On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik <maxsem.w...@gmail.com> wrote:
> Instead of amassing social constructs around technical deficiency, I
> propose to fix bug 24230 [1] by implementing proper checking for JAR
> format.

Does that bug even affect Wikimedia? We have uploads segregated on their own domain, where we don't set cookies or do anything else interesting, so what would an uploaded JAR file even do? If that kind of attack is still a problem even with separate domains, we can do like Mozilla's Bugzilla and serve each uploaded file from its own unique domain (that would have ramifications for how browsers fetch the images, but they might be positive anyway).