
Possible to upload a file with a not-allowed extension if it has multiple extensions, one of which is good
Closed, Resolved; Public

Description

Splitting this out from bug 33549 comment 8 and bug 33549 comment 9:

[[commons:File:Deamado ko.png.bmp]] is MIME type: image/x-bmp.

Looking at MediaWiki core's DefaultSettings.php and Wikimedia's CommonSettings.php, I can't figure out how this file type is allowed. Don't we strictly validate file extensions at least? Referring to [[mw:Manual:$wgStrictFileExtensions]], I suppose.

I was able to reproduce an upload of this file type on Commons via [[commons:Special:Upload]] a few minutes ago by simply disabling JavaScript in my browser (the file selection input has some associated JavaScript validation logic).

(In reply, Bawolff (Brian Wolff) from bug 33549 comment 10)

Umm yeah, that shouldn't be allowed.


Version: 1.23.0
Severity: normal

Details

Reference
bz62451

Event Timeline

bzimport raised the priority of this task from to Normal. (Nov 22 2014, 2:55 AM)
bzimport set Reference to bz62451.
MZMcBride created this task. (Mar 9 2014, 7:55 AM)

Change 117668 had a related patch set uploaded by Brian Wolff:
When checking whitelist of extensions, only count last extension.

https://gerrit.wikimedia.org/r/117668

Change 117668 merged by jenkins-bot:
When checking whitelist of extensions, only count last extension.

https://gerrit.wikimedia.org/r/117668
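
The flaw described in this task and the fix named in the patch title, sketched as an added PHP example (not MediaWiki's code and not part of the original task). The function names and the allowlist are hypothetical; only the file name `Deamado ko.png.bmp` comes from the report.

```php
<?php
// Added illustration; not MediaWiki's code. All names here are hypothetical.

// Assumed allowlist for the demo (not Wikimedia's real configuration).
const ALLOWED_EXTENSIONS = ['png', 'gif', 'jpg', 'jpeg'];

/** Return every dot-separated suffix after the base name, lower-cased. */
function allExtensions(string $filename): array {
    $parts = explode('.', strtolower(trim($filename)));
    array_shift($parts);               // drop the base name
    return $parts;                     // empty pieces are kept on purpose
}

/** Flawed check: passes if ANY extension in the name is on the allowlist. */
function anyExtensionAllowed(string $filename, array $allowed): bool {
    return count(array_intersect(allExtensions($filename), $allowed)) > 0;
}

/** Corrected check: only the LAST extension is compared to the allowlist. */
function lastExtensionAllowed(string $filename, array $allowed): bool {
    $exts = allExtensions($filename);
    if ($exts === []) {
        return false;                  // no extension at all: reject
    }
    // Strict comparison; a trailing dot yields '' and is rejected.
    return in_array(end($exts), $allowed, true);
}

// Constructed sample names; the first is the file named in the report.
$samples = ['Deamado ko.png.bmp', 'photo.png', 'photo.bmp', 'scan.bmp.png', 'README'];

foreach ($samples as $name) {
    printf(
        "%-20s any=%-5s last=%s\n",
        $name,
        var_export(anyExtensionAllowed($name, ALLOWED_EXTENSIONS), true),
        var_export(lastExtensionAllowed($name, ALLOWED_EXTENSIONS), true)
    );
}
```

With this allowlist the two checks disagree only on `Deamado ko.png.bmp`: the "any" check accepts it because of the inner `.png`, while the "last" check rejects it because the final extension is `.bmp`.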

Bug 63076 has been marked as a duplicate of this bug.

Change merged, so marking as resolved

Gilles raised the priority of this task from Normal to Unbreak Now!. (Dec 4 2014, 10:25 AM)
Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles lowered the priority of this task from Unbreak Now! to Normal. (Dec 4 2014, 11:20 AM)