On 07/16/2013 10:26 AM, Thorsten Glaser wrote:
> On Mon, 15 Jul 2013, Philippe Teuwen wrote:
>
>> A quick inspection seems to indicate that the file extension is only
>> checked on the client side via javascript and IE does not do a proper job.
> File extensions are a joke, really.
>
>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>> array.
> In that case I’d say this is not a bug, right? ;-)
There are inconsistencies that can lead to an overlooked security issue in some setups, call it as you want. Now the good news is that the behavior is not showing up with the default settings. For me, answers to those questions are still quite fuzzy:

* $wgCheckFileExtensions = false and $wgStrictFileExtensions = true then pdf upload is working from IE but not from Chrome or Firefox, that's just fact
* why is pdf by default not in $wgFileExtensions but present in $wgTrustedMediaFormats?
* Is it wise to let by default "application/pdf" in the $wgTrustedMediaFormats list?
* documentation is quite confusing between $wgCheckFileExtensions and $wgStrictFileExtensions: https://www.mediawiki.org/wiki/Manual:$wgCheckFileExtensions indicates $wgStrictFileExtensions is more reliable, $wgStrictFileExtensions says "If set to true, users will only be able to upload files with proper extensions (see $wgFileExtensions)" but in reality $wgCheckFileExtensions = false and $wgStrictFileExtensions = true is just insecure.

Best regards
Phil
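The setting pair Phil describes, next to a corrected one, as an added LocalSettings.php fragment (example written for this thread, not taken from the bug report or from MediaWiki's own files; the image-only $wgFileExtensions list is an assumed local policy, adjust it if pdf uploads are actually wanted):

```php
<?php
// --- Reported setup: the whitelist is declared "strict" but extension
// checking is switched off. As observed in the thread, the server accepts a
// .pdf from IE, so only the client-side JavaScript was refusing it; the
// whitelist in $wgFileExtensions is not enforced by the server with this pair.
$wgCheckFileExtensions  = false;
$wgStrictFileExtensions = true;

// --- Corrected setup: turn both flags on so the server itself rejects any
// extension not listed in $wgFileExtensions, regardless of browser.
$wgCheckFileExtensions  = true;
$wgStrictFileExtensions = true;

// Keep the allowed-extension list explicit (assumed local policy: images only).
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );

// If pdf is not an allowed upload type here, do not keep treating it as a
// trusted format for inline display either; drop it from the default list.
$wgTrustedMediaFormats = array_diff( $wgTrustedMediaFormats, array( 'application/pdf' ) );
```

After changing the flags, re-test an upload of a non-whitelisted extension with JavaScript disabled in the browser: the server-side error, not a client-side message, is the check that counts.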