From: Tim Starling
Date: Tue, 12 Aug 2008 03:10:07 +0000 (+0000)
Subject: By default, reject file uploads that look like ZIP files, to avoid the so-called...
X-Git-Tag: 1.31.0-rc.0~45941
X-Git-Url: http://git.cyclocoop.org/%24href?a=commitdiff_plain;h=1347fc05a6110b72ff918967284fae936617d57c;p=lhc%2Fweb%2Fwiklou.git
By default, reject file uploads that look like ZIP files, to avoid the so-called GIFAR vulnerability.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index f6d6488224..cd87a18974 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -67,6 +67,8 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 14929) removeUnusedAccounts.php now supports 'ignore-touched' and 'ignore-groups'. Patch by Louperivois
 * (bug 15127) Work around minor display glitch in Opera.
+* By default, reject file uploads that look like ZIP files, to avoid the
+  so-called GIFAR vulnerability.
 === Bug fixes in 1.14 ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 7e80706cec..9a3c567002 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1802,7 +1802,10 @@ $wgMimeTypeBlacklist= array(
 	# Other types that may be interpreted by some servers
 	'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
 	# Windows metafile, client-side vulnerability on some systems
-	'application/x-msmetafile'
+	'application/x-msmetafile',
+	# A ZIP file may be a valid Java archive containing an applet which exploits the
+	# same-origin policy to steal cookies
+	'application/zip',
 );
 /** This is a flag to determine whether or not to check file extensions on upload. */
diff --git a/includes/MimeMagic.php b/includes/MimeMagic.php
index ec4505ab28..8f903a8fdb 100644
--- a/includes/MimeMagic.php
+++ b/includes/MimeMagic.php
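Review bot: The new `'application/zip'` entry deserves a comment saying that it blocks every ZIP-based container, not only JAR files, because the companion MimeMagic change reports any file carrying an end-of-central-directory signature in its last 64 KiB as application/zip; OpenDocument and Office Open XML uploads are therefore rejected as well. Suggest extending the comment: `# Note that OpenDocument, Office Open XML and other ZIP-based formats are rejected too; remove this entry only if that risk is accepted`. Without it, a site that expects those formats to upload will not see why they are refused.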
@@ -402,6 +402,8 @@ class MimeMagic {
 		wfRestoreWarnings();
 		if( !$f ) return "unknown/unknown";
 		$head = fread( $f, 1024 );
+		fseek( $f, -65558, SEEK_END );
+		$tail = fread( $f, 65558 ); // 65558 = maximum size of a zip EOCDR
 		fclose( $f );
 		// Hardcode a few magic number checks...
@@ -505,6 +507,12 @@ class MimeMagic {
 			}
 		}
+		// Check for ZIP (before getimagesize)
+		if ( strpos( $tail, "PK\x05\x06" ) !== false ) {
+			wfDebug( __METHOD__.": ZIP header present at end of $file\n" );
+			return 'application/zip';
+		}
+
 		wfSuppressWarnings();
 		$gis = getimagesize( $file );
 		wfRestoreWarnings();
@@ -513,8 +521,6 @@ class MimeMagic {
 			$mime = $gis['mime'];
 			wfDebug( __METHOD__.": getimagesize detected $file as $mime\n" );
 			return $mime;
-		} else {
-			return false;
 		}
 		// Also test DjVu
@@ -523,6 +529,8 @@ class MimeMagic {
 			wfDebug( __METHOD__.": detected $file as image/vnd.djvu\n" );
 			return 'image/vnd.djvu';
 		}
+
+		return false;
 	}
 	/** Internal mime type detection, please use guessMimeType() for application code instead.
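Review bot: The result of `fseek( $f, -65558, SEEK_END )` is not checked, so on a file shorter than 65558 bytes the seek fails and the following fread starts wherever the 1024-byte head read left the position; for a file shorter than 1024 bytes that position is already EOF, `$tail` comes back empty, and the ZIP check later in this method never sees such a file. Falling back to the start of the file covers the short case: `if ( fseek( $f, -65558, SEEK_END ) !== 0 ) { rewind( $f ); } // shorter than the largest EOCDR: scan the whole file`. It would also be worth guarding against fread returning false, e.g. `$tail = (string) fread( $f, 65558 );`, so the later strpos always receives a string. The enclosing method begins before this hunk.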
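Review bot: The test `strpos( $tail, "PK\x05\x06" ) !== false` is deliberately broad — any occurrence of the end-of-central-directory signature in the last 64 KiB rejects the file without parsing the record — and that intent should be written down so a later cleanup does not tighten it into a structural parse that a more lenient archive reader would not share; suggest `// Deliberately loose: reject on any EOCDR signature in the tail rather than parsing the record, accepting rare false positives on legitimate binaries`. The debug message says "ZIP header" although what was found is the end-of-central-directory signature; `ZIP end-of-central-directory signature present near end of $file` is more accurate. Whether this check runs after head-based magic checks that return early is not visible in the hunk; if any such check precedes it, a file with a recognised header and a ZIP tail would bypass it, so placing this check before them is worth considering.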
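Review bot: Dropping the `else { return false; }` branch changes behaviour beyond the ZIP check: previously both arms of the getimagesize branch returned, so the `// Also test DjVu` code after it was unreachable, and with `return false;` moved to the end of the method in the last hunk (@@ -523) DjVu detection now runs for files getimagesize does not recognise. That is presumably intended, but the commit message and the RELEASE-NOTES entry mention only ZIP rejection; a line such as `* MimeMagic: DjVu detection is now reachable for files getimagesize does not recognise` would record it. The opening of the `if` lies outside the hunk, so this assumes a plain if/else with no other exit in between.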