BreadCrumbs2 - What's wrong with it?


Ack! An extension I'm using has been marked as a "Code Injection" risk.

http://www.mediawiki.org/wiki/Extension:BreadCrumbs2

Why was it marked and how do I fix it?

Also, is it an issue if the wiki or the MediaWiki:Breadcrumbs page is read-only to all but Administrators?

70.95.182.249 02:14, 3 April 2012

The hole is due to the use of preg_replace's /e flag.

Frankly the whole code of the extension is a poorly coded mess. The extension is all over the place with bad string comparisons instead of using Title methods, hardcoded url building, etc...

Daniel Friesen (Dantman) (talk) 02:22, 3 April 2012
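An added example, not BreadCrumbs2's code and not from either poster, showing the preg_replace /e pattern Daniel refers to beside the preg_replace_callback form that replaces it. The {{{name}}} placeholder syntax, the variable names and the sample crumb text are assumptions made for illustration.

```php
<?php
// Added example, not the extension's code. The /e modifier was removed in PHP 7.0;
// the vulnerable form is kept as a comment so this file runs on current PHP.

// Placeholder values a wiki page might supply (constructed sample data).
$vars = [
    'title' => 'Main Page',
    'crumb' => 'Help:Contents', // treated strictly as data, never as code
];

// VULNERABLE (PHP 5 only): with /e, preg_replace substitutes the backreferences
// into the replacement string and then eval()s the result as PHP source. Whatever
// the pattern captures from $text therefore becomes part of executed code, which
// is the "Code Injection" class the extension was flagged for.
//   $out = preg_replace('/\{\{\{(\w+)\}\}\}/e', '$vars["$1"]', $text);

// HARDENED: a callback receives the match as a plain array. Nothing is evaluated,
// lookups are confined to the $vars whitelist, and unknown placeholders are left
// as literal text instead of turning into code.
function expandPlaceholders(string $text, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\{(\w+)\}\}\}/',
        static function (array $m) use ($vars): string {
            return array_key_exists($m[1], $vars) ? (string) $vars[$m[1]] : $m[0];
        },
        $text
    );
}

// Constructed sample message; "unknown" has no entry and must survive unchanged.
$text = 'You are here: {{{title}}} > {{{crumb}}} ({{{unknown}}})';
echo expandPlaceholders($text, $vars), "\n";
```

When auditing for this class of bug, grep for `preg_replace(` whose pattern argument ends in an `e` modifier; on PHP 7 or later such calls fail with a warning and return null, so the pattern must be migrated regardless of exploitability.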

I have fixed the code injection issue with BreadCrumbs2. Please review the changes.

Tback (talk) 19:54, 13 April 2012