r103772 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r103771‎ \| r103772 \| r103773 >
Date:	18:57, 20 November 2011
Author:	catrope
Status:	ok
Tags:
Comment:	(bug 1672) Add $wgDisableUploadScriptChecks to allow disabling of the HTML/JS detection for uploads. Patch by Emufarmers
Modified paths:	/trunk/phase3/RELEASE-NOTES-1.19 (modified) (history) /trunk/phase3/includes/DefaultSettings.php (modified) (history) /trunk/phase3/includes/upload/UploadBase.php (modified) (history)

Diff [purge]

Index: trunk/phase3/RELEASE-NOTES-1.19
—	—	@@ -91,6 +91,8 @@
92	92	* (bug 8859) Database::update should take array of tables too
93	93	* (bug 19698) Inverse selection for Special:Contributions
94	94	* (bug 24037) Add byte length of revision to Special:Contributions
	95	+* (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files
	96	+ containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
95	97
96	98	=== Bug fixes in 1.19 ===
97	99	* $wgUploadNavigationUrl should be used for file redlinks if
Index: trunk/phase3/includes/upload/UploadBase.php
—	—	@@ -357,7 +357,7 @@
358	358	* @return mixed true of the file is verified, array otherwise.
359	359	*/
360	360	protected function verifyFile() {
361		~~- global $wgAllowJavaUploads;~~
	361	+ global $wgAllowJavaUploads, $wgDisableUploadScriptChecks;
362	362	# get the title, even though we are doing nothing with it, because
363	363	# we need to populate mFinalExtension
364	364	$this->getTitle();
—	—	@@ -372,13 +372,15 @@
373	373	}
374	374
375	375	# check for htmlish code and javascript
376		~~- if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {~~
377		~~- return array( 'uploadscripted' );~~
378		~~- }~~
379		~~- if( $this->mFinalExtension == 'svg' \|\| $mime == 'image/svg+xml' ) {~~
380		~~- if( $this->detectScriptInSvg( $this->mTempPath ) ) {~~
	376	+ if ( !$wgDisableUploadScriptChecks ) {
	377	+ if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
381	378	return array( 'uploadscripted' );
382	379	}
	380	+ if( $this->mFinalExtension == 'svg' \|\| $mime == 'image/svg+xml' ) {
	381	+ if( $this->detectScriptInSvg( $this->mTempPath ) ) {
	382	+ return array( 'uploadscripted' );
	383	+ }
	384	+ }
383	385	}
384	386
385	387	# Check for Java applets, which if uploaded can bypass cross-site
Index: trunk/phase3/includes/DefaultSettings.php
—	—	@@ -557,6 +557,13 @@
558	558	*/
559	559	$wgStrictFileExtensions = true;
560	560
	561	+/**
	562	+ * Setting this to true will disable the upload system's checks for HTML/JavaScript.
	563	+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
	564	+ * TO RESTRICT UPLOADING to only those that you trust
	565	+ */
	566	+$wgDisableUploadScriptChecks = false;
	567	+
561	568	/** Warn if uploaded files are larger than this (in bytes), or false to disable*/
562	569	$wgUploadSizeWarning = false;
563	570
—	—	@@ -2960,7 +2967,7 @@
2961	2968	$wgDebugTidy = false;
2962	2969
2963	2970	/** Allow raw, unchecked HTML in <html>...</html> sections.
2964		~~- * THIS IS VERY DANGEROUS on a publically editable site, so USE wgGroupPermissions~~
	2971	+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
2965	2972	* TO RESTRICT EDITING to only those that you trust
2966	2973	*/
2967	2974	$wgRawHtml = false;

Status & tagging log

00:35, 23 November 2011 Brion VIBBER (talk | contribs) changed the status of r103772 [removed: new added: ok]