update to MediaWiki 1.16.3

author: Pierre Schmitz <pierre@archlinux.de> 2011-04-13 05:42:02 +0200
committer: Pierre Schmitz <pierre@archlinux.de> 2011-04-13 05:42:02 +0200
commit: 124299758ca7454561118f466a0470905758924f (patch)
tree: f4d09ea1286d6747ae36aecd4ba28dfb04c9e7c5 /includes/WebRequest.php
parent: 3bddedf685051638fdba61268ad195fee041db1c (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index b6d6d27a..8a0ef48b 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -688,10 +688,27 @@ class WebRequest {
 	 * but only by prefixing it with the script name and maybe some other stuff,
 	 * the extension is not mangled. So this should be a reasonably portable
 	 * way to perform this security check.
+	 *
+	 * Also checks for anything that looks like a file extension at the end of
+	 * QUERY_STRING, since IE 6 and earlier will use this to get the file type
+	 * if there was no dot before the question mark (bug 28235).
 	 */
 	public function isPathInfoBad() {
 		global $wgScriptExtension;
 
+		if ( isset( $_SERVER['QUERY_STRING'] ) 
+			&& preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
+		{
+			// Bug 28235
+			// Block only Internet Explorer, and requests with missing UA 
+			// headers that could be IE users behind a privacy proxy.
+			if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) 
+				|| preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
+			{
+				return true;
+			}
+		}
+
 		if ( !isset( $_SERVER['PATH_INFO'] ) ) {
 			return false;
 		}
author	Pierre Schmitz <pierre@archlinux.de>	2011-04-13 05:42:02 +0200
committer	Pierre Schmitz <pierre@archlinux.de>	2011-04-13 05:42:02 +0200
commit	124299758ca7454561118f466a0470905758924f (patch)
tree	f4d09ea1286d6747ae36aecd4ba28dfb04c9e7c5 /includes/WebRequest.php
parent	3bddedf685051638fdba61268ad195fee041db1c (diff)