Reject usernames with # as user-type API parameters
author Gergő Tisza <gtisza@wikimedia.org>
Sat, 16 Apr 2016 17:45:39 +0000 (17:45 +0000)
committer Gergő Tisza <gtisza@wikimedia.org>
Sat, 16 Apr 2016 17:45:39 +0000 (17:45 +0000)
The API handles parameters of type 'user' as page titles, which resulted
in silently dropping # characters and anything following them.
Reject such usernames explicitly instead.

Bug: T132852
Change-Id: Iba8061b20d5e25de80ff30d09eb53939c97cdaac

includes/api/ApiBase.php

index 1c20229..da64c03 100644 (file)
@@ -1298,7 +1298,7 @@ abstract class ApiBase extends ContextSource {
         */
        private function validateUser( $value, $encParamName ) {
                $title = Title::makeTitleSafe( NS_USER, $value );
-               if ( $title === null ) {
+               if ( $title === null || $title->hasFragment() ) {
                        $this->dieUsage(
                                "Invalid value '$value' for user parameter $encParamName",
                                "baduser_{$encParamName}"
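
Review bot: the new condition `$title->hasFragment()` tests the parsed title rather than the raw `$value`, so whether every `#` is rejected depends on how Title treats an empty fragment. If `hasFragment()` is false for input such as `Foo#`, that value still passes and the trailing `#` is dropped silently, which is the behaviour the commit message sets out to stop. Consider also rejecting on the raw string, for example `strpos( $value, '#' ) !== false`, and adding a test in which both `Foo#bar` and `Foo#` fail with `baduser_{$encParamName}`.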