On Thu, 18 Nov 2004 23:30:57 +0100, Walter Vermeir walter@wikipedia.be wrote:
> I noticed that now you cannot upload a lot of file types anymore, like zip, gz, doc, xls, sxw, sxc.
> I understand that some types of files are not allowed for legal and system security reasons. But this is not the case here.
Why not? The same security flaws will be present wherever the software is used. If I remember rightly, the original security breach that prompted the crack-down was a Japanese user uploading a specially constructed text-file that caused anyone browsing a certain page with Internet Explorer to have their username and password automatically sent elsewhere. It is not a risk to be taken lightly.
If you mean there is no risk in the filetypes you mentioned, I would also disagree - apart from the possibility of the IE bug I just mentioned applying, .doc and .xls files are notoriously good hosts for Trojan horses, and an enticingly-named .zip file could contain anything (and people *will* open it; remember the "I love you" virus?).
I'm not saying the whitelist should never be expanded whatsoever, or even that these filetypes should never ever be allowed, just that opening up this decision to wiki administrators who may not understand the full implications could be very risky. Currently, those with access to the configuration files on the server can edit the whitelist, and in general these are likely to be people who will consider the implications of doing so. And the fact that there are so few encourages discussion before action (as opposed to the "be bold" mantra common on wikis).
You might want to look through the list archives at previous threads on this topic. There is also a suggestion at http://bugzilla.wikimedia.org/898 to implement validity-checking for various types of file, to verify them as "safe".
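
One way an extension whitelist and the kind of validity-checking suggested in the bug report above could fit together, as an added example that is not part of the original message and is not MediaWiki's code. The extension list, file signatures, markup pattern, sniff window and the name `check_upload` are assumptions made for illustration, as is the premise that the concern is a browser rendering uploaded content as HTML.

```python
import re

# Assumed whitelist and file signatures, for illustration only.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "txt": None,  # no signature; must decode as text instead
}
# Assumed, non-exhaustive list of markup that a content-sniffing browser
# could render as HTML. Deliberately strict: it may reject some valid files.
MARKUP = re.compile(rb"<\s*(!doctype|html|head|body|script|iframe|meta|title)", re.I)
SNIFF_WINDOW = 1024  # leading bytes inspected for markup (assumed value)


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded file name and its bytes."""
    name = filename.lower()
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1]  # last extension decides: a.png.zip is a zip
    if ext not in ALLOWED:
        return False, "extension not on whitelist"
    signatures = ALLOWED[ext]
    if signatures is not None and not data.startswith(signatures):
        return False, "content does not match extension"
    if MARKUP.search(data[:SNIFF_WINDOW]):
        return False, "markup in leading bytes"
    if signatures is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "not valid UTF-8 text"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads, not real files.
    samples = [
        ("notes.zip", b"PK\x03\x04"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("photo.png", b"<html><body>hi</body></html>"),
        ("photo.gif", b"GIF89a<html>"),
        ("readme.txt", b"<script>document.title</script>"),
        ("readme.txt", b"plain notes\n"),
    ]
    for name, data in samples:
        print(name, check_upload(name, data))
```

A check like this only narrows what gets stored; it does not make an accepted file safe to open, so it complements the whitelist and does not replace it.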