r86031 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r86030‎ \| r86031 \| r86032 >
Date:	07:15, 14 April 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	MFT r86027: fix IE6 XSS again
Modified paths:	/branches/wmf/1.17wmf1/img_auth.php (modified) (history) /branches/wmf/1.17wmf1/includes/WebRequest.php (modified) (history)

Diff [purge]

Index: branches/wmf/1.17wmf1/includes/WebRequest.php
—	—	@@ -755,7 +755,7 @@
756	756	global $wgScriptExtension;
757	757
758	758	if ( isset( $_SERVER['QUERY_STRING'] )
759		~~- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )~~
	759	+ && preg_match( '/\.[a-z0-9]{1,4}(#\|\?\|$)/i', $_SERVER['QUERY_STRING'] ) )
760	760	{
761	761	// Bug 28235
762	762	// Block only Internet Explorer, and requests with missing UA
Index: branches/wmf/1.17wmf1/img_auth.php
—	—	@@ -39,7 +39,7 @@
40	40
41	41	// Check for bug 28235: QUERY_STRING overriding the correct extension
42	42	if ( isset( $_SERVER['QUERY_STRING'] )
43		~~- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )~~
	43	+ && preg_match( '/\.[a-z0-9]{1,4}(#\|\?\|$)/i', $_SERVER['QUERY_STRING'] ) )
44	44	{
45	45	wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
46	46	}

Revision	Commit summary	Author	Date
r86027	(bug 28507) Fix for r85844: that revision was not actually sufficient to fix ...	tstarling	07:10, 14 April 2011

22:33, 15 April 2011 Reedy (talk | contribs) changed the status of r86031 [removed: new added: ok]