X-Git-Url: https://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2Fapi%2FApiQueryCategoryMembers.php;h=a6fc223d4c86fc3f8bef9835632cc60a2f4e87bd;hb=2086cd118020f6388d7b6952ac2d9e2b55e6ef1f;hp=5b4a7667440a4d97213285c5de5bc70277b67d52;hpb=ad225f501c095a154bf015978e0c3263f0f1fa3f;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/api/ApiQueryCategoryMembers.php b/includes/api/ApiQueryCategoryMembers.php
index 5b4a766744..a6fc223d4c 100644
--- a/includes/api/ApiQueryCategoryMembers.php
+++ b/includes/api/ApiQueryCategoryMembers.php
@@ -47,6 +47,15 @@ class ApiQueryCategoryMembers extends ApiQueryGeneratorBase {
 		$this->run( $resultPageSet );
 	}
 
+	/**
+	 * @param string $hexSortkey
+	 * @return bool
+	 */
+	private function validateHexSortkey( $hexSortkey ) {
+		// A hex sortkey has an unbound number of 2 letter pairs
+		return preg_match( '/^(?:[a-fA-F0-9]{2})*$/', $hexSortkey );
+	}
+
 	/**
 	 * @param ApiPageSet $resultPageSet
 	 * @return void
@@ -128,6 +137,7 @@ class ApiQueryCategoryMembers extends ApiQueryGeneratorBase {
 			$queryTypes = array_slice( $queryTypes, $contTypeIndex );
 
 			// Add a WHERE clause for sortkey and from
+			$this->dieContinueUsageIf( !$this->validateHexSortkey( $cont[1] ) );
 			// pack( "H*", $foo ) is used to convert hex back to binary
 			$escSortkey = $this->getDB()->addQuotes( pack( 'H*', $cont[1] ) );
 			$from = intval( $cont[2] );
@@ -143,6 +153,9 @@ class ApiQueryCategoryMembers extends ApiQueryGeneratorBase {
 		if ( $params['startsortkeyprefix'] !== null ) {
 			$startsortkey = Collation::singleton()->getSortkey( $params['startsortkeyprefix'] );
 		} elseif ( $params['starthexsortkey'] !== null ) {
+			if ( !$this->validateHexSortkey( $params['starthexsortkey'] ) ) {
+				$this->dieUsage( 'The starthexsortkey provided is not valid', 'bad_starthexsortkey' );
+			}
 			$startsortkey = pack( 'H*', $params['starthexsortkey'] );
 		} else {
 			$this->logFeatureUsage( 'list=categorymembers&cmstartsortkey' );
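Review bot: The pattern in validateHexSortkey, `'/^(?:[a-fA-F0-9]{2})*$/'`, still accepts a value that ends in a single "\n", because a plain `$` also matches just before a trailing newline; such a value passes the new check and then reaches `pack( 'H*', ... )` in the continuation hunk (@@ -128) and the starthexsortkey hunk (@@ -143), as well as the endhexsortkey hunk further down, with a non-hex byte — the case the helper was added to reject. Anchor at the true end of the subject with `\z` (or the `D` modifier), and since preg_match returns int|false rather than the bool the docblock promises, cast the result: `return (bool)preg_match( '/^(?:[a-fA-F0-9]{2})*\z/', $hexSortkey );`. The `$cont[1]` check in the continuation hunk sits inside a body whose start and end lie outside the hunk, so whether `$cont[1]` is guaranteed to be set there cannot be confirmed from this diff.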
@@ -151,6 +164,9 @@ class ApiQueryCategoryMembers extends ApiQueryGeneratorBase {
 		if ( $params['endsortkeyprefix'] !== null ) {
 			$endsortkey = Collation::singleton()->getSortkey( $params['endsortkeyprefix'] );
 		} elseif ( $params['endhexsortkey'] !== null ) {
+			if ( !$this->validateHexSortkey( $params['endhexsortkey'] ) ) {
+				$this->dieUsage( 'The endhexsortkey provided is not valid', 'bad_endhexsortkey' );
+			}
 			$endsortkey = pack( 'H*', $params['endhexsortkey'] );
 		} else {
 			$this->logFeatureUsage( 'list=categorymembers&cmendsortkey' );
@@ -363,7 +379,7 @@ class ApiQueryCategoryMembers extends ApiQueryGeneratorBase {
 		return $ret;
 	}
 
-	public function getExamplesMessages() {
+	protected function getExamplesMessages() {
 		return array(
 			'action=query&list=categorymembers&cmtitle=Category:Physics' => 'apihelp-query+categorymembers-example-simple',