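 /**
  * Returns true if the PATH_INFO ends with an extension other than a script
  * extension. This could confuse IE for scripts that send arbitrary data which
  * is not HTML but may be detected as such.
  *
  * Various past attempts to use the URL to make this check have generally
  * run up against the fact that CGI does not provide a standard method to
  * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
  * but only by prefixing it with the script name and maybe some other stuff,
  * the extension is not mangled. So this should be a reasonably portable
  * way to perform this security check.
  *
  * Also checks for anything that looks like a file extension at the end of
  * QUERY_STRING, since IE 6 and earlier will use this to get the file type
  * if there was no dot before the question mark (bug 28235).
  *
  * @deprecated since 1.17, use checkUrlExtension() instead.
  *
  * @param array $extWhitelist Extensions (without the leading dot) that are
  *   acceptable in addition to the configured script extension.
  *
  * @return bool True if PATH_INFO or QUERY_STRING looks unsafe for IE.
  */
 public function isPathInfoBad(array $extWhitelist = array())
 {
     wfDeprecated(__METHOD__, '1.17');
     global $wgScriptExtension;
     // The script's own extension is always acceptable, so only a trailing
     // extension that is not a script extension is reported as bad.
     $extWhitelist[] = ltrim($wgScriptExtension, '.');
     return IEUrlExtension::areServerVarsBad($_SERVER, $extWhitelist);
 }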
 /**
  * Check whether Internet Explorer would pick up an incorrect file type from
  * an extension in PATH_INFO or QUERY_STRING. If the server variables look
  * unsafe, a non-POST request is redirected to a corrected URL when one can
  * be produced; otherwise an HttpError is thrown.
  *
  * @param array $extWhitelist Extra extensions to accept; 'php' is always accepted.
  * @throws HttpError 403 when the URL is unsafe and no redirect was issued.
  * @return bool True if the request may proceed, false if a redirect has been
  *   sent and the caller should abort.
  */
 public function checkUrlExtension($extWhitelist = array())
 {
     $extWhitelist[] = 'php';
     $looksBad = IEUrlExtension::areServerVarsBad($_SERVER, $extWhitelist);
     if (!$looksBad) {
         return true;
     }
     // POST requests are never redirected; they fall through to the error.
     $fixedUrl = $this->wasPosted()
         ? false
         : IEUrlExtension::fixUrlForIE6($this->getFullRequestURL(), $extWhitelist);
     if ($fixedUrl !== false) {
         $this->doSecurityRedirect($fixedUrl);
         return false;
     }
     throw new HttpError(403, 'Invalid file extension found in the path info or query string.');
 }
 /**
  * A name containing several dots yields only the final segment.
  *
  * @covers IEUrlExtension::findIE6Extension
  */
 public function testTwoDots()
 {
     $input = 'x.y.z';
     $extension = IEUrlExtension::findIE6Extension($input);
     $this->assertEquals('z', $extension, 'Two dots');
 }
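 /**
  * A lone trailing dot yields an empty extension.
  *
  * @covers IEUrlExtension::findIE6Extension
  */
 public function testDotAtEnd()
 {
     $this->assertEquals('', IEUrlExtension::findIE6Extension('.'), 'Dot at end of string');
 }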
 /**
  * A URL-encoded dot in the script name is not treated as an extension
  * separator; the extension comes from the last dotted query value.
  *
  * @covers IEUrlExtension::findIE6Extension
  */
 public function testEscapedScriptQueryDot()
 {
     $url = 'example%2Ephp?foo=a.x&bar=b.y';
     $extension = IEUrlExtension::findIE6Extension($url);
     $this->assertEquals('y', $extension, 'Script with urlencoded dot and query with dot');
 }
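 /**
  * Returns true if the PATH_INFO ends with an extension other than a script
  * extension. This could confuse IE for scripts that send arbitrary data which
  * is not HTML but may be detected as such.
  *
  * Various past attempts to use the URL to make this check have generally
  * run up against the fact that CGI does not provide a standard method to
  * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
  * but only by prefixing it with the script name and maybe some other stuff,
  * the extension is not mangled. So this should be a reasonably portable
  * way to perform this security check.
  *
  * Also checks for anything that looks like a file extension at the end of
  * QUERY_STRING, since IE 6 and earlier will use this to get the file type
  * if there was no dot before the question mark (bug 28235).
  *
  * @return bool True if PATH_INFO or QUERY_STRING looks unsafe for IE.
  */
 public function isPathInfoBad()
 {
     global $wgScriptExtension;
     // Initialise explicitly rather than relying on auto-vivification of an
     // undefined variable; only the script's own extension is whitelisted.
     $extWhitelist = array();
     $extWhitelist[] = ltrim($wgScriptExtension, '.');
     return IEUrlExtension::areServerVarsBad($_SERVER, $extWhitelist);
 }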