//
if ( $wgRequest->isPathInfoBad() ) {
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
- 'The API must be accessed through the primary script entry point.' );
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
return;
}
--- /dev/null
+# Protect against bug 28235
+<IfModule rewrite_module>
+ RewriteEngine On
+ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
+ RewriteRule . - [forbidden]
+</IfModule>
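Review bot: The RewriteCond at L13 denies the request for every client, whereas isPathInfoBad() elsewhere in this change only rejects IE 6 and UA-less requests, so any request to this directory whose query string ends in a token like `?v=1.png` is refused regardless of browser; if this directory is served without PHP that may be the intent, but the comment at L10 should say so. Note also that `%{QUERY_STRING}` is the raw, undecoded string, so a percent-encoded dot (`%2Ehtml`) is not matched by `\.[a-z]{1,4}$`; whether IE's sniffing decodes it first is not established by this diff, so either confirm or document the gap. Suggested comment for L10: `# Bug 28235: deny any request whose query string ends in a file-extension-like token (IE <= 6 MIME sniffing). Applies to all clients, raw query string only.`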
wfForbidden('img-auth-accessdenied','img-auth-public');
}
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+{
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}
+
$matches = WebRequest::getPathInfo();
$path = $matches['title'];
$filename = realpath( $wgUploadDirectory . $path );
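Review bot: The wfForbidden() call added at L22 is not followed by a `return;`, so unless wfForbidden() itself terminates the request (its definition is outside this hunk), execution continues into the path handling at L25–L27 after the 403 has already been emitted. The existing call at L16 has the same shape, so this may be the file's convention, but it is worth confirming; if wfForbidden() only sends headers and a body, add `return;` directly after L22. The enclosing function starts outside the hunk.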
#
# Just return a 403 Forbidden and get it over with.
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
'Raw pages must be accessed through the primary script entry point.' );
return;
}
* but only by prefixing it with the script name and maybe some other stuff,
* the extension is not mangled. So this should be a reasonably portable
* way to perform this security check.
+ *
+ * Also checks for anything that looks like a file extension at the end of
+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+ * if there was no dot before the question mark (bug 28235).
*/
public function isPathInfoBad() {
global $wgScriptExtension;
+ if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer 6, and requests with missing UA
+ // headers that could be IE users behind a privacy proxy.
+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
+ || preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
+ {
+ return true;
+ }
+ }
+
if ( !isset( $_SERVER['PATH_INFO'] ) ) {
return false;
}
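Review bot: The docblock added at L40–42 says the query-string check targets "IE 6 and earlier", but the user-agent test at L53 (`/; *MSIE 6/`) matches only IE 6, so a `MSIE 5.5` or `MSIE 5.01` agent string passes through with the trailing extension intact. If older IE is really in scope, widen the pattern, e.g. `preg_match( '/; *MSIE [1-6]\./', $_SERVER['HTTP_USER_AGENT'] )`; otherwise align the comment with the code. The `[a-z]{1,4}` class at L47 also excludes digit-bearing extensions such as `.mp3` or `.7z`, mirroring the .htaccess rule in this change; whether IE sniffs on those is not established here, so a one-line comment stating that the scope is intentional would help the next reader.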
This wiki is configured as a public wiki.
For optimal security, img_auth.php is disabled.',
'img-auth-noread' => 'User does not have access to read "$1".',
+'img-auth-bad-query-string' => 'The URL has an invalid query string.',
# HTTP errors
'http-invalid-url' => 'Invalid URL: $1',
//
if ( $wgRequest->isPathInfoBad() ) {
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
- 'The resource loader must be accessed through the primary script entry point.' );
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
return;
- // FIXME: Doesn't this execute the rest of the request anyway?
- // Was taken from api.php so I guess it's maybe OK but it doesn't look good.
}
// Respond to resource loading request