Page MenuHomePhabricator

File upload error messages don't properly take $wgFileBlacklist into account
Closed, ResolvedPublic


If you've set $wgFileExtensions[] = 'exe'; and try to upload an executable, you will get an error message:
".exe" is not a permitted file type. Permitted file types are png, gif, jpg, jpeg, doc, xls, ppt, pps, pdf, png, gif, jpg, jpeg, xml, xsd, wsdl, txt, exe, zip."
because .exe is blacklisted.

An extension being in $wgFileExtensions should probably override its being blacklisted: I assume $wgFileBlacklist is just there to make $wgStrictFileExtensions = false; safe.

Version: 1.15.x
Severity: minor



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:30 PM
bzimport set Reference to bz18372.

mdale wrote:

I think there are a bit too many configuration variables here. I recommend we depreciate blacklisted extensions and only those listed in wgFileExtensions? Do we lose any functionality that way? Seems strange to have to change it in two places (ie add it to wgFileExtensions and remove it from wgFileBlacklist ) or set $wgStrictFileExtensions = false;

Fixed in r77956.

Having $wgFileBlacklist lets you set $wgStrictFileExtensions = false; to make it so that certain extensions are warned against but not blocked. I'm not sure how useful that behavior actually is, but I left it alone.