From: Brion Vibber Date: Wed, 23 Jan 2008 23:45:46 +0000 (+0000) Subject: * Security fix for API on MSIE X-Git-Tag: 1.31.0-rc.0~49820 X-Git-Url: http://git.cyclocoop.org/%7D%7Cconcat%7B?a=commitdiff_plain;h=c8c176f7de6e017727c85fe0a7c0d80709f0081b;p=lhc%2Fweb%2Fwiklou.git * Security fix for API on MSIE --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 3b18aa96d1..2e3865380b 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -334,6 +334,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN mystery failures when using $wgThumbnailScriptPath. * (bug 12327) Comma in username no longer disrupts mail headers * (bug 6436) Localization of Special:Import XML parser Error message(s). +* Security fix for API on MSIE == Parser changes in 1.12 == diff --git a/api.php b/api.php index fa85573df5..ce445ef4aa 100644 --- a/api.php +++ b/api.php @@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php'); wfProfileIn('api.php'); +// URL safety checks +// +// See RawPage.php for details; summary is that MSIE can override the +// Content-Type if it sees a recognized extension on the URL, such as +// might be appended via PATH_INFO after 'api.php'. +// +// Some data formats can end up containing unfiltered user-provided data +// which will end up triggering HTML detection and execution, hence +// XSS injection and all that entails. +// +// Ensure that all access is through the canonical entry point... +// +if( isset( $_SERVER['SCRIPT_URL'] ) ) { + $url = $_SERVER['SCRIPT_URL']; +} else { + $url = $_SERVER['PHP_SELF']; +} +if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { + wfHttpError( 403, 'Forbidden', + 'API must be accessed through the primary script entry point.' ); + return; +} + // Verify that the API has not been disabled if (!$wgEnableAPI) { echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';