Page MenuHomePhabricator
Create Task
Maniphest T25024

Special:ListFiles doesn't escape filenames
Closed, ResolvedPublic
Actions

Description

patch for includes/specials/SpecialListfiles.php

If the wiki includes an uploaded file whose name includes, say, '&', the output of Special:ListFiles fails to parse when output as XHTML. This is because it outputs the filename without passing through htmlspecialchars.

Version: 1.16.x
Severity: normal

Attached:

listfiles.patch691 BDownload

Details

Reference
bz23024

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:06 PM
bzimport added a project: MediaWiki-Special-pages.
bzimport set Reference to bz23024.
bzimport added a subscriber: Unknown Object (MLST).
Worden.lee created this task.Apr 1 2010, 9:34 PM
Bawolff added a comment.Apr 2 2010, 1:21 AM

Added keywords patch, needs-review

IAlex added a comment.Apr 2 2010, 7:09 AM

Fixed in r64516.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL