From 162af2aba0a60c29a5a1262208f1a9a22740c299 Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Tue, 19 Dec 2017 09:56:16 -0500 Subject: [PATCH] ApiBlock: Improve username validation The current username validation lets any invalid username through, on the assumption that it's an IP address. We can do better: call the backend to get the actual type and target, and reject anything with TYPE_USER where the actual input name is invalid (regardless of underlying mangling for stuff like T31797). Bug: T183211 Change-Id: I676642eee1222447df22a1c32b24f55e6273bcec --- includes/api/ApiBlock.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php index 4d37af3162..366a6df98f 100644 --- a/includes/api/ApiBlock.php +++ b/includes/api/ApiBlock.php @@ -67,12 +67,12 @@ class ApiBlock extends ApiBase { $params['user'] = $username; } } else { - $target = User::newFromName( $params['user'] ); + list( $target, $type ) = SpecialBlock::getTargetAndType( $params['user'] ); // T40633 - if the target is a user (not an IP address), but it // doesn't exist or is unusable, error. - if ( $target instanceof User && - ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $target->getName() ) ) + if ( $type === Block::TYPE_USER && + ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $params['user'] ) ) ) { $this->dieWithError( [ 'nosuchusershort', $params['user'] ], 'nosuchuser' ); } -- 2.20.1