As of now, most file types are disallowed for uploads to the Wikipedia. As I
understand, this is due to the fact that MSIE can be tricked into executing
potentially harmful JavaScript code in any file, regardless of MIME type or file
extension. This is the case because MSIE will interpret all files that "somehow
look like" HTML as such. In the following I would like to propose a solution to
this problem.

It would be good to be again able to upload files in formats like MIDI and SVG -
SVG is especially tricky, as it allows JavaScript by specification. These types
of files would be handy so the data can be easily edited and re-used by others,
and especially because the GFDL calls for the "transparent source" of a document,
which is at the moment impossible to provide via Wikipedia.

But it is also sad but true that JavaScript is in general not very secure, be it
in HTML or in SVG. Thus, I would suggest doing the following:

a) detect and reject all files that "somehow look like" HTML, emulating MSIE's
guess - as I hear there is already experimental code for this in the CVS. I
re-wrote a trivial version of this guess for the code presented at the URL given
below.

b) detect and reject all files containing JavaScript code. This will probably
produce some false positives, but that is better than rejecting all but a few
formats altogether. The detection function in the URL below is rather crude, but
should work most of the time.

c) scan for viruses on upload, using an external virus scanner. The wrapper
function I wrote is generic and can deal with any scanner that can be invoked
from the command line. The example uses ClamAV.

A prototype, proof-of-concept implementation can be viewed and tested here:
http://area23.brightbyte.de/checkfile-test.php

The source is available there, but would need some modifications to be
integrated into MediaWiki (I guess - I have never looked into the MW-source, and
I don't plan to). For more information and suggestions, please go to
http://de.wikipedia.org/w/wiki/Benutzer:Duesentrieb/checkfile

I hope you like it and it's not too hard to put it in. It would be extremely
helpful if we could again upload "obscure" things like MIDI and SVG to the
Wikipedia.

PS: Bug #667 relates to the same problem, but is very specific in that it just
requests a single format to be allowed. It also does not propose a solution.

Version: 1.5.x
Severity: enhancement
URL: http://area23.brightbyte.de/checkfile-test.php
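
The three checks a) to c) proposed in this report can be sketched as follows. This is an added example, not the prototype at the URL above and not MediaWiki code; the function names, the `SNIFF_BYTES` window, the tag list and the regular expressions are assumptions made for illustration, and the samples at the end are constructed.

```php
<?php
// Added illustration; tag list, sniff window and patterns are assumptions.
const SNIFF_BYTES = 1024; // assumed: sniffers only inspect the start of a file
// a) Would a content-sniffing browser plausibly treat this data as HTML?
function looksLikeHtml(string $data): bool {
    $head = strtolower(substr($data, 0, SNIFF_BYTES));
    $tags = ['<html', '<head', '<body', '<title', '<script', '<a href',
             '<img', '<table', '<pre', '<plaintext', '<!doctype html'];
    foreach ($tags as $tag) {
        if (strpos($head, $tag) !== false) return true;
    }
    return false;
}

// b) Script elements, script URLs or inline event handlers anywhere in the file.
function containsScript(string $data): bool {
    $patterns = [
        '/<\s*script\b/i',             // <script> in HTML or SVG
        '/\b(?:java|vb)script\s*:/i',  // javascript: / vbscript: URLs
        '/\son[a-z]+\s*=\s*["\']/i',   // onload="..." style handlers
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $data) === 1) return true;
    }
    return false;
}

// c) Run a command-line scanner. clamscan exits 0 = clean, 1 = infected, 2 = error.
function virusScan(string $path, string $cmd = 'clamscan --no-summary %s'): string {
    exec(sprintf($cmd, escapeshellarg($path)) . ' 2>&1', $out, $code);
    return $code === 0 ? 'clean' : ($code === 1 ? 'infected' : 'error');
}

// Collect every reason to reject; an empty array means the upload may proceed.
function checkUpload(string $path): array {
    $data = file_get_contents($path);
    if ($data === false) return ['unreadable'];
    $reasons = [];
    if (looksLikeHtml($data))  $reasons[] = 'looks like HTML';
    if (containsScript($data)) $reasons[] = 'contains script';
    $verdict = virusScan($path);
    if ($verdict !== 'clean') $reasons[] = "virus scan: $verdict"; // fail closed
    return $reasons;
}

// Constructed samples: an SVG with an event handler, and a MIDI header.
$svg  = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>';
$midi = "MThd\x00\x00\x00\x06\x00\x01\x00\x02\x01\xe0MTrk";
var_dump(containsScript($svg), looksLikeHtml($midi) || containsScript($midi));
```

The matching is done on raw bytes, so UTF-16 or entity-encoded content would have to be decoded before these checks apply. A scanner error or a missing scanner binary rejects the upload rather than letting it through.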