User "Catrope" changed the status of MediaWiki.r89248. Old Status: new New Status: ok
Full URL: https://secure.wikimedia.org/wikipedia/mediawiki/wiki/Special:Code/MediaWiki/89248#c0 Commit summary: * Only blacklist query string extensions which match /^[a-zA-Z0-9_-]+$/. This avoids blacklisting pretty much every api.php URL with a dot in it, due to extensions like "webm&smaxage=3600&maxage=3600&format=jsonfm" being detected. Such an extension is unlikely to be registered to a dangerous file type. The proposed regex matches all extensions registered in HKEY_CLASSES_ROOT on my Windows XP VM, but does not include the ampersand, so avoids matching multiple URL parameters. * Fixed a logic error in WebRequest::isPathInfoBad() from r88883, which caused dangerous PATH_INFO strings to be allowed as long as QUERY_STRING was set. * Refactored the query string checks in WebRequest and img_auth.php into a single new function: isQueryStringBad(). _______________________________________________ MediaWiki-CodeReview mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
