Aryeh Gregor wrote:
On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik maxsem.wiki@gmail.com wrote:
Instead of amassing social constructs around technical deficiency, I propose to fix bug 24230 [1] by implementing proper checking for JAR format.
Does that bug even affect Wikimedia? We have uploads segregated on their own domain, where we don't set cookies or do anything else interesting, so what would an uploaded JAR file even do? If that kind of attack is still a problem even with separate domains, we can do like Mozilla's Bugzilla and serve each uploaded file from its own unique domain (that would have ramifications for how browsers fetch the images, but they might be positive anyway).
Well, the fact that a would not be able to steal the cookies if they could place a jar file there* doesn't mean a malicious applet there isn't bad.
*Not sure if we can really assert that. Most likely it varies depending on browser, JVM and version.
Doing a full ZIP exploration against java classes is simple. However, we should check that everything there is clean, not that nothing there is blacklisted.
Archive formats have their own can of issues. We don't want people to upload an "OASIS file" that contains a videogame, even if it's not a jar or a virus. How to determine if a file should be in the archive or not? What to do with archived archives?
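
The allowlist approach from the reply above ("check that everything there is clean, not that nothing there is blacklisted"), as an added example that is not part of the original thread or of MediaWiki's code: every ZIP member must have an expected name and matching leading bytes, so a class file, a nested archive or any unknown member is rejected. The ODF-style member names and the names `ALLOWED`, `rule_for`, `audit_archive` and `make_zip` are assumptions made for illustration.

```python
import io
import zipfile

# Constructed allowlist for an ODF-style container: exact member names or
# one-level directory prefixes, mapped to the leading bytes the content must have.
XML = (b"<?xml",)
PNG = (b"\x89PNG\r\n\x1a\n",)
ALLOWED = {
    "mimetype": (b"application/vnd.oasis.opendocument.",),
    "content.xml": XML,
    "META-INF/manifest.xml": XML,
    "Pictures/": PNG,  # prefix rule: files directly under Pictures/
}

def rule_for(name):
    """Return the allowed content prefixes for a member name, or None."""
    if name in ALLOWED:
        return ALLOWED[name]
    folder, _, leaf = name.rpartition("/")
    if leaf and "/" not in folder:
        return ALLOWED.get(folder + "/")
    return None

def audit_archive(data):
    """Return reasons to reject; an empty list means every member passed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable ZIP"]
    problems = []
    with zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            prefixes = rule_for(info.filename)
            # Bit 0 of the general-purpose flags marks an encrypted member.
            if prefixes is None or info.flag_bits & 0x1:
                problems.append(f"{info.filename}: not allowlisted or encrypted")
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the leading bytes are decompressed
            if not head.startswith(prefixes):
                problems.append(f"{info.filename}: content does not match its name")
    return problems

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A nested archive fails here because its leading bytes do not match the type its name promises, which answers the "archived archives" case by rejection rather than recursion.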