From: Brian Wolff Date: Thu, 18 Apr 2013 19:02:29 +0000 (-0300) Subject: Only allow fields from isFieldSortable to be sorted on. X-Git-Tag: 1.31.0-rc.0~19941 X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dmembres/cotisations/rappels.php?a=commitdiff_plain;h=59624e535edc6a3690e67ba341812cf8b34c6e88;p=lhc%2Fweb%2Fwiklou.git Only allow fields from isFieldSortable to be sorted on. Prevents people from doing stupid things like: https://commons.wikimedia.org/w/index.php?title=Special%3AListFiles&limit=50&user=bawolff&sort=img_description&asc=&desc=1 Which don't have indexes. Change-Id: I7aeb89032e89283dd7dfe5d7bf12872203ca5520
---
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 5c6de79c12..86cdf21b64 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -41,6 +41,7 @@ production.
 is now non-significant and not preserved in the HTML output.
 * (bug 47218) Special:BlockList now handles correctly user names with spaces when passed as subpage.
+* Pager's properly validate which fields are allowed to be sorted on.
 === API changes in 1.22 ===
 * (bug 46626) xmldoublequote parameter was removed. Because of a bug, the
diff --git a/includes/Pager.php b/includes/Pager.php
index 56b5d489dd..8058c090c9 100644
--- a/includes/Pager.php
+++ b/includes/Pager.php
@@ -904,7 +904,9 @@ abstract class TablePager extends IndexPager {
 }
 $this->mSort = $this->getRequest()->getText( 'sort' );
- if ( !array_key_exists( $this->mSort, $this->getFieldNames() ) ) {
+ if ( !array_key_exists( $this->mSort, $this->getFieldNames() )
+ || !$this->isFieldSortable( $this->mSort )
+ ) {
 $this->mSort = $this->getDefaultSort();
 }
 if ( $this->getRequest()->getBool( 'asc' ) ) {
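Review bot: The tightened guard on `sort` in the TablePager hunk has no comment saying why `isFieldSortable()` is consulted, and the reason given in the commit message is a resource-exhaustion one: a request-supplied field name without an index makes the query expensive. I would add above the `if`: `// 'sort' comes from the request; accept it only if it is a known field the subclass marks sortable (indexed), else fall back to the default sort.` The check is only as strict as each subclass's `isFieldSortable()`, which is not visible here, so any subclass that returns true unconditionally would still accept unindexed columns, and that is worth auditing alongside this change. The enclosing method starts and ends outside the hunk.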