[Pkg-mediawiki-devel] Bug#716957: Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings
phil at teuwen.org
Tue Jul 16 09:46:58 UTC 2013
On 07/16/2013 10:26 AM, Thorsten Glaser wrote:
> On Mon, 15 Jul 2013, Philippe Teuwen wrote:
>> A quick inspection seems to indicate that the file extension is only
> File extensions are a joke, really.
>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
> In that case I’d say this is not a bug, right? ;-)
There are inconsistencies that can lead to an overlooked security issue
in some setups, call it as you want.
Now the good news is that the behavior is not showing up with the
For me, answers ti those questions are still quite fuzzy:
* $wgCheckFileExtensions = false and $wgStrictFileExtensions = true then
pdf upload is working from IE but not from Chrome or Firefox, that's
* why pdf is by default not in $wgFileExtensions but present in
* Is is wise to let by default "application/pdf" in the
* documentation is quite confusing between $wgCheckFileExtensions and
$wgStrictFileExtensions is more reliable, $wgStrictFileExtensions says
If set to true, users will only be able to upload files with proper
extensions (see $wgFileExtensions) but in reality $wgCheckFileExtensions
= false and $wgStrictFileExtensions = true is just unsecure.
More information about the Pkg-mediawiki-devel