Package: mediawiki Version: 1:1.19.5-1 Severity: normal Tags: security X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
Default allowed extensions for file upload are only: $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' ); Under Firefox & Chrome it's indeed impossible to upload a pdf file under those settings. But under IE it's possible without warning or error. A quick inspection seems to indicate that the file extension is only checked on the client side via javascript and IE does not do a proper job. Note that "application/pdf" is by default in the $wgTrustedMediaFormats array. IMHO file extension checks must also be enforced on server side, and, if possible, a js workaround should be provided for proper handling in IE. Malicious pdfs do exist... Best regards Phil -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
