[Pkg-mediawiki-devel] Bug#716957: Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Thorsten Glaser t.glaser at tarent.de
Tue Jul 16 11:14:43 UTC 2013

On Tue, 16 Jul 2013, Philippe Teuwen wrote:

> There are inconsistencies that can lead to an overlooked security issue
> in some setups, call it as you want.


> Now the good news is that the behavior is not showing up with the
> default settings.


> For me, answers ti those questions are still quite fuzzy:
> * $wgCheckFileExtensions = false and $wgStrictFileExtensions = true then
> pdf upload is working from IE but not from Chrome or Firefox, that's

That’s inconsistent, but also an inconsistent setup.
Maybe something like this:

if ($wgStrictFileExtensions)
	$wgCheckFileExtensions = true;

> * why pdf is by default not in $wgFileExtensions but present in
> $wgTrustedMediaFormats?

Let’s delegate these two to upstream ☺

> * Is is wise to let by default "application/pdf" in the
> $wgTrustedMediaFormats list?


tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke

More information about the Pkg-mediawiki-devel mailing list