SECURITY: API: Avoid some silliness with browser-guessed filenames
[lhc/web/wiklou.git] / includes / Feed.php
index f76a634..fd223e6 100644 (file)
@@ -139,7 +139,7 @@ class FeedItem {
         */
        public function getLanguage() {
                global $wgLanguageCode;
-               return wfBCP47( $wgLanguageCode );
+               return LanguageCode::bcp47( $wgLanguageCode );
        }
 
        /**
@@ -230,6 +230,12 @@ abstract class ChannelFeed extends FeedItem {
                $wgOut->disable();
                $mimetype = $this->contentType();
                header( "Content-type: $mimetype; charset=UTF-8" );
+
+               // Set a sane filename
+               $exts = MimeMagic::singleton()->getExtensionsForType( $mimetype );
+               $ext = $exts ? strtok( $exts, ' ' ) : 'xml';
+               header( "Content-Disposition: inline; filename=\"feed.{$ext}\"" );
+
                if ( $wgVaryOnXFP ) {
                        $wgOut->addVaryHeader( 'X-Forwarded-Proto' );
                }
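Review bot: `$ext` goes into the quoted `filename` parameter of the `Content-Disposition` header unchecked, so the header's well-formedness depends entirely on what `MimeMagic::singleton()->getExtensionsForType( $mimetype )` returns; its data source and any validation inside `contentType()` are not visible in this hunk. `strtok()` also returns false when `$exts` contains only spaces, which would produce the filename `feed.`. A guard after the `strtok()` line would cover both cases: `if ( !is_string( $ext ) || !preg_match( '/^[A-Za-z0-9]+$/', $ext ) ) { $ext = 'xml'; }`. The comment `// Set a sane filename` could also record the reason, for example `// Set an explicit filename so browsers do not guess one (and a file type) themselves`. The enclosing method starts and ends outside the hunk.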