From 493785c5e1e82d6848f7cf35f0f2dea5cd0432fc Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Mon, 13 Sep 2010 04:05:20 +0000
Subject: [PATCH] Added some warnings for some upload security issues, such as allowing OpenDocument uploads.

---
 includes/DefaultSettings.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index fab31a8e8d..328f8491b1 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -502,6 +502,10 @@ $wgRepositoryBaseUrl = "http://commons.wikimedia.org/wiki/File:";
 /**
  * This is the list of preferred extensions for uploading files. Uploading files
  * with extensions not in this list will trigger a warning.
+ *
+ * WARNING: If you add any OpenDocument file formats here, such as odt, ods or
+ * odp, and untrusted users are allowed to upload files, then your wiki will be
+ * vulnerable to cross-site request forgery (CSRF).
  */
 $wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
 
@@ -539,12 +543,18 @@ $wgMimeTypeBlacklist = array(
 	'application/x-opc+zip',
 );
 
-/** This is a flag to determine whether or not to check file extensions on upload. */
+/**
+ * This is a flag to determine whether or not to check file extensions on upload.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
+ */
 $wgCheckFileExtensions = true;
 
 /**
  * If this is turned off, users may override the warning for files not covered
  * by $wgFileExtensions.
+ *
+ * WARNING: setting this to false is insecure for public wikis.
  */
 $wgStrictFileExtensions = true;
-- 
2.20.1
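Review bot: The new warning on $wgFileExtensions is advisory only and gives an administrator nothing to act on: it names the outcome (CSRF) but not what property of OpenDocument files causes it, nor whether the wiki's usual per-request token checks cover that case, so a reader cannot judge whether a locally restricted upload group changes the picture. Since this file already maintains a deny list for risky container formats ($wgMimeTypeBlacklist, visible in the second hunk with 'application/x-opc+zip'), the more robust defence would be to reject the ODF MIME types there rather than relying on a comment next to the extension list; whether those types are already in that array cannot be seen from this hunk, as the rest of the array is outside it. At minimum I would extend the comment with one sentence pointing at that list, e.g. `* See also $wgMimeTypeBlacklist, which is the enforced deny list for such formats.`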
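Review bot: The warning added to $wgCheckFileExtensions and repeated verbatim on $wgStrictFileExtensions says "insecure" without stating the concrete consequence, although both docblocks already contain it: the first flag disables the extension check entirely, the second lets users override the warning and upload extensions not in $wgFileExtensions. Spelling that out makes the two warnings distinct and lets an operator weigh the risk, e.g. `* WARNING: setting this to false disables extension checking altogether, which is insecure for public wikis.` on $wgCheckFileExtensions and `* WARNING: setting this to false lets users upload files with extensions outside $wgFileExtensions, which is insecure for public wikis.` on $wgStrictFileExtensions. The hunk's line counts (-539,12 +543,18) imply one more context line than is visible here, presumably a trailing blank line after $wgStrictFileExtensions.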