[Pkg-mediawiki-devel] Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Philippe Teuwen phil at teuwen.org
Tue Jul 16 07:05:18 UTC 2013 

Hello,

Actually now I see I had $wgCheckFileExtensions = false; left on the
config file.
I was abused by the fact that under Firefox & Chrome, pdf upload was
properly banned and documentation of
https://www.mediawiki.org/wiki/Manual:$wgCheckFileExtensions and
https://www.mediawiki.org/wiki/Manual:$wgStrictFileExtensions
seem to indicate that $wgStrictFileExtensions was enough to enforce the
check.

So what is the supposed behavior of
$wgCheckFileExtensions = false;
$wgStrictFileExtensions = true;
??

Here are the relevant parts of LocalSettings.php
I'm using the regular Special:Upload page

$wgEnableUploads  = true;
$wgCheckFileExtensions = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;


On 07/15/2013 07:54 PM, Chris Steipp wrote:
> Hi, I'm working on reproducing this.
>
> The file extension is checked in UploadBase::getTitle(). If
> $wgCheckFileExtensions and $wgStrictFileExtensions are both true
> (which by default they are), then the file should be rejected during
> the upload process. If that check is being bypassed, then we have a
> serious issue we need to get patched asap.
>
> Are both $wgCheckFileExtensions and $wgStrictFileExtensions set to
> true on the system where you're seeing this behavior? Also, are you
> using UploadWizard, or another extension to trigger this, or the
> standard Special:Upload page?
>
> On Mon, Jul 15, 2013 at 9:00 AM, Alex Monk <krenair at gmail.com> wrote:
>> CCing security at wikimedia.org
>>
>> On Mon, Jul 15, 2013 at 1:27 PM, Philippe Teuwen <phil at teuwen.org> wrote:
>>> On 07/15/2013 01:00 PM, Henri Salo wrote:
>>>> On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>>>>> Package: mediawiki
>>>>> Version: 1:1.19.5-1
>>>>> Severity: normal
>>>>> Tags: security
>>>>> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>>>>>
>>>>> Default allowed extensions for file upload are only:
>>>>> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>>>>>
>>>>> Under Firefox & Chrome it's indeed impossible to upload a pdf file
>>>>> under
>>>>> those settings.
>>>>> But under IE it's possible without warning or error.
>>>>>
>>>>> A quick inspection seems to indicate that the file extension is only
>>>>> checked on the client side via javascript and IE does not do a proper
>>> job.
>>>>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>>>>> array.
>>>>>
>>>>> IMHO file extension checks must also be enforced on server side, and,
>>>>> if
>>>>> possible, a js workaround should be provided for proper handling in IE.
>>>>> Malicious pdfs do exist...
>>>>>
>>>>> Best regards
>>>>> Phil
>>>> Have you notified upstream about this issue?
>>>>
>>>> ---
>>>> Henri Salo
>>> No
>>> Phil
>>>
>>> _______________________________________________
>>> Pkg-mediawiki-devel mailing list
>>> Pkg-mediawiki-devel at lists.alioth.debian.org
>>>
>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-devel
>>

More information about the Pkg-mediawiki-devel mailing list