From b198f44db2e2b3dbdf332053598848da1417aa75 Mon Sep 17 00:00:00 2001
From: Amir Sarabadani
Date: Fri, 22 Nov 2019 11:06:38 +0100
Subject: [PATCH] SECURITY: Change regex delimiter for preg_match

Without this, we are escaping '@' but delimiting with '/' This will make injection attacks by passing '/' to the message

Bug: T237667
Change-Id: I2b3840a95a7c5886a699deaaf459f264de89791b
---
 repo/includes/Parsers/MwTimeIsoParser.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/repo/includes/Parsers/MwTimeIsoParser.php b/repo/includes/Parsers/MwTimeIsoParser.php
index b95b5772b..88157497b 100644
--- a/repo/includes/Parsers/MwTimeIsoParser.php
+++ b/repo/includes/Parsers/MwTimeIsoParser.php
@@ -157,7 +157,7 @@ class MwTimeIsoParser extends StringValueParser {
 $msgRegexp = $this->getRegexpFromMessageText( $msgText );
 if ( preg_match(
- '/^\s*' . $msgRegexp . '\s*$/i',
+ '@^\s*' . $msgRegexp . '\s*$@i',
 $value,
 $matches
 ) ) {
@@ -172,7 +172,7 @@ class MwTimeIsoParser extends StringValueParser {
 // If the msg string ends with BCE also check for BC
 if ( substr_compare( $msgRegexp, 'BCE', -3 ) === 0 ) {
 if ( preg_match(
- '/^\s*' . substr( $msgRegexp, 0, -1 ) . '\s*$/i',
+ '@^\s*' . substr( $msgRegexp, 0, -1 ) . '\s*$@i',
 $value,
 $matches
 ) ) {
--
2.17.1
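Review bot: The `@` delimiter is now hard-coded at both `preg_match` call sites (this hunk and the one at `@@ -172,7`), while the escaping that makes it safe happens in `getRegexpFromMessageText()`, which is outside the diff; per the commit message that helper escapes for `@`, but nothing in the new code keeps the two in step, which is presumably how the original mismatch arose. I would add a comment above each pattern, `// Delimiter must match the one getRegexpFromMessageText() escapes for (T237667)`, or better, take the delimiter from one shared class constant used by both the helper and these calls. The diffstat shows only this file changed, so the patch carries no regression test; a case whose message text contains `/` would pin the fixed behaviour. The enclosing method starts and ends outside both hunks.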