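--- a/trunk/phase3/includes/DefaultSettings.php
+++ b/trunk/phase3/includes/DefaultSettings.php
@@ -551,9 +551,16 @@
 # A ZIP file may be a valid Java archive containing an applet which exploits the
 # same-origin policy to steal cookies
 'application/zip',
+
 # MS Office OpenXML and other Open Package Conventions files are zip files
-# and thus blacklisted just as other zip files
+# and thus blacklisted just as other zip files. If you remove these entries
+# from the blacklist in your local configuration, a malicious file upload
+# will be able to compromise the wiki's user accounts, and the user
+# accounts of any other website in the same cookie domain.
 'application/x-opc+zip',
+'application/msword',
+'application/vnd.ms-powerpoint',
+'application/vnd.msexcel',
 );
 
 /**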
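Review bot: The new entry `'application/vnd.msexcel',` is spelled differently from the IANA-registered `application/vnd.ms-excel`, and a blacklist entry only protects anything if it matches the exact string the wiki's MIME detector reports for .xls/.xlsx uploads; that detector is not visible here, so confirm which form it emits and list both if it can emit either. The expanded comment explains the OPC entry but gives no reason for `application/msword` and `application/vnd.ms-powerpoint`, which are legacy binary formats rather than zip containers, so a reader trimming the list has no way to judge them; add a one-line comment stating why these legacy types sit next to the zip-based ones (presumably because the detector can report OOXML uploads under them, but confirm before writing that). The enclosing array begins before the hunk; only its tail is visible.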