Clayton wrote:
>> OOXML formats are zip archives. It is likely the only way to correctly
>> identify them is to extract the files from the zip archive and validate them
>> as being office 2007 format. I think the same method was mentioned for
>> OpenDocument files, except OpenDocument has a validator available.
>>
>> I can't find my previous post on this, but I provided a dirty, dirty hack
>> for allowing OOXML uploads. Like the patch in the bug report, it opens a
>> hole for exploits; but, without validation, I think any fix would open a
>> hole for exploits.
>
> Well, in this case, it's only the one file type... or more accurately
> the one specific file - as we discovered through more testing today. I
> think we've nailed it down to this one file being "broken" somehow.
> While being a valid OXT file (i.e. it can be used in OpenOffice.org), for
> some reason its mime type isn't being correctly identified on the Wiki.
> Other OXT files tested are correctly IDed (as they should be) and can
> be uploaded.
>
> So... I'm thinking the hack isn't needed in this case, and that
> ultimately, this is not a bug in MediaWiki - instead a problem with the
> creation of this one file that a user was trying to upload.
>
> C.
Since OpenDocument files are Zip files, unless you do some extra validation, a Jar could be uploaded disguised as an OD? file. The vulnerability is that a Jar has same-origin permissions over the wiki, and so - linked from an external page viewed by logged-in users - can do all kinds of Bad Things.

_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
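The thread's point is that a zip-based document format can only be identified reliably by looking inside the archive, and that an upload filter which accepts any zip with a `.odt`-style name will also accept a Jar. The validator below is an added example written for this discussion; it is not code from MediaWiki, the thread participants, or the OpenDocument project. It applies the positive checks the ODF package format actually prescribes (a `mimetype` entry first and stored uncompressed, a `META-INF/manifest.xml` whose root entry agrees with it) and additionally rejects Jar hallmarks (a `META-INF/MANIFEST.MF` or any `.class` entry). The set of accepted media types is an assumption standing in for site policy, and the sample archives are constructed in memory so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Tuple

# Assumption: which OpenDocument types a site accepts is local policy.
ALLOWED_ODF_TYPES = {
    "application/vnd.oasis.opendocument.text",
    "application/vnd.oasis.opendocument.spreadsheet",
    "application/vnd.oasis.opendocument.presentation",
    "application/vnd.oasis.opendocument.graphics",
}
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"


def validate_odf_upload(data: bytes) -> Tuple[bool, str]:
    """Return (ok, detail). ok is True only when the bytes form a genuine
    OpenDocument package; detail is the media type or the rejection reason."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a zip archive"

    with zf:
        infos = zf.infolist()
        if not infos:
            return False, "empty archive"
        names = [i.filename for i in infos]

        # Blocklist pass: a Java manifest or class file has no business in an
        # office document, whatever the mimetype entry claims.
        for name in names:
            if name.upper() == "META-INF/MANIFEST.MF" or name.lower().endswith(".class"):
                return False, "jar content present: " + name
            if name.startswith("/") or ".." in name.split("/"):
                return False, "unsafe entry path: " + name

        # Positive pass: ODF requires 'mimetype' to be the first entry and to be
        # stored uncompressed so the type is readable without inflating anything.
        first = infos[0]
        if first.filename != "mimetype" or first.compress_type != zipfile.ZIP_STORED:
            return False, "mimetype entry missing, not first, or compressed"
        declared = zf.read(first).decode("ascii", "replace").strip()
        if declared not in ALLOWED_ODF_TYPES:
            return False, "unexpected media type " + repr(declared)

        # The manifest must exist, parse, and name the same type for the root ("/").
        if "META-INF/manifest.xml" not in names:
            return False, "META-INF/manifest.xml missing"
        try:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
        except ET.ParseError:
            return False, "manifest.xml is not well-formed XML"
        root_type = None
        for entry in root.iter("{%s}file-entry" % MANIFEST_NS):
            if entry.get("{%s}full-path" % MANIFEST_NS) == "/":
                root_type = entry.get("{%s}media-type" % MANIFEST_NS)
        if root_type != declared:
            return False, "manifest media type disagrees with mimetype entry"

    return True, declared


def build_odt(media_type="application/vnd.oasis.opendocument.text", extra=None) -> bytes:
    """Constructed sample: a minimal ODF package, optionally with extra entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), media_type, compress_type=zipfile.ZIP_STORED)
        manifest = (
            '<manifest:manifest xmlns:manifest="%s">'
            '<manifest:file-entry manifest:full-path="/" manifest:media-type="%s"/>'
            '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
            "</manifest:manifest>" % (MANIFEST_NS, media_type)
        )
        zf.writestr("META-INF/manifest.xml", manifest, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("content.xml", "<office:document-content/>", compress_type=zipfile.ZIP_DEFLATED)
        for name, body in (extra or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_fake_jar() -> bytes:
    """Constructed sample: a Jar-shaped zip that a name-based filter would let through."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Applet.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("genuine odt", build_odt()),
                        ("jar renamed .odt", build_fake_jar()),
                        ("odt with class file", build_odt(extra={"Applet.class": b"\xca\xfe\xba\xbe"}))):
        print(label, "->", validate_odf_upload(blob))
```

The blocklist catches the obvious Jar, but the positive checks are what carry the weight: a zip that is a real ODF package and nothing else is accepted, and anything that fails to look like one is rejected regardless of its file name or of what the client-supplied MIME type says.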
