Index: branches/REL1_17/phase3/includes/WebRequest.php |
— | — | @@ -736,6 +736,62 @@ |
737 | 737 | } |
738 | 738 | |
739 | 739 | /** |
| 740 | + * Check if Internet Explorer will detect an incorrect cache extension in |
| 741 | + * PATH_INFO or QUERY_STRING. If the request can't be allowed, show an error |
| 742 | + * message or redirect to a safer URL. Returns true if the URL is OK, and |
| 743 | + * false if an error message has been shown and the request should be aborted. |
| 744 | + */ |
| 745 | + public function checkUrlExtension( $extWhitelist = array() ) { |
| 746 | + global $wgScriptExtension; |
| 747 | + $extWhitelist[] = ltrim( $wgScriptExtension, '.' ); |
| 748 | + if ( IEUrlExtension::areServerVarsBad( $_SERVER, $extWhitelist ) ) { |
| 749 | + if ( !$this->wasPosted() ) { |
| 750 | + $newUrl = IEUrlExtension::fixUrlForIE6( |
| 751 | + $this->getFullRequestURL(), $extWhitelist ); |
| 752 | + if ( $newUrl !== false ) { |
| 753 | + $this->doSecurityRedirect( $newUrl ); |
| 754 | + return false; |
| 755 | + } |
| 756 | + } |
| 757 | + wfHttpError( 403, 'Forbidden', |
| 758 | + 'Invalid file extension found in the path info or query string.' ); |
| 759 | + |
| 760 | + return false; |
| 761 | + } |
| 762 | + return true; |
| 763 | + } |
| 764 | + |
| 765 | + /** |
| 766 | + * Attempt to redirect to a URL with a QUERY_STRING that's not dangerous in |
| 767 | + * IE 6. Returns true if it was successful, false otherwise. |
| 768 | + */ |
| 769 | + protected function doSecurityRedirect( $url ) { |
| 770 | + header( 'Location: ' . $url ); |
| 771 | + header( 'Content-Type: text/html' ); |
| 772 | + $encUrl = htmlspecialchars( $url ); |
| 773 | + echo <<<HTML |
| 774 | +<html> |
| 775 | +<head> |
| 776 | +<title>Security redirect</title> |
| 777 | +</head> |
| 778 | +<body> |
| 779 | +<h1>Security redirect</h1> |
| 780 | +<p> |
| 781 | +We can't serve non-HTML content from the URL you have requested, because |
| 782 | +Internet Explorer would interpret it as an incorrect and potentially dangerous |
| 783 | +content type.</p> |
| 784 | +<p>Instead, please use <a href="$encUrl">this URL</a>, which is the same as the URL you have requested, except that |
| 785 | +"&*" is appended. This prevents Internet Explorer from seeing a bogus file |
| 786 | +extension. |
| 787 | +</p> |
| 788 | +</body> |
| 789 | +</html> |
| 790 | +HTML; |
| 791 | + echo "\n"; |
| 792 | + return true; |
| 793 | + } |
| 794 | + |
| 795 | + /** |
740 | 796 | * Returns true if the PATH_INFO ends with an extension other than a script |
741 | 797 | * extension. This could confuse IE for scripts that send arbitrary data which |
742 | 798 | * is not HTML but may be detected as such. |
— | — | @@ -753,30 +809,8 @@ |
754 | 810 | */ |
755 | 811 | public function isPathInfoBad() { |
756 | 812 | global $wgScriptExtension; |
757 | | - |
758 | | - if ( isset( $_SERVER['QUERY_STRING'] ) |
759 | | - && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
760 | | - { |
761 | | - // Bug 28235 |
762 | | - // Block only Internet Explorer, and requests with missing UA |
763 | | - // headers that could be IE users behind a privacy proxy. |
764 | | - if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) |
765 | | - || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) ) |
766 | | - { |
767 | | - return true; |
768 | | - } |
769 | | - } |
770 | | - |
771 | | - if ( !isset( $_SERVER['PATH_INFO'] ) ) { |
772 | | - return false; |
773 | | - } |
774 | | - $pi = $_SERVER['PATH_INFO']; |
775 | | - $dotPos = strrpos( $pi, '.' ); |
776 | | - if ( $dotPos === false ) { |
777 | | - return false; |
778 | | - } |
779 | | - $ext = substr( $pi, $dotPos ); |
780 | | - return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) ); |
| 813 | + $extWhitelist[] = ltrim( $wgScriptExtension, '.' ); |
| 814 | + return IEUrlExtension::areServerVarsBad( $_SERVER, $extWhitelist ); |
781 | 815 | } |
782 | 816 | |
783 | 817 | /** |
— | — | @@ -1025,7 +1059,11 @@ |
1026 | 1060 | $this->session[$key] = $data; |
1027 | 1061 | } |
1028 | 1062 | |
1029 | | - public function isPathInfoBad() { |
| 1063 | + public function isPathInfoBad( $extWhitelist = array() ) { |
1030 | 1064 | return false; |
1031 | 1065 | } |
| 1066 | + |
| 1067 | + public function checkUrlExtension( $extWhitelist = array() ) { |
| 1068 | + return true; |
| 1069 | + } |
1032 | 1070 | } |
Property changes on: branches/REL1_17/phase3/includes/WebRequest.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
1033 | 1071 | Merged /branches/REL1_18/phase3/includes/templates/WebRequest.php:r89627 |
1034 | 1072 | Merged /branches/REL1_18/phase3/includes/WebRequest.php:r89627 |
1035 | 1073 | Merged /trunk/phase3/includes/WebRequest.php:r89558 |
1036 | 1074 | Merged /branches/REL1_18/phase3/includes/libs/WebRequest.php:r89627 |
Index: branches/REL1_17/phase3/includes/AutoLoader.php |
— | — | @@ -475,6 +475,7 @@ |
476 | 476 | |
477 | 477 | # includes/libs |
478 | 478 | 'IEContentAnalyzer' => 'includes/libs/IEContentAnalyzer.php', |
| 479 | + 'IEUrlExtension' => 'includes/libs/IEUrlExtension.php', |
479 | 480 | 'Spyc' => 'includes/libs/spyc.php', |
480 | 481 | |
481 | 482 | # includes/media |
Property changes on: branches/REL1_17/phase3/includes/AutoLoader.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
482 | 483 | Merged /trunk/phase3/includes/AutoLoader.php:r89558 |
483 | 484 | Merged /branches/REL1_18/phase3/includes/libs/AutoLoader.php:r89627 |
484 | 485 | Merged /branches/REL1_18/phase3/includes/templates/AutoLoader.php:r89627 |
485 | 486 | Merged /branches/REL1_18/phase3/includes/AutoLoader.php:r89627 |
Index: branches/REL1_17/phase3/includes/RawPage.php |
— | — | @@ -118,22 +118,8 @@ |
119 | 119 | function view() { |
120 | 120 | global $wgOut, $wgRequest; |
121 | 121 | |
122 | | - if( $wgRequest->isPathInfoBad() ) { |
123 | | - # Internet Explorer will ignore the Content-Type header if it |
124 | | - # thinks it sees a file extension it recognizes. Make sure that |
125 | | - # all raw requests are done through the script node, which will |
126 | | - # have eg '.php' and should remain safe. |
127 | | - # |
128 | | - # We used to redirect to a canonical-form URL as a general |
129 | | - # backwards-compatibility / good-citizen nice thing. However |
130 | | - # a lot of servers are set up in buggy ways, resulting in |
131 | | - # redirect loops which hang the browser until the CSS load |
132 | | - # times out. |
133 | | - # |
134 | | - # Just return a 403 Forbidden and get it over with. |
135 | | - wfHttpError( 403, 'Forbidden', |
136 | | - 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' . |
137 | | - 'Raw pages must be accessed through the primary script entry point.' ); |
| 122 | + if( !$wgRequest->checkUrlExtension() ) { |
| 123 | + $wgOut->disable(); |
138 | 124 | return; |
139 | 125 | } |
140 | 126 | |
Property changes on: branches/REL1_17/phase3/includes/RawPage.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
141 | 127 | Merged /branches/REL1_18/phase3/includes/templates/RawPage.php:r89627 |
142 | 128 | Merged /branches/REL1_18/phase3/includes/RawPage.php:r89627 |
143 | 129 | Merged /trunk/phase3/includes/RawPage.php:r89397,89558 |
144 | 130 | Merged /branches/REL1_18/phase3/includes/libs/RawPage.php:r89627 |
Index: branches/REL1_17/phase3/includes/libs/IEUrlExtension.php |
— | — | @@ -0,0 +1,247 @@ |
| 2 | +<?php |
| 3 | + |
| 4 | +/** |
| 5 | + * Internet Explorer derives a cache filename from a URL, and then in certain |
| 6 | + * circumstances, uses the extension of the resulting file to determine the |
| 7 | + * content type of the data, ignoring the Content-Type header. |
| 8 | + * |
| 9 | + * This can be a problem, especially when non-HTML content is sent by MediaWiki, |
| 10 | + * and Internet Explorer interprets it as HTML, exposing an XSS vulnerability. |
| 11 | + * |
| 12 | + * Usually the script filename (e.g. api.php) is present in the URL, and this |
| 13 | + * makes Internet Explorer think the extension is a harmless script extension. |
| 14 | + * But Internet Explorer 6 and earlier allows the script extension to be |
| 15 | + * obscured by encoding the dot as "%2E". |
| 16 | + * |
| 17 | + * This class contains functions which help in detecting and dealing with this |
| 18 | + * situation. |
| 19 | + * |
| 20 | + * Checking the URL for a bad extension is somewhat complicated due to the fact |
| 21 | + * that CGI doesn't provide a standard method to determine the URL. Instead it |
| 22 | + * is necessary to pass a subset of $_SERVER variables, which we then attempt |
| 23 | + * to use to guess parts of the URL. |
| 24 | + */ |
| 25 | +class IEUrlExtension { |
| 26 | + /** |
| 27 | + * Check a subset of $_SERVER (or the whole of $_SERVER if you like) |
| 28 | + * to see if it indicates that the request was sent with a bad file |
| 29 | + * extension. Returns true if the request should be denied or modified, |
| 30 | + * false otherwise. The relevant $_SERVER elements are: |
| 31 | + * |
| 32 | + * - SERVER_SOFTWARE |
| 33 | + * - REQUEST_URI |
| 34 | + * - QUERY_STRING |
| 35 | + * - PATH_INFO |
| 36 | + * |
| 37 | + * If the a variable is unset in $_SERVER, it should be unset in $vars. |
| 38 | + * |
| 39 | + * @param $vars A subset of $_SERVER. |
| 40 | + * @param $extWhitelist Extensions which are allowed, assumed harmless. |
| 41 | + */ |
| 42 | + public static function areServerVarsBad( $vars, $extWhitelist = array() ) { |
| 43 | + // Check QUERY_STRING or REQUEST_URI |
| 44 | + if ( isset( $vars['SERVER_SOFTWARE'] ) |
| 45 | + && isset( $vars['REQUEST_URI'] ) |
| 46 | + && self::haveUndecodedRequestUri( $vars['SERVER_SOFTWARE'] ) ) |
| 47 | + { |
| 48 | + $urlPart = $vars['REQUEST_URI']; |
| 49 | + } elseif ( isset( $vars['QUERY_STRING'] ) ) { |
| 50 | + $urlPart = $vars['QUERY_STRING']; |
| 51 | + } else { |
| 52 | + $urlPart = ''; |
| 53 | + } |
| 54 | + |
| 55 | + if ( self::isUrlExtensionBad( $urlPart, $extWhitelist ) ) { |
| 56 | + return true; |
| 57 | + } |
| 58 | + |
| 59 | + // Some servers have PATH_INFO but not REQUEST_URI, so we check both |
| 60 | + // to be on the safe side. |
| 61 | + if ( isset( $vars['PATH_INFO'] ) |
| 62 | + && self::isUrlExtensionBad( $vars['PATH_INFO'], $extWhitelist ) ) |
| 63 | + { |
| 64 | + return true; |
| 65 | + } |
| 66 | + |
| 67 | + // All checks passed |
| 68 | + return false; |
| 69 | + } |
| 70 | + |
| 71 | + /** |
| 72 | + * Given a right-hand portion of a URL, determine whether IE would detect |
| 73 | + * a potentially harmful file extension. |
| 74 | + * |
| 75 | + * @param $urlPart The right-hand portion of a URL |
| 76 | + * @param $extWhitelist An array of file extensions which may occur in this |
| 77 | + * URL, and which should be allowed. |
| 78 | + * @return bool |
| 79 | + */ |
| 80 | + public static function isUrlExtensionBad( $urlPart, $extWhitelist = array() ) { |
| 81 | + if ( strval( $urlPart ) === '' ) { |
| 82 | + return false; |
| 83 | + } |
| 84 | + |
| 85 | + $extension = self::findIE6Extension( $urlPart ); |
| 86 | + if ( strval( $extension ) === '' ) { |
| 87 | + // No extension or empty extension |
| 88 | + return false; |
| 89 | + } |
| 90 | + |
| 91 | + if ( in_array( $extension, array( 'php', 'php5' ) ) ) { |
| 92 | + // Script extension, OK |
| 93 | + return false; |
| 94 | + } |
| 95 | + if ( in_array( $extension, $extWhitelist ) ) { |
| 96 | + // Whitelisted extension |
| 97 | + return false; |
| 98 | + } |
| 99 | + |
| 100 | + if ( !preg_match( '/^[a-zA-Z0-9_-]+$/', $extension ) ) { |
| 101 | + // Non-alphanumeric extension, unlikely to be registered. |
| 102 | + // |
| 103 | + // The regex above is known to match all registered file extensions |
| 104 | + // in a default Windows XP installation. It's important to allow |
| 105 | + // extensions with ampersands and percent signs, since that reduces |
| 106 | + // the number of false positives substantially. |
| 107 | + return false; |
| 108 | + } |
| 109 | + |
| 110 | + // Possibly bad extension |
| 111 | + return true; |
| 112 | + } |
| 113 | + |
| 114 | + /** |
| 115 | + * Returns a variant of $url which will pass isUrlExtensionBad() but has the |
| 116 | + * same GET parameters, or false if it can't figure one out. |
| 117 | + */ |
| 118 | + public static function fixUrlForIE6( $url, $extWhitelist = array() ) { |
| 119 | + $questionPos = strpos( $url, '?' ); |
| 120 | + if ( $questionPos === false ) { |
| 121 | + $beforeQuery = $url . '?'; |
| 122 | + $query = ''; |
| 123 | + } elseif ( $questionPos === strlen( $url ) - 1 ) { |
| 124 | + $beforeQuery = $url; |
| 125 | + $query = ''; |
| 126 | + } else { |
| 127 | + $beforeQuery = substr( $url, 0, $questionPos + 1 ); |
| 128 | + $query = substr( $url, $questionPos + 1 ); |
| 129 | + } |
| 130 | + |
| 131 | + // Multiple question marks cause problems. Encode the second and |
| 132 | + // subsequent question mark. |
| 133 | + $query = str_replace( '?', '%3E', $query ); |
| 134 | + // Append an invalid path character so that IE6 won't see the end of the |
| 135 | + // query string as an extension |
| 136 | + $query .= '&*'; |
| 137 | + // Put the URL back together |
| 138 | + $url = $beforeQuery . $query; |
| 139 | + if ( self::isUrlExtensionBad( $url, $extWhitelist ) ) { |
| 140 | + // Avoid a redirect loop |
| 141 | + return false; |
| 142 | + } |
| 143 | + return $url; |
| 144 | + } |
| 145 | + |
| 146 | + /** |
| 147 | + * Determine what extension IE6 will infer from a certain query string. |
| 148 | + * If the URL has an extension before the question mark, IE6 will use |
| 149 | + * that and ignore the query string, but per the comment at |
| 150 | + * isPathInfoBad() we don't have a reliable way to determine the URL, |
| 151 | + * so isPathInfoBad() just passes in the query string for $url. |
| 152 | + * All entry points have safe extensions (php, php5) anyway, so |
| 153 | + * checking the query string is possibly overly paranoid but never |
| 154 | + * insecure. |
| 155 | + * |
| 156 | + * The criteria for finding an extension are as follows: |
| 157 | + * - a possible extension is a dot followed by one or more characters not |
| 158 | + * in <>\"/:|?.# |
| 159 | + * - if we find a possible extension followed by the end of the string or |
| 160 | + * a #, that's our extension |
| 161 | + * - if we find a possible extension followed by a ?, that's our extension |
| 162 | + * - UNLESS it's exe, dll or cgi, in which case we ignore it and continue |
| 163 | + * searching for another possible extension |
| 164 | + * - if we find a possible extension followed by a dot or another illegal |
| 165 | + * character, we ignore it and continue searching |
| 166 | + * |
| 167 | + * @param $url string URL |
| 168 | + * @return mixed Detected extension (string), or false if none found |
| 169 | + */ |
| 170 | + public static function findIE6Extension( $url ) { |
| 171 | + $pos = 0; |
| 172 | + $hashPos = strpos( $url, '#' ); |
| 173 | + if ( $hashPos !== false ) { |
| 174 | + $urlLength = $hashPos; |
| 175 | + } else { |
| 176 | + $urlLength = strlen( $url ); |
| 177 | + } |
| 178 | + $remainingLength = $urlLength; |
| 179 | + while ( $remainingLength > 0 ) { |
| 180 | + // Skip ahead to the next dot |
| 181 | + $pos += strcspn( $url, '.', $pos, $remainingLength ); |
| 182 | + if ( $pos >= $urlLength ) { |
| 183 | + // End of string, we're done |
| 184 | + return false; |
| 185 | + } |
| 186 | + |
| 187 | + // We found a dot. Skip past it |
| 188 | + $pos++; |
| 189 | + $remainingLength = $urlLength - $pos; |
| 190 | + |
| 191 | + // Check for illegal characters in our prospective extension, |
| 192 | + // or for another dot |
| 193 | + $nextPos = $pos + strcspn( $url, "<>\\\"/:|?*.", $pos, $remainingLength ); |
| 194 | + if ( $nextPos >= $urlLength ) { |
| 195 | + // No illegal character or next dot |
| 196 | + // We have our extension |
| 197 | + return substr( $url, $pos, $urlLength - $pos ); |
| 198 | + } |
| 199 | + if ( $url[$nextPos] === '?' ) { |
| 200 | + // We've found a legal extension followed by a question mark |
| 201 | + // If the extension is NOT exe, dll or cgi, return it |
| 202 | + $extension = substr( $url, $pos, $nextPos - $pos ); |
| 203 | + if ( strcasecmp( $extension, 'exe' ) && strcasecmp( $extension, 'dll' ) && |
| 204 | + strcasecmp( $extension, 'cgi' ) ) |
| 205 | + { |
| 206 | + return $extension; |
| 207 | + } |
| 208 | + // Else continue looking |
| 209 | + } |
| 210 | + // We found an illegal character or another dot |
| 211 | + // Skip to that character and continue the loop |
| 212 | + $pos = $nextPos + 1; |
| 213 | + $remainingLength = $urlLength - $pos; |
| 214 | + } |
| 215 | + return false; |
| 216 | + } |
| 217 | + |
| 218 | + /** |
| 219 | + * When passed the value of $_SERVER['SERVER_SOFTWARE'], this function |
| 220 | + * returns true if that server is known to have a REQUEST_URI variable |
| 221 | + * with %2E not decoded to ".". On such a server, it is possible to detect |
| 222 | + * whether the script filename has been obscured. |
| 223 | + * |
| 224 | + * The function returns false if the server is not known to have this |
| 225 | + * behaviour. Microsoft IIS in particular is known to decode escaped script |
| 226 | + * filenames. |
| 227 | + * |
| 228 | + * SERVER_SOFTWARE typically contains either a plain string such as "Zeus", |
| 229 | + * or a specification in the style of a User-Agent header, such as |
| 230 | + * "Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.8a PHP/4.4.2" |
| 231 | + * |
| 232 | + * @param $serverSoftware |
| 233 | + * @return bool |
| 234 | + * |
| 235 | + */ |
| 236 | + public static function haveUndecodedRequestUri( $serverSoftware ) { |
| 237 | + static $whitelist = array( |
| 238 | + 'Apache', |
| 239 | + 'Zeus', |
| 240 | + 'LiteSpeed' ); |
| 241 | + if ( preg_match( '/^(.*?)($|\/| )/', $serverSoftware, $m ) ) { |
| 242 | + return in_array( $m[1], $whitelist ); |
| 243 | + } else { |
| 244 | + return false; |
| 245 | + } |
| 246 | + } |
| 247 | + |
| 248 | +} |
Property changes on: branches/REL1_17/phase3/includes/libs/IEUrlExtension.php |
___________________________________________________________________ |
Added: svn:mergeinfo |
1 | 249 | Merged /branches/REL1_15/phase3/includes/libs/IEUrlExtension.php:r51646 |
2 | 250 | Merged /branches/sqlite/includes/libs/IEUrlExtension.php:r58211-58321 |
3 | 251 | Merged /branches/new-installer/phase3/includes/libs/IEUrlExtension.php:r43664-66004 |
4 | 252 | Merged /branches/wmf-deployment/includes/libs/IEUrlExtension.php:r53381 |
Added: svn:eol-style |
5 | 253 | + native |
Index: branches/REL1_17/phase3/img_auth.php |
— | — | @@ -37,13 +37,6 @@ |
38 | 38 | wfForbidden('img-auth-accessdenied','img-auth-public'); |
39 | 39 | } |
40 | 40 | |
41 | | -// Check for bug 28235: QUERY_STRING overriding the correct extension |
42 | | -if ( isset( $_SERVER['QUERY_STRING'] ) |
43 | | - && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) |
44 | | -{ |
45 | | - wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' ); |
46 | | -} |
47 | | - |
48 | 41 | // Extract path and image information |
49 | 42 | if( !isset( $_SERVER['PATH_INFO'] ) ) { |
50 | 43 | $path = $wgRequest->getText( 'path' ); |
— | — | @@ -55,6 +48,17 @@ |
56 | 49 | $path = $_SERVER['PATH_INFO']; |
57 | 50 | } |
58 | 51 | |
| 52 | +// Check for bug 28235: QUERY_STRING overriding the correct extension |
| 53 | +$dotPos = strpos( $path, '.' ); |
| 54 | +$whitelist = array(); |
| 55 | +if ( $dotPos !== false ) { |
| 56 | + $whitelist[] = substr( $path, $dotPos + 1 ); |
| 57 | +} |
| 58 | +if ( !$wgRequest->checkUrlExtension( $whitelist ) ) |
| 59 | +{ |
| 60 | + return; |
| 61 | +} |
| 62 | + |
59 | 63 | $filename = realpath( $wgUploadDirectory . $path ); |
60 | 64 | $realUpload = realpath( $wgUploadDirectory ); |
61 | 65 | |
Property changes on: branches/REL1_17/phase3/img_auth.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
62 | 66 | Merged /branches/REL1_18/phase3/img_auth.php:r89627 |
Index: branches/REL1_17/phase3/api.php |
— | — | @@ -44,18 +44,7 @@ |
45 | 45 | $starttime = microtime( true ); |
46 | 46 | |
47 | 47 | // URL safety checks |
48 | | -// |
49 | | -// See RawPage.php for details; summary is that MSIE can override the |
50 | | -// Content-Type if it sees a recognized extension on the URL, such as |
51 | | -// might be appended via PATH_INFO after 'api.php'. |
52 | | -// |
53 | | -// Some data formats can end up containing unfiltered user-provided data |
54 | | -// which will end up triggering HTML detection and execution, hence |
55 | | -// XSS injection and all that entails. |
56 | | -// |
57 | | -if ( $wgRequest->isPathInfoBad() ) { |
58 | | - wfHttpError( 403, 'Forbidden', |
59 | | - 'Invalid file extension found in PATH_INFO or QUERY_STRING.' ); |
| 48 | +if ( !$wgRequest->checkUrlExtension() ) { |
60 | 49 | return; |
61 | 50 | } |
62 | 51 | |
Property changes on: branches/REL1_17/phase3/api.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
63 | 52 | Merged /branches/REL1_18/phase3/api.php:r89627 |
64 | 53 | Merged /trunk/phase3/api.php:r87632,87636,87640,87644,89397 |
Index: branches/REL1_17/phase3/load.php |
— | — | @@ -27,17 +27,7 @@ |
28 | 28 | wfProfileIn( 'load.php' ); |
29 | 29 | |
30 | 30 | // URL safety checks |
31 | | -// |
32 | | -// See RawPage.php for details; summary is that MSIE can override the |
33 | | -// Content-Type if it sees a recognized extension on the URL, such as |
34 | | -// might be appended via PATH_INFO after 'load.php'. |
35 | | -// |
36 | | -// Some resources can contain HTML-like strings (e.g. in messages) |
37 | | -// which will end up triggering HTML detection and execution. |
38 | | -// |
39 | | -if ( $wgRequest->isPathInfoBad() ) { |
40 | | - wfHttpError( 403, 'Forbidden', |
41 | | - 'Invalid file extension found in PATH_INFO or QUERY_STRING.' ); |
| 31 | +if ( !$wgRequest->checkUrlExtension() ) { |
42 | 32 | return; |
43 | 33 | } |
44 | 34 | |
Property changes on: branches/REL1_17/phase3/load.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
45 | 35 | Merged /branches/REL1_18/phase3/load.php:r89627 |
46 | 36 | Merged /trunk/phase3/load.php:r87632,87636,87640,87644,89397 |
Index: branches/REL1_17/phase3/RELEASE-NOTES |
— | — | @@ -38,6 +38,13 @@ |
39 | 39 | * The lowest supported version of PHP is now 5.2.3. If necessary, please |
40 | 40 | upgrade PHP prior to upgrading MediaWiki. |
41 | 41 | |
| 42 | +=== Changes since 1.17 beta 1 === |
| 43 | + |
| 44 | +* (bug 28840) Reduce the collateral damage caused by the fix for bug 28235 (XSS |
| 45 | + on Internet Explorer 6 due to a file extension in the query string) by |
| 46 | + reducing the number of URLs that are blocked, and by redirecting the request |
| 47 | + to a safer URL where possible instead of blocking it. |
| 48 | + |
42 | 49 | === Configuration changes in 1.17 === |
43 | 50 | |
44 | 51 | * $wgLogAutocreatedAccounts controls whether autocreation of accounts is logged |