wiki.techinc.nl/trackback.php
Brion Vibber 2d5ac3c276 * Add 'charset' to Content-Type headers on various HTTP error responses
to forestall additional UTF-7-autodetect XSS issues. Probably not an
  issue on Apache 2.0+, but most servers send only 'text/html' by default
  when the script didn't specify more details.
    This fixes an issue with the Ajax interface error message on MSIE when
  $wgUseAjax is enabled (not default configuration); this UTF-7 variant
  on a previously fixed attack vector was discovered by Moshe BA from BugSec:
  http://www.bugsec.com/articles.php?Security=24

* Trackback responses now specify XML content type
2007-02-21 01:02:47 +00:00


<?php
/**
* Provide functions to handle article trackbacks.
* @addtogroup SpecialPage
*/
require_once( './includes/WebStart.php' );
require_once( './includes/DatabaseFunctions.php' );
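/**
 * Emit the trackback "accepted" response and terminate the request.
 *
 * The body is sent as application/xml with an explicit charset so the
 * client does not sniff the encoding. The XML declaration is written as
 * the very first bytes of the body: any leading whitespace before
 * `<?xml` makes the document ill-formed for conforming parsers.
 *
 * Never returns: calls exit after writing the body.
 */
function XMLsuccess() {
    header("Content-Type: application/xml; charset=utf-8");
    echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
        . "<response>\n"
        . "<error>0</error>\n"
        . "</response>\n";
    exit;
}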
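/**
 * Emit a trackback error response (HTTP 400) and terminate the request.
 *
 * The XML declaration is written as the very first bytes of the body;
 * leading whitespace before `<?xml` makes the document ill-formed.
 *
 * @param string $err Human-readable reason. It is escaped before being
 *   placed inside <message>, so it can neither break the XML structure
 *   nor inject markup, whatever its origin. The visible callers pass
 *   fixed literals; the escaping is defence in depth for future callers.
 *
 * Never returns: calls exit after writing the body.
 */
function XMLerror($err = "Invalid request.") {
    header("HTTP/1.0 400 Bad Request");
    header("Content-Type: application/xml; charset=utf-8");
    // Escape for XML text content; ENT_QUOTES also covers &, <, >, ' and ".
    $safeErr = htmlspecialchars($err, ENT_QUOTES, 'UTF-8');
    echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
        . "<response>\n"
        . "<error>1</error>\n"
        . "<message>Invalid request: $safeErr</message>\n"
        . "</response>\n";
    exit;
}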
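// Script body: accept one trackback ping and record it.
//
// 'url' and 'blog_name' (POST) and 'article' (any method) are required.
// 'title' and 'excerpt' are optional, so they are read defensively instead
// of triggering undefined-index notices; a missing value is still stored
// as null, exactly as before.

if (!$wgUseTrackbacks) {
    XMLerror("Trackbacks are disabled.");
}

if (!isset($_POST['url'])
    || !isset($_POST['blog_name'])
    || !isset($_REQUEST['article'])) {
    XMLerror("Required field not specified");
}

$tbtitle   = isset($_POST['title']) ? $_POST['title'] : null;
$tbex      = isset($_POST['excerpt']) ? $_POST['excerpt'] : null;
$tburl     = $_POST['url'];
$tbname    = $_POST['blog_name'];
$tbarticle = $_REQUEST['article'];

// Title::newFromText() may yield null for an unparseable page name
// (hence the null check), and the page must actually exist.
$title = Title::newFromText($tbarticle);
if (is_null($title) || !$title->exists()) {
    XMLerror("Specified article does not exist.");
}

// The master connection is only acquired once the request is known to be
// valid. Values are handed to the DB layer as data, never interpolated
// into SQL. They are stored unescaped: whatever later renders tb_title,
// tb_url, tb_ex or tb_name must escape for its own output context.
$dbw = wfGetDB(DB_MASTER);
$dbw->insert('trackbacks', array(
    'tb_page'  => $title->getArticleID(),
    'tb_title' => $tbtitle,
    'tb_url'   => $tburl,
    'tb_ex'    => $tbex,
    'tb_name'  => $tbname
));

XMLsuccess();
exit; // XMLsuccess() already exits; kept as a safety net.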