On 07/15/2013 01:00 PM, Henri Salo wrote:
> On Mon, Jul 15, 2013 at 11:41:16AM +0200, Philippe Teuwen wrote:
>> Package: mediawiki
>> Version: 1:1.19.5-1
>> Severity: normal
>> Tags: security
>> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
>>
>> Default allowed extensions for file upload are only:
>> $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
>>
>> Under Firefox & Chrome it's indeed impossible to upload a PDF file under
>> those settings.
>> But under IE it's possible without warning or error.
>>
>> A quick inspection seems to indicate that the file extension is only
>> checked on the client side via JavaScript and IE does not do a proper job.
>> Note that "application/pdf" is by default in the $wgTrustedMediaFormats
>> array.
>>
>> IMHO file extension checks must also be enforced on the server side, and, if
>> possible, a JS workaround should be provided for proper handling in IE.
>> Malicious PDFs do exist...
>>
>> Best regards
>> Phil
>
> Have you notified upstream about this issue?
>
> ---
> Henri Salo
No

Phil
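The server-side enforcement Phil asks for, as an added Python example (not MediaWiki's own code; the function names and the magic-byte table are my own): the extension is checked on the server against the same default allow-list, and the first bytes of the file must match that type, so a PDF gets through neither as report.pdf nor renamed to report.png.

```python
import os

# Mirrors the default $wgFileExtensions allow-list quoted in the bug report.
ALLOWED_EXTENSIONS = frozenset({"png", "gif", "jpg", "jpeg"})

# Constructed table of file signatures ("magic bytes") for the allowed types,
# so the server checks the content rather than trusting the name the browser
# sent. An allowed extension with no entry here is rejected, not waved through.
MAGIC_BYTES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def extension_of(filename: str) -> str:
    """Final extension, lower-cased, of a client-supplied name ("" if none)."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def validate_upload(filename: str, data: bytes, allowed=ALLOWED_EXTENSIONS) -> str:
    """Server-side gate: the extension must be allow-listed AND the bytes must
    begin with a known signature for that extension. Returns the extension."""
    ext = extension_of(filename)
    if ext not in allowed:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not any(data.startswith(sig) for sig in MAGIC_BYTES.get(ext, [])):
        raise UploadRejected(f"content does not look like a {ext} file")
    return ext


def is_upload_allowed(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed samples: a PNG header, and a PDF header under two names.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    pdf = b"%PDF-1.4\n"
    print(is_upload_allowed("photo.PNG", png))   # True
    print(is_upload_allowed("report.pdf", pdf))  # False: extension not allowed
    print(is_upload_allowed("report.png", pdf))  # False: bytes are not a PNG
```

The JavaScript check in the browser can stay as a convenience for the user; only the server-side check is a security control.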