I can see this, the command "Fire!" triggers the .cmd batchfile, and the battle starts...
Fred
-----Original Message-----
From: Mike [mailto:xclbur5150@yahoo.com]
Sent: Friday, May 11, 2007 02:33 PM
To: 'MediaWiki announcements and site admin list'
Subject: Re: [Mediawiki-l] File upload help
IMPORTANT: I cannot imagine any circumstance whereby you would allow the upload (and possible execution) of a .cmd, .sys, .com, ... file. Unless you are using this as a developer wiki in an extremely restricted environment, it sounds like a wonderful way to compromise your system.
Well, the wiki is for an online game. Some of the files used to play the game use .cmd extensions. The files that will be uploaded would not be Windows executable .cmd files (unless, like you said, a malicious user uploads something they shouldn't). I will see if there is a way around using the .cmd file type, but if not, then am I correct in thinking that it is possible to remove the .cmd from the blacklist in DefaultSettings.php?
Thanks so much for all the help! Mike
Rob Church robchur@gmail.com wrote:
On 11/05/07, Oliver Schalch wrote:
Ain't $wgFileBlacklist has highest priority, so you have no way to upload files with an extension in the blacklist, even if you add it to the $wgFileExtensions array.
I guess he has to remove the 'cmd' from DefaultSettings.php...
The file blacklist is for your safety and your users' safety. Removing the extension from the blacklist would mean that a malicious user would be able to upload a Windows command line script (equivalent to a shell script) which could lead to execution rights on the client if downloaded, especially since Windows has an annoying habit of executing things left, right and centre.
You therefore remove this from the blacklist at your own risk.
Rob Church
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l