On Mon, Oct 25, 2010 at 10:09 PM, Aryeh Gregor <[email protected]> wrote:
> On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik <[email protected]> wrote:
>> Instead of amassing social constructs around technical deficiency, I
>> propose to fix bug 24230 [1] by implementing proper checking for JAR
>> format.
>
> Does that bug even affect Wikimedia? We have uploads segregated on
> their own domain, where we don't set cookies or do anything else
> interesting, so what would an uploaded JAR file even do?

upload.wikimedia.org could end up on Google's Safe Surfing (or however it's called) blacklist for hosting malicious .jars which are injected on another pwned web site or loaded through pwned advertising brokers.

Given the fact that Java is the 2nd biggest exploit vector in terms of exploits (but 1st in terms of impact - users don't update Java as often as the Adobe Reader), it should not be allowed to upload JARs (or things that look like something else, but in fact can be loaded and executed by the JRT) to Wikipedia.

Marco
-- 
VMSoft GbR
Nabburger Str. 15
81737 München
Managing directors: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de
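
The content check discussed in this thread, sketched as an added example (not code from the thread or from MediaWiki): it looks for a ZIP structure holding Java entries anywhere in an upload, whatever the file extension or leading image header says. The function names, the manifest/`.class` heuristic and the sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile


def jar_indicators(data: bytes) -> list[str]:
    """Return archive entries that suggest `data` can be loaded as a JAR.

    zipfile finds the end-of-central-directory record by scanning back from
    the end of the file, so bytes placed in front of the archive (an image
    header, for instance) do not hide it. An empty list means no indicator.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    try:
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Design choice for this example: fail closed when a ZIP trailer is
        # present but the directory does not parse cleanly.
        return ["<unparseable zip structure>"]
    return [
        n for n in names
        if n.upper() == "META-INF/MANIFEST.MF" or n.lower().endswith(".class")
    ]


# Constructed sample: a few GIF bytes; not a complete, renderable image.
GIF_BYTES = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed entries (test data only)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return out.getvalue()


def build_sample_polyglot() -> bytes:
    """Constructed sample: GIF bytes followed by an archive with Java entries."""
    jar = build_archive({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
        "Example.class": b"\xca\xfe\xba\xbe" + b"\x00" * 8,  # magic only, not a valid class
    })
    return GIF_BYTES + jar
```

An upload handler would reject the file whenever `jar_indicators` returns a non-empty list, independent of the MIME type it detected from the leading bytes.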
