Last modified: 2011-05-15 12:58:05 UTC
r12922 introduced a patch to allow clients other than MSIE to utilize action=raw via the article path, e.g. /wiki/Article?action=raw (due to mime type extension overrides in MSIE). This was recently disabled for *all* clients in r29939 due to a possible security bug, whereby certain other clients (including Mozilla/Firefox) would allow file extensions of any type to be the default suggested filename when saving data from an arbitrary page's contents using a malicious URL. For example: /wiki/Fake_page_name.bat?oldid=1234&action=raw

However, this might be breaking interwiki transclusions? Could action=raw instead always have a Content-disposition header? Something like:

header('content-disposition: inline; filename="$filename"');

where $filename is a multi-platform safe version of the article's filename (probably ASCII, with spaces, slashes, dots, etc. removed) as well as a harmless file extension appended (such as .txt)? This would probably first require writing and testing a function for escaping filenames, possibly Sanitizer::escapeFilename().
As action=raw is generally used for JS and CSS, maybe we should let the content-disposition show the appropriate filetype accordingly. This can use the "ctype" parameter to see what the expected extension is (.css for text/css, .js for text/javascript, etc.), and the list can be limited (so, for example, one can't use ctype=application/octet-stream, and when it is used, a default cross-platform-safe extension (like .txt) is used).
Well, to clarify, *if* no ctype or gen is used, the default mime type is text/x-wiki. For such a case, a Content-disposition would be useful. Parameters that would define a filename:

"ctype": only for "text/x-wiki" (the default) and maybe "application/x-zope-edit"?... it might be worthwhile just to exclude css/js.
"gen": never
"smaxage", "maxage", "templates", "usemsgcache", "section", "oldid": ignore
See the file name that's generated for Special:Export as well; consider using the same style for both, making use of the site name and/or page name when available (as long as appropriately sanitized).
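An added sketch of the proposal from the comments above (the ctype rules, the harmless .txt extension, and the sanitized site name plus page name in Special:Export style); this is example code, not MediaWiki's own, and the function and table names are assumptions.

```python
import re
import unicodedata
from typing import Optional

# Assumed policy, following the thread: the default text/x-wiki (and the zope edit
# type) get a Content-Disposition with a harmless extension; CSS/JS never do;
# any other ctype value (e.g. application/octet-stream) falls back to .txt.
DEFAULT_CTYPE = "text/x-wiki"
DISPOSITION_EXT = {"text/x-wiki": ".txt", "application/x-zope-edit": ".txt"}
NO_DISPOSITION = {"text/css", "text/javascript"}
FALLBACK_EXT = ".txt"


def escape_filename(title: str, max_len: int = 64) -> str:
    """Reduce a page or site name to an ASCII token without spaces, slashes or
    dots, so a browser cannot derive a file extension from the title itself
    (a stand-in for the Sanitizer::escapeFilename() the thread proposes)."""
    ascii_only = unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode()
    token = re.sub(r"[^A-Za-z0-9_-]+", "_", ascii_only).strip("_")
    # The result contains only [A-Za-z0-9_-], so it is safe inside a quoted header value.
    return token[:max_len].rstrip("_") or "page"


def raw_content_disposition(title: str, params: dict, site: str = "wiki") -> Optional[str]:
    """Header value for an action=raw request, or None when no header is wanted.

    Only ctype and gen matter; smaxage, maxage, templates, usemsgcache,
    section and oldid are ignored, as the thread suggests."""
    if "gen" in params:
        return None  # generated CSS/JS: never add a disposition
    ctype = params.get("ctype", DEFAULT_CTYPE)
    if ctype in NO_DISPOSITION:
        return None  # explicit CSS/JS: the extension already matches the content
    ext = DISPOSITION_EXT.get(ctype, FALLBACK_EXT)
    # Site name plus page name, Special:Export style, both sanitized.
    filename = f"{escape_filename(site)}-{escape_filename(title)}{ext}"
    return f'inline; filename="{filename}"'


if __name__ == "__main__":
    # Constructed request mirroring the malicious URL from the report.
    print(raw_content_disposition("Fake_page_name.bat", {"oldid": "1234"}))
```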
Interwiki transclusions use POSTs and are unaffected by this change. JavaScript and CSS are now done through the ResourceLoader. Seems we don't need this.