[Pkg-mediawiki-devel] Bug#716957: Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Philippe Teuwen phil at teuwen.org
Tue Jul 16 09:46:58 UTC 2013


On 07/16/2013 10:26 AM, Thorsten Glaser wrote:
> On Mon, 15 Jul 2013, Philippe Teuwen wrote:
>
>> A quick inspection seems to indicate that the file extension is only
>> checked on the client side via javascript and IE does not do a proper job.
> File extensions are a joke, really.
>
>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>> array.
> In that case I’d say this is not a bug, right? ;-)

There are inconsistencies that can lead to an overlooked security issue
in some setups, call it as you want.
Now the good news is that the behavior is not showing up with the
default settings.
For me, answers to those questions are still quite fuzzy:
* $wgCheckFileExtensions = false and $wgStrictFileExtensions = true then
pdf upload is working from IE but not from Chrome or Firefox, that's
just fact
* why pdf is by default not in $wgFileExtensions but present in
$wgTrustedMediaFormats?
* Is it wise to let by default "application/pdf" in the
$wgTrustedMediaFormats list?
* documentation is quite confusing between $wgCheckFileExtensions and
$wgStrictFileExtensions
https://www.mediawiki.org/wiki/Manual:$wgCheckFileExtensions indicates
$wgStrictFileExtensions is more reliable, $wgStrictFileExtensions says
If set to true, users will only be able to upload files with proper
extensions (see $wgFileExtensions) but in reality $wgCheckFileExtensions
= false and $wgStrictFileExtensions = true is just insecure.

Best regards
Phil
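
An added example, not part of the original message and not MediaWiki code: a small audit that flags the setting combination reported above in a LocalSettings.php. It assumes simple literal true/false assignments and that both settings default to true when unset; the function names and sample configurations are constructed for illustration.

```python
import re

# Assumption: both settings default to true when LocalSettings.php does not set them.
DEFAULTS = {"wgCheckFileExtensions": True, "wgStrictFileExtensions": True}

# Matches only simple literal assignments at the start of a line, so lines
# commented out with '#' or '//' are ignored. PHP variable names are
# case-sensitive; the boolean literals are not.
ASSIGN = re.compile(
    r"^\s*\$(wgCheckFileExtensions|wgStrictFileExtensions)\s*=\s*((?i:true|false))\s*;"
)


def effective_settings(php_text):
    """Return the effective value of both settings (last assignment wins)."""
    settings = dict(DEFAULTS)
    for line in php_text.splitlines():
        match = ASSIGN.match(line)
        if match:
            settings[match.group(1)] = match.group(2).lower() == "true"
    return settings


def audit(php_text):
    """Return findings for the combination reported in the message."""
    s = effective_settings(php_text)
    findings = []
    if s["wgStrictFileExtensions"] and not s["wgCheckFileExtensions"]:
        findings.append(
            "wgStrictFileExtensions is true but wgCheckFileExtensions is false: "
            "the message reports PDF uploads still succeeding from IE with this combination"
        )
    return findings


# Constructed sample configurations (not taken from a real wiki).
REPORTED = "$wgEnableUploads = true;\n$wgCheckFileExtensions = false;\n$wgStrictFileExtensions = true;\n"
COMMENTED = "# $wgCheckFileExtensions = false;\n$wgStrictFileExtensions = TRUE;\n"
OVERRIDDEN = "$wgCheckFileExtensions = false;\n$wgCheckFileExtensions = true;\n"

if __name__ == "__main__":
    for name, text in [("reported", REPORTED), ("commented", COMMENTED), ("overridden", OVERRIDDEN)]:
        print(name, audit(text) or "ok")
```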
