From 3846d1048766a7a7ba0e5727fb84e464dc1cbb98 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 19 Aug 2013 16:41:28 -0700
Subject: [PATCH] Be stricter for file types where we don't know canonical
 extension

Previously if a file had a format, where we didn't have an
extension associated with it in mime.types, people could upload
it with any extension that is in $wgFileExtensions. This meant
people could upload a non-allowed file type if it had an allowed
extension, and the non-allowed file type didn't have a canonical
extension in mime.types

Bug: 39012
Change-Id: Ib373fafdfceceed65fbd23cf468f3c19196545c9
---
 RELEASE-NOTES-1.22             | 3 +++
 includes/upload/UploadBase.php | 9 +++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 45a6eef085..6f809adf2b 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -263,6 +263,9 @@ production.
   adding a new topic on a page
 * (bug 41756) Improve treatment of multiple comments on a blank line.
 * (bug 51064) Purge upstream caches when deleting file assets.
+* (bug 39012) File types with a mime that we do not know the extension for
+  can no longer be uploaded as an extension that we do know the mime type
+  for.
 
 === API changes in 1.22 ===
 * (bug 25553) The JSON output formatter now leaves forward slashes unescaped
diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index b6ea4c86be..37dc7cba30 100644
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -940,8 +940,13 @@ abstract class UploadBase {
 		$match = $magic->isMatchingExtension( $extension, $mime );
 
 		if ( $match === null ) {
-			wfDebug( __METHOD__ . ": no file extension known for mime type $mime, passing file\n" );
-			return true;
+			if ( $magic->getTypesForExtension( $extension ) !== null ) {
+				wfDebug( __METHOD__ . ": No extension known for $mime, but we know a mime for $extension\n" );
+				return false;
+			} else {
+				wfDebug( __METHOD__ . ": no file extension known for mime type $mime, passing file\n" );
+				return true;
+			}
 		} elseif ( $match === true ) {
 			wfDebug( __METHOD__ . ": mime type $mime matches extension $extension, passing file\n" );
 
-- 
2.20.1