MediaWiki r29939 - Code Review

Repository: MediaWiki
Revision: r29938 | r29939 (on ViewVC) | r29940
Date: 01:18, 19 January 2008
Author: brion
Status: old (Comments)
Tags:
Comment:
Restore the complete prohibition on action=raw with arbitrary script entry points.
While only MSIE is known to let the URL's "extension" override the allowed mime types, other browsers will still happily download a file with the name from the URL. That seems unwise as the content may be arbitrary (and perhaps executable).
Modified paths:

Diff

Index: trunk/phase3/includes/RawPage.php
@@ -126,8 +126,7 @@
127127 $url = $_SERVER['PHP_SELF'];
128128 }
129129
130 - $ua = @$_SERVER['HTTP_USER_AGENT'];
131 - if( strcmp( $wgScript, $url ) && strpos( $ua, 'MSIE' ) !== false ) {
 130+ if( strcmp( $wgScript, $url ) ) {
132131 # Internet Explorer will ignore the Content-Type header if it
133132 # thinks it sees a file extension it recognizes. Make sure that
134133 # all raw requests are done through the script node, which will
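Review bot: the comment that follows the new condition at line 130 still justifies the check only by Internet Explorer ignoring the Content-Type header, but the condition no longer looks at the user agent, so the comment should also state the reason given in the commit message: other browsers will still download the response under the file name taken from the URL. Separately, `strcmp( $wgScript, $url )` used as a bare truth value reads as if it tested equality; since both operands are strings here, `$wgScript !== $url` or an explicit `!== 0` would make the "not the script entry point" intent obvious to the next reader.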

Past revisions this follows-up on

Rev. | Commit summary | Author | Date
r12922 | Fixes and improvements to interwiki transclusion:... | timstarling | 03:44, 31 January 2006

Comments

Comment by Platonides, 23:27, 14 November 2011

It had been allowed in r12922

Status & tagging log

  • 15:23, 12 September 2011 Meno25 changed the status of r29939 [removed: ok added: old]