Last modified: 2012-04-12 13:56:08 UTC
At least, it still works on IE6 from the following URL: http://www.mediawiki.org/w/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(1)%3E.shtml
Please tell me this is the last one.
This has been fixed in 1.16.4, I think. Tim, could you close it, if so?
No, it's not fixed.
One possibility is

/\.[^\\/:\*\?\"<>|]+(#|\?|$)/i

This was suggested by Reedy based on the characters that are not allowed in Windows paths. I'm wondering if it's a good idea to allow the percent symbol:

/\.[^\\/:\*\?\"<>|%]+(#|\?|$)/i

This would make it less likely that innocuous plain text at the end of a query string would be disallowed, in URLs such as:

<http://www.mediawiki.org/w/api.php?action=parse&text=Sentence%20one.%20Sentence%20two>

In theory, file extensions can contain percent symbols, but in practice this doesn't seem to be done.
(In reply to comment #4)
> In theory, file extensions can contain percent symbols, but in practice this
> doesn't seem to be done.

Allowing it sounds safe enough. The percent sign being a very obscure character in extensions makes it very unlikely it would be associated with a dangerous MIME type.
Marking fixed; 1.16.5 was pushed the other day.
Fixes are in r85844 and following; there are still serious outstanding bugs in 1.16.x & 1.17 beta releases caused by the fix series. Latest updates on r89397 and r89558 may help reduce the false positives, but probably needs a quick test survey to confirm that things are ok.
It looks like Tim has been doing most of the work on this to fix the problem, updating the assignee to reflect that. Looks like this is actually fixed, too, since the fixes mentioned in Comment #7 have been merged. I'm sure you know how to reopen this if I'm wrong ;)