http://www.mediawiki.org/wiki/Special:Code/MediaWiki/72890

Revision: 72890
Author:   tstarling
Date:     2010-09-13 04:05:20 +0000 (Mon, 13 Sep 2010)

Log Message:
-----------
Added warnings about some upload security issues, such as allowing
OpenDocument uploads.

Modified Paths:
--------------
    trunk/phase3/includes/DefaultSettings.php

Modified: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php   2010-09-13 03:10:28 UTC (rev 
72889)
+++ trunk/phase3/includes/DefaultSettings.php   2010-09-13 04:05:20 UTC (rev 
72890)
@@ -502,6 +502,10 @@
 /**
  * This is the list of preferred extensions for uploading files. Uploading 
files
  * with extensions not in this list will trigger a warning.
+ *
+ * WARNING: If you add any OpenDocument file formats here, such as odt, ods or 
+ * odp, and untrusted users are allowed to upload files, then your wiki will 
be 
+ * vulnerable to cross-site request forgery (CSRF). 
  */
 $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
 
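Review bot: The added WARNING on $wgFileExtensions names the consequence (CSRF) but not what property of OpenDocument files causes it, so an administrator cannot tell whether other formats share the risk or why the default list is unaffected; the `'application/x-opc+zip'` entry visible at the top of the next hunk suggests the project already treats ZIP-based containers as a class, which is presumably the underlying concern here. If that is the mechanism, the comment should say so in one clause, e.g. `* WARNING: OpenDocument formats (odt, ods, odp) are ZIP containers; if you add them here and untrusted users are allowed to upload files, your wiki will be vulnerable to cross-site request forgery (CSRF).` The added lines ending in "will be" and "(CSRF)." also appear to carry trailing whitespace, though that may be an artefact of the mail wrapping.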
@@ -539,12 +543,18 @@
        'application/x-opc+zip',
 );
 
-/** This is a flag to determine whether or not to check file extensions on 
upload. */
+/** 
+ * This is a flag to determine whether or not to check file extensions on 
upload.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
+ */
 $wgCheckFileExtensions = true;
 
 /**
  * If this is turned off, users may override the warning for files not covered
  * by $wgFileExtensions.
+ *
+ * WARNING: setting this to false is insecure for public wikis. 
  */
 $wgStrictFileExtensions = true;
 
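Review bot: Both added warnings say only that `false` is "insecure for public wikis" without saying what the check prevents, so an administrator weighing the setting has nothing to weigh; the surrounding sentences already supply the facts needed. For $wgCheckFileExtensions suggest `* WARNING: setting this to false disables extension checking entirely, so any extension can be uploaded; this is insecure for public wikis.` and for $wgStrictFileExtensions `* WARNING: setting this to false lets users override the warning and upload files with extensions outside $wgFileExtensions; this is insecure for public wikis.` The opening `/** ` of the first rewritten docblock and the end of the second warning also carry trailing whitespace.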


