Last modified: 2011-05-15 12:58:05 UTC

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T14720, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 12720 - action=raw should define Content-disposition
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: Interface
Version: 1.12.x
Hardware/OS: All / All
Importance: Low enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2008-01-21 09:19 UTC by Splarka
Modified: 2011-05-15 12:58 UTC
CC: 2 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---
Description Splarka 2008-01-21 09:19:01 UTC
r12922 introduced a patch to allow clients other than MSIE to utilize action=raw via the article path, e.g. /wiki/Article?action=raw (due to mime type extension overrides in MSIE).

This was recently disabled for *all* clients in r29939 due to a possible security bug, whereby certain other clients (including Mozilla/Firefox) would allow file extensions of any type to be the default suggested filename, when saving data from an arbitrary page's contents using a malicious URL. For example: /wiki/Fake_page_name.bat?oldid=1234&action=raw

However, this might be breaking interwiki transclusions?

Could action=raw instead always have a Content-disposition header? Something like: header('content-disposition: inline; filename="$filename"'); where $filename is a multi-platform safe version of the article's filename (probably ascii, with spaces, slashes, dots, etc removed) as well as a harmless file extension appended (such as .txt)?

This would probably first require writing and testing a function for escaping filenames, possibly Sanitizer::escapeFilename().
Comment 1 Huji 2008-01-21 12:04:33 UTC
As action=raw is generally used for JS and CSS, maybe we should let the content-disposition show the appropriate filetype accordingly. This can use the "ctype" parameter to see what the expected extension is (.css for text/css, .js for text/javascript, etc.), and the list can be limited (so, for example, one can't use ctype=application/octet-stream, and when it is used, a default cross-platform-safe extension (like .txt) is used).
Comment 2 Splarka 2008-01-21 12:20:23 UTC
Well, to clarify, *if* no ctype or gen is used, the default mime type is text/x-wiki. For such a case, a Content-disposition would be useful.

Parameters that would define a filename:

 "ctype": only for "text/x-wiki" (the default) and maybe "application/x-zope-edit" ?... it might be worthwhile just to exclude css/js.

 "gen": never

 "smaxage", "maxage", "templates", "usemsgcache", "section", "oldid": ignore
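One way to build the header that the description and Comments 1 and 2 sketch, as an added example that is neither MediaWiki's own code nor a patch proposed in this thread: the page title is reduced to a safe ASCII stem so the title's own ".bat"-style suffix can never become the saved file's extension, and the extension comes from an allowlist keyed on ctype (text/x-wiki and application/x-zope-edit get .txt; css/js and gen= output get no header, following Comment 2). The function names and the $gen flag (meaning a gen= parameter was supplied) are assumptions.

```php
<?php
// Hypothetical helpers, not MediaWiki code. They produce the Content-Disposition
// value for action=raw as discussed in this bug.

// Allowlist of ctype values that receive a Content-Disposition header, mapped to
// a harmless extension. CSS/JS are deliberately absent (Comment 2), so a request
// for ctype=text/css or an unknown type such as application/octet-stream gets no
// header from this function.
const RAW_DISPOSITION_EXTENSIONS = [
    'text/x-wiki'             => 'txt',   // the default when ctype is omitted
    'application/x-zope-edit' => 'txt',
];

function sanitizeRawFilename(string $title): string {
    // Keep ASCII letters, digits, hyphen and underscore; every other run of
    // characters (spaces, slashes, dots, non-ASCII) collapses to one underscore,
    // so "Fake_page_name.bat" becomes "Fake_page_name_bat" and cannot carry an
    // extension of its own.
    $safe = preg_replace('/[^A-Za-z0-9_-]+/', '_', $title);
    $safe = trim((string)$safe, '_');
    if ($safe === '') {
        $safe = 'page';
    }
    // Bound the length so very long titles stay within common filesystem limits.
    return substr($safe, 0, 100);
}

function rawDispositionFilename(string $title, ?string $ctype, bool $gen): ?string {
    if ($gen) {
        return null;                       // "gen": never (Comment 2)
    }
    $ctype = $ctype ?? 'text/x-wiki';      // default mime type for action=raw
    if (!isset(RAW_DISPOSITION_EXTENSIONS[$ctype])) {
        return null;                       // not on the allowlist: no header
    }
    return sanitizeRawFilename($title) . '.' . RAW_DISPOSITION_EXTENSIONS[$ctype];
}

function sendRawDispositionHeader(string $title, ?string $ctype, bool $gen): void {
    $filename = rawDispositionFilename($title, $ctype, $gen);
    if ($filename !== null) {
        // The sanitized stem contains no quotes or control characters, so it can
        // be placed inside the quoted-string parameter as-is.
        header('Content-Disposition: inline; filename="' . $filename . '"');
    }
}

// Constructed inputs mirroring the URL shape from the bug description.
var_dump(rawDispositionFilename('Fake_page_name.bat', null, false));
var_dump(rawDispositionFilename('Common.css', 'text/css', false));
var_dump(rawDispositionFilename('Monobook.js', null, true));
```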
Comment 3 Brion Vibber 2008-03-13 19:14:10 UTC
See the file name that's generated for Special:Export as well; consider using the same style for both, making use of the site name and/or page name when available (as long as appropriately sanitized).
Comment 4 Platonides 2011-05-15 12:58:05 UTC
Interwiki transclusions use POSTs and are unaffected by this change.

JavaScript and CSS are now done through the ResourceLoader.

Seems we don't need this.
