[Bug 25707] Allow html in exif tags

2014-10-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Tisza Gergő gti...@wikimedia.org changed:

   What|Removed |Added

 CC||gti...@wikimedia.org

--- Comment #11 from Tisza Gergő gti...@wikimedia.org ---
Alternatively just disable logins in IE6 (and 7?). As long as the user can't
log in, allowing arbitrary script execution on upload.wikimedia.org should be
harmless. Disabling logins for old and insecure browsers was discussed in bug
56575.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 25707] Allow html in exif tags

2014-09-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Bawolff (Brian Wolff) bawolff...@gmail.com changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=25163



[Bug 25707] Allow html in exif tags

2014-05-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Jean-Fred jeanfrederic.w...@gmail.com changed:

   What|Removed |Added

 CC||jeanfrederic.w...@gmail.com
 Blocks||65681



[Bug 25707] Allow html in exif tags

2013-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Bawolff (Brian Wolff) bawolff...@gmail.com changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=46087



[Bug 25707] Allow html in exif tags

2010-11-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

--- Comment #9 from Bawolff bawolff...@gmail.com 2010-11-08 05:44:34 UTC ---
Ok, so (from my understanding):
* IE only looks at the first 255 bytes of a file
* The EXIF standard allows arbitrary whitespace at the beginning of the exif
application segment (right after the tiff header).

Proposed solution:
If we get a jpeg that fails the check, add about 255 bytes of whitespace,
change the offsets for all the exif pointers, and see if it still fails the
check. This of course would need to be tested to see if image viewers accept
the arbitrary white space in practice and so on.



[Bug 25707] Allow html in exif tags

2010-11-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Bryan Tong Minh bryan.tongm...@gmail.com changed:

   What|Removed |Added

 CC||tstarl...@wikimedia.org

--- Comment #10 from Bryan Tong Minh bryan.tongm...@gmail.com 2010-11-08 07:48:08 UTC ---
(In reply to comment #9)
> Proposed solution:
> If we get a jpeg that fails the check, add about 255 bytes of whitespace,
> change the offsets for all the exif pointers, and see if it still fails the
> check. This of course would need to be tested to see if image viewers accept
> the arbitrary white space in practice and so on.

Sounds reasonable to me, but this is a major change from how we have previously
handled this: previously your file after upload was more or less guaranteed to be
exactly equal to that before upload. Now we are essentially losing the original
file. I don't think we should care about this, but it is something to keep in
mind.

cc Tim Starling for security review of the proposed solution



[Bug 25707] Allow html in exif tags

2010-10-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Roan Kattouw roan.katt...@gmail.com changed:

   What|Removed |Added

 CC||roan.katt...@gmail.com

--- Comment #8 from Roan Kattouw roan.katt...@gmail.com 2010-10-31 17:24:06 UTC ---
We don't arbitrarily filter some HTML. We have code to predict whether IE will
think a file is HTML or not (based on Tim's reengineering of the IE MIME type
detection code) and filter based on that.

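The predictor Roan describes in comment #8 and the padding workaround Bawolff proposes in comment #9, as one added example that is not part of this thread and not MediaWiki's code. The sniffer is a deliberately simplified stand-in for MediaWiki's IEContentAnalyzer (a constructed tag list and the 255-byte window quoted in comment #9, not IE's real table); the JPEG/TIFF walking is written from the public Exif/TIFF layouts; the sample JPEG is constructed inside the block (a bare Exif APP1 segment with no scan data); and the set of offset-bearing tags the rewriter shifts is an assumption stated in the code. Function names are the author's own.

```python
import struct

HTML_TAGS = (b"<html", b"<head", b"<body", b"<script", b"<title", b"<img")  # constructed; IE's real table is longer
SNIFF_WINDOW = 255                       # the figure quoted in comment #9
SUBIFD_TAGS = {0x8769, 0x8825, 0xA005}   # Exif / GPS / Interop sub-IFD pointers
OFFSET_TAGS = {0x0201}                   # JPEGInterchangeFormat (thumbnail offset)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def ie_would_sniff_html(data, window=SNIFF_WINDOW):
    """Simplified stand-in for the predictor in comment #8 (not MediaWiki's code)."""
    return any(tag in data[:window].lower() for tag in HTML_TAGS)

def find_exif_app1(jpeg):
    """(start, end) of the first APP1 segment carrying 'Exif\\0\\0', else None."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0x01, 0xD9) or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if marker == 0xDA:               # SOS: Exif must precede entropy-coded data
            return None
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, pos + 2 + seglen
        pos += 2 + seglen
    return None

def tiff_offset_fields(tiff):
    """Positions of every 4-byte field holding a TIFF-relative offset (IFD0, next-IFD and
    sub-IFD pointers, out-of-line values, thumbnail). Assumption: no StripOffsets etc."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    fields, seen = [4], set()
    def walk(ifd):
        if ifd == 0 or ifd in seen or ifd + 2 > len(tiff):   # 0 = none; seen = loop guard
            return
        seen.add(ifd)
        n = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        for i in range(n):
            e = ifd + 2 + 12 * i
            tag, typ, count, value = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if tag in SUBIFD_TAGS:
                fields.append(e + 8)
                walk(value)
            elif tag in OFFSET_TAGS or count * TYPE_SIZES.get(typ, 1) > 4:
                fields.append(e + 8)                      # value does not fit inline
        nxt = ifd + 2 + 12 * n
        fields.append(nxt)
        walk(struct.unpack(endian + "I", tiff[nxt:nxt + 4])[0])
    walk(struct.unpack(endian + "I", tiff[4:8])[0])
    return endian, fields

def pad_exif(jpeg, pad):
    """Comment #9's proposal: insert `pad` bytes of whitespace right after the 8-byte
    TIFF header and shift every TIFF-relative offset by `pad`."""
    assert pad % 2 == 0, "keep IFDs word-aligned"
    start, end = find_exif_app1(jpeg)
    tiff = bytearray(jpeg[start + 10:end])           # skip FF E1, length, 'Exif\0\0'
    endian, fields = tiff_offset_fields(bytes(tiff))
    for pos in fields:
        old = struct.unpack(endian + "I", tiff[pos:pos + 4])[0]
        if old:                                      # 0 means "no next IFD"
            struct.pack_into(endian + "I", tiff, pos, old + pad)
    tiff[8:8] = b" " * pad
    seglen = 2 + 6 + len(tiff)
    assert seglen <= 0xFFFF, "APP1 segment would exceed 64 KiB"
    return (jpeg[:start] + b"\xff\xe1" + struct.pack(">H", seglen)
            + b"Exif\x00\x00" + bytes(tiff) + jpeg[end:])

def read_ascii_tag(jpeg, wanted=0x010E):
    """Resolve an ASCII tag in IFD0 (default ImageDescription) through the offsets."""
    start, end = find_exif_app1(jpeg)
    tiff = jpeg[start + 10:end]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    n = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(n):
        e = ifd + 2 + 12 * i
        tag, typ, count, off = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if tag == wanted and typ == 2:
            raw = tiff[e + 8:e + 12] if count <= 4 else tiff[off:off + count]
            return raw.rstrip(b"\x00")
    return None

def build_exif_jpeg(description):
    """Constructed sample: SOI, one Exif APP1 whose IFD0 holds only ImageDescription, EOI."""
    desc = description + b"\x00"                     # must be > 4 bytes: stored out of line
    data_off = 8 + 2 + 12 + 4                        # header, count, one entry, next-IFD
    tiff = (b"II\x2a\x00" + struct.pack("<I", 8) + struct.pack("<H", 1)
            + struct.pack("<HHII", 0x010E, 2, len(desc), data_off)
            + struct.pack("<I", 0) + desc)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    original = build_exif_jpeg(b"<script>alert(document.cookie)</script>")
    padded = pad_exif(original, 256)
    print(ie_would_sniff_html(original), ie_would_sniff_html(padded), read_ascii_tag(padded))
```

For the constructed sample, `ie_would_sniff_html` returns True on the original (the `<script` lands at byte 38) and False after `pad_exif(original, 256)`, while `read_ascii_tag` still returns the description through the rewritten pointers. What the script cannot show is the part Bawolff says needs testing: whether real image viewers tolerate the whitespace; and a production rewriter must shift every offset-bearing tag (StripOffsets and friends), not only the ones listed here.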


[Bug 25707] Allow html in exif tags

2010-10-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

--- Comment #5 from Bryan Tong Minh bryan.tongm...@gmail.com 2010-10-30 09:28:09 UTC ---
Well, only script and style= should be blacklisted right?



[Bug 25707] Allow html in exif tags

2010-10-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

--- Comment #7 from Bawolff bawolff...@gmail.com 2010-10-30 17:10:19 UTC ---
Also if we were filtering html from the file, it'd be kind of weird to filter
some html, then of the html we let in, not allow it to be used on the metadata
box on the image page (With our current super-weird mix of first doing
specialhtmlchars() on (most, not all of) the exif values, and then feeding the
result of that into the parser.)



[Bug 25707] Allow html in exif tags

2010-10-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

--- Comment #1 from Bryan Tong Minh bryan.tongm...@gmail.com 2010-10-29 16:27:57 UTC ---
The security reason is that IE may get fooled into thinking that this is
actually an HTML file and try to display it, executing any embedded JS in the
process.



[Bug 25707] Allow html in exif tags

2010-10-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Bawolff bawolff...@gmail.com changed:

   What|Removed |Added

 CC||bawolff...@gmail.com

--- Comment #2 from Bawolff bawolff...@gmail.com 2010-10-29 23:53:20 UTC ---
Theoretically we could perhaps strip the html tags in exif fields. That would
require a general means of editing exif tags. However we'll probably eventually
need that anyways if we plan to fix Bug 20326.



[Bug 25707] Allow html in exif tags

2010-10-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

--- Comment #3 from DieBuche diebu...@gmail.com 2010-10-30 00:09:52 UTC ---
Oh, sorry, maybe I wasn't clear enough. I'm aware of the script issue, but
would it still be a concern if we only disallowed script and iframe tags,
and let a or img pass?



[Bug 25707] Allow html in exif tags

2010-10-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25707

Derk-Jan Hartman hart...@videolan.org changed:

   What|Removed |Added

 CC||hart...@videolan.org

--- Comment #4 from Derk-Jan Hartman hart...@videolan.org 2010-10-30 00:22:25 UTC ---
That would mean tying an html parser into the filetype detection system.

I guess in theory it could be done with a whitelisting of several html tags,
and stripping other tags as well as dangerous css from style=... That's not a
straightforward thing to implement though. Also, the solution would of course
be far from HTML, and people would probably be asking for every single HTML tag
they think might be useful to them :D
