Last modified: 2011-03-13 18:05:16 UTC
setting, because it becomes very easy for wikipages to link to this script and
steal login cookies and other important cookie data.
This patch adds a configurable whitelist of allowed mimetypes and also a
configurable default mimetype.
Created attachment 703 [details]
This patch is against 1.4.6, I'm going to checkout and test HEAD now.
page which includes them with a <script> element, and their source location is not relevant.
You could just as easily put the evil script on your own site or some other third party site
and it would work equally well or poorly.
If you believe you know of an actual vulnerability that can be caused through this, please e-
mail me privately with details.
Created attachment 705 [details]
Same patch, for HEAD
This is the same patch merged to HEAD. I did not test it (don't have a head
install ATM, but it's a simple merge so it shouldn't be a big deal).
Not a security issue, changing subject and priority for the feature request.
Created attachment 706 [details]
HEAD patch with correct case
Created attachment 1179 [details]
I propose the attached patch which sets text/css as default content type for action=raw
(In reply to comment #7)
> I propose the attached patch which sets text/css as default content type for
I can't see where that patch fits in with the others, but why would you want to
declare raw pages to be CSS by default? In the majority of cases, they will be
wikitext, hence "text/x-wiki". Or am I missing the point?
Default as CSS doesn't make sense to me either. Default as text/plain might make
more sense to me, but the current default is fine for my purposes.
(In reply to comment #9)
> Default as CSS doesn't make sense to me either. Default as text/plain might make
> more sense to me, but the current default is fine for my purposes.
Brion has suggested yesterday in the irc to use text/css as default, which
appears to be safe (if I understood him correctly), because the browsers let the
source through unchanged. This is not the case for text/x-wiki on Internet
Explorer, which let IE regard the page to be of "index.php" type and opens an
ugly execute/save/abort window with all the consequences. If you want to dump
the text of an article pagename using index.php?title=pagename&action=raw ,
text/css appears to be much better than text/x-wiki (please try it).
But let me know your thoughts here, of course.
If you want it to just pass through unmolested, why not text/plain?
(In reply to comment #11)
> If you want it to just pass through unmolested, why not text/plain?
Yes, you are right. Perhaps Brion misunderstood me.
I never understood, why text/x-wiki was used here. Can you explain ?
(In reply to comment #10)
> [...] This is not the case for text/x-wiki on Internet
> Explorer, which let IE regard the page to be of "index.php" type and opens an
> ugly execute/save/abort window with all the consequences.
Just to clarify this, it doesn't think it's a page of *type* "index.php", it
thinks it's *called* "index.php". But yes, the "I don't know what this is,
should I open, save, or what?" dialogue is an ugly thing to encounter on any
browser, though presumably you can configure a more sane default for
"text/x-wiki" documents if you play with them often...
(In reply to comment #12)
> I never understood, why text/x-wiki was used here. Can you explain ?
It's because IE has an irritating tendency to try really really hard to guess if
something's HTML, making it quite hard to persuade it not to, say, execute the
'contents' of text that says "<script>..." To confirm this, here's an e-mail
from Brion describing the problem:
[relatedly, here's why you have to use the "main script entry point", not a
fancy URL: http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002952.html]
So 'text/plain' is definitely out. 'text/css' might be "unambiguous" enough for
IE not to try double-guessing, but it seems kind of arbitrary/hackish, and may
end up giving a download prompt anyway [it seems to for me, when I use
"&ctype=text/css" in IE].
(In reply to comment #13)
> from Brion describing the problem [...]
Rowan: 1000thanks for pointing me to that
Dormant request, with no use case. WONTFIX.