From 1b924420843af603cde23644a2de157f87ecd4c4 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Tue, 28 Sep 2004 23:32:18 +0000 Subject: [PATCH] More checks for IE hideousness. --- includes/SpecialUpload.php | 39 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php index 3cfa4a0839..f02cb23e1a 100644 --- a/includes/SpecialUpload.php +++ b/includes/SpecialUpload.php @@ -401,7 +401,21 @@ class UploadForm { \n" ); } + /** + * Returns false if the file is of a known type but can't be recognized, + * indicating a corrupt file. + * Returns true otherwise; unknown file types are not checked if given + * with an unrecognized extension. + * + * @param string $tmpfile Pathname to the temporary upload file + * @param string $extension The filename extension that the file is to be served with + * @return bool + */ function verify( $tmpfile, $extension ) { + if( $this->triggersIEbug( $tmpfile ) ) { + return false; + } + $fname = 'SpecialUpload::verify'; $mergeExtensions = array( 'jpg' => 'jpeg', @@ -470,5 +484,30 @@ class UploadForm { wfDebug( "$fname: all clear; passing.\n" ); return true; } + + /** + * Internet Explorer for Windows performs some really stupid file type + * autodetection which can cause it to interpret valid image files as HTML + * and potentially execute JavaScript, creating a cross-site scripting + * attack vectors. + * + * Returns true if IE is likely to mistake the given file for HTML. + * + * @param string $filename + * @return bool + */ + function triggersIEbug( $filename ) { + $file = fopen( $filename, 'rb' ); + $chunk = strtolower( fread( $file, 200 ) ); + fclose( $file ); + + $tags = array( ' -- 2.20.1
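Review bot: The early `return false` added at the top of verify() rejects the upload without writing any log line, and it sits above the `$fname` assignment, so a rejection for this reason leaves no trace in the debug log even though the success path logs "all clear; passing." Move `$fname = 'SpecialUpload::verify';` above the new check and add `wfDebug( "$fname: content may be sniffed as HTML by IE; rejecting.\n" );` before the return. The new docblock also describes only the corrupt-file case; it should say that false is returned as well when triggersIEbug() flags the file. verify()'s body continues outside the hunk.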
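Review bot: triggersIEbug() passes the result of `fopen()` straight to `fread()` and `fclose()` without checking it, so if the temporary file cannot be opened the chunk is empty and the function presumably reports the file as safe, letting verify() carry on. Fail closed instead by adding `if( $file === false ) { return true; }` right after the `fopen()` call. The scan also reads only the first 200 bytes, while Internet Explorer's content sniffing is documented as inspecting up to 256 bytes, so `fread( $file, 256 )` or a larger window would be safer; this should be confirmed against the IE versions in scope. The tag list and the return statement are not legible on this page, so the matching logic itself is not reviewed here.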