diff options
| author | Pierre Schmitz <pierre@archlinux.de> | 2008-01-24 10:06:59 +0100 |
|---|---|---|
| committer | Pierre Schmitz <pierre@archlinux.de> | 2008-01-24 10:06:59 +0100 |
| commit | 554e44d001b2048a31b4b9e488fcb5832fdba6ea (patch) | |
| tree | 1f1b61c0dfd15e820f418dd329427c4c04ed31fa /api.php | |
| parent | 417cbeee53be17146ab8bbe0f67f90ea2ccee1d1 (diff) | |
Aktualisierung auf Mediawiki 1.11.1
Diffstat (limited to 'api.php')
| -rw-r--r-- | api.php | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -37,6 +37,29 @@ require (dirname(__FILE__) . '/includes/WebStart.php'); wfProfileIn('api.php'); +// URL safety checks +// +// See RawPage.php for details; summary is that MSIE can override the +// Content-Type if it sees a recognized extension on the URL, such as +// might be appended via PATH_INFO after 'api.php'. +// +// Some data formats can end up containing unfiltered user-provided data +// which will end up triggering HTML detection and execution, hence +// XSS injection and all that entails. +// +// Ensure that all access is through the canonical entry point... +// +if( isset( $_SERVER['SCRIPT_URL'] ) ) { + $url = $_SERVER['SCRIPT_URL']; +} else { + $url = $_SERVER['PHP_SELF']; +} +if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { + wfHttpError( 403, 'Forbidden', + 'API must be accessed through the primary script entry point.' ); + return; +} + // Verify that the API has not been disabled if (!$wgEnableAPI) { echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; |