Fix for b50a5a0 for Special:Drilldown
Change-Id: Ia6e4c73353f8c0f9046d2940d6b6d9d4de3dffd2
yaronkoren authored and mszabo-wikia committed Feb 3, 2024
1 parent 916ba8d commit f8fa23d
Showing 2 changed files with 9 additions and 5 deletions.
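--- a/drilldown/CargoDrilldownPage.php
+++ b/drilldown/CargoDrilldownPage.php
@@ -1871,7 +1871,7 @@ public function getQueryInfo() {
 $offsetStr = $this->offset;
 $this->sqlQuery =
 CargoSQLQuery::newFromValues( $tablesStr, $fieldsStr, $whereStr, $joinOnStr,
-$groupByStr, $havingStr, $orderByStr, $limitStr, $offsetStr );
+$groupByStr, $havingStr, $orderByStr, $limitStr, $offsetStr, true );
 
 // @HACK - the result set may contain both pages and files that
 // match the search term. So how do we know, for each result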
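Review bot: The bare `true` added as the tenth argument to `CargoSQLQuery::newFromValues` gives no hint that it switches off the backtick check in query validation for this call. A short comment at the call would make that visible, for example `// Drilldown quotes field names with backticks itself, so let them through validation`; whether that describes how `$fieldsStr` is built cannot be seen from this hunk, so the wording needs confirming. It is also worth confirming that none of the strings passed here can carry filter values from the request unescaped, because with the flag set validation no longer rejects a backtick in any of them. `getQueryInfo` starts before and continues after the hunk.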
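--- a/includes/CargoSQLQuery.php
+++ b/includes/CargoSQLQuery.php
@@ -44,7 +44,7 @@ public function __construct() {
 * object can be created without any values.
 */
 public static function newFromValues( $tablesStr, $fieldsStr, $whereStr, $joinOnStr, $groupByStr,
-$havingStr, $orderByStr, $limitStr, $offsetStr ) {
+$havingStr, $orderByStr, $limitStr, $offsetStr, $allowFieldEscaping = false ) {
 global $wgCargoDefaultQueryLimit, $wgCargoMaxQueryLimit;
 
 // "table(s)" is the only mandatory value.
@@ -53,7 +53,7 @@ public static function newFromValues( $tablesStr, $fieldsStr, $whereStr, $joinOn
 }
 
 self::validateValues( $tablesStr, $fieldsStr, $whereStr, $joinOnStr, $groupByStr,
-$havingStr, $orderByStr, $limitStr, $offsetStr );
+$havingStr, $orderByStr, $limitStr, $offsetStr, $allowFieldEscaping );
 
 $sqlQuery = new CargoSQLQuery();
 $sqlQuery->mCargoDB = CargoUtils::getDB();
@@ -106,7 +106,7 @@ public static function newFromValues( $tablesStr, $fieldsStr, $whereStr, $joinOn
 * "fields=" parameter.
 */
 public static function validateValues( $tablesStr, $fieldsStr, $whereStr, $joinOnStr, $groupByStr,
-$havingStr, $orderByStr, $limitStr, $offsetStr ) {
+$havingStr, $orderByStr, $limitStr, $offsetStr, $allowFieldEscaping ) {
 // Remove quoted strings from "where" parameter, to avoid
 // unnecessary false positives from words like "from"
 // being included in string comparisons.
@@ -145,8 +145,12 @@ public static function validateValues( $tablesStr, $fieldsStr, $whereStr, $joinO
 '/\-\-/' => '--',
 '/\/\*/' => '/*',
 '/#/' => '#',
-'/`/' => '`',
 ];
+// Bypass this particular check, for Special:Drilldown and possibly
+// other query locations.
+if ( !$allowFieldEscaping ) {
+$regexps['/`/'] = '`';
+}
 foreach ( $regexps as $regexp => $displayString ) {
 if ( preg_match( $regexp, $tablesStr ) ||
 preg_match( $regexp, $noQuotesFieldsStr ) ||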
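Review bot: In `validateValues`, a true `$allowFieldEscaping` leaves the backtick pattern out of `$regexps` entirely, so despite its name the check is skipped for every string the loop tests (`$tablesStr` and `$noQuotesFieldsStr` are visible, and the condition continues past the end of the hunk), not only for field names. If the aim is just to let Special:Drilldown pass backtick-quoted field names, a narrower bypass would be safer: keep the pattern and skip it only for the fields string, or accept backticks only where they enclose a plain identifier. The doc comments above `newFromValues` and `validateValues` should state what the flag turns off and that it is meant only for callers that build the query strings themselves, e.g. `@param bool $allowFieldEscaping Skip the backtick check; only for internally built queries`. Also, `validateValues` is public static and the new parameter has no default, so any caller not shown here that still passes nine arguments would fail; `$allowFieldEscaping = false`, as in `newFromValues`, keeps it compatible.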
