[Pkg-mediawiki-devel] Bug#716957: [mediawiki] Upload of pdf files via IE still possible under default settings

Philippe Teuwen phil at teuwen.org
Mon Jul 15 12:27:47 UTC 2013


On 07/15/2013 01:00 PM, Henri Salo wrote:
> On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>> Package: mediawiki
>> Version: 1:1.19.5-1
>> Severity: normal
>> Tags: security
>> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>>
>> Default allowed extensions for file upload are only:
>> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>>
>> Under Firefox & Chrome it's indeed impossible to upload a pdf file under
>> those settings.
>> But under IE it's possible without warning or error.
>>
>> A quick inspection seems to indicate that the file extension is only
>> checked on the client side via javascript and IE does not do a proper
>> job.
>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>> array.
>>
>> IMHO file extension checks must also be enforced on server side, and, if
>> possible, a js workaround should be provided for proper handling in IE.
>> Malicious pdfs do exist...
>>
>> Best regards
>> Phil
>
> Have you notified upstream about this issue?
>
> ---
> Henri Salo

No
Phil
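The server-side check the report asks for, shown as an added example that is neither MediaWiki's own upload code nor part of this thread: it re-uses the `$wgFileExtensions` default quoted above and assumes a hypothetical helper `isAcceptableUpload()` plus a constructed magic-byte table, so an extension that the browser failed to filter is still rejected on the server.

```php
<?php
// Added example, not MediaWiki's own code: a server-side allowlist check for
// uploaded file names, mirroring the $wgFileExtensions default from the report.
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );

// Leading bytes expected for each allowed type (constructed table, not from MediaWiki).
$magicBytes = array(
    'png'  => "\x89PNG\r\n\x1a\n",
    'gif'  => "GIF8",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
);

/**
 * Hypothetical helper: return true only if the client-supplied name carries an
 * allow-listed extension AND the first bytes of the file match that type.
 * It runs on the server, so it holds no matter what the browser's JavaScript
 * did or did not check.
 */
function isAcceptableUpload( $clientName, $tmpPath, array $allowed, array $magic ) {
    // Keep only the basename: the client controls the whole filename string.
    $name = basename( str_replace( '\\', '/', $clientName ) );
    // Last extension only, lower-cased, so "REPORT.PDF" and "report.pdf" behave the same.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( $ext === '' || !in_array( $ext, $allowed, true ) || !isset( $magic[$ext] ) ) {
        return false;   // a .pdf name never gets past this point
    }
    // An allowed extension is not proof of content: compare the file header too.
    $prefix = $magic[$ext];
    $head = file_get_contents( $tmpPath, false, null, 0, strlen( $prefix ) );
    return $head !== false && strncmp( $head, $prefix, strlen( $prefix ) ) === 0;
}

// Constructed sample files for the demonstration.
$tmp = sys_get_temp_dir();
file_put_contents( "$tmp/good.png", "\x89PNG\r\n\x1a\n" . str_repeat( "\0", 16 ) );
file_put_contents( "$tmp/fake.png", "%PDF-1.4\n" );   // PDF bytes stored under a png name

var_dump( isAcceptableUpload( 'photo.png', "$tmp/good.png", $wgFileExtensions, $magicBytes ) );
var_dump( isAcceptableUpload( 'doc.pdf',   "$tmp/good.png", $wgFileExtensions, $magicBytes ) );
var_dump( isAcceptableUpload( 'doc.png',   "$tmp/fake.png", $wgFileExtensions, $magicBytes ) );
```

Only the first call passes: the second fails on the extension allowlist, the third on the header check.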


