# Protect against bug 28235
<IfModule rewrite_module>
RewriteEngine On
- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
+ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
</IfModule>
// Check for bug 28235: QUERY_STRING overriding the correct extension
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
}
global $wgScriptExtension;
if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
{
// Bug 28235
// Block only Internet Explorer, and requests with missing UA