Talk:MediaWiki Stakeholders' Group/Tasks/Feature wishlist/2015 assessment

MS Office File Upload
An anonymous editor added to the feature wishlist "Upload of Office documents (docx etc.). Security issue. Needs changes in MW core". I just want to clarify that it is possible to upload MS Office documents, though as the anonymous editor indicates there may be security issues. In my usage environment the following is sufficiently secure.

First add the file extensions ('docx', 'xlsx', 'pptx') to $wgFileExtensions. Then modify $wgTrustedMediaFormats with the following to remove the "this file type may contain malicious code" warning:

Lastly, make sure your $wgMimeTypeBlacklist variable doesn't contain "application/x-opc+zip". This setting will prevent upload of docx files. The setting was added into the blacklist, then removed at some point...so just make sure whatever you're running doesn't have it.

You may have to do additional things to make this work for .doc, .xls and .ppt files, and it may include setting $wgAllowJavaUploads to true, which would be security issue on public wikis. Personally I've decided to not support .doc, .xls or .ppt because it forces all users to upgrade documents to a newer format. The benefit of this is that MediaWiki doesn't let you upload a new version of a document with a different file extension. So if someone uploads a .doc, and I go modify it and save as .docx, I cannot upload a new version of the document. Having one file type makes it simpler.

--Jamesmontalvo3 (talk) 13:06, 10 October 2014 (UTC)
 * Note that this would not be sufficiently secure in an environment where untrusted users can upload. Jackmcbarn (talk) 13:55, 10 October 2014 (UTC)

How to deal with (un)planned breaking changes?
From time to time there are breaking changes that more or less dramatically impact on third party users of MediaWiki. Sometimes these changes come with some time advance notice (like this public/private issue for SMW last year) sometimes they come at short notice such as the recent 70672 which breaks skinning and with 71621 trying to fix it being stuck in "hell".

Probably we should establish some process there third party users may notify breaking issues/situations occurring, which are assessed in some way and reacting to it according to the assessment. This is not exactly a feature wish but a process wish, so I am putting it onto this talk page until we figure out if and where to put it.

Cheers --&#91;&#91;kgh&#93;&#93; (talk) 14:32, 20 October 2014 (UTC)