From 1aaf3e6b2eefc62db11cc9e91efeff6c9a194537 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 20 Jan 2004 04:12:21 +0000
Subject: [PATCH] Quickie blacklist & stricter whitelist for upload extensions. Whitelist isn't perfect yet, since some server configs may interpret multiple extensions and we pass the wrong one.
---
 includes/DefaultSettings.php | 16 +++++++++++++++-
 includes/SpecialUpload.php | 23 +++++++++++++++++++++--
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index d43214c8f1..0893d83bd3 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -181,11 +181,25 @@ $wgCompressRevisions = false;
 $wgFileExtensions = array( "png", "jpg", "jpeg", "ogg" );
+# Files with these extensions will never be allowed as uploads.
+$wgFileBlacklist = array(
+ # HTML may contain cookie-stealing JavaScript and web bugs
+ "html", "htm",
+ # PHP scripts may execute arbitrary code on the server
+ "php", "phtml", "php3", "php4", "phps",
+ # Other types that may be interpreted by some servers
+ "shtml", "jhtml", "pl", "py",
+ # May contain harmful executables for Windows victims
+ "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
+
 # This is a flag to determine whether or not to check file extensions on
 # upload.
-
 $wgCheckFileExtensions = true;
+# If this is turned off, users may override the warning for files not
+# covered by $wgFileExtensions.
+$wgStrictFileExtensions = true;
+
 $wgPasswordSalt = true; # For compatibility with old installations set to false
 # Which namespaces should support subpages?
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index fffd05777c..acbba9239b 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
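Review bot: The comment on `$wgStrictFileExtensions` describes it only as removing the user's ability to override the warning, but in the SpecialUpload hunks the new blacklist/strict check sits outside the `if ( $wgCheckFileExtensions )` block, so as far as those hunks show it rejects uploads even when `$wgCheckFileExtensions` is false; the comment should say so, e.g. `# Rejects uploads whose extension is not in $wgFileExtensions, even when $wgCheckFileExtensions is off.` The `$wgFileBlacklist` comment should also state how entries are matched, because checkFileExtension() lower-cases only the submitted extension and looks at the last extension only: `# Matched case-insensitively against the final extension only; keep entries lower-case.` Documenting that the whitelist plus $wgStrictFileExtensions is the actual control, and the blacklist merely a backstop for types the server is known to interpret, would stop administrators from relying on the blacklist alone.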
@@ -39,7 +39,8 @@ function processUpload()
 global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
 global $wgSavedFile, $wgUploadOldVersion, $wpUploadOldVersion;
 global $wgUseCopyrightUpload , $wpUploadCopyStatus , $wpUploadSource ;
- global $wgCheckFileExtensions, $wgFileExtensions;
+ global $wgCheckFileExtensions, $wgStrictFileExtensions;
+ global $wgFileExtensions, $wgFileBlacklist;
 if ( $wgUseCopyrightUpload ) {
 $wpUploadAffirm = 1;
@@ -82,6 +83,12 @@ function processUpload()
 $nt = Title::newFromText( $basename );
 $wpUploadSaveName = $nt->getDBkey();
+ /* Don't allow users to override the blacklist */
+ if( checkFileExtension( $ext, $wgFileBlacklist ) ||
+ ($wgStrictFileExtensions && !checkFileExtension( $ext, $wgFileExtensions ) ) ) {
+ return uploadError( wfMsg( "badfiletype", $ext ) );
+ }
+
 saveUploadedFile();
 if ( ( ! $wpIgnoreWarning ) && ( 0 != strcmp( ucfirst( $basename ), $wpUploadSaveName ) ) ) {
@@ -90,7 +97,7 @@ function processUpload()
 if ( $wgCheckFileExtensions ) {
 if ( ( ! $wpIgnoreWarning ) &&
- ( ! in_array( strtolower( $ext ), $wgFileExtensions ) ) ) {
+ ( ! checkFileExtension( $ext, $wgFileExtensions ) ) ) {
 return uploadWarning( wfMsg( "badfiletype", $ext ) );
 }
 }
@@ -116,6 +123,10 @@ function processUpload()
 $wgOut->returnToMain( false );
 }
+function checkFileExtension( $ext, $list ) {
+ return in_array( strtolower( $ext ), $list );
+}
+
 function saveUploadedFile() {
 global $wpUploadSaveName, $wpUploadTempName;
@@ -167,6 +178,14 @@ function unsaveUploadedFile()
 }
 }
+function uploadError( $error )
+{
+ global $wgOut;
+ $sub = wfMsg( "uploadwarning" );
+ $wgOut->addHTML( "
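Review bot: The new blacklist check in the second hunk (`if( checkFileExtension( $ext, $wgFileBlacklist ) || …`) only ever sees `$ext`, the single extension computed before the hunk, so a name carrying several extensions is judged by the last one alone; the commit message already names this as the open gap. A blacklist has to cover every extension in the name, because the server may choose its handler from any of them, so the check should walk all dot-separated segments of the name (assuming `$basename` is the original file name; its derivation, like `$ext`'s, is outside the hunk) while the strict whitelist keeps looking at `$ext`. Placing the rejection before `saveUploadedFile()` is right, and the rewrite below keeps that order. processUpload() starts and ends outside these hunks.
```php
	/* Don't allow users to override the blacklist.  Test every extension
	   in the name, not only the last one: a server may pick its handler
	   from any of them, so the last extension alone is not enough. */
	$parts = explode( '.', $basename );
	array_shift( $parts );  // the first segment is the name itself, not an extension
	foreach ( $parts as $part ) {
		if ( checkFileExtension( $part, $wgFileBlacklist ) ) {
			return uploadError( wfMsg( "badfiletype", $ext ) );
		}
	}
	if ( $wgStrictFileExtensions && !checkFileExtension( $ext, $wgFileExtensions ) ) {
		return uploadError( wfMsg( "badfiletype", $ext ) );
	}
	// … unchanged: saveUploadedFile() and the existing warning check …
```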
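Review bot: checkFileExtension() in the fourth hunk lower-cases `$ext` but not the entries of `$list`, so a blacklist or whitelist entry written as `PHP` or `Jpg` in a site's LocalSettings.php never matches, and in_array() runs without the strict flag. Normalising both sides and comparing strictly closes that gap: `return in_array( strtolower( $ext ), array_map( 'strtolower', $list ), true );`. A one-line header comment would also make the contract explicit, e.g. `/* Case-insensitive test whether $ext (a single extension, without the dot) is listed in $list */`.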

{$sub}

\n" ); + $wgOut->addHTML( "

{$error}

\n" ); +} + function uploadWarning( $warning ) { global $wgOut, $wgUser, $wgLang, $wgUploadDirectory; -- 2.20.1