https://bugzilla.wikimedia.org/show_bug.cgi?id=57550

--- Comment #11 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to comment #8)
> In my role as sysadmin at RationalWiki.org, I just upgraded it to 1.19.10 - or
> thought I had - and Chris Davis' 'sploit link still runs the demo 'sploit for me:
> 
> http://rationalwiki.org/w/images/0/03/Silly_mediawiki.svg
> 
> Looking at includes/XmlTypeCheck.php and includes/upload/UploadBase.php in the
> RW installation, the patches in attachment 13916 appear to be present.
> 
> Should the demo 'sploit still work?

Yes, the patch prevents the upload, but existing files will still be there. 

Grepping for "<?xml-stylesheet" in your images would identify any that have
previously come in.

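The grep suggested in the reply above, written out as a shell function (an added example, not part of the original comment or of MediaWiki). It goes one step beyond a plain grep by dropping NUL bytes first, so UTF-16 encoded XML also matches; the function name `scan_stylesheet_pi` and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: list previously uploaded files that carry an
# xml-stylesheet processing instruction.
# Usage (path is an assumption; use your wiki's upload directory):
#   sh scan.sh /path/to/w/images

# scan_stylesheet_pi DIR
# Prints one path per line for every regular file under DIR whose content
# contains "<?xml-stylesheet". Returns 0 if any were found, 1 if none.
scan_stylesheet_pi() {
    dir=$1
    found=1
    list=$(mktemp) || return 2
    # Scan every regular file, not only *.svg, so archived or renamed
    # copies are covered as well.
    find "$dir" -type f > "$list"
    while IFS= read -r f; do
        # Removing NUL bytes makes UTF-16 text comparable to the ASCII
        # pattern; -a treats binary input as text, -F matches literally.
        if tr -d '\000' < "$f" | grep -a -q -F '<?xml-stylesheet'; then
            printf '%s\n' "$f"
            found=0
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Run the scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_stylesheet_pi "$1"
fi
```

Files it lists were stored before the patch was applied and still need to be reviewed and removed by hand.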