From d3642413a1c589466a9fc508737ab8c6f70d8439 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Mon, 18 Sep 2017 10:14:02 -0400
Subject: [PATCH] SECURITY: Fix handling of CommentStore and insertSelect

CommentStore->insert() takes the raw comment, not quoted, and returns
fields appropriate for passing as $a to IDatabase->insert() or $values
to ->update(). Such fields need to be passed through
IDatabase->addQuotes() to be appropriate for passing in $varMap to
IDatabase->insertSelect().

Change-Id: Ie64b279ee7cf9c8c396af385e46c826e0597ab1e
---
 includes/filerepo/file/LocalFile.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/includes/filerepo/file/LocalFile.php b/includes/filerepo/file/LocalFile.php
index 4c0dea246e..fd0f3f393c 100644
--- a/includes/filerepo/file/LocalFile.php
+++ b/includes/filerepo/file/LocalFile.php
@@ -2307,7 +2307,6 @@ class LocalFileDeleteBatch {
 
 		$encTimestamp = $dbw->addQuotes( $dbw->timestamp( $now ) );
 		$encUserId = $dbw->addQuotes( $this->user->getId() );
-		$encReason = $dbw->addQuotes( $this->reason );
 		$encGroup = $dbw->addQuotes( 'deleted' );
 		$ext = $this->file->getExtension();
 		$dotExt = $ext === '' ? '' : ".$ext";
@@ -2350,7 +2349,10 @@ class LocalFileDeleteBatch {
 			];
 			$joins = [];
 
-			$fields += $commentStoreFaReason->insert( $dbw, $encReason );
+			$fields += array_map(
+				[ $dbw, 'addQuotes' ],
+				$commentStoreFaReason->insert( $dbw, $this->reason )
+			);
 
 			if ( $wgCommentTableSchemaMigrationStage <= MIGRATION_WRITE_BOTH ) {
 				$fields['fa_description'] = 'img_description';
-- 
2.20.1