https://bugzilla.wikimedia.org/show_bug.cgi?id=66776
Bug ID: 66776
Summary: API output containing <cross-domain-policy> is corrupted in non-XML formats
Product: MediaWiki
Version: 1.24-git
Hardware: All
URL: https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: API
Assignee: wikibugs-l@lists.wikimedia.org
Reporter: pleasest...@live.com
CC: bjor...@wikimedia.org, bryan.tongm...@gmail.com, cste...@wikimedia.org, roan.katt...@gmail.com, s...@reedyboy.net
Web browser: ---
Mobile Platform: ---

The wfMangleFlashPolicy() function in OutputHandler.php corrupts API output containing "<cross-domain-policy>" by replacing the string with "<NOT-cross-domain-policy>".

https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E
https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&diff=540155307&oldid=540154194

In 2007, wfMangleFlashPolicy() was added in r19996. About a year later, Adobe addressed the vulnerability in Flash Player, and six years have since passed.

According to Adobe's website, by default Flash Player 10 only allows crossdomain.xml at the root ("master-only" meta-policy). So it may be possible simply to remove the check, which already fails to work on many PHP configurations (e.g. output_buffering = 4096 from the sample php.ini files). There is also an "X-Permitted-Cross-Domain-Policies" header that can be sent.

https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.edu.html

Alternatively, ApiFormatJson could be changed to hex-escape < and > (by removing the FormatJson::XMLMETA_OK flag), though that would do nothing to fix the other (deprecated?) non-XML output formats (e.g. PHP), action=raw, and so on.
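The corruption and the hex-escaping alternative described in the report, as an added example that is not part of the original report and is not MediaWiki's code. `mangleFlashPolicy()` is a simplified stand-in for the output filter, the response array is constructed, and PHP's `JSON_HEX_TAG` flag for `json_encode()` is assumed here as one way to hex-escape `<` and `>`.

```php
<?php
// Simplified stand-in for the output filter in the report (assumption, not
// MediaWiki's wfMangleFlashPolicy()): rewrite the opening tag of a Flash
// cross-domain policy wherever it appears in the outgoing body.
function mangleFlashPolicy(string $out): string {
    return preg_replace('/<\s*cross-domain-policy\s*>/i',
                        '<NOT-cross-domain-policy>', $out);
}

// Encode a response, pass it through the filter as an output handler would,
// then decode it the way an API client does.
function roundTrip(array $response, int $jsonFlags): array {
    $encoded = json_encode($response, $jsonFlags);
    $sent    = mangleFlashPolicy($encoded);
    $decoded = json_decode($sent, true);
    return [
        'body'          => $sent,
        'title'         => $decoded['query']['pages'][0]['title'],
        'has_raw_angle' => strpbrk($sent, '<>') !== false,
    ];
}

// Constructed sample: an API-style reply whose data contains the tag as a
// page title, like the titles=%3Ccross-domain-policy%3E query in the report.
$response = ['query' => ['pages' => [
    ['title' => '<cross-domain-policy>', 'missing' => true],
]]];
$expected = $response['query']['pages'][0]['title'];

// Case 1: literal < and > in the JSON body. The filter matches inside the
// string value, so the client receives data it never asked about.
$plain = roundTrip($response, 0);

// Case 2: < and > emitted as \u003C and \u003E. The body holds no literal
// tag for the filter (or a policy-file parser) to match, and the JSON
// decoder restores the original characters on the client side.
$escaped = roundTrip($response, JSON_HEX_TAG);

foreach (['plain' => $plain, 'hex-escaped' => $escaped] as $name => $r) {
    printf("%-12s body:  %s\n", $name, $r['body']);
    printf("%-12s title: %s (%s)\n", $name, $r['title'],
           $r['title'] === $expected ? 'intact' : 'CORRUPTED');
    printf("%-12s literal angle brackets in body: %s\n\n", $name,
           $r['has_raw_angle'] ? 'yes' : 'no');
}
```

As the report notes, escaping at the JSON layer covers only JSON output; formats that cannot escape `<` and `>` still pass through the filter unchanged.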