(PLATFORM-3277) Backport patch for T128209 from MW 1.29.2

Backport patch for T128209 from MW 1.29.2 security release that avoids
some silliness with browser-guessed filenames.

api.php

@@ -63,6 +63,17 @@
 	return;
 }
 
+// Pathinfo can be used for stupid things. We don't support it for api.php at
+// all, so error out if it's present.
+if ( isset( $_SERVER['PATH_INFO'] ) && $_SERVER['PATH_INFO'] != '' ) {
+	$correctUrl = wfAppendQuery( wfScript( 'api' ), $wgRequest->getQueryValues() );
+	$correctUrl = wfExpandUrl( $correctUrl, PROTO_CANONICAL );
+	header( "Location: $correctUrl", true, 301 );
+	echo 'This endpoint does not support "path info", i.e. extra text between "api.php"'
+		. 'and the "?". Remove any such text and try again.';
+	die( 1 );
+}
+
 // Verify that the API has not been disabled
 if ( !$wgEnableAPI ) {
 	header( $_SERVER['SERVER_PROTOCOL'] . ' 500 MediaWiki configuration Error', true, 500 );

includes/Feed.php

@@ -227,6 +227,12 @@ public function httpHeaders() {
 		$wgOut->disable();
 		$mimetype = $this->contentType();
 		header( "Content-type: $mimetype; charset=UTF-8" );
+
+		// Set a sane filename
+		$exts = MimeMagic::singleton()->getExtensionsForType( $mimetype );
+		$ext = $exts ? strtok( $exts, ' ' ) : 'xml';
+		header( "Content-Disposition: inline; filename=\"feed.{$ext}\"" );
+
 		if ( $wgVaryOnXFP ) {
 			$wgOut->addVaryHeader( 'X-Forwarded-Proto' );
 		}

includes/api/ApiFormatBase.php

@@ -61,6 +61,24 @@ public function __construct( $main, $format ) {
 	 */
 	public abstract function getMimeType();
 
+	/**
+	 * Return a filename for this module's output.
+	 * @note If $this->getIsHtml(), you'll very
+	 *  likely want to fall back to this class's version.
+	 * @since 1.27
+	 * @return string Generally this should be "api-result.$ext", and must be
+	 *  encoded for inclusion in a Content-Disposition header's filename parameter.
+	 */
+	public function getFilename() {
+		if ( $this->getIsHtml() ) {
+			return 'api-result.html';
+		} else {
+			$exts = MimeMagic::singleton()->getExtensionsForType( $this->getMimeType() );
+			$ext = $exts ? strtok( $exts, ' ' ) : strtolower( $this->mFormat );
+			return "api-result.$ext";
+		}
+	}
+
 	/**
 	 * Whether this formatter needs raw data such as _element tags
 	 * @return bool
@@ -150,6 +168,13 @@ function initPrinter( $isError ) {
 			$this->getMain()->getRequest()->response()->header( "X-Frame-Options: $wgApiFrameOptions" );
 		}
 
+		// Set a Content-Disposition header so something downloading an API
+		// response uses a halfway-sensible filename (T128209).
+		$filename = $this->getFilename();
+		$this->getMain()->getRequest()->response()->header(
+			"Content-Disposition: inline; filename=\"{$filename}\""
+		);
+
 		if ( $isHtml ) {
 ?>
 <!DOCTYPE HTML>

includes/api/ApiFormatRaw.php

@@ -54,6 +54,17 @@ public function getMimeType() {
 		return $data['mime'];
 	}
 
+	public function getFilename() {
+		$data = $this->getResultData();
+		if ( isset( $data['error'] ) ) {
+			return $this->errorFallback->getFilename();
+		} elseif ( !isset( $data['filename'] ) || $this->getIsHtml() ) {
+			return parent::getFilename();
+		} else {
+			return $data['filename'];
+		}
+	}
+
 	public function execute() {
 		$data = $this->getResultData();
 		if ( isset( $data['error'] ) ) {

includes/api/ApiQuery.php

@@ -514,6 +514,7 @@ private function doExport( $pageSet, $result )	{
 			// Raw formatter will handle this
 			$result->addValue( null, 'text', $exportxml );
 			$result->addValue( null, 'mime', 'text/xml' );
+			$result->addValue( null, 'filename', 'export.xml', ApiResult::NO_SIZE_CHECK );
 		} else {
 			$r = array();
 			ApiResult::setContent( $r, $exportxml );