dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2539016) | patch
SECURITY: API: Avoid some silliness with browser-guessed filenames
authorBrad Jorsch <bjorsch@wikimedia.org>
Fri, 26 Feb 2016 22:46:07 +0000 (17:46 -0500)
committerReedy <reedy@wikimedia.org>
Wed, 15 Nov 2017 00:58:44 +0000 (00:58 +0000)
commitc75f0e95c9888489961548c72ef24786c43838aa
tree2118dca6a5f9dab0b395b83a640529cd3d0e481ftree | snapshot
parent25390162c755eb19077310fc04b8f3d19bf1dc23commit | diff
SECURITY: API: Avoid some silliness with browser-guessed filenames

If someone is both dumb enough to blindly save an API response and to
then execute the resulting file, this can be used to attack their
computer.

We can mitigate this by disallowing PATH_INFO in api.php URLs (because
we don't make any use of them anyway) and by setting a sensible filename
using a Content-Disposition header so the browser won't go guessing at
the filename based on what is in the URL.

Issue reported by: Abdullah Hussam

Bug: T128209
Change-Id: I8526f5cc506c551edb6138d68450b6acea065e93
api.php diff | blob | history
includes/Feed.php diff | blob | history
includes/api/ApiFormatBase.php diff | blob | history
includes/api/ApiFormatRaw.php diff | blob | history
includes/api/ApiHelp.php diff | blob | history
includes/api/ApiQuery.php diff | blob | history
Wiklou, le Wiki du Wiklou