If you request LogEventList to display the combination of 2 log types, and one of
[lhc/web/wiklou.git] / includes / Wiki.php
index 6032170..4984b5f 100644 (file)
@@ -133,7 +133,7 @@ class MediaWiki {
         * @return void
         */
        private function performRequest() {
-               global $wgServer, $wgUsePathInfo;
+               global $wgServer, $wgUsePathInfo, $wgTitle;
 
                wfProfileIn( __METHOD__ );
 
@@ -146,8 +146,8 @@ class MediaWiki {
                        $output->setPrintable();
                }
 
-               wfRunHooks( 'BeforeInitialize',
-                       array( &$title, null, &$output, &$user, $request, $this ) );
+               $unused = null; // To pass it by reference
+               wfRunHooks( 'BeforeInitialize', array( &$title, &$unused, &$output, &$user, $request, $this ) );
 
                // Invalid titles. Bug 21776: The interwikis must redirect even if the page name is empty.
                if ( is_null( $title ) || ( $title->getDBkey() == '' && $title->getInterwiki() == '' ) ||
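Review bot: The comment `// To pass it by reference` on the new `$unused` line explains the mechanism but not why the slot exists. Something like `// Placeholder for a hook argument that is no longer supplied; it must be a variable because the slot is passed by reference` would tell the next reader that `$unused` cannot simply be dropped from the argument list. Anything a handler writes into `&$unused` is discarded after the call, which is worth stating in the same comment. performRequest() starts and ends outside the hunk.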
@@ -163,6 +163,20 @@ class MediaWiki {
                // We will check again in Article::view().
                $permErrors = $title->getUserPermissionsErrors( 'read', $user );
                if ( count( $permErrors ) ) {
+                       // Bug 32276: allowing the skin to generate output with $wgTitle or
+                       // $this->context->title set to the input title would allow anonymous users to
+                       // determine whether a page exists, potentially leaking private data. In fact, the
+                       // curid and oldid request  parameters would allow page titles to be enumerated even
+                       // when they are not guessable. So we reset the title to Special:Badtitle before the
+                       // permissions error is displayed.
+                       //
+                       // The skin mostly uses $this->context->getTitle() these days, but some extensions
+                       // still use $wgTitle.
+
+                       $badTitle = SpecialPage::getTitleFor( 'Badtitle' );
+                       $this->context->setTitle( $badTitle );
+                       $wgTitle = $badTitle;
+
                        wfProfileOut( __METHOD__ );
                        throw new PermissionsError( 'read', $permErrors );
                }
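Review bot: The reset to Special:Badtitle covers only this read check, while the context comment just above it says the check is repeated in Article::view(). That second path is not in the hunk, so confirm that a PermissionsError raised there cannot render the skin with the requested title still set, and record it in the comment, e.g. `// Article::view() repeats the read check; it must not expose the requested title either.` `$permErrors` is still computed from the original `$title` and handed to `PermissionsError`, so if those messages can differ between existing and missing pages the same existence signal would survive. A regression test comparing the anonymous responses for an existing title, a missing title and a `curid` request would pin this down. performRequest() starts and ends outside the hunk.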
@@ -275,6 +289,7 @@ class MediaWiki {
         * @return Article object
         */
        public static function articleFromTitle( $title, IContextSource $context ) {
+               wfDeprecated( __METHOD__, '1.18' );
                return Article::newFromTitle( $title, $context );
        }
 
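Review bot: The docblock above articleFromTitle() shows only `@return Article object` in this hunk, so the deprecation may be announced at run time through `wfDeprecated()` only. If the tag is not already there, add `@deprecated since 1.18, use Article::newFromTitle()` so callers and documentation tools see it without triggering the call. The docblock starts outside the hunk, so the tag may already be present.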
@@ -450,7 +465,7 @@ class MediaWiki {
         * @param $article Article
         */
        private function performAction( Page $article ) {
-               global $wgSquidMaxage, $wgUseExternalEditor;
+               global $wgSquidMaxage;
 
                wfProfileIn( __METHOD__ );
 
@@ -568,7 +583,6 @@ class MediaWiki {
                # Set title from request parameters
                $wgTitle = $this->getTitle();
                $action = $this->getAction();
-               $user = $this->context->getUser();
 
                # Send Ajax requests to the Ajax dispatcher.
                if ( $wgUseAjax && $action == 'ajax' ) {
@@ -578,11 +592,11 @@ class MediaWiki {
                        return;
                }
 
-               if ( $wgUseFileCache && $wgTitle->getNamespace() >= 0 ) {
+               if ( $wgUseFileCache && $this->getTitle()->getNamespace() >= 0 ) {
                        wfProfileIn( 'main-try-filecache' );
                        if ( HTMLFileCache::useFileCache( $this->context ) ) {
                                /* Try low-level file cache hit */
-                               $cache = HTMLFileCache::newFromTitle( $wgTitle, $action );
+                               $cache = HTMLFileCache::newFromTitle( $this->getTitle(), $action );
                                if ( $cache->isCacheGood( /* Assume up to date */ ) ) {
                                        /* Check incoming headers to see if client has this cached */
                                        $timestamp = $cache->cacheTimestamp();
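Review bot: `$this->getTitle()` is now evaluated at each use, twice in this hunk and again in the next one at `WikiPage::factory( $this->getTitle() )`, while `$wgTitle = $this->getTitle();` is still assigned a few lines above. A single local, `$title = $this->getTitle();`, used in all three places would guarantee that the namespace test, the cache lookup and the view update all act on the same object. Whether getTitle() caches its result is not visible here, so the repeated calls may also cost more than they appear to. The enclosing method starts and ends outside the hunk.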
@@ -590,8 +604,8 @@ class MediaWiki {
                                                $cache->loadFromFileCache( $this->context );
                                        }
                                        # Do any stats increment/watchlist stuff
-                                       $article = WikiPage::factory( $wgTitle );
-                                       $article->doViewUpdates( $user );
+                                       $page = WikiPage::factory( $this->getTitle() );
+                                       $page->doViewUpdates( $this->context->getUser() );
                                        # Tell OutputPage that output is taken care of
                                        $this->context->getOutput()->disable();
                                        wfProfileOut( 'main-try-filecache' );
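Review bot: Nothing visible on this file-cache path checks read permission before `loadFromFileCache()` serves the page and `doViewUpdates()` runs for the requested title. The only gate shown is `HTMLFileCache::useFileCache( $this->context )`, whose conditions are outside this diff. Given that the same commit hides the title on a failed read check in performRequest(), it is worth confirming that useFileCache() refuses when read access is restricted, and saying so here, e.g. `// useFileCache() must return false whenever the read permission is restricted`. The enclosing method starts and ends outside the hunk.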