I noticed that now you cannot upload a lot of file types anymore, like zip, gz, doc, xls, sxw, sxc.
I understand that some types of files are not allowed for legal and system security reasons. But this is not the case here. For creating and maintaining the Wikipedia software all are the system developers grateful. But to use or not to use those files is an editorial decision that has to be made by every Wikipedia. It is not something that may be decided by the system developers.
I most strongly request on behalf of the Dutch Wikipedia a more free upload possibility. Like a white list that can be edited or an override. Do not ignore this.
On Thu, 18 Nov 2004 23:30:57 +0100, Walter Vermeir walter@wikipedia.be wrote:
> I noticed that now you cannot upload a lot of file types anymore, like zip, gz, doc, xls, sxw, sxc.
> I understand that some types of files are not allowed for legal and system security reasons. But this is not the case here.
Why not? The same security flaws will be present wherever the software is used. If I remember rightly, the original security breach that prompted the crack-down was a Japanese user uploading a specially constructed text-file that caused anyone browsing a certain page with Internet Explorer to have their username and password automatically sent elsewhere. It is not a risk to be taken lightly.
If you mean there is no risk in the filetypes you mentioned, I would also disagree - apart from the possibility of the IE bug I just mentioned applying, .doc and .xls files are notoriously good hosts for Trojan horses, and an enticingly-named .zip file could contain anything (and people *will* open it; remember the "I love you" virus?).
I'm not saying the whitelist should never be expanded whatsoever, or even that these filetypes should never ever be allowed, just that opening up this decision to wiki administrators who may not understand the full implications could be very risky. Currently, those with access to the configuration files on the server can edit the whitelist, and in general these are likely to be people who will consider the implications of doing so. And the fact that there are so few encourages discussion before action (as opposed to the "be bold" mantra common on wikis).
You might want to look through the list archives at previous threads on this topic. There is also a suggestion at http://bugzilla.wikimedia.org/898 to implement validity-checking for various types of file, to verify them as "safe".
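One way to do the validity-checking mentioned above, as an added example that is not part of the thread or of the wiki software's own code: an extension allow-list combined with a magic-byte check and a scan for markup a browser could render. The allow-list contents, the `validate_upload` name and the sample byte strings are constructed for illustration, and the example assumes the risk is a browser treating uploaded content as an active page.

```python
import re

# Constructed allow-list: extension -> magic-byte prefixes that must open the file.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markup that a browser guessing the type from content could render as a page.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(html|head|body|script|iframe|object|embed|meta)\b|javascript\s*:",
    re.IGNORECASE,
)
SNIFF_WINDOW = 1024  # assumption: only the leading bytes are inspected

# Constructed sample uploads (not real files).
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "archive.zip": b"PK\x03\x04" + b"\x00" * 16,
    "notes.gif": b"PK\x03\x04" + b"\x00" * 16,  # zip content, renamed
    "pic.gif": b"GIF89a<html><body>hi</body></html>",  # valid magic, then markup
}


def validate_upload(filename, data):
    """Return (accepted, reason) for one uploaded file."""
    name = filename.rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    # Every extension after the base name must be allowed, so a name
    # such as "report.doc.png" is rejected as well.
    for ext in parts[1:]:
        if ext not in ALLOWED:
            return False, f"extension .{ext} not on allow-list"
    if not data.startswith(ALLOWED[parts[-1]]):
        return False, "content does not match extension"
    if ACTIVE_MARKUP.search(data[:SNIFF_WINDOW]):
        return False, "active markup in leading bytes"
    return True, "ok"


if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, validate_upload(fname, blob))
```

A check like this complements a virus scan of the upload and does not replace one.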
On Nov 18, 2004, at 2:30 PM, Walter Vermeir wrote:
> I noticed that now you cannot upload a lot of file types anymore, like zip, gz, doc, xls, sxw, sxc.
> I understand that some types of files are not allowed for legal and system security reasons. But this is not the case here. For creating and maintaining the Wikipedia software all are the system developers grateful. But to use or not to use those files is an editorial decision that has to be made by every Wikipedia. It is not something that may be decided by the system developers.
It's not an editorial decision at all; it's purely a security decision.
zip and gz are compression formats which can carry other, dangerous files. doc and xls are notorious carriers of macro viruses (thanks, Microsoft!). There's been some sample code submitted for running uploads through the clamav virus scanner; I'll try and get this integrated this weekend, and we can then enable a bunch of formats with greater confidence.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org