Hi @Johnywhy, thanks for taking the time to report this and welcome to Phabricator!

Please provide version information for WikiEditor and MediaWiki and follow https://mediawiki.org/wiki/How_to_report_a_bug to provide 1) steps to reproduce, 2) expected outcome, 3) actual outcome. Thanks.

MediaWiki v1.30
WikiEditor v0.5.1, bundled with MediaWiki v1.30

1. In FTP, add following lines to LocalSettings.php and save

wfLoadExtension( 'WikiEditor' );
$wgStrictFileExtensions = false;

1. Log into Wiki.
2. Go to Special:Upload page.
3. Confirm i can upload a .txt file.
4. Enter source edit-mode on a page.
5. Click "Embedded File" button in toolbar.
6. Click "Upload" button in popup.
7. Select a .txt file.
8. Check on "This is my own work".
9. Click "Upload".
10. Enter description.
11. Click "Save".
12. Receive error

Unknown warning: "{"upload":{"result":"Warning","warnings":{"filetype-unwanted-type":["txt","png, gif, jpg, jpeg, webp",5]},"filekey":"15m9ibdt6718.9j6h2t.1.txt","sessionkey":"15m9ibdt6718.9j6h2t.1.txt"}}"."

seems to me that, since both uploaders (on Special:Upload and in source-edit) are the same identical uploader interface, they should call the same php upload functions, instead of having a separate code base.

But apparently they are not sharing code, because one works and the other fails.

I reproduce the step. I got:

One of the parameters filekey, file and url is required.

I take back what I said before, because the error was caused by the fact that I did not assign write permission to the web-server user.

When I fix it and redo reproduce, I got exactly the same warning as the task creator described.

Probably WikiEditor build-in javascript plugin does not support handling this error. The plugin can't ignore the warning message and continue to upload the prohibited file.

The warning is not one of the recognised warnings listed in resources/src/mediawiki/mediawiki.Upload.BookletLayout.js should be fixed indeed.

ping @matmarex because i know this whole thing with errors vs warnings and which message can be which, was something he put some effort in because it was a mess.... Can we just add the message there, or does this require more extensive fixes ?

@TheDJ, are you saying the only fix needed is a different message?

Will that allow the upload of txt and other non-image files?

The bug reported here is that the upload should be allowed.

In T190258#4076307, @Johnywhy wrote:

@TheDJ, are you saying the only fix needed is a different message?

No i'm saying the upload dialog is incorrectly handling the warning.

Debug notes:
This happens in saveFile function of the tool, does a finishStashUpload, and the error handler for stash upload is getErrorMessageForStateDetails().. it seems that all warnings are errors in this tool, and expect that user input can avoid the error. It is not possible to either ignore a specific error, or to present to the user and continue...

Will need to add a flag to the mw.Upload object, to ignorewarnings, then based on that value in finishStashUpload, conditionally add the ignorewarnings flag to the upload. Then from getErrorMessageForStateDetails, toggle the ignorewarnings flag and somehow trigger a retry of finishStashUpload()...

Rather complex...
Note @matmarex btw.. maybe we should consider changing the upload api to accept an array of warnings we we want to ignore. That could simplify some of this and then we don't have to retry.

@Johnywhy you can set $wgCheckFileExtensions = false, which basically bypasses ALL checks on file extensions. That does affect security even more however.

In T190258#4077403, @TheDJ wrote:

set $wgCheckFileExtensions = false, which basically bypasses ALL checks on file extensions. That does affect security even more however.

Great!
Our security model is strict validation of users (via ConfirmAccount extension), rather than strict moderation of files. We don't allow anonymous editing.
thx

UploadWizard has the same problem

Change 421671 had a related patch set uploaded (by TheDJ; owner: TheDJ):
[mediawiki/extensions/UploadWizard@master] Allow uploads when wgStrictFileExtensions = false

https://gerrit.wikimedia.org/r/421671

Maybe we should have a discussion if wgstrictfileextensions should even continue to exist. It seems like a lot of additional complexity for little benefit.

In T190258#4087067, @TheDJ wrote:

Maybe we should have a discussion if wgstrictfileextensions should even continue to exist. It seems like a lot of additional complexity for little benefit.

because it's redundant with?

$wgCheckFileExtensions = false;

is it redundant?

Change 421671 abandoned by TheDJ:
Allow uploads when wgStrictFileExtensions = false

Reason:
more than 1 year old

https://gerrit.wikimedia.org/r/421671