http://www.mediawiki.org/wiki/Special:Code/MediaWiki/72890
Revision: 72890
Author: tstarling
Date: 2010-09-13 04:05:20 +0000 (Mon, 13 Sep 2010)
Log Message:
-----------
Added some warnings for some upload security issues, such as allowing OpenDocument uploads.
Modified Paths:
--------------
trunk/phase3/includes/DefaultSettings.php
Modified: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php 2010-09-13 03:10:28 UTC (rev 72889)
+++ trunk/phase3/includes/DefaultSettings.php 2010-09-13 04:05:20 UTC (rev 72890)
@@ -502,6 +502,10 @@
 /**
  * This is the list of preferred extensions for uploading files. Uploading files
  * with extensions not in this list will trigger a warning.
+ *
+ * WARNING: If you add any OpenDocument file formats here, such as odt, ods or
+ * odp, and untrusted users are allowed to upload files, then your wiki will be
+ * vulnerable to cross-site request forgery (CSRF).
  */
 $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
@@ -539,12 +543,18 @@
 'application/x-opc+zip',
 );
-/** This is a flag to determine whether or not to check file extensions on upload. */
+/**
+ * This is a flag to determine whether or not to check file extensions on upload.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
+ */
 $wgCheckFileExtensions = true;
 /**
  * If this is turned off, users may override the warning for files not covered
  * by $wgFileExtensions.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
  */
 $wgStrictFileExtensions = true;
_______________________________________________
MediaWiki-CVS mailing list
MediaWiki-CVS@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
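Review bot: The new warning on $wgFileExtensions only protects while the extension check is actually enforced, and the added paragraph does not say so; the second hunk documents that turning off $wgStrictFileExtensions lets users override the warning for extensions outside this list, so the same exposure arises that way without anyone editing this array. Suggest closing the new paragraph with ` * The same applies if $wgStrictFileExtensions is disabled, since users can then upload such files regardless of this list.` so an administrator reading only this setting sees the dependency. The doc comment and the assignment are fully inside the hunk.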
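Review bot: Both warnings added in this hunk say "insecure for public wikis", while the warning in the first hunk states the actual condition, "untrusted users are allowed to upload files"; a non-public wiki that grants upload rights broadly has the same exposure, and "public" leaves that unclear. Suggest the same phrasing in both places: ` * WARNING: setting this to false is insecure on any wiki where untrusted users are allowed to upload files.` The $wgCheckFileExtensions comment would also read more clearly if it said what is skipped, e.g. ` * When false, the $wgFileExtensions check is not applied to uploads at all.`, which is what the existing description implies but does not state.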