https://bugzilla.wikimedia.org/show_bug.cgi?id=29874
Web browser: ---
Bug #: 29874
Summary: Image extension strict whitelist handling is inconsistent
Product: MediaWiki
Version: 1.19-svn
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: Images and files
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
Classification: Unclassified
Created attachment 8780
--> https://bugzilla.wikimedia.org/attachment.cgi?id=8780
Patch that brings UploadBase.php in line with StreamFile.php
Greetings. While reviewing another bug report, I noticed the following:
On upload, UploadBase's getTitle is called, which validates image file
extensions. It checks all of a file's extensions against the blacklist, but
only the last extension against the whitelist (iff $wgCheckFileExtensions &&
$wgStrictFileExtensions, of course). However, StreamFile.php wfGetType checks
all of a file's extensions against both lists. This is certainly wrong. Brion
said on bug 11142 "Multiple extensions are checked on upload because the web
server also checks multiple extensions when it's determining the type of a file
to serve out", and so if we want to have StrictFileExtensions actually have any
effect, it should really impose its will on every extension, not just one. The
attached patch does just that, bringing UploadBase.php in line with
StreamFile.php. Of course, the opposite change is also acceptable.
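The inconsistency described in the report above, as an added example (not MediaWiki's code and not the attached patch): two simplified checks run over constructed file names. The function names, the two lists and the file names are assumptions made for illustration.

```php
<?php
// Added illustration; not MediaWiki code. All names and lists here are hypothetical.

/** Return the lowercased extensions after the base name: "a.b.c" -> ['b', 'c']. */
function splitExtensions(string $filename): array {
    $parts = explode('.', strtolower($filename));
    array_shift($parts); // drop the base name
    return $parts;
}

/** Upload-path behaviour as reported: blacklist on every extension, whitelist on the last only. */
function checkLastOnly(string $filename, array $whitelist, array $blacklist): bool {
    $exts = splitExtensions($filename);
    if ($exts === [] || array_intersect($exts, $blacklist) !== []) {
        return false;
    }
    return in_array(end($exts), $whitelist, true);
}

/** Streaming-path behaviour as reported (and what the patch aims for): both lists on every extension. */
function checkEvery(string $filename, array $whitelist, array $blacklist): bool {
    $exts = splitExtensions($filename);
    if ($exts === [] || array_intersect($exts, $blacklist) !== []) {
        return false;
    }
    // Strict mode: any extension outside the whitelist rejects the file.
    return array_diff($exts, $whitelist) === [];
}

// Constructed sample configuration and file names.
$whitelist = ['png', 'gif', 'jpg'];
$blacklist = ['php', 'exe'];
$samples = [
    'photo.png',      // single whitelisted extension
    'page.php.png',   // blacklisted inner extension
    'notes.xyz.png',  // inner extension on neither list: the two checks disagree
    'trip.2011.jpg',  // dotted base name: under this model "2011" counts as an extension
];

foreach ($samples as $name) {
    printf("%-14s last-only=%-5s every=%s\n", $name,
        var_export(checkLastOnly($name, $whitelist, $blacklist), true),
        var_export(checkEvery($name, $whitelist, $blacklist), true));
}
```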