From a06be89c8a36788f9be79dd89ee4582bde53cee8 Mon Sep 17 00:00:00 2001
From: DannyS712
Date: Fri, 30 Oct 2020 16:32:08 -0400
Subject: [PATCH] SECURITY: Set a dummy title for Action buttons on Special:Log

If no title is set, the fallback is to use the main page, as defined by MediaWiki:Mainpage On wikis where the main page can be translated, MediaWiki:Mainpage is sometimes set to use Special:MyLanguage to redirect to the appropriate version. This is interpreted as a special page, and ACtion::getActionName forces the action to be 'view' if the title cannot be used as a WikiPage, which includes all pages in NS_SPECIAL. Set a dummy title to avoid this. The title provided is unused by the SpecialPageAction class and does not matter.

Bug: T205908
Change-Id: I0f0d2e592df96c9bad9001baede900f716433cfa
---
 includes/specials/SpecialLog.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/includes/specials/SpecialLog.php b/includes/specials/SpecialLog.php
index b1cd601dc1b..983bd5c1e80 100644
--- a/includes/specials/SpecialLog.php
+++ b/includes/specials/SpecialLog.php
@@ -276,6 +276,18 @@ class SpecialLog extends SpecialPage {
 $s .= Html::hidden( 'action', 'historysubmit' ) . "\n";
 $s .= Html::hidden( 'type', 'logging' ) . "\n";
 
+ // If no title is set, the fallback is to use the main page, as defined
+ // by MediaWiki:Mainpage
+ // On wikis where the main page can be translated, MediaWiki:Mainpage
+ // is sometimes set to use Special:MyLanguage to redirect to the
+ // appropriate version. This is interpreted as a special page, and
+ // Action::getActionName forces the action to be 'view' if the title
+ // cannot be used as a WikiPage, which includes all pages in NS_SPECIAL.
+ // Set a dummy title to avoid this. The title provided is unused
+ // by the SpecialPageAction class and does not matter.
+ // See T205908
+ $s .= Html::hidden( 'title', 'Unused' ) . "\n";
+
 $buttons = '';
 if ( $canRevDelete ) {
 $buttons .= Html::element(
-- 
2.28.0.windows.1
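Review bot: The comment above the added `Html::hidden( 'title', 'Unused' )` says the title "does not matter", but by the comment's own reasoning the value must be a valid title outside NS_SPECIAL, otherwise Action::getActionName would again replace the submitted `historysubmit` action with 'view'. I would state that constraint explicitly, e.g. `// Any valid title outside NS_SPECIAL works here; its value is otherwise ignored.`, so that a later cleanup does not swap the placeholder for a special page name or an empty string. The hunk also adds no regression test; one that renders this form and asserts the hidden `title` field is present would pin the fix. The enclosing method starts and ends outside this hunk, so any existing coverage is not visible from here.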