-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim Starling wrote:
>> - Improved upload file type detection for OpenDocument formats
>> Added a check for the magic value header in OpenDocument zip archives
>> which specifies which subtype it is. Such files will get detected with the appropriate mime type and matching extension, so ODT etc uploads will work again where enabled.
>> (Previously the general ZIP check and blacklist would disable them.)
>
> I think you're missing the point. It's trivial to make a file which is both a valid OpenDocument file, and a valid JAR file subject to the same origin policy.

I have no doubt of this, but only our restricted-write-access internal sites allow OpenDocument uploads, and they also allow Zip uploads. ;)
The point is to make the uploads actually *work* when and where they've been explicitly enabled.
Smarter "evil JAR detection" that pokes through the ZIP file index looking for Java classes and blocks the specific file would be a nice addition, particularly if we were to do something foolish like enable OpenDocument uploads on general-access sites. :)
There is a Zip extension for PHP which might be handy for this purpose, though of course it's not enabled by default and may not be present on any given setup. :(
- -- brion
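The two checks discussed in this thread, the OpenDocument `mimetype` entry lookup and the "evil JAR detection" that walks the archive index for Java classes, as an added example. This is not MediaWiki's code nor anything posted by Brion or Tim; it uses Python's standard `zipfile` module instead of the PHP Zip extension mentioned above, and the function names (`detect_odf_mime`, `looks_like_jar`, `classify_upload`), the `ODF_MIME_TO_EXT` table and the sample archives are all constructed here for illustration.

```python
import io
import zipfile

# Hypothetical subtype table: OpenDocument MIME type -> file extension.
ODF_MIME_TO_EXT = {
    "application/vnd.oasis.opendocument.text": "odt",
    "application/vnd.oasis.opendocument.spreadsheet": "ods",
    "application/vnd.oasis.opendocument.presentation": "odp",
    "application/vnd.oasis.opendocument.graphics": "odg",
}


def detect_odf_mime(data: bytes):
    """Return the OpenDocument MIME type declared by the archive, or None.

    The ODF packaging rules require a 'mimetype' entry that is the FIRST entry
    in the archive and stored uncompressed; anything else is treated as a plain zip.
    """
    if not data.startswith(b"PK\x03\x04"):  # local file header magic
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if not infos:
                return None
            first = infos[0]
            if first.filename != "mimetype" or first.compress_type != zipfile.ZIP_STORED:
                return None
            mime = zf.read(first).decode("ascii", "replace").strip()
    except zipfile.BadZipFile:
        return None
    return mime if mime in ODF_MIME_TO_EXT else None


def looks_like_jar(data: bytes) -> bool:
    """True if the archive index lists Java class files or a JAR manifest.

    This walks the central directory names only; a JVM loads classes by entry
    name, so the names are what matter for the polyglot case described above.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower.endswith(".class") or lower == "meta-inf/manifest.mf":
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def classify_upload(data: bytes):
    """Return (mime, extension, verdict) for an uploaded zip-based file."""
    mime = detect_odf_mime(data)
    if looks_like_jar(data):
        # Reject even when the ODF header is valid: the file is also a JAR.
        return (mime or "application/zip", None, "reject: contains Java classes/manifest")
    if mime:
        return (mime, ODF_MIME_TO_EXT[mime], "accept")
    return ("application/zip", "zip", "accept-if-zip-enabled")


def build_zip(entries):
    """Build an in-memory zip from (name, payload, stored) tuples (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, stored in entries:
            method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
            zf.writestr(name, payload, compress_type=method)
    return buf.getvalue()


# Constructed sample archives (not real documents).
ODT_MIME = "application/vnd.oasis.opendocument.text"
GENUINE_ODT = build_zip([
    ("mimetype", ODT_MIME, True),
    ("content.xml", "<office:document-content/>", False),
])
# Valid ODF header plus JAR-style entries; the class bytes are a dummy marker.
POLYGLOT = build_zip([
    ("mimetype", ODT_MIME, True),
    ("content.xml", "<office:document-content/>", False),
    ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n", False),
    ("Applet.class", b"\xca\xfe\xba\xbe" + b"\x00" * 4, False),
])
# 'mimetype' present but deflated, so it is NOT a conforming ODF package.
DEFLATED_MIMETYPE = build_zip([("mimetype", ODT_MIME, False)])
PLAIN_ZIP = build_zip([("readme.txt", "hello", False)])

if __name__ == "__main__":
    for label, blob in [("genuine", GENUINE_ODT), ("polyglot", POLYGLOT),
                        ("deflated", DEFLATED_MIMETYPE), ("plain", PLAIN_ZIP)]:
        print(label, classify_upload(blob))
```

The ordering matters: the JAR check runs before the extension is assigned, so a file that passes the OpenDocument header check is still refused when its index also contains class files. The deflated `mimetype` case shows why the check must look at the compression method and entry position rather than just the entry name.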