[Mediawiki-l] MediaWiki security release 1.16.3

Tim Starling tstarling at wikimedia.org
Thu Apr 14 08:09:21 UTC 2011

On 14/04/11 17:29, Gordon Joly wrote:
> I see that this snippet is to be found in ".htaccess" file inside 
> ./images/ (this appears to be new file 1.16.3)
> Could the ".htaccess" be placed at top level (that is one above ./images/)?

If you do that, then certain URLs that give harmless HTML responses
will be blacklisted. For example, if you type ".html" into the search
box and hit enter, you get the URL:


This URL would be forbidden if you applied the .htaccess at the top
level, despite it being harmless, as far as we know. However, it's a
reasonable thing to do if you care more about security than about such
inconveniences, and you're worried that we might be missing something.

I did apply it at the top level for *.m.wikipedia.org, because it's
difficult to get things fixed in the mobile application. The result is
that we have to put up with bug 28510 for now.

> Since the file is there, is there any need to change the web server 
> configuration?

No, as long as you have an appropriate AllowOverride directive in your
web server configuration. To test it, go to any image on the wiki and
append "?.html" to the URL. For example:

http://<wiki domain>/images/d/d9/Test.png?.html

It should show "403 Forbidden". If it shows the image, then you have
to change your web server configuration.

-- Tim Starling
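
The check described in the message above, scripted as an added example that is not part of the original post or of MediaWiki. The function names and script name are hypothetical, and it also fetches the image without the query string, so that a 403 caused by something other than the .htaccess rule is not mistaken for a pass.

```python
import sys
import urllib.error
import urllib.request


def probe_url(image_url):
    """Return the image URL with the "?.html" query string from the post."""
    return image_url.split("#", 1)[0].split("?", 1)[0] + "?.html"


def fetch_status(url, timeout=10):
    """HTTP status code for a GET of url; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(plain_status, probe_status):
    """Interpret the pair of status codes (plain image, image + "?.html")."""
    if plain_status != 200:
        # Without a working baseline, a 403 on the probe proves nothing.
        return "inconclusive"
    if probe_status == 403:
        return "protected"      # the .htaccess rule is being honoured
    if probe_status == 200:
        return "not protected"  # image served: check AllowOverride
    return "inconclusive"


def check(image_url):
    """Run both requests against a live wiki and return the verdict."""
    return verdict(fetch_status(image_url), fetch_status(probe_url(image_url)))


if __name__ == "__main__":
    # Usage: python check_htaccess.py "http://<wiki domain>/images/d/d9/Test.png"
    if len(sys.argv) != 2:
        sys.exit("usage: check_htaccess.py <image URL>")
    result = check(sys.argv[1])
    print(result)
    sys.exit(0 if result == "protected" else 1)
```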
