r85848 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r85847‎ \| r85848 \| r85849 >
Date:	01:23, 12 April 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	MFT r85844 via REL1_17 85846: IE 6 XSS fix
Modified paths:	/branches/wmf/1.17wmf1/api.php (modified) (history) /branches/wmf/1.17wmf1/img_auth.php (modified) (history) /branches/wmf/1.17wmf1/includes/RawPage.php (modified) (history) /branches/wmf/1.17wmf1/includes/WebRequest.php (modified) (history) /branches/wmf/1.17wmf1/languages/messages/MessagesEn.php (modified) (history) /branches/wmf/1.17wmf1/load.php (modified) (history)

Diff [purge]

Index: branches/wmf/1.17wmf1/includes/WebRequest.php
—	—	@@ -746,10 +746,27 @@
747	747	* but only by prefixing it with the script name and maybe some other stuff,
748	748	* the extension is not mangled. So this should be a reasonably portable
749	749	* way to perform this security check.
	750	+ *
	751	+ * Also checks for anything that looks like a file extension at the end of
	752	+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
	753	+ * if there was no dot before the question mark (bug 28235).
750	754	*/
751	755	public function isPathInfoBad() {
752	756	global $wgScriptExtension;
753	757
	758	+ if ( isset( $_SERVER['QUERY_STRING'] )
	759	+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
	760	+ {
	761	+ // Bug 28235
	762	+ // Block only Internet Explorer 6, and requests with missing UA
	763	+ // headers that could be IE users behind a privacy proxy.
	764	+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
	765	+ \|\| preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
	766	+ {
	767	+ return true;
	768	+ }
	769	+ }
	770	+
754	771	if ( !isset( $_SERVER['PATH_INFO'] ) ) {
755	772	return false;
756	773	}
Property changes on: branches/wmf/1.17wmf1/includes/WebRequest.php
___________________________________________________________________
Added: svn:mergeinfo
757	774	Merged /branches/REL1_15/phase3/includes/WebRequest.php:r51646
758	775	Merged /branches/wmf/1.16wmf4/includes/WebRequest.php:r67177,69199,76243,77266
759	776	Merged /branches/REL1_17/phase3/includes/WebRequest.php:r85846
760	777	Merged /branches/sqlite/includes/WebRequest.php:r58211-58321
761	778	Merged /trunk/phase3/includes/WebRequest.php:r83590
762	779	Merged /branches/REL1_17/phase3/images/includes/WebRequest.php:r85846
763	780	Merged /branches/new-installer/phase3/includes/WebRequest.php:r43664-66004
764	781	Merged /branches/wmf-deployment/includes/WebRequest.php:r53381,60970
Index: branches/wmf/1.17wmf1/includes/RawPage.php
—	—	@@ -132,7 +132,7 @@
133	133	#
134	134	# Just return a 403 Forbidden and get it over with.
135	135	wfHttpError( 403, 'Forbidden',
136		~~- 'Invalid file extension found in PATH_INFO. ' .~~
	136	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
137	137	'Raw pages must be accessed through the primary script entry point.' );
138	138	return;
139	139	}
Property changes on: branches/wmf/1.17wmf1/includes/RawPage.php
___________________________________________________________________
Added: svn:mergeinfo
140	140	Merged /branches/REL1_15/phase3/includes/RawPage.php:r51646
141	141	Merged /branches/wmf/1.16wmf4/includes/RawPage.php:r67177,69199,76243,77266
142	142	Merged /branches/REL1_17/phase3/includes/RawPage.php:r85846
143	143	Merged /branches/sqlite/includes/RawPage.php:r58211-58321
144	144	Merged /trunk/phase3/includes/RawPage.php:r83590
145	145	Merged /branches/REL1_17/phase3/images/includes/RawPage.php:r85846
146	146	Merged /branches/new-installer/phase3/includes/RawPage.php:r43664-66004
147	147	Merged /branches/wmf-deployment/includes/RawPage.php:r53381,60970
Index: branches/wmf/1.17wmf1/img_auth.php
—	—	@@ -37,6 +37,13 @@
38	38	wfForbidden('img-auth-accessdenied','img-auth-public');
39	39	}
40	40
	41	+// Check for bug 28235: QUERY_STRING overriding the correct extension
	42	+if ( isset( $_SERVER['QUERY_STRING'] )
	43	+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
	44	+{
	45	+ wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
	46	+}
	47	+
41	48	// Extract path and image information
42	49	if( !isset( $_SERVER['PATH_INFO'] ) ) {
43	50	$path = $wgRequest->getText( 'path' );
Property changes on: branches/wmf/1.17wmf1/img_auth.php
___________________________________________________________________
Modified: svn:mergeinfo
44	51	Merged /branches/REL1_16/phase3/img_auth.php:r85845
45	52	Merged /branches/REL1_17/phase3/img_auth.php:r85846
46	53	Merged /branches/REL1_17/phase3/images/img_auth.php:r85846
Index: branches/wmf/1.17wmf1/api.php
—	—	@@ -55,8 +55,7 @@
56	56	//
57	57	if ( $wgRequest->isPathInfoBad() ) {
58	58	wfHttpError( 403, 'Forbidden',
59		~~- 'Invalid file extension found in PATH_INFO. ' .~~
60		~~- 'The API must be accessed through the primary script entry point.' );~~
	59	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
61	60	return;
62	61	}
63	62
Property changes on: branches/wmf/1.17wmf1/api.php
___________________________________________________________________
Added: svn:mergeinfo
64	63	Merged /branches/wmf/1.16wmf4/api.php:r67177,69199,76243,77266
65	64	Merged /branches/REL1_17/phase3/api.php:r85846
66	65	Merged /branches/sqlite/api.php:r58211-58321
67	66	Merged /trunk/phase3/api.php:r79828,79830,79848,79853,79950-79951,79954,79989,80006-80007,80013,80016,80080,80083,80124,80128,80238,81833,83212,83590
68	67	Merged /branches/REL1_17/phase3/images/api.php:r85846
69	68	Merged /branches/new-installer/phase3/api.php:r43664-66004
70	69	Merged /branches/wmf-deployment/api.php:r60970
71	70	Merged /branches/REL1_15/phase3/api.php:r51646
Index: branches/wmf/1.17wmf1/load.php
—	—	@@ -37,11 +37,8 @@
38	38	//
39	39	if ( $wgRequest->isPathInfoBad() ) {
40	40	wfHttpError( 403, 'Forbidden',
41		~~- 'Invalid file extension found in PATH_INFO. ' .~~
42		~~- 'The resource loader must be accessed through the primary script entry point.' );~~
	41	+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
43	42	return;
44		~~- // FIXME: Doesn't this execute the rest of the request anyway?~~
45		~~- // Was taken from api.php so I guess it's maybe OK but it doesn't look good.~~
46	43	}
47	44
48	45	// Respond to resource loading request
Property changes on: branches/wmf/1.17wmf1/load.php
___________________________________________________________________
Added: svn:mergeinfo
49	46	Merged /branches/new-installer/phase3/load.php:r43664-66004
50	47	Merged /branches/wmf-deployment/load.php:r60970
51	48	Merged /branches/REL1_15/phase3/load.php:r51646
52	49	Merged /branches/wmf/1.16wmf4/load.php:r67177,69199,76243,77266
53	50	Merged /branches/REL1_17/phase3/load.php:r85846
54	51	Merged /branches/sqlite/load.php:r58211-58321
55	52	Merged /trunk/phase3/load.php:r79828,79830,79848,79853,79950-79951,79954,79989,80006-80007,80013,80016,80080,80083,80124,80128,80238,81833,83212,83590
56	53	Merged /branches/REL1_17/phase3/images/load.php:r85846
Index: branches/wmf/1.17wmf1/languages/messages/MessagesEn.php
—	—	@@ -2211,6 +2211,7 @@
2212	2212	This wiki is configured as a public wiki.
2213	2213	For optimal security, img_auth.php is disabled.',
2214	2214	'img-auth-noread' => 'User does not have access to read "$1".',
	2215	+'img-auth-bad-query-string' => 'The URL has an invalid query string.',
2215	2216
2216	2217	# HTTP errors
2217	2218	'http-invalid-url' => 'Invalid URL: $1',
Property changes on: branches/wmf/1.17wmf1/languages/messages/MessagesEn.php
___________________________________________________________________
Added: svn:mergeinfo
2218	2219	Merged /branches/sqlite/languages/messages/MessagesEn.php:r58211-58321
2219	2220	Merged /trunk/phase3/languages/messages/MessagesEn.php:r79828,79830,79848,79853,79950-79951,79954,79989,80006-80007,80013,80016,80080,80083,80124,80128,80238,83212
2220	2221	Merged /branches/REL1_17/phase3/images/languages/messages/MessagesEn.php:r85846
2221	2222	Merged /branches/new-installer/phase3/languages/messages/MessagesEn.php:r43664-66004
2222	2223	Merged /branches/wmf-deployment/languages/messages/MessagesEn.php:r60970
2223	2224	Merged /branches/REL1_15/phase3/languages/messages/MessagesEn.php:r51646
2224	2225	Merged /branches/wmf/1.16wmf4/languages/messages/MessagesEn.php:r67177,69199,76243,77266
2225	2226	Merged /branches/REL1_17/phase3/languages/messages/MessagesEn.php:r81465,85846

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r85844	Fix for bug 28235: IE6 looks for the file extension in the query string	tstarling	00:55, 12 April 2011

Status & tagging log

16:26, 27 April 2011 😂 (talk | contribs) changed the status of r85848 [removed: new added: ok]