http://www.mediawiki.org/wiki/Special:Code/MediaWiki/89248
Revision: 89248
Author: tstarling
Date: 2011-06-01 02:01:59 +0000 (Wed, 01 Jun 2011)
Log Message:
-----------
* Only blacklist query string extensions which match /^[a-zA-Z0-9_-]+$/. This
avoids blacklisting pretty much every api.php URL with a dot in it, due to
extensions like "webm&smaxage=3600&maxage=3600&format=jsonfm" being detected.
Such an extension is unlikely to be registered to a dangerous file type. The
proposed regex matches all extensions registered in HKEY_CLASSES_ROOT on my
Windows XP VM, but does not include the ampersand, so avoids matching multiple
URL parameters.
* Fixed a logic error in WebRequest::isPathInfoBad() from r88883, which caused
dangerous PATH_INFO strings to be allowed as long as QUERY_STRING was set.
* Refactored the query string checks in WebRequest and img_auth.php into a
single new function: isQueryStringBad().
Modified Paths:
--------------
trunk/phase3/img_auth.php
trunk/phase3/includes/WebRequest.php
Modified: trunk/phase3/img_auth.php
===================================================================
--- trunk/phase3/img_auth.php 2011-06-01 01:24:45 UTC (rev 89247)
+++ trunk/phase3/img_auth.php 2011-06-01 02:01:59 UTC (rev 89248)
@@ -43,8 +43,7 @@
}
// Check for bug 28235: QUERY_STRING overriding the correct extension
-if ( isset( $_SERVER['QUERY_STRING'] )
- && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING']
) )
+if ( $wgRequest->isQueryStringBad() )
{
wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
}
Modified: trunk/phase3/includes/WebRequest.php
===================================================================
--- trunk/phase3/includes/WebRequest.php 2011-06-01 01:24:45 UTC (rev
89247)
+++ trunk/phase3/includes/WebRequest.php 2011-06-01 02:01:59 UTC (rev
89248)
@@ -785,10 +785,8 @@
public function isPathInfoBad() {
global $wgScriptExtension;
- if ( isset( $_SERVER['QUERY_STRING'] ) )
- {
- // Bug 28235
- return strval( self::findIE6Extension(
$_SERVER['QUERY_STRING'] ) ) !== '';
+ if ( $this->isQueryStringBad() ) {
+ return true;
}
if ( !isset( $_SERVER['PATH_INFO'] ) ) {
@@ -876,6 +874,24 @@
}
/**
+ * Check for a bad query string, which IE 6 will use as a potentially
+ * insecure cache file extension. See bug 28235. Returns true if the
+ * request should be disallowed.
+ */
+ public function isQueryStringBad() {
+ if ( !isset( $_SERVER['QUERY_STRING'] ) ) {
+ return false;
+ }
+
+ $extension = self::findIE6Extension( $_SERVER['QUERY_STRING'] );
+ if ( $extension === '' ) {
+ return false;
+ }
+
+ return (bool)preg_match( '/^[a-zA-Z0-9_-]+$/', $extension );
+ }
+
+ /**
* Parse the Accept-Language header sent by the client into an array
* @return array( languageCode => q-value ) sorted by q-value in
descending order
* May contain the "language" '*', which applies to languages other
than those explicitly listed.
_______________________________________________
MediaWiki-CVS mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
