Sanity check "stashedtexthash" param before checking memcached
authorAaron Schulz <aschulz@wikimedia.org>
Thu, 31 Aug 2017 21:35:17 +0000 (14:35 -0700)
committerAaron Schulz <aschulz@wikimedia.org>
Thu, 31 Aug 2017 21:35:17 +0000 (14:35 -0700)
The makeKey() method should do escaping and shortening, but it
is safer and clearer to not rely on that.

Change-Id: Ia4a95e0bb12074d141ddcca2089b920403cab100

includes/api/ApiStashEdit.php

index d03fca8..8a9de06 100644 (file)
@@ -74,6 +74,9 @@ class ApiStashEdit extends ApiBase {
                if ( strlen( $params['stashedtexthash'] ) ) {
                        // Load from cache since the client indicates the text is the same as last stash
                        $textHash = $params['stashedtexthash'];
+                       if ( !preg_match( '/^[0-9a-f]{40}$/', $textHash ) ) {
+                               $this->dieWithError( 'apierror-stashedit-missingtext', 'missingtext' );
+                       }
                        $textKey = $cache->makeKey( 'stashedit', 'text', $textHash );
                        $text = $cache->get( $textKey );
                        if ( !is_string( $text ) ) {
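Review bot: The pattern `/^[0-9a-f]{40}$/` on the added preg_match line still accepts 40 hex digits followed by a single trailing newline, because `$` in PCRE matches before a final "\n" unless the `D` modifier is set. Since the stated aim is not to rely on makeKey() for escaping, the end anchor should be strict: `if ( !preg_match( '/^[0-9a-f]{40}$/D', $textHash ) ) {`. A preg_match error returns false, which `!` treats like a non-match, so that path already fails closed. The enclosing method starts and ends outside the hunk.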