Maniphest T20372

File upload error messages don't properly take $wgFileBlacklist into account
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	Emufarmers
	Apr 6 2009, 8:54 PM

Description

If you've set $wgFileExtensions[] = 'exe'; and try to upload an executable, you will get an error message:
".exe" is not a permitted file type. Permitted file types are png, gif, jpg, jpeg, doc, xls, ppt, pps, pdf, png, gif, jpg, jpeg, xml, xsd, wsdl, txt, exe, zip."
because .exe is blacklisted.

An extension being in $wgFileExtensions should probably override its being blacklisted: I assume $wgFileBlacklist is just there to make $wgStrictFileExtensions = false; safe.

Version: 1.15.x
Severity: minor
URL: http://www.mwusers.com/forums/showthread.php?t=10408

Details

Reference: bz18372

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:30 PM

• bzimport added a project: MediaWiki-Uploading.

• bzimport set Reference to bz18372.

Emufarmers created this task.Apr 6 2009, 8:54 PM

mdale wrote:

I think there are a bit too many configuration variables here. I recommend we depreciate blacklisted extensions and only those listed in wgFileExtensions? Do we lose any functionality that way? Seems strange to have to change it in two places (ie add it to wgFileExtensions and remove it from wgFileBlacklist ) or set $wgStrictFileExtensions = false;

Fixed in r77956.

Having $wgFileBlacklist lets you set $wgStrictFileExtensions = false; to make it so that certain extensions are warned against but not blocked. I'm not sure how useful that behavior actually is, but I left it alone.

• Gilles added a project: Multimedia.Dec 4 2014, 10:43 AM

• Gilles moved this task from Untriaged to Done on the Multimedia board.

File upload error messages don't properly take $wgFileBlacklist into accountClosed, ResolvedPublicActions

Description

Details

Event Timeline

File upload error messages don't properly take $wgFileBlacklist into account
Closed, ResolvedPublic
Actions