r85844 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r85843‎ \| r85844 \| r85845 >
Date:	00:55, 12 April 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	Fix for bug 28235: IE6 looks for the file extension in the query string
Modified paths:	/trunk/phase3/api.php (modified) (history) /trunk/phase3/images/.htaccess (added) (history) /trunk/phase3/img_auth.php (modified) (history) /trunk/phase3/includes/RawPage.php (modified) (history) /trunk/phase3/includes/WebRequest.php (modified) (history) /trunk/phase3/languages/messages/MessagesEn.php (modified) (history) /trunk/phase3/load.php (modified) (history)

Diff [purge]

Index: trunk/phase3/images/.htaccess
—	—	@@ -0,0 +1,6 @@
	2	+# Protect against bug 28235
	3	+<IfModule rewrite_module>
	4	+ RewriteEngine On
	5	+ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
	6	+ RewriteRule . - [forbidden]
	7	+</IfModule>
Property changes on: trunk/phase3/images/.htaccess
___________________________________________________________________
Added: svn:eol-style
1	8	+ native
Index: trunk/phase3/includes/WebRequest.php
—	—	@@ -776,10 +776,27 @@
777	777	* but only by prefixing it with the script name and maybe some other stuff,
778	778	* the extension is not mangled. So this should be a reasonably portable
779	779	* way to perform this security check.
	780	+ *
	781	+ * Also checks for anything that looks like a file extension at the end of
	782	+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
	783	+ * if there was no dot before the question mark (bug 28235).
780	784	*/
781	785	public function isPathInfoBad() {
782	786	global $wgScriptExtension;
783	787
	788	+ if ( isset( $_SERVER['QUERY_STRING'] )
	789	+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
	790	+ {
	791	+ // Bug 28235
	792	+ // Block only Internet Explorer 6, and requests with missing UA
	793	+ // headers that could be IE users behind a privacy proxy.
	794	+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
	795	+ \|\| preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
	796	+ {
	797	+ return true;
	798	+ }
	799	+ }
	800	+
784	801	if ( !isset( $_SERVER['PATH_INFO'] ) ) {
785	802	return false;
786	803	}
Index: trunk/phase3/includes/RawPage.php
—	—	@@ -132,7 +132,7 @@
133	133	#
134	134	# Just return a 403 Forbidden and get it over with.
135	135	wfHttpError( 403, 'Forbidden',
136		~~- 'Invalid file extension found in PATH_INFO. ' .~~
	136	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
137	137	'Raw pages must be accessed through the primary script entry point.' );
138	138	return;
139	139	}
Index: trunk/phase3/img_auth.php
—	—	@@ -38,6 +38,13 @@
39	39	wfForbidden('img-auth-accessdenied','img-auth-public');
40	40	}
41	41
	42	+// Check for bug 28235: QUERY_STRING overriding the correct extension
	43	+if ( isset( $_SERVER['QUERY_STRING'] )
	44	+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
	45	+{
	46	+ wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
	47	+}
	48	+
42	49	$matches = WebRequest::getPathInfo();
43	50	$path = $matches['title'];
44	51	$filename = realpath( $wgUploadDirectory . $path );
Index: trunk/phase3/api.php
—	—	@@ -55,8 +55,7 @@
56	56	//
57	57	if ( $wgRequest->isPathInfoBad() ) {
58	58	wfHttpError( 403, 'Forbidden',
59		~~- 'Invalid file extension found in PATH_INFO. ' .~~
60		~~- 'The API must be accessed through the primary script entry point.' );~~
	59	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
61	60	return;
62	61	}
63	62
Index: trunk/phase3/load.php
—	—	@@ -37,11 +37,8 @@
38	38	//
39	39	if ( $wgRequest->isPathInfoBad() ) {
40	40	wfHttpError( 403, 'Forbidden',
41		~~- 'Invalid file extension found in PATH_INFO. ' .~~
42		~~- 'The resource loader must be accessed through the primary script entry point.' );~~
	41	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
43	42	return;
44		~~- // FIXME: Doesn't this execute the rest of the request anyway?~~
45		~~- // Was taken from api.php so I guess it's maybe OK but it doesn't look good.~~
46	43	}
47	44
48	45	// Respond to resource loading request
Index: trunk/phase3/languages/messages/MessagesEn.php
—	—	@@ -2261,6 +2261,7 @@
2262	2262	This wiki is configured as a public wiki.
2263	2263	For optimal security, img_auth.php is disabled.',
2264	2264	'img-auth-noread' => 'User does not have access to read "$1".',
	2265	+'img-auth-bad-query-string' => 'The URL has an invalid query string.',
2265	2266
2266	2267	# HTTP errors
2267	2268	'http-invalid-url' => 'Invalid URL: $1',

Follow-up revisions

Revision	Commit summary	Author	Date
r85845	MFT r85844, fix for bug 28235 (IE6 looks for the file extension in the query ...	tstarling	01:07, 12 April 2011
r85846	MFT r85844, fix for bug 28235 (IE6 looks for the file extension in the query ...	tstarling	01:15, 12 April 2011
r85848	MFT r85844 via REL1_17 85846: IE 6 XSS fix	tstarling	01:23, 12 April 2011
r85871	Add new message key from r85844 to maintenance file	raymond	12:05, 12 April 2011
r86027	(bug 28507) Fix for r85844: that revision was not actually sufficient to fix ...	tstarling	07:10, 14 April 2011
r87482	* Fix for bug 28534: IE 6 content type detection again...	tstarling	05:29, 5 May 2011
r89397	(bug 28840) If the query string hits bug 28235, redirect to a safer URL inste...	tstarling	05:32, 3 June 2011
r89558	* Added a REQUEST_URI check to the bug 28235 handling....	tstarling	11:59, 6 June 2011

Status & tagging log

22:17, 15 April 2011 Reedy (talk | contribs) changed the status of r85844 [removed: new added: ok]