Last modified: 2013-07-16 23:00:49 UTC
Reported on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716957 Default allowed extensions for file upload are only: $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' ); Under Firefox & Chrome it's indeed impossible to upload a pdf file under those settings. But under IE it's possible without warning or error. A quick inspection seems to indicate that the file extension is only checked on the client side via javascript and IE does not do a proper job. Note that "application/pdf" is by default in the $wgTrustedMediaFormats array. IMHO file extension checks must also be enforced on server side, and, if possible, a js workaround should be provided for proper handling in IE. Malicious pdfs do exist... I did some cursory checking of the 1.19 codebase and it does seem like this is not checked server-side.
Just tested a debian installation with uploads enabled and javascript off and got ".pdf" is not a permitted file type. Permitted file types are png, gif, jpg, jpeg. But maybe IE is sending the file name in a way that confuses mediawiki?
Even renaming my sample pdf to .jpg and re-uploading shows it failing. WORKSFORME?
I haven't been able to duplicate or confirm the issue, but it would be a very serious issue if that is happening. The debian reporter is going to send me his LocalSettings tomorrow. In the meantime, if anyone is able to reproduce this, please report details. In general: * Checking to ensure the file extension is allowed is done in UploadBase::getTitle() if $wgCheckFileExtensions and $wgStrictFileExtensions are true. * Checking is also done in javascript (./skins/common/upload.js) * If the javascript check is bypassed (either with noscript, or making a modification with a javascript debugger), the server side checks seem to still run (in all cases that I've been able to test)
The reporter actually had $wgCheckFileExtensions = false. This seems to be the desired behavior for MediaWiki based on https://bugzilla.wikimedia.org/show_bug.cgi?id=14220
Making public in case anyone else hits this