From: Brion Vibber Date: Tue, 28 Sep 2004 23:32:18 +0000 (+0000) Subject: More checks for IE hideousness. X-Git-Tag: 1.5.0alpha1~1740 X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22messagerie%22%29%20.%20%22?a=commitdiff_plain;h=1b924420843af603cde23644a2de157f87ecd4c4;p=lhc%2Fweb%2Fwiklou.git More checks for IE hideousness. --- diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php index 3cfa4a0839..f02cb23e1a 100644 --- a/includes/SpecialUpload.php +++ b/includes/SpecialUpload.php @@ -401,7 +401,21 @@ class UploadForm { \n" ); } + /** + * Returns false if the file is of a known type but can't be recognized, + * indicating a corrupt file. + * Returns true otherwise; unknown file types are not checked if given + * with an unrecognized extension. + * + * @param string $tmpfile Pathname to the temporary upload file + * @param string $extension The filename extension that the file is to be served with + * @return bool + */ function verify( $tmpfile, $extension ) { + if( $this->triggersIEbug( $tmpfile ) ) { + return false; + } + $fname = 'SpecialUpload::verify'; $mergeExtensions = array( 'jpg' => 'jpeg', @@ -470,5 +484,30 @@ class UploadForm { wfDebug( "$fname: all clear; passing.\n" ); return true; } + + /** + * Internet Explorer for Windows performs some really stupid file type + * autodetection which can cause it to interpret valid image files as HTML + * and potentially execute JavaScript, creating a cross-site scripting + * attack vectors. + * + * Returns true if IE is likely to mistake the given file for HTML. + * + * @param string $filename + * @return bool + */ + function triggersIEbug( $filename ) { + $file = fopen( $filename, 'rb' ); + $chunk = strtolower( fread( $file, 200 ) ); + fclose( $file ); + + $tags = array( '