[Pkg-mediawiki-devel] Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Henri Salo henri at nerv.fi
Mon Jul 15 11:00:16 UTC 2013


On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
> Package: mediawiki
> Version: 1:1.19.5-1
> Severity: normal
> Tags: security
> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
> 
> Default allowed extensions for file upload are only:
> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
> 
> Under Firefox & Chrome it's indeed impossible to upload a pdf file under
> those settings.
> But under IE it's possible without warning or error.
> 
> A quick inspection seems to indicate that the file extension is only
> checked on the client side via javascript and IE does not do a proper job.
> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
> array.
> 
> IMHO file extension checks must also be enforced on server side, and, if
> possible, a js workaround should be provided for proper handling in IE.
> Malicious pdfs do exist...
> 
> Best regards
> Phil

Have you notified upstream about this issue?

---
Henri Salo
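The server-side extension allowlist check the report asks for, as an added example that is not MediaWiki's own upload code; the function name `uploadExtensionAllowed` and the sample file names are constructed for illustration:

```php
<?php
// Added example (not MediaWiki code): enforce the $wgFileExtensions allowlist
// on the server, independent of whatever the browser-side JavaScript did.
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );

/**
 * Return true only if the received file name ends in an allowed extension.
 * The decision uses the file name the server received, never the client-sent
 * Content-Type, so a browser that skips the JS check gains nothing.
 */
function uploadExtensionAllowed( $filename, array $allowed ) {
    // Some browsers (older IE among them) send a full client path; keep the base name.
    $base = basename( str_replace( '\\', '/', $filename ) );
    // Trailing dots or spaces are silently dropped by some filesystems; refuse them.
    if ( $base === '' || rtrim( $base, ". " ) !== $base ) {
        return false;
    }
    $pos = strrpos( $base, '.' );
    if ( $pos === false || $pos === 0 ) {
        return false; // no extension at all, or a bare dot-file such as .htaccess
    }
    $ext = strtolower( substr( $base, $pos + 1 ) );
    $allowedLower = array_map( 'strtolower', $allowed );
    return in_array( $ext, $allowedLower, true );
}

// Constructed sample names as they might arrive from different browsers.
$samples = array(
    'diagram.png'               => true,
    'Photo.JPEG'                => true,   // case must not matter
    'report.pdf'                => false,  // the IE case from the bug report
    'C:\\Users\\me\\report.pdf' => false,  // client path prefix, still a pdf
    'report.pdf.'               => false,  // trailing dot trick
    'logo.png.pdf'              => false,  // only the final extension counts
    '.htaccess'                 => false,
);
foreach ( $samples as $name => $expected ) {
    $result = uploadExtensionAllowed( $name, $wgFileExtensions );
    printf( "%-28s %s\n", $name, $result ? 'accepted' : 'rejected' );
    assert( $result === $expected );
}
```

Running the script prints one accepted/rejected line per sample; the assertions confirm that every pdf variant is refused regardless of what the client claimed.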