On 14/04/11 17:29, Gordon Joly wrote:
> I see that this snippet is to be found in the ".htaccess" file inside ./images/ (this appears to be a new file in 1.16.3)
> Could the ".htaccess" be placed at top level (that is one above ./images/)?
If you do that, then certain URLs that give harmless HTML responses will be blacklisted. For example, if you type ".html" into the search box and hit enter, you get the URL:
http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=.html
This URL would be forbidden if you applied the .htaccess at the top level, despite it being harmless, as far as we know. However, it's a reasonable thing to do if you care more about security than about such inconveniences, and you're worried that we might be missing something.
I did apply it at the top level for *.m.wikipedia.org, because it's difficult to get things fixed in the mobile application. The result is that we have to put up with bug 28510 for now.
> Since the file is there, is there any need to change the web server configuration?
No, as long as you have an appropriate AllowOverride directive in your web server configuration. To test it, go to any image on the wiki and append "?.html" to the URL. For example:
http://<wiki domain>/images/d/d9/Test.png?.html
It should show "403 Forbidden". If it shows the image, then you have to change your web server configuration.
-- Tim Starling
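
The trade-off described in the reply above, as an added example that is not part of the original message and is not MediaWiki's code: a small model of how the directory holding the .htaccess file decides which URLs get a 403. The pattern `EXTENSION_LIKE`, the host `wiki.example` and the function names are assumptions made for illustration; the actual snippet is not quoted in this thread.

```python
import re
from urllib.parse import urlsplit

# Assumed stand-in for the rule's condition: the raw query string ends in a
# dot followed by a short alphabetic "extension". The real snippet is not
# quoted in this message, so this pattern is illustrative only.
EXTENSION_LIKE = re.compile(r"\.[a-z]{1,4}$", re.IGNORECASE)

# Constructed sample URLs, modelled on the two given in the message.
SAMPLES = [
    "http://wiki.example/images/d/d9/Test.png",
    "http://wiki.example/images/d/d9/Test.png?.html",
    "http://wiki.example/index.php?title=Special%3ASearch&search=.html",
    "http://wiki.example/index.php?title=Special%3ASearch&search=html",
]


def is_forbidden(url: str, htaccess_dir: str) -> bool:
    """Return True if the rule, placed in htaccess_dir, would answer 403."""
    parts = urlsplit(url)
    scope = htaccess_dir.rstrip("/") + "/"
    # A .htaccess file only affects requests under its own directory.
    if not parts.path.startswith(scope):
        return False
    # parts.query is the undecoded query string, which is also what a
    # rewrite condition on the query string is matched against.
    return bool(EXTENSION_LIKE.search(parts.query))


def report(htaccess_dir: str) -> dict:
    """Map each sample URL to the status the model predicts."""
    return {u: 403 if is_forbidden(u, htaccess_dir) else 200 for u in SAMPLES}


if __name__ == "__main__":
    for directory in ("/images", "/"):
        print(f".htaccess placed in {directory}")
        for url, status in report(directory).items():
            print(f"  {status}  {url}")
```

With the file in /images only the image URL ending in "?.html" is refused; moved to the top level, the harmless search for ".html" is refused as well.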