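--- a/trunk/phase3/includes/DefaultSettings.php
+++ b/trunk/phase3/includes/DefaultSettings.php
@@ -502,6 +502,10 @@
 /**
  * This is the list of preferred extensions for uploading files. Uploading files
  * with extensions not in this list will trigger a warning.
+ *
+ * WARNING: If you add any OpenDocument file formats here, such as odt, ods or
+ * odp, and untrusted users are allowed to upload files, then your wiki will be
+ * vulnerable to cross-site request forgery (CSRF).
  */
 $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
 
@@ -539,12 +543,18 @@
 	'application/x-opc+zip',
 );
 
-/** This is a flag to determine whether or not to check file extensions on upload. */
+/**
+ * This is a flag to determine whether or not to check file extensions on upload.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
+ */
 $wgCheckFileExtensions = true;
 
 /**
  * If this is turned off, users may override the warning for files not covered
  * by $wgFileExtensions.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
  */
 $wgStrictFileExtensions = true;
 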
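Review bot: The two new warnings on `$wgCheckFileExtensions` and `$wgStrictFileExtensions` in the second hunk say "insecure" without naming the consequence, and the CSRF warning on `$wgFileExtensions` in the first hunk does not say that it depends on those two flags. By the comments' own wording, `$wgCheckFileExtensions = false` skips the extension check entirely and `$wgStrictFileExtensions = false` lets uploaders override the warning for extensions outside `$wgFileExtensions`, so with either off the allowlist no longer bounds what untrusted users can upload, including the OpenDocument types the first hunk calls out as a CSRF vector. I would spell that out, e.g. on `$wgStrictFileExtensions`: ` * WARNING: setting this to false lets any uploader bypass $wgFileExtensions, so it is insecure for public wikis; see the CSRF note on $wgFileExtensions.` and on `$wgFileExtensions`: ` * This list is only enforced while $wgCheckFileExtensions and $wgStrictFileExtensions are both true.` The upload enforcement code is not in this diff, so whether those two flags are the only way the allowlist is relaxed should be confirmed against the upload path before the comment asserts it; if an advisory or bug number exists for the OpenDocument CSRF issue, the first warning should cite it so administrators can judge the risk.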