https://bugzilla.wikimedia.org/show_bug.cgi?id=20924
Ilmari Karonen <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Ilmari Karonen <[email protected]> 2009-12-06 19:07:39 UTC ---

As I noted at bug 16583, this issue has security implications: the code in MimeMagic.php that triggers these occasional false positives is also what's protecting MediaWiki from things like the GIFAR exploit (a file which is simultaneously a valid GIF image and an executable Java archive).

That said, the error reporting could be cleaner: in particular, rather than detecting these files as application/zip, we should ideally first run them through normal MIME type detection and only then check for any unexpected ZIP EOCDR markers and, if any are found, fail with a message something like:

"This file, apparently of type foo/bar, contains a marker suggesting it might also be a valid ZIP archive. For security reasons, uploading such files has been disabled."

Also, it might be possible to reduce the false positive rate for the ZIP file detection, but doing so safely would have to involve checking how existing ZIP decoders (in particular, the Info-ZIP decoder and Java's java.util.zip classes) do it, lest we accidentally allow through files which, though not necessarily valid according to the ZIP format spec, might still be accepted by these decoders.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
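The following is an added example, not MediaWiki's MimeMagic.php and not part of the bug thread, showing the two-stage check the comment proposes: ordinary leading-magic MIME detection first, then a scan for ZIP end-of-central-directory (EOCDR) markers, with the rejection message worded as suggested above. It also builds a constructed GIF/ZIP polyglot and shows that a lenient ZIP reader (Python's zipfile, which like Java's ZipFile locates the archive from the EOCDR at the end and ignores leading data) still opens it. The magic-byte table, the 1x1 GIF bytes, the placeholder entry name Exploit.class and all function names are assumptions made for this example.

```python
"""Added example: MIME detection followed by a conservative ZIP EOCDR scan.
Not MediaWiki code; the magic table, sample GIF and entry names are constructed."""
import io
import zipfile
from typing import List, Optional, Tuple

# Stand-in for a real MIME sniffer: a few leading-magic signatures (constructed).
MAGIC_TABLE = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
]

EOCDR_SIG = b"PK\x05\x06"
# An EOCDR is 22 fixed bytes plus a comment whose length field is 16 bits, so a
# tail-scanning decoder such as java.util.zip.ZipFile searches only the last
# 22 + 65535 bytes of the file for it.  We scan the same window.
EOCDR_SEARCH_WINDOW = 22 + 0xFFFF

# Constructed sample: a minimal 1x1 GIF89a (header, global colour table,
# image descriptor, one LZW data block, trailer 0x3B).
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    b"\x00\x00\x00\xff\xff\xff"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00\x3b"
)


def detect_mime(data: bytes) -> str:
    """Stage 1: normal MIME detection from the leading magic bytes."""
    for magic, mime in MAGIC_TABLE:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def has_zip_eocdr(data: bytes) -> bool:
    """Stage 2: does any EOCDR signature appear where a ZIP decoder would look?
    Any hit counts.  Tightening this (e.g. validating the record's comment-length
    or central-directory fields) only reduces false positives safely if it mirrors
    exactly what Info-ZIP and java.util.zip accept, as the comment above warns."""
    start = max(0, len(data) - EOCDR_SEARCH_WINDOW)
    return data.find(EOCDR_SIG, start) != -1


def check_upload(data: bytes) -> Tuple[str, Optional[str]]:
    """Return (detected MIME type, rejection reason or None if accepted)."""
    mime = detect_mime(data)
    if mime != "application/zip" and has_zip_eocdr(data):
        reason = (
            f"This file, apparently of type {mime}, contains a marker suggesting "
            "it might also be a valid ZIP archive. For security reasons, "
            "uploading such files has been disabled."
        )
        return mime, reason
    return mime, None


def zip_entries(data: bytes) -> List[str]:
    """What a lenient ZIP decoder sees.  zipfile finds the EOCDR at the end and
    tolerates arbitrary leading bytes, so a GIF-prefixed archive still opens."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_gifar() -> bytes:
    """Constructed GIF/ZIP polyglot: a complete GIF followed by a complete ZIP
    archive holding one placeholder entry (not real class bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Exploit.class", b"placeholder, not real class bytes")
    return MINIMAL_GIF + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean gif", MINIMAL_GIF), ("gifar", build_gifar())):
        mime, reason = check_upload(blob)
        print(f"{label}: mime={mime} zip_entries={zip_entries(blob)} "
              f"rejected={reason is not None}")
```

Running it shows the clean GIF accepted as image/gif with no ZIP entries, while the polyglot is still detected as image/gif (so the user-facing type is right) but rejected because zipfile would happily list Exploit.class from it. The EOCDR scan is deliberately the crude "any marker in the tail window" test; every refinement to it is a place where a difference from the real decoders lets a polyglot through.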
