I can see this, the command "Fire!" triggers the .cmd batchfile, and the battle
starts...
Fred
-----Original Message-----
From: Mike [mailto:xclbur5150@yahoo.com]
Sent: Friday, May 11, 2007 02:33 PM
To: 'MediaWiki announcements and site admin list'
Subject: Re: [Mediawiki-l] File upload help
> IMPORTANT: I cannot imagine any circumstance whereby you would allow
> the upload (and possible execution) of a .cmd, .sys, .com, ... file. Unless
> you are using this as a developer wiki in an extremely restricted environment, it sounds
> like a wonderful way to compromise your system.

Well, the wiki is for an online game. Some of the files used to play the game use .cmd
extensions. The files that will be uploaded would not be Windows executable .cmd files
(unless, like you said, a malicious user uploads something they shouldn't). I will see
if there is a way around using the .cmd file type, but if not, then am I correct in
thinking that it is possible to remove the .cmd from the blacklist in
DefaultSettings.php?
Thanks so much for all the help!
Mike
Rob Church <robchur(a)gmail.com> wrote:
On 11/05/07, Oliver Schalch wrote:
> Ain't $wgFileBlacklist has highest priority, so you have no way to upload
> files with extension in the blacklist, even if you add to $wgFileExtensions
> array.
> I guess, he has to remove the 'cmd' from DefaultSettings.php...

The file blacklist is for your safety and your users' safety. Removing
the extension from the blacklist would mean that a malicious user
would be able to upload a Windows command line script (equivalent to a
shell script) which could lead to execution rights on the client if
downloaded, especially since Windows has an annoying habit of
executing things left, right and centre.
You therefore remove this from the blacklist at your own risk.
Rob Church
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
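
The precedence described in the thread, where a blacklisted extension is refused even when it has also been added to the allowed list, as an added example that is not from the thread or from MediaWiki's code. It is a simplified Python model; the list contents, the function names and the rule of checking every dot-separated extension are assumptions.

```python
# Simplified model of an upload extension check in which the blacklist
# always wins over the allow-list. This is not MediaWiki's code; the
# list contents are constructed for the example.
ALLOWED = {"png", "jpg", "txt", "cmd"}           # admin added 'cmd' here
BLACKLIST = {"cmd", "sys", "com", "exe", "bat"}  # constructed sample list


def split_extensions(filename):
    """Return every dot-separated extension, lower-cased.

    'Map.CMD.txt' -> ['cmd', 'txt']; empty segments (trailing or
    doubled dots) are dropped so 'fire.cmd.' still yields ['cmd'].
    """
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def check_upload(filename, allowed=ALLOWED, blacklist=BLACKLIST):
    """Return (accepted, reason) for a proposed upload name."""
    exts = split_extensions(filename)
    if not exts:
        return (False, "no extension")
    # Blacklist is consulted first and on every extension, so neither an
    # allow-list entry nor a harmless final suffix can override it.
    hits = [e for e in exts if e in blacklist]
    if hits:
        return (False, "blacklisted: " + hits[0])
    # Only the final extension has to be on the allow-list.
    if exts[-1] not in allowed:
        return (False, "not allowed: " + exts[-1])
    return (True, "ok")


if __name__ == "__main__":
    for name in ["fire.cmd", "Fire.CMD", "fire.cmd.txt", "map.png", "notes"]:
        print(name, check_upload(name))
    # Removing 'cmd' from the blacklist is what makes the upload pass,
    # which is the risk trade-off discussed in the thread.
    print(check_upload("fire.cmd", blacklist=BLACKLIST - {"cmd"}))
```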