27 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -465,6 +465,7 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API * Added apfilterlanglinks parameter to list=allpages, replacing query.php?what=nolanglinks * (bug 12718) Added action=paraminfo module that provides information about API modules and their parameters * Added iiurlwidth and iiurlheight parameters to prop=imageinfo +* Added format=txt and format=dbg, imported from query.php * Added uiprop=editcount to meta=userinfo === Languages updated in 1.12 === diff --git a/includes/AutoLoader.php b/includes/AutoLoader.php index 8509c618e2..e3d3b9ef38 100644 --- a/includes/AutoLoader.php +++ b/includes/AutoLoader.php @@ -320,6 +320,8 @@ function __autoload($className) { 'ApiFormatPhp' => 'includes/api/ApiFormatPhp.php', 'ApiFormatWddx' => 'includes/api/ApiFormatWddx.php', 'ApiFormatXml' => 'includes/api/ApiFormatXml.php', + 'ApiFormatTxt' => 'includes/api/ApiFormatTxt.php', + 'ApiFormatDbg' => 'includes/api/ApiFormatDbg.php', 'Spyc' => 'includes/api/ApiFormatYaml_spyc.php', 'ApiFormatYaml' => 'includes/api/ApiFormatYaml.php', 'ApiHelp' => 'includes/api/ApiHelp.php', diff --git a/includes/api/ApiFormatDbg.php b/includes/api/ApiFormatDbg.php new file mode 100644 index 0000000000..98e94c6532 --- /dev/null +++ b/includes/api/ApiFormatDbg.php 
@@ -0,0 +1,56 @@ +.@home.nl + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * http://www.gnu.org/copyleft/gpl.html + */ + +if (!defined('MEDIAWIKI')) { + // Eclipse helper - will be ignored in production + require_once ('ApiFormatBase.php'); +} + +/** + * @addtogroup API + */ +class ApiFormatDbg extends ApiFormatBase { + + public function __construct($main, $format) { + parent :: __construct($main, $format); + } + + public function getMimeType() { + return 'text/html'; + } + + public function execute() { + $this->printText($this->formatHTML(var_export($this->getResultData(), true))); + } + + protected function getDescription() { + return 'Output data in PHP\'s var_export() format' . parent :: getDescription(); + } + + public function getVersion() { + return __CLASS__ . ': $Id: ApiFormatPhp.php 23531 2007-06-29 01:19:14Z simetrical $'; + } +} + diff --git a/includes/api/ApiFormatTxt.php b/includes/api/ApiFormatTxt.php new file mode 100644 index 0000000000..819ae88a2c --- /dev/null +++ b/includes/api/ApiFormatTxt.php 
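Review bot: In `ApiFormatDbg::execute()` the whole defense against markup in the dump rests on `formatHTML()` from ApiFormatBase, which is outside this hunk, while `getMimeType()` advertises `text/html`, so the browser will interpret whatever that helper leaves unescaped in the `var_export()` output of request-derived result data (the commit message's own paraminfo example). Since the helper is not visible here, the dependency should be stated at the call site, e.g. `// result data can echo request parameters; formatHTML() must HTML-escape the entire dump because the MIME type is text/html`, and backed by a regression test that sends a module name containing markup through action=paraminfo and asserts the response carries it entity-encoded; the same applies to `ApiFormatTxt::execute()` in the next hunk. Separately, `getVersion()` returns an `$Id` line copied from ApiFormatPhp.php (wrong filename and revision); a bare `$Id$` keyword lets the VCS fill in this file's own values, and ApiFormatTxt has the identical copy. The opening lines of this hunk (`+.@home.nl`) are garbled in this view, so the file's author/header block could not be reviewed.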
@@ -0,0 +1,56 @@ +.@home.nl + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * http://www.gnu.org/copyleft/gpl.html + */ + +if (!defined('MEDIAWIKI')) { + // Eclipse helper - will be ignored in production + require_once ('ApiFormatBase.php'); +} + +/** + * @addtogroup API + */ +class ApiFormatTxt extends ApiFormatBase { + + public function __construct($main, $format) { + parent :: __construct($main, $format); + } + + public function getMimeType() { + return 'text/html'; + } + + public function execute() { + $this->printText($this->formatHTML(print_r($this->getResultData(), true))); + } + + protected function getDescription() { + return 'Output data in PHP\'s print_r() format' . parent :: getDescription(); + } + + public function getVersion() { + return __CLASS__ . ': $Id: ApiFormatPhp.php 23531 2007-06-29 01:19:14Z simetrical $'; + } +} + diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index ce69502ca3..e60cf25c45 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php 
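Review bot: `getDescription()` promises "Output data in PHP's print_r() format", but `getMimeType()` returns `text/html` and `execute()` runs the dump through `formatHTML()`, so a client that requests format=txt expecting parseable print_r text presumably receives an HTML rendering with entity-encoded characters instead. The description should say so, e.g. `'Output data in PHP\'s print_r() format, rendered as HTML for viewing in a browser' . parent :: getDescription()`, so nobody scripts against this format as if it were plain text. As a point of style, the constructor only forwards `$main` and `$format` unchanged to the parent and can be omitted, since PHP uses the inherited constructor when the subclass declares none.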
@@ -89,7 +89,9 @@ class ApiMain extends ApiBase { 'xmlfm' => 'ApiFormatXml', 'yaml' => 'ApiFormatYaml', 'yamlfm' => 'ApiFormatYaml', - 'rawfm' => 'ApiFormatJson' + 'rawfm' => 'ApiFormatJson', + 'txt' => 'ApiFormatTxt', + 'dbg' => 'ApiFormatDbg' ); private $mPrinter, $mModules, $mModuleNames, $mFormats, $mFormatNames;
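Review bot: The new `'txt'` and `'dbg'` entries register printers that emit `text/html`, yet every other HTML-rendering format visible in this table carries the `fm` suffix (`xmlfm`, `yamlfm`, `rawfm`), so the naming no longer tells a reader which formats are browser-rendered; if the base class derives its HTML mode from that suffix (not visible here), these two printers fall outside it, which would explain the explicit `formatHTML()` calls in their `execute()` methods. A short comment on the two lines, such as `// txt/dbg are browser-oriented HTML renderings of print_r/var_export output; they escape in their own execute()`, would record that exception next to the table. The enclosing `$mFormats` array starts before this hunk.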