SECURITY: Don't parse usernames as wikitext

author csteipp <csteipp@wikimedia.org>

Mon, 19 May 2014 19:00:57 +0000 (12:00 -0700)

committer mglaser <glaser@hallowelt.biz>

Thu, 29 May 2014 17:03:59 +0000 (19:03 +0200)
author csteipp <csteipp@wikimedia.org>
Mon, 19 May 2014 19:00:57 +0000 (12:00 -0700)
committer mglaser <glaser@hallowelt.biz>
Thu, 29 May 2014 17:03:59 +0000 (19:03 +0200)
diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php

index 14f3ccd..c60b347 100644 (file)
--- a/includes/specials/SpecialPasswordReset.php
+++ b/includes/specials/SpecialPasswordReset.php
@@ -210,7 +210,8 @@ class SpecialPasswordReset extends FormSpecialPage {
                 $firstUser = $users[0];
  
                 if ( !$firstUser instanceof User || !$firstUser->getID() ) {
-                       return array( array( 'nosuchuser', $data['Username'] ) );
+                       // Don't parse username as wikitext (bug 65501)
+                       return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) );
                 }
  
                 // Check against the rate limiter
@@ -237,7 +238,7 @@ class SpecialPasswordReset extends FormSpecialPage {
                 // All the users will have the same email address
                 if ( $firstUser->getEmail() == '' ) {
                         // This won't be reachable from the email route, so safe to expose the username
-                       return array( array( 'noemail', $firstUser->getName() ) );
+                       return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) );
                 }
  
                 // We need to have a valid IP address for the hook, but per bug 18347, we should
author	csteipp <csteipp@wikimedia.org>
	Mon, 19 May 2014 19:00:57 +0000 (12:00 -0700)
committer	mglaser <glaser@hallowelt.biz>
	Thu, 29 May 2014 17:03:59 +0000 (19:03 +0200)