From: Brian Wolff Date: Sun, 9 Mar 2014 09:08:19 +0000 (-0300) Subject: When checking whitelist of extensions, only count last extension. X-Git-Tag: 1.31.0-rc.0~16660^2 X-Git-Url: http://git.cyclocoop.org/url?a=commitdiff_plain;h=3090ace527df340015aca6dcb5a14d8f94838d18;p=lhc%2Fweb%2Fwiklou.git When checking whitelist of extensions, only count last extension. When we are doing blacklisted extensions, we count all extensions as some programs (like apache sometimes) consider extensions that aren't the final extension. However when doing whitelists we need to only count the last extension, otherwise people can name files foo.goodExt.BadExt. For example [[commons:File:Deamado ko.png.bmp]] I do not believe this represents a security risk as bad files are still filtered out. However it does allow unwanted files to be uploaded. Bug: 62451 Change-Id: Ie27c15f749812710571f432bc5915e498f8017e3 --- diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index db7a24e4e8..6cce4ac3f2 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -786,7 +786,7 @@ abstract class UploadBase { return $this->mTitle; } elseif ( $blackListedExtensions || ( $wgCheckFileExtensions && $wgStrictFileExtensions && - !$this->checkFileExtensionList( $ext, $wgFileExtensions ) ) ) { + !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) { $this->mBlackListedExtensions = $blackListedExtensions; $this->mTitleError = self::FILETYPE_BADTYPE; $this->mTitle = null;
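Review bot: In the `elseif` condition of the `@@ -786,7 +786,7 @@` hunk in includes/upload/UploadBase.php, the whitelist test now looks only at `$this->mFinalExtension`, while `$blackListedExtensions` in the same condition is still derived from every extension in the name. That asymmetry is deliberate according to the commit message, but nothing in the code says so. Please add a short comment above the condition stating that the blacklist considers all extensions and the whitelist only the final one, so a later cleanup does not "unify" the two checks and reintroduce the bug. The hunk also does not show where `$this->mFinalExtension` is assigned: please confirm it is always populated before this branch is reached, including for a name with no extension at all, so that an empty value cannot pass or skip the `$wgFileExtensions` check unexpectedly. A regression test that uploads a name of the form `foo.goodExt.BadExt` with `$wgStrictFileExtensions` enabled and expects `FILETYPE_BADTYPE` would pin the behaviour described in Bug 62451.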