From ab6758a697672628acc687afbd78a18e083cab4d Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Wed, 14 Aug 2013 09:31:05 -0700
Subject: [PATCH] SECURITY: Fix extension detection with 2 .'s

Fix IE6 extension detection, to prevent XSS in the API response.

Bug: 52746
Change-Id: If58a81b62209b36bd143a1766a8a20c9c34dbe3b
---
 includes/libs/IEUrlExtension.php | 2 +-
 tests/phpunit/includes/libs/IEUrlExtensionTest.php | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/includes/libs/IEUrlExtension.php b/includes/libs/IEUrlExtension.php
index 79387e632d..49d05d4b72 100644
--- a/includes/libs/IEUrlExtension.php
+++ b/includes/libs/IEUrlExtension.php
@@ -232,7 +232,7 @@ class IEUrlExtension {
 }
 // We found an illegal character or another dot
 // Skip to that character and continue the loop
- $pos = $nextPos + 1;
+ $pos = $nextPos;
 $remainingLength = $urlLength - $pos;
 }
 return false;
diff --git a/tests/phpunit/includes/libs/IEUrlExtensionTest.php b/tests/phpunit/includes/libs/IEUrlExtensionTest.php
index 984907b184..d04dd7d4df 100644
--- a/tests/phpunit/includes/libs/IEUrlExtensionTest.php
+++ b/tests/phpunit/includes/libs/IEUrlExtensionTest.php
@@ -115,4 +115,12 @@ class IEUrlExtensionTest extends MediaWikiTestCase {
 'Dot at end of string'
 );
 }
+
+ function testTwoDots() {
+ $this->assertEquals(
+ 'z',
+ IEUrlExtension::findIE6Extension( 'x.y.z' ),
+ 'Two dots'
+ );
+ }
 }
--
2.20.1
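Review bot: In includes/libs/IEUrlExtension.php, the comment above the changed assignment still says only "Skip to that character and continue the loop" and does not record why the position must rest on that character and not one past it. Going by the commit subject, when the character is a second dot the next loop pass presumably has to see it so the text after it is tried as an extension; the loop head is outside this hunk, so that should be confirmed there. I would extend the comment, for example `// Stay on the character itself: if it is a dot, the next pass must start a new extension candidate from it`, so that a later cleanup does not restore the `+ 1` and reopen the content-sniffing gap. The enclosing method begins and ends outside the hunk.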
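Review bot: In tests/phpunit/includes/libs/IEUrlExtensionTest.php, testTwoDots() pins only the bare `'x.y.z'` input, while the commit message ties the bug to the API response, where URLs normally carry a query string. For a security regression test I would add at least one case with a query string after the second extension and one with consecutive dots, e.g. `$this->assertEquals( 'z', IEUrlExtension::findIE6Extension( 'x.y.z?foo' ), 'Two dots with query' );` and the same assertion for `'x..z'`. The expected values should be confirmed against findIE6Extension(), which is not visible in this hunk. As a smaller style point, `assertSame` would avoid loose comparison between the expected string and a possible `false` return.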