From c8c176f7de6e017727c85fe0a7c0d80709f0081b Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Wed, 23 Jan 2008 23:45:46 +0000
Subject: [PATCH] * Security fix for API on MSIE

---
 RELEASE-NOTES |  1 +
 api.php       | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 3b18aa96d1..2e3865380b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -334,6 +334,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
   mystery failures when using $wgThumbnailScriptPath.
 * (bug 12327) Comma in username no longer disrupts mail headers
 * (bug 6436) Localization of Special:Import XML parser Error message(s).
+* Security fix for API on MSIE
 
 
 == Parser changes in 1.12 ==
diff --git a/api.php b/api.php
index fa85573df5..ce445ef4aa 100644
--- a/api.php
+++ b/api.php
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
 
 wfProfileIn('api.php');
 
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+	$url = $_SERVER['SCRIPT_URL'];
+} else {
+	$url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+	wfHttpError( 403, 'Forbidden',
+		'API must be accessed through the primary script entry point.' );
+	return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 	echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
-- 
2.20.1