Last modified: 2013-07-25 07:07:29 UTC
Linux is very permissive with its file names (compared to Windows). I was able to create a file with the following name: <a onmouseover="alert('XSS')">abc</a>test.png Then I uploaded this file and when hovering the title, an XSS alert is shown.
(js-client exploitable)
Change 75090 had a related patch set uploaded by Rillke: Filename: Using text instead of HTML to avoid exploitable https://gerrit.wikimedia.org/r/75090
Change 75090 merged by jenkins-bot: Filename: Using text instead of HTML to avoid exploitable https://gerrit.wikimedia.org/r/75090