[Pkg-mediawiki-devel] Bug#716957: Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Chris Steipp csteipp at wikimedia.org
Mon Jul 15 17:54:53 UTC 2013


Hi, I'm working on reproducing this.

The file extension is checked in UploadBase::getTitle(). If
$wgCheckFileExtensions and $wgStrictFileExtensions are both true
(which by default they are), then the file should be rejected during
the upload process. If that check is being bypassed, then we have a
serious issue we need to get patched asap.

Are both $wgCheckFileExtensions and $wgStrictFileExtensions set to
true on the system where you're seeing this behavior? Also, are you
using UploadWizard, or another extension to trigger this, or the
standard Special:Upload page?

On Mon, Jul 15, 2013 at 9:00 AM, Alex Monk <krenair at gmail.com> wrote:
> CCing security at wikimedia.org
>
> On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <phil at teuwen.org> wrote:
>>
>> On 07/15/2013 01:00 PM, Henri Salo wrote:
>> > On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>> >> Package: mediawiki
>> >> Version: 1:1.19.5-1
>> >> Severity: normal
>> >> Tags: security
>> >> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>> >>
>> >> Default allowed extensions for file upload are only:
>> >> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>> >>
>> >> Under Firefox & Chrome it's indeed impossible to upload a pdf file
>> >> under those settings.
>> >> But under IE it's possible without warning or error.
>> >>
>> >> A quick inspection seems to indicate that the file extension is only
>> >> checked on the client side via javascript and IE does not do a proper
>> >> job.
>> >> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>> >> array.
>> >>
>> >> IMHO file extension checks must also be enforced on server side, and,
>> >> if possible, a js workaround should be provided for proper handling in IE.
>> >> Malicious pdfs do exist...
>> >>
>> >> Best regards
>> >> Phil
>> >
>> > Have you notified upstream about this issue?
>> >
>> > ---
>> > Henri Salo
>>
>> No
>> Phil
>>
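As an added, stand-alone illustration (not code from MediaWiki or from anyone in this thread) of the server-side check the bug report asks for: a PHP allow-list check whose logic mirrors the meaning of $wgFileExtensions, $wgCheckFileExtensions and $wgStrictFileExtensions as described above, plus MediaWiki's $wgFileBlacklist deny-list (a real setting not mentioned in the thread, filled here with constructed values). It inspects every extension in the filename, case-insensitively, so whatever the browser's JavaScript did or did not check is irrelevant.

```php
<?php
// Added illustration, not MediaWiki's own code. Real MediaWiki performs its
// check in UploadBase::getTitle(); this sketch only models the settings'
// meaning so the server-side decision can be read in isolation.

// Constructed configuration using the default allow-list from the thread.
$config = [
    'wgFileExtensions'       => ['png', 'gif', 'jpg', 'jpeg'],
    'wgFileBlacklist'        => ['html', 'htm', 'js', 'php', 'phtml', 'exe'], // constructed subset
    'wgCheckFileExtensions'  => true,
    'wgStrictFileExtensions' => true,
];

/**
 * Decide on the server whether a filename may be uploaded.
 * Every extension in the name is examined (a.b.c yields 'b' and 'c'),
 * lower-cased first so 'Report.PDF' is treated like 'report.pdf'.
 */
function isAllowedUpload(string $filename, array $config): bool
{
    if (!$config['wgCheckFileExtensions']) {
        return true; // operator disabled extension checks entirely
    }
    $parts = explode('.', strtolower($filename));
    if (count($parts) < 2) {
        return false; // no extension at all: reject rather than guess
    }
    $extensions = array_slice($parts, 1);
    $allowed = array_map('strtolower', $config['wgFileExtensions']);
    $blocked = array_map('strtolower', $config['wgFileBlacklist']);

    // The deny-list applies to every extension, regardless of strict mode.
    foreach ($extensions as $ext) {
        if (in_array($ext, $blocked, true)) {
            return false;
        }
    }
    if ($config['wgStrictFileExtensions']) {
        // Strict mode: the final extension must be on the allow-list.
        return in_array(end($extensions), $allowed, true);
    }
    return true; // non-strict: anything not deny-listed is accepted
}

// Constructed sample filenames as the server would receive them.
foreach (['photo.jpg', 'Scan.JPEG', 'report.pdf', 'report.PDF', 'page.php.jpg', 'noext'] as $name) {
    printf("%-14s %s\n", $name, isAllowedUpload($name, $config) ? 'accept' : 'reject');
}
```

With the default settings only the two image names are accepted; both pdf spellings are rejected on the server no matter which browser submitted them.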
