r85845 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r85844‎ \| r85845 \| r85846 >
Date:	01:07, 12 April 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	MFT r85844, fix for bug 28235 (IE6 looks for the file extension in the query string)
Modified paths:	/branches/REL1_16/phase3/api.php (modified) (history) /branches/REL1_16/phase3/images/.htaccess (added) (history) /branches/REL1_16/phase3/img_auth.php (modified) (history) /branches/REL1_16/phase3/includes/RawPage.php (modified) (history) /branches/REL1_16/phase3/includes/WebRequest.php (modified) (history) /branches/REL1_16/phase3/languages/messages/MessagesEn.php (modified) (history)

Diff [purge]

Index: branches/REL1_16/phase3/images/.htaccess
—	—	@@ -0,0 +1,6 @@
	2	+# Protect against bug 28235
	3	+<IfModule rewrite_module>
	4	+ RewriteEngine On
	5	+ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
	6	+ RewriteRule . - [forbidden]
	7	+</IfModule>
Property changes on: branches/REL1_16/phase3/images/.htaccess
___________________________________________________________________
Added: svn:mergeinfo
1	8	Merged /branches/REL1_15/phase3/images/.htaccess:r51646
2	9	Merged /branches/sqlite/images/.htaccess:r58211-58321
3	10	Merged /branches/new-installer/phase3/images/.htaccess:r43664-66004
Added: svn:eol-style
4	11	+ native
Index: branches/REL1_16/phase3/includes/WebRequest.php
—	—	@@ -688,10 +688,27 @@
689	689	* but only by prefixing it with the script name and maybe some other stuff,
690	690	* the extension is not mangled. So this should be a reasonably portable
691	691	* way to perform this security check.
	692	+ *
	693	+ * Also checks for anything that looks like a file extension at the end of
	694	+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
	695	+ * if there was no dot before the question mark (bug 28235).
692	696	*/
693	697	public function isPathInfoBad() {
694	698	global $wgScriptExtension;
695	699
	700	+ if ( isset( $_SERVER['QUERY_STRING'] )
	701	+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
	702	+ {
	703	+ // Bug 28235
	704	+ // Block only Internet Explorer 6, and requests with missing UA
	705	+ // headers that could be IE users behind a privacy proxy.
	706	+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
	707	+ \|\| preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
	708	+ {
	709	+ return true;
	710	+ }
	711	+ }
	712	+
696	713	if ( !isset( $_SERVER['PATH_INFO'] ) ) {
697	714	return false;
698	715	}
Property changes on: branches/REL1_16/phase3/includes/WebRequest.php
___________________________________________________________________
Modified: svn:mergeinfo
699	716	Merged /trunk/phase3/includes/WebRequest.php:r85844
Index: branches/REL1_16/phase3/includes/RawPage.php
—	—	@@ -125,7 +125,7 @@
126	126	#
127	127	# Just return a 403 Forbidden and get it over with.
128	128	wfHttpError( 403, 'Forbidden',
129		~~- 'Invalid file extension found in PATH_INFO. ' .~~
	129	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
130	130	'Raw pages must be accessed through the primary script entry point.' );
131	131	return;
132	132	}
Index: branches/REL1_16/phase3/img_auth.php
—	—	@@ -37,6 +37,13 @@
38	38	wfForbidden('img-auth-accessdenied','img-auth-public');
39	39	}
40	40
	41	+// Check for bug 28235: QUERY_STRING overriding the correct extension
	42	+if ( isset( $_SERVER['QUERY_STRING'] )
	43	+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
	44	+{
	45	+ wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
	46	+}
	47	+
41	48	// Extract path and image information
42	49	if( !isset( $_SERVER['PATH_INFO'] ) )
43	50	wfForbidden('img-auth-accessdenied','img-auth-nopathinfo');
Index: branches/REL1_16/phase3/api.php
—	—	@@ -52,8 +52,7 @@
53	53	//
54	54	if ( $wgRequest->isPathInfoBad() ) {
55	55	wfHttpError( 403, 'Forbidden',
56		~~- 'Invalid file extension found in PATH_INFO. ' .~~
57		~~- 'The API must be accessed through the primary script entry point.' );~~
	56	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
58	57	return;
59	58	}
60	59
Property changes on: branches/REL1_16/phase3/api.php
___________________________________________________________________
Added: svn:mergeinfo
61	60	Merged /trunk/phase3/api.php:r63545-63546,63549,63643,63764,63897-63901,64876,76664,79561,85844
Index: branches/REL1_16/phase3/languages/messages/MessagesEn.php
—	—	@@ -2155,6 +2155,7 @@
2156	2156	This wiki is configured as a public wiki.
2157	2157	For optimal security, img_auth.php is disabled.',
2158	2158	'img-auth-noread' => 'User does not have access to read "$1".',
	2159	+'img-auth-bad-query-string' => 'The URL has an invalid query string.',
2159	2160
2160	2161	# HTTP errors
2161	2162	'http-invalid-url' => 'Invalid URL: $1',
Property changes on: branches/REL1_16/phase3/languages/messages/MessagesEn.php
___________________________________________________________________
Modified: svn:mergeinfo
2162	2163	Merged /trunk/phase3/languages/messages/MessagesEn.php:r85844

Follow-up revisions

Revision	Commit summary	Author	Date
r85846	MFT r85844, fix for bug 28235 (IE6 looks for the file extension in the query ...	tstarling	01:15, 12 April 2011
r85875	MFT r85871 as follow-up to r85845	raymond	12:41, 12 April 2011
r86027	(bug 28507) Fix for r85844: that revision was not actually sufficient to fix ...	tstarling	07:10, 14 April 2011
r89397	(bug 28840) If the query string hits bug 28235, redirect to a safer URL inste...	tstarling	05:32, 3 June 2011
r89558	* Added a REQUEST_URI check to the bug 28235 handling....	tstarling	11:59, 6 June 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r85844	Fix for bug 28235: IE6 looks for the file extension in the query string	tstarling	00:55, 12 April 2011

Status & tagging log

22:17, 15 April 2011 Reedy (talk | contribs) changed the status of r85845 [removed: new added: ok]