On 24.09.2009 17:55, Alex wrote:
> Peter Velan wrote:
>> On 24.09.2009 12:33, Haim (Howard) Roman wrote:
>>> There are some file types that the Wiki developers considered too
>>> dangerous to allow to upload. So they're not allowed even if you
>>> think you've configured it to "allow everything". I don't know enough
>>> to defend or criticize this decision, but I assume the developers know
>>> what they're doing.
>>
>> Ah, thanks for this insight. So I have to assume that
>> "$wgCheckFileExtensions = false;" means sometimes "false" and the error
>> message is quite misleading:
>>
>> "„.zip“ is not allowed. Allowed extensions: 7z, zip, rar,"
>>                                                 ^^^
>>> This includes Open Office files. I'll bet it includes anything with XML.
>>
>> I have *no* problems to upload ".odt", ".ods", ".odg" etc.
>>
>>> I designated a place covered by an apache server to place such files,
>>> then defined a template to take the file name & convert it to the
>>> appropriate link. That way, if I move the location, I can just update
>>> the template.
>>
>> I'm using the same approach by placing some (mostly the big ones) files
>> to an MW-external place and linking it inside of MW
>
> You'll probably need to override MIME type checking as well.

For testing purposes I switched "$wgVerifyMimeType = false;"

> See
> <http://www.mediawiki.org/wiki/Manual:Mime_type_detection#Forbidden_files>

Thanks! You are right, the array "$wgFileBlacklist" in
"DefaultSettings.php" does explicitly forbid Windows executables, as per ...

| # May contain harmful executables for Windows victims
| 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',
| 'com', 'pif', 'cmd', 'vxd', 'cpl'

But, it seems a little bit paranoid to consider files with names like
"xyz.exe.pdf" as a potential hazard.

> Note that the MIME blacklist exists for security reasons. If untrusted
> users are allowed to upload files, this can open up significant security
> holes.

I would never allow uploads of executables in a publicly accessible wiki.
The wiki where I want to allow uploads of "dangerous" files is a closed
intranet type with predefined users.

Nevertheless, thanks for the reminder and the really appreciated hints.

Peter

_______________________________________________
MediaWiki-l mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
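
The difference between checking only the final extension and checking every dot-separated extension, which is why a name like "xyz.exe.pdf" trips the blacklist quoted in the message above. This is an added example, not MediaWiki's own code and not part of the original message; the function names and sample filenames are hypothetical, and the list holds only the entries quoted in the message.

```php
<?php
// Added illustration, not MediaWiki code. All function names are hypothetical.

// Only the Windows-executable entries quoted from $wgFileBlacklist in the message.
const BLACKLISTED_EXTENSIONS = [
    'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',
    'com', 'pif', 'cmd', 'vxd', 'cpl',
];

/** Return every dot-separated part after the base name, lower-cased. */
function allExtensions(string $filename): array
{
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the base name
    // Ignore empty parts produced by names such as "a..pdf" or "a.pdf."
    return array_values(array_filter($parts, fn($p) => $p !== ''));
}

/** Looser check: look at the final extension only. */
function blockedByLastExtension(string $filename): bool
{
    $exts = allExtensions($filename);
    return $exts !== [] && in_array(end($exts), BLACKLISTED_EXTENSIONS, true);
}

/** Stricter check: return every blacklisted extension found anywhere in the name. */
function blacklistedExtensionsIn(string $filename): array
{
    return array_values(array_intersect(allExtensions($filename), BLACKLISTED_EXTENSIONS));
}

// Constructed sample names, not taken from any real wiki.
$samples = ['report.pdf', 'setup.exe', 'xyz.exe.pdf', 'Notes.BAT.txt', 'archive.tar.gz'];

foreach ($samples as $name) {
    $hits = blacklistedExtensionsIn($name);
    printf(
        "%-16s last-only: %-5s  every-extension: %s\n",
        $name,
        blockedByLastExtension($name) ? 'block' : 'allow',
        $hits ? 'block (' . implode(', ', $hits) . ')' : 'allow'
    );
}
```

Names such as "xyz.exe.pdf" and "Notes.BAT.txt" pass the last-only check and are rejected by the every-extension check.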
