Manual talk:$wgMimeTypeBlacklist

From mediawiki.org
Jump to navigation Jump to search

Zip files[edit]

I understand the effort to, on one hand, allow zip files to be uploaded, and in another hand to restrict, unsafe zip files to be uploaded. But the current documentation concerning zip files is poor. And because it is new since version 1.14, I got that warn:

Files of the MIME type "application/zip" are not allowed to be uploaded

which, according to the list of allowed extensions (which wasn't explicit in earlier versions) just before the click to upload, appears as a new bug for the users.

Also the manual page Manual:Mime_type_detection is more documented but not on zip files and it doesn't show the code which could inspire the solution that I applied and which consists in commenting the "application/zip" line, like it was in earlier versions.

Opendocument files are zip files but have their own extensions (.odp etc.) and this makes me confused regarding what this newer restriction is adding. --Nbrouard 22:54, 1 March 2010 (UTC)

Default changed in 1.17[edit]

to:

 $wgMimeTypeBlacklist = array(
   # HTML may contain cookie-stealing JavaScript and web bugs
   'text/html', 'text/javascript', 'text/x-javascript',  'application/x-shellscript',
   # PHP scripts may execute arbitrary code on the server
   'application/x-php', 'text/x-php',
   # Other types that may be interpreted by some servers
   'text/x-python', 'text/x-perl', 'text/x-bash', 'text/x-sh', 'text/x-csh',
   # Client-side hazards on Internet Explorer
   'text/scriptlet', 'application/x-msdownload',
   # Windows metafile, client-side vulnerability on some systems
   'application/x-msmetafile',
   # A ZIP file may be a valid Java archive containing an applet which exploits the
   # same-origin policy to steal cookies
   'application/zip',
  
   # MS Office OpenXML and other Open Package Conventions files are zip files
   # and thus blacklisted just as other zip files. If you remove these entries
   # from the blacklist in your local configuration, a malicious file upload
   # will be able to compromise the wiki's user accounts, and the user 
   # accounts of any other website in the same cookie domain.
   'application/x-opc+zip',
   'application/msword',
   'application/vnd.ms-powerpoint',
   'application/vnd.msexcel',
 );

So doc.. files are no longer uploadable. Please update this in Article. I even dont't understand the functionality of restricting msword...... There are some more zip based files then those 4. By the way xls files are detectet as MIME application/vnd.ms-excel.sheet.binary.macroenabled on my Wikis, so that restriction won't work either, or not. Perhaps this is an issue to IE that opens up these files directly in Browser, or?

Enable MS Office document upload[edit]

'application/x-opc+zip', 'application/msword', 'application/vnd.ms-powerpoint', 'application/vnd.msexcel' where added to the DefaultSettings.php file after 1.17.0. So, you can see a mime type error when you try to upload a Word, Excel or Powerpoint document.

  • You can disabled mime type verification by adding this parameter but it will be a security hole.
$wgVerifyMimeType = true;
  • You can add this parameter to you LocalSettings.php file. Then, if a change is done to the DefaultSettings in a future version, you will enjoy all the same
 $wgMimeTypeBlacklist = array_diff($wgMimeTypeBlacklist, array(
	'application/x-opc+zip',
	'application/msword',
	'application/vnd.ms-powerpoint',
	'application/vnd.msexcel'
 ));