$wgFileExtensions = array( "png", "jpg", "jpeg", "ogg" );
+# Files with these extensions will never be allowed as uploads.
+$wgFileBlacklist = array(
+ # HTML may contain cookie-stealing JavaScript and web bugs
+ "html", "htm",
+ # PHP scripts may execute arbitrary code on the server
+ "php", "phtml", "php3", "php4", "phps",
+ # Other types that may be interpreted by some servers
+ "shtml", "jhtml", "pl", "py",
+ # May contain harmful executables for Windows victims
+ "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif" );
+
# This is a flag to determine whether or not to check file extensions on
# upload.
-
$wgCheckFileExtensions = true;
+# If this is turned off, users may override the warning for files not
+# covered by $wgFileExtensions.
+$wgStrictFileExtensions = true;
+
$wgPasswordSalt = true; # For compatibility with old installations set to false
# Which namespaces should support subpages?
global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
global $wgSavedFile, $wgUploadOldVersion, $wpUploadOldVersion;
global $wgUseCopyrightUpload , $wpUploadCopyStatus , $wpUploadSource ;
- global $wgCheckFileExtensions, $wgFileExtensions;
+ global $wgCheckFileExtensions, $wgStrictFileExtensions;
+ global $wgFileExtensions, $wgFileBlacklist;
if ( $wgUseCopyrightUpload ) {
$wpUploadAffirm = 1;
$nt = Title::newFromText( $basename );
$wpUploadSaveName = $nt->getDBkey();
+ /* Don't allow users to override the blacklist */
+ if( checkFileExtension( $ext, $wgFileBlacklist ) ||
+ ($wgStrictFileExtensions && !checkFileExtension( $ext, $wgFileExtensions ) ) ) {
+ return uploadError( wfMsg( "badfiletype", $ext ) );
+ }
+
saveUploadedFile();
if ( ( ! $wpIgnoreWarning ) &&
( 0 != strcmp( ucfirst( $basename ), $wpUploadSaveName ) ) ) {
if ( $wgCheckFileExtensions ) {
if ( ( ! $wpIgnoreWarning ) &&
- ( ! in_array( strtolower( $ext ), $wgFileExtensions ) ) ) {
+ ( ! checkFileExtension( $ext, $wgFileExtensions ) ) ) {
return uploadWarning( wfMsg( "badfiletype", $ext ) );
}
}
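Review bot: The blacklist test on L34 passes only the single value `$ext` to `checkFileExtension`; `$ext` is computed outside this hunk, and if it is just the text after the last dot, a filename carrying several dotted segments is accepted by the blacklist even though some web servers choose a handler from any segment of the name, which defeats the stated intent of `/* Don't allow users to override the blacklist */`. Because this branch returns before `saveUploadedFile()` and is the only unconditional rejection, it should test every extension-like segment of the name rather than the last one, e.g. `foreach ( array_slice( explode( ".", $basename ), 1 ) as $seg ) {` / `    if ( checkFileExtension( $seg, $wgFileBlacklist ) ) { return uploadError( wfMsg( "badfiletype", $seg ) ); }` / `}` ahead of the existing strict-list check. The surrounding upload function starts and ends outside the hunk, so the exact origin of `$ext` and `$basename` cannot be confirmed from here.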
$wgOut->returnToMain( false );
}
+function checkFileExtension( $ext, $list ) {
+ return in_array( strtolower( $ext ), $list );
+}
+
function saveUploadedFile()
{
global $wpUploadSaveName, $wpUploadTempName;
}
}
+function uploadError( $error )
+{
+ global $wgOut;
+ $sub = wfMsg( "uploadwarning" );
+ $wgOut->addHTML( "<h2>{$sub}</h2>\n" );
+ $wgOut->addHTML( "<h4><font color=red>{$error}</font></h4>\n" );
+}
+
function uploadWarning( $warning )
{
global $wgOut, $wgUser, $wgLang, $wgUploadDirectory;
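Review bot: `uploadError` on L60-L66 interpolates `$error` straight into markup via `addHTML`, and its callers pass `wfMsg( "badfiletype", $ext )` where `$ext` is taken from the uploaded filename, so the rejected extension is reflected into the page unescaped unless `wfMsg` already HTML-escapes its parameters, which is not visible here. The narrowest fix is to escape the user-derived argument at the call sites on L36 and L46, `uploadError( wfMsg( "badfiletype", htmlspecialchars( $ext ) ) )`, leaving the message text itself free to carry intended markup. A short doc comment on the function would also help, e.g. `# Emit an upload failure heading; $error is inserted as HTML, callers must escape user-derived text`. `uploadWarning` on L68 continues past the end of the hunk, so whether it has the same property cannot be seen here.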