From 07f5046ede9de09729e64d5c527de32f9f38e46b Mon Sep 17 00:00:00 2001
From: Petr Pchelko <ppchelko@wikimedia.org>
Date: Fri, 9 Aug 2019 13:53:45 -0700
Subject: [PATCH] ApiFeedContributions: Throw if the username is invalid

Bug: T230239
Change-Id: I4141047c8f1ff73665b79a27a7c5eb995c52ea88
---
 includes/api/ApiFeedContributions.php         | 20 ++++++++++++++++---
 .../includes/api/ApiFeedContributionsTest.php | 19 ++++++++++++++++++
 2 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 tests/phpunit/includes/api/ApiFeedContributionsTest.php

diff --git a/includes/api/ApiFeedContributions.php b/includes/api/ApiFeedContributions.php
index 08be8e029c..28b0a4b714 100644
--- a/includes/api/ApiFeedContributions.php
+++ b/includes/api/ApiFeedContributions.php
@@ -34,6 +34,9 @@ class ApiFeedContributions extends ApiBase {
 	/** @var RevisionStore */
 	private $revisionStore;
 
+	/** @var TitleParser */
+	private $titleParser;
+
 	/**
 	 * This module uses a custom feed wrapper printer.
 	 *
@@ -45,6 +48,7 @@ class ApiFeedContributions extends ApiBase {
 
 	public function execute() {
 		$this->revisionStore = MediaWikiServices::getInstance()->getRevisionStore();
+		$this->titleParser = MediaWikiServices::getInstance()->getTitleParser();
 
 		$params = $this->extractRequestParams();
 
@@ -67,9 +71,19 @@ class ApiFeedContributions extends ApiBase {
 			' [' . $config->get( 'LanguageCode' ) . ']';
 		$feedUrl = SpecialPage::getTitleFor( 'Contributions', $params['user'] )->getFullURL();
 
-		$target = $params['user'] == 'newbies'
-			? 'newbies'
-			: Title::makeTitleSafe( NS_USER, $params['user'] )->getText();
+		$target = 'newbies';
+		if ( $params['user'] != 'newbies' ) {
+			try {
+				$target = $this->titleParser
+					->parseTitle( $params['user'], NS_USER )
+					->getText();
+			} catch ( MalformedTitleException $e ) {
+				$this->dieWithError(
+					[ 'apierror-baduser', 'user', wfEscapeWikiText( $params['user'] ) ],
+					'baduser_' . $this->encodeParamName( 'user' )
+				);
+			}
+		}
 
 		$feed = new $feedClasses[$params['feedformat']] (
 			$feedTitle,
diff --git a/tests/phpunit/includes/api/ApiFeedContributionsTest.php b/tests/phpunit/includes/api/ApiFeedContributionsTest.php
new file mode 100644
index 0000000000..f3ec5658bf
--- /dev/null
+++ b/tests/phpunit/includes/api/ApiFeedContributionsTest.php
@@ -0,0 +1,19 @@
+<?php
+
+/**
+ * @group API
+ * @group medium
+ *
+ * @covers ApiFeedContributions
+ */
+class ApiFeedContributionsTest extends ApiTestCase {
+
+	public function testInvalidExternalUser() {
+		$this->setExpectedException( ApiUsageException::class,
+			'Invalid value ">" for user parameter "user"' );
+		$this->doApiRequest( [
+			'action' => 'feedcontributions',
+			'user' => '>'
+		] );
+	}
+}
-- 
2.20.1