Thank you. I thought $language and $project wouldn't need escaping because their values are known: $project can only be one of wikipedia, wikisource, ... and $language only one of http://noc.wikimedia.org/conf/langlist
I tried to address URLs like /w/index.php?title= in r106857, but I'm not sure it is the correct way. It's difficult to test. If no /wiki/Page or $_GET['title'] is defined, it will default to the Main Page.
2011/12/20 Roan Kattouw roan.kattouw@gmail.com
On Sun, Dec 18, 2011 at 4:06 PM, Robin Pepermans robinp.1273@gmail.com wrote:
So I would like to ask if someone can review & deploy this (Commits are here:
https://www.mediawiki.org/wiki/Special:Code/MediaWiki?path=/trunk/tools/web-...
it may be easier to just review the current trunk version). That would be great :)
I've simplified the code a bit in r106818 and added escaping (there wasn't any, so there were multiple XSS vulnerabilities) in r106819 and r106822.
The only remaining issue I see is that the script assumes the requested URL will be something like http://foobar.wikipedia.org/wiki/Bazquux , while it might legitimately be /w/index.php?.... or /w/api.php or whatever. These cases should be handled in some way. We may not be able to redirect to the incubator intelligently in these cases so we may have to fall back to the error page, but we should at least detect this case rather than pretending it doesn't exist.
Roan
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
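Added example, not the tools/web-... script and not code posted by Robin or Roan: a minimal PHP 7.1+ handler covering the two points raised in the thread. It treats $language and $project as request-derived (assuming the script takes them from the Host header), checks them against allowlists, recognises both /wiki/Page and /w/index.php?title=Page, and sends anything else such as /w/api.php to the error page instead of guessing a redirect. Every value echoed into HTML is escaped even when it passed an allowlist. The allowlist contents (standing in for the real project list and http://noc.wikimedia.org/conf/langlist), the Wp/Wt/... incubator prefix mapping and the sample requests are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed allowlists (assumption: the real script would read the
// project list and http://noc.wikimedia.org/conf/langlist instead).
const KNOWN_PROJECTS  = ['wikipedia', 'wiktionary', 'wikibooks', 'wikiquote', 'wikinews', 'wikisource'];
const KNOWN_LANGUAGES = ['en', 'de', 'nl', 'fr', 'foobar'];

/** Escape a request-derived string for an HTML text or attribute context. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Split "foobar.wikipedia.org" into ['foobar', 'wikipedia'], or return null.
 * The Host header is attacker-controlled, so it is pattern-matched and then
 * checked against the allowlists; "known" values still get escaped on output.
 */
function parse_host(string $host): ?array {
    if (!preg_match('/^([a-z0-9-]+)\.([a-z]+)\.org$/', strtolower($host), $m)) {
        return null;
    }
    [, $language, $project] = $m;
    if (!in_array($language, KNOWN_LANGUAGES, true) || !in_array($project, KNOWN_PROJECTS, true)) {
        return null;
    }
    return [$language, $project];
}

/**
 * Which page did the visitor ask for?
 *   /wiki/Page                         -> "Page"
 *   /w/index.php?title=Page            -> "Page"
 *   /wiki/ or /w/index.php, no title   -> "Main_Page"
 *   anything else (/w/api.php, ...)    -> null, i.e. cannot redirect
 */
function requested_page(string $requestUri, array $get): ?string {
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    if (preg_match('#^/wiki/(.*)$#s', $path, $m)) {
        return $m[1] === '' ? 'Main_Page' : rawurldecode($m[1]);
    }
    if ($path === '/w/index.php') {
        $title = $get['title'] ?? '';
        return (is_string($title) && $title !== '') ? $title : 'Main_Page';
    }
    return null;
}

/** Incubator target. The Wp/Wt/... prefix scheme is an assumption of this example. */
function incubator_url(string $language, string $project, string $page): ?string {
    $prefixes = ['wikipedia' => 'Wp', 'wiktionary' => 'Wt', 'wikibooks' => 'Wb',
                 'wikiquote' => 'Wq', 'wikinews' => 'Wn'];
    if (!isset($prefixes[$project])) {
        return null;
    }
    // Percent-encode each segment so "?", "#" or "/" in a title cannot
    // change the structure of the URL we redirect to.
    $segments = array_map('rawurlencode', [$prefixes[$project], $language, str_replace(' ', '_', $page)]);
    return 'https://incubator.wikimedia.org/wiki/' . implode('/', $segments);
}

/** Unescaped pattern of the kind the escaping commits removed; for contrast only. */
function error_page_unsafe(string $host, ?string $page): string {
    return "<p>There is no wiki at $host" . ($page !== null ? " (page $page)" : '') . '.</p>';
}

/** Hardened error page: everything taken from the request goes through h(). */
function error_page(string $host, ?string $page): string {
    return '<p>There is no wiki at ' . h($host) . ($page !== null ? ' (page ' . h($page) . ')' : '') . '.</p>';
}

/** Returns [status, headers, body] without touching superglobals, so it is testable. */
function handle(array $server, array $get): array {
    $host   = $server['HTTP_HOST'] ?? '';
    $parsed = parse_host($host);
    $page   = requested_page($server['REQUEST_URI'] ?? '/', $get);
    if ($parsed !== null && $page !== null) {
        $url = incubator_url($parsed[0], $parsed[1], $page);
        if ($url !== null) {
            return [302, ['Location' => $url], ''];
        }
    }
    // Detected but not redirectable (api.php, unknown host, no prefix): error page.
    return [404, ['Content-Type' => 'text/html; charset=UTF-8'], error_page($host, $page)];
}

// Constructed requests, not captured traffic.
$requests = [
    [['HTTP_HOST' => 'foobar.wikipedia.org', 'REQUEST_URI' => '/wiki/Bazquux'], []],
    [['HTTP_HOST' => 'foobar.wikipedia.org', 'REQUEST_URI' => '/w/index.php?title=Bazquux'], ['title' => 'Bazquux']],
    [['HTTP_HOST' => 'foobar.wikipedia.org', 'REQUEST_URI' => '/w/api.php?action=query'], ['action' => 'query']],
    [['HTTP_HOST' => '<script>alert(1)</script>.wikipedia.org', 'REQUEST_URI' => '/wiki/Bazquux'], []],
];
foreach ($requests as [$server, $get]) {
    [$status, $headers, $body] = handle($server, $get);
    echo $status, ' ', $headers['Location'] ?? $body, PHP_EOL;
}
```

The first two requests resolve to the same incubator page; the api.php request and the hostile Host header both land on the error page, where the escaped output shows the value inert instead of as markup. Compare error_page_unsafe() on the last request to see the injection the escaping prevents.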