r81376 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r81376 (previous: r81375, next: r81377)
Date: 05:35, 2 February 2011
Author: tstarling
Status: ok
Tags:
Comment:
Blacklist ZIP subtypes added in r68873, to avoid GIFAR.
Modified paths:
  • /trunk/phase3/includes/DefaultSettings.php (modified) (history)

Diff

Index: trunk/phase3/includes/DefaultSettings.php
@@ -551,9 +551,16 @@
552552 # A ZIP file may be a valid Java archive containing an applet which exploits the
553553 # same-origin policy to steal cookies
554554 'application/zip',
 555+
555556 # MS Office OpenXML and other Open Package Conventions files are zip files
556 - # and thus blacklisted just as other zip files
 557+ # and thus blacklisted just as other zip files. If you remove these entries
 558+ # from the blacklist in your local configuration, a malicious file upload
 559+ # will be able to compromise the wiki's user accounts, and the user
 560+ # accounts of any other website in the same cookie domain.
557561 'application/x-opc+zip',
 562+ 'application/msword',
 563+ 'application/vnd.ms-powerpoint',
 564+ 'application/vnd.msexcel',
558565 );
559566
560567 /**
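Review bot: the new entry 'application/vnd.msexcel' at the bottom of the block is not the registered type for Excel files (that is 'application/vnd.ms-excel'), so please confirm it is byte-for-byte the string that the r68873 ZIP-subtype detection reports for these files; the blacklist is matched by exact string, and an entry that never matches blocks nothing while the comment just above promises that these files are blocked. The same check applies to 'application/msword' and 'application/vnd.ms-powerpoint', and the comment would be clearer if it said that these three are the types the r68873 detection assigns to MS Office 2003 style files saved by newer Office versions, rather than describing them only as "OpenXML and other Open Package Conventions files"; pointing to the detection code, or keeping both lists derived from one shared set of constants, would stop the two from drifting apart.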

Follow-up revisions

Revision | Commit summary | Author | Date
r81413 | 1.17: MFT r78395, r79968, r81311, r81313, r81349, r81352, r81376, r81389, r81... | catrope | 20:45, 2 February 2011

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r68873 | (bug 24073) Recognize MS Office 2003 style files that have been saved by MS 2... | hartman | 12:11, 2 July 2010
