CCing secur...@wikimedia.org

On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <p...@teuwen.org> wrote:
> On 07/15/2013 01:00 PM, Henri Salo wrote:
> > On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
> >> Package: mediawiki
> >> Version: 1:1.19.5-1
> >> Severity: normal
> >> Tags: security
> >> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> >>
> >> Default allowed extensions for file upload are only:
> >> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
> >>
> >> Under Firefox & Chrome it's indeed impossible to upload a pdf file under
> >> those settings.
> >> But under IE it's possible without warning or error.
> >>
> >> A quick inspection seems to indicate that the file extension is only
> >> checked on the client side via JavaScript and IE does not do a proper job.
> >> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
> >> array.
> >>
> >> IMHO file extension checks must also be enforced on server side, and, if
> >> possible, a js workaround should be provided for proper handling in IE.
> >> Malicious PDFs do exist...
> >>
> >> Best regards
> >> Phil
> >
> > Have you notified upstream about this issue?
> >
> > ---
> > Henri Salo
>
> No
> Phil
>
> _______________________________________________
> Pkg-mediawiki-devel mailing list
> pkg-mediawiki-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel
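The report's point is that an extension allowlist enforced only in browser JavaScript is no control at all. The following is an added illustration, not MediaWiki code, of what a server-side check for the quoted default `$wgFileExtensions` looks like: it takes the extension from the submitted filename, compares it against the allowlist, and additionally checks that the file's leading bytes match the claimed type, so a PDF renamed to `.jpg` is also rejected. The magic-byte table and sample uploads are constructed for this example.

```python
import os
from typing import Tuple

# Server-side copy of the Debian default quoted in the report:
# $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Constructed table of leading bytes per allowed extension (assumption: this is
# the example's own table, not MediaWiki's MIME detection).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}


def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Runs on the server regardless of what the
    browser did or did not validate."""
    # Strip any client-supplied directory part (IE historically sent full paths).
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no file extension"
    # Only the final extension counts; compare case-insensitively.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not in $wgFileExtensions"
    # Reject content whose header does not match the extension it claims.
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        return False, f"content does not look like a {ext} file"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        ("report.pdf", b"%PDF-1.4 ..."),            # the case from the report
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF..."),  # genuine JPEG header
        ("photo.jpg", b"%PDF-1.4 ..."),             # PDF renamed to .jpg
        ("C:\\Users\\x\\logo.PNG", b"\x89PNG\r\n\x1a\n..."),
    ]
    for name, data in samples:
        print(name, "->", check_upload(name, data))
```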