path: root/img_auth.php
author: Tim Starling <tstarling@wikimedia.org> 2019-11-25 13:56:17 +1100
committer: Tim Starling <tstarling@wikimedia.org> 2019-11-28 15:11:56 +1100
commit: 164a3ac1f0997d85c6a826ff0331dce328d6043d (patch)
tree: dea2044c4a11675084a3fb627b620d5ff6469397 /img_auth.php
parent: 375acb6b46847e7d9416a44b4d8168077b01b711 (diff)
Remove IE 6 security features from server-side code

* Deprecate WebRequest::checkUrlExtension() and have it always return true. This reverts the security fixes made for T30235.
* Remove IEUrlExtension. This is a helper for checkUrlExtension() which is not used in any extensions.
* Remove CSS sanitization code which is specific to IE6. This reverts the changes made to fix T57332, and related followups. I confirmed that the relevant test cases do not result in XSS on IE8.
* Remove related tests.

Bug: T232563
Change-Id: I7318ea4a63210252ebc64968691d4f62d79a63e9
Diffstat (limited to 'img_auth.php')
-rw-r--r-- img_auth.php 10
1 files changed, 0 insertions, 10 deletions
diff --git a/img_auth.php b/img_auth.php
index dc50a6015600..94eaccb3fe85 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -71,16 +71,6 @@ function wfImageAuthMain() {
$path = "/" . $path;
}
- // Check for T30235: QUERY_STRING overriding the correct extension
- $whitelist = [];
- $extension = FileBackend::extensionFromPath( $path, 'rawcase' );
- if ( $extension != '' ) {
- $whitelist[] = $extension;
- }
- if ( !$request->checkUrlExtension( $whitelist ) ) {
- return;
- }
-
$user = RequestContext::getMain()->getUser();
// Various extensions may have their own backends that need access.
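
Review bot: The block removed after the `$path = "/" . $path;` normalization in wfImageAuthMain() was the only guard in this file against the T30235 case (QUERY_STRING overriding the extension taken from `$path`), and the commit message records an IE8 confirmation only for the CSS sanitization removal, not for this check. Since checkUrlExtension() is deprecated to always return true, dropping the call is consistent, but please state in the commit message which browser baseline and which test confirmed that a query string no longer changes how the response from img_auth.php is interpreted. A one-line comment at this spot pointing to T232563 would also let a later reader see that the check is missing on purpose.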