Brion Vibber wrote:
There's been some sample code submitted for running uploads through the clamav virus scanner; I'll try and get this integrated this weekend, and we can then enable a bunch of formats with greater confidence.
That would be great, thank you! If anyone else wants to have a look, the sample code can be tested here: http://area23.brightbyte.de/checkfile-test.php
I would however like to add another suggestion: Show an extra warning on the description-page of media in a potentially dangerous format (or rather for any non-image, non-sound format). The message could read something like this:
"This file may contain executable code that might damage your system. If you download this file and open it on your computer, potentially harmful contents may be run. Please make sure you know what you are doing. The Wikimedia Foundation does not take any responsibility for the contents of this file or any harm it may do to your system."
This is not only aimed at macro-viruses hidden in doc-files etc (which the virus scanner will hopefully find on upload), but mainly at "trivial trojans" like batch files containing a "format C:" or some such.
In that context, it might also be good to block all files with the extensions .exe, .bat, .cmd, .reg, .js as well as any files starting with a she-bang (#!), regardless of the guessed mime-type. That is, there should be a list of forbidden extensions in addition to a list of forbidden mime-types (or does that already exist?), and an additional check for the she-bang. If you like, I could add that to the sample code, but it's trivial.
Thank you, daniel
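The extension blacklist plus she-bang check proposed above, as an added example in Python (not the linked sample code and not MediaWiki's own upload code). It assumes the caller has already read the first few bytes of the upload; checking every dot-separated part of the name, so that `notes.exe.txt` is also rejected, goes slightly beyond the message and is my assumption. Sample uploads are constructed inline.

```python
from typing import Optional, Tuple

# Extensions the message proposes to block outright, regardless of the
# guessed MIME type. Matched case-insensitively, so "cleanup.BAT" is caught.
FORBIDDEN_EXTENSIONS = {"exe", "bat", "cmd", "reg", "js"}


def forbidden_extension(filename: str) -> Optional[str]:
    """Return the offending extension (without dot), or None if the name is clean.

    Every dot-separated part after the first is checked (assumption: stricter
    than the message, so "notes.exe.txt" is rejected like "notes.exe").
    """
    parts = filename.lower().split(".")
    for part in parts[1:]:
        if part in FORBIDDEN_EXTENSIONS:
            return part
    return None


def starts_with_shebang(head: bytes) -> bool:
    """True if the content begins with the two bytes '#!'.

    Interpreters only honour a she-bang at offset 0, so no whitespace or
    BOM skipping is done here; that matches what would actually execute.
    """
    return head.startswith(b"#!")


def check_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Runs after (not instead of) the MIME-type list."""
    ext = forbidden_extension(filename)
    if ext is not None:
        return False, f"forbidden extension .{ext}"
    if starts_with_shebang(head):
        return False, "file starts with a shebang (#!)"
    return True, "ok"


# Constructed sample uploads: (name, first bytes of content).
SAMPLES = [
    ("diagram.png", b"\x89PNG\r\n\x1a\n"),
    ("cleanup.BAT", b"@echo off\r\nformat C:\r\n"),
    ("notes.exe.txt", b"just text"),
    ("script.txt", b"#!/bin/sh\necho hi\n"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        allowed, reason = check_upload(name, head)
        print(f"{name:15} {'allow' if allowed else 'REJECT'}: {reason}")
```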