[Pkg-mediawiki-devel] Bug#716957: Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Alex Monk krenair at gmail.com
Mon Jul 15 16:00:40 UTC 2013


CCing security at wikimedia.org

On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <phil at teuwen.org> wrote:

> On 07/15/2013 01:00 PM, Henri Salo wrote:
> > On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
> >> Package: mediawiki
> >> Version: 1:1.19.5-1
> >> Severity: normal
> >> Tags: security
> >> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
> >>
> >> Default allowed extensions for file upload are only:
> >> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
> >>
> >> Under Firefox & Chrome it's indeed impossible to upload a pdf file under
> >> those settings.
> >> But under IE it's possible without warning or error.
> >>
> >> A quick inspection seems to indicate that the file extension is only
> >> checked on the client side via javascript and IE does not do a proper
> >> job.
> >> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
> >> array.
> >>
> >> IMHO file extension checks must also be enforced on server side, and, if
> >> possible, a js workaround should be provided for proper handling in IE.
> >> Malicious pdfs do exist...
> >>
> >> Best regards
> >> Phil
> >
> > Have you notified upstream about this issue?
> >
> > ---
> > Henri Salo
>
> No
> Phil
>
> _______________________________________________
> Pkg-mediawiki-devel mailing list
> Pkg-mediawiki-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel
>
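As an added illustration of the server-side enforcement the report asks for (example code written here, not MediaWiki's own upload code and not part of this thread): a validator that applies the quoted $wgFileExtensions allowlist on the server, independent of anything the browser's JavaScript did, and additionally checks the file's leading bytes so that a PDF sent by a browser that skipped the client-side check, or renamed to .png, is rejected either way. The magic-byte table, the function name and the sample inputs are constructed for this example.

```python
# Added example (not MediaWiki code): server-side upload validation that does
# not trust the browser. Uses the default $wgFileExtensions allowlist quoted in
# the bug report and adds magic-byte checks so the content must agree with the
# claimed extension.
import os

# Same defaults as in the report: $wgFileExtensions = array('png','gif','jpg','jpeg')
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Leading bytes expected for each allowed type (table constructed for this example).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Runs on the server for every upload,
    regardless of whether client-side JavaScript already filtered the file."""
    base = os.path.basename(filename)
    if "." not in base:
        return False, "no extension"
    # Judge by the last extension only; 'report.pdf.png' is then still
    # checked against the PNG signature below.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' not in allowlist" % ext
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not look like %s" % ext
    return True, "ok"


def run_samples() -> dict:
    """Constructed uploads: a PDF under its own name, a PDF renamed to .png,
    and a genuine PNG header. Returns the verdict for each."""
    pdf_bytes = b"%PDF-1.4\n%constructed sample\n"
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = {
        "doc.pdf": pdf_bytes,          # blocked by the allowlist
        "doc.png": pdf_bytes,          # blocked by the signature check
        "photo.PNG": png_bytes,        # accepted (case-insensitive extension)
    }
    return {name: validate_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print("%-10s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

The point of the second check is that an extension allowlist alone is satisfied by renaming the file; comparing the first bytes against the signature for the claimed type catches that, and both checks run on the server where the browser cannot bypass them.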
