SECURITY: Fix handling of CommentStore and insertSelect

CommentStore->insert() takes the raw comment, not quoted, and returns
fields appropriate for passing as $a to IDatabase->insert() or $values
to ->update(). Such fields need to be passed through
IDatabase->addQuotes() to be appropriate for passing in $varMap to
IDatabase->insertSelect().

Change-Id: Ie64b279ee7cf9c8c396af385e46c826e0597ab1e

diff --git a/includes/filerepo/file/LocalFile.php b/includes/filerepo/file/LocalFile.php
index 4c0dea2..fd0f3f3 100644 (file)
--- a/includes/filerepo/file/LocalFile.php
+++ b/includes/filerepo/file/LocalFile.php
@@ -2307,7 +2307,6 @@ class LocalFileDeleteBatch {
 
                $encTimestamp = $dbw->addQuotes( $dbw->timestamp( $now ) );
                $encUserId = $dbw->addQuotes( $this->user->getId() );
-               $encReason = $dbw->addQuotes( $this->reason );
                $encGroup = $dbw->addQuotes( 'deleted' );
                $ext = $this->file->getExtension();
                $dotExt = $ext === '' ? '' : ".$ext";
@@ -2350,7 +2349,10 @@ class LocalFileDeleteBatch {
                        ];
                        $joins = [];
 
-                       $fields += $commentStoreFaReason->insert( $dbw, $encReason );
+                       $fields += array_map(
+                               [ $dbw, 'addQuotes' ],
+                               $commentStoreFaReason->insert( $dbw, $this->reason )
+                       );
 
                        if ( $wgCommentTableSchemaMigrationStage <= MIGRATION_WRITE_BOTH ) {
                                $fields['fa_description'] = 'img_description';