Validate status codes returned from the AbortLogin hook

In case of a return value which is not in LoginForm::$statusCodes,
this results in a nicer error message instead of an array access error.

Bug: T109193
Change-Id: I64c955327c7dfc64807fa83d30538f3da66618bc

diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index de69b9d..8facb35 100644 (file)
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -783,8 +783,10 @@ class LoginForm extends SpecialPage {
                // Give general extensions, such as a captcha, a chance to abort logins
                $abort = self::ABORTED;
                if ( !Hooks::run( 'AbortLogin', array( $u, $this->mPassword, &$abort, &$msg ) ) ) {
+                       if ( !in_array( $abort, self::$statusCodes, true ) ) {
+                               throw new Exception( 'Invalid status code returned from AbortLogin hook: ' . $abort );
+                       }
                        $this->mAbortLoginErrorMsg = $msg;
-
                        return $abort;
                }