MediaWiki  1.34.0
Static Public Member Functions | List of all members
IEUrlExtension Class Reference

Internet Explorer derives a cache filename from a URL, and then in certain circumstances, uses the extension of the resulting file to determine the content type of the data, ignoring the Content-Type header. More...

Static Public Member Functions

static areServerVarsBad ( $vars, $extWhitelist=[])
 Check a subset of $_SERVER (or the whole of $_SERVER if you like) to see if it indicates that the request was sent with a bad file extension. More...
 
static findIE6Extension ( $url)
 Determine what extension IE6 will infer from a certain query string. More...
 
static fixUrlForIE6 ( $url, $extWhitelist=[])
 Returns a variant of $url which will pass isUrlExtensionBad() but has the same GET parameters, or false if it can't figure one out. More...
 
static haveUndecodedRequestUri ( $serverSoftware)
 When passed the value of $_SERVER['SERVER_SOFTWARE'], this function returns true if that server is known to have a REQUEST_URI variable with %2E not decoded to ".". More...
 
static isUrlExtensionBad ( $urlPart, $extWhitelist=[])
 Given a right-hand portion of a URL, determine whether IE would detect a potentially harmful file extension. More...
 

Detailed Description

Internet Explorer derives a cache filename from a URL, and then in certain circumstances, uses the extension of the resulting file to determine the content type of the data, ignoring the Content-Type header.

This can be a problem, especially when non-HTML content is sent by MediaWiki, and Internet Explorer interprets it as HTML, exposing an XSS vulnerability.

Usually the script filename (e.g. api.php) is present in the URL, and this makes Internet Explorer think the extension is a harmless script extension. But Internet Explorer 6 and earlier allows the script extension to be obscured by encoding the dot as "%2E".

This class contains functions which help in detecting and dealing with this situation.

Checking the URL for a bad extension is somewhat complicated due to the fact that CGI doesn't provide a standard method to determine the URL. Instead it is necessary to pass a subset of $_SERVER variables, which we then attempt to use to guess parts of the URL.

Definition at line 44 of file IEUrlExtension.php.

Member Function Documentation

◆ areServerVarsBad()

static IEUrlExtension::areServerVarsBad (   $vars,
  $extWhitelist = [] 
)
static

Check a subset of $_SERVER (or the whole of $_SERVER if you like) to see if it indicates that the request was sent with a bad file extension.

Returns true if the request should be denied or modified, false otherwise. The relevant $_SERVER elements are:

  • SERVER_SOFTWARE
  • REQUEST_URI
  • QUERY_STRING
  • PATH_INFO

If the a variable is unset in $_SERVER, it should be unset in $vars.

Parameters
array$varsA subset of $_SERVER.
array$extWhitelistExtensions which are allowed, assumed harmless.
Returns
bool

Definition at line 62 of file IEUrlExtension.php.

Referenced by WebRequest\checkUrlExtension().

◆ findIE6Extension()

static IEUrlExtension::findIE6Extension (   $url)
static

Determine what extension IE6 will infer from a certain query string.

If the URL has an extension before the question mark, IE6 will use that and ignore the query string, but per the comment at isPathInfoBad() we don't have a reliable way to determine the URL, so isPathInfoBad() just passes in the query string for $url. All entry points have safe extensions (php, php5) anyway, so checking the query string is possibly overly paranoid but never insecure.

The criteria for finding an extension are as follows:

  • a possible extension is a dot followed by one or more characters not in <>\"/:|?.#
  • if we find a possible extension followed by the end of the string or a #, that's our extension
  • if we find a possible extension followed by a ?, that's our extension
    • UNLESS it's exe, dll or cgi, in which case we ignore it and continue searching for another possible extension
  • if we find a possible extension followed by a dot or another illegal character, we ignore it and continue searching
Parameters
string$url
Returns
mixed Detected extension (string), or false if none found

Definition at line 192 of file IEUrlExtension.php.

Referenced by isUrlExtensionBad().

◆ fixUrlForIE6()

static IEUrlExtension::fixUrlForIE6 (   $url,
  $extWhitelist = [] 
)
static

Returns a variant of $url which will pass isUrlExtensionBad() but has the same GET parameters, or false if it can't figure one out.

Parameters
string$url
array$extWhitelist
Returns
bool|string

Definition at line 140 of file IEUrlExtension.php.

Referenced by WebRequest\checkUrlExtension().

◆ haveUndecodedRequestUri()

static IEUrlExtension::haveUndecodedRequestUri (   $serverSoftware)
static

When passed the value of $_SERVER['SERVER_SOFTWARE'], this function returns true if that server is known to have a REQUEST_URI variable with %2E not decoded to ".".

On such a server, it is possible to detect whether the script filename has been obscured.

The function returns false if the server is not known to have this behavior. Microsoft IIS in particular is known to decode escaped script filenames.

SERVER_SOFTWARE typically contains either a plain string such as "Zeus", or a specification in the style of a User-Agent header, such as "Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.8a PHP/4.4.2"

Parameters
string$serverSoftware
Returns
bool

Definition at line 257 of file IEUrlExtension.php.

◆ isUrlExtensionBad()

static IEUrlExtension::isUrlExtensionBad (   $urlPart,
  $extWhitelist = [] 
)
static

Given a right-hand portion of a URL, determine whether IE would detect a potentially harmful file extension.

Parameters
string$urlPartThe right-hand portion of a URL
array$extWhitelistAn array of file extensions which may occur in this URL, and which should be allowed.
Returns
bool

Definition at line 100 of file IEUrlExtension.php.

References findIE6Extension().

The documentation for this class was generated from the following file: