[Mediawiki-l] File upload help

Mike xclbur5150 at yahoo.com
Fri May 11 20:33:04 UTC 2007


> IMPORTANT: I cannot imagine any circumstance whereby you would allow
> the upload (and possible execution) of a .cmd, .sys, .com, . . . file. Unless
> you are using this as a developer wiki in an extremely restricted
> environment, it sounds like a wonderful way to compromise your system.

Well, the wiki is for an online game.  Some of the files used to play the game use .cmd extensions.  The files that will be uploaded would not be Windows executable .cmd files (unless, like you said, a malicious user uploads something they shouldn't).  I will see if there is a way around using the .cmd file type, but if not, then am I correct in thinking that it is possible to remove the .cmd from the blacklist in DefaultSettings.php?
   
  Thanks so much for all the help!
Mike
  
Rob Church <robchur at gmail.com> wrote: 
  On 11/05/07, Oliver Schalch wrote:
> Ain't $wgFileBlacklist has highest priority, so you have no way to upload
> files with extension in the blacklist, even if you add to $wgFileExtensions
> array.
>
> I guess, he has to remove the 'cmd' from DefaultSettings.php...

The file blacklist is for your safety and your users' safety. Removing
the extension from the blacklist would mean that a malicious user
would be able to upload a Windows command line script (equivalent to a
shell script) which could lead to execution rights on the client if
downloaded, especially since Windows has an annoying habit of
executing things left, right and centre.

You therefore remove this from the blacklist at your own risk.


Rob Church


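The change discussed in this thread, as an added example that is not part of the original messages or of MediaWiki's own code: the override is written in LocalSettings.php instead of editing DefaultSettings.php, it removes only 'cmd' from $wgFileBlacklist, and it leaves the other upload checks switched on. It assumes a MediaWiki release of that era in which $wgFileBlacklist is already populated by the time LocalSettings.php runs.

```php
# LocalSettings.php fragment (added example, not from the thread).
# Assumption: the defaults, including $wgFileBlacklist, are already loaded
# at this point in the file.

$wgEnableUploads = true;

# Drop only 'cmd' from the default blacklist; every other blocked
# extension (exe, bat, com, ...) stays blocked.
$wgFileBlacklist = array_values(
	array_diff( $wgFileBlacklist, array( 'cmd' ) )
);

# As noted in the thread, the blacklist wins over the allow list, so 'cmd'
# has to be removed above *and* listed here before such uploads are accepted.
$wgFileExtensions[] = 'cmd';

# Keep the remaining upload checks enabled.
$wgCheckFileExtensions  = true;  # compare uploads against $wgFileExtensions
$wgStrictFileExtensions = true;  # reject extensions not in $wgFileExtensions
$wgVerifyMimeType       = true;  # check that content matches the extension
```

As Rob Church's reply says, with 'cmd' off the blacklist the wiki will accept a genuine Windows command script as readily as a game file, so that exposure remains for anyone who downloads from it.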