r89248 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r89247‎ \| r89248 \| r89249 >
Date:	02:01, 1 June 2011
Author:	tstarling
Status:	ok (Comments)
Tags:
Comment:	* Only blacklist query string extensions which match /^[a-zA-Z0-9_-]+$/. This avoids blacklisting pretty much every api.php URL with a dot in it, due to extensions like "webm&smaxage=3600&maxage=3600&format=jsonfm" being detected. Such an extension is unlikely to be registered to a dangerous file type. The proposed regex matches all extensions registered in HKEY_CLASSES_ROOT on my Windows XP VM, but does not include the ampersand, so avoids matching multiple URL parameters. * Fixed a logic error in WebRequest::isPathInfoBad() from r88883, which caused dangerous PATH_INFO strings to be allowed as long as QUERY_STRING was set. * Refactored the query string checks in WebRequest and img_auth.php into a single new function: isQueryStringBad().
Modified paths:	/trunk/phase3/img_auth.php (modified) (history) /trunk/phase3/includes/WebRequest.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/WebRequest.php
—	—	@@ -785,10 +785,8 @@
786	786	public function isPathInfoBad() {
787	787	global $wgScriptExtension;
788	788
789		~~- if ( isset( $_SERVER['QUERY_STRING'] ) )~~
790		~~- {~~
791		~~- // Bug 28235~~
792		~~- return strval( self::findIE6Extension( $_SERVER['QUERY_STRING'] ) ) !== '';~~
	789	+ if ( $this->isQueryStringBad() ) {
	790	+ return true;
793	791	}
794	792
795	793	if ( !isset( $_SERVER['PATH_INFO'] ) ) {
—	—	@@ -876,6 +874,24 @@
877	875	}
878	876
879	877	/**
	878	+ * Check for a bad query string, which IE 6 will use as a potentially
	879	+ * insecure cache file extension. See bug 28235. Returns true if the
	880	+ * request should be disallowed.
	881	+ */
	882	+ public function isQueryStringBad() {
	883	+ if ( !isset( $_SERVER['QUERY_STRING'] ) ) {
	884	+ return false;
	885	+ }
	886	+
	887	+ $extension = self::findIE6Extension( $_SERVER['QUERY_STRING'] );
	888	+ if ( $extension === '' ) {
	889	+ return false;
	890	+ }
	891	+
	892	+ return (bool)preg_match( '/^[a-zA-Z0-9_-]+$/', $extension );
	893	+ }
	894	+
	895	+ /**
880	896	* Parse the Accept-Language header sent by the client into an array
881	897	* @return array( languageCode => q-value ) sorted by q-value in descending order
882	898	* May contain the "language" '*', which applies to languages other than those explicitly listed.
Index: trunk/phase3/img_auth.php
—	—	@@ -43,8 +43,7 @@
44	44	}
45	45
46	46	// Check for bug 28235: QUERY_STRING overriding the correct extension
47		~~-if ( isset( $_SERVER['QUERY_STRING'] )~~
48		~~- && preg_match( '/\.[^\\/:*?"<>\|%]+(#\|\?\|$)/i', $_SERVER['QUERY_STRING'] ) )~~
	47	+if ( $wgRequest->isQueryStringBad() )
49	48	{
50	49	wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
51	50	}

Follow-up revisions

Revision	Commit summary	Author	Date
r89249	Fix for r89248: don't run the regex if findIE6Extension returns false. Only a...	tstarling	02:05, 1 June 2011
r89291	Document r89248,r89249 isQueryStringBad()	platonides	21:22, 1 June 2011

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r88883	(bug 28840) URLs with dots break because of IE6 security check...	catrope	09:49, 26 May 2011

Comments

#Comment by Tim Starling (talk | contribs) 06:46, 5 July 2011

Removing backport tags since this has been superseded by r89627 etc.

Status & tagging log

06:46, 5 July 2011 Tim Starling (talk | contribs) changed the tags for r89248 [removed: 1.17wmf1,1.18]
19:10, 7 June 2011 Catrope (talk | contribs) changed the tags for r89248 [removed: 1.17]
23:07, 1 June 2011 Reedy (talk | contribs) changed the tags for r89248 [added: 1.18]
13:48, 1 June 2011 Catrope (talk | contribs) changed the tags for r89248 [added: 1.17,1.17wmf1]
13:38, 1 June 2011 Catrope (talk | contribs) changed the status of r89248 [removed: new added: ok]