On Mon, Oct 25, 2010 at 10:51 PM, Marco Schuster <ma...@harddisk.is-a-geek.org> wrote: > On Mon, Oct 25, 2010 at 10:09 PM, Aryeh Gregor > <simetrical+wikil...@gmail.com> wrote: >> On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik <maxsem.w...@gmail.com> wrote: >>> Instead of amassing social constructs around technical deficiency, I >>> propose to fix bug 24230 [1] by implementing proper checking for JAR >>> format. >> >> Does that bug even affect Wikimedia? We have uploads segregated on >> their own domain, where we don't set cookies or do anything else >> interesting, so what would an uploaded JAR file even do? > upload.wikimedia.org could end up on Google's Safe Surfing (or however > it's called) blacklist for hosting malicious .jar's which are injected > on another pwned web site or loaded through pwned advertising brokers. > Given the fact that Java is the 2nd biggest exploit vector in terms of > exploits (but 1st in terms of impact - users don't update Java as > often as the Adobe Reader), it should not be allowed to upload JARs > (or things that look like something else, but infact can be loaded and > executed by the JRT) to Wikipedia. > > Marco > -- > VMSoft GbR > Nabburger Str. 15 > 81737 München > Geschäftsführer: Marco Schuster, Volker Hemmert > http://vmsoft-gbr.de > > _______________________________________________ > Wikitech-l mailing list > Wikitech-l@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Should we also be exploring any possibly malicious archives inside archives recursively, or is just making sure the archive itself is good is good enough? _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l