MediaWiki REL1_28
|
Internet Explorer derives a cache filename from a URL, and then in certain circumstances, uses the extension of the resulting file to determine the content type of the data, ignoring the Content-Type header. More...
Static Public Member Functions | |
static | areServerVarsBad ( $vars, $extWhitelist=[]) |
Check a subset of $_SERVER (or the whole of $_SERVER if you like) to see if it indicates that the request was sent with a bad file extension. | |
static | findIE6Extension ( $url) |
Determine what extension IE6 will infer from a certain query string. | |
static | fixUrlForIE6 ( $url, $extWhitelist=[]) |
Returns a variant of $url which will pass isUrlExtensionBad() but has the same GET parameters, or false if it can't figure one out. | |
static | haveUndecodedRequestUri ( $serverSoftware) |
When passed the value of $_SERVER['SERVER_SOFTWARE'], this function returns true if that server is known to have a REQUEST_URI variable with %2E not decoded to ".". | |
static | isUrlExtensionBad ( $urlPart, $extWhitelist=[]) |
Given a right-hand portion of a URL, determine whether IE would detect a potentially harmful file extension. | |
Internet Explorer derives a cache filename from a URL, and then in certain circumstances, uses the extension of the resulting file to determine the content type of the data, ignoring the Content-Type header.
This can be a problem, especially when non-HTML content is sent by MediaWiki, and Internet Explorer interprets it as HTML, exposing an XSS vulnerability.
Usually the script filename (e.g. api.php) is present in the URL, and this makes Internet Explorer think the extension is a harmless script extension. But Internet Explorer 6 and earlier allows the script extension to be obscured by encoding the dot as "%2E".
This class contains functions which help in detecting and dealing with this situation.
Checking the URL for a bad extension is somewhat complicated due to the fact that CGI doesn't provide a standard method to determine the URL. Instead it is necessary to pass a subset of $_SERVER variables, which we then attempt to use to guess parts of the URL.
Definition at line 44 of file IEUrlExtension.php.
|
static |
Check a subset of $_SERVER (or the whole of $_SERVER if you like) to see if it indicates that the request was sent with a bad file extension.
Returns true if the request should be denied or modified, false otherwise. The relevant $_SERVER elements are:
If the a variable is unset in $_SERVER, it should be unset in $vars.
array | $vars | A subset of $_SERVER. |
array | $extWhitelist | Extensions which are allowed, assumed harmless. |
Definition at line 62 of file IEUrlExtension.php.
References $vars.
Referenced by WebRequest\checkUrlExtension().
|
static |
Determine what extension IE6 will infer from a certain query string.
If the URL has an extension before the question mark, IE6 will use that and ignore the query string, but per the comment at isPathInfoBad() we don't have a reliable way to determine the URL, so isPathInfoBad() just passes in the query string for $url. All entry points have safe extensions (php, php5) anyway, so checking the query string is possibly overly paranoid but never insecure.
The criteria for finding an extension are as follows:
string | $url | URL |
Definition at line 192 of file IEUrlExtension.php.
Referenced by isUrlExtensionBad(), IEUrlExtensionTest\testDotAtEnd(), IEUrlExtensionTest\testEmpty(), IEUrlExtensionTest\testEscapedScriptQuery(), IEUrlExtensionTest\testEscapedScriptQueryDot(), IEUrlExtensionTest\testExeException(), IEUrlExtensionTest\testExeException2(), IEUrlExtensionTest\testExtQuestionMark(), IEUrlExtensionTest\testHash(), IEUrlExtensionTest\testHash2(), IEUrlExtensionTest\testInvalidChar(), IEUrlExtensionTest\testInvalidCharThenExtension(), IEUrlExtensionTest\testMultipleQuestionMarks(), IEUrlExtensionTest\testQuestionMark(), IEUrlExtensionTest\testQuestionMarkExt(), IEUrlExtensionTest\testScriptQuery(), IEUrlExtensionTest\testSimple(), IEUrlExtensionTest\testSimpleNoExt(), and IEUrlExtensionTest\testTwoDots().
|
static |
Returns a variant of $url which will pass isUrlExtensionBad() but has the same GET parameters, or false if it can't figure one out.
$url | |
$extWhitelist | array |
Definition at line 140 of file IEUrlExtension.php.
References $query.
Referenced by WebRequest\checkUrlExtension().
|
static |
When passed the value of $_SERVER['SERVER_SOFTWARE'], this function returns true if that server is known to have a REQUEST_URI variable with %2E not decoded to ".".
On such a server, it is possible to detect whether the script filename has been obscured.
The function returns false if the server is not known to have this behavior. Microsoft IIS in particular is known to decode escaped script filenames.
SERVER_SOFTWARE typically contains either a plain string such as "Zeus", or a specification in the style of a User-Agent header, such as "Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.8a PHP/4.4.2"
$serverSoftware |
Definition at line 258 of file IEUrlExtension.php.
|
static |
Given a right-hand portion of a URL, determine whether IE would detect a potentially harmful file extension.
string | $urlPart | The right-hand portion of a URL |
array | $extWhitelist | An array of file extensions which may occur in this URL, and which should be allowed. |
Definition at line 100 of file IEUrlExtension.php.
References findIE6Extension().