The problem is highlighted here... https://github.com/wikimedia/mediawiki/blob/master/includes/DefaultSettings.php#L923-L930

* @warning If you add any OpenOffice or Microsoft Office file formats here,
* such as odt or doc, and untrusted users are allowed to upload files, then
* your wiki will be vulnerable to cross-site request forgery (CSRF).

I would suggest that unless we implemented some scanning of the files (I've no idea how easy, hard or otherwise that would be. It's probably a rabbit hole), we're basically blocked until we have something like T28508: Content Security Policy (CSP) and running with it in a restrictive mode. But I cannot say offhand if that would be sufficient to quell the problem

In T200187#4444907, @Reedy wrote:

The problem is highlighted here... https://github.com/wikimedia/mediawiki/blob/master/includes/DefaultSettings.php#L923-L930

* @warning If you add any OpenOffice or Microsoft Office file formats here,
* such as odt or doc, and untrusted users are allowed to upload files, then
* your wiki will be vulnerable to cross-site request forgery (CSRF).

I would suggest that unless we implemented some scanning of the files (I've no idea how easy, hard or otherwise that would be. It's probably a rabbit hole), we're basically blocked until we have something like T28508: Content Security Policy (CSP) and running with it in a restrictive mode. But I cannot say offhand if that would be sufficient to quell the problem

Thanks very much for clarifying the issues blocking this, are there any open slide formats that would not have this issue? LibreOffice can save files in many formats:

• .odp
• .otp
• .odg
• .fodp
• .uop
• .pptx
• .ppsx
• .potm

Not sure, would require some research

I would obviously avoid pptx and ppsx (at least), with them being Microsoft PowerPoint formats, and as such aren't so open formats :)

A thought as a workaround; try saving the presentations to TIFF? It supports multi page images, and MediaWiki will let you browse through the pages too. No idea how well they come out after being saved by the various programs

How could someone research if they would avoid this issue? What should they be looking for?

Thanks for the workaround, I know that zipping up the file also works, but its still a bit of a fudge

In T200187#4445010, @Reedy wrote:

A thought as a workaround; try saving the presentations to TIFF? It supports multi page images, and MediaWiki will let you browse through the pages too. No idea how well they come out after being saved by the various programs

Hmm. So on macOS, PowerPoint saves it to a TIFF file per slide (bleugh)

LibreOffice only seems to export one slide...

I did find https://extensions.libreoffice.org/extensions/export-as-images but might not work on newer versions

In T200187#4445029, @Mrjohncummings wrote:

Thanks for the workaround, I know that zipping up the file also works, but its still a bit of a fudge

? You can't upload zips to commons

In T200187#4445032, @Reedy wrote:

In T200187#4445029, @Mrjohncummings wrote:

Thanks for the workaround, I know that zipping up the file also works, but its still a bit of a fudge

? You can't upload zips to commons

Ah yes, you're right, I'd been told this at some time but never checked to see if it was true. Thanks

In T200187#4445030, @Reedy wrote:

In T200187#4445010, @Reedy wrote:

A thought as a workaround; try saving the presentations to TIFF? It supports multi page images, and MediaWiki will let you browse through the pages too. No idea how well they come out after being saved by the various programs

Hmm. So on macOS, PowerPoint saves it to a TIFF file per slide (bleugh)

LibreOffice only seems to export one slide...

I did find https://extensions.libreoffice.org/extensions/export-as-images but might not work on newer versions

Thanks, this is helpful for people who want share images of the slides but doesn't get to the issue of having editable slides.

See also T4089: Whitelist OASIS OpenDocument file format and T45154: Commons uploads: Support all LibreOffice/OpenOffice.org formats (and automatic conversion from Microsoft Office formats).

Maybe related: T25829 and T26076.

See also (and feel free to join) this current discussion at commons (permalink as of today). According to @Bawolff most of the security issues may no longer be a concern. The potential for malicious macros could be a blocker, though.

In T200187#4444907, @Reedy wrote:

The problem is highlighted here... https://github.com/wikimedia/mediawiki/blob/master/includes/DefaultSettings.php#L923-L930

* @warning If you add any OpenOffice or Microsoft Office file formats here,
* such as odt or doc, and untrusted users are allowed to upload files, then
* your wiki will be vulnerable to cross-site request forgery (CSRF).

I would suggest that unless we implemented some scanning of the files (I've no idea how easy, hard or otherwise that would be. It's probably a rabbit hole), we're basically blocked until we have something like T28508: Content Security Policy (CSP) and running with it in a restrictive mode. But I cannot say offhand if that would be sufficient to quell the problem

I think that's a reference to the possibility of them being JAR files, which we now scan for.

I think integrating https://webodf.org/ would be a very cool project.