From 23cd890fc909dc344c3ff48d4eeb0d30e64c5b69 Mon Sep 17 00:00:00 2001
From: Aaron Schulz <aschulz@wikimedia.org>
Date: Thu, 31 Aug 2017 14:35:17 -0700
Subject: [PATCH] Sanity check "stashedtexthash" param before checking
 memcached

The makeKey() method should do escaping and shortening, but it
is safest and clearer to not rely on that.

Change-Id: Ia4a95e0bb12074d141ddcca2089b920403cab100
---
 includes/api/ApiStashEdit.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/includes/api/ApiStashEdit.php b/includes/api/ApiStashEdit.php
index d03fca87a0..8a9de064fd 100644
--- a/includes/api/ApiStashEdit.php
+++ b/includes/api/ApiStashEdit.php
@@ -74,6 +74,9 @@ class ApiStashEdit extends ApiBase {
 		if ( strlen( $params['stashedtexthash'] ) ) {
 			// Load from cache since the client indicates the text is the same as last stash
 			$textHash = $params['stashedtexthash'];
+			if ( !preg_match( '/^[0-9a-f]{40}$/', $textHash ) ) {
+				$this->dieWithError( 'apierror-stashedit-missingtext', 'missingtext' );
+			}
 			$textKey = $cache->makeKey( 'stashedit', 'text', $textHash );
 			$text = $cache->get( $textKey );
 			if ( !is_string( $text ) ) {
-- 
2.20.1