https://bugzilla.wikimedia.org/show_bug.cgi?id=24073

--- Comment #20 from Derk-Jan Hartman <hart...@videolan.org> 2010-06-30 21:33:13 CEST ---
Created an attachment (id=7534)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=7534)
gifar cleanup

A patch of what I am proposing:

1: Move zip and virus checks before mime checks
2: ZIP gifar check is now separate from mime checks
3: Added $wgAllowGIFARVulnerableFiles global variable
4: Add zip mime detection support for openxml trailers on 2003 Office files.

This will allow people to choose to basically allow zip file uploads
when they want. They would still need to whitelist filetypes, and in the case
of actual zip files, they have to change the mime blacklist. But when setting
$wgAllowGIFARVulnerableFiles=true and adding .doc .docx .odt to their
whitelist, they will be able to upload such files nonetheless (and actual
GIFAR files).

We could consider expanding on this to add a "best-effort" mode to
detectGIFAR(), where it will only allow opendocument/openxml files, and
disallow the rest, though that is somewhat of a fake security model in my
opinion.

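A sketch of a zip-trailer check that runs on its own, independent of MIME detection, as the comment above proposes. This is an added example, not the code in attachment 7534 or MediaWiki's detectGIFAR(); the function names, the allow_gifar_vulnerable parameter (standing in for $wgAllowGIFARVulnerableFiles) and the sample bytes are assumptions made for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory (EOCD) signature
EOCD_MIN = 22              # fixed EOCD size, excluding the archive comment
MAX_COMMENT = 0xFFFF       # the comment length is a 16-bit field


def find_zip_trailer(data: bytes):
    """Return the offset of a plausible EOCD record in the file tail, or None."""
    # An EOCD can only start within the last 22 + 65535 bytes of the file.
    start = max(0, len(data) - (EOCD_MIN + MAX_COMMENT))
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            # Lenient on purpose: the declared comment only has to fit in the
            # file, so a few stray bytes after the archive do not hide it.
            if pos + EOCD_MIN + comment_len <= len(data):
                return pos
        # Keep looking at earlier occurrences of the signature.
        pos = data.rfind(EOCD_SIG, start, pos + 3)
    return None


def upload_allowed(data: bytes, allow_gifar_vulnerable: bool = False) -> bool:
    """Gate on the zip trailer alone, whatever the leading magic bytes claim."""
    if find_zip_trailer(data) is None:
        return True
    return allow_gifar_vulnerable  # hypothetical stand-in for the wiki setting


def _sample_zip() -> bytes:
    """Build a small, constructed ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "constructed sample")
    return buf.getvalue()


# Constructed sample inputs: GIF magic plus padding (not a valid image),
# and the same bytes with a ZIP archive appended.
GIF_ONLY = b"GIF89a" + bytes(32)
POLYGLOT = GIF_ONLY + _sample_zip()
```

Because the check reads the file tail and never consults the detected MIME type, it also flags legitimate ZIP-based formats such as .docx and .odt, which is why the proposal pairs it with an explicit opt-in setting.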