Page MenuHomePhabricator
Create Task
Maniphest T85751

"Forbidden error" on en.wp for ?action=raw when page name contains . or %2E
Closed, DeclinedPublic
Actions

Description

When a page with a . or %2E in its name is accessed via ?action=raw , a page saying "<h1>Forbidden</h1><p>Invalid file extension found in the path info or query string.</p>" is returned instead.

Examples of this behaviour include:
https://en.wikipedia.org/wiki/Washington_University_in_St._Louis?action=raw
https://en.wikipedia.org/wiki/Washington_University_in_St%2E_Louis?action=raw

Related Objects

Event Timeline

Firespeaker created this task.Jan 4 2015, 5:42 AM
Firespeaker raised the priority of this task from to High.
Firespeaker updated the task description. (Show Details)
Firespeaker subscribed.
Aklapper renamed this task from raw view fails when . or %2E is in page name to "Forbidden error" on en.wp for ?action=raw when page name contains . or %2E.Jan 7 2015, 5:49 PM
Aklapper added projects: MediaWiki-General, WMF-General-or-Unknown.
Aklapper set Security to None.
Glaisher mentioned this in T86302: "Invalid file extension found in the path info or query string" error for page names with dots when using "/wiki/" instead of "/w/index.php?title=".Jan 9 2015, 3:44 PM
brion closed this task as Declined.Jan 23 2015, 7:50 PM
brion claimed this task.
brion subscribed.

This restriction is a security hack for some (older?) browsers which can be fooled into executing arbitrary HTML+JavaScript code when there's a "recognized file extension" at the end of the URL path.

To avoid hitting this, either:

or

  • use the API to fetch data in XML or JSON packaging

Note that action=raw is a very old feature and is not recommended for current use since the API was created some years ago.

matmarex mentioned this in T126183: Titles containing a dot give HTTP 403 when accessed using action=raw and the short URL form.Feb 10 2016, 3:38 AM
matmarex merged tasks: T139897: "403 Forbidden: Invalid file extension" on getting source of page "Motor1.com" on en.wp, T215673: action=raw does not work with a period in the page title.Feb 9 2019, 8:16 PM
matmarex added subscribers: GoldsteinEmmanuel, SQL, Nnemo and 2 others.
BPirkle mentioned this in T230848: Reader gets file description.Nov 19 2019, 4:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL