Last modified: 2013-04-08 11:01:57 UTC
Extensions such as SyntaxHighlight[1] currently break on a default install. It tries to load titleMediaWiki:Geshi.css, with a querystring that contains action=raw, and calls ->getLocalURL($q) to get the URL. This is causing MW to throw a 403 error on that http request. -- Krinkle [1] http://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi
403 Forbidden: http://localhost/SVN/mediawiki/trunk/phase3/index.php/MediaWiki:Geshi.css?usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000 PHP Code (abstracted): private static function buildHeadItem( $geshi ) { // ... $title = Title::makeTitle( NS_MEDIAWIKI, 'Geshi.css' ); $q = "usemsgcache=yes&action=raw&ctype=text/css"; $css[] = '<style type="text/css">/*<![CDATA[*/'; $css[] = '@import "' . $title->getLocalUrl( $q ) . '";'; $css[] = '/*]]>*/'; $css[] = '</style>'; return implode( "\n", $css ); } This is likely not the only extension doing this.
CC-ing hashar who implemented this (iirc).
Adding blocker to bug 28425 (1.18 Milestone), we can't ship 1.18 without this as many extensions (including parts of SyntaxHighlighter) would fail.
I have rewrote it in r87964 to get prettier URLs. Self notes: the issue is related to the file extension (.css), the error is: 403 - Forbidden Invalid file extension found in PATH_INFO or QUERY_STRING. Raw pages must be accessed through the primary script entry point. Not sure what is the root cause, will try to poke it next week-end.
>Not sure what is the root cause, will try to poke it next week-end. I believe ?action=raw must happen with index.php style links only, as opposed to short urls due to the IE6 XSS issue.
I've reverted r87964 in r88667, which'll make this bug obsolete. Note that action=raw specifically forbids use of PATHINFO-style title appending because it's a security problem on IE 6.