[Mediawiki-l] A couple of cookbook questions

Charles Martin Charles.Martin at Sun.COM
Tue Jan 16 18:04:58 UTC 2007

Kasimir Gabert wrote:
> Hello Charles,
> For (1) I would not allow uploads of HTML through MediaWiki -- this is
> much too big of a security hole.  I would build a custom script that
> uploads files but scans through for any illegal HTML tags (do it by
> whitelist, not by blacklist)  -- the script can also integrate the
> uploaded files into MediaWiki *after* it has passed the security
> inspection.

Okay, thanks, but this is under pretty tight control.  Let's say I 
*really* *really* wanted to do this, even with security concerns in 
mind.  Let's say, further, that I've already taken HTML types out of 
$wgFileBlacklist, text/html and similar types out of 
$wgMimeTypeBlacklist, and set $wgCheckFileExtensions, 
$wgStrictFileExtensions, and $wgVeryfyMimeType all to false ...
and I still get an error and it refuses to upload my html files.

What am I missing?

> For (2) It seems to me that you do not have "diff3" installed on your
> machine.  Type in "which diff3" and see whether or not you have it
> installed.  You might need to change it to a different diff engine, or
> install the proper one.

I appear to have a proper diff3, but what I'm getting as a result is a 
file called "index.php" with these contents (inserted as a quote to make 
it stand out):

> [Process]
> Type=Diff text
> Engine=MediaWiki
> Script=http://vortex.stortek.com/wiki/index.php
> Special namespace=Special
> [File]
> Extension=wiki
> URL=http://vortex.stortek.com/wiki/index.php?title=Main_Page&action=raw&oldid=2433
> [File 2]
> Extension=wiki
> URL=http://vortex.stortek.com/wiki/index.php?title=Main_Page&action=raw&oldid=2526

Does this give anyone any clues?


        Charles R. Martin | Sr Staff Engineer | Sun Microsystems
                         charles.martin at sun.com
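
An added example, not part of the original message or of MediaWiki: one way to write the whitelist scan suggested in the quoted reply, run on an uploaded HTML file before it is handed to the wiki. The tag, attribute and URL-scheme lists and the names scan_upload, AllowlistScanner and scheme_ok are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for illustration; anything not listed is rejected.
ALLOWED_TAGS = {"html", "head", "title", "body", "p", "br", "h1", "h2", "h3",
                "ul", "ol", "li", "a", "b", "i", "em", "strong", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative link

# Constructed sample uploads.
GOOD = b'<html><body><h1>Notes</h1><p>See <a href="/wiki/Main_Page">main</a>.</p></body></html>'
BAD = b'<p onclick="x()">hi</p><SCRIPT>x()</SCRIPT><a href="javascript:x()">y</a>'


def scheme_ok(value):
    # Drop whitespace/control characters before reading the scheme.
    cleaned = "".join(c for c in (value or "") if c > " ")
    try:
        return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False  # unparseable URL: reject


class AllowlistScanner(HTMLParser):
    """Records every construct that is not explicitly allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []

    def handle_starttag(self, tag, attrs):  # names arrive lowercased
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}>")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"attribute {name} on <{tag}>")
            elif name == "href" and not scheme_ok(value):
                self.violations.append(f"URL scheme in href on <{tag}>")

    def handle_pi(self, data):
        self.violations.append("processing instruction")


def scan_upload(raw):
    """Return the list of violations; an empty list means the file passed."""
    try:
        text = raw.decode("utf-8")  # refuse other encodings outright
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    scanner = AllowlistScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.violations
```

scan_upload(GOOD) returns an empty list, while scan_upload(BAD) reports the event-handler attribute, the script tag and the javascript: link. A file would be passed on to the wiki only when the list is empty.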
