[Foundation-l] Code detecting bots?

Gregory Maxwell gmaxwell at gmail.com
Fri Aug 3 02:00:08 UTC 2007


On 8/2/07, Brion Vibber <brion at wikimedia.org> wrote:
> > We do. And if it doesn't match what we think it will be... we put a
> > notice that no one notices on the image page.
>
> That's incorrect.
> If the detected filetype doesn't match the defined filetype for the
> extension, then the upload is rejected.
>
> (However note that at this moment we don't have very solid detection for
> OGG.)

O_o. I still find a lot of random crud uploaded as other things on commons.

We reliably detect Ogg as far as I can tell, at least in the sense
that when I've checked in the past all the files on commons that had
the bad mime data in the database were actually not ogg files.

I'll have to check more carefully but if we are, as I believe,
correctly detecting Ogg files then we could turn on limiting on those
files.

> The warning on image pages about malicious code is bullshit -- we should
> remove it, since it has nothing to do with reality.

I just conducted a test:
[gmaxwell at bessel ~]$ file ./.wine/drive_c/windows/system32/cmd.exe
./.wine/drive_c/windows/system32/cmd.exe: MS-DOS executable PE  for MS
Windows (console) Intel 80386

http://commons.wikimedia.org/wiki/Image:Winecmdexe.sxd
http://commons.wikimedia.org/wiki/Image:Winecmdexe.svg
http://commons.wikimedia.org/wiki/Image:Winecmdexe.xcf
http://commons.wikimedia.org/wiki/Image:Winecmdexe.mid
http://commons.wikimedia.org/wiki/Image:Winecmdexe.sxw
http://commons.wikimedia.org/wiki/Image:Winecmdexe.pdf
http://commons.wikimedia.org/wiki/Image:Winecmdexe.ogg

It did reject the exe renamed to both png and jpg but that's it.

> Greg, don't be afraid to pop things into bugzilla or work with us over
> in SVN to fix things up. :)

I'm not, but I honestly thought this was 'works as designed'.

At least in the ogg case we may already have reliable enough
detection. If something is lacking there it should be trivial to fix;
ogg is easy to detect robustly. I don't know about the other file
types.
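
Added example, not part of the original message and not MediaWiki's code: a content-based check of the kind the thread discusses, which accepts a .ogg upload only if it begins with a structurally valid Ogg page (capture pattern, version, flags, segment table and page CRC). The function names and the upload_allowed policy hook are hypothetical, and the sample inputs are constructed.

```python
import struct

def _crc_table():
    # Ogg page CRC-32: polynomial 0x04C11DB7, MSB-first, init 0, no final XOR.
    table = []
    for i in range(256):
        r = i << 24
        for _ in range(8):
            r = ((r << 1) ^ 0x04C11DB7 if r & 0x80000000 else r << 1) & 0xFFFFFFFF
        table.append(r)
    return table

_TABLE = _crc_table()

def ogg_crc(data):
    crc = 0
    for byte in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[(crc >> 24) ^ byte]
    return crc

def is_ogg(data):
    """True only if data begins with a structurally valid first Ogg page."""
    if len(data) < 27 or data[:4] != b"OggS" or data[4] != 0:
        return False              # wrong magic or stream structure version
    flags, nsegs = data[5], data[26]
    if flags & ~0x07 or not flags & 0x02 or flags & 0x01:
        return False              # first page must be beginning-of-stream, not a continuation
    end = 27 + nsegs + sum(data[27:27 + nsegs])
    if len(data) < end:
        return False              # truncated segment table or body
    page = data[:end]
    stored = struct.unpack_from("<I", page, 22)[0]
    # The CRC covers the whole page with the CRC field itself zeroed.
    return ogg_crc(page[:22] + b"\0\0\0\0" + page[26:]) == stored

def upload_allowed(filename, data):
    """Hypothetical policy hook: the extension and the sniffed content must agree."""
    return filename.lower().endswith(".ogg") and is_ogg(data)

def make_page(body, serial=1):
    """Build a constructed single-segment first page (body shorter than 255 bytes)."""
    hdr = b"OggS" + bytes([0, 0x02]) + struct.pack("<qIII", 0, serial, 0, 0)
    page = hdr + bytes([1, len(body)]) + body
    return page[:22] + struct.pack("<I", ogg_crc(page)) + page[26:]

if __name__ == "__main__":
    good = make_page(b"constructed payload")
    fake = b"MZ" + b"\x90" * 64   # constructed stand-in for an executable renamed to .ogg
    print(upload_allowed("sample.ogg", good), upload_allowed("Winecmdexe.ogg", fake))
```

Checking the page CRC as well as the "OggS" magic means a file that merely starts with the four magic bytes is still rejected.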
