Author: gmaxwell
Description:
I'm opening this for tracking and comment collection purposes; it is not yet actionable.
A recent foundation-l thread linked to some scaremongering about viruses/trojans on websites open to outside submissions. In this thread it was pointed out that the Wikimedia wikis are not sufficiently strict with uploaded content for some extensions. The risk created by this is probably fairly low, but it should be addressed.
For example, a win32 exe uploaded under a number of names:
http://commons.wikimedia.org/wiki/Image:Winecmdexe.ogg
http://commons.wikimedia.org/wiki/Image:Winecmdexe.pdf
http://commons.wikimedia.org/wiki/Image:Winecmdexe.sxw
http://commons.wikimedia.org/wiki/Image:Winecmdexe.mid
http://commons.wikimedia.org/wiki/Image:Winecmdexe.xcf
http://commons.wikimedia.org/wiki/Image:Winecmdexe.svg
http://commons.wikimedia.org/wiki/Image:Winecmdexe.sxd
As far as I can tell, our current detection of Ogg and MIDI files appears reliable and accurate. I don't see why we can't enforce for those types. Can anyone provide any counterexamples or suggested test cases?
We do not appear to correctly detect valid XCFs.
I am not sure where we stand on the other formats.
Version: unspecified
Severity: enhancement
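
An added illustration of the enforcement this report asks for, not MediaWiki's own detection code: an upload is accepted only when its leading bytes match the signature expected for its extension. The function names (`sniff`, `check_upload`) are hypothetical, the sample byte strings are constructed, and only formats with a fixed leading signature are covered.

```python
import os

# Leading-byte signatures (well-known format magics), all at offset 0.
SIGNATURES = {
    "ogg": b"OggS",        # Ogg page capture pattern
    "mid": b"MThd",        # Standard MIDI File header chunk
    "xcf": b"gimp xcf ",   # GIMP native image
    "pdf": b"%PDF-",
}
# Content that must never pass under a media extension.
EXECUTABLE_MAGICS = {b"MZ": "DOS/Windows executable"}


def sniff(head: bytes):
    """Return the extension whose signature matches the leading bytes, or None."""
    for ext, magic in SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None


def check_upload(filename: str, data: bytes):
    """Return (verdict, reason); verdict is 'accept', 'reject' or 'unverified'."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    head = data[:16]
    for magic, label in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return "reject", f"content is a {label}, not .{ext}"
    if ext not in SIGNATURES:
        return "unverified", f"no signature rule for .{ext}"
    found = sniff(head)
    if found == ext:
        return "accept", f"content matches .{ext}"
    return "reject", f".{ext} expected, content looks like {found or 'unknown data'}"


# Constructed sample inputs (headers only, not real files).
SAMPLES = [
    ("Winecmdexe.ogg", b"MZ\x90\x00\x03\x00\x00\x00"),   # exe bytes, .ogg name
    ("tune.ogg", b"OggS\x00\x02" + b"\x00" * 8),
    ("song.mid", b"MThd\x00\x00\x00\x06\x00\x01"),
    ("layers.xcf", b"%PDF-1.4\n"),                        # PDF bytes, .xcf name
    ("drawing.sxd", b"PK\x03\x04"),                       # no rule defined here
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, *check_upload(name, blob))
```

A matching leading signature is a necessary check, not a sufficient one: a file can begin with valid magic bytes and still carry unrelated data, so the container-based and XML formats (sxw, sxd, svg) need a real parse rather than a prefix test.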