jenkins-bot has submitted this change and it was merged.

Change subject: mw.ForeignApi: Percent-encode dots in the 'origin' parameter
......................................................................
mw.ForeignApi: Percent-encode dots in the 'origin' parameter Depending on server configuration, MediaWiki may forbid some periods in URLs, due to an IE 6 XSS bug. If that is the case on the remote wiki, ForeignApi would previously not be able to contact it. Also tweaked similar code in mw.Api to make it more obvious what is the purpose of it, and future-proof against any dots in tokens. Bug: T132612 Change-Id: I6dc0b4ab18e5756fc7566608192d59d10729db99 --- M resources/src/mediawiki/ForeignApi.js M resources/src/mediawiki/api.js 2 files changed, 8 insertions(+), 5 deletions(-) Approvals: Krinkle: Looks good to me, but someone else must approve Legoktm: Looks good to me, approved jenkins-bot: Verified diff --git a/resources/src/mediawiki/ForeignApi.js b/resources/src/mediawiki/ForeignApi.js index b8cc059..899daa5 100644 --- a/resources/src/mediawiki/ForeignApi.js +++ b/resources/src/mediawiki/ForeignApi.js @@ -94,7 +94,9 @@ url = ( ajaxOptions && ajaxOptions.url ) || this.defaults.ajax.url; origin = ( parameters && parameters.origin ) || this.defaults.parameters.origin; url += ( url.indexOf( '?' ) !== -1 ? '&' : '?' ) + - 'origin=' + encodeURIComponent( origin ); + // Depending on server configuration, MediaWiki may forbid periods in URLs, due to an IE 6 + // XSS bug. So let's escape them here. See WebRequest::checkUrlExtension() and T30235. + 'origin=' + encodeURIComponent( origin ).replace( /\./g, '%2E' ); newAjaxOptions = $.extend( {}, ajaxOptions, { url: url } ); } else { newAjaxOptions = ajaxOptions; diff --git a/resources/src/mediawiki/api.js b/resources/src/mediawiki/api.js index 3bc0ad3..ab24a00 100644 --- a/resources/src/mediawiki/api.js +++ b/resources/src/mediawiki/api.js 
@@ -212,16 +212,17 @@ // Prevent jQuery from overriding the Content-Type header ajaxOptions.contentType = false; } else { - // Some deployed MediaWiki >= 1.17 forbid periods in URLs, due to an IE XSS bug - // So let's escape them here. See bug #28235 // This works because jQuery accepts data as a query string or as an Object - ajaxOptions.data = $.param( parameters ).replace( /\./g, '%2E' ); - + ajaxOptions.data = $.param( parameters ); // If we extracted a token parameter, add it back in. if ( token ) { ajaxOptions.data += '&token=' + encodeURIComponent( token ); } + // Depending on server configuration, MediaWiki may forbid periods in URLs, due to an IE 6 + // XSS bug. So let's escape them here. See WebRequest::checkUrlExtension() and T30235. + ajaxOptions.data = ajaxOptions.data.replace( /\./g, '%2E' ); + if ( ajaxOptions.contentType === 'multipart/form-data' ) { // We were asked to emulate but can't, so drop the Content-Type header, otherwise // it'll be wrong and the server will fail to decode the POST body -- To view, visit https://gerrit.wikimedia.org/r/283487 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I6dc0b4ab18e5756fc7566608192d59d10729db99 Gerrit-PatchSet: 3 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Bartosz Dziewoński <matma....@gmail.com> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> Gerrit-Reviewer: Bartosz Dziewoński <matma....@gmail.com> Gerrit-Reviewer: Edokter <er...@darcoury.nl> Gerrit-Reviewer: Hoo man <h...@online.de> Gerrit-Reviewer: Jack Phoenix <j...@countervandalism.net> Gerrit-Reviewer: Jdlrobson <jrob...@wikimedia.org> Gerrit-Reviewer: Krinkle <krinklem...@gmail.com> Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
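Review bot: in the ForeignApi.js hunk (@@ -94,7 +94,9 @@), the new two-line comment sits between the trailing `+` of `url += ( url.indexOf( '?' ) !== -1 ? '&' : '?' ) +` and its operand `'origin=' + ...`, which splits the expression in two. Moving the comment above the `url +=` statement would keep the concatenation readable. Also, only the appended origin value gets `.replace( /\./g, '%2E' )`: when `url` already carries a query string (the `'&'` branch), any periods in that part are sent as they are, so either escape the existing query part as well or state in the comment that only `origin` is covered.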
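Review bot: in the api.js hunk (@@ -212,16 +212,17 @@), the escape `ajaxOptions.data = ajaxOptions.data.replace( /\./g, '%2E' );` is complete only while it stays the last modification of `ajaxOptions.data`. Anything appended after it would go out with raw periods, which is what happened to the token in the removed lines, where the replace ran before `'&token=' + encodeURIComponent( token )` was added. The comment should say that the replace must run after all parameters, including the token, have been appended. The same comment and regex now also appear in ForeignApi.js, so a small shared helper would keep the two copies from drifting apart. Minor: the blank line that separated the `$.param( parameters )` assignment from the `// If we extracted a token parameter` comment was dropped.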