Mglaser has submitted this change and it was merged. Change subject: API: Work around wfMangleFlashPolicy() ......................................................................
API: Work around wfMangleFlashPolicy() The things wfMangleFlashPolicy() does to the output break things in the API. For JSON we can work around it, while for PHP we just have to error out. XML isn't affected because <> are escaped anyway (unless something somehow uses 'cross-domain-policy' as a tag name), and the rest are going away soon so they're not worth the trouble. Backport, originally committed by Brad Jorsch Bug: 66776 Change-Id: Idc5f37bd778288a9cde572f081dc753d681ec354 --- M includes/api/ApiFormatJson.php M includes/api/ApiFormatPhp.php 2 files changed, 27 insertions(+), 1 deletion(-) Approvals: Mglaser: Verified; Looks good to me, approved diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php index 6c5ad38..d9f9d46 100644 --- a/includes/api/ApiFormatJson.php +++ b/includes/api/ApiFormatJson.php @@ -63,6 +63,16 @@ $this->getIsHtml(), $params['utf8'] ? FormatJson::ALL_OK : FormatJson::XMLMETA_OK ); + + // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in + // Flash, but what it does isn't friendly for the API, so we need to + // work around it. + if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) { + $json = preg_replace( + '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json + ); + } + $callback = $params['callback']; if ( $callback !== null ) { $callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $callback ); diff --git a/includes/api/ApiFormatPhp.php b/includes/api/ApiFormatPhp.php index b2d1f04..73ce80e 100644 --- a/includes/api/ApiFormatPhp.php +++ b/includes/api/ApiFormatPhp.php 
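Review bot: In the ApiFormatJson.php hunk the pattern `/\<\s*cross-domain-policy\s*\>/i` is written out in two forms, and again in the ApiFormatPhp.php hunk, with nothing on the new lines tying it to the expression wfMangleFlashPolicy() itself uses; if the mangler's pattern is later changed, both workarounds would silently miss cases. I would add a comment above the `preg_match` such as `// Must match the regex in wfMangleFlashPolicy(); keep ApiFormatPhp::execute() in sync.`, and ideally keep the pattern in one shared place in a follow-up. The same comment could record why the rewrite is safe: `<` and `>` can only occur inside JSON string literals, where `\u003C` and `\u003E` decode to the same characters. The `preg_match` guard is also redundant with `preg_replace`, whose null return on a PCRE error is not checked before `$json` is used.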
@@ -35,7 +35,23 @@ } public function execute() { - $this->printText( serialize( $this->getResultData() ) ); + $text = serialize( $this->getResultData() ); + + // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in + // Flash, but what it does isn't friendly for the API. There's nothing + // we can do here that isn't actively broken in some manner, so let's + // just be broken in a useful manner. + if ( $this->getConfig()->get( 'MangleFlashPolicy' ) && + in_array( 'wfOutputHandler', ob_list_handlers(), true ) && + preg_match( '/\<\s*cross-domain-policy\s*\>/i', $text ) + ) { + $this->dieUsage( + 'This response cannot be represented using format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776', + 'internalerror' + ); + } + + $this->printText( $text ); } public function getDescription() { -- To view, visit https://gerrit.wikimedia.org/r/175956 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Idc5f37bd778288a9cde572f081dc753d681ec354 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_24 Gerrit-Owner: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> Gerrit-Reviewer: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
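Review bot: In ApiFormatPhp::execute() the new `dieUsage()` call reports this condition with the generic code `'internalerror'`, so a client or a log monitor cannot tell a response refused because its data contains `<cross-domain-policy>` from a genuine internal failure. Because the trigger is the returned data, I would use a dedicated code, for example `'formatphp-flashpolicy'` (a constructed name), or at least log the refusal, so operators can see how often format=php is being rejected and clients know to retry with format=json. The comment could also state why no rewrite is possible here, which I assume is that the mangler's substitution changes string lengths: `// Mangling changes string lengths, which breaks the s:N:"..." prefixes unserialize() relies on.`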