On Mon, Jan 28, 2019 at 10:58 PM Kunal Mehta <[email protected]> wrote:
> Tim wrote a nice blog post about how he reverse-engineered this: > <https://tstarling.com/blog/2008/12/secure-web-uploads/>. > > I don't have any comments on whether it's still needed, but if it's > determined that MediaWiki can drop the checks, I'd like to see it > turned into a PHP library...mostly because it's some neat code. > Heck yes. :) My provisional patch is still keeping the code, but using it more conservatively: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/487527 The exact IE-based heuristics are still checked but will trip only on files matching the exact conditions that would affect old IE versions. Most uploaded JPEG or PNG files with HTML-ish links in EXIF metadata should not trigger it, as the tag strings won't appear in the first 256 bytes of the file. The less-exact heuristics (held over from before Tim's addition of the reverse-engineered exact checks) are now less overbearing, and should no longer trigger on <a href, <img, <pre, <table, or <title tags. This also obsoletes the $wgAllowTitlesInSVG setting, which will now be always true. Feel free to help with review and testing -- especially welcome if folks have samples of JPEG, PDF, DjVu, or other files that were blocked before but should work so we can double-check. Thanks all! -- brion _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
