
bad-query-string.patch

Authored By
bzimport
Nov 21 2014, 11:32 PM
Size
4 KB

bad-query-string.patch

Index: images/.htaccess
===================================================================
--- images/.htaccess (revision 0)
+++ images/.htaccess (revision 0)
@@ -0,0 +1,6 @@
+# Protect against bug 28235
+<IfModule rewrite_module>
+ RewriteEngine On
+ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
+ RewriteRule . - [forbidden]
+</IfModule>
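Review bot: The `<IfModule rewrite_module>` wrapper makes this rule fail open: where mod_rewrite is not loaded, or where `AllowOverride None` causes .htaccess files to be ignored, the upload directory is served with no query-string check and no error. The comment `# Protect against bug 28235` does not say what is blocked or what the rule depends on; I would write `# Bug 28235: refuse requests whose query string ends in what looks like a file extension, which IE 6 may use to choose the content type. Needs mod_rewrite; without it this file has no effect.` The pattern is also a third copy of the one added in includes/WebRequest.php and img_auth.php, so a line noting that the three must change together would help the next maintainer.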
Property changes on: images/.htaccess
___________________________________________________________________
Added: svn:eol-style
+ native
Index: includes/WebRequest.php
===================================================================
--- includes/WebRequest.php (revision 85778)
+++ includes/WebRequest.php (working copy)
@@ -776,10 +776,27 @@
* but only by prefixing it with the script name and maybe some other stuff,
* the extension is not mangled. So this should be a reasonably portable
* way to perform this security check.
+ *
+ * Also checks for anything that looks like a file extension at the end of
+ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+ * if there was no dot before the question mark (bug 28235).
*/
public function isPathInfoBad() {
global $wgScriptExtension;
+ if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer 6, and requests with missing UA
+ // headers that could be IE users behind a privacy proxy.
+ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
+ || preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) )
+ {
+ return true;
+ }
+ }
+
if ( !isset( $_SERVER['PATH_INFO'] ) ) {
return false;
}
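Review bot: The added docblock says IE 6 and earlier are affected, but the user-agent test `preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] )` matches only version 6, so an older IE that sends a UA header is not blocked. Either narrow the docblock to IE 6 or widen the pattern, for example `'/; *MSIE [1-6]\./'`. Because the result now depends on User-Agent, a shared cache in front of these entry points could serve a response generated for another browser to an IE 6 client unless the response varies on that header; nothing in the hunk shows how that is handled, so it is worth confirming. The name isPathInfoBad() no longer covers everything the method checks, which the first line of the docblock should state; the function body continues past the end of the hunk.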
Index: includes/RawPage.php
===================================================================
--- includes/RawPage.php (revision 85778)
+++ includes/RawPage.php (working copy)
@@ -132,7 +132,7 @@
#
# Just return a 403 Forbidden and get it over with.
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
'Raw pages must be accessed through the primary script entry point.' );
return;
}
Index: img_auth.php
===================================================================
--- img_auth.php (revision 85778)
+++ img_auth.php (working copy)
@@ -38,6 +38,13 @@
wfForbidden('img-auth-accessdenied','img-auth-public');
}
+// Check for bug 28235: QUERY_STRING overriding the correct extension
+if ( isset( $_SERVER['QUERY_STRING'] )
+ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+{
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-bad-query-string' );
+}
+
$matches = WebRequest::getPathInfo();
$path = $matches['title'];
$filename = realpath( $wgUploadDirectory . $path );
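Review bot: The new block depends on wfForbidden() ending the request, because nothing after the call stops execution from reaching `WebRequest::getPathInfo()` and `realpath()`; the hunk does not show whether it does, so a short comment stating that wfForbidden() does not return (if that is the case) would make the control flow explicit. Unlike the check added to isPathInfoBad(), this one is applied to every user agent, which looks deliberate for uploaded files but is not stated; extend the comment to `// Bug 28235: QUERY_STRING overriding the correct extension. Applied to all browsers, not only IE 6.` The regular expression is repeated verbatim from includes/WebRequest.php, so a single static helper on WebRequest that both call would keep the two from drifting apart.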
Index: api.php
===================================================================
--- api.php (revision 85778)
+++ api.php (working copy)
@@ -55,8 +55,7 @@
//
if ( $wgRequest->isPathInfoBad() ) {
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
- 'The API must be accessed through the primary script entry point.' );
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
return;
}
Index: load.php
===================================================================
--- load.php (revision 85778)
+++ load.php (working copy)
@@ -37,11 +37,8 @@
//
if ( $wgRequest->isPathInfoBad() ) {
wfHttpError( 403, 'Forbidden',
- 'Invalid file extension found in PATH_INFO. ' .
- 'The resource loader must be accessed through the primary script entry point.' );
+ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
return;
- // FIXME: Doesn't this execute the rest of the request anyway?
- // Was taken from api.php so I guess it's maybe OK but it doesn't look good.
}
// Respond to resource loading request
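Review bot: The deleted FIXME asked whether the rest of the request still runs after `return;`, and the commit removes the question without recording the answer. If this `if` sits at file scope, as the hunk suggests but does not show, `return` ends the script at that point; I would leave `// return at file scope ends this entry point; nothing below runs` in place of the FIXME. The same `return;` pattern is used in the api.php hunk and would benefit from the same comment.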
Index: languages/messages/MessagesEn.php
===================================================================
--- languages/messages/MessagesEn.php (revision 85778)
+++ languages/messages/MessagesEn.php (working copy)
@@ -2261,6 +2261,7 @@
This wiki is configured as a public wiki.
For optimal security, img_auth.php is disabled.',
'img-auth-noread' => 'User does not have access to read "$1".',
+'img-auth-bad-query-string' => 'The URL has an invalid query string.',
# HTTP errors
'http-invalid-url' => 'Invalid URL: $1',
