From 6a32107cd6c61a17bd72fcc8815a843e1c030151 Mon Sep 17 00:00:00 2001
From: Timo Tijhof
Date: Tue, 28 Apr 2015 06:51:25 +0100
Subject: [PATCH] thumb.php: Escape $rel404 in error message

Bug: T97391
Change-Id: I363686732fe9e5636c85c267c0728fc872c3e39d
---
 thumb.php | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/thumb.php b/thumb.php
index 2ea3f07..34e27ee 100644
--- a/thumb.php
+++ b/thumb.php
@@ -167,7 +167,7 @@ function wfStreamThumb( array $params ) {
 // Check if the file is hidden
 if ( $img->isDeleted( File::DELETED_FILE ) ) {
- wfThumbError( 404, "The source file '$fileName' does not exist." );
+ wfThumbErrorText( 404, "The source file '$fileName' does not exist." );
 return;
 }
@@ -221,10 +221,10 @@ function wfStreamThumb( array $params ) {
 }
 // If its not a redirect that has a target as a local file, give 404.
- wfThumbError( 404, "The source file '$fileName' does not exist." );
+ wfThumbErrorText( 404, "The source file '$fileName' does not exist." );
 return;
 } elseif ( $img->getPath() === false ) {
- wfThumbError( 500, "The source file '$fileName' is not locally accessible." );
+ wfThumbErrorText( 500, "The source file '$fileName' is not locally accessible." );
 return;
 }
@@ -286,7 +286,7 @@ function wfStreamThumb( array $params ) {
 }
 return;
 } else {
- wfThumbError( 404, "The given path of the specified thumbnail is incorrect;
+ wfThumbErrorText( 404, "The given path of the specified thumbnail is incorrect;
 expected '" . $img->getThumbRel( $thumbName ) . "' but got '" . rawurldecode( $rel404 ) . "'." );
 return;
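Review bot: Escaping is opt-in per call site after this change, so any wfThumbError() caller outside these hunks that builds its message from request-derived text is still emitted unescaped. Only the four calls in wfStreamThumb() (this hunk and the ones at 221 and 286) are switched to wfThumbErrorText(); the diff does not show the remaining callers, so the rest of the file needs checking against the new contract. A short comment on each call that deliberately stays on the raw function would make that audit repeatable, e.g. `// message is already escaped HTML`. wfStreamThumb() starts and ends outside these hunks.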
@@ -544,14 +544,26 @@ function wfExtractThumbParams( $file, $params ) {
 return null;
 }
+
+/**
+ * Output a thumbnail generation error message
+ *
+ * @param int $status
+ * @param string $msg Plain text (will be html escaped)
+ * @return void
+ */
+function wfThumbErrorText( $status, $msgText ) {
+ return wfThumbError( $status, htmlspecialchars( $msgText ) );
+}
+
 /**
 * Output a thumbnail generation error message
 *
 * @param int $status
- * @param string $msg HTML
+ * @param string $msgHtml HTML
 * @return void
 */
-function wfThumbError( $status, $msg ) {
+function wfThumbError( $status, $msgHtml ) {
 global $wgShowHostnames;
 header( 'Cache-Control: no-cache' );
@@ -583,7 +595,7 @@ function wfThumbError( $status, $msg ) {
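Review bot: `htmlspecialchars( $msgText )` in the new wfThumbErrorText() relies on the default flags and charset, which differ between PHP versions and ini settings. One caller passes `rawurldecode( $rel404 )`, which can hold arbitrary bytes; on an invalid UTF-8 sequence htmlspecialchars() returns an empty string unless a substitute flag is set, so the error page would lose its message. Passing the arguments explicitly covers both: `return wfThumbError( $status, htmlspecialchars( $msgText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) );` (ENT_SUBSTITUTE needs PHP 5.4 or later, to be confirmed against the supported minimum). The new docblock also names the parameter `$msg` while the signature uses `$msgText`; it should read `@param string $msgText Plain text (will be html escaped)`.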

Error generating thumbnail

-$msg
+$msgHtml

$debug
-- 
1.8.4.5