MediaWiki r39203 - Code Review

Repository:MediaWiki
Revision:r39202‎ | r39203 (on ViewVC)‎ | r39204 >
Date:03:10, 12 August 2008
Author:tstarling
Status:old
Tags:
Comment:
By default, reject file uploads that look like ZIP files, to avoid the so-called GIFAR vulnerability.
Modified paths:


Index: trunk/phase3/includes/MimeMagic.php
===================================================================
--- trunk/phase3/includes/MimeMagic.php	(revision 39202)
+++ trunk/phase3/includes/MimeMagic.php	(revision 39203)
@@ -402,6 +402,8 @@
 		wfRestoreWarnings();
 		if( !$f ) return "unknown/unknown";
 		$head = fread( $f, 1024 );
+		fseek( $f, -65558, SEEK_END );
+		$tail = fread( $f, 65558 ); // 65558 = maximum size of a zip EOCDR
 		fclose( $f );
 
 		// Hardcode a few magic number checks...
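Review bot: The tail read on the two added lines silently misses small files: after `fread( $f, 1024 )` the pointer sits at offset 1024 (or at EOF for anything shorter), and `fseek( $f, -65558, SEEK_END )` fails with -1 on any file shorter than 65558 bytes, leaving the pointer where it was. For a file of 1024 bytes or less `$tail` is therefore empty and the EOCDR check further down never fires, so a ZIP/JAR small enough to fit in the first kilobyte would presumably pass the new filter. Guard the seek and fall back to scanning the whole file: `if ( fseek( $f, -65558, SEEK_END ) !== 0 ) { rewind( $f ); }` before the `fread( $f, 65558 )`. The enclosing function starts before this hunk.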
@@ -505,6 +507,12 @@
 			}
 		}
 
+		// Check for ZIP (before getimagesize)
+		if ( strpos( $tail, "PK\x05\x06" ) !== false ) {
+			wfDebug( __METHOD__.": ZIP header present at end of $file\n" );
+			return 'application/zip';
+		}
+
 		wfSuppressWarnings();
 		$gis = getimagesize( $file );
 		wfRestoreWarnings();
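Review bot: The added `strpos( $tail, "PK\x05\x06" )` test treats any occurrence of the four-byte EOCDR signature in the last 64 KiB as a ZIP, without checking that a plausible record (22 bytes plus a comment length that reaches EOF) actually starts there, so a legitimate image or other binary that happens to contain those bytes is reported as `application/zip` and, with the accompanying blacklist entry, rejected. That looseness is a defensible trade-off for blocking GIFAR-style payloads, but it should be stated so nobody later "fixes" it by tightening the match without considering bypasses; a comment such as `// Deliberately loose: any EOCDR signature in the trailing 64 KiB counts as ZIP, since a ZIP reader locates the directory by scanning backwards for it; rare false positives on innocent files are accepted.` would do. Note also that the check only runs if none of the hardcoded magic-number checks above this hunk (outside the visible lines) have already returned; if any of them match on a crafted head, the ZIP test is never reached — worth confirming. The enclosing function starts before this hunk.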
@@ -513,8 +521,6 @@
 			$mime = $gis['mime'];
 			wfDebug( __METHOD__.": getimagesize detected $file as $mime\n" );
 			return $mime;
-		} else {
-			return false;
 		}
 
 		// Also test DjVu
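Review bot: Dropping the `else { return false; }` after the getimagesize branch is a behaviour change the commit message does not mention: until now that early return made the `// Also test DjVu` code below unreachable, so DjVu detection in this path is effectively enabled here for the first time. That deserves its own line in RELEASE-NOTES and ideally a comment above the DjVu test, e.g. `// Reached only when getimagesize() did not recognise the file`, so the fall-through order is clear. The enclosing function continues past this hunk.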
@@ -523,6 +529,8 @@
 			wfDebug( __METHOD__.": detected $file as image/vnd.djvu\n" );
 			return 'image/vnd.djvu';
 		}
+
+		return false;
 	}
 
 	/** Internal mime type detection, please use guessMimeType() for application code instead.
Index: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php	(revision 39202)
+++ trunk/phase3/includes/DefaultSettings.php	(revision 39203)
@@ -1802,7 +1802,10 @@
 	# Other types that may be interpreted by some servers
 	'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
 	# Windows metafile, client-side vulnerability on some systems
-	'application/x-msmetafile'
+	'application/x-msmetafile',
+	# A ZIP file may be a valid Java archive containing an applet which exploits the 
+	# same-origin policy to steal cookies
+	'application/zip',
 );
 
 /** This is a flag to determine whether or not to check file extensions on upload. */
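Review bot: The new `'application/zip'` entry will also reject every ZIP-container format that a wiki may legitimately allow — OpenDocument, OOXML, XPI, EPUB and similar — because the accompanying MimeMagic change now classifies any file with a ZIP end-of-directory record as `application/zip` before type-specific detection runs, and this list appears to be consulted for every upload when MIME verification is on (the surrounding setting names are outside the hunk, so confirm). Administrators who rely on such uploads will see them fail with no hint of why; the comment should say so, e.g. `# Also blocks ZIP-based document formats (OpenDocument, OOXML, ...) since MimeMagic reports any ZIP container as application/zip; remove at your own risk.` The line `# A ZIP file may be a valid Java archive containing an applet which exploits the ` also carries trailing whitespace.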
Index: trunk/phase3/RELEASE-NOTES
===================================================================
--- trunk/phase3/RELEASE-NOTES	(revision 39202)
+++ trunk/phase3/RELEASE-NOTES	(revision 39203)
@@ -67,6 +67,8 @@
 * (bug 14929) removeUnusedAccounts.php now supports 'ignore-touched' and
   'ignore-groups'. Patch by Louperivois
 * (bug 15127) Work around minor display glitch in Opera.
+* By default, reject file uploads that look like ZIP files, to avoid the 
+  so-called GIFAR vulnerability.
 
 === Bug fixes in 1.14 ===
 

Status & tagging log

  • 15:30, 12 September 2011 Meno25 (Talk | contribs) changed the status of r39203 [removed: ok added: old]