ApiBlock: Improve username validation

The current username validation lets any invalid username through, on
the assumption that it's an IP address. We can do better: call the
backend to get the actual type and target, and reject anything with
TYPE_USER where the actual input name is invalid (regardless of
underlying mangling for stuff like T31797).

Bug: T183211
Change-Id: I676642eee1222447df22a1c32b24f55e6273bcec

diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 4d37af3..366a6df 100644 (file)
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -67,12 +67,12 @@ class ApiBlock extends ApiBase {
                                $params['user'] = $username;
                        }
                } else {
-                       $target = User::newFromName( $params['user'] );
+                       list( $target, $type ) = SpecialBlock::getTargetAndType( $params['user'] );
 
                        // T40633 - if the target is a user (not an IP address), but it
                        // doesn't exist or is unusable, error.
-                       if ( $target instanceof User &&
-                               ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $target->getName() ) )
+                       if ( $type === Block::TYPE_USER &&
+                               ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $params['user'] ) )
                        ) {
                                $this->dieWithError( [ 'nosuchusershort', $params['user'] ], 'nosuchuser' );
                        }