Manual:$wgMimeTypeBlacklist

MIME types: $wgMimeTypeBlacklist
Files with these MIME types will never be allowed as uploads if $wgVerifyMimeType is enabled.
Introduced in version: 1.5.0
Removed in version: still in use
Allowed values: array of MIME types (strings)
Default value: (see below)



Details

Files detected as any of these MIME types are always rejected on upload when $wgVerifyMimeType is enabled.

Default value

MediaWiki version: 1.18

Default value on 1.18:

$wgMimeTypeBlacklist = array(
        # HTML may contain cookie-stealing JavaScript and web bugs
        'text/html', 'text/javascript', 'text/x-javascript',  'application/x-shellscript',
        # PHP scripts may execute arbitrary code on the server
        'application/x-php', 'text/x-php',
        # Other types that may be interpreted by some servers
        'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
        # Client-side hazards on Internet Explorer
        'text/scriptlet', 'application/x-msdownload',
        # Windows metafile, client-side vulnerability on some systems
        'application/x-msmetafile',
);


MediaWiki version: 1.17

Default value on 1.17:

$wgMimeTypeBlacklist = array(
        # HTML may contain cookie-stealing JavaScript and web bugs
        'text/html', 'text/javascript', 'text/x-javascript',  'application/x-shellscript',
        # PHP scripts may execute arbitrary code on the server
        'application/x-php', 'text/x-php',
        # Other types that may be interpreted by some servers
        'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
        # Client-side hazards on Internet Explorer
        'text/scriptlet', 'application/x-msdownload',
        # Windows metafile, client-side vulnerability on some systems
        'application/x-msmetafile',
        # A ZIP file may be a valid Java archive containing an applet which exploits the
        # same-origin policy to steal cookies
        'application/zip',
 
        # MS Office OpenXML and other Open Package Conventions files are zip files
        # and thus blacklisted just as other zip files. If you remove these entries
        # from the blacklist in your local configuration, a malicious file upload
        # will be able to compromise the wiki's user accounts, and the user 
        # accounts of any other website in the same cookie domain.
        'application/x-opc+zip',
        'application/msword',
        'application/vnd.ms-powerpoint',
        'application/vnd.msexcel',
);
  • 'application/x-opc+zip', 'application/msword', 'application/vnd.ms-powerpoint', 'application/vnd.msexcel' were introduced after 1.17.0 (see SVN change)
  • 'application/x-opc+zip', 'text/scriptlet', 'application/x-msdownload' were introduced after 1.5.5
  • 'application/x-msmetafile' was added in 1.5.5, 'application/zip' in 1.14
  • All other values were available since the setting was introduced in 1.5.0
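
The comments in the default list warn against removing entries in local configuration. The stand-alone script below is an added example, not MediaWiki code: it compares a local list against the 1.17 default shown above and reports which hazard groups have lost entries. The helper name auditMimeBlacklist and the type 'application/x-example' are hypothetical, and both sample lists are constructed.

```php
<?php
# Added example: stand-alone audit, not MediaWiki code. Sample configs are constructed.

# Default list for 1.17 as given on this page, keyed by the hazard its comments name.
$baseline = array(
    'HTML/script content' => array( 'text/html', 'text/javascript', 'text/x-javascript', 'application/x-shellscript' ),
    'PHP executed on the server' => array( 'application/x-php', 'text/x-php' ),
    'interpreted by some servers' => array( 'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh' ),
    'Internet Explorer client-side hazard' => array( 'text/scriptlet', 'application/x-msdownload' ),
    'Windows metafile' => array( 'application/x-msmetafile' ),
    'ZIP and ZIP-based containers' => array( 'application/zip', 'application/x-opc+zip',
        'application/msword', 'application/vnd.ms-powerpoint', 'application/vnd.msexcel' ),
);

# Hypothetical helper: report baseline entries missing from a local list.
function auditMimeBlacklist( array $local, array $baseline, $verifyMimeType ) {
    $findings = array();
    if ( !$verifyMimeType ) {
        $findings[] = '$wgVerifyMimeType is off: the blacklist is not applied to uploads';
    }
    # MIME type names are case-insensitive, so compare normalised copies.
    $have = array_map( 'strtolower', array_map( 'trim', $local ) );
    foreach ( $baseline as $hazard => $types ) {
        $missing = array_diff( $types, $have );
        if ( $missing ) {
            $findings[] = "$hazard: missing " . implode( ', ', $missing );
        }
    }
    return $findings;
}

# Flatten the grouped baseline into one list (array_values avoids named arguments on PHP 8).
$defaults = call_user_func_array( 'array_merge', array_values( $baseline ) );

# Weak: assigning a fresh array silently discards every default entry not repeated.
$weak = array( 'application/x-php', 'text/x-php', 'application/x-example' );

# Corrected: extend the defaults instead of replacing them.
$fixed = array_values( array_unique( array_merge( $defaults, array( 'application/x-example' ) ) ) );

foreach ( array( 'weak' => $weak, 'fixed' => $fixed ) as $name => $list ) {
    $findings = auditMimeBlacklist( $list, $baseline, true );
    echo "$name: ", $findings ? "\n  " . implode( "\n  ", $findings ) : 'all baseline types still blocked', "\n";
}
```

In a real LocalSettings.php the corrected form is an append to the existing variable, for example `$wgMimeTypeBlacklist[] = 'application/x-example';`, rather than a new `array( ... )` assignment.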