On Tue, Dec 20, 2011 at 9:51 PM, Robin Pepermans robinp.1273@gmail.com wrote:
Thank you. I thought $language and $project wouldn't need escaping because their values are known: $project can only be one of wikipedia, wikisource, ... and $language only one of http://noc.wikimedia.org/conf/langlist
That's usually true in practice, but only because such URLs are the only ones that DNS to our IP. That's probably easy to circumvent. You're right that this isn't nearly as easy to exploit as I thought it was, but I think it's not impossible, so better safe than sorry.
I tried to address URLs like /w/index.php?title= in r106857 but I'm not sure it is the correct way. It's difficult to test. If no /wiki/Page or $_GET['title'] defined, it will default to the Main Page.
That logic looks good to me. Your change seems to have broken it again, though, see https://www.mediawiki.org/wiki/Special:Code/MediaWiki/106857#c28196 .
Roan