On Mon, Oct 25, 2010 at 10:51 PM, Marco Schuster marco@harddisk.is-a-geek.org wrote:
On Mon, Oct 25, 2010 at 10:09 PM, Aryeh Gregor Simetrical+wikilist@gmail.com wrote:
On Mon, Oct 25, 2010 at 3:50 PM, Max Semenik maxsem.wiki@gmail.com wrote:
Instead of amassing social constructs around technical deficiency, I propose to fix bug 24230 [1] by implementing proper checking for JAR format.
Does that bug even affect Wikimedia? We have uploads segregated on their own domain, where we don't set cookies or do anything else interesting, so what would an uploaded JAR file even do?
upload.wikimedia.org could end up on Google's Safe Surfing (or however it's called) blacklist for hosting malicious .jar's which are injected on another pwned web site or loaded through pwned advertising brokers. Given the fact that Java is the 2nd biggest exploit vector in terms of exploits (but 1st in terms of impact - users don't update Java as often as the Adobe Reader), it should not be allowed to upload JARs (or things that look like something else, but infact can be loaded and executed by the JRT) to Wikipedia.
Marco
VMSoft GbR Nabburger Str. 15 81737 München Geschäftsführer: Marco Schuster, Volker Hemmert http://vmsoft-gbr.de
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Should we also be exploring any possibly malicious archives inside archives recursively, or is just making sure the archive itself is good is good enough?