r87997 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r87997 (previous r87996, next r87998)
Date: 15:52, 13 May 2011
Author: brion
Status: ok
Tags: needs-js-test
Comment:
* (bug 15461) Make IE8 turn off content sniffing. Everybody else should ignore this

Adding X-Content-Type-Options: nosniff header in WebStart.php so that it's *always* set, even for alternate entry points and when $wgOut gets disabled or overridden.

Note that this of course doesn't apply to uploaded images and such loaded directly -- the usual caveats still apply.

Have not tested to confirm that this actually protects against sniffing errors -- please test on IE8 and IE9.
Modified paths:
  • /trunk/phase3/includes/WebStart.php (modified)

Diff

Index: trunk/phase3/includes/WebStart.php
@@ -56,6 +56,11 @@
5757 }
5858 }
5959
 60+# bug 15461: Make IE8 turn off content sniffing. Everbody else should ignore this
 61+# We're adding it here so that it's *always* set, even for alternate entry
 62+# points and when $wgOut gets disabled or overridden.
 63+header( 'X-Content-Type-Options: nosniff' );
 64+
6065 $wgRequestTime = microtime(true);
6166 # getrusage() does not exist on the Microsoft Windows platforms, catching this
6267 if ( function_exists ( 'getrusage' ) ) {
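Review bot: the added header() call at line 63 ships with no verification that it has the intended effect, and the commit message itself says it is untested on IE8/IE9 while the revision is tagged needs-js-test; a test plan should accompany the change before it is marked ok (the simplest being to serve a raw page via ?action=raw to IE8 and check the response is not reinterpreted). Note also that header() only takes effect if no output has been sent yet, so the placement before `$wgRequestTime = microtime(true);` is only safe as long as nothing earlier in WebStart.php echoes; a short comment stating that assumption would make the intent explicit. Minor: the comment on the first added line copies the "Everbody" typo from the commit message.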

Sign-offs

User    Flag       Date
Hashar  inspected  19:03, 6 June 2011

Follow-up revisions

Revision  Commit summary                                                                      Author  Date
r99067    * (bug 31374) Pass relevant additional parameters for action=raw on Special:M...     brion   01:10, 6 October 2011
r99068    MFT r99067: fix bug 31400, followup to r87997....                                    brion   01:13, 6 October 2011

Comments

Comment by Hashar, 19:03, 6 June 2011

Brion, can you possibly provide a test plan. I might have IE8 on one of my computers but I do not know how to test your patch.

Comment by Hashar, 19:03, 6 June 2011

Please?  :-)

Comment by Brion VIBBER, 19:28, 6 June 2011

As a regression test, I suppose we would need:

  1. some sample dangerous files (as would get sent out via wfStreamFile through img_auth.php) and raw page contents (as via ?action=raw)
  2. selenium...? or qunit...? -based tests that use a live wiki to upload the files/add the pages, then load them back, and confirm that exploit code does *not* run with access to the local session
  3. ... uhhh... maybe some way to disable all our other checks so those things can actually get turned on in the first place ;)

A confirm-that-this-thing-works-in-general test could probably be done in the qunit tests, but could need a .php file or something to serve out the data.
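The check that the commit message describes (the header must be present on every PHP entry point, but files the web server serves straight from disk never get it) and the "confirm that this thing works in general" test Brion sketches above can both be exercised offline on captured response heads. The following is an added example, not MediaWiki code and not part of r87997: it parses raw HTTP response heads into a header map and reports every URL whose response lacks a valid `X-Content-Type-Options: nosniff`. The host example.org, the URLs and the response bytes in `SAMPLE_RESPONSES` are constructed samples; the second sample imitates an upload served directly by the web server, the case the commit message says is not covered, and the third shows a header that is present but carries the wrong value.

```python
"""Audit captured HTTP response heads for X-Content-Type-Options: nosniff.

Added example; not part of MediaWiki or of r87997. Every response below is a
constructed sample, not a capture from a real wiki.
"""
from typing import Dict, List, Tuple


def parse_response_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Return (status line, header map) for one raw HTTP response.

    Header names are lower-cased. A repeated header keeps every value, so the
    audit can reject a response that sends the header twice with differing
    values instead of silently trusting the first one.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # blank or malformed header line: ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def has_nosniff(headers: Dict[str, List[str]]) -> bool:
    """True only if the header is present and every value is exactly 'nosniff'."""
    values = headers.get("x-content-type-options", [])
    return bool(values) and all(v.lower() == "nosniff" for v in values)


def audit(responses: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each URL to whether its response carries a valid nosniff header."""
    return {url: has_nosniff(parse_response_head(raw)[1])
            for url, raw in responses.items()}


def missing_nosniff(responses: Dict[str, bytes]) -> List[str]:
    """URLs whose responses a sniffing browser is still free to reinterpret."""
    return sorted(url for url, ok in audit(responses).items() if not ok)


# Constructed sample responses for a hypothetical wiki at example.org.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    # Goes through WebStart.php, so r87997 adds the header.
    "http://example.org/w/index.php?title=Foo&action=raw": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/x-wiki; charset=UTF-8\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"\r\n"
        b"== Foo ==\r\n"
    ),
    # Served by the web server straight from the upload directory, never
    # touching PHP: the case the commit message says is not covered.
    "http://example.org/w/images/a/ab/Notes.txt": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"plain text body\r\n"
    ),
    # Header present but with a value browsers do not honour: counts as missing.
    "http://example.org/w/img_auth.php/a/ab/Private.txt": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain\r\n"
        b"X-Content-Type-Options: sniff-me\r\n"
        b"\r\n"
        b"restricted body\r\n"
    ),
}


if __name__ == "__main__":
    for url in missing_nosniff(SAMPLE_RESPONSES):
        print("missing nosniff:", url)
```

For a live wiki, replace `SAMPLE_RESPONSES` with heads captured from each entry point (index.php, img_auth.php and any others a deployment exposes) plus a direct fetch of an uploaded file; the first group should all pass once WebStart.php sets the header, while the direct fetch will only pass if the web server itself is configured to add it.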

Comment by Krinkle, 03:46, 15 March 2012

That's fine. The unit tests are run in a PHP environment, albeit with most files being HTML or JS. We have a php file already that generates a stylesheet to test @import and mw.loader.load and such.
