
Titles containing a dot give HTTP 403 when accessed using action=raw and the short URL form
Closed, Declined (Public)

Event Timeline

TTO raised the priority of this task from to Needs Triage.
TTO updated the task description.
TTO subscribed.

...unless something's changed since 1.26.2:

I don't have a local MW copy to test with at the moment.

This comes from WebRequest::checkUrlExtension

ShoutWiki does not have this issue because they run nginx, which is not listed in IEUrlExtension::haveUndecodedRequestUri

It looks as though the IEUrlExtension code is there to prevent XSS attacks in IE6 and earlier. Is it worth keeping this security shim around for broken old browsers which we no longer support? (Obviously the implications here are different than, say, dropping JS support for old IEs, but I just wonder what our position is on maintaining server-side special cases for IE6 and earlier.)

IE6 is effectively shut out of WMF wikis anyways, because we require HTTPS, and we don't support SSLv3 (or lower), which is the highest version that IE6 accepts.

(although I guess there are ways around that which wouldn't likely be popular - e.g. using IE6 behind some trusted proxy doing modern TLS to wikipedia for it)

Krinkle subscribed.

This works as intended. Per T85751, the canonical URL for using the action parameter is to go through index.php. The virtual /wiki path is primarily meant for page views only.
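
The behaviour discussed in this task, as an added example that is not part of the thread and is not MediaWiki's code: a simplified model of an extension check that inspects the raw request URI only on servers known to pass it undecoded. The function names, the extension heuristic, the sample URLs, and the treatment of Apache as the listed server are assumptions made for illustration.

```php
<?php
// Simplified model only; names and heuristic are hypothetical, not MediaWiki's.

// Assumption: Apache is treated as passing the raw, undecoded REQUEST_URI;
// nginx is not on the list (as stated in the thread).
function hasUndecodedRequestUri(string $serverSoftware): bool {
    return (bool)preg_match('/^Apache($|\/| )/', $serverSoftware);
}

// Extension a content-sniffing browser would key on: the last ".ext"
// in the part of the URL before the first "?". Empty string if none.
function sniffedExtension(string $urlPart): string {
    $beforeQuery = explode('?', $urlPart, 2)[0];
    return preg_match('/\.([A-Za-z0-9_-]+)$/', $beforeQuery, $m) ? strtolower($m[1]) : '';
}

// HTTP status the modelled check yields for a GET request.
function rawRequestStatus(array $server, array $allowed = ['php']): int {
    if (isset($server['REQUEST_URI'])
        && hasUndecodedRequestUri($server['SERVER_SOFTWARE'] ?? '')) {
        $urlPart = $server['REQUEST_URI'];       // full path is inspected
    } else {
        $urlPart = $server['QUERY_STRING'] ?? ''; // only the query string is inspected
    }
    $ext = sniffedExtension($urlPart);
    return ($ext === '' || in_array($ext, $allowed, true)) ? 200 : 403;
}

// Constructed sample requests (not taken from the task).
$cases = [
    'Apache, short URL'    => ['SERVER_SOFTWARE' => 'Apache/2.4',
                               'REQUEST_URI' => '/wiki/Example.bar?action=raw',
                               'QUERY_STRING' => 'action=raw'],
    'nginx, short URL'     => ['SERVER_SOFTWARE' => 'nginx/1.18',
                               'REQUEST_URI' => '/wiki/Example.bar?action=raw',
                               'QUERY_STRING' => 'action=raw'],
    'Apache, index.php URL' => ['SERVER_SOFTWARE' => 'Apache/2.4',
                               'REQUEST_URI' => '/w/index.php?title=Example.bar&action=raw',
                               'QUERY_STRING' => 'title=Example.bar&action=raw'],
];
foreach ($cases as $label => $server) {
    printf("%-22s %d\n", $label, rawRequestStatus($server));
}
```

In this model the dotted title is rejected only where the path itself is inspected, and the index.php form passes because the extension seen before the `?` is `php`.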