When I try to upload a .pdf or .gif via
http://en.wikipedia.org/wiki/Special:Upload
I get:
Upload warning
".pdf" is not a recommended image file format.
But no form to submit anyway appears. Thus I cannot upload the files. Is this a bug, the intended behavior, or a misconfiguration?
- David [[User:Nohat]]
On Jan 30, 2004, at 13:41, David Friedland wrote:
> ".pdf" is not a recommended image file format.
> But no form to submit anyway appears. Thus I cannot upload the files. Is this a bug, the intended behavior, or a misconfiguration?
This was a misconfiguration (using the now default extra-strict mode instead of the more lenient mode we want for Wikipedia) which was fixed yesterday, then accidentally put back in place. Should be fixed now.
It'll now completely refuse to accept a few formats, but should be again overridable for formats that it just doesn't recognize.
Here are the defaults for 'recommended' file formats and the blacklist:
# This is the list of preferred extensions for uploading files. Uploading
# files with extensions not in this list will trigger a warning.
$wgFileExtensions = array( "png", "jpg", "jpeg", "ogg" );

# Files with these extensions will never be allowed as uploads.
$wgFileBlacklist = array(
    # HTML may contain cookie-stealing JavaScript and web bugs
    "html", "htm",
    # PHP scripts may execute arbitrary code on the server
    "php", "phtml", "php3", "php4", "phps",
    # Other types that may be interpreted by some servers
    "shtml", "jhtml", "pl", "py",
    # May contain harmful executables for Windows victims
    "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
The blacklist isn't foolproof, but it's just a little extra precaution.
-- brion vibber (brion @ pobox.com)
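As an added illustration of the policy described in the message above (not MediaWiki's code and not part of the original post): a sketch of the three outcomes, refuse, warn with override, and accept, using the two default lists as quoted. The function name classifyUpload() and the sample file names are hypothetical, and checking every dot-separated extension rather than only the last one goes beyond what the message describes.

```php
<?php
// Added example, not MediaWiki's code. The two lists are the defaults quoted
// in the message above; classifyUpload() is a hypothetical name.
$wgFileExtensions = array( "png", "jpg", "jpeg", "ogg" );
$wgFileBlacklist = array(
    "html", "htm",
    "php", "phtml", "php3", "php4", "phps",
    "shtml", "jhtml", "pl", "py",
    "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );

// Returns "refuse" (never accepted), "warn" (accepted only after the
// uploader confirms) or "ok".
function classifyUpload( $filename, $recommended, $blacklist ) {
    // Lower-case first so that "INDEX.PHP" still matches "php".
    $parts = explode( ".", strtolower( basename( $filename ) ) );
    array_shift( $parts );          // drop the base name, keep the extensions
    if ( count( $parts ) == 0 ) {
        return "warn";              // no extension at all: unrecognized type
    }
    // Assumption beyond the page: test every extension, not only the last,
    // because some server configurations act on inner ones ("page.php.jpg").
    foreach ( $parts as $ext ) {
        if ( in_array( $ext, $blacklist, true ) ) {
            return "refuse";
        }
    }
    $final = end( $parts );
    return in_array( $final, $recommended, true ) ? "ok" : "warn";
}

// Constructed sample names, one per outcome plus two edge cases.
$samples = array( "photo.JPG", "manual.pdf", "index.PHP", "page.php.jpg", "README" );
foreach ( $samples as $name ) {
    printf( "%-14s %s\n", $name,
        classifyUpload( $name, $wgFileExtensions, $wgFileBlacklist ) );
}
```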
Brion Vibber wrote:
> # Files with these extensions will never be allowed as uploads.
> $wgFileBlacklist = array(
>     # HTML may contain cookie-stealing JavaScript and web bugs
>     "html", "htm",
>     # PHP scripts may execute arbitrary code on the server
>     "php", "phtml", "php3", "php4", "phps",
>     # Other types that may be interpreted by some servers
>     "shtml", "jhtml", "pl", "py",
>     # May contain harmful executables for Windows victims
>     "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
You might want to add "cmd", "vxd", and "cpl" to the latter list.
Timwi
On Jan 31, 2004, at 04:45, Timwi wrote:
>> # May contain harmful executables for Windows victims
>> "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
> You might want to add "cmd", "vxd", and "cpl" to the latter list.
Jeez! Is there any file type that _isn't_ executable by default on Windows? :P
-- brion vibber (brion @ pobox.com)
Brion Vibber wrote:
> On Jan 31, 2004, at 04:45, Timwi wrote:
>>> # May contain harmful executables for Windows victims
>>> "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
>> You might want to add "cmd", "vxd", and "cpl" to the latter list.
> Jeez! Is there any file type that _isn't_ executable by default on Windows? :P
Well, out of those three, only "cmd" is "executable by double-click".
But the file format of libraries, drivers and everything is the same for EXE, and so they are also executable. For example, "cpl" is a plug-in for the Windows Control Panel, and so a CPL file in your Windows directory would be executed when you open the Control Panel. Similarly, VXD is a device driver, I think.
Greetings, Timwi
"Timwi" timwi@gmx.net wrote in message news:bvj1b6$d5m$1@sea.gmane.org...
> Brion Vibber wrote:
>> On Jan 31, 2004, at 04:45, Timwi wrote:
>>>> # May contain harmful executables for Windows victims
>>>> "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
>>> You might want to add "cmd", "vxd", and "cpl" to the latter list.
>> Jeez! Is there any file type that _isn't_ executable by default on Windows? :P
> Well, out of those three, only "cmd" is "executable by double-click".
> But the file format of libraries, drivers and everything is the same for EXE, and so they are also executable. For example, "cpl" is a plug-in for the Windows Control Panel, and so a CPL file in your Windows directory would be executed when you open the Control Panel. Similarly, VXD is a device driver, I think.
Any file can contain machine code. Files such as dll, vxd and cpl are only dangerous if they are somehow downloaded in such a way as to overwrite existing libraries. Far more dangerous are file formats which are executed on double-click and can contain VBA macros: doc, xls, etc.
-- Tim Starling
Timwi wrote:
> Brion Vibber wrote:
>> # Files with these extensions will never be allowed as uploads.
>> $wgFileBlacklist = array(
>>     # HTML may contain cookie-stealing JavaScript and web bugs
>>     "html", "htm",
>>     # PHP scripts may execute arbitrary code on the server
>>     "php", "phtml", "php3", "php4", "phps",
>>     # Other types that may be interpreted by some servers
>>     "shtml", "jhtml", "pl", "py",
>>     # May contain harmful executables for Windows victims
>>     "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
> You might want to add "cmd", "vxd", and "cpl" to the latter list.
> Timwi
Adding .zip to the blacklist might not hurt, as it is frequently used to smuggle Windows executables through similar filters.
-- Neil
Brion Vibber wrote:
> Here are the defaults for 'recommended' file formats and the blacklist:
> # Other types that may be interpreted by some servers
> "shtml", "jhtml", "pl", "py",
+ .cgi
> # May contain harmful executables for Windows victims
> "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
+ .msi (executable MS Windows installation file)
Regards, Nils.
wikitech-l@lists.wikimedia.org