On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
> Package: mediawiki
> Version: 1:1.19.5-1
> Severity: normal
> Tags: security
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
>
> Default allowed extensions for file upload are only:
> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>
> Under Firefox & Chrome it's indeed impossible to upload a pdf file under
> those settings.
> But under IE it's possible without warning or error.
>
> A quick inspection seems to indicate that the file extension is only
> checked on the client side via JavaScript and IE does not do a proper job.
> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
> array.
>
> IMHO file extension checks must also be enforced on server side, and, if
> possible, a js workaround should be provided for proper handling in IE.
> Malicious pdfs do exist...
>
> Best regards
> Phil
Have you notified upstream about this issue?

---
Henri Salo
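As an added illustration of the server-side enforcement the report asks for (example code written here, not MediaWiki's own implementation), the Python check below validates the final extension against the report's default allowlist and also confirms that the leading bytes match the claimed type, so a browser that skips or mishandles the JavaScript filter still cannot get a PDF accepted. The function names and sample uploads are constructed for this example; the file signatures are the standard ones for PNG, GIF and JPEG.

```python
import os

# Allowlist taken from the default $wgFileExtensions in the report,
# compared case-insensitively on the server, never trusting the client.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Standard leading bytes for each allowed type, so a renamed PDF
# (which starts with b"%PDF-") is not accepted as an image.
MAGIC_BYTES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}


def final_extension(filename: str) -> str:
    """Lower-cased text after the LAST dot of the base name.

    Only the last extension counts: 'report.pdf.png' yields 'png', and a
    name without a dot yields ''.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rpartition(".")[2].lower()


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side decision: (accepted, reason)."""
    ext = final_extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' not in allowlist"
    if not any(data.startswith(sig) for sig in MAGIC_BYTES[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


# Constructed sample uploads, as a browser might submit them regardless
# of whether any client-side filtering ran.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "Photo.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n" + b"\x00" * 16,
    "report.pdf.png": b"%PDF-1.4\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_upload(name, body))
```

Only the first two samples pass; the plain PDF fails the allowlist and the PDF renamed with a .png suffix fails the signature check.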