Talk:MediaWiki Stakeholders' Group/Tasks/Feature wishlist/2015 assessment

MS Office File Upload
An anonymous editor added to the feature wishlist "Upload of Office documents (docx etc.). Security issue. Needs changes in MW core". I just want to clarify that it is possible to upload MS Office documents, though as the anonymous editor indicates there may be security issues. In my usage environment the following is sufficiently secure.

First add the file extensions ('docx', 'xlsx', 'pptx') to $wgFileExtensions. Then modify $wgTrustedMediaFormats with the following to remove the "this file type may contain malicious code" warning:

Lastly, make sure your $wgMimeTypeBlacklist variable doesn't contain "application/x-opc+zip". This setting will prevent upload of docx files. The setting was added into the blacklist, then removed at some point...so just make sure whatever you're running doesn't have it.

You may have to do additional things to make this work for .doc, .xls and .ppt files, and it may include setting $wgAllowJavaUploads to true, which would be security issue on public wikis. Personally I've decided to not support .doc, .xls or .ppt because it forces all users to upgrade documents to a newer format. The benefit of this is that MediaWiki doesn't let you upload a new version of a document with a different file extension. So if someone uploads a .doc, and I go modify it and save as .docx, I cannot upload a new version of the document. Having one file type makes it simpler.

--Jamesmontalvo3 (talk) 13:06, 10 October 2014 (UTC)
 * Note that this would not be sufficiently secure in an environment where untrusted users can upload. Jackmcbarn (talk) 13:55, 10 October 2014 (UTC)