From 5d7fe3069e7c890d09ef46483fe475f543ce12d3 Mon Sep 17 00:00:00 2001 From: John Du Hart Date: Wed, 31 Aug 2011 23:15:16 +0000 Subject: [PATCH] (bug 4381) Magic quotes cleaning is not comprehensive, key strings not unescaped --- RELEASE-NOTES-1.19 | 2 ++ includes/WebRequest.php | 11 ++++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19 index 2a26284a7d..872738b065 100644 --- a/RELEASE-NOTES-1.19 +++ b/RELEASE-NOTES-1.19 @@ -74,6 +74,8 @@ production. * (bug 28649) Avoiding half truncated multi-byte unicode characters when truncating log comments. * Show --batch-size option in help of maintenance scripts that support it +* (bug 4381) Magic quotes cleaning is not comprehensive, key strings not + unescaped === API changes in 1.19 === * (bug 19838) siprop=interwikimap can now use the interwiki cache. diff --git a/includes/WebRequest.php b/includes/WebRequest.php index 449de7a594..98b5eb6a05 100644 --- a/includes/WebRequest.php +++ b/includes/WebRequest.php @@ -239,16 +239,21 @@ class WebRequest { * used for undoing the evil that is magic_quotes_gpc. * * @param $arr array: will be modified + * @param $recursion bool Used to modify behaviour based on recursion * @return array the original array */ - private function &fix_magic_quotes( &$arr ) { + private function &fix_magic_quotes( &$arr, $recursion = false ) { + $clean = array(); foreach( $arr as $key => $val ) { if( is_array( $val ) ) { - $this->fix_magic_quotes( $arr[$key] ); + $cleanKey = !$recursion ? stripslashes( $key ) : $key; + $clean[$cleanKey] = $this->fix_magic_quotes( $arr[$key], true ); } else { - $arr[$key] = stripslashes( $val ); + $cleanKey = stripslashes( $key ); + $clean[$cleanKey] = stripslashes( $val ); } } + $arr = $clean; return $arr; } -- 2.20.1