Last modified: 2011-03-13 18:05:16 UTC

Wikimedia Bugzilla is closed: Wikimedia migrated from Bugzilla to Phabricator, and this page is a read-only historical copy. See T4845, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 2845 - Configurable whitelist for action=raw content types
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: 1.4.x
Hardware/OS: All / All
Priority/Severity: Lowest / enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: patch, patch-need-review
Depends on:
Blocks: javascript
Reported: 2005-07-13 17:12 UTC by Benjamin Smedberg
Modified: 2011-03-13 18:05 UTC
CC: 4 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments:
- Configurable whitelist and default, and remove text/javascript from the default whitelist, rev. 1 (3.06 KB, patch); 2005-07-13 17:14 UTC, Benjamin Smedberg
- Same patch, for HEAD (2.55 KB, patch); 2005-07-13 19:22 UTC, Benjamin Smedberg
- HEAD patch with correct case (2.55 KB, patch); 2005-07-13 19:46 UTC, Benjamin Smedberg
- I propose the attached patch which sets text/css as default content type for action=raw (587 bytes, patch); 2005-12-13 07:43 UTC, T. Gries

Description Benjamin Smedberg 2005-07-13 17:12:25 UTC
action=raw allows ctype=text/javascript by default. This is not a good security
setting, because it becomes very easy for wikipages to link to this script and
steal login cookies and other important cookie data.

This patch adds a configurable whitelist of allowed mimetypes and also a
configurable default mimetype.
Comment 1 Benjamin Smedberg 2005-07-13 17:14:15 UTC
Created attachment 703 [details]
Configurable whitelist and default, and remove text/javascript from the default whitelist, rev. 1
Comment 2 Benjamin Smedberg 2005-07-13 17:15:02 UTC
This patch is against 1.4.6, I'm going to checkout and test HEAD now.
Comment 3 Brion Vibber 2005-07-13 19:19:07 UTC
text/javascript is not dangerous. Scripts are executed in the security context of the HTML 
page which includes them with a <script> element, and their source location is not relevant. 
You could just as easily put the evil script on your own site or some other third party site 
and it would work equally well or poorly.

If you believe you know of an actual vulnerability that can be caused through this, please e-mail me privately with details.
Comment 4 Benjamin Smedberg 2005-07-13 19:22:24 UTC
Created attachment 705 [details]
Same patch, for HEAD

This is the same patch merged to HEAD. I did not test it (don't have a head
install ATM, but it's a simple merge so it shouldn't be a big deal).
Comment 5 Brion Vibber 2005-07-13 19:39:13 UTC
Not a security issue, changing subject and priority for the feature request.
Comment 6 Benjamin Smedberg 2005-07-13 19:46:33 UTC
Created attachment 706 [details]
HEAD patch with correct case
Comment 7 T. Gries 2005-12-13 07:43:05 UTC
Created attachment 1179 [details]
I propose the attached patch which sets text/css as default content type for action=raw
Comment 8 Rowan Collins [IMSoP] 2005-12-13 13:21:04 UTC
(In reply to comment #7)
> I propose the attached patch which sets text/css as default content type for
> action=raw

I can't see where that patch fits in with the others, but why would you want to
declare raw pages to be CSS by default? In the majority of cases, they will be
wikitext, hence "text/x-wiki". Or am I missing the point?
Comment 9 Benjamin Smedberg 2005-12-13 14:32:41 UTC
Default as CSS doesn't make sense to me either. Default as text/plain might make
more sense to me, but the current default is fine for my purposes.
Comment 10 T. Gries 2005-12-13 22:45:52 UTC
(In reply to comment #9)
> Default as CSS doesn't make sense to me either. Default as text/plain might make
> more sense to me, but the current default is fine for my purposes.

Brion has suggested yesterday in the irc to use text/css as default, which
appears to be safe (if I understood him correctly), because the browsers let the
source through unchanged. This is not the case for text/x-wiki on Internet
Explorer, which lets IE regard the page to be of "index.php" type and opens an
ugly execute/save/abort window with all the consequences. If you want to dump
the text of an article pagename using index.php?title=pagename&action=raw,
text/css appears to be much better than text/x-wiki (please try it).

But let me know your thoughts here, of course.
Comment 11 Mike Shaver 2005-12-13 22:49:20 UTC
If you want it to just pass through unmolested, why not text/plain?
Comment 12 T. Gries 2005-12-13 22:55:20 UTC
(In reply to comment #11)
> If you want it to just pass through unmolested, why not text/plain?

Yes, you are right. Perhaps Brion misunderstood me. 
I never understood, why text/x-wiki was used here. Can you explain ?
Comment 13 Rowan Collins [IMSoP] 2005-12-14 00:56:42 UTC
(In reply to comment #10)
> [...] This is not the case for text/x-wiki on Internet
> Explorer, which let IE regard the page to be of "index.php" type and opens an
> ugly execute/save/abort window with all the consequences.

Just to clarify this, it doesn't think it's a page of *type* "index.php", it
thinks it's *called* "index.php". But yes, the "I don't know what this is,
should I open, save, or what?" dialogue is an ugly thing to encounter on any
browser, though presumably you can configure a more sane default for
"text/x-wiki" documents if you play with them often...

(In reply to comment #12)
> I never understood, why text/x-wiki was used here. Can you explain ?

It's because IE has an irritating tendency to try really really hard to guess if
something's HTML, making it quite hard to persuade it not to, say, execute the
'contents' of text that says "<script>..." To confirm this, here's an e-mail
from Brion describing the problem:
http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002983.html
[relatedly, here's why you have to use the "main script entry point", not a
fancy URL: http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002952.html]

So 'text/plain' is definitely out. 'text/css' might be "unambiguous" enough for
IE not to try double-guessing, but it seems kind of arbitrary/hackish, and may
end up giving a download prompt anyway [it seems to for me, when I use
"&ctype=text/css" in IE].
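One way to code the allowlist-plus-default scheme from the description and comment 1, together with the anti-sniffing response header that later answered the IE guessing problem described in comment 13. This is an added example written for this page; it is not MediaWiki code and not any of the patches attached to the bug. The configuration names, the contents of the two allowlists and the use of X-Content-Type-Options are assumptions of the example, and that header did not exist in 2005.

```python
"""Allowlist-based content-type selection for a raw-page endpoint.

Added example (not MediaWiki code, not any of the patches attached to this
bug). It models the configurable allowlist plus default proposed in the
description and the browser-sniffing problem from comment 13. Every name
below is hypothetical.
"""
from typing import Dict, FrozenSet, Optional

# Hypothetical configuration in the spirit of "configurable whitelist and
# default". The proposed allowlist leaves text/javascript out; a site that
# agrees with comment 3 simply adds it back, so the policy is configuration
# rather than code.
PROPOSED_ALLOWLIST: FrozenSet[str] = frozenset({"text/x-wiki", "text/css"})
PERMISSIVE_ALLOWLIST: FrozenSet[str] = PROPOSED_ALLOWLIST | {"text/javascript"}
DEFAULT_CTYPE = "text/x-wiki"  # the default for action=raw discussed in the thread


def select_content_type(
    requested: Optional[str],
    allowed: FrozenSet[str] = PROPOSED_ALLOWLIST,
    default: str = DEFAULT_CTYPE,
) -> str:
    """Pick the Content-Type for a request carrying a ctype= parameter.

    The request may only choose among the allowlisted types; anything else
    (unknown, misspelled, or deliberately chosen such as text/html) falls
    back to the configured default instead of being echoed into the header.
    Comparison uses the lowercased media type with any ";charset=..."
    parameter stripped, so 'Text/CSS; charset=utf-8' counts as text/css.
    """
    if not requested:
        return default
    media_type = requested.split(";", 1)[0].strip().lower()
    return media_type if media_type in allowed else default


def raw_response_headers(
    requested: Optional[str],
    allowed: FrozenSet[str] = PROPOSED_ALLOWLIST,
    default: str = DEFAULT_CTYPE,
) -> Dict[str, str]:
    """Response headers for the raw endpoint.

    X-Content-Type-Options: nosniff tells the browser to honour the declared
    type instead of guessing from the body, which is the behaviour comment 13
    complains about (a text/plain body containing "<script>" being treated as
    HTML). Assumption of this example: the header post-dates this bug and is
    not part of any patch attached here.
    """
    ctype = select_content_type(requested, allowed, default)
    return {
        "Content-Type": f"{ctype}; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed ctype= values as a stylesheet link or an attacker might send them.
    for ctype in (None, "text/css", "Text/CSS; charset=utf-8",
                  "text/html", "text/javascript"):
        print(f"{ctype!r:28} -> {raw_response_headers(ctype)['Content-Type']}")
```

The point of keeping the list in configuration is that the security decision in this thread (whether text/javascript belongs on the list) becomes a deployment choice: `PROPOSED_ALLOWLIST` rejects it and serves text/x-wiki, `PERMISSIVE_ALLOWLIST` honours it. Either way the request can never select a type that is not on the list, which is the property the patch was asking for.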
Comment 14 T. Gries 2005-12-14 01:01:14 UTC
(In reply to comment #13)
> from Brion describing the problem [...]
Rowan: 1000 thanks for pointing me to that
Comment 15 Andrew Garrett 2007-12-05 11:37:00 UTC
Dormant request, with no use case. WONTFIX.
