MediaWiki already sets this header unconditionally on all requests,
but images are served directly by the webserver. We want to remove the
IEContentAnalyzer, which currently provides protection against
uploading problematic files, so instead we are going to recommend
setting this header to instruct browsers to not sniff.
Per pingback data, ~83% of reporting installs use Apache.
This was suggested by Taavi.
Bug: T309787
Change-Id: I8a0c50cc0a8bc037f4c9b0a114f87793446aed7f

All our docs strongly recommend doing this. There is even a prompt
in the installer. Not all webservers listen to this of course, but
it won't hurt things that ignore it.
The general idea is that there should be no directory that is
both writable and executable at the same time by the webserver.
images must be writable, so we should turn off PHP so it's not executable.
Change-Id: Ic03cee12845a56a0f4f7e356493eb0f446ccf34c

The rewrite rules were removed in 164a3ac1f0. The rest of this
was just to support that. Additionally, follow sym links is not
really best practice. Sometimes this causes problems if Apache
is configured with AllowOverride None (e.g. Topic:T6fd0tdieo4h8q0k).
Change-Id: Iba6c544c991f4d8aff65c4479e2f896fa290a665

* Deprecate WebRequest::checkUrlExtension() and have it always return
true. This reverts the security fixes made for T30235.
* Remove IEUrlExtension. This is a helper for checkUrlExtension() which
is not used in any extensions.
* Remove CSS sanitization code which is specific to IE6. This reverts
the changes made to fix T57332, and related followups. I confirmed
that the relevant test cases do not result in XSS on IE8.
* Remove related tests.
Bug: T232563
Change-Id: I7318ea4a63210252ebc64968691d4f62d79a63e9

This makes sure that thumbnails load properly. Apparently
(in OSX at least), if you don't have FollowSymLinks or
SymLinksIfOwnerMatch on, loading thumbnails gives a 500
error with the existing rewrite rules in place.
Bug: 62289
Change-Id: Icc812fcf9a0b821d2ad84359e5c1d8fb8e9c78a0