On Thu, 18 Nov 2004 23:30:57 +0100, Walter Vermeir <walter(a)wikipedia.be> wrote:
I noticed that now you can not upload anymore a lot of
file types. Like
zip, gz, doc, xls, sxw, sxc
I understand that some types of files are not allowed
for legal and
system security reasons. But this is not the case here.
Why not? The same security flaws will be present wherever the software
is used. If I remember rightly, the originally security breach that
prompted the crack-down was a Japanese user uploading a specially
contstructed text-file that caused anyone browsing a certain page with
Internet Explorer to have their username and password automatically
sent elsewhere. It is not a risk to be taken lightly.
If you mean there is no risk in the filetypes you mentionned, I would
also disagree - apart from the possibility of the IE bug I just
mentioned applying, .doc and .xls files are notoriously good hosts for
Trojan horses, and an enticingly-named .zip file could contain
anything (and people *will* open it; remember the "I love you"
virus?).
I'm not saying the whitelist should never be expanded whatsoever, or
even that these filetpes should never ever be allowed, just that
opening up this decision to wiki administrators who may not understand
the full implications could be very risky. Currently, those with
access to the configuration files on the server can edit the
whitelist, and in general these are likely to be people who will
consider the implications of doing so. And the fact that there are so
few encourages discussion before action (as opposed to the "be bold"
mantra common on wikis).
You might want to look through the list archives at previous threads
on this topic. There is also a suggestion at
http://bugzilla.wikimedia.org/898 to implement validity-checking for
various types of file, to verify them as "safe".
--
Rowan Collins BSc
[IMSoP]