[Mediawiki-l] Slowness
Gabriel Wicke
lists at wikidev.net
Wed Jan 12 15:41:09 UTC 2005
On Tue, 2005-01-11 at 23:49 -0800, Brion Vibber wrote:
> In Windows XP SP2, IE now has an option to turn off some of this
> autodetection, though I'm not sure it fixes all such holes. The unsafe
> behavior is on by default.
Brion,
in my test only 5.0 exhibits this bug, 5.5 and 6.0 both offer to save
the file (both on Win2K). For them the behaviour with php is unchanged.
There are likely more interesting exploits with 5.0 anyway, possibly
requiring more effort from the attacker.
> The workaround is to require that a 'raw' access be made from a
> canonical script URL, which will have a nice boring .php or .phtml
> extension and doesn't trigger the IE type autodetection bug. I did this
> with a redirect (instead of simply a 403 rejection) to preserve
> existing links.
Unfortunately this breaks wikis where edit/diff etc urls are supposed to
be short and tidy. There the browser gets stuck in an endless
redirection loop. It's not too hard to fix this though, will change it
in the next days.
--
Gabriel Wicke
MediaWiki hosting, support and development
http://wikidev.net wicke at wikidev.net
Tel(SIP) +49 (0)1801-7775555258, Mob +49 (0)177 2065127
Eckernförder Str.58, 24116 Kiel
More information about the MediaWiki-l
mailing list