I've been trying to fix this one on the OpenOffice.org Wiki for a while, but am getting nowhere... maybe someone here has an idea?
I've defined these mime types in both the apache2/conf/mime.types file and in the wiki/includes/mime.types file:
application/vnd.oasis.opendocument.chart odc application/vnd.oasis.opendocument.chart-template otc application/vnd.oasis.opendocument.database odb application/vnd.oasis.opendocument.formula odf application/vnd.oasis.opendocument.formula-template otf application/vnd.oasis.opendocument.graphics odg application/vnd.oasis.opendocument.graphics-template otg application/vnd.oasis.opendocument.image odi application/vnd.oasis.opendocument.image-template oti application/vnd.oasis.opendocument.presentation odp application/vnd.oasis.opendocument.presentation-template otp application/vnd.oasis.opendocument.spreadsheet ods application/vnd.oasis.opendocument.spreadsheet-template ots application/vnd.oasis.opendocument.text odt application/vnd.oasis.opendocument.text-master odm application/vnd.oasis.opendocument.text-template ott application/vnd.oasis.opendocument.text-web oth application/vnd.openofficeorg.extension oxt
These should be correctly defined according to the standards outlined here: http://www.iana.org/assignments/media-types/
These file extensions are also defined in the $wgFileExtensions variable in LocalSettings.php.
This seems to be working except for the OXT definition - the last one. When a Wiki user attempts to upload an OXT file to the Wiki they get an error message: ============ The file is corrupt or has an incorrect extension. Please check the file and upload again. ============
I've checked the file with file -bi and it returns application/x-zip. Since this does not match what the file really is (ie application/vnd.openofficeorg.extension) then the error is returned.
So, my question is... what needs to be done to convince the Wiki that the OXT file is really application/vnd.openofficeorg.extension? Is this an error in the creation of the OXT file? or possibly something I've done wrong on the Wiki admin side? or... ??
C.
Clayton,
I think the problem is in "file", not the wiki nor anything you've done to it. :-)
Specifically, you say that a "file -bi" reports those files as being application/x-zip. If I correctly recall some similar struggles I've had, that's the place to focus - convince "file" that what it is *really* is the MIME type for oxt.
Paul
On Sep 8, 2009, at 10:29 AM, ccornell - OpenOffice.org wrote:
I've been trying to fix this one on the OpenOffice.org Wiki for a while, but am getting nowhere... maybe someone here has an idea?
I've defined these mime types in both the apache2/conf/mime.types file and in the wiki/includes/mime.types file:
application/vnd.oasis.opendocument.chart odc application/vnd.oasis.opendocument.chart-template otc application/vnd.oasis.opendocument.database odb application/vnd.oasis.opendocument.formula odf application/vnd.oasis.opendocument.formula-template otf application/vnd.oasis.opendocument.graphics odg application/vnd.oasis.opendocument.graphics-template otg application/vnd.oasis.opendocument.image odi application/vnd.oasis.opendocument.image-template oti application/vnd.oasis.opendocument.presentation odp application/vnd.oasis.opendocument.presentation-template otp application/vnd.oasis.opendocument.spreadsheet ods application/vnd.oasis.opendocument.spreadsheet-template ots application/vnd.oasis.opendocument.text odt application/vnd.oasis.opendocument.text-master odm application/vnd.oasis.opendocument.text-template ott application/vnd.oasis.opendocument.text-web oth application/vnd.openofficeorg.extension oxt
These should be correctly defined according to the standards outlined here: http://www.iana.org/assignments/media-types/
These file extensions are also defined in the $wgFileExtensions variable in LocalSettings.php.
This seems to be working except for the OXT definition - the last one. When a Wiki user attempts to upload an OXT file to the Wiki they get an error message: ============ The file is corrupt or has an incorrect extension. Please check the file and upload again. ============
I've checked the file with file -bi and it returns application/x-zip. Since this does not match what the file really is (ie application/vnd.openofficeorg.extension) then the error is returned.
So, my question is... what needs to be done to convince the Wiki that the OXT file is really application/vnd.openofficeorg.extension? Is this an error in the creation of the OXT file? or possibly something I've done wrong on the Wiki admin side? or... ??
C.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
______________ Paul C Lustgarten Tools & Incubation AT&T Labs - Research Florham Park, NJ +1 973 360 7206
2009/9/8 Paul C Lustgarten plus@research.att.com:
I think the problem is in "file", not the wiki nor anything you've done to it. :-) Specifically, you say that a "file -bi" reports those files as being application/x-zip. If I correctly recall some similar struggles I've had, that's the place to focus - convince "file" that what it is *really* is the MIME type for oxt.
file lets you specify an environment variable MAGIC which points to your very own magic file.
So, do you have a list of the magic for each of the MIME types you need?
Then you need to get it into the upstream distro for file :-)
- d.
As a workaround you can try modifying includes/mime.types and add the line:
application/x-zip oxt
since I don't see a application/x-zip line in the version 1.15.1 mime.types file, in which case you could just add "oxt" to the line.
This will fool Mediawiki into matching the x-zip mime type with the "oxt" extension and allow the upload.
-jim ---------------------------- ------------------------------------------- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Paul C Lustgarten Sent: Tuesday, September 08, 2009 10:42 AM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] MediaWiki and Mimetypes problems
Clayton,
I think the problem is in "file", not the wiki nor anything you've done to it. :-)
Specifically, you say that a "file -bi" reports those files as being application/x-zip. If I correctly recall some similar struggles I've had, that's the place to focus - convince "file" that what it is *really* is the MIME type for oxt.
Paul
On Sep 8, 2009, at 10:29 AM, ccornell - OpenOffice.org wrote:
I've been trying to fix this one on the OpenOffice.org Wiki for a while, but am getting nowhere... maybe someone here has an idea?
I've defined these mime types in both the apache2/conf/mime.types file and in the wiki/includes/mime.types file:
application/vnd.oasis.opendocument.chart odc application/vnd.oasis.opendocument.chart-template otc application/vnd.oasis.opendocument.database odb application/vnd.oasis.opendocument.formula odf application/vnd.oasis.opendocument.formula-template otf application/vnd.oasis.opendocument.graphics odg application/vnd.oasis.opendocument.graphics-template otg application/vnd.oasis.opendocument.image odi application/vnd.oasis.opendocument.image-template oti application/vnd.oasis.opendocument.presentation odp application/vnd.oasis.opendocument.presentation-template otp application/vnd.oasis.opendocument.spreadsheet ods application/vnd.oasis.opendocument.spreadsheet-template ots application/vnd.oasis.opendocument.text odt application/vnd.oasis.opendocument.text-master odm application/vnd.oasis.opendocument.text-template ott application/vnd.oasis.opendocument.text-web oth application/vnd.openofficeorg.extension oxt
These should be correctly defined according to the standards outlined here: http://www.iana.org/assignments/media-types/
These file extensions are also defined in the $wgFileExtensions variable in LocalSettings.php.
This seems to be working except for the OXT definition - the last one. When a Wiki user attempts to upload an OXT file to the Wiki they get an error message: ============ The file is corrupt or has an incorrect extension. Please check the file and upload again. ============
I've checked the file with file -bi and it returns application/x-zip. Since this does not match what the file really is (ie application/vnd.openofficeorg.extension) then the error is returned.
So, my question is... what needs to be done to convince the Wiki that the OXT file is really application/vnd.openofficeorg.extension? Is this an error in the creation of the OXT file? or possibly something I've done wrong on the Wiki admin side? or... ??
C.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
______________ Paul C Lustgarten Tools & Incubation AT&T Labs - Research Florham Park, NJ +1 973 360 7206
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
This may be a more generic problem, see: https://bugzilla.wikimedia.org/show_bug.cgi?id=18684 - Uploading office 2007 files (docx, pptx etc) results in error.
When I mentioned this on-line one time, someone pointed out the problem with having a mime.types file specifically for MediaWiki when it probably should be dynamically resolved.
I forget the exact suggestion, but there are security bypass issues and maybe we should take a look at implementing more generically.
Jack D. Pond "The most truthful part of a newspaper is the advertisements" -- Thomas Jefferson (1762-1826)
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Sullivan, James (NIH/CIT) [C] Sent: Tuesday, September 08, 2009 10:57 AM To: 'MediaWiki announcements and site admin list' Subject: Re: [Mediawiki-l] MediaWiki and Mimetypes problems
As a workaround you can try modifying includes/mime.types and add the line:
application/x-zip oxt
since I don't see a application/x-zip line in the version 1.15.1 mime.types file, in which case you could just add "oxt" to the line.
This will fool Mediawiki into matching the x-zip mime type with the "oxt" extension and allow the upload.
-jim
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Paul C Lustgarten Sent: Tuesday, September 08, 2009 10:42 AM To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] MediaWiki and Mimetypes problems
Clayton,
I think the problem is in "file", not the wiki nor anything you've done to it. :-)
Specifically, you say that a "file -bi" reports those files as being application/x-zip. If I correctly recall some similar struggles I've had, that's the place to focus - convince "file" that what it is *really* is the MIME type for oxt.
Paul
On Sep 8, 2009, at 10:29 AM, ccornell - OpenOffice.org wrote:
I've been trying to fix this one on the OpenOffice.org Wiki for a while, but am getting nowhere... maybe someone here has an idea?
I've defined these mime types in both the
apache2/conf/mime.types file
and in the wiki/includes/mime.types file:
application/vnd.oasis.opendocument.chart odc application/vnd.oasis.opendocument.chart-template otc application/vnd.oasis.opendocument.database odb application/vnd.oasis.opendocument.formula odf application/vnd.oasis.opendocument.formula-template otf application/vnd.oasis.opendocument.graphics odg application/vnd.oasis.opendocument.graphics-template otg application/vnd.oasis.opendocument.image odi application/vnd.oasis.opendocument.image-template oti application/vnd.oasis.opendocument.presentation odp application/vnd.oasis.opendocument.presentation-template otp application/vnd.oasis.opendocument.spreadsheet ods application/vnd.oasis.opendocument.spreadsheet-template ots application/vnd.oasis.opendocument.text odt application/vnd.oasis.opendocument.text-master odm application/vnd.oasis.opendocument.text-template ott application/vnd.oasis.opendocument.text-web oth application/vnd.openofficeorg.extension oxt
These should be correctly defined according to the
standards outlined
here: http://www.iana.org/assignments/media-types/
These file extensions are also defined in the $wgFileExtensions variable in LocalSettings.php.
This seems to be working except for the OXT definition -
the last one.
When a Wiki user attempts to upload an OXT file to the Wiki
they get
an error message: ============ The file is corrupt or has an incorrect extension. Please
check the
file and upload again. ============
I've checked the file with file -bi and it returns
application/x-zip.
Since this does not match what the file really is (ie application/vnd.openofficeorg.extension) then the error is returned.
So, my question is... what needs to be done to convince the
Wiki that
the OXT file is really
application/vnd.openofficeorg.extension? Is
this an error in the creation of the OXT file? or possibly something I've done wrong on the Wiki admin side? or... ??
C.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Paul C Lustgarten Tools & Incubation AT&T Labs - Research Florham Park, NJ +1 973 360 7206
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
This may be a more generic problem, see: https://bugzilla.wikimedia.org/show_bug.cgi?id=18684 - Uploading office 2007 files (docx, pptx etc) results in error.
When I mentioned this on-line one time, someone pointed out the problem with having a mime.types file specifically for MediaWiki when it probably should be dynamically resolved.
I forget the exact suggestion, but there are security bypass issues and maybe we should take a look at implementing more generically.
Hmmm I wonder if this merits a new bug report? or an addition to the MS Office related one?
As a workaround you can try modifying includes/mime.types and add the line:
application/x-zip oxt
since I don't see a application/x-zip line in the version 1.15.1 mime.types file, in which case you could just add "oxt" to the line.
This will fool Mediawiki into matching the x-zip mime type with the "oxt" extension and allow the upload.
application/x-zip seems to be ignored - I tried this change and there were no changes in the behavior.
I also tried adding OXT to application/zip.. and this caught me up in the error that ZIP files are explicitly blocked by the MediaWiki mime type validation. This "can" be bypassed by disabling the mime type validation/check, but opens up (as I understand it) a hole for exploits. Since the OOo Wiki is quite public and subject to quite a lot of spamming and other malicious poking, I'm not so happy with workarounds that risk exploits :-(
I think the problem is in "file", not the wiki nor anything you've done to it. :-)
Specifically, you say that a "file -bi" reports those files as being application/x-zip. If I correctly recall some similar struggles I've had, that's the place to focus - convince "file" that what it is *really* is the MIME type for oxt.
This is something we're also looking at.. trying to find a way to reset the mime type in the file itself. So far no success...
C.
application/x-zip seems to be ignored - I tried this change and there were no changes in the behavior.
I also tried adding OXT to application/zip.. and this caught me up in the error that ZIP files are explicitly blocked by the MediaWiki mime type validation. This "can" be bypassed by disabling the mime type validation/check, but opens up (as I understand it) a hole for exploits. Since the OOo Wiki is quite public and subject to quite a lot of spamming and other malicious poking, I'm not so happy with workarounds that risk exploits :-(
I think the problem is in "file", not the wiki nor anything you've done to it. :-)
Specifically, you say that a "file -bi" reports those files as being application/x-zip. If I correctly recall some similar struggles I've had, that's the place to focus - convince "file" that what it is *really* is the MIME type for oxt.
This is something we're also looking at.. trying to find a way to reset the mime type in the file itself. So far no success...
OOXML formats are zip achives. It is likely the only way to correctly identify them is to extract the files from the zip archive and validate them as being office 2007 format. I think the same method was mentioned for OpenDocument files, except OpenDocument has a validator available.
I can't find my previous post on this, but I provided a dirty, dirty hack for allowing OOXML uploads. Like the patch in the bug report, it opens a hole for exploits; but, without validation, I think any fix would open a hole for exploits.
V/r,
Ryan Lane
OOXML formats are zip achives. It is likely the only way to correctly identify them is to extract the files from the zip archive and validate them as being office 2007 format. I think the same method was mentioned for OpenDocument files, except OpenDocument has a validator available.
I can't find my previous post on this, but I provided a dirty, dirty hack for allowing OOXML uploads. Like the patch in the bug report, it opens a hole for exploits; but, without validation, I think any fix would open a hole for exploits.
Well, in this case, it's only the one file type... or more accurately the one specific file - as we discovered through more testing today. I think we've nailed it down to this one file being "broken" somehow. While being a valid OXT file (ie it can be used in OpenOffice.org), for some reason its mime type isn't being correctly identified on the Wiki. Other OXT files tested are correctly IDed (as they should be) and can be uploaded.
So... I'm thinking the hack isn't needed in this case, and that ultimately, this is not a bug in MediaWiki - instead a problem with the creation of this one file that a user was trying to upload.
C.
Clayton wrote:
OOXML formats are zip achives. It is likely the only way to correctly identify them is to extract the files from the zip archive and validate them as being office 2007 format. I think the same method was mentioned for OpenDocument files, except OpenDocument has a validator available.
I can't find my previous post on this, but I provided a dirty, dirty hack for allowing OOXML uploads. Like the patch in the bug report, it opens a hole for exploits; but, without validation, I think any fix would open a hole for exploits.
Well, in this case, it's only the one file type... or more accurately the one specific file - as we discovered through more testing today. I think we've nailed it down to this one file being "broken" somehow. While being a valid OXT file (ie it can be used in OpenOffice.org), for some reason its mime type isn't being correctly identified on the Wiki. Other OXT files tested are correctly IDed (as they should be) and can be uploaded.
So... I'm thinking the hack isn't needed in this case, and that ultimately, this is not a bug in MediaWiki - instead a problem with the creation of this one file that a user was trying to upload.
C.
Since OpenDocument files are Zip files, unless you do some extra validation, a Jar could be uploaded disguised as an OD? file. The vulnerability is that a Jar have same-origin permissions over the wiki, and so -linked from an external page viewed by logged-in users- can do all kinds of Bad Things.
Platonides wrote:
Since OpenDocument files are Zip files, unless you do some extra validation, a Jar could be uploaded disguised as an OD? file. The vulnerability is that a Jar have same-origin permissions over the wiki, and so -linked from an external page viewed by logged-in users- can do all kinds of Bad Things.
It's possible to make a file which is simultaneously a valid JAR file and a valid OpenDocument file. Here's the one I made in September last year:
http://noc.wikimedia.org/~tstarling/odjar/
-- Tim Starling
mediawiki-l@lists.wikimedia.org