From db4afa47abe81552897201f6b9034bee5ca6e5b2 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Sat, 23 Apr 2005 08:51:39 +0000
Subject: [PATCH] Changes to raw page security handler: * Use SCRIPT_URL
 instead of PHP_SELF if available. This fixes a problem with some hosts using
 rewrite rules for subdomains and CGI PHP which breaks PHP_SELF. * Instead of
 redirecting to the canonical URL on a suspect, just return a 403 Forbidden
 error. This might annoy a small number of people manually constructing
 incorrect action=raw URLs, but should be much less invasive than an infinite
 redirect loop when there are configuration bugs.

---
 includes/RawPage.php | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/includes/RawPage.php b/includes/RawPage.php
index 899de6d801..fdbd0a8787 100644
--- a/includes/RawPage.php
+++ b/includes/RawPage.php
@@ -55,21 +55,36 @@ class RawPage {
 	function view() {
 		global $wgUser, $wgOut, $wgScript;
 
-		if( strcmp( $wgScript, $_SERVER['PHP_SELF'] ) ) {
+		if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+			# Normally we use PHP_SELF to get the URL to the script
+			# as it was called, minus the query string.
+			#
+			# Some sites use Apache rewrite rules to handle subdomains,
+			# and have PHP set up in a weird way that causes PHP_SELF
+			# to contain the rewritten URL instead of the one that the
+			# outside world sees.
+			#
+			# If in this mode, use SCRIPT_URL instead, which mod_rewrite
+			# provides containing the "before" URL.
+			$url = $_SERVER['SCRIPT_URL'];
+		} else {
+			$url = $_SERVER['PHP_SELF'];
+		}
+		if( strcmp( $wgScript, $url ) ) {
 			# Internet Explorer will ignore the Content-Type header if it
 			# thinks it sees a file extension it recognizes. Make sure that
 			# all raw requests are done through the script node, which will
 			# have eg '.php' and should remain safe.
-			
-			$destUrl = $this->mTitle->getFullUrl(
-				'action=raw' .
-				'&ctype=' . urlencode( $this->mContentType ) .
-				'&smaxage=' . urlencode( $this->mSmaxage ) .
-				'&maxage=' . urlencode( $this->mMaxage ) .
-				'&gen=' . urlencode( $this->mGen ) .
-				'&oldid=' . urlencode( $this->mOldId ) );
-			header( 'Location: ' . $destUrl );
-			$wgOut->disable();
+			#
+			# We used to redirect to a canonical-form URL as a general
+			# backwards-compatibility / good-citizen nice thing. However
+			# a lot of servers are set up in buggy ways, resulting in
+			# redirect loops which hang the browser until the CSS load
+			# times out.
+			#
+			# Just return a 403 Forbidden and get it over with.
+			wfHttpError( 403, 'Forbidden',
+				'Raw pages must be accessed through the primary script entry point.' );
 			return;
 		}
 		
-- 
2.20.1