From: Gergő Tisza Date: Sat, 16 Apr 2016 17:45:39 +0000 (+0000) Subject: Reject usernames with # as user-type API parameters X-Git-Tag: 1.31.0-rc.0~7263^2 X-Git-Url: http://git.cyclocoop.org/data/Luca_Pacioli_%28Gemaelde%29.jpeg?a=commitdiff_plain;h=db8b70fb31850fdd5e6f67bce5a7cf5f9aaaf4af;p=lhc%2Fweb%2Fwiklou.git Reject usernames with # as user-type API parameters Th API handles parameters of type 'user' as page titles, which resulted in silently dropping # characters and anything following them. Reject such usernames explicitly instead. Bug: T132852 Change-Id: Iba8061b20d5e25de80ff30d09eb53939c97cdaac
---
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 1c20229cca..da64c038af 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1298,7 +1298,7 @@ abstract class ApiBase extends ContextSource {
 */
 private function validateUser( $value, $encParamName ) {
 $title = Title::makeTitleSafe( NS_USER, $value );
- if ( $title === null ) {
+ if ( $title === null || $title->hasFragment() ) {
 $this->dieUsage(
 "Invalid value '$value' for user parameter $encParamName",
 "baduser_{$encParamName}"
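Review bot: The added `$title->hasFragment()` test in `validateUser()` has no comment, and on its own it reads as redundant next to the null check. Per the commit message, title parsing treats `#` as a fragment separator and drops what follows, so a value such as `Foo#bar` would otherwise be accepted as user `Foo`. I would state that above the condition, e.g. `// Title parsing strips "#fragment"; reject rather than silently resolve to a different user name`. The value is still validated as a page title rather than as a user name, so other title-level normalisation presumably still passes unnoticed. That matters wherever the result names the target of a privileged action and is worth confirming against the callers, since the body of `validateUser()` continues past the end of the hunk and the returned value is not visible here.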