http://www.mediawiki.org/wiki/Special:Code/MediaWiki/89291
Revision: 89291
Author: platonides
Date: 2011-06-01 21:22:53 +0000 (Wed, 01 Jun 2011)
Log Message:
-----------
Document r89248,r89249 isQueryStringBad()
Modified Paths:
--------------
trunk/phase3/includes/WebRequest.php
Modified: trunk/phase3/includes/WebRequest.php
===================================================================
--- trunk/phase3/includes/WebRequest.php 2011-06-01 21:13:13 UTC (rev
89290)
+++ trunk/phase3/includes/WebRequest.php 2011-06-01 21:22:53 UTC (rev
89291)
@@ -877,6 +877,8 @@
* Check for a bad query string, which IE 6 will use as a potentially
* insecure cache file extension. See bug 28235. Returns true if the
* request should be disallowed.
+ *
+ * @return Boolean
*/
public function isQueryStringBad() {
if ( !isset( $_SERVER['QUERY_STRING'] ) ) {
@@ -885,9 +887,17 @@
$extension = self::findIE6Extension( $_SERVER['QUERY_STRING'] );
if ( strval( $extension ) === '' ) {
+ /* No extension or empty extension (false/'') */
return false;
}
+ /* Only consider the extension understood by IE to be
potentially
+ * dangerous if it is made of normal characters (so it is more
+ * likely to be registered with an application)
+ * Compromise with api.php convenience. Considers for instance
+ * that no sane application will register a dangerous file type
+ * in an extension containing an ampersand.
+ */
return (bool)preg_match( '/^[a-zA-Z0-9_-]+$/', $extension );
}
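Review bot: The final `return (bool)preg_match( ... )` fails open: preg_match() returns false on a PCRE error, and the cast turns that into "query string is fine", so a matching failure would allow rather than disallow the request; for a check whose purpose is to reject, compare against the no-match result instead, `return preg_match( '/^[a-zA-Z0-9_-]+$/', $extension ) !== 0;`, so that only a confirmed non-match returns false. The new comment block above it would also read more clearly if its first line were not wrapped mid-sentence ("potentially" on its own line) and if it said explicitly that the pattern is a whitelist of "dangerous-looking" extensions, i.e. anything outside `[a-zA-Z0-9_-]` is deliberately treated as harmless. The body of isQueryStringBad() starts before this hunk, and what findIE6Extension() returns for "no extension" (false vs. '') is not visible here, so the `strval( $extension ) === ''` guard on the first context line is presumably what the new "(false/'')" comment refers to.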