Page MenuHomePhabricator

Upload verification check broken. mp4 uploaded as .ogg
Closed, ResolvedPublic

Description

It seems that again our filetype verification checks are broken. The link is a recently uploaded mp4 file under a .ogg name.

This should not be possible with the WMF configuration.


Version: 1.20.x
Severity: normal
URL: https://en.wikipedia.org/wiki/File:02_Calma_Pueblo.ogg
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=48306
https://bugzilla.wikimedia.org/show_bug.cgi?id=22934

Details

Reference
bz39012

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 12:55 AM
bzimport set Reference to bz39012.
bzimport added a subscriber: Unknown Object (MLST).
TheDJ created this task.Aug 3 2012, 3:00 PM

There's also a couple of "gif" files on commons that aren't really gif's which should be investigated.

Given how this sort of thing keeps popping up, it screams unittests ;)

https://en.wikipedia.org/wiki/File:02_Calma_Pueblo.ogg only mentions November 2012 in its version history but this report is from August so that testcase is probably moot now.

  • Bug 47709 has been marked as a duplicate of this bug. ***

This is definitely still present. https://commons.wikimedia.org/wiki/File:2dschrodinger.ogg is from less than a month ago (April 7, 2013).

Bumping up to normal (could argue even higher).

this was likely caused and (now) fixed by bug 48306 ?

(In reply to comment #6)

this was likely caused and (now) fixed by bug 48306 ?

Not entirely. We still let through things that have a mime type not on the blacklist and have no known (to mediawiki) canonical extension associated with that mime type. (I think we should change that. Note I do not believe that represents a security issue currently, but probably not the best idea in terms of appropriate level of paranoia)

TheDJ added a comment.May 21 2013, 7:26 PM

I vaguely remember I once had a discussion with Tim S about this problem and he didn't consider it terribly important if I remember well (and specifically he said that it definitely wasn't a regression).

But I still don't like it, and there have also been quite a few complaints 'on wiki' about this.

I think it would be appropriate to check if the target extension has a known mime type, and only allow the mimes with no known ext if the target ext has no associated mime.

  • Bug 52990 has been marked as a duplicate of this bug. ***

For mp4 specificly, see https://gerrit.wikimedia.org/r/79809

The issue in general still needs to be addressed.

Change 79954 had a related patch set uploaded by Brian Wolff:
Be stricter for file types where we don't know canonical extension

https://gerrit.wikimedia.org/r/79954

Change 79954 merged by jenkins-bot:
Be stricter for file types where we don't know canonical extension

https://gerrit.wikimedia.org/r/79954

  • Bug 33549 has been marked as a duplicate of this bug. ***

(In reply to Marco from comment #15)

How come that someone uploaded _JPE_ files in May?
https://commons.wikimedia.org/wiki/File:Bombinhas_SC.jpe
https://commons.wikimedia.org/wiki/File:
%D0%91%D1%83%D1%86%D1%8C%D0%BA%D0%B8%D0%B9_%D0%BA%D0%B0%D0%BD%D1%8C%D0%B9%D0%
BE%D0%BD,_c._%D0%91%D1%83%D0%BA%D0%B8.jpe

Looks like issue with file move code (both moved to new name by Ahonc)

Gilles raised the priority of this task from Normal to Unbreak Now!.Dec 4 2014, 10:25 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles lowered the priority of this task from Unbreak Now! to Normal.Dec 4 2014, 11:20 AM