
"Forbidden error" on en.wp for ?action=raw when page name contains . or %2E
Closed, Declined / Public


When a page with a . or %2E in its name is accessed via ?action=raw, a page saying "<h1>Forbidden</h1><p>Invalid file extension found in the path info or query string.</p>" is returned instead.

Examples of this behaviour include:

Event Timeline

Firespeaker raised the priority of this task from to High.
Firespeaker updated the task description.
Firespeaker subscribed.
Aklapper renamed this task from raw view fails when . or %2E is in page name to "Forbidden error" on en.wp for ?action=raw when page name contains . or %2E. Jan 7 2015, 5:49 PM
Aklapper set Security to None.
brooke claimed this task.
brooke subscribed.

This restriction is a security hack for some (older?) browsers which can be fooled into executing arbitrary HTML+JavaScript code when there's a "recognized file extension" at the end of the URL path.

To avoid hitting this, either:


  • use the API to fetch data in XML or JSON packaging

Note that action=raw is a very old feature and is not recommended for current use since the API was created some years ago.
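
The API route suggested in the comment above, as an added example that is not part of the original thread or MediaWiki's own code: it builds a query for a page's current wikitext and reads it out of the JSON response. The endpoint URL, the function names and the sample responses are assumptions made for illustration; sending the parameters as a POST body is a choice made here so that the page title stays out of the path info and query string, the two places the error message names.

```python
import json
from urllib.parse import urlencode

# Assumed endpoint; substitute the target wiki's own api.php URL.
API_URL = "https://en.wikipedia.org/w/api.php"


def build_request(title):
    """Return (url, body) for a POST asking for the page's current wikitext.

    The parameters travel in the POST body, so a "." in the title never
    becomes part of the URL path or query string.
    """
    params = {
        "action": "query",
        "prop": "revisions",
        "rvprop": "content",
        "rvslots": "main",
        "titles": title,
        "format": "json",
        "formatversion": "2",
    }
    return API_URL, urlencode(params).encode("ascii")


def extract_wikitext(response_text):
    """Return the wikitext from a formatversion=2 response, or None if the page is absent."""
    page = json.loads(response_text)["query"]["pages"][0]
    if page.get("missing") or page.get("invalid"):
        return None
    return page["revisions"][0]["slots"]["main"]["content"]


# Constructed sample responses (not captured from a live wiki).
SAMPLE_FOUND = json.dumps({"query": {"pages": [{
    "pageid": 1, "ns": 0, "title": "Example.page",
    "revisions": [{"slots": {"main": {
        "contentmodel": "wikitext", "contentformat": "text/x-wiki",
        "content": "'''Example''' text."}}}]}]}})
SAMPLE_MISSING = json.dumps({"query": {"pages": [
    {"ns": 0, "title": "No.such.page", "missing": True}]}})

if __name__ == "__main__":
    url, body = build_request("Example.page")
    print(url, body.decode())
    print(extract_wikitext(SAMPLE_FOUND))
    print(extract_wikitext(SAMPLE_MISSING))
```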