
"Forbidden error" on en.wp for ?action=raw when page name contains . or %2E
Closed, Declined | Public

Description

When a page with a . or %2E in its name is accessed via ?action=raw, a page saying "<h1>Forbidden</h1><p>Invalid file extension found in the path info or query string.</p>" is returned instead.

Examples of this behaviour include:
https://en.wikipedia.org/wiki/Washington_University_in_St._Louis?action=raw
https://en.wikipedia.org/wiki/Washington_University_in_St%2E_Louis?action=raw

Event Timeline

Firespeaker updated the task description.
Firespeaker raised the priority of this task from to High.
Firespeaker added a subscriber: Firespeaker.
Aklapper renamed this task from raw view fails when . or %2E is in page name to "Forbidden error" on en.wp for ?action=raw when page name contains . or %2E. Jan 7 2015, 5:49 PM
Aklapper set Security to None.
brion closed this task as Declined. Jan 23 2015, 7:50 PM
brion claimed this task.
brion added a subscriber: brion.

This restriction is a security hack for some (older?) browsers which can be fooled into executing arbitrary HTML+JavaScript code when there's a "recognized file extension" at the end of the URL path.

To avoid hitting this, either:

or

  • use the API to fetch data in XML or JSON packaging

Note that action=raw is a very old feature and is not recommended for current use since the API was created some years ago.
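
The kind of server-side check described in the comment above, as an added example: this is a simplified model written for this page, not MediaWiki's code. The rule it applies (refuse the request when the percent-decoded path or query string ends in a dot followed by extension-like characters), the `ALLOWED_EXTENSIONS` set, and the `wiki.example` URLs are assumptions; only the two en.wikipedia.org URLs and the error wording come from the task.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: "extension-like" means a dot followed only by letters, digits,
# underscores or hyphens, running to the very end of the string.
_TRAILING_EXT = re.compile(r"\.([A-Za-z0-9_\-]+)$")

# Assumption: extensions the server's own entry points legitimately end in.
ALLOWED_EXTENSIONS = frozenset({"php"})


def trailing_extension(value):
    """Return the extension-like suffix of a URL component, or None.

    The component is percent-decoded first, so "%2E" is treated exactly
    like a literal "." (the task reports both forms being rejected).
    """
    match = _TRAILING_EXT.search(unquote(value))
    return match.group(1).lower() if match else None


def check_raw_request(url):
    """Return (status, reason) for a request that would serve raw page text."""
    parts = urlsplit(url)
    for label, value in (("path info", parts.path),
                         ("query string", parts.query)):
        ext = trailing_extension(value)
        if ext is not None and ext not in ALLOWED_EXTENSIONS:
            return 403, f"Invalid file extension found in the {label}: .{ext}"
    return 200, "ok"


if __name__ == "__main__":
    samples = [
        # The two URLs from the task description.
        "https://en.wikipedia.org/wiki/Washington_University_in_St._Louis?action=raw",
        "https://en.wikipedia.org/wiki/Washington_University_in_St%2E_Louis?action=raw",
        # Constructed URLs for comparison.
        "https://wiki.example/wiki/Main_Page?action=raw",
        "https://wiki.example/w/index.php?title=Main_Page&action=raw",
        "https://wiki.example/wiki/Main_Page?action=raw&x=a.html",
    ]
    for url in samples:
        print(check_raw_request(url), url)
```
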