/**
 * Check whether Internet Explorer would derive an incorrect (non-script) file
 * extension from PATH_INFO or QUERY_STRING and so sniff the response as a type
 * it is not. If the request cannot be allowed as-is, either issue a security
 * redirect to a safer URL or throw. Returns true when the URL is acceptable and
 * false when a redirect has been issued and the caller must abort the request.
 *
 * @param array $extWhitelist Extensions that are acceptable in addition to 'php'
 * @throws HttpError 403 when the URL is unsafe and cannot be repaired by redirecting
 * @return bool
 */
public function checkUrlExtension($extWhitelist = array()) {
    // The script's own extension is always acceptable.
    $extWhitelist[] = 'php';

    if (!IEUrlExtension::areServerVarsBad($_SERVER, $extWhitelist)) {
        return true;
    }

    // Only non-POST requests are repaired by redirecting; presumably a redirect
    // would drop the submitted body, so POSTs fall through to the 403 below.
    if (!$this->wasPosted()) {
        $fixedUrl = IEUrlExtension::fixUrlForIE6($this->getFullRequestURL(), $extWhitelist);
        if ($fixedUrl !== false) {
            $this->doSecurityRedirect($fixedUrl);
            return false;
        }
    }

    throw new HttpError(403, 'Invalid file extension found in the path info or query string.');
}
/**
 * Returns true if the PATH_INFO ends with an extension other than a script
 * extension. This could confuse IE for scripts that send arbitrary data which
 * is not HTML but may be detected (and rendered) as such, so this is a
 * security check rather than a cosmetic one.
 *
 * The check is made against the server variables rather than a reconstructed
 * URL: CGI provides no standard way to determine the URL, and while PATH_INFO
 * may be mangled (e.g. if cgi.fix_pathinfo=0) it is only ever prefixed with
 * the script name and similar, so the trailing extension survives intact.
 *
 * The end of QUERY_STRING is inspected as well, since IE 6 and earlier use it
 * to pick the file type when there was no dot before the question mark
 * (bug 28235).
 *
 * @deprecated since 1.17, use checkUrlExtension().
 *
 * @param array $extWhitelist Extensions acceptable in addition to the script extension
 *
 * @return bool
 */
public function isPathInfoBad($extWhitelist = array()) {
    wfDeprecated(__METHOD__, '1.17');
    global $wgScriptExtension;

    // Strip any leading dot so the configured script extension matches the
    // bare-extension form the whitelist uses.
    $scriptExtension = ltrim($wgScriptExtension, '.');
    $extWhitelist[] = $scriptExtension;

    return IEUrlExtension::areServerVarsBad($_SERVER, $extWhitelist);
}
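/**
 * Returns true if the PATH_INFO ends with an extension other than a script
 * extension. This could confuse IE for scripts that send arbitrary data which
 * is not HTML but may be detected (and rendered) as such, so this is a
 * security check rather than a cosmetic one.
 *
 * Various past attempts to use the URL to make this check have generally
 * run up against the fact that CGI does not provide a standard method to
 * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
 * but only by prefixing it with the script name and maybe some other stuff,
 * the extension is not mangled. So this should be a reasonably portable
 * way to perform this security check.
 *
 * Also checks for anything that looks like a file extension at the end of
 * QUERY_STRING, since IE 6 and earlier will use this to get the file type
 * if there was no dot before the question mark (bug 28235).
 *
 * @return bool
 */
public function isPathInfoBad() {
    global $wgScriptExtension;

    // Build the whitelist explicitly instead of relying on PHP auto-vivifying
    // an undefined variable on `[]=`. Only the configured script extension
    // (with any leading dot stripped) is acceptable here.
    $extWhitelist = array(ltrim($wgScriptExtension, '.'));

    return IEUrlExtension::areServerVarsBad($_SERVER, $extWhitelist);
}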