Page MenuHomePhabricator
Create Task
Maniphest T53367

Extension checking is only done client-side
Closed, InvalidPublic
Actions

Description

Reported on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716957

Default allowed extensions for file upload are only:
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );

Under Firefox & Chrome it's indeed impossible to upload a pdf file under
those settings.
But under IE it's possible without warning or error.

A quick inspection seems to indicate that the file extension is only
checked on the client side via javascript and IE does not do a proper job.
Note that "application/pdf" is by default in the $wgTrustedMediaFormats
array.

IMHO file extension checks must also be enforced on server side, and, if
possible, a js workaround should be provided for proper handling in IE.
Malicious pdfs do exist...

I did some cursory checking of the 1.19 codebase and it does seem like this is not checked server-side.

Version: 1.19.7
Severity: normal

Details

Reference
bz51367

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:57 AM
bzimport added a project: MediaWiki-Uploading.
bzimport set Reference to bz51367.
bzimport added a subscriber: Unknown Object (MLST).
MarkAHershberger created this task.Jul 15 2013, 2:53 PM
MarkAHershberger added a comment.Jul 15 2013, 6:42 PM

Just tested a debian installation with uploads enabled and javascript off and got ".pdf" is not a permitted file type. Permitted file types are png, gif, jpg, jpeg.

But maybe IE is sending the file name in a way that confuses mediawiki?

MarkAHershberger added a comment.Jul 15 2013, 6:46 PM

Even renaming my sample pdf to .jpg and re-uploading shows it failing. WORKSFORME?

csteipp added a comment.Jul 15 2013, 7:06 PM

I haven't been able to duplicate or confirm the issue, but it would be a very serious issue if that is happening.

The debian reporter is going to send me his LocalSettings tomorrow. In the meantime, if anyone is able to reproduce this, please report details.

In general:

  • Checking to ensure the file extension is allowed is done in UploadBase::getTitle() if $wgCheckFileExtensions and $wgStrictFileExtensions are true.
  • Checking is also done in javascript (./skins/common/upload.js)
  • If the javascript check is bypassed (either with noscript, or making a modification with a javascript debugger), the server side checks seem to still run (in all cases that I've been able to test)
csteipp added a comment.Jul 16 2013, 5:38 PM

The reporter actually had $wgCheckFileExtensions = false.

This seems to be the desired behavior for MediaWiki based on https://bugzilla.wikimedia.org/show_bug.cgi?id=14220

csteipp added a comment.Jul 16 2013, 11:00 PM

Making public in case anyone else hits this

Gilles added a project: Multimedia.Dec 4 2014, 9:32 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.Dec 4 2014, 9:34 AM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
csteipp changed the task status from Declined to Invalid.Mar 26 2015, 8:53 PM
csteipp set Security to None.
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL