Timwi wrote:
Brion Vibber wrote:
    # Files with these extensions will never be allowed as uploads.
    $wgFileBlacklist = array(
        # HTML may contain cookie-stealing JavaScript and web bugs
        "html", "htm",
        # PHP scripts may execute arbitrary code on the server
        "php", "phtml", "php3", "php4", "phps",
        # Other types that may be interpreted by some servers
        "shtml", "jhtml", "pl", "py",
        # May contain harmful executables for Windows victims
        "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
You might want to add "cmd", "vxd", and "cpl" to the latter list.
Timwi
Adding .zip to the blacklist might not hurt, as it is frequently used to smuggle Windows executables through similar filters.
-- Neil