On Nov 5, 2004, at 7:07 PM, Jamie Bliss wrote:
> Basically, the file name is the page name. Some more
> examples:
> /wiki/Wikipedia?action=raw
> /wiki/Special:Search?search=foo
> /wiki/Main_Page?action=edit

For some types of page view (e.g., action=raw) there are exploitable
Internet Explorer security flaws which can be used to produce scripting
attacks or other arbitrary file-type setting attacks with this style of
URL. (The problem is the ability to add a "file extension" to the
title, which in Internet Explorer sometimes overrides the content-type
setting.)

So, it's not generally used and is explicitly forbidden for raw pages,
where the attack could be used to inject potentially dangerous data
(JavaScript for scripting/cookie attacks, or to load ActiveX etc.
bypassing 'trusted zones' if someone thinks your wiki is safe, or
various other potential things).

If you really want this URL format, you'll have to tweak up
Title::getLocalUrl() in Title.php, being careful to use an alternate
format for action=raw. (You'll notice that in 1.3.7 and earlier there's
some code for a similar look special-cased if $wgScript is set to ""; this
was unfortunate as it leaves the IE security hole maximally open, and
was accidentally not removed in 1.3.7, so if you use that -- very unwise
-- mode you need to hack it out. You should generally not dump wiki
pages into the root path as this produces overlap between other data
and the wiki, which is ugly, hard to debug when there are problems, and
can potentially cause conflicts. In 1.3.8 it will be removed entirely.)

-- brion vibber (brion @ pobox.com)
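
The two precautions described in the message above, sketched as an added example that is not part of the original e-mail and is not MediaWiki's own code: links for action=raw always use the script-plus-query form, and raw output is refused when the request path is anything other than the script itself. The constants, function names and sample request URIs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not MediaWiki's Title::getLocalUrl().
const SCRIPT_PATH  = '/w/index.php'; // assumed location of the wiki script
const ARTICLE_PATH = '/wiki/';       // assumed pretty-URL prefix

// Build a link to a page. Ordinary views and edits may use the pretty path,
// but action=raw always goes through the script with the title in the query
// string, so the URL path never ends in a title-controlled "file extension".
function exampleLocalUrl(string $title, array $query = []): string {
    $dbKey = str_replace(' ', '_', $title);
    if (($query['action'] ?? 'view') === 'raw') {
        return SCRIPT_PATH . '?' . http_build_query(['title' => $dbKey] + $query);
    }
    // Percent-encode the title but keep "/" and ":" readable in the path.
    $path = str_replace(['%2F', '%3A'], ['/', ':'], rawurlencode($dbKey));
    $url  = ARTICLE_PATH . $path;
    return $query ? $url . '?' . http_build_query($query) : $url;
}

// Server-side guard for raw output: serve it only when the request path is
// exactly the script path. This rejects both /wiki/Title.ext?action=raw and
// the PATH_INFO form /w/index.php/Title.ext?action=raw. It covers only the
// path-based case the message describes.
function exampleRawRequestAllowed(string $requestUri): bool {
    $path = explode('?', $requestUri, 2)[0];
    return $path === SCRIPT_PATH;
}

// Constructed sample requests, not taken from any real log.
$samples = [
    '/w/index.php?title=Main_Page&action=raw',
    '/wiki/Main_Page?action=raw',
    '/wiki/Some_Page.html?action=raw',
    '/w/index.php/Some_Page.html?action=raw',
];
foreach ($samples as $uri) {
    $verdict = exampleRawRequestAllowed($uri) ? 'serve raw' : 'refuse (403)';
    printf("%-45s %s\n", $uri, $verdict);
}

// Link generation: raw links use the script form, edit links the pretty form.
echo exampleLocalUrl('Main Page', ['action' => 'raw']), "\n";
echo exampleLocalUrl('Main Page', ['action' => 'edit']), "\n";
```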