brion@svn.wikimedia.org wrote:
Revision: 41264 Author: brion Date: 2008-09-25 18:43:33 +0000 (Thu, 25 Sep 2008)
Log Message:
- Improved upload file type detection for OpenDocument formats
Added a check for the magic value header in OpenDocument zip archives which specifies which subtype it is. Such files will get detected with the appropriate mime type and matching extension, so ODT etc uploads will work again where enabled.
(Previously the general ZIP check and blacklist would disable them.)
I think you're missing the point. It's trivial to make a file which is both a valid OpenDocument file, and a valid JAR file subject to the same origin policy.
http://noc.wikimedia.org/~tstarling/odjar/
print $mm->guessMimeType('.../odjar.odt')
application/vnd.oasis.opendocument.text
Just done with zip/unzip, no hex editing involved.
-- Tim Starling
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Tim Starling wrote:
- Improved upload file type detection for OpenDocument formats
Added a check for the magic value header in OpenDocument zip archives
which specifies which subtype it is. Such files will get detected with the appropriate mime type and matching extension, so ODT etc uploads will work again where enabled.
(Previously the general ZIP check and blacklist would disable them.)
I think you're missing the point. It's trivial to make a file which is both a valid OpenDocument file, and a valid JAR file subject to the same origin policy.
I have no doubt of this, but only our restricted-write-access internal sites allow OpenDocument uploads, and they also allow Zip uploads. ;)
The point is to make the uploads actually *work* when and where they've been explicitly enabled.
Smarter "evil JAR detection" that pokes through the ZIP file index looking for Java classes and blocks the specific file would be a nice addition, particularly if we were to do something foolish like enable OpenDocument uploads on general-access sites. :)
There is a Zip extension for PHP which might be handy for this purpose, though of course it's not enabled by default and may not be present on any given setup. :(
- -- brion
Brion Vibber wrote:
Smarter "evil JAR detection" that pokes through the ZIP file index looking for Java classes and blocks the specific file would be a nice addition, particularly if we were to do something foolish like enable OpenDocument uploads on general-access sites. :)
There is a Zip extension for PHP which might be handy for this purpose, though of course it's not enabled by default and may not be present on any given setup. :(
Just make sure it'll fail gracefully if someone tries to upload 42.zip.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Ilmari Karonen wrote:
Brion Vibber wrote:
Smarter "evil JAR detection" that pokes through the ZIP file index looking for Java classes and blocks the specific file would be a nice addition, particularly if we were to do something foolish like enable OpenDocument uploads on general-access sites. :)
There is a Zip extension for PHP which might be handy for this purpose, though of course it's not enabled by default and may not be present on any given setup. :(
Just make sure it'll fail gracefully if someone tries to upload 42.zip.
:D
Checks for these purposes probably only require reading the file directory, not actually decompressing any file contents.
- -- brion
wikitech-l@lists.wikimedia.org