On Mon, Oct 25, 2010 at 10:09 PM, Aryeh Gregor
<Simetrical+wikilist(a)gmail.com> wrote:
> On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik
> <maxsem.wiki(a)gmail.com> wrote:
>> Instead of amassing social constructs around technical deficiency, I
>> propose to fix bug 24230 [1] by implementing proper checking for JAR
>> format.
>
> Does that bug even affect Wikimedia? We have uploads segregated on
> their own domain, where we don't set cookies or do anything else
> interesting, so what would an uploaded JAR file even do?

upload.wikimedia.org could end up on Google's Safe Surfing (or however
it's called) blacklist for hosting malicious .jars which are injected
on another pwned web site or loaded through pwned advertising brokers.

Given the fact that Java is the 2nd biggest exploit vector in terms of
exploits (but 1st in terms of impact - users don't update Java as
often as the Adobe Reader), it should not be allowed to upload JARs
(or things that look like something else, but in fact can be loaded and
executed by the JRT) to Wikipedia.

Marco
--
VMSoft GbR
Nabburger Str. 15
81737 München
Geschäftsführer: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de
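
As an added example (not part of the original thread and not MediaWiki's own code), here is one way the "proper checking for JAR format" proposed above could look for uploads that claim to be images. It assumes a hypothetical upload hook that receives the raw file bytes; `classify_upload`, `allowed_as_image` and the sample inputs are illustrative names and constructed data.

```python
import io
import zipfile

EOCD_SIG = b"PK\x05\x06"       # ZIP end-of-central-directory signature
EOCD_WINDOW = 22 + 0xFFFF      # fixed EOCD size plus the largest possible comment

def classify_upload(data: bytes) -> str:
    """Classify raw upload bytes by what a ZIP/JAR reader would find in them."""
    # ZIP readers locate the archive from the END of the file, so a valid
    # image header at the start does not stop the file being read as a JAR.
    if data.rfind(EOCD_SIG, max(0, len(data) - EOCD_WINDOW)) == -1:
        return "no-zip-trailer"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except Exception:
        # Signature present but directory unparseable here: another reader
        # may be more lenient, so report it as suspicious rather than clean.
        return "suspicious"
    if any(n.upper() == "META-INF/MANIFEST.MF" or n.lower().endswith(".class")
           for n in names):
        return "jar-like"
    return "zip"

def allowed_as_image(data: bytes) -> bool:
    """Hypothetical policy: an image upload must carry no ZIP trailer at all."""
    return classify_upload(data) == "no-zip-trailer"

# --- constructed sample inputs (not real uploads) ---
GIF_STUB = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"  # header-like bytes only

def sample_archive(names):
    """Build an in-memory ZIP whose entries hold placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample entry")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {
        "plain image": GIF_STUB,
        "image + zip": GIF_STUB + sample_archive(["notes.txt"]),
        "image + jar": GIF_STUB + sample_archive(["META-INF/MANIFEST.MF"]),
    }
    for label, blob in samples.items():
        print(f"{label:12} {classify_upload(blob):15} allowed={allowed_as_image(blob)}")
```

The policy rejects any archive trailer on an image rather than only manifest-bearing ones, because class files alone are enough for an archive to be loadable.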