
Multiple calls from index.php with action=raw results in 403 Forbidden
Closed, Declined
Public

Description

Author: lukis.mail

Description:
After a clean wikimedia install, all sites make these calls during loading:
/index.php?title=MediaWiki:Common.css&usemsgcache=yes&ctype=text%2Fcss&smaxage=18000&action=raw&maxage=18000
/index.php?title=MediaWiki:Print.css&usemsgcache=yes&ctype=text%2Fcss&smaxage=18000&action=raw&maxage=18000
/index.php?title=MediaWiki:Monobook.css&usemsgcache=yes&ctype=text%2Fcss&smaxage=18000&action=raw&maxage=18000
/index.php?title=-&action=raw&maxage=18000&smaxage=0&ts=20091121231526&gen=css
/index.php?title=-&action=raw&smaxage=0&gen=js&useskin=monobook
/index.php?title=-&action=raw&smaxage=0&gen=js&useskin=monobook

Each called site results in 403 Forbidden and html:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>Forbidden</title></head><body><h1>Forbidden</h1><p>Raw pages must be accessed through the primary script entry point.</p></body></html>

Server configuration:
os: debian unstable
http server: nginx/0.7.63
php: PHP Version 5.2.11-1
fcgi-server: spawn-fcgi 1.6.3-1

No logs in nginx/error.log during site loading.


Version: 1.15.x
Severity: normal
OS: Linux
Platform: Other

Details

Reference
bz21587

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 10:49 PM
bzimport set Reference to bz21587.
bzimport added a subscriber: Unknown Object (MLST).

diken.chen wrote:

The same issue was found in my personal wiki. I just noticed this issue when I was trying to use common.js to customize the sidebar. I did not see common.js was included in the html page.

My Configuration is:
Server: Cherokee Web Server 0.99.43 with URL rewriting
PHP 5.2.10-2ubuntu6.4 with Suhosin-Patch 0.9.7 (cgi-fcgi) (built: Jan 6 2010 22:34:28)

diken.chen wrote:

Forgot to write down my mediawiki version: 1.15.0
I tried the fix as described in http://www.mediawiki.org/wiki/Special:Code/MediaWiki/49833. It does not fix this issue.

mike.mcgurrin wrote:

I get what I think is an aspect of the same problem on Wikipedia for some queries. For example, http://en.wikipedia.org/wiki/Washington,_d.c. gives me a redirection page, but http://en.wikipedia.org/wiki/Washington,_d.c.?action=raw yields:

Forbidden

Invalid file extension found in PATH_INFO. Raw pages must be accessed through the primary script entry point.

(In reply to comment #3)

I get what I think is an aspect of the same problem on Wikipedia for some
queries. For example, http://en.wikipedia.org/wiki/Washington,_d.c. gives me a
redirection page, but http://en.wikipedia.org/wiki/Washington,_d.c.?action=raw
yields:

Forbidden

Invalid file extension found in PATH_INFO. Raw pages must be accessed through
the primary script entry point.

That's desired behaviour to stop IE3 from being stupid and trying to execute the page as js. action=raw is only supposed to work if you access it through index.php like http://en.wikipedia.org/w/index.php?title=Washington,_d.c.&action=raw (The original poster has a different issue since they're accessing the pages through index.php.)

Bug 28840 seems to be the same issue though specifically mentioning ResourceLoader initially. The checks similarly break action=raw for titles containing periods, such as we use for all JS/CSS pages not loaded via RL. (Not the traditional check that actually does make you use the index.php point, but the new extension checks on the query string are the problem here.)

Possibly this should just be marked dupe? Adding a dep for now.

(In reply to comment #5)

Bug 28840 seems to be the same issue though specifically mentioning
ResourceLoader initially. The checks similarly break action=raw for titles
containing periods, such as we use for all JS/CSS pages not loaded via RL. (Not
the traditional check that actually does make you use the index.php point, but
the new extension checks on the query string are the problem here.)

Possibly this should just be marked dupe? Adding a dep for now.

I think they are different unrelated issues. This one is about the check that's been there forever, where the other one is about the check just recently introduced.

Ah true, that's on the older version. Restoring.

All the URLs in the description work for me on enwiki and my local test wiki. Can this be closed now?

Aklapper claimed this task.
In T23587#1615969, @TTO wrote:

All the URLs in the description work for me on enwiki and my local test wiki. Can this be closed now?

Yeah let's do that. Thanks for retesting.
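
The two 403 responses quoted in this thread come from guards on action=raw: one rejects a file extension in PATH_INFO, the other requires the primary script entry point. The sketch below is an added example, not part of the thread and not MediaWiki's code; `rawAccessDecision`, the `/w/index.php` entry point, the first-dot extension rule and the sample CGI values are assumptions made for illustration.

```php
<?php
// Simplified model of the two guards discussed in this thread.
// Hypothetical helper, not MediaWiki's implementation.

const PRIMARY_SCRIPT = '/w/index.php'; // assumed primary entry point
const SCRIPT_EXT     = '.php';         // assumed script extension

/**
 * Decide whether an action=raw request may be served.
 * Returns [httpStatus, reason].
 */
function rawAccessDecision(string $scriptName, string $pathInfo): array
{
    // Guard 1 (assumed rule): everything after the first dot in PATH_INFO is
    // treated as a file extension that a content-sniffing browser could act
    // on, so only the script's own extension is accepted.
    $dot = strpos($pathInfo, '.');
    if ($dot !== false && substr($pathInfo, $dot) !== SCRIPT_EXT) {
        return [403, 'Invalid file extension found in PATH_INFO. '
            . 'Raw pages must be accessed through the primary script entry point.'];
    }

    // Guard 2: the request must arrive via the primary script entry point.
    if ($scriptName !== PRIMARY_SCRIPT) {
        return [403, 'Raw pages must be accessed through the primary script entry point.'];
    }

    return [200, 'OK'];
}

// Constructed CGI variables (SCRIPT_NAME, PATH_INFO) for the URL shapes
// mentioned in the thread; a real server's values depend on its rewrite
// and FastCGI configuration.
$cases = [
    '/wiki/Washington,_d.c.?action=raw'  => ['/w/index.php', '/Washington,_d.c.'],
    '/w/index.php?title=...&action=raw'  => ['/w/index.php', ''],
    'request via a different script'     => ['/w/other.php', ''],
];

foreach ($cases as $label => [$scriptName, $pathInfo]) {
    [$status, $reason] = rawAccessDecision($scriptName, $pathInfo);
    printf("%-36s %d %s\n", $label, $status, $reason);
}
```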