Merge "SECURITY: Don't parse usernames as wikitext"

author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>

Thu, 29 May 2014 17:33:43 +0000 (17:33 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Thu, 29 May 2014 17:33:43 +0000 (17:33 +0000)
author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Thu, 29 May 2014 17:33:43 +0000 (17:33 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Thu, 29 May 2014 17:33:43 +0000 (17:33 +0000)
diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php

index 14f3ccd..c60b347 100644 (file)
--- a/includes/specials/SpecialPasswordReset.php
+++ b/includes/specials/SpecialPasswordReset.php
@@ -210,7 +210,8 @@ class SpecialPasswordReset extends FormSpecialPage {
                 $firstUser = $users[0];
  
                 if ( !$firstUser instanceof User || !$firstUser->getID() ) {
-                       return array( array( 'nosuchuser', $data['Username'] ) );
+                       // Don't parse username as wikitext (bug 65501)
+                       return array( array( 'nosuchuser', wfEscapeWikiText( $data['Username'] ) ) );
                 }
  
                 // Check against the rate limiter
@@ -237,7 +238,7 @@ class SpecialPasswordReset extends FormSpecialPage {
                 // All the users will have the same email address
                 if ( $firstUser->getEmail() == '' ) {
                         // This won't be reachable from the email route, so safe to expose the username
-                       return array( array( 'noemail', $firstUser->getName() ) );
+                       return array( array( 'noemail', wfEscapeWikiText( $firstUser->getName() ) ) );
                 }
  
                 // We need to have a valid IP address for the hook, but per bug 18347, we should
author	jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
	Thu, 29 May 2014 17:33:43 +0000 (17:33 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Thu, 29 May 2014 17:33:43 +0000 (17:33 +0000)