From 6e81d60086a6b431c363843f91376b2bb0fb1322 Mon Sep 17 00:00:00 2001 From: Platonides Date: Mon, 29 Nov 2010 16:34:28 +0000 Subject: [PATCH] Fix potential html injection when the database server isn't available (bug 26164). MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Wikis which set $wgServer in their LocalSettings or are in a virtual host would never be vulnerable. For sites which show the wiki in the default host, it will depend on how forgiving is their webserver and php stack for that garbled input, although some kind of foolable proxy —moreover wrongly caching errors (or the default output buffering is disabled and something incorrectly sent a previous text)— would also need to be present in order to make that useful for a potential attacker. --- RELEASE-NOTES | 1 + includes/Exception.php | 6 ++++-- includes/db/Database.php | 13 ++++++++----- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 83bbf7bf89..084cad188d 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -441,6 +441,7 @@ LocalSettings.php. The specific bugs are listed below in the general notes. * (bug 25451) Improved datetime representation in 32 bit php >= 5.2. * Show "skin does not exist error" only when the skin is inputted in the wrong case. +* (bug 26164) Potential html injection when the database server isn't available === API changes in 1.17 === * (bug 22738) Allow filtering by action type on query=logevent. diff --git a/includes/Exception.php b/includes/Exception.php index ac336bf5a3..ff5d4b196f 100644 --- a/includes/Exception.php +++ b/includes/Exception.php @@ -236,13 +236,15 @@ class MWException extends Exception { header( 'Pragma: nocache' ); } - $title = $this->getPageTitle(); + $logo = htmlspecialchars( $wgLogo, ENT_QUOTES ); + $title = htmlspecialchars( $this->getPageTitle() ); + return " $title -

$title

+

$title

"; } diff --git a/includes/db/Database.php b/includes/db/Database.php index 26d4d2b7d0..174b8f2d6b 100644 --- a/includes/db/Database.php +++ b/includes/db/Database.php @@ -2805,7 +2805,7 @@ class DBConnectionError extends DBError { } function searchForm() { - global $wgSitename, $wgServer, $wgLang, $wgInputEncoding; + global $wgSitename, $wgServer, $wgLang; $usegoogle = "You can try searching via Google in the meantime."; $outofdate = "Note that their indexes of our content may be out of date."; @@ -2819,20 +2819,23 @@ class DBConnectionError extends DBError { $search = htmlspecialchars( @$_REQUEST['search'] ); + $server = htmlspecialchars( $wgServer ); + $sitename = htmlspecialchars( $wgSitename ); + $trygoogle = <<$usegoogle
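Review bot: In includes/Exception.php the new `$title = htmlspecialchars( $this->getPageTitle() );` relies on the default flags while `$logo` on the line above passes `ENT_QUOTES`; before PHP 8.1 the default leaves single quotes unescaped, and the same applies to `$server` and `$sitename` in the second Database.php hunk. That is enough only where the value lands in element text or a double-quoted attribute, and the surrounding markup is not readable on this page, so it should be checked against the files. Passing the flag everywhere, e.g. `$title = htmlspecialchars( $this->getPageTitle(), ENT_QUOTES );`, removes the dependency on quoting style. It is also worth confirming that `getPageTitle()` does not already return escaped text, which would now be double-escaped. The enclosing method starts above the hunk.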
$outofdate
- + - - + +
- +
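Review bot: The new `$server` and `$sitename` lines in searchForm() carry no comment saying why configuration globals are escaped, and without one the calls look redundant and are easy to drop in a later cleanup. Going by the commit message, `$wgServer` is only trustworthy when it is set in LocalSettings or the wiki sits in a virtual host, so I would add above them `# $wgServer may be built from the request when LocalSettings does not set it (bug 26164); escape before output`. The function body continues past the end of the hunk.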
-- 2.20.1