From 6f95c290c055473b044e1bdfea77d5b162e11893 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?=
Date: Thu, 14 Jul 2022 01:52:27 +0200
Subject: HTMLUserTextField: Fix validation When 'exists' was false (the default), other validation was skipped. Change the default 'iprangelimits' to allow any range, to avoid issues with code that relied on the previous broken behavior.
Bug: T177329
Bug: T311948
Change-Id: I55cad7a5395da70105e20ce33e3a8e3834a4f4ad
---
 includes/htmlform/fields/HTMLUserTextField.php | 55 +++++++++++++++-----------
 1 file changed, 31 insertions(+), 24 deletions(-) (limited to 'includes/htmlform')
diff --git a/includes/htmlform/fields/HTMLUserTextField.php b/includes/htmlform/fields/HTMLUserTextField.php
index 378d05173abc..7520c0ef1c39 100644
--- a/includes/htmlform/fields/HTMLUserTextField.php
+++ b/includes/htmlform/fields/HTMLUserTextField.php
@@ -12,7 +12,6 @@ use Wikimedia\IPUtils;
 * 'ipallowed' - Whether an IP address is interpreted as "valid"
 * 'iprange' - Whether an IP address range is interpreted as "valid"
 * 'iprangelimits' - Specifies the valid IP ranges for IPv4 and IPv6 in an array.
- * defaults to IPv4 => 16; IPv6 => 32.
 *
 * @stable to extend
 * @since 1.26
@@ -28,8 +27,8 @@ class HTMLUserTextField extends HTMLTextField {
 'ipallowed' => false,
 'iprange' => false,
 'iprangelimits' => [
- 'IPv4' => '16',
- 'IPv6' => '32',
+ 'IPv4' => 0,
+ 'IPv6' => 0,
 ],
 ] );
 
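Review bot: The new defaults `'IPv4' => 0` and `'IPv6' => 0` in the second hunk make the range limit opt-in, and the first hunk removes the only line that documented a default. Judging by the `$range < $cidrIPRanges[...]` checks further down the patch, a field that enables `iprange` without passing its own `iprangelimits` now accepts every prefix length down to /0. The commit message says this is deliberate for compatibility, so the gap is discoverability: I would keep a line on the parameter such as ` *    Defaults to 0 for both, i.e. no minimum prefix length; callers that act on the range must pass their own limits.` The constructor body continues outside the hunk.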
@@ -48,24 +47,32 @@ class HTMLUserTextField extends HTMLTextField {
 return parent::validate( $value, $alldata );
 }
 
- // check, if a user exists with the given username
- $user = User::newFromName( $value, false );
- $rangeError = null;
-
- if ( !$user ) {
- return $this->msg( 'htmlform-user-not-valid', $value );
- } elseif (
- // check, if the user exists, if requested
- ( $this->mParams['exists'] && !$user->isRegistered() ) &&
- // check, if the username is a valid IP address, otherwise save the error message
- !( $this->mParams['ipallowed'] && IPUtils::isValid( $value ) ) &&
- // check, if the username is a valid IP range, otherwise save the error message
- !( $this->mParams['iprange'] && ( $rangeError = $this->isValidIPRange( $value ) ) === true )
- ) {
- if ( is_string( $rangeError ) ) {
- return $rangeError;
+ // check if the input is a valid username
+ $user = User::newFromName( $value );
+ if ( $user ) {
+ // check if the user exists, if requested
+ if ( $this->mParams['exists'] && !$user->isRegistered() ) {
+ return $this->msg( 'htmlform-user-not-exists', $user->getName() );
+ }
+ } else {
+ // not a valid username
+ $valid = false;
+ // check if the input is a valid IP address
+ if ( $this->mParams['ipallowed'] && IPUtils::isValid( $value ) ) {
+ $valid = true;
+ }
+ // check if the input is a valid IP range
+ if ( $this->mParams['iprange'] ) {
+ $rangeError = $this->isValidIPRange( $value );
+ if ( $rangeError === true ) {
+ $valid = true;
+ } elseif ( $rangeError !== false ) {
+ return $rangeError;
+ }
+ }
+ if ( !$valid ) {
+ return $this->msg( 'htmlform-user-not-valid', $value );
 }
- return $this->msg( 'htmlform-user-not-exists', $user->getName() );
 }
 
 return parent::validate( $value, $alldata );
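Review bot: The form input `$value` goes into `htmlform-user-not-valid` unescaped in the new `if ( !$valid )` branch, and if HTMLForm renders validation messages as wikitext, markup typed into the field would be interpreted in the error output. Escaping the parameter keeps the error text literal: `return $this->msg( 'htmlform-user-not-valid', wfEscapeWikiText( $value ) );`. The same probably applies to `$user->getName()` in the `htmlform-user-not-exists` return a few lines up. The removed code passed `$value` the same way, so this is not a regression of this commit. `validate()` begins and ends outside the hunk.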
@@ -85,7 +92,7 @@ class HTMLUserTextField extends HTMLTextField {
 ( IPUtils::isIPv6( $ip ) && $cidrIPRanges['IPv6'] == 128 )
 ) {
 // Range block effectively disabled
- return $this->msg( 'ip_range_toolow' )->parse();
+ return $this->msg( 'ip_range_toolow' );
 }
 
 if (
@@ -93,15 +100,15 @@ class HTMLUserTextField extends HTMLTextField {
 ( IPUtils::isIPv6( $ip ) && $range > 128 )
 ) {
 // Dodgy range
- return $this->msg( 'ip_range_invalid' )->parse();
+ return $this->msg( 'ip_range_invalid' );
 }
 
 if ( IPUtils::isIPv4( $ip ) && $range < $cidrIPRanges['IPv4'] ) {
- return $this->msg( 'ip_range_exceeded', $cidrIPRanges['IPv4'] )->parse();
+ return $this->msg( 'ip_range_exceeded', $cidrIPRanges['IPv4'] );
 }
 
 if ( IPUtils::isIPv6( $ip ) && $range < $cidrIPRanges['IPv6'] ) {
- return $this->msg( 'ip_range_exceeded', $cidrIPRanges['IPv6'] )->parse();
+ return $this->msg( 'ip_range_exceeded', $cidrIPRanges['IPv6'] );
 }
 
 return true;
-- 
cgit v1.2.3
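Review bot: The `@return` documentation of `isValidIPRange()`, which lies outside these hunks, probably still promises a string, but the return changed here and the three in the next hunk now hand back the message object instead of the `->parse()` result. The class is marked `@stable to extend` in the first hunk, so a subclass or caller that treats the failure value as a string would see a different type. I would update the annotation to something like `@return bool|Message` and mention the change in the release notes. The new `validate()` only tests `$rangeError !== false`, so an override that still returns a string keeps working there.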