Platonides wrote:
> Since OpenDocument files are Zip files, unless you do some extra
> validation, a Jar could be uploaded disguised as an OD? file.
> The vulnerability is that a Jar has same-origin permissions over the
> wiki, and so -linked from an external page viewed by logged-in users-
> can do all kinds of Bad Things.

It's possible to make a file which is simultaneously a valid JAR file and a valid OpenDocument file. Here's the one I made in September last year:

http://noc.wikimedia.org/~tstarling/odjar/

-- Tim Starling

_______________________________________________
MediaWiki-l mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
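
An upload-side check for the situation discussed in this thread, as an added example that is not part of the original messages or of MediaWiki's code: because one archive can be both a valid OpenDocument package and a JAR, it checks the ODF package shape and separately rejects archives that carry JAR content. The function names, the name-based deny-list and the sample archives are assumptions constructed for the illustration.

```python
import io
import zipfile

# Assumed deny-list for this example: entry names Java tooling treats as JAR content.
JAR_MARKERS = ("meta-inf/manifest.mf",)
JAR_SUFFIXES = (".class", ".jar")


def jar_findings(data: bytes) -> list[str]:
    """Return reasons to reject an upload claiming to be OpenDocument (empty = none)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    findings = []
    with zf:
        infos = zf.infolist()
        # ODF packages store an uncompressed "mimetype" entry first.
        if not infos or infos[0].filename != "mimetype":
            findings.append("first entry is not 'mimetype'")
        elif infos[0].compress_type != zipfile.ZIP_STORED:
            findings.append("'mimetype' entry is compressed")
        elif not zf.read(infos[0]).startswith(b"application/vnd.oasis.opendocument."):
            findings.append("unexpected mimetype value")
        # Passing the ODF checks is not enough: the same archive may also be a JAR,
        # so every entry name is checked, not just the ones ODF expects.
        for info in infos:
            name = info.filename.lower()
            if name in JAR_MARKERS or name.endswith(JAR_SUFFIXES):
                findings.append(f"JAR content: {info.filename}")
    return findings


def build_sample(extra: dict[str, bytes]) -> bytes:
    """Constructed sample: a minimal ODF-shaped ZIP plus any extra entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr("META-INF/manifest.xml", "<manifest:manifest/>")
        for name, body in extra.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(jar_findings(build_sample({})))
    print(jar_findings(build_sample({"Applet.class": b"placeholder bytes"})))
```

The deny-list is matched on entry names only, so it is one layer of upload validation rather than proof that an archive cannot be loaded as a JAR.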
