From 71cbed60fbd6e35dadea84765e10b79e14e9eb1d Mon Sep 17 00:00:00 2001 From: Piotr Miazga Date: Tue, 25 Sep 2018 17:52:08 +0200 Subject: [PATCH] Create $returntoquery variable properly The $returntoquery variable is created only when request wasn't posted, but the variable can be accessed on POSTed request. To fix that issue we need to always define $returntoquery as an empty array. This is done in order to prevent leak of any sensitive data sent by POST request. The sample error from fatalmonitor: Undefined variable: returntoquery in skins/MinervaNeue/includes/skins/SkinMinerva.php on line 701 Bug: T205449 Change-Id: I20e5955ddcb99c110a3dc03fb3b56c1904601453
---
 includes/skins/SkinMinerva.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/includes/skins/SkinMinerva.php b/includes/skins/SkinMinerva.php
index adac179..5e5c739 100644
--- a/includes/skins/SkinMinerva.php
+++ b/includes/skins/SkinMinerva.php
@@ -661,6 +661,8 @@ class SkinMinerva extends SkinTemplate {
 */
 protected function insertLogInOutMenuItem( MenuBuilder $menu ) {
 $query = [];
+ $returntoquery = [];
+
 if ( !$this->getRequest()->wasPosted() ) {
 $returntoquery = $this->getRequest()->getValues();
 unset( $returntoquery['title'] );
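Review bot: The new `$returntoquery = [];` default at the top of insertLogInOutMenuItem() encodes a security decision that only the commit message explains, so it deserves a comment on that line, for example `// Stays empty on POST: posted values may be sensitive and must not be copied into the returnto URL.` Without it, a later cleanup could plausibly move the `getValues()` call out of the `wasPosted()` guard to simplify the initialisation and bring back the leak the guard is there to prevent. On the non-POST path every request value except `title` is still copied as-is in the visible lines; the function continues past the end of the hunk, so whether further keys are stripped before the login link is built cannot be confirmed from here. A regression test that renders the menu for a posted request and asserts that no posted field appears in the login link would pin the intended behaviour.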