On Sun, Dec 18, 2011 at 4:06 PM, Robin Pepermans <robinp.1273@gmail.com> wrote:
> So I would like to ask if someone can review & deploy this (Commits are here: https://www.mediawiki.org/wiki/Special:Code/MediaWiki?path=/trunk/tools/web-... it may be easier to just review current trunk version). That would be great :)
I've simplified the code a bit in r106818 and added escaping (there wasn't any, so there were multiple XSS vulnerabilities) in r106819 and r106822.
The only remaining issue I see is that the script assumes the requested URL will be something like http://foobar.wikipedia.org/wiki/Bazquux , while it might legitimately be /w/index.php?.... or /w/api.php or whatever. These cases should be handled in some way. We may not be able to redirect to the incubator intelligently in these cases so we may have to fall back to the error page, but we should at least detect this case rather than pretending it doesn't exist.
Roan
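The URL-handling gap Roan describes above, as an added example that is not the thread's or the MediaWiki tool's own code: requests shaped like http://foobar.wikipedia.org/wiki/Bazquux are turned into an incubator target, while /w/index.php?... and /w/api.php paths are detected explicitly and sent to the error page instead of being mistaken for a page title. Every request-derived value rendered into the error page is HTML-escaped, which is the kind of escaping the r106819/r106822 commits are said to add. The incubator URL prefix, the `Wp`/`Wt` project codes, the three-label hostname assumption and the error-page markup are assumptions of this example, not details from the thread.

```python
"""Added example (not code from Roan, Robin, or the MediaWiki tool under trunk/tools):
classify a requested URL, building an incubator redirect only for /wiki/Title paths and
falling back to an error page for /w/index.php, /w/api.php and anything else.
The incubator URL format, project codes and error-page HTML are assumptions."""
from html import escape
from urllib.parse import urlsplit, unquote

# Assumed redirect target; not stated anywhere in the thread.
INCUBATOR = "https://incubator.wikimedia.org/wiki/"

# Assumed mapping from project hostname label to incubator prefix.
PROJECT_CODES = {"wikipedia": "Wp", "wiktionary": "Wt"}


def classify_request(url):
    """Return ('redirect', target) for a /wiki/Title URL on a lang.project.org host,
    or ('error', reason) when the request cannot be redirected intelligently."""
    parts = urlsplit(url)
    host_labels = parts.hostname.split(".") if parts.hostname else []
    if len(host_labels) != 3:
        # Assumption: only lang.project.tld hosts are handled.
        return ("error", "unexpected host")
    lang, project, _tld = host_labels
    path = parts.path

    if path.startswith("/wiki/") and len(path) > len("/wiki/"):
        # The case the original script assumed: a plain article path.
        title = unquote(path[len("/wiki/"):])
        code = PROJECT_CODES.get(project)
        if code is None:
            return ("error", "unknown project")
        return ("redirect", f"{INCUBATOR}{code}/{lang}/{title}")

    if path.startswith("/w/"):
        # index.php?title=..., api.php and other script paths: detected rather than
        # ignored, so the tool falls back to the error page instead of a wrong redirect.
        return ("error", "script path not redirectable")

    return ("error", "unrecognised path")


def render_error(url, reason):
    """Error page body; every request-derived value is escaped before it reaches HTML."""
    return ("<p>Cannot redirect to the incubator for "
            f"<code>{escape(url)}</code>: {escape(reason)}.</p>")


if __name__ == "__main__":
    for sample in (
        "http://foobar.wikipedia.org/wiki/Bazquux",          # constructed sample
        "http://foobar.wikipedia.org/w/index.php?title=Bazquux&action=edit",
        "http://foobar.wikipedia.org/w/api.php?action=query",
    ):
        kind, value = classify_request(sample)
        print(kind, value if kind == "redirect" else render_error(sample, value))
```

The point of the two-way split is that the fallback is an explicit decision: a path the tool does not understand produces an error page built only from escaped strings, never a guessed redirect derived from unescaped request data.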