Hello, Actually now I see I had $wgCheckFileExtensions = false; left on the config file. I was abused by the fact that under Firefox & Chrome, pdf upload was properly banned and documentation of https://www.mediawiki.org/wiki/Manual:$wgCheckFileExtensions and https://www.mediawiki.org/wiki/Manual:$wgStrictFileExtensions seem to indicate that $wgStrictFileExtensions was enough to enforce the check.
So what is the supposed behavior of $wgCheckFileExtensions = false; $wgStrictFileExtensions = true; ?? Here are the relevant parts of LocalSettings.php I'm using the regular Special:Upload page $wgEnableUploads = true; $wgCheckFileExtensions = false; $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false; On 07/15/2013 07:54 PM, Chris Steipp wrote: > Hi, I'm working on reproducing this. > > The file extension is checked in UploadBase::getTitle(). If > $wgCheckFileExtensions and $wgStrictFileExtensions are both true > (which by default they are), then the file should be rejected during > the upload process. If that check is being bypassed, then we have a > serious issue we need to get patched asap. > > Are both $wgCheckFileExtensions and $wgStrictFileExtensions set to > true on the system where you're seeing this behavior? Also, are you > using UploadWizard, or another extension to trigger this, or the > standard Special:Upload page? > > On Mon, Jul 15, 2013 at 9:00 AM, Alex Monk <kren...@gmail.com> wrote: >> CCing secur...@wikimedia.org >> >> On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <p...@teuwen.org> wrote: >>> On 07/15/2013 01:00 PM, Henri Salo wrote: >>>> On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote: >>>>> Package: mediawiki >>>>> Version: 1:1.19.5-1 >>>>> Severity: normal >>>>> Tags: security >>>>> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org >>>>> >>>>> Default allowed extensions for file upload are only: >>>>> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' ); >>>>> >>>>> Under Firefox & Chrome it's indeed impossible to upload a pdf file >>>>> under >>>>> those settings. >>>>> But under IE it's possible without warning or error. >>>>> >>>>> A quick inspection seems to indicate that the file extension is only >>>>> checked on the client side via javascript and IE does not do a proper >>> job. >>>>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats >>>>> array. >>>>> >>>>> IMHO file extension checks must also be enforced on server side, and, >>>>> if >>>>> possible, a js workaround should be provided for proper handling in IE. >>>>> Malicious pdfs do exist... >>>>> >>>>> Best regards >>>>> Phil >>>> Have you notified upstream about this issue? >>>> >>>> --- >>>> Henri Salo >>> No >>> Phil >>> >>> _______________________________________________ >>> Pkg-mediawiki-devel mailing list >>> pkg-mediawiki-de...@lists.alioth.debian.org >>> >>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel >> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
