From 13769342a1a8006b09d73a1c803fd85402f8004e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Mon, 17 Aug 2015 23:08:00 +0000
Subject: [PATCH] Validate status codes returned from the AbortLogin hook

In case of a return value which is not in LoginForm::$statusCodes, this results in a nicer error message instead of an array access error.

Bug: T109193
Change-Id: I64c955327c7dfc64807fa83d30538f3da66618bc
---
 includes/specials/SpecialUserlogin.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index de69b9d021..8facb35c41 100644
--- includes/specials/SpecialUserlogin.php
+++ includes/specials/SpecialUserlogin.php
@@ -783,8 +783,10 @@ class LoginForm extends SpecialPage {
 // Give general extensions, such as a captcha, a chance to abort logins
 $abort = self::ABORTED;
 if ( !Hooks::run( 'AbortLogin', array( $u, $this->mPassword, &$abort, &$msg ) ) ) {
+ if ( !in_array( $abort, self::$statusCodes, true ) ) {
+ throw new Exception( 'Invalid status code returned from AbortLogin hook: ' . $abort );
+ }
 $this->mAbortLoginErrorMsg = $msg;
-
 return $abort;
 }

-- 
2.20.1
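Review bot: The added guard `in_array( $abort, self::$statusCodes, true )` searches the array's values, while the description's "array access error" suggests the status codes are the keys of `LoginForm::$statusCodes` (its definition is not in this hunk). If so, every legitimate abort code set by a hook handler such as a captcha would fail the check and throw instead of being returned; the test would then need to be a key lookup, for example `if ( !is_scalar( $abort ) || !isset( self::$statusCodes[$abort] ) ) {`. Separately, the exception message concatenates `$abort` immediately after it has been found invalid, so an array or object set by a misbehaving handler triggers a second conversion error while the message is built; `var_export( $abort, true )` or `gettype( $abort )` would keep the diagnostic reliable. The enclosing method starts and ends outside the hunk.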