[Pkg-mediawiki-devel] Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Philippe Teuwen phil at teuwen.org
Mon Jul 15 09:41:16 UTC 2013


Package: mediawiki
Version: 1:1.19.5-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

Default allowed extensions for file upload are only:
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );

Under Firefox & Chrome it's indeed impossible to upload a pdf file under
those settings.
But under IE it's possible without warning or error.

A quick inspection seems to indicate that the file extension is only
checked on the client side via JavaScript and IE does not do a proper job.
Note that "application/pdf" is by default in the $wgTrustedMediaFormats
array.

IMHO file extension checks must also be enforced on server side, and, if
possible, a js workaround should be provided for proper handling in IE.
Malicious pdfs do exist...

Best regards
Phil
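The report's point is that a browser-side JavaScript filter is not a security control, because a client that skips or mishandles it (IE here) gets the file through. Below is an added example of the server-side check the report asks for; it is illustrative code, not MediaWiki's own upload code. It reuses the default $wgFileExtensions value quoted above; the function names, the magic-byte table and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example (not MediaWiki code): enforce the upload allow-list on the
// server, independently of whatever the browser's JavaScript did or did not do.

// Default from the report.
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );

// Leading bytes expected for each allowed extension (constructed table for
// the example; a real deployment would use a proper content sniffer).
$magicBytes = array(
    'png'  => "\x89PNG\r\n\x1a\n",
    'gif'  => "GIF8",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
);

// Return the lower-cased extension of a file name, or null when it has none.
function uploadExtension( $filename ) {
    $dot = strrpos( $filename, '.' );
    if ( $dot === false || $dot === strlen( $filename ) - 1 ) {
        return null;
    }
    return strtolower( substr( $filename, $dot + 1 ) );
}

// Server-side decision: the extension must be on the allow-list AND the file
// content must start with the signature expected for that extension, so a
// renamed file is rejected as well as a file with a disallowed extension.
function isUploadAllowed( $filename, $contentBytes, array $allowed, array $magic ) {
    $ext = uploadExtension( $filename );
    if ( $ext === null || !in_array( $ext, $allowed, true ) ) {
        return false;   // no extension, or extension not on the allow-list
    }
    if ( !isset( $magic[$ext] ) ) {
        return false;   // allowed extension without a known signature: fail closed
    }
    $sig = $magic[$ext];
    return strncmp( $contentBytes, $sig, strlen( $sig ) ) === 0;
}

// Constructed inputs: a PNG header, and PDF bytes under two different names.
$pngBytes = "\x89PNG\r\n\x1a\n" . str_repeat( "\0", 16 );
$pdfBytes = "%PDF-1.4\n";

$cases = array(
    'photo.png'  => $pngBytes,   // allowed extension, matching content
    'report.pdf' => $pdfBytes,   // extension not on the allow-list
    'report.png' => $pdfBytes,   // allowed extension, but content is not PNG
);
foreach ( $cases as $name => $bytes ) {
    $verdict = isUploadAllowed( $name, $bytes, $wgFileExtensions, $magicBytes ) ? 'accept' : 'reject';
    echo "$name: $verdict\n";
}
```

The check runs on the bytes the server actually received, so it does not matter which browser sent them or whether any client-side script ran; the JavaScript filter can stay as a usability aid, but the server decision is the one that counts.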
