https://bugzilla.wikimedia.org/show_bug.cgi?id=2089
--- Comment #38 from Bawolff (Brian Wolff) <[email protected]> ---

(In reply to comment #36)
> See the links from
> <http://lists.wikimedia.org/pipermail/wikitech-l/2012-April/059837.html>
>
> And the discussion at
> <https://commons.wikimedia.org/wiki/Commons:Village_pump/Archive/2012/03#Enabling_upload_of_ZIP_types.2C_such_as_MS_Office_or_OpenOffice>
>
> It was stated that, with the resolution of bug 24230, « Uploads of ZIP types,
> such as MS Office or OpenOffice can now be safely enabled. A ZIP file reader
> was added which can scan a ZIP file for potentially dangerous Java applets.
> This allows applets to be blocked specifically, rather than all ZIP files
> being blocked. »
>
> I have asked the question in several places and answers are both unclear and
> sometimes contradictory. Some have pointed out that concerns lie still with:
> * Potential embedded macros
> * Validation that it is actually ODF
>
> Are these concerns valid? If not, what is missing to allow ODF upload on
> projects?

The zip reader prevents someone from uploading an ODF file that's really a Java archive, which was a pretty big security vulnerability. (It also would prevent those hacks where people make combined ODF/PDF files.)

It does not prevent embedded macros, nor does it validate that the file is an ODF file (beyond some very superficial checks. It would prevent someone from accidentally uploading another format. It would not prevent someone intentionally uploading a non-ODF format that they've tweaked to slightly look like an ODF file).

Whether or not this is an acceptable situation (I consider the macro virus possibility a little scary. Platonides' suggestion in comment 26 may be something we should look into) is probably a matter that's up to debate.

I've cc'd Chris Steipp, as he probably has some thoughts on this, and would probably have the final word on if ODF upload is acceptable.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
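As an added illustration of the three behaviours the comment above describes (a superficial ODF check, detection of a Java archive dressed up as ODF, and the ODF/PDF polyglot case), here is example code written for this page, not MediaWiki's own ZIP reader. The MIME prefix, entry-name heuristics and sample archives are constructed assumptions; the macro heuristic only flags an OpenDocument Basic library tree, which is exactly the gap the comment says a name-based scanner leaves open.

```python
import io
import zipfile

ODF_MIME_PREFIX = b"application/vnd.oasis.opendocument."


def scan_zip_upload(data: bytes) -> dict:
    """Superficial upload checks: is_odf (ZIP local header first, then an
    uncompressed 'mimetype' naming an OpenDocument type), java_applet
    (.class entry or JAR manifest), macros (OpenDocument Basic tree)."""
    result = {"is_odf": False, "java_applet": False, "macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A ZIP with foreign bytes in front (e.g. a PDF/ODF polyglot) still
        # opens, because the central directory is located from the file end.
        starts_clean = data.startswith(b"PK\x03\x04")
        if starts_clean and names and names[0] == "mimetype":
            info = zf.getinfo("mimetype")
            if (info.compress_type == zipfile.ZIP_STORED
                    and zf.read("mimetype").startswith(ODF_MIME_PREFIX)):
                result["is_odf"] = True
        for name in names:
            lower = name.lower()
            if lower.endswith(".class") or lower == "meta-inf/manifest.mf":
                result["java_applet"] = True
            if lower.startswith("basic/") and lower.endswith(".xml"):
                result["macros"] = True
    return result


def build_zip(entries, mimetype=None) -> bytes:
    """Build a constructed in-memory ZIP; 'mimetype' is written first, stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if mimetype is not None:
            zf.writestr("mimetype", mimetype, compress_type=zipfile.ZIP_STORED)
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


ODT = b"application/vnd.oasis.opendocument.text"
# Constructed samples: plain document, JAR dressed up as ODF, document with a
# Basic macro library, and a PDF-prefixed polyglot built from the plain one.
CLEAN_ODT = build_zip([("content.xml", b"<office:document-content/>")], ODT)
JAR_AS_ODT = build_zip([("content.xml", b"<x/>"), ("Applet.class", b"\xca\xfe\xba\xbe")], ODT)
MACRO_ODT = build_zip([("content.xml", b"<x/>"), ("Basic/Standard/Module1.xml", b"<script/>")], ODT)
POLYGLOT = b"%PDF-1.4 constructed prefix\n" + CLEAN_ODT
```

Note that JAR_AS_ODT still passes the mimetype check; only the separate applet heuristic rejects it, which is the "superficial" validation the comment refers to.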
