Platonides wrote:
Since OpenDocument files are Zip files, unless you do some extra
validation, a Jar could be uploaded disguised as an OD? file.
The vulnerability is that a Jar has same-origin permissions over the
wiki, and so (linked from an external page viewed by logged-in users)
can do all kinds of Bad Things.
It's possible to make a file which is simultaneously a valid JAR file
and a valid OpenDocument file. Here's the one I made in September last
year:
http://noc.wikimedia.org/~tstarling/odjar/
-- Tim Starling
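As an added illustration that is not part of the post, nor MediaWiki's own upload code: the Python below writes a minimal OpenDocument text file that is also a JAR (a Java manifest plus a class entry sit next to the ODF content in the same archive), and then shows the "extra validation" the thread is asking for, a scan of the Zip directory for anything that would let the JVM load the file. The ODF layout rule it relies on (first entry named `mimetype`, stored uncompressed, so the media type lands at a fixed offset) is from the ODF specification; the XML content, the manifest text and the class bytes are constructed here, and the class entry is only the `0xCAFEBABE` magic, not runnable bytecode.

```python
import io
import zipfile

# Constructed sample content for this example, not taken from any real file.
ODT_MIME = b"application/vnd.oasis.opendocument.text"
CONTENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<office:document-content '
    b'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    b'office:version="1.2"/>'
)
ODF_MANIFEST_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<manifest:manifest '
    b'xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
    b'<manifest:file-entry manifest:full-path="/" '
    b'manifest:media-type="application/vnd.oasis.opendocument.text"/>'
    b'</manifest:manifest>'
)
# JAR-side entries. The class bytes are a placeholder (only the 0xCAFEBABE
# magic), not real bytecode; an attacker would ship a compiled applet here.
JAR_MANIFEST = b"Manifest-Version: 1.0\r\nMain-Class: Applet\r\n\r\n"
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 4


def build_odt(with_jar: bool) -> bytes:
    """Write a minimal ODF text document; optionally make it a JAR as well.

    ODF requires the first entry to be named 'mimetype' and stored
    uncompressed, so the media type sits at a fixed offset for sniffers.
    Nothing in the Zip format stops later entries from being a Java
    manifest and class files, which is all a JAR needs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", CONTENT_XML,
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/manifest.xml", ODF_MANIFEST_XML,
                    compress_type=zipfile.ZIP_DEFLATED)
        if with_jar:
            # ODF's manifest.xml and Java's MANIFEST.MF coexist in META-INF/
            # without conflicting, so the file stays valid for both readers.
            zf.writestr("META-INF/MANIFEST.MF", JAR_MANIFEST)
            zf.writestr("Applet.class", FAKE_CLASS)
    return buf.getvalue()


def looks_like_odf(data: bytes) -> bool:
    """The shallow check an upload filter might stop at: Zip magic, then the
    'mimetype' entry as the first local header (name at offset 30, media
    type at offset 38). The polyglot passes this check."""
    if not data.startswith(b"PK\x03\x04") or data[30:38] != b"mimetype":
        return False
    return data[38:].startswith(b"application/vnd.oasis.opendocument.")


def java_entries(data: bytes) -> list:
    """The extra validation: list every entry that would let the JVM treat
    the archive as a JAR. Names are compared case-insensitively because
    Java's JarFile locates META-INF/MANIFEST.MF regardless of case, and a
    JAR needs no manifest at all to load classes, so .class entries are
    flagged on their own."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name == "meta-inf/manifest.mf" or name.endswith(".class"):
                found.append(info.filename)
    return found


def accept_odf_upload(data: bytes) -> bool:
    """Accept only archives that sniff as ODF and carry no Java entries.
    Data the Zip parser cannot read is rejected, not waved through."""
    try:
        return looks_like_odf(data) and not java_entries(data)
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    polyglot = build_odt(with_jar=True)
    clean = build_odt(with_jar=False)
    print("polyglot sniffs as ODF:", looks_like_odf(polyglot))
    print("polyglot Java entries:", java_entries(polyglot))
    print("accept polyglot:", accept_odf_upload(polyglot))
    print("accept clean ODT:", accept_odf_upload(clean))
```

The same directory scan applies to every Zip-based format a wiki accepts (ODF, OOXML, and so on), since the polyglot trick does not depend on anything ODF-specific. It is a blacklist, so it is a second line of defence: serving uploaded files from a separate origin removes the same-origin permissions the thread describes even when a disguised JAR slips through.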