From: Roan Kattouw
Date: Sun, 20 Nov 2011 18:57:47 +0000 (+0000)
Subject: (bug 1672) Add $wgDisableUploadScriptChecks to allow disabling of the HTML/JS detecti...
X-Git-Tag: 1.31.0-rc.0~26381
X-Git-Url: http://git.cyclocoop.org/%22.%24h.%22?a=commitdiff_plain;h=d14f8c89a0fc8779da5370a4de6ae248c80e365a;p=lhc%2Fweb%2Fwiklou.git
(bug 1672) Add $wgDisableUploadScriptChecks to allow disabling of the HTML/JS detection for uploads. Patch by Emufarmers
---
diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19
index b92622d9e7..9dd94ec7d6 100644
--- a/RELEASE-NOTES-1.19
+++ b/RELEASE-NOTES-1.19
@@ -91,6 +91,8 @@ production.
 * (bug 8859) Database::update should take array of tables too
 * (bug 19698) Inverse selection for Special:Contributions
 * (bug 24037) Add byte length of revision to Special:Contributions
+* (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files
+  containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
 
 === Bug fixes in 1.19 ===
 * $wgUploadNavigationUrl should be used for file redlinks if
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 7cde88c835..92fe00ac58 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -557,6 +557,13 @@ $wgCheckFileExtensions = true;
  */
 $wgStrictFileExtensions = true;
 
+/**
+ * Setting this to true will disable the upload system's checks for HTML/JavaScript.
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
+ * TO RESTRICT UPLOADING to only those that you trust
+ */
+$wgDisableUploadScriptChecks = false;
+
 /** Warn if uploaded files are larger than this (in bytes), or false to disable*/
 $wgUploadSizeWarning = false;
 
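Review bot: The new docblock for $wgDisableUploadScriptChecks says the setting is dangerous but never says what the danger is, so an operator weighing it has only the capitalised warning to go on. The checks being switched off exist because an uploaded HTML or JavaScript file that is served from the same origin as the wiki runs in every visitor's browser with their session (stored XSS); restricting uploading via $wgGroupPermissions, as the comment advises, limits who can plant such a file but not what it can do once present. Suggest adding a line after the permissions sentence: ` * Even trusted uploaders can be compromised; if you enable this, also consider serving uploads from a separate domain so such files cannot run in the wiki's origin.` The wording otherwise mirrors the $wgRawHtml comment further down in this file, which is a reasonable precedent.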
@@ -2960,7 +2967,7 @@ $wgTidyInternal = extension_loaded( 'tidy' );
 $wgDebugTidy = false;
 
 /** Allow raw, unchecked HTML in ... sections.
- * THIS IS VERY DANGEROUS on a publically editable site, so USE wgGroupPermissions
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
  * TO RESTRICT EDITING to only those that you trust
  */
 $wgRawHtml = false;
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index fc5c738afc..39b4ad2a3c 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -357,7 +357,7 @@ abstract class UploadBase {
 	 * @return mixed true of the file is verified, array otherwise.
 	 */
 	protected function verifyFile() {
-		global $wgAllowJavaUploads;
+		global $wgAllowJavaUploads, $wgDisableUploadScriptChecks;
 		# get the title, even though we are doing nothing with it, because
 		# we need to populate mFinalExtension
 		$this->getTitle();
@@ -372,13 +372,15 @@ abstract class UploadBase {
 		}
 
 		# check for htmlish code and javascript
-		if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
-			return array( 'uploadscripted' );
-		}
-		if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
-			if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+		if ( !$wgDisableUploadScriptChecks ) {
+			if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
 				return array( 'uploadscripted' );
 			}
+			if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
+				if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+					return array( 'uploadscripted' );
+				}
+			}
 		}
 
 		# Check for Java applets, which if uploaded can bypass cross-site
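Review bot: The comment `# check for htmlish code and javascript` now heads a block that is skipped wholesale when $wgDisableUploadScriptChecks is set, and nothing in the code or in the method's docblock (the `@return mixed true of the file is verified` line in the preceding hunk) records that `true` from verifyFile() can now mean the script checks were never run. Suggest rewording the comment to `# check for htmlish code and javascript, unless the site has explicitly opted out via $wgDisableUploadScriptChecks (dangerous; see DefaultSettings.php)` and adding one sentence to the @return docblock saying the same. A minor style point: the new `if ( !$wgDisableUploadScriptChecks ) {` uses `if (` while the neighbouring conditionals in this method use `if(`; pick one form within the method. verifyFile() begins before this hunk and its body, including the Java-applet check, continues past it.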