On Wed, Sep 9, 2009 at 9:20 PM, T. J. Frazier <tjfraz...@cfl.rr.com> wrote:
> Clayton wrote:
>>
>> Sebastien Lanteigne wrote:
[...]
>> OK, I've tinkered with this a bit more... by adding OXT to the
>> application/zip mime type, we get past the corrupt file error message
>> and on to a completely new one... the fact that zip files are explicitly
>> blocked from MediaWiki by default because of a potential exploit:
>>
>> ===================
>> # A ZIP file may be a valid Java archive containing an applet which exploits the
>> # same-origin policy to steal cookies
>> ===================

Basically this means that a jar applet could be camouflaged as any zip-based format. Then the applet could be run and used to steal cookies on a user's computer. In other words, it is a risk for the users downloading the extensions.

>> I can disable mime type checking altogether, but... that's not really a
>> good idea as it opens up a hole for exploits (from what I've read). I
>> can disable zip checking.. again, opening up a hole for exploits.

The way I see it you are not opening up a hole on the server. Just for the users downloading the file. That risk exists anywhere on the Internet where you may download a zip, jar, xpi, etc. file. I think it's acceptable.

Here is what I would do.

Zip-based formats are blocked by mime type in LocalSettings.php (maybe DefaultSettings.php); remove that. Look for this array and comment the last line.

    $wgMimeTypeBlacklist= array(
        # HTML may contain cookie-stealing JavaScript and web bugs
        'text/html', 'text/javascript', 'text/x-javascript', 'application/x-shellscript',
        # PHP scripts may execute arbitrary code on the server
        'application/x-php', 'text/x-php',
        # Other types that may be interpreted by some servers
        'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
        # Windows metafile, client-side vulnerability on some systems
        'application/x-msmetafile',
        # A ZIP file may be a valid Java archive containing an applet which exploits the
        # same-origin policy to steal cookies
        'application/zip',
    );

Then block common zip-based files by extension. The exploit would still work with but limits choices.

Look for this array (create it if it doesn't exist)

    $wgFileBlacklist = array();

If it does exist add this in it

    'zip',
    'jar',
    'xpi',

NOTE: Don't copy the whole list I cut and pasted from mediawiki in my last e-mail as it included extensions that should not be there.

In fact you should probably change this

    application/zip zip jar xpi sxc stc sxd std sxi sti sxm stm sxw stw odt ott oth odm odg otg odp otp ods ots odc odf odb odi oxt

to this

    application/zip zip jar xpi oxt

Thanks,
Seb.
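The caveat in the message above, that an extension blacklist limits choices but does not stop a Java archive renamed to another zip-based format, shows up when a name-only check is compared with a look inside the container. This is an added example, not part of the original e-mail and not MediaWiki code; `check_upload`, the helper names and the sample archives are assumptions constructed for illustration, and the blacklist is the three extensions listed in the message.

```python
import io
import zipfile

# Extension blacklist as proposed in the message above.
EXT_BLACKLIST = {"zip", "jar", "xpi"}

def blocked_by_extension(filename: str) -> bool:
    """The extension-only rule: looks at the name, never at the bytes."""
    return filename.rsplit(".", 1)[-1].lower() in EXT_BLACKLIST

def java_class_entries(data: bytes) -> list[str]:
    """List entries that would let a JVM treat this ZIP as a Java archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a ZIP container, nothing for a JVM to load
    return [n for n in names if n.lower().endswith(".class")]

def check_upload(filename: str, data: bytes) -> str:
    """Hypothetical upload policy: name check first, then content check."""
    if blocked_by_extension(filename):
        return "reject: blacklisted extension"
    hits = java_class_entries(data)
    if hits:
        return "reject: Java classes in archive (%s)" % ", ".join(hits)
    return "accept"

def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a plain extension package, and the same container
# carrying a placeholder .class entry (no real bytecode).
PLAIN_OXT = make_zip({"META-INF/manifest.xml": b"<manifest/>",
                      "description.xml": b"<description/>"})
DISGUISED_OXT = make_zip({"META-INF/manifest.xml": b"<manifest/>",
                          "Applet.class": b"\xca\xfe\xba\xbe placeholder"})

if __name__ == "__main__":
    for name, data in [("tool.jar", PLAIN_OXT), ("pack.oxt", PLAIN_OXT),
                       ("pack.oxt", DISGUISED_OXT)]:
        print(name, "->", check_upload(name, data))
```

The second `pack.oxt` passes the extension rule and is caught only by the content check, which is the gap the extension blacklist leaves open.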