Page MenuHomePhabricator
Create Task
Maniphest T64451

Possible to upload files with not allowed extension, if it has a multiple extensions, one of which is good
Closed, ResolvedPublic
Actions

Description

Splitting this out from bug 33549 comment 8 and bug 33549 comment 9:

[[commons:File:Deamado ko.png.bmp]] is MIME type: image/x-bmp.

Looking at MediaWiki core's DefaultSettings.php and Wikimedia's CommonSettings.php, I can't figure out how this file type is allowed. Don't we strictly validate file extensions at least? Referring to [[mw:Manual:$wgStrictFileExtensions]], I suppose.

I was able to reproduce an upload of this file type on Commons via [[commons:Special:Upload]] a few minutes ago by simply disabling JavaScript in my browser (the file selection input has some associated JavaScript validation logic).

(In reply, Bawolff (Brian Wolff) from bug 33549 comment 10)

Umm yeah, that shouldnt be allowed.

Version: 1.23.0
Severity: normal

Details

Reference
bz62451

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 2:55 AM
bzimport added projects: MW-1.23.0-release, MediaWiki-File-management.
bzimport set Reference to bz62451.
MZMcBride created this task.Mar 9 2014, 7:55 AM
gerritbot added a comment.Mar 9 2014, 8:09 AM

Change 117668 had a related patch set uploaded by Brian Wolff:
When checking whitelist of extensions, only count last extension.

https://gerrit.wikimedia.org/r/117668

gerritbot added a comment.Mar 11 2014, 9:43 PM

Change 117668 merged by jenkins-bot:
When checking whitelist of extensions, only count last extension.

https://gerrit.wikimedia.org/r/117668

Bawolff added a comment.Mar 25 2014, 5:38 PM
  • Bug 63076 has been marked as a duplicate of this bug. ***
Ciencia_Al_Poder added a comment.May 10 2014, 10:46 AM

Change merged, so marking as resolved

Gilles added a project: Multimedia.Dec 4 2014, 10:20 AM
Gilles raised the priority of this task from Medium to Unbreak Now!.Dec 4 2014, 10:25 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles lowered the priority of this task from Unbreak Now! to Medium.Dec 4 2014, 11:20 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL