MediaWiki r29939 - Code Review

Jump to: navigation, search
Repository:MediaWiki
Revision:r29938‎ | r29939 (on ViewVC)‎ | r29940 >
Date:01:18, 19 January 2008
Author:brion
Status:old (Comments)
Tags:
Comment:
Restore the complete prohibition on action=raw with arbitrary script entry points.
While only MSIE is known to let the URL's "extension" override the allowed mime types, other browsers will still happily download a file with the name from the URL. That seems unwise as the content may be arbitrary (and perhaps executable).
Modified paths:

Diff [purge]

Index: trunk/phase3/includes/RawPage.php
===================================================================
--- trunk/phase3/includes/RawPage.php	(revision 29938)
+++ trunk/phase3/includes/RawPage.php	(revision 29939)
@@ -126,8 +126,7 @@
 			$url = $_SERVER['PHP_SELF'];
 		}
 		
-		$ua = @$_SERVER['HTTP_USER_AGENT'];
-		if( strcmp( $wgScript, $url ) && strpos( $ua, 'MSIE' ) !== false ) {
+		if( strcmp( $wgScript, $url ) ) {
 			# Internet Explorer will ignore the Content-Type header if it
 			# thinks it sees a file extension it recognizes. Make sure that
 			# all raw requests are done through the script node, which will

Comments

#Comment by Platonides (Talk | contribs)   23:27, 14 November 2011

It had been allowed in r12922

Status & tagging log

  • 15:23, 12 September 2011 Meno25 (Talk | contribs) changed the status of r29939 [removed: ok added: old]
Retrieved from "http://www.mediawiki.org/wiki/Special:Code/MediaWiki/29939"
Personal tools
Namespaces
Variants
Views
Actions
Site
Support
Download
Development
Communication
Toolbox