From 2be26155ecdff6351ad7d664b416f108191942f9 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Fri, 22 Feb 2019 04:31:56 +0000
Subject: [PATCH] Add .phar to $wgFileBlacklist as a paranoia measure

Seems like it can't hurt.

Change-Id: I833dd95742d7de772833c738ca7f5403e57bc2f4
---
 includes/DefaultSettings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 92865915e8..5ede1184c5 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -940,7 +940,7 @@ $wgFileBlacklist = [
 # HTML may contain cookie-stealing JavaScript and web bugs
 'html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'xhtml', 'xht',
 # PHP scripts may execute arbitrary code on the server
- 'php', 'phtml', 'php3', 'php4', 'php5', 'phps',
+ 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'phar',
 # Other types that may be interpreted by some servers
 'shtml', 'jhtml', 'pl', 'py', 'cgi',
 # May contain harmful executables for Windows victims
-- 
2.20.1
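Review bot: The added `'phar'` entry on the PHP line is matched by file extension only, so it covers servers that hand `.phar` files to the PHP handler but not phar-formatted content uploaded under a permitted extension, and the existing comment does not say which of the two is meant. I would make the scope explicit with a comment above the line, e.g. `# .phar is listed because some server configs pass it to PHP; this is an extension check only, not content detection`. Whether uploads are also content-checked elsewhere is not visible from this hunk. The `$wgFileBlacklist` array starts before the hunk and continues past its last line.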