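--- a/trunk/phase3/api.php
+++ b/trunk/phase3/api.php
@@ -37,6 +37,29 @@
 
 wfProfileIn('api.php');
 
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';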
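Review bot: The early `return;` after `wfHttpError` leaves the `wfProfileIn('api.php')` opened three lines above the new block without a matching `wfProfileOut`, so every rejected request exits with an unbalanced profiling section; add `wfProfileOut('api.php');` immediately before the `return;`. The `strcmp` result is also used as a bare truthy condition; writing `if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) !== 0 ) {` makes the intent (any difference is a mismatch) explicit. `SCRIPT_URL` is only populated by some server setups and what `PHP_SELF` contains in the fallback branch (with or without the trailing PATH_INFO that this check exists to reject) varies by SAPI, so a comment stating which environments the fallback was verified against would help the next maintainer; as written, a mismatch between the configured `$wgScriptPath` and the path the server actually presents will also turn every API request into a 403. The enclosing script continues outside the hunk.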
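--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -334,6 +334,7 @@
 mystery failures when using $wgThumbnailScriptPath.
 * (bug 12327) Comma in username no longer disrupts mail headers
 * (bug 6436) Localization of Special:Import XML parser Error message(s).
+* Security fix for API on MSIE
 
 
 == Parser changes in 1.12 ==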