path: root/includes/libs/MultiHttpClient.php
authorPierre Schmitz <pierre@archlinux.de>2015-12-18 06:00:00 +0100
committerPierre Schmitz <pierre@archlinux.de>2015-12-18 06:00:00 +0100
commit15e69f7b20b6596b9148030acce5b59993b95a45 (patch)
tree7b828b8920b0e222dc2a2c97dde933c9c4864fab /includes/libs/MultiHttpClient.php
parent9e06a62f265e3a2aaabecc598d4bc617e06fa32d (diff)
Update to MediaWiki 1.25.4
Diffstat (limited to 'includes/libs/MultiHttpClient.php')
-rw-r--r--includes/libs/MultiHttpClient.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/includes/libs/MultiHttpClient.php b/includes/libs/MultiHttpClient.php
index fb2daa69..000d73b5 100644
--- a/includes/libs/MultiHttpClient.php
+++ b/includes/libs/MultiHttpClient.php
@@ -318,6 +318,19 @@ class MultiHttpClient {
);
} elseif ( $req['method'] === 'POST' ) {
curl_setopt( $ch, CURLOPT_POST, 1 );
+ // Don't interpret POST parameters starting with '@' as file uploads, because this
+ // makes it impossible to POST plain values starting with '@' (and causes security
+ // issues potentially exposing the contents of local files).
+ // The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
+ // but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
+ if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
+ curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
+ } else if ( is_array( $req['body'] ) ) {
+ // In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
+ // is an array, but not if it's a string. So convert $req['body'] to a string
+ // for safety.
+ $req['body'] = wfArrayToCgi( $req['body'] );
+ }
curl_setopt( $ch, CURLOPT_POSTFIELDS, $req['body'] );
} else {
if ( is_resource( $req['body'] ) || $req['body'] !== '' ) {
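Review bot: The fallback branch at `} else if ( is_array( $req['body'] ) ) {` silently changes the wire encoding of the request, not only its '@' handling: cURL sends an array body as multipart/form-data but a string body as application/x-www-form-urlencoded, so on builds without CURLOPT_SAFE_UPLOAD a caller that relied on multipart (or that set an explicit Content-Type header for it) will presumably see a different request on the server side; worth stating in the comment, e.g. `// Note: this also switches the request from multipart/form-data to application/x-www-form-urlencoded.` Second, `wfArrayToCgi()` is a MediaWiki global helper, while this class lives under includes/libs/, which otherwise reads as standalone; a local `http_build_query( $req['body'] )` equivalent, if its output is acceptable here, would keep the library free of that dependency, and if nested-array semantics differ that should be checked before swapping. Minor style: MediaWiki code elsewhere in this file uses `elseif` (see the line above the hunk), so `} else if (` should match. The enclosing method starts and ends outside the hunk.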