Page MenuHomePhabricator
Create Task
Maniphest T22780

Upload of MIDI file erroneously rejected
Closed, ResolvedPublic
Actions

Description

Uploading the MIDI file at http://mbednarek.com/temp/maidensprayer.mid results in the error message: "This file contains HTML or script code that may be erroneously interpreted by a web browser."

According to user Splarka at http://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&oldid=315675310#Upload_MIDI this happend because this particular file happened to have the string "<A" in its first 1024 characters. That string is part of a valid MIDI instruction.

Binary files, like MIDI files, should not be subject to screening for text strings; fragments like "<A" in this case can obviously occur outside the context of "HTML or script code."

User Splarka mentioned that "UploadBase.php" might be at the core of the problem.

Version: unspecified
Severity: major

Details

Reference
bz20780

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:46 PM
bzimport added a project: MediaWiki-Uploading.
bzimport set Reference to bz20780.
mb created this task.Sep 23 2009, 11:23 AM
bzimport added a comment.Sep 23 2009, 1:22 PM

herd wrote:

Also got this with http://commons.wikimedia.org/wiki/File:Loading.gif

bzimport added a comment.Sep 23 2009, 1:48 PM

Bryan.TongMinh wrote:

Something went wrong when I tried to merge r43627 in the new-upload branch with r45378, it should detect '<a href='

TheDJ added a comment.Sep 23 2009, 1:51 PM

Shouldn't that be '<a'*'href=', because <a title="woot i haxored you" href= would still do the trick of course.

bzimport added a comment.Sep 23 2009, 2:00 PM

herd wrote:

Shouldn't that be '<a'*'href=', because <a title="woot i haxored you" href=
would still do the trick of course.

IE specifically checks for '<A HREF' and since the only reason to have this detection is to pre-guess IE, it just needs to find '<A HREF'. I think.

Catrope added a comment.Sep 23 2009, 2:00 PM

(In reply to comment #3)

Shouldn't that be '<a'*'href=', because <a title="woot i haxored you" href=
would still do the trick of course.

Like the comments in IEContentAnalyzer.php say, the objective is to emulate IE's broken MIME detection code, not to be correct. You've just pointed out an obvious flaw in IE's algorithm, which IEContentAnalyzer duplicates because its purpose is to predict how IE will react.

bzimport added a comment.Sep 23 2009, 2:08 PM

Bryan.TongMinh wrote:

(In reply to comment #5)

(In reply to comment #3)

Shouldn't that be '<a'*'href=', because <a title="woot i haxored you" href=
would still do the trick of course.

Like the comments in IEContentAnalyzer.php say, the objective is to emulate
IE's broken MIME detection code, not to be correct. You've just pointed out an
obvious flaw in IE's algorithm, which IEContentAnalyzer duplicates because its
purpose is to predict how IE will react.

Note that this is UploadBase::detectScript, which is separate of IEContentAnalyzer. I don't exactly understand if and how those two functions are related and whether UploadBase::detectScript duplicated functions of IEContentAnalyzer.

bzimport added a comment.Sep 23 2009, 2:14 PM

Bryan.TongMinh wrote:

r56817.

Gilles added a project: Multimedia.Dec 4 2014, 10:47 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL