Last modified: 2011-05-15 12:58:05 UTC

Bug 12720 - action=raw should define Content-disposition
Product: MediaWiki
Classification: Unclassified
Component: Interface
Hardware: All / All
Importance: Low enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Reported: 2008-01-21 09:19 UTC by Splarka
Modified: 2011-05-15 12:58 UTC
CC: 2 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Splarka 2008-01-21 09:19:01 UTC
r12922 introduced a patch to allow clients other than MSIE to utilize action=raw via the article path, e.g. /wiki/Article?action=raw (due to mime type extension overrides in MSIE).

This was recently disabled for *all* clients in r29939 due to a possible security bug, whereby certain other clients (including Mozilla/Firefox) would allow file extensions of any type to be the default suggested filename, when saving data from an arbitrary page's contents using a malicious URL. For example: /wiki/Fake_page_name.bat?oldid=1234&action=raw

However, this might be breaking interwiki transclusions?

Could action=raw instead always have a Content-disposition header? Something like: header('content-disposition: inline; filename="$filename"'); where $filename is a multi-platform-safe version of the article's filename (probably ASCII, with spaces, slashes, dots, etc. removed) as well as a harmless file extension appended (such as .txt)?

This would probably first require writing and testing a function for escaping filenames, possibly Sanitizer::escapeFilename().
Comment 1 Huji 2008-01-21 12:04:33 UTC
As action=raw is generally used for JS and CSS, maybe we should let the content-disposition show the appropriate filetype accordingly. This can use the "ctype" parameter to see what the expected extension is (.css for text/css, .js for text/javascript, etc.), and the list can be limited (so, for example, one can't use ctype=application/octet-stream, and when it is used, a default cross-platform-safe extension (like .txt) is used).
Comment 2 Splarka 2008-01-21 12:20:23 UTC
Well, to clarify, *if* no ctype or gen is used, the default mime type is text/x-wiki. For such a case, a Content-disposition would be useful.

Parameters that would define a filename:

 "ctype": only for "text/x-wiki" (the default) and maybe "application/x-zope-edit" ?... it might be worthwhile just to exclude css/js.

 "gen": never

 "smaxage", "maxage", "templates", "usemsgcache", "section", "oldid": ignore
Comment 3 Brion Vibber 2008-03-13 19:14:10 UTC
See the file name that's generated for Special:Export as well; consider using the same style for both, making use of the site name and/or page name when available (as long as appropriately sanitized).
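The approach sketched in the description and comments 1 to 3, written out as an added PHP example (this is not MediaWiki's code, and the function names rawContentDisposition, escapeFilenameForRaw and extensionForRawCtype, the $siteName parameter and the allowlist of ctype values are assumptions made for the illustration). It shows why a fixed Content-Disposition defeats the /wiki/Fake_page_name.bat?action=raw trick: dots are never carried into the suggested filename, and the extension is chosen from a short allowlist with .txt as the fallback, so whatever the path segment says, the browser never suggests an executable name.

```php
<?php
// Added example, not MediaWiki's own code. Builds a Content-Disposition value
// for action=raw responses along the lines proposed in bug 12720.

/**
 * Reduce an arbitrary page title to a cross-platform-safe ASCII stem.
 * Spaces, slashes, dots and anything else outside [A-Za-z0-9_-] become a
 * single underscore, so a fake ".bat" in the title cannot reach the filename.
 */
function escapeFilenameForRaw( string $title ): string {
    $stem = preg_replace( '/[^A-Za-z0-9_-]+/', '_', $title );
    $stem = trim( $stem, '_-' );
    // Windows treats a few device names specially whatever the extension.
    if ( $stem === '' || preg_match( '/^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i', $stem ) ) {
        $stem = 'page';
    }
    return substr( $stem, 0, 100 );
}

/**
 * Map the ctype parameter onto a limited allowlist of extensions (comment 1).
 * Anything not listed, including application/octet-stream, falls back to .txt.
 */
function extensionForRawCtype( ?string $ctype ): string {
    static $allowed = [
        'text/css'        => 'css',
        'text/javascript' => 'js',
        'text/x-wiki'     => 'txt',   // the default mime type for action=raw
    ];
    return $allowed[ strtolower( (string)$ctype ) ] ?? 'txt';
}

/**
 * Return the header value, or null when no header should be sent.
 * Comment 2: gen= and css/js responses are loaded by reference, never saved,
 * so they get no disposition. Comment 3: the site name is prepended when
 * available, in the style of the Special:Export filename.
 */
function rawContentDisposition(
    string $title,
    ?string $ctype = null,
    ?string $gen = null,
    string $siteName = ''
): ?string {
    if ( $gen !== null ) {
        return null;
    }
    $ext = extensionForRawCtype( $ctype );
    if ( $ext === 'css' || $ext === 'js' ) {
        return null;
    }
    $stem = escapeFilenameForRaw( $title );
    if ( $siteName !== '' ) {
        $stem = escapeFilenameForRaw( $siteName ) . '-' . $stem;
    }
    // The stem is plain ASCII without quotes or control characters, so the
    // quoted-string form of the filename parameter needs no further escaping.
    return 'inline; filename="' . $stem . '.' . $ext . '"';
}

// Constructed sample input: the malicious title from the bug description,
// requested with no ctype and no gen, on a wiki called "Example Wiki".
$disposition = rawContentDisposition( 'Fake_page_name.bat', null, null, 'Example Wiki' );
if ( $disposition !== null ) {
    header( 'Content-Disposition: ' . $disposition );
}
```

With the sample input the dot in the title is replaced by an underscore and the extension is forced to .txt, so the name the browser offers for saving is a harmless text file rather than a .bat. A request with ctype=text/css or ctype=text/javascript, or any gen= request, produces no header at all, which keeps stylesheet and script loading unchanged; the same allowlist could be extended with application/x-zope-edit as comment 2 suggests.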
Comment 4 Platonides 2011-05-15 12:58:05 UTC
Interwiki transclusions use POSTs and are unaffected by this change.

JavaScript and CSS are now done through the ResourceLoader.

Seems we don't need this.
