Simetrical wrote:
On Thu, Mar 27, 2008 at 2:34 PM, raymond-Y8jq7F6rJ48dvk2hry9Ukdi2O/JbrIOy@public.gmane.org wrote:
$val = trim( ini_get( 'upload_max_filesize' ) );
$last = ( substr( $val, -1 ) );
switch( $last ) {
switch is case-sensitive, the suffix in the config file is not. Don't you need a strtoupper() on $last?
Yeah, done with r32524.
$val2 = $wgAllowCopyUploads ? min( $wgMaxUploadSize, $val2 ) : $val2;
$maxUploadSize = wfMsgExt( 'upload-maxfilesize', 'parseinline', $wgLang->formatSize( $val2 ) );
You seem to be assuming that nobody is setting upload_max_filesize to an invalid value, or that if they do, PHP will somehow sanitize it so that it fits one of those cases. Is that the case? What happens if you set upload_max_filesize to "jagdajgadk" or '<span onload="alert(\'Evil!\')"></span>' or something? If this does work, you should add a comment that testing indicates that PHP seems to guarantee that a value in this form is passed.
Sanitized with r32524.
I tested a few evil entries with my XAMPP: upload_max_filesize set to "jagdajgadk" returns 0.
Something more evil like your '<span onload="alert(\'Evil!\')"></span>' crashes my Apache directly at start.
Raymond.
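
The two checks discussed in this thread (a case-insensitive suffix and invalid values collapsing to 0 before anything is displayed), as an added example that is not part of the original messages and not MediaWiki's code. `parseIniSize` is a hypothetical name, the sample values are constructed, and the parser is deliberately stricter than PHP's own ini handling.

```php
<?php
// Added example: hypothetical helper, not taken from MediaWiki or r32524.

/**
 * Convert a php.ini shorthand size ("2M", "512k", "1G", "1048576") to bytes.
 * Returns 0 for anything that is not digits plus an optional K/M/G suffix,
 * so the result is always an integer and never carries text from the ini file.
 */
function parseIniSize( string $raw ): int {
	$val = trim( $raw );
	// Whole-string match, case-insensitive suffix. At most 9 digits keeps
	// the product below PHP_INT_MAX (assumes a 64-bit PHP build).
	if ( !preg_match( '/^(\d{1,9})([KMG])?$/i', $val, $m ) ) {
		return 0;
	}
	$bytes = (int)$m[1];
	// strtoupper() so that "2m" and "2M" take the same branch.
	switch ( strtoupper( $m[2] ?? '' ) ) {
		case 'G':
			$bytes *= 1024;
			// fall through
		case 'M':
			$bytes *= 1024;
			// fall through
		case 'K':
			$bytes *= 1024;
	}
	return $bytes;
}

// Constructed sample values, including the two invalid ones from the thread.
$samples = [
	'2M', '2m', '512K', '1G', '1048576',
	'jagdajgadk',
	'<span onload="alert(\'Evil!\')"></span>',
];
foreach ( $samples as $s ) {
	// Only the parsed integer would be handed to the size formatter; the raw
	// string is escaped here because this demo echoes it for comparison.
	printf( "%-50s => %d\n", htmlspecialchars( $s ), parseIniSize( $s ) );
}
```

Because the function returns an `int`, whatever is later formatted into the upload message cannot contain markup from the configuration value.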