author | Brian Wolff <bawolff+wn@gmail.com> | 2018-05-19 09:30:17 +0000 |
---|---|---|
committer | Krinkle <krinklemail@gmail.com> | 2018-05-22 22:20:43 +0000 |
commit | c14e9ed13ae7e177afe6c9ffaf39c59f4c8369b8 (patch) | |
tree | 8503920fa9d9c5fe0e28f3f7dffddd8fb3aeb18e /includes/ContentSecurityPolicy.php | |
parent | 39ca88374ed3bb9c40ea7fe0ff4c5e79e1ebef6e (diff) | |
ContentSecurityPolicy: Add trailing & to report urls
This works around a bug in HHVM, where it treats post body as part of
request parameters, even if content-type is application/json.
See https://github.com/facebook/hhvm/issues/6676.
Change-Id: Id54d6657056dee56fc71100dedfb3b53d512eaba
Diffstat (limited to 'includes/ContentSecurityPolicy.php')
-rw-r--r-- | includes/ContentSecurityPolicy.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/includes/ContentSecurityPolicy.php b/includes/ContentSecurityPolicy.php
index 21d7d57dcded..66a3535ee853 100644
--- a/includes/ContentSecurityPolicy.php
+++ b/includes/ContentSecurityPolicy.php
@@ -326,7 +326,10 @@ class ContentSecurityPolicy {
 $reportUri = wfAppendQuery( wfScript( 'api' ), $apiArguments );
 // Per spec, ';' and ',' must be hex-escaped in report uri
- $reportUri = $this->escapeUrlForCSP( $reportUri );
+ // Also add an & at the end of url to work around bug in hhvm
+ // with handling of POST parameters when always_decode_post_data
+ // is set to true. See https://github.com/facebook/hhvm/issues/6676
+ $reportUri = $this->escapeUrlForCSP( $reportUri ) . '&';
 return $reportUri;
 } |
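Review bot: The new assignment folds the spec-mandated escaping and the HHVM workaround into one statement under one comment block, so the "Per spec" comment now reads as if the trailing `&` were also required by the CSP spec. I would keep `$reportUri = $this->escapeUrlForCSP( $reportUri );` under the "Per spec" comment and put the workaround on its own line, `$reportUri .= '&';`, under the HHVM comment, so it can be removed cleanly once the HHVM bug is fixed. The `&` is only a parameter separator if `wfAppendQuery()` has already produced a query string; `$apiArguments` is built outside this hunk, so that presumably holds but is worth confirming. On affected HHVM the POST body is still parsed as request parameters, with the `&` presumably only keeping it from merging into the last real one, so the report handler should not trust parameters it did not put in the URL itself. The enclosing method starts above the hunk.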