On Mon, Jan 28, 2019 at 10:58 PM Kunal Mehta <legoktm(a)member.fsf.org> wrote:
Tim wrote a nice blog post about how he
reverse-engineered this:
<https://tstarling.com/blog/2008/12/secure-web-uploads/>.
I don't have any comments on whether it's still needed, but if it's
determined that MediaWiki can drop the checks, I'd like to see it
turned into a PHP library...mostly because it's some neat code.
Heck yes. :)
My provisional patch is still keeping the code, but using it more
conservatively:
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/487527
The exact IE-based heuristics are still checked but will trip only on files
matching the exact conditions that would affect old IE versions. Most
uploaded JPEG or PNG files with HTML-ish links in EXIF metadata should not
trigger it, as the tag strings won't appear in the first 256 bytes of the
file.
The less-exact heuristics (held over from before Tim's addition of the
reverse-engineered exact checks) are now less overbearing, and should no
longer trigger on <a href, <img, <pre, <table, or <title tags. This also
obsoletes the $wgAllowTitlesInSVG setting, which will now be always true.
Feel free to help with review and testing -- especially welcome if folks
have samples of JPEG, PDF, DjVu, or other files that were blocked before
but should work so we can double-check. Thanks all!
-- brion