Merge pull request #27 from Wikia/REL1_39-security-UGC-6024

UGC-6024 | Security patches - Cargo (cherry-picks)

includes/CargoFieldDescription.php

@@ -362,6 +362,11 @@ public function prepareAndValidateValue( $fieldValue ) {
 		return $valueArray;
 	}
 
+	public function prettyPrintAllowedValues() {
+		$escapedAllowedValues = array_map( 'htmlspecialchars', $this->mAllowedValues );
+		return implode( ' · ', $escapedAllowedValues );
+	}
+
 	public function prettyPrintType() {
 		$typeDesc = Html::element( 'tt', null, $this->mType );
 		if ( $this->mIsList ) {

includes/specials/CargoPageValues.php

@@ -76,7 +76,7 @@ public function execute( $subpage = null ) {
 			$tableLink = $this->getTableLink( $tableName );
 
 			$tableSectionHeader = $this->msg( 'cargo-pagevalues-tablevalues' )->rawParams( $tableLink )->escaped();
-			$tableSectionTocDisplay = $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->text();
+			$tableSectionTocDisplay = $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->escaped();
 			$tableSectionAnchor = $this->msg( 'cargo-pagevalues-tablevalues', $tableName )->escaped();
 			$tableSectionAnchor = Sanitizer::escapeIdForAttribute( $tableSectionAnchor );
 
@@ -153,7 +153,7 @@ private function getInfoForAllFields( $tableName ) {
 		foreach ( $fieldDescriptions as $fieldName => $fieldDescription ) {
 			$fieldInfo[$fieldName]['field type'] = $fieldDescription->prettyPrintType();
 			if ( is_array( $fieldDescription->mAllowedValues ) ) {
-				$fieldInfo[$fieldName]['allowed values'] = implode( ' · ', $fieldDescription->mAllowedValues );
+				$fieldInfo[$fieldName]['allowed values'] = $fieldDescription->prettyPrintAllowedValues();
 			} else {
 				$fieldInfo[$fieldName]['allowed values'] = '';
 			}

includes/specials/SpecialDeleteCargoTable.php

@@ -55,6 +55,7 @@ public function execute( $subpage = false ) {
 
 		$out = $this->getOutput();
 		$req = $this->getRequest();
+		$csrfTokenSet = $this->getContext()->getCsrfTokenSet();
 
 		$out->enableOOUI();
 
@@ -87,7 +88,7 @@ public function execute( $subpage = false ) {
 		$fieldTables = unserialize( $row['field_tables'] );
 		$fieldHelperTables = unserialize( $row['field_helper_tables'] );
 
-		if ( $this->getRequest()->getCheck( 'delete' ) ) {
+		if ( $req->wasPosted() && $req->getCheck( 'delete' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
 			self::deleteTable( $tableName, $fieldTables, $fieldHelperTables );
 			$text = Html::rawElement( 'p', null, $this->msg( 'cargo-deletetable-success', $tableName )->escaped() ) . "\n";
 			$tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),

includes/specials/SpecialSwitchCargoTable.php

@@ -86,6 +86,9 @@ public function execute( $subpage = false ) {
 		$this->checkPermissions();
 
 		$out = $this->getOutput();
+		$req = $this->getRequest();
+		$csrfTokenSet = $this->getContext()->getCsrfTokenSet();
+
 		$tableName = $subpage;
 		$out->enableOOUI();
 
@@ -116,7 +119,7 @@ public function execute( $subpage = false ) {
 		$fieldTables = unserialize( $row['field_tables'] );
 		$fieldHelperTables = unserialize( $row['field_helper_tables'] );
 
-		if ( $this->getRequest()->getCheck( 'switch' ) ) {
+		if ( $req->wasPosted() && $req->getCheck( 'switch' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
 			self::switchInTableReplacement( $tableName, $fieldTables, $fieldHelperTables, $this->getUser() );
 			$text = Html::element( 'p', null, $this->msg( 'cargo-switchtables-success', $tableName )->parse() ) . "\n";
 			$tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),