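--- a/trunk/phase3/RELEASE-NOTES-1.19
+++ b/trunk/phase3/RELEASE-NOTES-1.19
@@ -91,6 +91,8 @@
 * (bug 8859) Database::update should take array of tables too
 * (bug 19698) Inverse selection for Special:Contributions
 * (bug 24037) Add byte length of revision to Special:Contributions
+* (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files
+ containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
 
 === Bug fixes in 1.19 ===
 * $wgUploadNavigationUrl should be used for file redlinks if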
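--- a/trunk/phase3/includes/upload/UploadBase.php
+++ b/trunk/phase3/includes/upload/UploadBase.php
@@ -357,7 +357,7 @@
 * @return mixed true of the file is verified, array otherwise.
 */
 protected function verifyFile() {
- global $wgAllowJavaUploads;
+ global $wgAllowJavaUploads, $wgDisableUploadScriptChecks;
 # get the title, even though we are doing nothing with it, because
 # we need to populate mFinalExtension
 $this->getTitle();
@@ -372,13 +372,15 @@
 }
 
 # check for htmlish code and javascript
- if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
- return array( 'uploadscripted' );
- }
- if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
- if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+ if ( !$wgDisableUploadScriptChecks ) {
+ if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
 return array( 'uploadscripted' );
 }
+ if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
+ if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+ return array( 'uploadscripted' );
+ }
+ }
 }
 
 # Check for Java applets, which if uploaded can bypass cross-site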
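Review bot: The new `if ( !$wgDisableUploadScriptChecks )` guard at new line 376 skips detectScript() and detectScriptInSvg() silently, so a file that was accepted without any script scanning leaves no trace for whoever later investigates an upload; an `else` branch with `wfDebug( __METHOD__ . ": upload script checks disabled by \$wgDisableUploadScriptChecks\n" );` would make the bypass visible in the debug log. The SVG test the guard now wraps at new line 380 keeps the loose `==`; `===` is the safer comparison for a string extension and MIME type. Spacing is also inconsistent within the hunk: the new guard is written `if (` while the lines it encloses keep `if(`. The verifyFile() docblock in the first hunk should mention that this global bypasses the HTML/JS and SVG script checks, and its `@return mixed true of the file is verified` reads as a typo for "true if". The body of verifyFile() continues outside both hunks.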
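--- a/trunk/phase3/includes/DefaultSettings.php
+++ b/trunk/phase3/includes/DefaultSettings.php
@@ -557,6 +557,13 @@
 */
 $wgStrictFileExtensions = true;
 
+/**
+ * Setting this to true will disable the upload system's checks for HTML/JavaScript.
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
+ * TO RESTRICT UPLOADING to only those that you trust
+ */
+$wgDisableUploadScriptChecks = false;
+
 /** Warn if uploaded files are larger than this (in bytes), or false to disable*/
 $wgUploadSizeWarning = false;
 
@@ -2960,7 +2967,7 @@
 $wgDebugTidy = false;
 
 /** Allow raw, unchecked HTML in <html>...</html> sections.
- * THIS IS VERY DANGEROUS on a publically editable site, so USE wgGroupPermissions
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
 * TO RESTRICT EDITING to only those that you trust
 */
 $wgRawHtml = false;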
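Review bot: The docblock added for `$wgDisableUploadScriptChecks` at new lines 561–565 does not say which checks the flag turns off; the UploadBase hunk in this commit gates both `UploadBase::detectScript()` and `detectScriptInSvg()` in verifyFile(), so the comment should name both (the SVG check in particular is not implied by "checks for HTML/JavaScript"). It also refers to `wgGroupPermissions` without the `$` sigil, copied from the `$wgRawHtml` comment touched in the second hunk, which carries the same omission; both would read better as `$wgGroupPermissions`. A one-line reason for the warning — that a file passed through these checks is served from the wiki and may be interpreted as HTML or script — is worth adding, as the setting will otherwise be read as a convenience switch.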