Last modified: 2011-05-15 12:58:05 UTC
r12922 introduced a patch to allow clients other than MSIE to utilize action=raw via the article path, e.g. /wiki/Article?action=raw (due to mime type extension overrides in MSIE).
This was recently disabled for *all* clients in r29939 due to a possible security bug, whereby certain other clients (including Mozilla/Firefox) would allow file extensions of any type to be the default suggested filename, when saving data from an arbitrary page's contents using a malicious URL. For example: /wiki/Fake_page_name.bat?oldid=1234&action=raw
However, this might be breaking interwiki transclusions?
Could action=raw instead always have a Content-disposition header? Something like: header("content-disposition: inline; filename=\"$filename\""); where $filename is a multi-platform safe version of the article's filename (probably ASCII, with spaces, slashes, dots, etc. removed) as well as a harmless file extension appended (such as .txt)?
This would probably first require writing and testing a function for escaping filenames, possibly Sanitizer::escapeFilename().
Well, to clarify, *if* no ctype or gen is used, the default mime type is text/x-wiki. For such a case, a Content-disposition would be useful.
Parameters that would define a filename:
"ctype": only for "text/x-wiki" (the default) and maybe "application/x-zope-edit"? It might be worthwhile just to exclude CSS/JS.
"smaxage", "maxage", "templates", "usemsgcache", "section", "oldid": ignore
See the file name that's generated for Special:Export as well; consider using the same style for both, making use of the site name and/or page name when available (as long as appropriately sanitized).
Interwiki transclusions use POSTs and are unaffected by this change.
Seems we don't need this.
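For reference, a sketch of the filename escaping proposed in this report, as an added example that is not MediaWiki code and not from any commenter here. The function names escapeFilenameForDownload() and rawContentDisposition(), the 100-byte limit and the "page" fallback are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of MediaWiki.

/**
 * Reduce a page title to a conservative ASCII base name and append a
 * fixed, harmless extension, so that no part of the request URL can
 * choose the extension a browser suggests when saving.
 */
function escapeFilenameForDownload( string $title, string $ext = 'txt' ): string {
	// Keep only ASCII letters, digits, hyphen and underscore. Spaces,
	// slashes, dots, quotes, CR/LF and non-ASCII bytes become "_".
	$base = preg_replace( '/[^A-Za-z0-9_-]+/', '_', $title );
	$base = trim( $base, '_' );
	// Bound the length (assumed limit) and never return an empty name.
	$base = substr( $base, 0, 100 );
	if ( $base === '' ) {
		$base = 'page';
	}
	return $base . '.' . $ext;
}

/**
 * Build the header line for the default text/x-wiki raw output.
 */
function rawContentDisposition( string $title ): string {
	$filename = escapeFilenameForDownload( $title );
	// Safe inside a quoted-string: the sanitizer leaves no quote,
	// backslash or control character in $filename.
	return 'Content-Disposition: inline; filename="' . $filename . '"';
}

// Constructed sample titles, including the one from this report.
$samples = [
	'Fake_page_name.bat',
	'Main Page',
	"a\"b\r\nX-Injected: 1",
	'../../etc/passwd',
	'...',
];
foreach ( $samples as $title ) {
	// A response handler would call header( rawContentDisposition( $title ) ).
	echo rawContentDisposition( $title ), "\n";
}
```

Because dots are stripped from the base name and the extension is fixed by the server, a title ending in .bat can no longer supply the suggested extension, and the CR/LF in the third sample cannot start a new header line.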