r90649 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r90648‎ \| r90649 \| r90650 >
Date:	06:19, 23 June 2011
Author:	neilk
Status:	ok
Tags:
Comment:	encode periods in API arguments. There are now countermeasures in MediaWiki to possible XSS exploits that reject unencoded periods in the query args, so avoid triggering that.
Modified paths:	/trunk/extensions/UploadWizard/resources/mw.Api.js (modified) (history)

Diff [purge]

Index: trunk/extensions/UploadWizard/resources/mw.Api.js
—	—	@@ -122,7 +122,11 @@
123	123	ajax: function( parameters, ajaxOptions ) {
124	124	parameters = $j.extend( {}, this.defaults.parameters, parameters );
125	125	ajaxOptions = $j.extend( {}, this.defaults.ajax, ajaxOptions );
126		~~- ajaxOptions.data = parameters;~~
	126	+
	127	+ // Some deployed MediaWiki >= 1.17 forbid periods in URLs, due to an IE XSS bug
	128	+ // So let's escape them here. See bug #28235
	129	+ // This works because jQuery accepts data as a query string or as an Object
	130	+ ajaxOptions.data = $j.param( parameters ).replace( /\./g, '%2E' );
127	131
128	132	ajaxOptions.error = function( xhr, textStatus, exception ) {
129	133	ajaxOptions.err( 'http', { xhr: xhr, textStatus: textStatus, exception: exception } );

Follow-up revisions

Revision	Commit summary	Author	Date
r90676	MFT @ r90649, minus features unavailable in production branch--neilk	pdhanda	20:45, 23 June 2011
r90686	merged r90649	neilk	00:39, 24 June 2011

Status & tagging log

19:09, 23 June 2011 Catrope (talk | contribs) changed the status of r90649 [removed: new added: ok]