https://bugzilla.wikimedia.org/show_bug.cgi?id=16583
Summary: MIME type detection of "application/x-php" gives false
positives on any file with "<?" in it
Product: MediaWiki
Version: unspecified
Platform: All
URL: http://commons.wikimedia.org/wiki/Image:Bundesarchiv_Bild_137-002552,_Türkei,_Anatolien,_Taurus,_Feldbahn.jpg
OS/Version: All
Status: NEW
Severity: normal
Priority: Normal
Component: File/Repo
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
Apparently, any file uploaded to Commons that has the character pair "<?"
anywhere within the first 1024 bytes gets detected as having the MIME type
"application/x-php". This seems a bit excessive. Some examples include:
http://commons.wikimedia.org/wiki/Image:Bundesarchiv_Bild_137-002552,_Türkei,_Anatolien,_Taurus,_Feldbahn.jpg
http://commons.wikimedia.org/wiki/Commons:Village_pump/Archive/2008Nov#Uploading-Error
Note that I don't believe there should be any security issues with serving such
files to users: I'm not aware of any user agent that would execute downloaded
PHP code, and certainly not one that would use such a hair-trigger check for
detecting it.
(P.S. This might be a Wikimedia configuration issue: I haven't yet looked at the
MIME type detection code closely enough to tell. Filing this for now as a
MediaWiki bug, feel free to reclassify.)
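Added example, not part of the original report and not MediaWiki's detection code: it reproduces the check as the report describes it ("<?" anywhere in the first 1024 bytes) and runs it, next to a stricter rule, over constructed sample bytes. The stricter pattern, the function names and the samples are assumptions made for illustration.

```python
import re

SNIFF_LEN = 1024  # sniffing window named in the report

def hair_trigger_is_php(data: bytes) -> bool:
    """Behaviour the report describes: any "<?" in the first 1024 bytes."""
    return b"<?" in data[:SNIFF_LEN]

# Assumed stricter rule (hypothetical, not MediaWiki's): "<?php" followed by
# whitespace, the "<?=" echo tag, or a bare "<?" followed by whitespace.
# XML-style processing instructions such as "<?xml" or "<?xpacket" do not match.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\s|=|\s)", re.IGNORECASE)

def stricter_is_php(data: bytes) -> bool:
    return PHP_OPEN_TAG.search(data[:SNIFF_LEN]) is not None

def chance_hit_rate(window: int = SNIFF_LEN) -> float:
    """Approximate odds that uniformly random bytes contain "<?" in the window."""
    return 1 - (1 - 2 ** -16) ** (window - 1)

# Constructed samples, not the files linked in the report.
SAMPLES = {
    # JPEG APP1 segment carrying an XMP packet, which starts with "<?xpacket".
    "jpeg_with_xmp": b"\xff\xd8\xff\xe1\x00\x60http://ns.adobe.com/xap/1.0/\x00"
                     b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>',
    # Compressed image data where 0x3C 0x3F happen to be adjacent.
    "jpeg_noise": b"\xff\xd8\xff\xdb\x00\x43\x00\x10\x3c\x3f\x9a" + b"\x7f" * 64,
    # An actual PHP script.
    "php_script": b"<?php echo 'hello'; ?>\n",
}

def compare() -> dict:
    """Map each sample name to (hair_trigger_result, stricter_result)."""
    return {name: (hair_trigger_is_php(d), stricter_is_php(d))
            for name, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:14} hair-trigger={naive!s:5} stricter={strict}")
    print(f"random-data hit rate in 1024 bytes: {chance_hit_rate():.2%}")
```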