From 81f62b9ff836ac97844c847d24bc8607f6dbc034 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Sat, 19 Jul 2008 07:50:14 +0000
Subject: [PATCH] Security fix for API blocks query -- ipb_anon field wasn't
 being loaded when querying for usernames but not flags, but this field is
 needed to tell whether a given row is an autoblock and needs the IP
 suppressed.

---
 includes/api/ApiQueryBlocks.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiQueryBlocks.php b/includes/api/ApiQueryBlocks.php
index f634565fc6..f509d938ec 100644
--- a/includes/api/ApiQueryBlocks.php
+++ b/includes/api/ApiQueryBlocks.php
@@ -72,6 +72,8 @@ class ApiQueryBlocks extends ApiQueryBase {
 			$this->addFields('ipb_id');
 		if($fld_user)
 			$this->addFields(array('ipb_address', 'ipb_user'));
+		if($fld_user || $fld_flags)
+			$this->addFields('ipb_auto');
 		if($fld_by)
 		{
 			$this->addTables('user');
@@ -87,7 +89,7 @@ class ApiQueryBlocks extends ApiQueryBase {
 		if($fld_range)
 			$this->addFields(array('ipb_range_start', 'ipb_range_end'));
 		if($fld_flags)
-			$this->addFields(array('ipb_auto', 'ipb_anon_only', 'ipb_create_account', 'ipb_enable_autoblock', 'ipb_block_email', 'ipb_deleted'));
+			$this->addFields(array('ipb_anon_only', 'ipb_create_account', 'ipb_enable_autoblock', 'ipb_block_email', 'ipb_deleted'));
 
 		$this->addOption('LIMIT', $params['limit'] + 1);
 		$this->addWhereRange('ipb_timestamp', $params['dir'], $params['start'], $params['end']);
-- 
2.20.1