Test_text_file.txt (file size: 458 bytes, MIME type: text/plain) Warning: This file type may contain malicious code. By executing it, your system may be compromised.
Really?
Subject | Repo | Branch | Lines +/-
---|---|---|---
Add text/plain as a trusted MIME type | mediawiki/core | master | +1 -1

Commit: rMW61104de613ba Add text/plain as a trusted MIME type (rMW MediaWiki)
Upload any .txt file on any out-of-the-box MediaWiki installation. This issue doesn't apply to the WMF cluster, because you can't upload .txt files.
Certain web browsers might do unsafe MIME sniffing on text/plain. Perhaps that's the reason (have not looked at code).
You can "fix" this by doing the following in LocalSettings.php:
$wgTrustedMediaFormats[] = 'text/plain';
If you want to submit a patch adding that value to the default trusted formats array, that would be fine, but I'd like someone with some kind of security chops to at least briefly glance at it and say "OK."
Change 328852 had a related patch set uploaded (by TTO):
Add text/plain as a trusted MIME type
According to https://bugzilla.mozilla.org/show_bug.cgi?id=637981, it appears that IE 6-8 will do the unsafe MIME sniffing and process what should be plain text as HTML.
This is indeed the case, and it's quite scary: https://developer.microsoft.com/en-us/microsoft-edge/tools/screenshots/?url=http%3A%2F%2Fatlight.github.io%2Ftestmime.txt
However, MediaWiki didn't let me upload such a file. Depending on the file contents, I get various errors like 'Files of the MIME type "text/html" are not allowed to be uploaded.' or 'This file contains HTML or script code that may be erroneously interpreted by a web browser.'
And isn't IEContentAnalyzer supposed to protect against this kind of thing as well?
I guess the original intention of that warning is for executable formats. In the case of MIME sniffing issues, an attacker would probably force the user to directly load the file, at which point a warning would be too late, since the browser would not present any prompt or confirmation before running the HTML, as it would be treated as just another website.
The warning is completely bogus and useless -- it's roughly a "we can't verify this file is safe" warning for things like "PDF might contain invalid data that a vulnerable buggy reader program will misinterpret" but we can't verify that legitimate image files are *actually* safe either, they might have weird crap in their EXIF data etc that triggers something specific to a specific decoder. Warning should just get removed entirely.
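The upload rejection quoted in the comments above ("This file contains HTML or script code that may be erroneously interpreted by a web browser") comes down to scanning the start of a file for markup that a sniffing browser would render even under text/plain. The following PHP is an added example of such a check, not MediaWiki's own code; the function name `findSniffableMarkers`, the marker list and the 1024-byte window are assumptions made for illustration.

```php
<?php
// Added illustration; not MediaWiki's upload code. The marker list and the
// 1024-byte window are assumptions chosen for this example.

/**
 * Return the HTML-like markers found near the start of an upload that a
 * content-sniffing browser could act on even when the file is served as
 * text/plain. An empty array means nothing suspicious was found.
 */
function findSniffableMarkers( string $data, int $window = 1024 ): array {
    $chunk = substr( $data, 0, $window );

    // Drop NUL bytes so UTF-16 text and NUL-padded markup compare as ASCII,
    // then lowercase because sniffers match tags case-insensitively.
    $chunk = strtolower( str_replace( "\0", '', $chunk ) );

    $markers = [ '<a href', '<body', '<head', '<html', '<img', '<pre',
        '<script', '<table', '<title' ];
    $found = [];
    foreach ( $markers as $marker ) {
        if ( strpos( $chunk, $marker ) !== false ) {
            $found[] = $marker;
        }
    }
    return $found;
}

// Constructed sample uploads, all named *.txt by the uploader.
$samples = [
    // Ordinary text with stray angle brackets: no tag-like marker.
    'notes.txt'  => "Meeting notes\n- review patch\n- 2 < 3 and 5 > 4\n",
    // HTML document with a .txt name, mixed case.
    'page.txt'   => "<HTML><body><script>/* placeholder */</script></body></html>",
    // Markup pushed away from offset 0 by leading whitespace.
    'padded.txt' => str_repeat( ' ', 200 ) . "<img src=x>",
    // UTF-16LE text (BOM plus NUL-interleaved bytes) spelling "<table>".
    'wide.txt'   => "\xFF\xFE" . implode( "\0", str_split( '<table>' ) ) . "\0",
];

foreach ( $samples as $name => $data ) {
    $found = findSniffableMarkers( $data );
    printf( "%-11s %s\n", $name,
        $found ? 'reject: ' . implode( ', ', $found ) : 'accept' );
}
```

A check like this belongs at upload time, before the file is ever served, which matches the point made above that a warning shown on the file description page comes too late if the browser is sent straight to the file.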