Thanks Philippe, that does explain it. This "feature" was actually implemented here: https://bugzilla.wikimedia.org/show_bug.cgi?id=14220, which intentionally made setting $wgCheckFileExtensions = false allow any file extension to be uploaded, regardless of how wgStrictFileExtensions is set. I'll make sure the documentation on those is a little more clear.
I'll also check with the developer community and see if there is consensus that this is still the desired functionality.

On Tue, Jul 16, 2013 at 12:05 AM, Philippe Teuwen <p...@teuwen.org> wrote:
> Hello,
>
> Actually now I see I had $wgCheckFileExtensions = false; left on the
> config file.
> I was abused by the fact that under Firefox & Chrome, pdf upload was
> properly banned and documentation of
> https://www.mediawiki.org/wiki/Manual:$wgCheckFileExtensions and
> https://www.mediawiki.org/wiki/Manual:$wgStrictFileExtensions
> seem to indicate that $wgStrictFileExtensions was enough to enforce the
> check.
>
> So what is the supposed behavior of
> $wgCheckFileExtensions = false;
> $wgStrictFileExtensions = true;
> ??
>
> Here are the relevant parts of LocalSettings.php
> I'm using the regular Special:Upload page
>
> $wgEnableUploads = true;
> $wgCheckFileExtensions = false;
> $wgGroupPermissions['*']['createaccount'] = false;
> $wgGroupPermissions['*']['edit'] = false;
> $wgGroupPermissions['*']['read'] = false;
>
>
> On 07/15/2013 07:54 PM, Chris Steipp wrote:
>> Hi, I'm working on reproducing this.
>>
>> The file extension is checked in UploadBase::getTitle(). If
>> $wgCheckFileExtensions and $wgStrictFileExtensions are both true
>> (which by default they are), then the file should be rejected during
>> the upload process. If that check is being bypassed, then we have a
>> serious issue we need to get patched asap.
>>
>> Are both $wgCheckFileExtensions and $wgStrictFileExtensions set to
>> true on the system where you're seeing this behavior? Also, are you
>> using UploadWizard, or another extension to trigger this, or the
>> standard Special:Upload page?
>>
>> On Mon, Jul 15, 2013 at 9:00 AM, Alex Monk <kren...@gmail.com> wrote:
>>> CCing secur...@wikimedia.org
>>>
>>> On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <p...@teuwen.org> wrote:
>>>> On 07/15/2013 01:00 PM, Henri Salo wrote:
>>>>> On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>>>>>> Package: mediawiki
>>>>>> Version: 1:1.19.5-1
>>>>>> Severity: normal
>>>>>> Tags: security
>>>>>> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
>>>>>>
>>>>>> Default allowed extensions for file upload are only:
>>>>>> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>>>>>>
>>>>>> Under Firefox & Chrome it's indeed impossible to upload a pdf file
>>>>>> under those settings.
>>>>>> But under IE it's possible without warning or error.
>>>>>>
>>>>>> A quick inspection seems to indicate that the file extension is only
>>>>>> checked on the client side via javascript and IE does not do a proper
>>>>>> job.
>>>>>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>>>>>> array.
>>>>>>
>>>>>> IMHO file extension checks must also be enforced on server side, and,
>>>>>> if possible, a js workaround should be provided for proper handling in IE.
>>>>>> Malicious pdfs do exist...
>>>>>>
>>>>>> Best regards
>>>>>> Phil
>>>>> Have you notified upstream about this issue?
>>>>>
>>>>> ---
>>>>> Henri Salo
>>>> No
>>>> Phil
>>>>
>>>> _______________________________________________
>>>> Pkg-mediawiki-devel mailing list
>>>> pkg-mediawiki-de...@lists.alioth.debian.org
>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel
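To make the configuration interplay discussed in this thread concrete, here is a small model of the server-side extension decision. It is an added example written for this page, not MediaWiki's UploadBase code: the function and label names are constructed, the sample file names are constructed, and the "warn" verdict for the check=true/strict=false combination is an assumption (that combination is not described in the thread). What the model does reproduce from the thread is that the check belongs on the server, that with both settings true (the defaults) a disallowed extension is rejected whatever browser submitted it, and that $wgCheckFileExtensions = false skips the check entirely regardless of $wgStrictFileExtensions.

```python
"""Model of MediaWiki's server-side upload extension check, as discussed
in the thread. Added example; not MediaWiki's own UploadBase code."""

import os

# Default allow-list from Philippe's report (mirrors $wgFileExtensions).
DEFAULT_FILE_EXTENSIONS = ("png", "gif", "jpg", "jpeg")


def final_extension(filename):
    """Return the lower-cased text after the last dot of the base name,
    or "" when there is no extension. Only the final extension counts,
    so 'shot.png.pdf' is treated as a .pdf upload. Backslashes are
    normalised because some browsers submit a full client-side path."""
    base = os.path.basename(filename.replace("\\", "/"))
    _root, ext = os.path.splitext(base)
    return ext[1:].lower() if ext else ""


def check_upload_extension(filename, check_file_extensions=True,
                           strict_file_extensions=True,
                           file_extensions=DEFAULT_FILE_EXTENSIONS):
    """Decide what the server does with an uploaded file name.

    Returns "allow", "reject" or "warn". Runs on the server, so it does
    not matter whether the browser's JavaScript check fired or not.
    """
    if not check_file_extensions:
        # The bug 14220 behaviour discussed in the thread: with
        # $wgCheckFileExtensions = false the extension is never checked,
        # whatever $wgStrictFileExtensions says.
        return "allow"
    ext = final_extension(filename)
    if ext in {e.lower() for e in file_extensions}:
        return "allow"
    if strict_file_extensions:
        # Both settings true (the defaults): reject outright, as Chris
        # describes for UploadBase::getTitle().
        return "reject"
    # check=true, strict=false is not described on the page; modelled
    # here as a warning rather than a hard reject (assumption).
    return "warn"


def reproduce_report():
    """Walk through the scenarios raised in the thread and return the
    server-side verdicts keyed by a short label (constructed names)."""
    pdf = "report.pdf"
    return {
        # Defaults: a .pdf must be rejected regardless of which browser
        # sent it, because the decision is made server-side.
        "defaults_pdf": check_upload_extension(pdf),
        "defaults_png": check_upload_extension("photo.PNG"),
        # Philippe's LocalSettings.php: check=false with strict left true.
        "check_off_pdf": check_upload_extension(pdf, check_file_extensions=False),
        # The combination the thread does not describe (assumed: warn).
        "lenient_pdf": check_upload_extension(pdf, strict_file_extensions=False),
        # Double extension and no extension under the defaults.
        "double_ext": check_upload_extension("shot.png.pdf"),
        "no_ext": check_upload_extension("README"),
        # Full client path as some older browsers submit it.
        "client_path": check_upload_extension("C:\\fakepath\\diagram.gif"),
    }


if __name__ == "__main__":
    for label, verdict in reproduce_report().items():
        print(f"{label:15s} -> {verdict}")
```

The "check_off_pdf" row is the configuration Philippe had left in place: because $wgCheckFileExtensions short-circuits the whole check, setting $wgStrictFileExtensions = true on its own changes nothing, which is exactly the documentation gap Chris says he will clear up.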