From: Tim Starling Date: Wed, 2 Feb 2011 05:35:57 +0000 (+0000) Subject: Blacklist ZIP subtypes added in r68873, to avoid GIFAR. X-Git-Tag: 1.31.0-rc.0~32263 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/?a=commitdiff_plain;h=f471d3fcc2f5bab4152729f89139899ae4282ab2;p=lhc%2Fweb%2Fwiklou.git Blacklist ZIP subtypes added in r68873, to avoid GIFAR. --- diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 1bffdb4d70..2fd7a86118 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -551,9 +551,16 @@ $wgMimeTypeBlacklist = array( # A ZIP file may be a valid Java archive containing an applet which exploits the # same-origin policy to steal cookies 'application/zip', + # MS Office OpenXML and other Open Package Conventions files are zip files - # and thus blacklisted just as other zip files + # and thus blacklisted just as other zip files. If you remove these entries + # from the blacklist in your local configuration, a malicious file upload + # will be able to compromise the wiki's user accounts, and the user + # accounts of any other website in the same cookie domain. 'application/x-opc+zip', + 'application/msword', + 'application/vnd.ms-powerpoint', + 'application/vnd.msexcel', ); /**
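Review bot: The new comment in the $wgMimeTypeBlacklist hunk does not explain why 'application/msword', 'application/vnd.ms-powerpoint' and 'application/vnd.msexcel' belong under a note that says OpenXML/OPC files "are zip files": those three strings are the names of the legacy binary Office formats, not ZIP containers, so a reader of DefaultSettings.php cannot see from the file alone that they are listed because the ZIP subtype detection from r68873 reports OpenXML uploads under these names. Suggest saying so explicitly, e.g. extend the comment with something like "The ZIP subtype detector reports .docx/.pptx/.xlsx uploads under the following legacy Office types, so they are blacklisted for the same reason", and, since the protection depends on an exact string match against whatever the detector returns, double-check that spelling in particular for the Excel entry: 'application/vnd.msexcel' is not the registered 'application/vnd.ms-excel', so the list must contain the string the detector actually emits (or both, if the two spellings are produced in different code paths), otherwise the entry is a silent no-op and a GIFAR-style JAR disguised as a spreadsheet would still pass.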