Fix external link queries to escape LIKE metacharacters, avoiding massive table scans

author Brion Vibber <brion@users.mediawiki.org>

Tue, 18 Sep 2007 20:14:25 +0000 (20:14 +0000)

committer Brion Vibber <brion@users.mediawiki.org>

Tue, 18 Sep 2007 20:14:25 +0000 (20:14 +0000)
author Brion Vibber <brion@users.mediawiki.org>
Tue, 18 Sep 2007 20:14:25 +0000 (20:14 +0000)
committer Brion Vibber <brion@users.mediawiki.org>
Tue, 18 Sep 2007 20:14:25 +0000 (20:14 +0000)
diff --git a/includes/LinkFilter.php b/includes/LinkFilter.php

index ee668f0..ced76d7 100644 (file)
--- a/includes/LinkFilter.php
+++ b/includes/LinkFilter.php
@@ -51,6 +51,7 @@ class LinkFilter {
          * @param $prot        String: protocol
          */
          public static function makeLike( $filterEntry , $prot = 'http://' ) {
+               $db = wfGetDB( DB_MASTER );
                 if ( substr( $filterEntry, 0, 2 ) == '*.' ) {
                         $subdomains = true;
                         $filterEntry = substr( $filterEntry, 2 );
@@ -83,23 +84,23 @@ class LinkFilter {
                         $mailparts = explode( '@', $host );
                         $domainpart = strtolower( implode( '.', array_reverse( explode( '.', $mailparts[1] ) ) ) );
                         $host = $domainpart . '@' . $mailparts[0];
-                       $like = "$prot$host%";
+                       $like = $db->escapeLike( "$prot$host" ) . "%";
                 } elseif ( $prot == 'mailto:' ) {
                         // domainpart of email adress only. do not add '.'
                         $host = strtolower( implode( '.', array_reverse( explode( '.', $host ) ) ) );   
-                       $like = "$prot$host%";                  
+                       $like = $db->escapeLike( "$prot$host" ) . "%";                  
                 } else {
                         $host = strtolower( implode( '.', array_reverse( explode( '.', $host ) ) ) );   
                         if ( substr( $host, -1, 1 ) !== '.' ) {
                                 $host .= '.';
                         }
-                       $like = "$prot$host";
+                       $like = $db->escapeLike( "$prot$host" );
  
                         if ( $subdomains ) {
                                 $like .= '%';
                         }
                         if ( !$subdomains || $path !== '/' ) {
-                               $like .= $path . '%';
+                               $like .= $db->escapeLike( $path ) . '%';
                         }
                 }
                 return $like;
author	Brion Vibber <brion@users.mediawiki.org>
	Tue, 18 Sep 2007 20:14:25 +0000 (20:14 +0000)
committer	Brion Vibber <brion@users.mediawiki.org>
	Tue, 18 Sep 2007 20:14:25 +0000 (20:14 +0000)