From: Tim Starling <tstarling@users.mediawiki.org>
Date: Tue, 27 Jul 2010 02:39:32 +0000 (+0000)
Subject: * Rewrote r69952, profileinfo.php XSS fix. It was probably safe, but it seemed very... 
X-Git-Tag: 1.31.0-rc.0~35898
X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dmembres/%7B%7B%20url_for%28%27vote%27%2C%20idvote=vote.voteid%29%20%7D%7D?a=commitdiff_plain;h=f21fdea9e5d519b75826806f859bd2cba2f76e18;p=lhc%2Fweb%2Fwiklou.git

* Rewrote r69952, profileinfo.php XSS fix. It was probably safe, but it seemed very confused about the order of escaping operations. The whole MediaWiki framework is available, including wfArrayToCGI(), there's no need for unconventional code.
* Renamed makeurl() to something more descriptive and less likely to conflict with extensions.
---

diff --git a/profileinfo.php b/profileinfo.php
index 9ef91a4411..3ee5880c59 100644
--- a/profileinfo.php
+++ b/profileinfo.php
@@ -103,7 +103,7 @@ class profile_point {
 		else	$ex = false;
 		if ( !$ex ) {
 			if ( count( $this->children ) ) {
-				$url = makeurl( false, false, $expand + array( $this->name() => true ) );
+				$url = getEscapedProfileUrl( false, false, $expand + array( $this->name() => true ) );
 				$extet = " <a href=\"$url\">[+]</a>";
 			} else $extet = '';
 		} else {
@@ -112,7 +112,7 @@ class profile_point {
 				if ( $name != $this->name() )
 					$e += array( $name => $ep );
 
-			$extet = " <a href=\"" . makeurl( false, false, $e ) . "\">[–]</a>";
+			$extet = " <a href=\"" . getEscapedProfileUrl( false, false, $e ) . "\">[–]</a>";
 		}
 		?>
 		<tr>
@@ -231,31 +231,35 @@ else
 
 <table cellspacing="0" border="1">
 <tr id="top">
-<th><a href="<?php echo makeurl( false, 'name' ) ?>">Name</a></th>
-<th><a href="<?php echo makeurl( false, 'time' ) ?>">Time (%)</a></th>
-<th><a href="<?php echo makeurl( false, 'memory' ) ?>">Memory (%)</a></th>
-<th><a href="<?php echo makeurl( false, 'count' ) ?>">Count</a></th>
-<th><a href="<?php echo makeurl( false, 'calls_per_req' ) ?>">Calls/req</a></th>
-<th><a href="<?php echo makeurl( false, 'time_per_call' ) ?>">ms/call</a></th>
-<th><a href="<?php echo makeurl( false, 'memory_per_call' ) ?>">kb/call</a></th>
-<th><a href="<?php echo makeurl( false, 'time_per_req' ) ?>">ms/req</a></th>
-<th><a href="<?php echo makeurl( false, 'memory_per_req' ) ?>">kb/req</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'name' ) ?>">Name</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'time' ) ?>">Time (%)</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'memory' ) ?>">Memory (%)</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'count' ) ?>">Count</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'calls_per_req' ) ?>">Calls/req</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'time_per_call' ) ?>">ms/call</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'memory_per_call' ) ?>">kb/call</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'time_per_req' ) ?>">ms/req</a></th>
+<th><a href="<?php echo getEscapedProfileUrl( false, 'memory_per_req' ) ?>">kb/req</a></th>
 </tr>
 <?php
 $totaltime = 0.0;
 $totalcount = 0;
 $totalmemory = 0.0;
 
-function makeurl( $_filter = false, $_sort = false, $_expand = false ) {
+function getEscapedProfileUrl( $_filter = false, $_sort = false, $_expand = false ) {
 	global $filter, $sort, $expand;
 
 	if ( $_expand === false )
 		$_expand = $expand;
 
-	$nfilter = $_filter ? htmlspecialchars( $_filter ) : htmlspecialchars( $filter );
-	$nsort = $_sort ? htmlspecialchars( $_sort ) : htmlspecialchars( $sort );
-	$exp = urlencode( implode( ',', array_keys( $_expand ) ) );
-	return "?filter=$nfilter&amp;sort=$nsort&amp;expand=$exp";
+	return htmlspecialchars(
+		'?' . 
+		wfArrayToCGI( array(
+			'filter' => $_filter ? $_filter : $filter,
+			'sort' => $_sort ? $_sort : $sort,
+			'expand' => implode( ',', array_keys( $_expand ) ) 
+		) )
+	);
 }
 
 $points = array();