Your message dated Thu, 05 Sep 2013 15:49:02 +0000
with message-id <[email protected]>
and subject line Bug#716957: fixed in mediawiki 1:1.19.8+dfsg-1
has caused the Debian Bug report #716957,
regarding [mediawiki] Upload of pdf files via IE still possible under default settings
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
716957: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716957
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.19.5-1
Severity: normal
Tags: security
X-Debbugs-CC: [email protected]
Default allowed extensions for file upload are only:
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
Under Firefox & Chrome it's indeed impossible to upload a pdf file under
those settings.
But under IE it's possible without warning or error.
A quick inspection seems to indicate that the file extension is only
checked on the client side via JavaScript and IE does not do a proper job.
Note that "application/pdf" is by default in the $wgTrustedMediaFormats
array.
IMHO file extension checks must also be enforced on server side, and, if
possible, a js workaround should be provided for proper handling in IE.
Malicious pdfs do exist...
Best regards
Phil
--- End Message ---
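A server-side version of the check the report asks for, as an added example in Python (not MediaWiki's own code): the allow-list is the default $wgFileExtensions quoted above, and the magic-byte table and sample uploads are constructed for the illustration.

```python
# Added example (not MediaWiki code): enforce the upload extension allow-list
# on the server, where a browser-side JavaScript check cannot be relied on.
import os

# Mirrors the default $wgFileExtensions from the bug report.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Constructed, minimal magic-byte table for a second, content-based check.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

def extension_of(filename):
    """Return the lower-cased final extension, or '' if there is none."""
    base = os.path.basename(filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    if not dot or not ext:
        return ""
    return ext.lower()

def check_upload(filename, head):
    """Return (ok, reason). `head` is the first bytes of the uploaded file.

    Both checks run on the server regardless of what the client sent, so a
    PDF reaches the same verdict whether or not the browser ran the JS check.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not in allow-list" % ext
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension %r" % ext
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample uploads: (filename, first bytes of the file)
    samples = [
        ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),   # real JPEG
        ("report.pdf", b"%PDF-1.4\n"),                       # the IE case
        ("report.pdf.png", b"%PDF-1.4\n"),                   # renamed PDF
        ("noext", b"GIF89a"),                                # no extension
    ]
    for name, head in samples:
        print(name, check_upload(name, head))
```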
--- Begin Message ---
Source: mediawiki
Source-Version: 1:1.19.8+dfsg-1
We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Glaser <[email protected]> (supplier of updated mediawiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Thu, 05 Sep 2013 17:07:53 +0200
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.8+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <[email protected]>
Changed-By: Thorsten Glaser <[email protected]>
Description:
mediawiki - website engine for collaborative work
Closes: 669832 705107 709943 716884 716957
Changes:
mediawiki (1:1.19.8+dfsg-1) unstable; urgency=low
.
* mediawiki-math is now called mediawiki-extensions-math
⇒ update the package relationship fields
* Make my self-drawn CC images nicer and more consistent
* New upstream security release
* Secure the default images directory (Closes: #716884)
* Allow PDF upload (Closes: #716957)
* Nuke ref to ENOENT dir (Closes: #705107)
* Update debian/copyright information
* Pull upstream patch to fix variables (Closes: #709943)
* Sort patches ASCIIbetically; refresh them against new version
* For Apache 2.4, move configuration file (Closes: #669832)
--- End Message ---