
Cap size of files within packages
Closed, Declined | Public

Description

It's possible for a small .zip file to expand to arbitrarily large content files. This opens a DoS vector in this extension's upload-and-unpack feature.

It can use unzip -l or equivalent (and tar -t or equivalent for tar files) to find out how large the package's contents are before unpacking it, and refuse oversize content.


Version: master
Severity: normal
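
The pre-unpack check proposed in the description, as an added example in Python (not code from the MultiUpload extension). It reads only the archive's listing, the same sizes that unzip -l and tar -tv print, and refuses a package whose listed contents exceed a cap. The 1 MiB cap, the function names and the sample archive are assumptions made for this example.

```python
import io
import tarfile
import zipfile

MAX_TOTAL_BYTES = 1 * 1024 * 1024  # assumed cap for this example


class PackageTooLarge(Exception):
    """Raised when the listed contents of a package exceed the cap."""


def declared_sizes(fileobj):
    """Return each member's uncompressed size from archive metadata, without extracting."""
    if zipfile.is_zipfile(fileobj):
        fileobj.seek(0)
        with zipfile.ZipFile(fileobj) as zf:
            # Central-directory sizes: what `unzip -l` lists.
            return [info.file_size for info in zf.infolist()]
    fileobj.seek(0)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        # Header sizes: what `tar -tv` lists.
        return [m.size for m in tf.getmembers() if m.isfile()]


def check_package(fileobj, max_total=MAX_TOTAL_BYTES):
    """Return the total listed size, or raise PackageTooLarge before anything is unpacked."""
    total = sum(declared_sizes(fileobj))
    if total > max_total:
        raise PackageTooLarge(f"contents are {total} bytes, cap is {max_total}")
    fileobj.seek(0)  # leave the stream ready for the real extraction step
    return total


def make_zip(payload_len):
    """Constructed sample: a zip with one member of payload_len zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.bin", b"\0" * payload_len)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    big = make_zip(8 * 1024 * 1024)
    print("upload size in bytes:", len(big.getvalue()))
    try:
        check_package(big)
    except PackageTooLarge as exc:
        print("refused:", exc)
```

The sizes in an archive's headers are supplied by the uploader, so the extraction step should also stop writing once the cap is reached rather than rely on the listing alone.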

Details

Reference
bz63835

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:17 AM
bzimport set Reference to bz63835.
MarkTraceur subscribed.
Aklapper added a subscriber: Worden.lee.

@Worden.lee: I am resetting the assignee of this task because there has not been progress lately (please correct me if I am wrong!).
Resetting the assignee avoids the impression that somebody is already working on this task. It also allows others to potentially work towards fixing this task.
Please claim this task again when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu) - it would be welcome! Thanks for your understanding!

Declining as the MultiUpload extension is unmaintained and non-functional with recent MediaWiki releases. See T268667 for more information.