Page MenuHomePhabricator

.txt files "may contain malicious content"
Closed, DuplicatePublic

Description

Test_text_file.txt ‎(file size: 458 bytes, MIME type: text/plain)
Warning: This file type may contain malicious code. By executing it, your system may be compromised.

Really?

Event Timeline

TTO created this task.Dec 21 2016, 10:48 AM
Restricted Application added projects: Multimedia, Commons. · View Herald TranscriptDec 21 2016, 10:48 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

What are steps to reproduce? Where can the file and its content be found?

TTO added a comment.EditedDec 21 2016, 12:17 PM

What are steps to reproduce? Where can the file and its content be found?

Upload any .txt file on any out-of-the-box MediaWiki installation. This issue doesn't apply to the WMF cluster, because you can't upload .txt files.

Poyekhali added a subscriber: Poyekhali.

Commons don't allow .txt files, so Commons should not be involved with this task.

Certain web browsers might do unsafe mime sniffing on text/plain. Perhaps thats the reason (have not looked at code)

MarkTraceur triaged this task as Low priority.Dec 22 2016, 5:21 PM
MarkTraceur moved this task from Untriaged to Triaged on the Multimedia board.
MarkTraceur added a subscriber: MarkTraceur.

You can "fix" this by doing the following in LocalSettings.php:

$wgTrustedMediaFormats[] = 'text/plain';

If you want to submit a patch adding that value to the default trusted formats array, that would be fine, but I'd like someone with some kind of security chops to at least briefly glance at it and say "OK."

Change 328852 had a related patch set uploaded (by TTO):
Add text/plain as a trusted MIME type

https://gerrit.wikimedia.org/r/328852

According to https://bugzilla.mozilla.org/show_bug.cgi?id=637981, it appears that IE 6-8 will do the unsafe MIME sniffing and process what should be plain text as HTML.

TTO added a comment.Dec 23 2016, 3:40 AM

According to https://bugzilla.mozilla.org/show_bug.cgi?id=637981, it appears that IE 6-8 will do the unsafe MIME sniffing and process what should be plain text as HTML.

This is indeed the case, and it's quite scary: https://developer.microsoft.com/en-us/microsoft-edge/tools/screenshots/?url=http%3A%2F%2Fatlight.github.io%2Ftestmime.txt

However, MediaWiki didn't let me upload such a file. Depending on the file contents, I get various errors like Files of the MIME type "text/html" are not allowed to be uploaded. or This file contains HTML or script code that may be erroneously interpreted by a web browser.

And isn't IEContentAnalyzer supposed to protect against this kind of thing as well?

I guess the original intention of that warning is for executable formats. In the case of mime sniffing issues, an attacker would probably force the user to directly load the file, at which point a warning would be too late, since the browser would not present any prompt or confirmation before running the html, as it would be treated as just another website.

brion added a subscriber: brion.Jan 14 2017, 3:55 AM

The warning is completely bogus and useless -- it's roughly a "we can't verify this file is safe" warning for things like "PDF might contain invalid data that a vulnerable buggy reader program will misinterpret" but we can't verify that legitimate image files are *actually* safe either, they might have weird crap in their EXIF data etc that triggers something specific to a specific decoder. Warning should just get removed entirely.

We have a different, more explicit warning for PDF files.