Log when Message::__toString has an unexpected format

Message formatting methods have a side effect on how string conversion
will work, which is a security problem waiting to happen:

    $msg = new Message( 'foo' );
    echo $msg; // parsed
    echo $msg->plain();
    echo $msg; // not parsed

This change logs Message -> string transformations which are
affected by a prior call in this way. The behavior will be removed
in a later patch (possibly replaced by something more explicit
if it turns out that something depends on it).

Bug: T146416
Change-Id: Id51cf6a5a937bc41a914f317e980ef42e4d385fb

diff --git a/includes/Message.php b/includes/Message.php
index c2c954a..c1a12aa 100644 (file)
--- a/includes/Message.php
+++ b/includes/Message.php
@@ -852,6 +852,12 @@ class Message implements MessageSpecifier, Serializable {
         * @return string
         */
        public function __toString() {
+               if ( $this->format !== 'parse' ) {
+                       $ex = new LogicException( __METHOD__ . ' using implicit format: ' . $this->format );
+                       \MediaWiki\Logger\LoggerFactory::getInstance( 'message-format' )->warning(
+                               $ex->getMessage(), [ 'exception' => $ex, 'format' => $this->format, 'key' => $this->key ] );
+               }
+
                // PHP doesn't allow __toString to throw exceptions and will
                // trigger a fatal error if it does. So, catch any exceptions.