From e868f703ad4afbdcf81e7e392a46f20e356c4331 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Thu, 7 Aug 2014 20:10:16 +0100
Subject: [PATCH] API: Work around wfMangleFlashPolicy()

The things wfMangleFlashPolicy() does to the output break things in the API. For JSON we can work around it, while for PHP we just have to error out. XML isn't affected because <> are escaped anyway (unless something somehow uses 'cross-domain-policy' as a tag name), and the rest are going away soon so they're not worth the trouble.

Bug: 66776
Change-Id: Idc5f37bd778288a9cde572f081dc753d681ec354
---
 RELEASE-NOTES-1.25 | 3 +++
 includes/api/ApiFormatJson.php | 10 ++++++++++
 includes/api/ApiFormatPhp.php | 18 +++++++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/RELEASE-NOTES-1.25 b/RELEASE-NOTES-1.25
index ae1c23ef18..b36daa61c8 100644
--- a/RELEASE-NOTES-1.25
+++ b/RELEASE-NOTES-1.25
@@ -97,6 +97,9 @@ production.
 * If the user has the 'deletedhistory' right, action=query's revids parameter
 will now recognize deleted revids.
 * prop=revisions may be used as a generator, generating revids.
+* (bug 66776) format=json results will no longer be corrupted when
+ $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
+ error instead of returning invalid serialized data.
 
 === Action API internal changes in 1.25 ===
 * ApiHelp has been rewritten to support i18n and paginated HTML output.
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index ce8656e221..966e82dc6a 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -67,6 +67,16 @@ class ApiFormatJson extends ApiFormatBase {
 $this->getIsHtml(),
 $params['utf8'] ? FormatJson::ALL_OK : FormatJson::XMLMETA_OK
 );
+
+ // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
+ // Flash, but what it does isn't friendly for the API, so we need to
+ // work around it.
+ if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
+ $json = preg_replace(
+ '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
+ );
+ }
+
 $callback = $params['callback'];
 if ( $callback !== null ) {
 $callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback );
diff --git a/includes/api/ApiFormatPhp.php b/includes/api/ApiFormatPhp.php
index ae93812254..a4b4a11d61 100644
--- a/includes/api/ApiFormatPhp.php
+++ b/includes/api/ApiFormatPhp.php
@@ -35,6 +35,22 @@ class ApiFormatPhp extends ApiFormatBase {
 }
 
 public function execute() {
- $this->printText( serialize( $this->getResultData() ) );
+ $text = serialize( $this->getResultData() );
+
+ // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
+ // Flash, but what it does isn't friendly for the API. There's nothing
+ // we can do here that isn't actively broken in some manner, so let's
+ // just be broken in a useful manner.
+ if ( $this->getConfig()->get( 'MangleFlashPolicy' ) &&
+ in_array( 'wfOutputHandler', ob_list_handlers(), true ) &&
+ preg_match( '/\<\s*cross-domain-policy\s*\>/i', $text )
+ ) {
+ $this->dieUsage(
+ 'This response cannot be represented using format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776',
+ 'internalerror'
+ );
+ }
+
+ $this->printText( $text );
 }
 }
-- 
2.20.1
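Review bot: The `cross-domain-policy` regex is written out twice in this hunk (once in `preg_match()`, once with a capture group in `preg_replace()`) and a third time in the ApiFormatPhp.php hunk, each presumably a hand copy of whatever wfMangleFlashPolicy() matches; that function is not shown here. If the mangling pattern is ever changed, these copies fall out of step and the corrupted-output problem returns without anything failing loudly, so the pattern should come from one shared constant or helper, or at minimum carry a comment such as `// Must stay identical to the pattern in wfMangleFlashPolicy()`. The `preg_match()` guard is also redundant, because `preg_replace()` returns the subject unchanged when nothing matches. Neither call's error return is handled, so a PCRE failure in `preg_replace()` would leave `$json` as null. The enclosing method starts and ends outside the hunk.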
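Review bot: The `'internalerror'` code passed to `dieUsage()` makes this content-dependent refusal look like a genuine server fault, so a client has no machine-readable way to learn that the same query would succeed with format=json. The trigger is a string inside the serialized result, which may originate from stored wiki content, so consumers can hit it on otherwise valid requests; a dedicated error code and a sentence in the format's help text would let them fall back cleanly. The condition also depends on the output handler being registered under the exact name `'wfOutputHandler'`, and nothing in the hunk says why `ob_list_handlers()` is consulted. If the reason is that the mangling only runs inside that handler, a comment such as `// Mangling only happens inside wfOutputHandler; skip the check when it is not installed` would record it.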