OOXML formats
are zip achives. It is likely the only way to correctly
identify them is to extract the files from the zip archive and validate them
as being office 2007 format. I think the same method was mentioned for
OpenDocument files, except OpenDocument has a validator available.
I can't find my previous post on this, but I provided a dirty, dirty hack
for allowing OOXML uploads. Like the patch in the bug report, it opens a
hole for exploits; but, without validation, I think any fix would open a
hole for exploits.
Well, in this case, it's only the one file type... or more accurately
the one specific file - as we discovered through more testing today. I
think we've nailed it down to this one file being "broken" somehow.
While being a valid OXT file (ie it can be used in
OpenOffice.org), for
some reason its mime type isn't being correctly identified on the Wiki.
Other OXT files tested are correctly IDed (as they should be) and can
be uploaded.
So... I'm thinking the hack isn't needed in this case, and that
ultimately, this is not a bug in MediaWiki - instead a problem with the
creation of this one file that a user was trying to upload.
C.
Since OpenDocument files are Zip files, unless you do some extra
validation, a Jar could be uploaded disguised as an OD? file.
The vulnerability is that a Jar have same-origin permissions over the
wiki, and so -linked from an external page viewed by logged-in users-
can do all kinds of Bad Things.