From 641f48596552722f96d71f5abc808a1d694981b4 Mon Sep 17 00:00:00 2001
From: Platonides
Date: Wed, 1 Jun 2011 21:22:53 +0000
Subject: [PATCH] Document r89248,r89249 isQueryStringBad()
---
 includes/WebRequest.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 69c4a31c50..68cb73e5a0 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -877,6 +877,8 @@ class WebRequest {
 * Check for a bad query string, which IE 6 will use as a potentially
 * insecure cache file extension. See bug 28235. Returns true if the
 * request should be disallowed.
+ *
+ * @return Boolean
 */
 public function isQueryStringBad() {
 if ( !isset( $_SERVER['QUERY_STRING'] ) ) {
@@ -885,9 +887,17 @@ class WebRequest {
 $extension = self::findIE6Extension( $_SERVER['QUERY_STRING'] );
 if ( strval( $extension ) === '' ) {
+ /* No extension or empty extension (false/'') */
 return false;
 }
+ /* Only consider the extension understood by IE to be potentially
+ * dangerous if it is made of normal characters (so it is more
+ * likely to be registered with an application)
+ * Compromise with api.php convenience. Considers for instance
+ * that no sane application will register a dangerous file type
+ * in an extension containing an ampersand.
+ */
 return (bool)preg_match( '/^[a-zA-Z0-9_-]+$/', $extension );
 }
--
2.20.1
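Review bot: The block comment added above the final `return` in the second hunk never states that a regex match means the request is rejected, so `/^[a-zA-Z0-9_-]+$/` is easy to misread as an allowlist of safe input and to "tighten" in the wrong direction later. I would open the comment with something like `A match means "disallow": only extensions made solely of letters, digits, '_' or '-' are treated as dangerous`, and replace "normal characters" with that explicit character list. It would also help to say that a `false` result is a heuristic judgment (the comment itself calls it a compromise for api.php convenience), not a guarantee that IE 6 will ignore the extension. The body of isQueryStringBad() begins in the first hunk and the lines between the two hunks are not shown.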