Aryeh Gregor wrote:
> On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik
> <maxsem.wiki(a)gmail.com> wrote:
>> Instead of amassing social constructs around technical deficiency, I
>> propose to fix bug 24230 [1] by implementing proper checking for JAR
>> format.
> Does that bug even affect Wikimedia? We have uploads segregated on
> their own domain, where we don't set cookies or do anything else
> interesting, so what would an uploaded JAR file even do? If that kind
> of attack is still a problem even with separate domains, we can do
> like Mozilla's Bugzilla and serve each uploaded file from its own
> unique domain (that would have ramifications for how browsers fetch
> the images, but they might be positive anyway).
Well, the fact that someone would not be able to steal the cookies if they
could place a jar file there* doesn't mean a malicious applet there
isn't bad.
*Not sure if we can really assert that. Most likely it varies depending
on browser, JVM and version.
Doing a full ZIP exploration against java classes is simple. However, we
should check that everything there is clean, not that nothing there is
blacklisted.
Archive formats have their own can of issues. We don't want people to
upload an "OASIS file" that contains a videogame, even if it's not a jar
or a virus. How do we determine whether a file should be in the archive or not?
What do we do with archived archives?
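The allowlist-style ZIP inspection discussed above (reject anything not positively recognised, flag Java classes, JAR manifests and nested archives), as an added example that is not part of the original thread or of MediaWiki's code; the allowed member-type lists, the OASIS-style sample archive and the nested archive are constructed assumptions:

```python
from __future__ import annotations
import io
import zipfile

# Allowlist approach from the thread: every member must be something we
# positively recognise; anything else fails the upload. These lists are
# assumptions for this example, not MediaWiki's real configuration.
ALLOWED_SUFFIXES = {".xml", ".png", ".jpg", ".txt", ".rdf"}
ALLOWED_EXACT = {"mimetype", "META-INF/manifest.xml"}
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP member
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"

def inspect_archive(data: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means it passed."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP container"]
    for info in zf.infolist():
        name = info.filename
        if name.endswith("/"):
            continue  # directory entry, nothing to scan
        head = zf.open(info).read(4)
        # Content-based checks first: judge the member by its bytes, not its name.
        if head == JAVA_CLASS_MAGIC or name.lower().endswith(".class"):
            problems.append(f"{name}: Java class file")
        if head == ZIP_MAGIC:
            problems.append(f"{name}: nested archive")
        if name.upper().startswith("META-INF/") and name.upper().endswith(".MF"):
            problems.append(f"{name}: JAR manifest")
        # Then the allowlist: unknown member types are rejected, not only known-bad ones.
        suffix = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if name not in ALLOWED_EXACT and suffix not in ALLOWED_SUFFIXES:
            problems.append(f"{name}: not an allowed member type")
    return problems

def build_sample(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive for testing (not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```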