Page MenuHomePhabricator
Create Task
Maniphest T178060

RawAction should set proper Content-Type header
Open, MediumPublic
Actions

Description

Currently, action=raw will return text/x-wiki for all content (except for JS and CSS pages, but even then, the property MIME type will only be used if requested with the ctype or gen parameter).

This is a relict from times before ContentHandler. With ContentHandler, page content knows its mime type. RawAction should ask ContentHandler for the default serialization format if ctype and gen are not given. It should use Content::serialize to generate the desired output format. And finally, it should declare the actual format used for serialization in the Content-Type header.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use ContentHandler to get proper MIME type in RawActionmediawiki/coremaster+22 -19
RawAction: Add json to the allowed content typesmediawiki/coremaster+7 -1
Customize query in gerrit

Related Objects

Event Timeline

daniel created this task.Oct 12 2017, 12:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 12 2017, 12:02 PM
daniel mentioned this in T177966: Add CORS-enabled, cacheable way to access contents of Data namespace.Oct 12 2017, 12:02 PM
Bawolff subscribed.Oct 12 2017, 1:54 PM

Well in general this sounds nice - there is a potential security issue here in the event that a content handler returns an unsafe mime that could execute scripts. E.g. returning text/html, application/svg+xml would be bad.Some browsers do a lot of sniffing on text/plain (not sure how much that still is the case). And there is also the potential for a format which is downloaded and executed unsafely (e.g. text/csv interpreted by excel. ) which may or not be an issue. Even if not executed could maybe cause a network request to be issued to a third party server which may be unacceptable privacy wise.

That doesnt totally block doing this, and im certainly not opposed for obviously safe cases like application/json, we just need to be sure to be careful about these issues before doing this.

Lucas_Werkmeister_WMDE subscribed.Oct 12 2017, 2:51 PM
Bawolff added a project: Security-Team.Oct 12 2017, 4:08 PM
gerritbot subscribed.Oct 13 2017, 6:44 PM

Change 384089 had a related patch set uploaded (by Ladsgroup; owner: Amir Sarabadani):
[mediawiki/core@master] Add json to the allowed content types

https://gerrit.wikimedia.org/r/384089

gerritbot added a project: Patch-For-Review.Oct 13 2017, 6:44 PM
gerritbot added a comment.Oct 13 2017, 7:49 PM

Change 384096 had a related patch set uploaded (by Ladsgroup; owner: Amir Sarabadani):
[mediawiki/core@master] Use ContentHandler to get proper MIME type in RawAction

https://gerrit.wikimedia.org/r/384096

gerritbot added a comment.Oct 26 2017, 10:06 AM

Change 384089 merged by jenkins-bot:
[mediawiki/core@master] RawAction: Add json to the allowed content types

https://gerrit.wikimedia.org/r/384089

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-10-31 (1.31.0-wmf.6)).Oct 30 2017, 4:01 PM
MZMcBride subscribed.Mar 15 2018, 5:33 AM
Bawolff edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:31 PM
Bawolff moved this task from Backlog to Watching on the Security-team-backlog board.
sbassett moved this task from Watching to Backlog on the Security-team-backlog board.Dec 2 2019, 5:09 PM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp triaged this task as Medium priority.Dec 23 2019, 5:19 PM
Krinkle subscribed.Apr 2 2021, 10:36 PM

In general, the API should be used for this. Imho the only use case for action=raw is for when a client functionally hard-requires returning the content as the only response body. This is basically only true for JS and CSS. Anything else can use the API.

So perhaps instead of making these non-wikitext types more accomodated, we could instead change them to HTTP 40x since they are probably not yet commonly used for anything.

See also T279120.

Lucas_Werkmeister_WMDE added a comment.Apr 6 2021, 11:11 AM

That sounds like a step backwards to me. Why should we force clients to talk to our bespoke MediaWiki API instead of speaking standard HTTP?

Reedy removed a project: Security-Team.Nov 3 2021, 7:22 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.May 24 2024, 8:41 PM
Pppery subscribed.

Agreed with Lucas here that deliberately breaking this use seems like a step backwards, for what it's worth.

Krinkle mentioned this in T419192: CVE-2026-34095: action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request.Mar 6 2026, 1:41 AM
gerritbot added a comment.Mar 30 2026, 1:13 PM

Change #384096 abandoned by Hashar:

[mediawiki/core@master] Use ContentHandler to get proper MIME type in RawAction

https://gerrit.wikimedia.org/r/384096

Pppery removed a project: Patch-Needs-Improvement.Mar 30 2026, 3:50 PM
gerritbot added a comment.Mar 30 2026, 11:44 PM

Change #384096 restored by Thcipriani:

[mediawiki/core@master] Use ContentHandler to get proper MIME type in RawAction

https://gerrit.wikimedia.org/r/384096

gerritbot added a project: Patch-For-Review.Mar 30 2026, 11:45 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 31 2026, 12:06 AM
gerritbot added a comment.Mar 31 2026, 10:14 AM

Change #384096 abandoned by Ladsgroup:

[mediawiki/core@master] Use ContentHandler to get proper MIME type in RawAction

Reason:

Not working on it atm

https://gerrit.wikimedia.org/r/384096

Pppery removed a project: Patch-Needs-Improvement.Mar 31 2026, 3:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits