| Index: branches/REL1_17/phase3/images/.htaccess |
| — | — | @@ -0,0 +1,6 @@ |
| | 2 | +# Protect against bug 28235 |
| | 3 | +<IfModule rewrite_module> |
| | 4 | + RewriteEngine On |
| | 5 | + RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase] |
| | 6 | + RewriteRule . - [forbidden] |
| | 7 | +</IfModule> |
| Property changes on: branches/REL1_17/phase3/images/.htaccess |
| ___________________________________________________________________ |
| Added: svn:mergeinfo |
| 1 | 8 | Merged /branches/REL1_15/phase3/images/.htaccess:r51646 |
| 2 | 9 | Merged /branches/sqlite/images/.htaccess:r58211-58321 |
| 3 | 10 | Merged /branches/new-installer/phase3/images/.htaccess:r43664-66004 |
| Added: svn:eol-style |
| 4 | 11 | + native |
| Index: branches/REL1_17/phase3/includes/WebRequest.php |
| — | — | @@ -746,10 +746,27 @@ |
| 747 | 747 | * but only by prefixing it with the script name and maybe some other stuff, |
| 748 | 748 | * the extension is not mangled. So this should be a reasonably portable |
| 749 | 749 | * way to perform this security check. |
| | 750 | + * |
| | 751 | + * Also checks for anything that looks like a file extension at the end of |
| | 752 | + * QUERY_STRING, since IE 6 and earlier will use this to get the file type |
| | 753 | + * if there was no dot before the question mark (bug 28235). |
| 750 | 754 | */ |
| 751 | 755 | public function isPathInfoBad() { |
| 752 | 756 | global $wgScriptExtension; |
| 753 | 757 | |
| | 758 | + if ( isset( $_SERVER['QUERY_STRING'] ) |
| | 759 | + && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) |
| | 760 | + { |
| | 761 | + // Bug 28235 |
| | 762 | + // Block only Internet Explorer 6, and requests with missing UA |
| | 763 | + // headers that could be IE users behind a privacy proxy. |
| | 764 | + if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) |
| | 765 | + || preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) ) |
| | 766 | + { |
| | 767 | + return true; |
| | 768 | + } |
| | 769 | + } |
| | 770 | + |
| 754 | 771 | if ( !isset( $_SERVER['PATH_INFO'] ) ) { |
| 755 | 772 | return false; |
| 756 | 773 | } |
| Property changes on: branches/REL1_17/phase3/includes/WebRequest.php |
| ___________________________________________________________________ |
| Added: svn:mergeinfo |
| 757 | 774 | Merged /branches/REL1_15/phase3/includes/WebRequest.php:r51646 |
| 758 | 775 | Merged /branches/sqlite/includes/WebRequest.php:r58211-58321 |
| 759 | 776 | Merged /trunk/phase3/includes/WebRequest.php:r82845,82847-82848,85844 |
| 760 | 777 | Merged /branches/new-installer/phase3/includes/WebRequest.php:r43664-66004 |
| 761 | 778 | Merged /branches/wmf-deployment/includes/WebRequest.php:r53381 |
| Index: branches/REL1_17/phase3/includes/RawPage.php |
| — | — | @@ -132,7 +132,7 @@ |
| 133 | 133 | # |
| 134 | 134 | # Just return a 403 Forbidden and get it over with. |
| 135 | 135 | wfHttpError( 403, 'Forbidden', |
| 136 | | - 'Invalid file extension found in PATH_INFO. ' . |
| | 136 | + 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' . |
| 137 | 137 | 'Raw pages must be accessed through the primary script entry point.' ); |
| 138 | 138 | return; |
| 139 | 139 | } |
| Property changes on: branches/REL1_17/phase3/includes/RawPage.php |
| ___________________________________________________________________ |
| Added: svn:mergeinfo |
| 140 | 140 | Merged /branches/REL1_15/phase3/includes/RawPage.php:r51646 |
| 141 | 141 | Merged /branches/sqlite/includes/RawPage.php:r58211-58321 |
| 142 | 142 | Merged /trunk/phase3/includes/RawPage.php:r82845,82847-82848,85844 |
| 143 | 143 | Merged /branches/new-installer/phase3/includes/RawPage.php:r43664-66004 |
| 144 | 144 | Merged /branches/wmf-deployment/includes/RawPage.php:r53381 |
| Index: branches/REL1_17/phase3/img_auth.php |
| — | — | @@ -37,6 +37,13 @@ |
| 38 | 38 | wfForbidden('img-auth-accessdenied','img-auth-public'); |
| 39 | 39 | } |
| 40 | 40 | |
| | 41 | +// Check for bug 28235: QUERY_STRING overriding the correct extension |
| | 42 | +if ( isset( $_SERVER['QUERY_STRING'] ) |
| | 43 | + && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) |
| | 44 | +{ |
| | 45 | + wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); |
| | 46 | +} |
| | 47 | + |
| 41 | 48 | // Extract path and image information |
| 42 | 49 | if( !isset( $_SERVER['PATH_INFO'] ) ) { |
| 43 | 50 | $path = $wgRequest->getText( 'path' ); |
| Property changes on: branches/REL1_17/phase3/img_auth.php |
| ___________________________________________________________________ |
| Modified: svn:mergeinfo |
| 44 | 51 | Merged /branches/REL1_16/phase3/img_auth.php:r85845 |
| Index: branches/REL1_17/phase3/api.php |
| — | — | @@ -55,8 +55,7 @@ |
| 56 | 56 | // |
| 57 | 57 | if ( $wgRequest->isPathInfoBad() ) { |
| 58 | 58 | wfHttpError( 403, 'Forbidden', |
| 59 | | - 'Invalid file extension found in PATH_INFO. ' . |
| 60 | | - 'The API must be accessed through the primary script entry point.' ); |
| | 59 | + 'Invalid file extension found in PATH_INFO or QUERY_STRING.' ); |
| 61 | 60 | return; |
| 62 | 61 | } |
| 63 | 62 | |
| Property changes on: branches/REL1_17/phase3/api.php |
| ___________________________________________________________________ |
| Added: svn:mergeinfo |
| 64 | 63 | Merged /branches/sqlite/api.php:r58211-58321 |
| 65 | 64 | Merged /trunk/phase3/api.php:r79828,79830,79848,79853,79950-79951,79954,79989,80006-80007,80013,80016,80080,80083,80124,80128,80238,81657,81833,82845,82847-82849,85844 |
| 66 | 65 | Merged /branches/new-installer/phase3/api.php:r43664-66004 |
| 67 | 66 | Merged /branches/REL1_15/phase3/api.php:r51646 |
| Index: branches/REL1_17/phase3/load.php |
| — | — | @@ -37,11 +37,8 @@ |
| 38 | 38 | // |
| 39 | 39 | if ( $wgRequest->isPathInfoBad() ) { |
| 40 | 40 | wfHttpError( 403, 'Forbidden', |
| 41 | | - 'Invalid file extension found in PATH_INFO. ' . |
| 42 | | - 'The resource loader must be accessed through the primary script entry point.' ); |
| | 41 | + 'Invalid file extension found in PATH_INFO or QUERY_STRING.' ); |
| 43 | 42 | return; |
| 44 | | - // FIXME: Doesn't this execute the rest of the request anyway? |
| 45 | | - // Was taken from api.php so I guess it's maybe OK but it doesn't look good. |
| 46 | 43 | } |
| 47 | 44 | |
| 48 | 45 | // Respond to resource loading request |
| Property changes on: branches/REL1_17/phase3/load.php |
| ___________________________________________________________________ |
| Added: svn:mergeinfo |
| 49 | 46 | Merged /branches/new-installer/phase3/load.php:r43664-66004 |
| 50 | 47 | Merged /branches/REL1_15/phase3/load.php:r51646 |
| 51 | 48 | Merged /branches/sqlite/load.php:r58211-58321 |
| 52 | 49 | Merged /trunk/phase3/load.php:r79828,79830,79848,79853,79950-79951,79954,79989,80006-80007,80013,80016,80080,80083,80124,80128,80238,81657,81833,82845,82847-82849,85844 |
| Index: branches/REL1_17/phase3/languages/messages/MessagesEn.php |
| — | — | @@ -2202,6 +2202,7 @@ |
| 2203 | 2203 | This wiki is configured as a public wiki. |
| 2204 | 2204 | For optimal security, img_auth.php is disabled.', |
| 2205 | 2205 | 'img-auth-noread' => 'User does not have access to read "$1".', |
| | 2206 | +'img-auth-bad-query-string' => 'The URL has an invalid query string.', |
| 2206 | 2207 | |
| 2207 | 2208 | # HTTP errors |
| 2208 | 2209 | 'http-invalid-url' => 'Invalid URL: $1', |
| Property changes on: branches/REL1_17/phase3/languages/messages/MessagesEn.php |
| ___________________________________________________________________ |
| Added: svn:mergeinfo |
| 2209 | 2210 | Merged /branches/sqlite/languages/messages/MessagesEn.php:r58211-58321 |
| 2210 | 2211 | Merged /trunk/phase3/languages/messages/MessagesEn.php:r79828,79830,79848,79853,79950-79951,79954,79989,80006-80007,80013,80016,80080,80083,80124,80128,80238,81657,81833,82845,82847-82849,85844 |
| 2211 | 2212 | Merged /branches/new-installer/phase3/languages/messages/MessagesEn.php:r43664-66004 |
| 2212 | 2213 | Merged /branches/REL1_15/phase3/languages/messages/MessagesEn.php:r51646 |