This is the first time I've tried to submit code to the MediaWiki community, so please accept my apologies if I have gone about doing so the wrong way. (and apologies the extension itself is such a hack and/or is already redundant because of others' work I wasn't aware of - I've noted SpecialUploadLocal recently)
SpecialMultipleUplaoadViaZip has been added as a meta.wikimedia.org page including the special page extension's source code. As that page describes, this special page provides a form for uploading a ZIP file that is subsequently decompressed and passed directly to a class extended from the existing MediaWiki file upload form.
I needed a multiple file uploading tool for a local intranet wiki I manage(ish). I suspect this feature might have already been scheduled to be included for future releases in a manner far cleaner than the hack I've done. Still, I figured it still might be useful for the community even so (e.g. possibly for those running to-be-legacy MediaWiki releases into which this extension might be able to be installed).
Best wishes, Dave
Hello Dave,
from a look at the code, it appears that you're not currently checking the file size before decompressing. A relatively small zip file can contain a file full of zeroes which is actually a gigabyte large when compressed. This could be used for DoS attacks against the server. The basic attack strategy can be defeated fairly easily -- in your code by checking $tmpfsize against a variable before decompressing.
The archive could also contain a large number of files of normally acceptable size (e.g. 100*1MB). Finally, keep in mind that an attacker could upload multiple ZIP files in a row to spam the server. That's true for images as well, but a lot easier when you can generate hundreds of megabytes by uploading hundreds of kilobytes.
It appears the compression ratio is about 1000:1 for such files, i.e. 100 MB will compress to a 100K file. I don't know if different ZIP implementations achieve different compression ratios here.
One way to deal with this would be to have a per-IP upload limit, e.g. 100 MB per IP/day. You'd have to store this information in a table somewhere, though. Others may have more clever ideas.
As you're running this on an Intranet, this is likely not an issue. However, perhaps we should add a warning about this to the page on Meta for people who intend to run the extension publicly.
Erik
On 7/8/06, Erik Moeller eloquence@gmail.com wrote:
The archive could also contain a large number of files of normally acceptable size (e.g. 100*1MB). Finally, keep in mind that an attacker could upload multiple ZIP files in a row to spam the server.
Both of these problems may be less serious if temporary files are thrown away immediately if they are not valid files. It's probably still possible to generate huge files that pass the MIME check, but not something a typical skript kiddy could easily do.
Erik
mediawiki-l@lists.wikimedia.org