Hello,
I have problems to upload some types of files
LocalSettings.php:
$wgCheckFileExtensions = false; $wgStrictFileExtensions = false; $wgVerifyMimeType = false; $wgFileExtensions = array( '7z', 'zip', 'rar', 'exe', 'gif', 'jpeg', 'jpg', 'png', 'odp', 'ods', 'odt', 'pdf' );
I could upload 'gif', 'jpg', 'png', 'pdf', 'ods', 'odt' ... etc. but not 'exe' and some times 'zip'
Every attempt to upload an .exe gives an error
"„.exe“ ist ein nicht erlaubtes Dateiformat. Erlaubt sind die Dateiformate: 7z, zip, rar, exe, gif, jpeg, jpg, png, odp, ods, odt, pdf."
works: rac-exe.zip rac.odt.zip rac.ods.odt.odt rac.ods.zip.odt
works *not*: rac.exe -- reports „.exe“ not allowed rac.exe.zip -- reports „.zip“ not allowed rac.ods.exe.odt -- reports „.odt“ not allowed
Why does MW checks extensions if I explicitly say "$wgCheckFileExtensions = false"?
It seems that a file with an an embedded "exe" part could not be uploaded!
Thanks for any hint, Peter
There are some file types that the Wiki developers considered too dangerous to allow to upload. So they're not allowed even if you think you've configured it to "allow everything". I don't know enough to defend or criticize this decision, but I assume the developers know what they're doing.
This includes Open Office files. I'll bet it includes anything with XML.
I designated a place covered by an apache server to place such files, then defined a template to take the file name & convert it to the appropriate link. That way, if I move the location, I can just update the template. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Haim (Howard) Roman Computer Center, Jerusalem College of Technology Phone: 052-8-592-599 (6022 from within Machon Lev)
On Thu, Sep 24, 2009 at 12:58, Peter Velan pv0001@dynapic.net wrote:
I have problems to upload some types of files
LocalSettings.php:
$wgCheckFileExtensions = false; $wgStrictFileExtensions = false; $wgVerifyMimeType = false; $wgFileExtensions = array( '7z', 'zip', 'rar', 'exe', 'gif', 'jpeg', 'jpg', 'png', 'odp', 'ods', 'odt', 'pdf' );
I could upload 'gif', 'jpg', 'png', 'pdf', 'ods', 'odt' ... etc. but not 'exe' and some times 'zip'
Every attempt to upload an .exe gives an error
"„.exe“ ist ein nicht erlaubtes Dateiformat. Erlaubt sind die Dateiformate: 7z, zip, rar, exe, gif, jpeg, jpg, png, odp, ods, odt, pdf."
works: rac-exe.zip rac.odt.zip rac.ods.odt.odt rac.ods.zip.odt
works *not*: rac.exe -- reports „.exe“ not allowed rac.exe.zip -- reports „.zip“ not allowed rac.ods.exe.odt -- reports „.odt“ not allowed
Why does MW checks extensions if I explicitly say "$wgCheckFileExtensions = false"?
It seems that a file with an an embedded "exe" part could not be uploaded!
Thanks for any hint, Peter
am 24.09.2009 12:33 schrieb Haim (Howard) Roman:
There are some file types that the Wiki developers considered too dangerous to allow to upload. So they're not allowed even if you think you've configured it to "allow everything". I don't know enough to defend or criticize this decision, but I assume the developers know what they're doing.
Ah, thanks for this insight. So I have to assume that "$wgCheckFileExtensions = false;" mean sometimes "false" and the error message is quite missleading:
"„.zip“ is not allowed. Allowed extensions: 7z, zip, rar," ^^^
This includes Open Office files. I'll bet it includes anything with XML.
I have *no* problems to upload ".odt", ".ods", ".odg" etc.
I designated a place covered by an apache server to place such files, then defined a template to take the file name & convert it to the appropriate link. That way, if I move the location, I can just update the template.
I'm using the same approch by placing some (mostly the big ones) files to an MW-external place and linking it inside of MW
Cheers, Peter
Peter Velan wrote:
am 24.09.2009 12:33 schrieb Haim (Howard) Roman:
There are some file types that the Wiki developers considered too dangerous to allow to upload. So they're not allowed even if you think you've configured it to "allow everything". I don't know enough to defend or criticize this decision, but I assume the developers know what they're doing.
Ah, thanks for this insight. So I have to assume that "$wgCheckFileExtensions = false;" mean sometimes "false" and the error message is quite missleading:
"„.zip“ is not allowed. Allowed extensions: 7z, zip, rar," ^^^
This includes Open Office files. I'll bet it includes anything with XML.
I have *no* problems to upload ".odt", ".ods", ".odg" etc.
I designated a place covered by an apache server to place such files, then defined a template to take the file name & convert it to the appropriate link. That way, if I move the location, I can just update the template.
I'm using the same approch by placing some (mostly the big ones) files to an MW-external place and linking it inside of MW
You'll probably need to override MIME type checking as well. See http://www.mediawiki.org/wiki/Manual:Mime_type_detection#Forbidden_files
Note that the MIME blacklist exists for security reasons. If untrusted users are allowed to upload files, this can open up significant security holes.
am 24.09.2009 17:55 schrieb Alex:
Peter Velan wrote:
am 24.09.2009 12:33 schrieb Haim (Howard) Roman:
There are some file types that the Wiki developers considered too dangerous to allow to upload. So they're not allowed even if you think you've configured it to "allow everything". I don't know enough to defend or criticize this decision, but I assume the developers know what they're doing.
Ah, thanks for this insight. So I have to assume that "$wgCheckFileExtensions = false;" mean sometimes "false" and the error message is quite missleading:
"„.zip“ is not allowed. Allowed extensions: 7z, zip, rar," ^^^
This includes Open Office files. I'll bet it includes anything with XML.
I have *no* problems to upload ".odt", ".ods", ".odg" etc.
I designated a place covered by an apache server to place such files, then defined a template to take the file name & convert it to the appropriate link. That way, if I move the location, I can just update the template.
I'm using the same approch by placing some (mostly the big ones) files to an MW-external place and linking it inside of MW
You'll probably need to override MIME type checking as well.
For testing purpose I switched "$wgVerifyMimeType = false;"
See http://www.mediawiki.org/wiki/Manual:Mime_type_detection#Forbidden_files
Thanks! Your are right, the array "$wgFileblacklist" in "DefaultSettings.php" does explicitly forbids Windows executables, as per ...
| # May contain harmful executables for Windows victims | 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', | 'com', 'pif', 'cmd', 'vxd', 'cpl'
But, it seems a litle bit paranoid to consider files withe names like "xyz.exe.pdf" as a potential hazard.
Note that the MIME blacklist exists for security reasons. If untrusted users are allowed to upload files, this can open up significant security holes.
I would never allow uploads of executables in a public accessible wiki. The wiki where I want to allow uploads of "dangerous" files is a closed intranet type with predefined users.
Nevertheless, thanks for the reminder and the really appreciated hints.
Peter
mediawiki-l@lists.wikimedia.org