Our users are currently using the Media tag for images:
[[Media:http://someplace.com/someimage.jpg]]
How is that more secure?
Thanks - sorry about the no quotes - got sick of trying to make Thunderbird quote so there ya go...
Jeff
On 13 Jul 2005, at 15:54, Jeff Harrington wrote:
> Our users are currently using the Media tag for images:
> [[Media:http://someplace.com/someimage.jpg]]
> How is that more secure?
I don't believe it is. If you can upload an image and download it unaltered, you are a suitable vector.
The payload is the image's embedded color profile, so if you strip that via some utility on upload, you're okay.
:::: Honor the memory of Martin Luther King, Jr.: <http://www.bushflash.com/mlk.html> ::::
:::: Jan Steinman http://www.Bytesmiths.com/Item/99AL08
On 13/07/05, Jeff Harrington jeff@parnasse.com wrote:
> Our users are currently using the Media tag for images:
> [[Media:http://someplace.com/someimage.jpg]]
Yuck! I didn't know there was even a configuration to allow that (although there at least used to be one that allowed linking to external images just by typing the URL, because that's what older wikis did). Two questions spring to mind:
1) Why do you need the <img> tag if you already have this working? The obvious answer is that you want to play with its attributes, such as 'alt' and 'title'. But then:
2) Why do you not want your users to upload images to your own server (rather than leeching bandwidth from their hosts)? If you did that, the full range of image syntax would be available to you, you could deal with security issues, and you could even track what images are being used...
mediawiki-l@lists.wikimedia.org