summaryrefslogtreecommitdiff
path: root/includes/Wiki.php
diff options
context:
space:
mode:
authorPierre Schmitz <pierre@archlinux.de>2011-12-03 09:20:55 +0100
committerPierre Schmitz <pierre@archlinux.de>2011-12-03 09:20:55 +0100
commita22fbfc60f36f5f7ee10d5ae6fe347340c2ee67c (patch)
tree31882fdc36540fecfd62e5011fc38515e504a3db /includes/Wiki.php
parent6ca0c5e0a943b64b4e3d0a11a80c5679f7252e64 (diff)
Update to MediaWiki 1.17.1
Diffstat (limited to 'includes/Wiki.php')
-rw-r--r--includes/Wiki.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/includes/Wiki.php b/includes/Wiki.php
index b2cb1eb0..4c3af0f7 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -149,10 +149,21 @@ class MediaWiki {
* @return boolean true if successful
*/
function preliminaryChecks( &$title, &$output ) {
+ global $wgTitle;
// If the user is not logged in, the Namespace:title of the article must be in
// the Read array in order for the user to see it. (We have to check here to
// catch special pages etc. We check again in Article::view())
if( !is_null( $title ) && !$title->userCanRead() ) {
+ // Bug 32276: allowing the skin to generate output with $wgTitle
+ // set to the input title would allow anonymous users to
+ // determine whether a page exists, potentially leaking private data. In fact, the
+ // curid and oldid request parameters would allow page titles to be enumerated even
+ // when they are not guessable. So we reset the title to Special:Badtitle before the
+ // permissions error is displayed.
+ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
+ $output->setTitle( $badtitle );
+ $wgTitle = $badtitle;
+
$output->loginToUse();
$this->finalCleanup( $output );
$output->disable();