On Tue, Dec 20, 2011 at 9:51 PM, Robin Pepermans <robinp.1273(a)gmail.com> wrote:
> Thank you.
> I thought $language and $project wouldn't need escaping because their
> values are known: $project can only be one of wikipedia, wikisource, ...
> and $language only one of
> http://noc.wikimedia.org/conf/langlist

That's usually true in practice, but only because such URLs are the
only ones that DNS to our IP. That's probably easy to circumvent.
You're right that this isn't nearly as easy to exploit as I thought it
was, but I think it's not impossible, so better safe than sorry.

> I tried to address URLs like /w/index.php?title= in r106857 but I'm not
> sure it is the correct way. It's difficult to test.
> If no /wiki/Page or $_GET['title'] is defined, it will default to the Main
> Page.

That logic looks good to me. Your change seems to have broken it
again, though, see
https://www.mediawiki.org/wiki/Special:Code/MediaWiki/106857#c28196 .

Roan
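
The point made in this thread, as an added example that is not part of the original messages and is not the code from r106857: values that are "known" only because of which hostnames resolve to the server are still request-controlled, so they are validated against a list and escaped on output anyway. It assumes $language and $project are derived from the request's host name; the function names, the output wording and the short lists are hypothetical.

```php
<?php
// Added illustration; not MediaWiki code. All names here are hypothetical.

// Constructed allowlists standing in for the real project list and langlist.
const KNOWN_PROJECTS  = ['wikipedia', 'wikisource', 'wiktionary'];
const KNOWN_LANGUAGES = ['en', 'de', 'fr', 'nl'];

/**
 * Split a host such as "nl.wikipedia.org" into language and project.
 * Returns null when the host does not have exactly that shape.
 */
function parseWikiHost(string $host): ?array {
    // The host name is supplied by the client, so its shape is checked strictly.
    if (!preg_match('/^([a-z0-9-]+)\.([a-z]+)\.org$/D', strtolower($host), $m)) {
        return null;
    }
    return ['language' => $m[1], 'project' => $m[2]];
}

/** True only when both parts appear in the allowlists. */
function isKnownWiki(array $parts): bool {
    return in_array($parts['language'], KNOWN_LANGUAGES, true)
        && in_array($parts['project'], KNOWN_PROJECTS, true);
}

/** Build an HTML fragment, escaping both values whether or not they validated. */
function renderNotice(string $language, string $project): string {
    $lang = htmlspecialchars($language, ENT_QUOTES, 'UTF-8');
    $proj = htmlspecialchars($project, ENT_QUOTES, 'UTF-8');
    return "<p>Requested language <b>$lang</b>, project <b>$proj</b>.</p>";
}

// Constructed sample hosts: one known, one unknown language, one carrying markup.
$samples = ['nl.wikipedia.org', 'xx.wikipedia.org', '"><script>x</script>.wikipedia.org'];
foreach ($samples as $host) {
    $parts = parseWikiHost($host);
    if ($parts === null) {
        // Malformed host: it is only ever echoed back in escaped form.
        echo renderNotice($host, 'unknown'), "\n";
    } elseif (!isKnownWiki($parts)) {
        echo renderNotice($parts['language'], $parts['project']), "\n";
    } else {
        echo "known wiki: {$parts['language']}.{$parts['project']}\n";
    }
}
```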