Last modified: 2014-06-26 09:29:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T68428, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 66428 - MimeMagic: ZIP types not properly detected
MimeMagic: ZIP types not properly detected
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Uploading (Other open bugs)
1.24rc
All All
: High normal (vote)
: ---
Assigned To: Rainer Rillke @commons.wikimedia
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-06-10 16:14 UTC by Rainer Rillke @commons.wikimedia
Modified: 2014-06-26 09:29 UTC (History)
10 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---
aklapper: Backport_to_Stable+

Attachments
ZIP-type file with fake extension. (6.37 KB, image/jpeg)
2014-06-10 16:14 UTC, Rainer Rillke @commons.wikimedia 		Details
This file will be detected by MediaWiki because $tail is not empty. (13.16 KB, image/jpeg)
2014-06-10 16:15 UTC, Rainer Rillke @commons.wikimedia 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Rainer Rillke @commons.wikimedia 2014-06-10 16:14:07 UTC 
Created attachment 15612 [details]
ZIP-type file with fake extension.

In MimeMagic.php, there is a function that is supposed to detect zips - ::doGuessMimeType() - and zip types -  ::detectZipType(). However, it fails when supplying small files like attached. Neither small ZIPs are detected nor other kind of zip-types.

So I did some debugging and found that $tail in ::doGuessMimeType() appears to be empty when the file size is below about 8192 bytes. Lowering the number of bytes from the end of the file to set the cursor to in the call to fseek to the actual file size "fixes" the issue.

Reproducible:

* Production: Always.
** Evidence: When uploading c.jpg to Commons, the following response is issued:
  File extension ".jpg" does not match the detected MIME type of the file (unknown/unknown).
** Evidence: When uploading c_big.jpg to Commons, the following response is issued:
  File extension ".jpg" does not match the detected MIME type of the file (application/vnd.oasis.opendocument.spreadsheet).

* Debug environment with PHP 5.4.20 (apache2handler): Always.
** Evidence: Debug logging and inspecting variables using xDebug and Eclipse.
Comment 1 Rainer Rillke @commons.wikimedia 2014-06-10 16:15:29 UTC 
Created attachment 15613 [details]
This file will be detected by MediaWiki because $tail is not empty.
Comment 2 Bawolff (Brian Wolff) 2014-06-10 16:21:27 UTC 
Cc ing csteipp. I suspect this might be exploitable...
Comment 3 Chris Steipp 2014-06-10 17:14:37 UTC 
Thanks Rainer / Brian, I'm going to put this into security while I play with it. I agree, that seems like it could be used for malicious purposes, but hopefully not.
Comment 4 Rainer Rillke @commons.wikimedia 2014-06-10 22:05:00 UTC 
Was it wrong to publicly submit a patch with I182128c6958244 ? How could I privately submit to Gerrit?
Comment 5 Bawolff (Brian Wolff) 2014-06-10 22:09:52 UTC 
(In reply to Rainer Rillke @commons.wikimedia from comment #4)
> Was it wrong to publicly submit a patch with I182128c6958244 ? How could I
> privately submit to Gerrit?

You can't. If its a super critical security issue, people usually put the patches on bugzilla I believe.
Comment 6 Chris Steipp 2014-06-10 23:27:53 UTC 
Adding -D (draft) to git review will keep it from being advertised, but gerrit doesn't have a good way to deal with private patches.

This isn't horrible since the detection is still done when finfo is installed, or the wiki shells out for the detection. Also, since it's unknown/unknown, the file isn't allowed to be uploaded (unless $wgVerifyMimeType, in which case there are plenty of other ways to upload malicious files).

So I'm not worried about this being public, although I think it's good hardening. But unless someone finds a way to get the upload to succeed with a relatively secure config, I don't think we need to be overly private about this bug.
Comment 7 Chris Steipp 2014-06-11 17:19:06 UTC 
Making this public again. I think we should also backport the fix, since it's a good security hardening measure.
Comment 8 Gerrit Notification Bot 2014-06-12 06:46:37 UTC 
Change 139070 had a related patch set uploaded by Rillke:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/139070
Comment 9 Gerrit Notification Bot 2014-06-12 07:06:46 UTC 
Change 139073 had a related patch set uploaded by Rillke:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/139073
Comment 10 Gerrit Notification Bot 2014-06-12 07:09:08 UTC 
Change 139074 had a related patch set uploaded by Rillke:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/139074
Comment 11 Rainer Rillke @commons.wikimedia 2014-06-21 15:02:57 UTC 
Release managers would be notified if Backport_to_Stable is set to "?", the docs say. Does this still work?
Comment 12 Andre Klapper 2014-06-21 15:54:57 UTC 
(In reply to Rainer Rillke @commons.wikimedia from comment #11)
> Release managers would be notified if Backport_to_Stable is set to "?", the
> docs say. Does this still work?

The docs at https://www.mediawiki.org/wiki/Backporting_fixes state this and tarball release managers are aware of the flag; but there was no automatic bugmail notification sent to them so far, sigh. I've fixed this now.
Comment 13 Mark A. Hershberger 2014-06-22 16:35:57 UTC 
There is no automatic method that I know of.  We're still checking these manually.

Cherry-picking, as was done here, is the best route to go because then it will be in the queue during our monthly maintenance releases.   If that isn't possible, then adding us as CC on the bug at least sends us email.
Comment 14 Gerrit Notification Bot 2014-06-25 09:47:39 UTC 
Change 139070 merged by Mglaser:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/139070
Comment 15 Gerrit Notification Bot 2014-06-25 09:48:27 UTC 
Change 139074 merged by Mglaser:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/139074
Comment 16 Gerrit Notification Bot 2014-06-25 09:53:01 UTC 
Change 139073 merged by Mglaser:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/139073
Comment 17 Andre Klapper 2014-06-25 14:09:30 UTC 
Updating the flag from ? to + now that this has been backported.
Comment 18 Gerrit Notification Bot 2014-06-25 19:07:38 UTC 
Change 142041 had a related patch set uploaded by Mglaser:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/142041
Comment 19 Gerrit Notification Bot 2014-06-25 19:51:58 UTC 
Change 142041 merged by Mglaser:
MimeMagic: Don't seek before BOF

https://gerrit.wikimedia.org/r/142041
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links