From f21fdea9e5d519b75826806f859bd2cba2f76e18 Mon Sep 17 00:00:00 2001
From: Tim Starling <tstarling@users.mediawiki.org>
Date: Tue, 27 Jul 2010 02:39:32 +0000
Subject: [PATCH] * Rewrote r69952, profileinfo.php XSS fix. It was probably
 safe, but it seemed very confused about the order of escaping operations. The
 whole MediaWiki framework is available, including wfArrayToCGI(), there's no
 need for unconventional code. * Renamed makeurl() to something more
 descriptive and less likely to conflict with extensions.

---
 profileinfo.php | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/profileinfo.php b/profileinfo.php
index 9ef91a4411..3ee5880c59 100644
--- a/profileinfo.php
+++ b/profileinfo.php
@@ -103,7 +103,7 @@ class profile_point {
 		else	$ex = false;
 		if ( !$ex ) {
 			if ( count( $this->children ) ) {
-				$url = makeurl( false, false, $expand + array( $this->name() => true ) );
+				$url = getEscapedProfileUrl( false, false, $expand + array( $this->name() => true ) );
 				$extet = " <a href=\"$url\">[+]</a>";
 			} else $extet = '';
 		} else {
@@ -112,7 +112,7 @@ class profile_point {
 				if ( $name != $this->name() )
 					$e += array( $name => $ep );
 
-			$extet = " <a href=\"" . makeurl( false, false, $e ) . "\">[–]</a>";
+			$extet = " <a href=\"" . getEscapedProfileUrl( false, false, $e ) . "\">[–]</a>";
 		}
 		?>
 		<tr>
@@ -231,31 +231,35 @@ else
 
 <table cellspacing="0" border="1">
 <tr id="top">
-<th><a href="<?php echo makeurl( false, 'name' ) ?>">Name</a></th>
-<th><a href="<?php echo makeurl( false, 'time' ) ?>">Time (%)</a></th>
-<th><a href="<?php echo makeurl( false, 'memory' ) ?>">Memory (%)</a></th>
-<th><a href="<?php echo makeurl( false, 'count' ) ?>">Count</a></th>
-<th><a href="<?php echo makeurl( false, 'calls_per_req' ) ?>">Calls/req</a></th>
-<th><a href="<?php echo makeurl( false, 'time_per_call' ) ?>">ms/call</a></th>
-<th><a href="<?php echo makeurl( false, 'memory_per_call' ) ?>">kb/call</a></th>
-<th><a href="<?php echo makeurl( false, 'time_per_req' ) ?>">ms/req</a></th>
-<th><a href="<?php echo makeurl( false, 'memory_per_req' ) ?>">kb/req</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'name' ) ?>">Name</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'time' ) ?>">Time (%)</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'memory' ) ?>">Memory (%)</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'count' ) ?>">Count</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'calls_per_req' ) ?>">Calls/req</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'time_per_call' ) ?>">ms/call</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'memory_per_call' ) ?>">kb/call</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'time_per_req' ) ?>">ms/req</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'memory_per_req' ) ?>">kb/req</a></th>
 </tr>
 <?php
 $totaltime = 0.0;
 $totalcount = 0;
 $totalmemory = 0.0;
 
-function makeurl( $_filter = false, $_sort = false, $_expand = false ) {
+function getEscapedProfileUrl( $_filter = false, $_sort = false, $_expand = false ) {
 	global $filter, $sort, $expand;
 
 	if ( $_expand === false )
 		$_expand = $expand;
 
-	$nfilter = $_filter ? htmlspecialchars( $_filter ) : htmlspecialchars( $filter );
-	$nsort = $_sort ? htmlspecialchars( $_sort ) : htmlspecialchars( $sort );
-	$exp = urlencode( implode( ',', array_keys( $_expand ) ) );
-	return "?filter=$nfilter&amp;sort=$nsort&amp;expand=$exp";
+	return htmlspecialchars(
+		'?' . 
+		wfArrayToCGI( array(
+			'filter' => $_filter ? $_filter : $filter,
+			'sort' => $_sort ? $_sort : $sort,
+			'expand' => implode( ',', array_keys( $_expand ) ) 
+		) )
+	);
 }
 
 $points = array();
-- 
2.20.1