Clayton wrote:
OOXML formats are zip achives. It is likely the only way to correctly identify them is to extract the files from the zip archive and validate them as being office 2007 format. I think the same method was mentioned for OpenDocument files, except OpenDocument has a validator available.
I can't find my previous post on this, but I provided a dirty, dirty hack for allowing OOXML uploads. Like the patch in the bug report, it opens a hole for exploits; but, without validation, I think any fix would open a hole for exploits.
Well, in this case, it's only the one file type... or more accurately the one specific file - as we discovered through more testing today. I think we've nailed it down to this one file being "broken" somehow. While being a valid OXT file (ie it can be used in OpenOffice.org), for some reason its mime type isn't being correctly identified on the Wiki. Other OXT files tested are correctly IDed (as they should be) and can be uploaded.
So... I'm thinking the hack isn't needed in this case, and that ultimately, this is not a bug in MediaWiki - instead a problem with the creation of this one file that a user was trying to upload.
C.
Since OpenDocument files are Zip files, unless you do some extra validation, a Jar could be uploaded disguised as an OD? file. The vulnerability is that a Jar have same-origin permissions over the wiki, and so -linked from an external page viewed by logged-in users- can do all kinds of Bad Things.