Actually I also had to add a `RewriteCond %{REQUEST_FILENAME} ^/?images`
to prevent /index.php from being broken.
My root .htaccess looks something like this now:
RewriteEngine on
# Protect against bug 28235
RewriteCond %{REQUEST_FILENAME} ^/?images
RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
# Thumbnail handler for image thumbnails
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(/?)images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$
$1thumb.php?f=$2&width=$3 [L,QSA]
# Thumbnail handler for archived images
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule
^(/?)images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$
$1thumb.php?f=$2&width=$3&archived=1 [L,QSA]
# Handler for 404 pages
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^/?.*$ /index.php?title=Special:Error404
RewriteRule ^(/?)images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$
$1thumb.php?f=$2&width=$3 [L,QSA]
I haven't figured out how to replicate that bug 28235 fix in Nginx though.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
On 11-04-19 09:28 AM, Daniel Friesen wrote:
> Using the rewrite inside images/.htaccess appears to conflict with
> existing installations with a root .htaccess including the code for the
> thumbnail handler.
>
> You won't notice it right away because most images will already have
> existing thumbnails generated, but at some random point when someone.
>
> In fact, I ONLY found out things were broken on any of my wiki after I
> created a brand new wiki with similar config and found I got 404s
> instead of thumbnails.
>
> My fix was to comment out the code in images/.htaccess and add it to my
> root .htaccess. Of course I'll need to do something else on another one
> of my wiki that uses a separate domain for serving uploads.
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
>
> On 11-04-14 12:47 AM, Tim Starling wrote:
>> Our patch for the Internet Explorer 6 XSS issue (bug 28235) released
>> two days ago in 1.16.3 was insufficient to fix that bug. The original
>> reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we
>> are doing another release, which contains a second attempt at fixing
>> the issue.
>>
>> Apologies to everyone for the inconvenience. Big thanks go to Masato
>> Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan
>> Kattouw who helped me test the patch this time around, so that we can
>> hopefully avoid a repeat.
>>
>> It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for
>> Internet Explorer clients, version 6 and earlier. Also, if you used
>> the Apache configuration I suggested in the previous release
>> announcement, you should update it to:
>>
>> RewriteEngine On
>> RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
>> RewriteRule . - [forbidden]
>>
>>
>> We missed the fact that there can be more than one question mark in a
>> URL. In certain circumstances, IE 6 will use a file extension
>> immediately before a question mark character, regardless of how many
>> question marks precede it. For example, with the URL:
>>
>> http://example.com/a?b?c.html?d?e
>>
>> IE 6 will see the file extension as ".html".
>>
>> **********************************************************************
>> Download:
>> http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz
>>
>> Patch to previous version (1.16.3):
>> http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz
>>
>> GPG signatures:
>> http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz.sig
>> http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz.sig
>>
>> Public keys:
>> https://secure.wikimedia.org/keys.html
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
