Update to MediaWiki 1.26.1

1 files changed, 13 insertions, 0 deletions

diff --git a/includes/libs/MultiHttpClient.php b/includes/libs/MultiHttpClient.php
index 6af3ed51..5555cbcb 100644
--- a/includes/libs/MultiHttpClient.php
+++ b/includes/libs/MultiHttpClient.php
@@ -335,6 +335,19 @@ class MultiHttpClient {
 			);
 		} elseif ( $req['method'] === 'POST' ) {
 			curl_setopt( $ch, CURLOPT_POST, 1 );
+			// Don't interpret POST parameters starting with '@' as file uploads, because this
+			// makes it impossible to POST plain values starting with '@' (and causes security
+			// issues potentially exposing the contents of local files).
+			// The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
+			// but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
+			if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
+				curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
+			} else if ( is_array( $req['body'] ) ) {
+				// In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
+				// is an array, but not if it's a string. So convert $req['body'] to a string
+				// for safety.
+				$req['body'] = wfArrayToCgi( $req['body'] );
+			}
 			curl_setopt( $ch, CURLOPT_POSTFIELDS, $req['body'] );
 		} else {
 			if ( is_resource( $req['body'] ) || $req['body'] !== '' ) {