SECURITY: API: Avoid some silliness with browser-guessed filenames

[lhc/web/wiklou.git] / api.php

diff --git a/api.php b/api.php
index 6e75fb7..d9a69db 100644 (file)
--- a/api.php
+++ b/api.php
@@ -44,6 +44,17 @@ if ( !$wgRequest->checkUrlExtension() ) {
        return;
 }
 
+// Pathinfo can be used for stupid things. We don't support it for api.php at
+// all, so error out if it's present.
+if ( isset( $_SERVER['PATH_INFO'] ) && $_SERVER['PATH_INFO'] != '' ) {
+       $correctUrl = wfAppendQuery( wfScript( 'api' ), $wgRequest->getQueryValues() );
+       $correctUrl = wfExpandUrl( $correctUrl, PROTO_CANONICAL );
+       header( "Location: $correctUrl", true, 301 );
+       echo 'This endpoint does not support "path info", i.e. extra text between "api.php"'
+               . 'and the "?". Remove any such text and try again.';
+       die( 1 );
+}
+
 // Verify that the API has not been disabled
 if ( !$wgEnableAPI ) {
        header( $_SERVER['SERVER_PROTOCOL'] . ' 500 MediaWiki configuration Error', true, 500 );
@@ -63,7 +74,7 @@ RequestContext::getMain()->setTitle( $wgTitle );
 try {
        /* Construct an ApiMain with the arguments passed via the URL. What we get back
         * is some form of an ApiMain, possibly even one that produces an error message,
-        * but we don't care here, as that is handled by the ctor.
+        * but we don't care here, as that is handled by the constructor.
         */
        $processor = new ApiMain( RequestContext::getMain(), $wgEnableWriteAPI );