Tweaks to r41902 "(bug 14634) Show range blocks for IPs"
authorBrion Vibber <brion@users.mediawiki.org>
Mon, 13 Oct 2008 01:44:22 +0000 (01:44 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Mon, 13 Oct 2008 01:44:22 +0000 (01:44 +0000)
* Remove the "scan range blocks" checkbox -- doing the range check is sane default behavior, and should Just Work. :)
* Paranoia SQL escaping. We may "know" that the strings will never include something escapable, but then again someone might make a mistake one day. By ensuring we escape them, we have one less thing to worry about, and one less thing to double-check every time we look at this code.

Note that a search for a particular range block currently does not turn up larger range blocks that include it, which it probably should.

includes/specials/SpecialIpblocklist.php
languages/messages/MessagesEn.php

index 9e29c23..3e44f68 100644 (file)
@@ -78,7 +78,6 @@ class IPUnblockForm {
                $this->hideuserblocks = $wgRequest->getBool( 'hideuserblocks' );
                $this->hidetempblocks = $wgRequest->getBool( 'hidetempblocks' );
                $this->hideaddressblocks = $wgRequest->getBool( 'hideaddressblocks' );
-               $this->scanRange = $wgRequest->getBool( 'range' );
        }
 
        /**
@@ -247,12 +246,19 @@ class IPUnblockForm {
                        $conds['ipb_id'] = substr( $this->ip, 1 );
                // Single IPs
                } elseif ( IP::isIPAddress($this->ip) && strpos($this->ip,'/') === false ) {
-                       if( $this->scanRange && $iaddr = IP::toHex($this->ip) ) {
+                       if( $iaddr = IP::toHex($this->ip) ) {
                                # Only scan ranges which start in this /16, this improves search speed
                                # Blocks should not cross a /16 boundary.
                                $range = substr( $iaddr, 0, 4 );
-                               $conds[] = "(ipb_address = '" . IP::sanitizeIP($this->ip) . "') OR 
-                                       (ipb_range_start LIKE '$range%' AND ipb_range_start <= '$iaddr' AND ipb_range_end >= '$iaddr')";
+                               // Fixme -- encapsulate this sort of query-building.
+                               $dbr = wfGetDB( DB_SLAVE );
+                               $encIp = $dbr->addQuotes( IP::sanitizeIP($this->ip) );
+                               $encRange = $dbr->addQuotes( "$range%" );
+                               $encAddr = $dbr->addQuotes( $iaddr );
+                               $conds[] = "(ipb_address = $encIp) OR 
+                                       (ipb_range_start LIKE $encRange AND
+                                       ipb_range_start <= $encAddr
+                                       AND ipb_range_end >= $encAddr)";
                        } else {
                                $conds['ipb_address'] = IP::sanitizeIP($this->ip);
                        }
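Review bot: The new `$encRange` operand of the LIKE clause is quoted with `addQuotes()`, which protects the string literal but, as far as I know, does not neutralise the LIKE metacharacters `%` and `_`, so the commit's "paranoia" goal is only partly met for that operand. Today `$range` is four characters cut from `IP::toHex()` output and should contain only hex digits, so this is hardening rather than a live injection. I would pass `$range` through the database wrapper's LIKE-escaping helper (`escapeLike()`, if this tree's Database class provides it) before the `%` is appended, checking first whether that helper already string-escapes so the value is not escaped twice by `addQuotes()`. Failing that, add a comment such as `// $range is hex from IP::toHex(); addQuotes() does not escape LIKE wildcards (% and _)`. The enclosing method starts and ends outside this hunk, so how `$conds` is later joined is not visible here.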
@@ -308,9 +314,8 @@ class IPUnblockForm {
                                Xml::openElement( 'fieldset' ) .
                                Xml::element( 'legend', null, wfMsg( 'ipblocklist-legend' ) ) .
                                Xml::inputLabel( wfMsg( 'ipblocklist-username' ), 'ip', 'ip', /* size */ false, $this->ip ) .
-                               '<br/>' . 
-                               Xml::checkLabel( wfMsg('ipblocklist-scanrange'), 'range', 'range', $this->scanRange ) .
-                               '&nbsp;' . Xml::submitButton( wfMsg( 'ipblocklist-submit' ) ) .
+                               '&nbsp;' .
+                               Xml::submitButton( wfMsg( 'ipblocklist-submit' ) ) .
                                Xml::closeElement( 'fieldset' )
                        );
        }
index 69ce147..e85ca0a 100644 (file)
@@ -2567,7 +2567,6 @@ See [[Special:IPBlockList|IP block list]] to review blocks.',
 'ipblocklist-sh-userblocks'       => '$1 account blocks',
 'ipblocklist-sh-tempblocks'       => '$1 temporary blocks',
 'ipblocklist-sh-addressblocks'    => '$1 single IP blocks',
-'ipblocklist-scanrange'           => 'For IPs, include all blocks that affect the address',
 'ipblocklist-summary'             => '', # do not translate or duplicate this message to other languages
 'ipblocklist-submit'              => 'Search',
 'blocklistline'                   => '$1, $2 blocked $3 ($4)',