From 124299758ca7454561118f466a0470905758924f Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Wed, 13 Apr 2011 05:42:02 +0200 Subject: update to MediaWiki 1.16.3 --- includes/WebRequest.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'includes/WebRequest.php') diff --git a/includes/WebRequest.php b/includes/WebRequest.php index b6d6d27a..8a0ef48b 100644 --- a/includes/WebRequest.php +++ b/includes/WebRequest.php @@ -688,10 +688,27 @@ class WebRequest { * but only by prefixing it with the script name and maybe some other stuff, * the extension is not mangled. So this should be a reasonably portable * way to perform this security check. + * + * Also checks for anything that looks like a file extension at the end of + * QUERY_STRING, since IE 6 and earlier will use this to get the file type + * if there was no dot before the question mark (bug 28235). */ public function isPathInfoBad() { global $wgScriptExtension; + if ( isset( $_SERVER['QUERY_STRING'] ) + && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) + { + // Bug 28235 + // Block only Internet Explorer, and requests with missing UA + // headers that could be IE users behind a privacy proxy. + if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) + || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) ) + { + return true; + } + } + if ( !isset( $_SERVER['PATH_INFO'] ) ) { return false; } -- cgit v1.2.3-54-g00ecf
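Review bot: The new QUERY_STRING guard is broader than the docblock added above it describes — the comment scopes the IE behaviour to requests where no dot precedes the question mark, but `preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] )` is evaluated regardless of what the path looks like, so any IE request whose query string happens to end in a short dotted token (a constructed example: `?title=File:Example.jpg`) is rejected even when the script path already carries an extension. If the caller treats a true return as a hard error, that is a likely source of breakage for ordinary IE traffic; either narrow the condition by also checking the path portion of REQUEST_URI for a dot, or reword the docblock to state that the check is deliberately applied to every query string. The missing-User-Agent branch deserves the same scrutiny, since non-browser clients frequently send no UA header; a comment such as `// NOTE: also rejects UA-less clients (bots, scripts) whose query string ends in .xxx` would make that trade-off explicit for operators. The `$` anchor also matches before a trailing newline, so `\z` (or the `D` modifier) would pin the match to the true end of the string. isPathInfoBad()'s body continues past the end of the hunk.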