From 4c5d2a12a4b72e5b6e5f00b5aed4929fd0f45e4b Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Tue, 3 Jan 2006 02:14:55 +0000
Subject: [PATCH] Fix #2 for WMF vulnerability
---
 includes/DefaultSettings.php | 4 +++-
 includes/MimeMagic.php | 21 ++++++++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1e7dd01775..e1ca6442a5 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1141,7 +1141,9 @@ $wgMimeTypeBlacklist= array(
 # PHP scripts may execute arbitrary code on the server
 'application/x-php', 'text/x-php',
 # Other types that may be interpreted by some servers
- 'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh'
+ 'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
+ # Windows metafile, client-side vulnerability on some systems
+ 'application/x-msmetafile'
 );
 /** This is a flag to determine whether or not to check file extensions on upload. */
diff --git a/includes/MimeMagic.php b/includes/MimeMagic.php
index d720412565..31f57d0e7d 100644
--- a/includes/MimeMagic.php
+++ b/includes/MimeMagic.php
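Review bot: In the `$wgMimeTypeBlacklist` hunk of includes/DefaultSettings.php, the new entry rejects a file only when detection yields exactly `'application/x-msmetafile'`. The MimeMagic.php change in this commit sets that string from its signature check, but a type that reaches the blacklist from another source (the extension map or an external detector, neither visible here) may use a different alias for the same format, such as `image/x-wmf`. I would confirm which strings the detection paths can return for metafiles and list each of them. The comment could also record the dependency, e.g. `# Windows metafile, client-side vulnerability on some systems; must match the type set in MimeMagic::guessMimeType`.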
@@ -339,14 +339,21 @@ class MimeMagic {
 $fname = 'MimeMagic::guessMimeType';
 $mime= $this->detectMimeType($file,$useExt);
- if (strpos($mime,"text/")===0 ||
- $mime==="application/xml") {
+ // Read a chunk of the file
+ $f = fopen( $file, "rt" );
+ if( !$f ) return "unknown/unknown";
+ $head = fread( $f, 1024 );
+ fclose( $f );
+
+ $sub4 = substr( $head, 0, 4 );
+ if ( $sub4 == "\x01\x00\x09\x00" || $sub4 == "\xd7\xcd\xc6\x9a" ) {
+ // WMF kill kill kill
+ // Note that WMF may have a bare header, no magic number.
+ // The former of the above two checks is theoretically prone to false positives
+ $mime = "application/x-msmetafile";
+ }
- // Read a chunk of the file
- $f = fopen( $file, "rt" );
- if( !$f ) return "unknown/unknown";
- $head = fread( $f, 1024 );
- fclose( $f );
+ if (strpos($mime,"text/")===0 || $mime==="application/xml") {
 $xml_type= NULL;
 $script_type= NULL;
-- 
2.20.1
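Review bot: The signature read in `guessMimeType` now runs for every file but still opens it with `fopen( $file, "rt" )`; the `t` flag requests text-mode translation on Windows, and a byte-signature test should see the raw bytes, so I would use `$f = fopen( $file, "rb" );` and re-check the text/XML sniffing later in the function against that change. The bare-header test matches a single four-byte prefix, so a headerless metafile whose first bytes differ keeps whatever `detectMimeType()` guessed and may not reach the new blacklist entry; it is worth confirming against the format specification which header values clients accept. The two comparisons would be safer as strict `===`, and the comment could name what each constant is (placeable-header key versus bare header type and size) instead of `// WMF kill kill kill`. The function body starts and ends outside this hunk, so how the upload path handles the `"unknown/unknown"` return, which now applies to every file that cannot be opened, cannot be judged from here.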