Quickie blacklist & stricter whitelist for upload extensions.

Whitelist isn't perfect yet, since some server configs may interpret
multiple extensions and we pass the wrong one.

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index d43214c..0893d83 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -181,11 +181,25 @@ $wgCompressRevisions = false;
 
 $wgFileExtensions = array( "png", "jpg", "jpeg", "ogg" );
 
+# Files with these extensions will never be allowed as uploads.
+$wgFileBlacklist = array(
+       # HTML may contain cookie-stealing JavaScript and web bugs
+       "html", "htm",
+       # PHP scripts may execute arbitrary code on the server
+       "php", "phtml", "php3", "php4", "phps",
+       # Other types that may be interpreted by some servers
+       "shtml", "jhtml", "pl", "py",
+       # May contain harmful executables for Windows victims
+       "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
+
 # This is a flag to determine whether or not to check file extensions on
 # upload.
-
 $wgCheckFileExtensions = true;
 
+# If this is turned off, users may override the warning for files not
+# covered by $wgFileExtensions.
+$wgStrictFileExtensions = true;
+
 $wgPasswordSalt = true; # For compatibility with old installations set to false
 
 # Which namespaces should support subpages?

diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index fffd057..acbba92 100644 (file)
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -39,7 +39,8 @@ function processUpload()
        global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
        global $wgSavedFile, $wgUploadOldVersion, $wpUploadOldVersion;
        global $wgUseCopyrightUpload , $wpUploadCopyStatus , $wpUploadSource ;
-       global $wgCheckFileExtensions, $wgFileExtensions;
+       global $wgCheckFileExtensions, $wgStrictFileExtensions;
+       global $wgFileExtensions, $wgFileBlacklist;
 
        if ( $wgUseCopyrightUpload ) {
                $wpUploadAffirm = 1;
@@ -82,6 +83,12 @@ function processUpload()
                $nt = Title::newFromText( $basename );
                $wpUploadSaveName = $nt->getDBkey();
 
+               /* Don't allow users to override the blacklist */
+               if( checkFileExtension( $ext, $wgFileBlacklist ) ||
+                       ($wgStrictFileExtensions && !checkFileExtension( $ext, $wgFileExtensions ) ) ) {
+                       return uploadError( wfMsg( "badfiletype", $ext ) );
+               }
+               
                saveUploadedFile();
                if ( ( ! $wpIgnoreWarning ) &&
                  ( 0 != strcmp( ucfirst( $basename ), $wpUploadSaveName ) ) ) {
@@ -90,7 +97,7 @@ function processUpload()
            
                if ( $wgCheckFileExtensions ) {
                        if ( ( ! $wpIgnoreWarning ) &&
-                                ( ! in_array( strtolower( $ext ), $wgFileExtensions ) ) ) {
+                                ( ! checkFileExtension( $ext, $wgFileExtensions ) ) ) {
                                return uploadWarning( wfMsg( "badfiletype", $ext ) );
                        }
                }
@@ -116,6 +123,10 @@ function processUpload()
        $wgOut->returnToMain( false );
 }
 
+function checkFileExtension( $ext, $list ) {
+       return in_array( strtolower( $ext ), $list );
+}
+
 function saveUploadedFile()
 {
        global $wpUploadSaveName, $wpUploadTempName;
@@ -167,6 +178,14 @@ function unsaveUploadedFile()
        }
 }
 
+function uploadError( $error )
+{
+       global $wgOut;
+       $sub = wfMsg( "uploadwarning" );
+       $wgOut->addHTML( "<h2>{$sub}</h2>\n" );
+       $wgOut->addHTML( "<h4><font color=red>{$error}</font></h4>\n" );
+}
+
 function uploadWarning( $warning )
 {
        global $wgOut, $wgUser, $wgLang, $wgUploadDirectory;