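--- a/trunk/extensions/BotQuery/query.php
+++ b/trunk/extensions/BotQuery/query.php
@@ -58,6 +58,29 @@
 require_once( "$IP/includes/Setup.php" );
 }
 
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( !preg_match( '!/query\.php$!', $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
 wfProfileIn( 'query.php' );
 
 define( 'GN_FUNC', 0 );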
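Review bot: The entry-point check in the added `if( isset( $_SERVER['SCRIPT_URL'] ) )` block tests a server-derived path rather than the URL the browser actually requested, which is what MSIE's extension sniffing keys on; `SCRIPT_URL` is only populated by Apache's mod_rewrite and the contents of `PHP_SELF` vary by SAPI, so whether PATH_INFO is reliably present in `$url` on every deployment should be confirmed. A closer match to the threat described in the comment would be to check the request path as sent, e.g. `$url = strtok( $_SERVER['REQUEST_URI'], '?' );` before the `preg_match`, while keeping the `PHP_SELF` fallback for SAPIs that do not set `REQUEST_URI`. The header comment also says the extension "might be appended via PATH_INFO after 'api.php'" while this file and the regex are for `query.php`; suggest `// might be appended via PATH_INFO after 'query.php'.` so the comment matches the check. Finally, the 403 message deliberately does not echo `$url` back, which is the right call given the value is attacker-controlled; a short comment noting that (`// do not echo $url: it is attacker-influenced`) would keep a future edit from reintroducing a reflection.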