On 8/2/07, Brion Vibber <brion(a)wikimedia.org> wrote:
> > We do. And if it doesn't match what we think it will be... we put a
> > notice that no one notices on the image page.
>
> That's incorrect.
>
> If the detected filetype doesn't match the defined filetype for the
> extension, then the upload is rejected.
>
> (However note that at this moment we don't have very solid detection for
> OGG.)

O_o. I still find a lot of random crud uploaded as other things on commons.
We reliably detect Ogg as far as I can tell, at least in the sense
that when I've checked in the past all the files on commons that had
the bad mime data in the database were actually not ogg files.
I'll have to check more carefully but if we are, as I believe,
correctly detecting Ogg files then we could turn on limiting on those
files.

> The warning on image pages about malicious code is bullshit -- we should
> remove it, since it has nothing to do with reality.

I just conducted a test:
[gmaxwell@bessel ~]$ file ./.wine/drive_c/windows/system32/cmd.exe
./.wine/drive_c/windows/system32/cmd.exe: MS-DOS executable PE for MS Windows (console) Intel 80386
http://commons.wikimedia.org/wiki/Image:Winecmdexe.sxd
http://commons.wikimedia.org/wiki/Image:Winecmdexe.svg
http://commons.wikimedia.org/wiki/Image:Winecmdexe.xcf
http://commons.wikimedia.org/wiki/Image:Winecmdexe.mid
http://commons.wikimedia.org/wiki/Image:Winecmdexe.sxw
http://commons.wikimedia.org/wiki/Image:Winecmdexe.pdf
http://commons.wikimedia.org/wiki/Image:Winecmdexe.ogg
It did reject the exe renamed to both png and jpg, but that's it.

> Greg, don't be afraid to pop things into bugzilla or work with us over
> in SVN to fix things up. :)

I'm not, but I honestly thought this was 'works as designed'.
At least in the ogg case we may already have reliable enough
detection. If something is lacking there it should be trivial to fix;
ogg is easy to detect robustly. I don't know about the other file
types.
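
Added example, not part of the original message and not MediaWiki's code: a content-versus-extension upload check in the spirit of the rejection rule described above, with an Ogg test that validates the first page header and its checksum instead of trusting the four magic bytes. The function names, the signature table and the fail-closed handling of unlisted extensions are assumptions made for illustration.

```python
import struct

# Leading magic bytes for some extensions from the thread (illustrative, incomplete).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "pdf": b"%PDF-", "mid": b"MThd", "xcf": b"gimp xcf "}

def ogg_crc(page: bytes) -> int:
    """Ogg page checksum: CRC-32, polynomial 0x04C11DB7, init 0, unreflected."""
    crc = 0
    for byte in page:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ (0x04C11DB7 if crc & 0x80000000 else 0)) & 0xFFFFFFFF
    return crc

def is_ogg(data: bytes) -> bool:
    """Accept only if the first page parses and its checksum verifies."""
    if len(data) < 27 or data[:4] != b"OggS" or data[4] != 0:
        return False
    if not data[5] & 0x02:          # first page must carry the beginning-of-stream flag
        return False
    nsegs = data[26]
    size = 27 + nsegs + sum(data[27:27 + nsegs])   # header + segment table + body
    if len(data) < 27 + nsegs or len(data) < size:
        return False
    stored = struct.unpack_from("<I", data, 22)[0]
    page = data[:22] + b"\0\0\0\0" + data[26:size]  # CRC field zeroed for the check
    return ogg_crc(page) == stored

def upload_allowed(filename: str, data: bytes) -> bool:
    """Reject content that does not match the extension; unknown extensions fail closed."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "ogg":
        return is_ogg(data)
    magic = MAGIC.get(ext)
    return magic is not None and data.startswith(magic)

def sample_ogg_page(body: bytes = b"constructed body") -> bytes:
    """Constructed single-page stream for the demo (not a playable file)."""
    head = b"OggS" + bytes([0, 0x02]) + struct.pack("<qIII", 0, 1, 0, 0)
    page = head + bytes([1, len(body)]) + body
    return page[:22] + struct.pack("<I", ogg_crc(page)) + page[26:]

if __name__ == "__main__":
    pe = b"MZ\x90\x00" + b"\0" * 60   # constructed stand-in for a renamed executable
    for name, blob in [("a.ogg", sample_ogg_page()), ("cmd.ogg", pe), ("cmd.pdf", pe)]:
        print(name, upload_allowed(name, blob))
```

Container formats from the test list such as sxd, sxw and svg have no fixed leading signature of their own (zip and XML), so they need a parser-level check and are left out of the table here.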