Hi, I'm working on reproducing this. The file extension is checked in UploadBase::getTitle(). If $wgCheckFileExtensions and $wgStrictFileExtensions are both true (which by default they are), then the file should be rejected during the upload process. If that check is being bypassed, then we have a serious issue we need to get patched asap.
Are both $wgCheckFileExtensions and $wgStrictFileExtensions set to true on the system where you're seeing this behavior? Also, are you using UploadWizard, or another extension to trigger this, or the standard Special:Upload page?

On Mon, Jul 15, 2013 at 9:00 AM, Alex Monk <kren...@gmail.com> wrote:
> CCing secur...@wikimedia.org
>
> On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <p...@teuwen.org> wrote:
>>
>> On 07/15/2013 01:00 PM, Henri Salo wrote:
>> > On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>> >> Package: mediawiki
>> >> Version: 1:1.19.5-1
>> >> Severity: normal
>> >> Tags: security
>> >> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
>> >>
>> >> Default allowed extensions for file upload are only:
>> >> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>> >>
>> >> Under Firefox & Chrome it's indeed impossible to upload a pdf file
>> >> under those settings.
>> >> But under IE it's possible without warning or error.
>> >>
>> >> A quick inspection seems to indicate that the file extension is only
>> >> checked on the client side via javascript and IE does not do a proper
>> >> job.
>> >> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>> >> array.
>> >>
>> >> IMHO file extension checks must also be enforced on server side, and,
>> >> if possible, a js workaround should be provided for proper handling in IE.
>> >> Malicious pdfs do exist...
>> >>
>> >> Best regards
>> >> Phil
>> >
>> > Have you notified upstream about this issue?
>> >
>> > ---
>> > Henri Salo
>>
>> No
>> Phil
>>
>> _______________________________________________
>> Pkg-mediawiki-devel mailing list
>> pkg-mediawiki-de...@lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel
>
> --
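The reply above rests on one point: the extension decision has to be made on the server from the filename it actually receives, whatever a browser's JavaScript did or did not validate. The following is an added example written for this thread, not MediaWiki's UploadBase code; the function names and the way the two flags are treated (strict rejects, non-strict only warns) are assumptions modelled on the settings named in the messages.

```php
<?php
// Added example, not MediaWiki code. Models a server-side extension policy
// driven by the three settings named in the thread:
//   $wgFileExtensions, $wgCheckFileExtensions, $wgStrictFileExtensions.
// The real semantics of UploadBase::getTitle() are not reproduced here;
// the flag handling below is an assumption for illustration only.

/**
 * Return the lower-cased final extension of a filename, or '' if none.
 * The last dot decides, so "report.pdf.png" yields "png" and "trick.png.pdf"
 * yields "pdf"; a name with no dot, or a trailing dot, has no extension.
 */
function fileExtension(string $name): string {
    $base = basename($name);
    $pos = strrpos($base, '.');
    if ($pos === false || $pos === strlen($base) - 1) {
        return '';
    }
    return strtolower(substr($base, $pos + 1));
}

/**
 * Decide whether an upload is acceptable purely from server-side state.
 * Returns [bool allowed, string reason].
 */
function checkUploadExtension(
    string $filename,
    array $allowed,        // $wgFileExtensions
    bool $checkExtensions, // $wgCheckFileExtensions
    bool $strict           // $wgStrictFileExtensions (assumed: reject, not warn)
): array {
    if (!$checkExtensions) {
        return [true, 'extension checking disabled'];
    }
    $ext = fileExtension($filename);
    if ($ext === '') {
        return [false, 'no file extension'];
    }
    // Compare case-insensitively so "photo.JPG" matches 'jpg'.
    $allowedLower = array_map('strtolower', $allowed);
    if (in_array($ext, $allowedLower, true)) {
        return [true, "extension '$ext' is permitted"];
    }
    if ($strict) {
        return [false, "extension '$ext' is not in the permitted list"];
    }
    // Non-strict mode: assumed to warn but still accept.
    return [true, "warning: extension '$ext' is not in the permitted list"];
}

// Constructed sample filenames, as any browser might submit them.
$wgFileExtensions = ['png', 'gif', 'jpg', 'jpeg'];
$samples = ['photo.JPG', 'paper.pdf', 'README', 'trick.png.pdf'];

foreach ($samples as $name) {
    [$ok, $why] = checkUploadExtension($name, $wgFileExtensions, true, true);
    printf("%-14s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $why);
}
```

Run it with `php check.php`. With both flags true, as the reply says is the default, only `photo.JPG` is accepted; `paper.pdf` and `trick.png.pdf` are rejected because the final extension is `pdf`, and `README` is rejected for having no extension. Nothing in the decision depends on the client, which is what a reproduction of the report should confirm: if the server accepts the PDF anyway, the problem is in the server-side path, not in IE's script handling.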