summaryrefslogtreecommitdiff
path: root/api.php
diff options
context:
space:
mode:
Diffstat (limited to 'api.php')
-rw-r--r--api.php23
1 files changed, 23 insertions, 0 deletions
diff --git a/api.php b/api.php
index fa85573d..ce445ef4 100644
--- a/api.php
+++ b/api.php
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
wfProfileIn('api.php');
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
// Verify that the API has not been disabled
if (!$wgEnableAPI) {
echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';