From 9347bafd6080a3e87a367b3476498e93fc54b538 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Fri, 3 Oct 2025 21:24:19 +0200
Subject: [PATCH] SECURITY: Escape user input in SQL queries

This fixes two SQL injection vulnerabilities through
Special:ClearPendingReviews.

Bug: T406380
Change-Id: I6c0018713e0fe0a2ec3610508ea3581e2c8035e4
---
 specials/SpecialClearPendingReviews.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/specials/SpecialClearPendingReviews.php b/specials/SpecialClearPendingReviews.php
index 1d07ad9..60ee10f 100644
--- a/specials/SpecialClearPendingReviews.php
+++ b/specials/SpecialClearPendingReviews.php
@@ -114,10 +114,11 @@ class SpecialClearPendingReviews extends SpecialPage {
 		$conditions = '';
 
 		if ( $category ) {
-			$conditions .= "c.cl_to='$category' AND ";
+			$quotedCategory = $dbw->addQuotes( $category );
+			$conditions .= "c.cl_to=$quotedCategory AND ";
 		}
 		if ( $page ) {
-			$conditions .= "w.wl_title LIKE '$page%' AND ";
+			$conditions .= 'w.wl_title ' . $dbw->buildLike( $page, $dbw->anyString() ) . ' AND ';
 		}
 
 		$tables = [ 'w' => 'watchlist', 'p' => 'page', 'c' => 'categorylinks' ];
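Review bot: The two branches are now quoted correctly, but `$conditions` is still assembled as a raw SQL fragment with hand-appended `AND`, so the fix relies on every future branch remembering `addQuotes()`; the safer shape is the array form that `IDatabase::select()` quotes for you, e.g. `$conditions = [];`, `$conditions['c.cl_to'] = $category;` and `$conditions[] = 'w.wl_title' . $dbw->buildLike( $page, $dbw->anyString() );`. That change would also have to touch the code that consumes the trailing `' AND '` and the `select()` call, both outside this hunk, so it may be better done as a follow-up. `buildLike()` returns its own leading `' LIKE '`, so the extra space after `w.wl_title` on the new line is harmless but could be dropped for consistency with the category branch. The enclosing method of `SpecialClearPendingReviews` begins before and ends after this hunk.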
-- 
2.51.0

