X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=api.php;h=817f4bca78a689812ef91fa9819bed25cf74c523;hb=7f1c4b12030e8ca4c6e7136d00f4eed26749975d;hp=981910d8e9fc7791545ad34915285798a8416665;hpb=a15c419b3d130248f2556b9d00643ba9666a4189;p=lhc%2Fweb%2Fwiklou.git
diff --git a/api.php b/api.php
index 981910d8e9..817f4bca78 100644
--- a/api.php
+++ b/api.php
@@ -37,11 +37,34 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
 wfProfileIn('api.php');
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ $url = $_SERVER['SCRIPT_URL'];
+} else {
+ $url = $_SERVER['PHP_SELF'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+ wfHttpError( 403, 'Forbidden',
+ 'API must be accessed through the primary script entry point.' );
+ return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
 echo '
 $wgEnableAPI=true;
 ';
- die(-1);
+ die(1);
 }
 /* Construct an ApiMain with the arguments passed via the URL. What we get back
@@ -50,10 +73,16 @@ if (!$wgEnableAPI) {
  */
 $processor = new ApiMain($wgRequest, $wgEnableWriteAPI);
-// Generate the output.
+// Process data & print results
 $processor->execute();
+// Execute any deferred updates
+wfDoUpdates();
+
 // Log what the user did, for book-keeping purposes.
 wfProfileOut('api.php');
 wfLogProfilingData();
+// Shut down the database
+wfGetLBFactory()->shutdown();
+
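Review bot: The new 403 branch leaves the profiler section unbalanced: `wfProfileIn('api.php')` is the context line at the top of the hunk, and the rejected-request path does `return;` without a matching `wfProfileOut('api.php');`, which the profiler will presumably report as a mismatched section; add `wfProfileOut('api.php');` directly before `return;`. The bare `strcmp( ... )` used as the `if` condition reads as the inverse of what it tests, since a non-zero result means "different"; `if ( "$wgScriptPath/api$wgScriptExtension" !== $url )` says the same thing directly. Because the comparison is exact, any deployment where `$wgScriptPath`, `SCRIPT_URL` or the `PHP_SELF` fallback does not spell the canonical path (server aliases, a mis-set `$wgScriptPath`) will fail closed with a 403 on every API call, which is the safe direction for this check but deserves a line in the comment block, e.g. `// Exact match: a mismatched $wgScriptPath disables the API (403) rather than bypassing this check.`. It is worth keeping the 403 message static as it is here, since echoing `$url` back would reintroduce attacker-controlled text into the error response.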
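Review bot: `wfDoUpdates()` and `wfGetLBFactory()->shutdown()` are only reached on the straight-line path; if `$processor->execute()` throws (ApiMain is not visible here, so whether it catches everything is an assumption), the deferred updates and the load-balancer shutdown are skipped, and the 403 `return` and `die(1)` exits in the first hunk bypass them as well. If that is intended, a comment above `$processor->execute();` should state it, e.g. `// ApiMain::execute() is expected to handle its own errors; the shutdown steps below assume it returns normally.`. The new comment `// Shut down the database` describes the call loosely; what the line does is call shutdown on the load-balancer factory, so `// Shut down the DB load-balancer factory` matches the code without claiming more than is visible.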