From f471d3fcc2f5bab4152729f89139899ae4282ab2 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Wed, 2 Feb 2011 05:35:57 +0000
Subject: [PATCH] Blacklist ZIP subtypes added in r68873, to avoid GIFAR.

---
 includes/DefaultSettings.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 1bffdb4d70..2fd7a86118 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -551,9 +551,16 @@ $wgMimeTypeBlacklist = array(
 # A ZIP file may be a valid Java archive containing an applet which exploits the
 # same-origin policy to steal cookies
 'application/zip',
+
 # MS Office OpenXML and other Open Package Conventions files are zip files
-# and thus blacklisted just as other zip files
+# and thus blacklisted just as other zip files. If you remove these entries
+# from the blacklist in your local configuration, a malicious file upload
+# will be able to compromise the wiki's user accounts, and the user
+# accounts of any other website in the same cookie domain.
 'application/x-opc+zip',
+'application/msword',
+'application/vnd.ms-powerpoint',
+'application/vnd.msexcel',
 );

 /**
-- 
2.20.1
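Review bot: The three new entries `'application/msword'`, `'application/vnd.ms-powerpoint'` and `'application/vnd.msexcel'` are placed directly under the comment about OPC files, which does not explain why legacy (non-OPC) Office types belong in the ZIP section; the subject line suggests they are the ZIP subtypes the MIME detector started reporting in r68873, so the rationale should be stated next to them, e.g. `# Legacy MS Office types: the MIME detector may report a ZIP archive under these names, so they must stay blacklisted together with application/zip`. Since the blacklist is matched by exact string against the detector's output, `'application/vnd.msexcel'` only takes effect if that is precisely the string the detector emits (the IANA-registered type is application/vnd.ms-excel); this cannot be confirmed from the hunk and is worth checking against the detection table, as a spelling mismatch would leave the fix silently ineffective for that format. The `$wgMimeTypeBlacklist` array begins before the hunk.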