Page MenuHomePhabricator
Create Task
Maniphest T20684

Uploading office 2007 files (docx, pptx etc) results in error
Closed, ResolvedPublic
Actions

Description

Author: amit.ray1

Description:
Overview:
With Mediawiki 1.14.0, trying to upload a word 2007 file (docx extension) resulted in an error message that it as application/zip and the file could be harmful, hence cannot be uploaded.
The LocalSettings.php had already been updated with 'docx' extension included in the array variable $wgFileExtensions. Also, the IIS server (5.0) has 'docx' extension type configured for allowable file transfer.

Temporary Work-around implemented at the local server:

In file "includes\Specials\SpecialUpload.php", in "function verify($tmpfile, $extension )", I bypass the checks "if ( $this->checkFileExtension( $mime, $wgMimeTypeBlacklist )", if the file extension is 'docx'.

Comments:
Not sure if it is a known issue in MediaWiki 1.14.0.
If it is a bug, I would be looking forward to a permanent solution to the above.

Version: 1.16.x
Severity: normal

Details

Reference
bz18684

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:31 PM
bzimport added a project: MediaWiki-Uploading.
bzimport set Reference to bz18684.
bzimport created this task.May 5 2009, 9:47 AM
bzimport added a comment.May 5 2009, 9:52 AM

amit.ray1 wrote:

see patch in 'function verify( $tmpfile, $extension )'

attachment SpecialUpload.php ignored as obsolete

demon added a comment.May 6 2009, 12:19 AM

Downgrading status from blocker.

Catrope added a comment.May 7 2009, 10:09 AM

(In reply to comment #1)

Created an attachment (id=6090) [details]
see patch in 'function verify( $tmpfile, $extension )'

Please submit a real patch in unified diff format.

demon added a comment.Jul 2 2009, 2:30 AM

Created attachment 6291
Patch of above file to trunk

Here's a diff of patching the above file into trunk. That being said, I won't commit it.

It's a nasty hack with a very easily exploitable vector: rename any file to one of the MSFT files, and you skip all of Tim's content-detection work.

Attached:

diff.patch1 KBDownload

Jdpond added a comment.Jul 29 2009, 9:51 PM

Patch for mime.types to allow MS Office 2007 doc types

This problem could also be fixed by patching the includes/mime.types file to identify the MS 2007 Office docs (see attached patch). If someone will assign to me, I would be glad to fix and submit.

Attached:

mime.types.patch825 BDownload

bzimport added a comment.Sep 25 2009, 4:43 PM

Bryan.TongMinh wrote:

Looks ok.(In reply to comment #5)

Created an attachment (id=6403) [details]
Patch for mime.types to allow MS Office 2007 doc types

This problem could also be fixed by patching the includes/mime.types file to
identify the MS 2007 Office docs (see attached patch). If someone will assign
to me, I would be glad to fix and submit.

Looks ok.

Jdpond added a comment.Sep 25 2009, 5:26 PM

Committed to revision 56923

Gilles added a project: Multimedia.Dec 4 2014, 10:47 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.Dec 4 2014, 10:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL