[Mediawiki-l] File upload help

Fred Bauder fredbaud at waterwiki.info
Fri May 11 22:45:23 UTC 2007


I can see this, the command "Fire!" triggers the .cmd batch file, and the battle starts...

Fred

>-----Original Message-----
>From: Mike [mailto:xclbur5150 at yahoo.com]
>Sent: Friday, May 11, 2007 02:33 PM
>To: 'MediaWiki announcements and site admin list'
>Subject: Re: [Mediawiki-l] File upload help
>
>>>IMPORTANT: I cannot imagine any circumstance whereby you would allow the upload (and possible execution) of a .cmd, .sys, .com, . . . file. Unless you are using this as a developer wiki in an extremely restricted environment, it sounds like a wonderful way to compromise your system.
>
>Well, the wiki is for an online game.  Some of the files used to play the game use .cmd extensions.  The files that will be uploaded would not be Windows executable .cmd files (unless, like you said, a malicious user uploads something they shouldn't).  I will see if there is a way around using the .cmd file type, but if not then am I correct in thinking that it is possible to remove the .cmd from the blacklist in DefaultSettings.php?
>   
>  Thanks so much for all the help!
>Mike
>  
>Rob Church <robchur at gmail.com> wrote: 
>  On 11/05/07, Oliver Schalch wrote:
>> Aint $wgFileBlacklist has highest priority, so you have no way to upload
>> files with extension in the blacklist, even if you add to $wgFileExtensions
>> array.
>>
>> I guess, he has to remove the 'cmd' from DefaultSettings.php...
>
>The file blacklist is for your safety and your users' safety. Removing
>the extension from the blacklist would mean that a malicious user
>would be able to upload a Windows command line script (equivalent to a
>shell script) which could lead to execution rights on the client if
>downloaded, especially since Windows has an annoying habit of
>executing things left, right and centre.
>
>You therefore remove this from the blacklist at your own risk.
>
>
>Rob Church
>
>_______________________________________________
>MediaWiki-l mailing list
>MediaWiki-l at lists.wikimedia.org
>http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
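
The override discussed in this thread, as an added example that is not part of the original messages: a LocalSettings.php fragment that changes the two settings named above instead of editing DefaultSettings.php, which is overwritten on upgrade. It assumes the fragment sits after the point where LocalSettings.php has loaded the defaults, so both arrays already exist.

```php
# LocalSettings.php fragment (added example, not from the thread).
# Assumption: placed after the defaults have been loaded, so that
# $wgFileExtensions and $wgFileBlacklist are already populated.

$wgEnableUploads = true;

# 1. Allow-list. Adding 'cmd' here is not enough on its own: as noted in
#    the thread, $wgFileBlacklist takes priority, so the upload is still
#    refused while 'cmd' remains on the blacklist.
$wgFileExtensions[] = 'cmd';

# 2. Remove only 'cmd' from the blacklist and keep every other default
#    entry. array_diff() leaves gaps in the keys; array_values() reindexes.
#    Consequence stated in the thread: a Windows command script can then be
#    uploaded and may run on a client that downloads it.
$wgFileBlacklist = array_values(
    array_diff( $wgFileBlacklist, array( 'cmd' ) )
);
```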




