MediaWiki already sets this header unconditionally on all requests,
but images are served directly by the webserver. We want to remove the
IEContentAnalyzer, which currently provides protection against
uploading problematic files, so instead we are going to recommend
setting this header to instruct browsers to not sniff.
Per pingback data, ~83% of reporting installs use Apache.
This was suggested by Taavi.
Bug: T309787
Change-Id: I8a0c50cc0a8bc037f4c9b0a114f87793446aed7f

All our docs strongly recommend doing this. There is even a prompt
in the installer. Not all webservers listen to this of course, but
it won't hurt things that ignore it.
The general idea is that there should be no directory that is
both writable and executable at the same time by the webserver.
Images must be writable, so we should turn off PHP so it's not executable.
Change-Id: Ic03cee12845a56a0f4f7e356493eb0f446ccf34c

The rewrite rules were removed in 164a3ac1f0. The rest of this
was just to support that. Additionally, follow sym links is not
really best practice. Sometimes this causes problems if Apache
is configured with AllowOverride None (e.g. Topic:T6fd0tdieo4h8q0k)
Change-Id: Iba6c544c991f4d8aff65c4479e2f896fa290a665

* Deprecate WebRequest::checkUrlExtension() and have it always return
true. This reverts the security fixes made for T30235.
* Remove IEUrlExtension. This is a helper for checkUrlExtension() which
is not used in any extensions.
* Remove CSS sanitization code which is specific to IE6. This reverts
the changes made to fix T57332, and related followups. I confirmed
that the relevant test cases do not result in XSS on IE8.
* Remove related tests.
Bug: T232563
Change-Id: I7318ea4a63210252ebc64968691d4f62d79a63e9

This makes sure that thumbnails load properly. Apparently
(in OSX at least), if you don't have FollowSymLinks or
SymLinksIfOwnerMatch on, loading thumbnails gives a 500
error with the existing rewrite rules in place.
Bug: 62289
Change-Id: Icc812fcf9a0b821d2ad84359e5c1d8fb8e9c78a0

* Ported file delete/restore to the filerepo framework. Some user-visible changes in error reporting.
* $wgSaveDeletedFiles has been removed, the feature is now enabled unconditionally. Added a "deleted" directory for the default location, protected by a .htaccess file and the practical obscurity of content hashes.
* Fixed bug 2735: "Preview" shown in title bar for action=submit on special pages
* Removed "restore" links from the deletion log embedded in Special:Undelete
* Added img_sha1/oi_sha1 fields, preserved through upload, delete and restore
* Referenced the new oi_metadata etc. fields to preserve metadata across upload and delete/restore.
* Add 'pagetitle' message to customize the HTML page title format (e.g., "$1 - Wikipedia Encyclopedia")
* Some XHTML fixes to Nostalgia skin, prefs
* Removing the unfinished Smarty skins, renamed Standard to Classic
* Remove "gnunote" message in favor of general "copyright" msg, which is filled with the link & name in $wgRightsPage/$wgRightsURL and $wgRightsText
* Support a copyright-related icon as $wgRightsIcon (includes sample gnu-fdl.png)
* Show "Powered by MediaWiki" icon in footer (poweredby_mediawiki_88x31.png by Dan Carlson)