From 3ef857fe4d25c9e5cfd4d73718988df591cf885d Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Tue, 12 Apr 2011 00:55:10 +0000
Subject: [PATCH] Fix for bug 28235: IE6 looks for the file extension in the query string
---
 api.php | 3 +--
 images/.htaccess | 6 ++++++
 img_auth.php | 7 +++++++
 includes/RawPage.php | 2 +-
 includes/WebRequest.php | 17 +++++++++++++++++
 languages/messages/MessagesEn.php | 1 +
 load.php | 5 +----
 7 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 images/.htaccess
diff --git a/api.php b/api.php
index 370884dffc..6ac1451487 100644
--- a/api.php
+++ b/api.php
@@ -55,8 +55,7 @@ $starttime = microtime( true );
 //
 if ( $wgRequest->isPathInfoBad() ) {
 wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
- 'The API must be accessed through the primary script entry point.' );
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
 return;
 }

diff --git a/images/.htaccess b/images/.htaccess
new file mode 100644
index 0000000000..e84a09522a
--- /dev/null
+++ b/images/.htaccess
@@ -0,0 +1,6 @@
+# Protect against bug 28235
+
+ RewriteEngine On
+ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
+ RewriteRule . - [forbidden]
+
diff --git a/img_auth.php b/img_auth.php
index e6485fc111..c9a2242059 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -38,6 +38,13 @@ if ( $wgImgAuthPublicTest
 wfForbidden('img-auth-accessdenied','img-auth-public');
 }

+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+{
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}
+
 $matches = WebRequest::getPathInfo();
 $path = $matches['title'];
 $filename = realpath( $wgUploadDirectory . $path );
diff --git a/includes/RawPage.php b/includes/RawPage.php
index a4d5400920..0608c222cf 100644
--- a/includes/RawPage.php
+++ b/includes/RawPage.php
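Review bot: The new images/.htaccess says nothing about when it applies; its only explanation is the bug number on the first line. The rule takes effect only where the web server reads .htaccess files and has mod_rewrite available, so installs on other servers, or with overrides disabled, presumably still serve /images/ URLs whose query string ends in an extension-like suffix. I would add a comment such as `# Only effective on Apache with mod_rewrite and .htaccess overrides enabled; other servers need an equivalent rule.` plus one line describing what bug 28235 is, since the tracker number alone does not tell an administrator why the 403 is returned.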
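Review bot: The pattern `'/\.[a-z]{1,4}$/i'` in the new img_auth.php check is a copy of the one added to WebRequest::isPathInfoBad() and of the RewriteCond in images/.htaccess, so any later change to what counts as an extension has to be made in three places. Unlike isPathInfoBad(), this copy is not limited by User-Agent; that looks deliberate for a file-serving script but the comment does not say so. I would move the query-string test into a single helper on WebRequest that both call sites use, and extend the comment to `// Check for bug 28235: QUERY_STRING overriding the correct extension (applies to all user agents)`. The script continues outside the hunk, so whether wfForbidden() ends the request before the file is read is not visible here.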
@@ -132,7 +132,7 @@ class RawPage {
 #
 # Just return a 403 Forbidden and get it over with.
 wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
 'Raw pages must be accessed through the primary script entry point.' );
 return;
 }
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index a48cd797dd..67a9bc2fec 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -776,10 +776,27 @@ class WebRequest {
 * but only by prefixing it with the script name and maybe some other stuff,
 * the extension is not mangled. So this should be a reasonably portable
 * way to perform this security check.
+ *
+ * Also checks for anything that looks like a file extension at the end of
+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+ * if there was no dot before the question mark (bug 28235).
 */
 public function isPathInfoBad() {
 global $wgScriptExtension;

+ if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer 6, and requests with missing UA
+ // headers that could be IE users behind a privacy proxy.
+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
+ || preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
+ {
+ return true;
+ }
+ }
+
 if ( !isset( $_SERVER['PATH_INFO'] ) ) {
 return false;
 }
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 2a65c2a6ef..46f5faf8e4 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -2261,6 +2261,7 @@ Only file access is allowed.',
 This wiki is configured as a public wiki.
 For optimal security, img_auth.php is disabled.',
 'img-auth-noread' => 'User does not have access to read "$1".',
+'img-auth-bad-query-string' => 'The URL has an invalid query string.',

 # HTTP errors
 'http-invalid-url' => 'Invalid URL: $1',
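Review bot: The user-agent test added to isPathInfoBad() matches only `MSIE 6`, while the docblock added just above it says IE 6 and earlier use the query string to pick the file type, so a client announcing `MSIE 5.x` passes the check. If earlier versions are meant to be covered, the second condition could read `|| preg_match( '/; *MSIE [1-6]\./', $_SERVER['HTTP_USER_AGENT'] ) )`; otherwise the docblock should state that only IE 6 is blocked. Because the result now depends on the User-Agent header, a shared cache in front of the entry points that call this method could hand a response generated for another browser to an IE 6 client unless the response varies on that header or is uncacheable; no cache headers are visible in this hunk, so that needs checking at the callers. The method body continues past the end of the hunk.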
diff --git a/load.php b/load.php
index 9f594e5f11..89aec9874d 100644
--- a/load.php
+++ b/load.php
@@ -37,11 +37,8 @@ wfProfileIn( 'load.php' );
 //
 if ( $wgRequest->isPathInfoBad() ) {
 wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
- 'The resource loader must be accessed through the primary script entry point.' );
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
 return;
- // FIXME: Doesn't this execute the rest of the request anyway?
- // Was taken from api.php so I guess it's maybe OK but it doesn't look good.
 }

 // Respond to resource loading request
--
2.20.1