[Engineering] [Wikitech-l] IE 6/7 MIME type sniffing checks on uploads - is it time to retire them?
Brion Vibber
bvibber at wikimedia.org
Fri Feb 1 20:03:20 UTC 2019
On Mon, Jan 28, 2019 at 10:58 PM Kunal Mehta <legoktm at member.fsf.org> wrote:
> Tim wrote a nice blog post about how he reverse-engineered this:
> <https://tstarling.com/blog/2008/12/secure-web-uploads/>.
>
> I don't have any comments on whether it's still needed, but if it's
> determined that MediaWiki can drop the checks, I'd like to see it
> turned into a PHP library...mostly because it's some neat code.
>
Heck yes. :)
My provisional patch is still keeping the code, but using it more
conservatively:
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/487527
The exact IE-based heuristics are still checked but will trip only on files
matching the exact conditions that would affect old IE versions. Most
uploaded JPEG or PNG files with HTML-ish links in EXIF metadata should not
trigger it, as the tag strings won't appear in the first 256 bytes of the
file.
The less-exact heuristics (held over from before Tim's addition of the
reverse-engineered exact checks) are now less overbearing, and should no
longer trigger on <a href, <img, <pre, <table, or <title tags. This also
obsoletes the $wgAllowTitlesInSVG setting, which will now be always true.
Feel free to help with review and testing -- especially welcome if folks
have samples of JPEG, PDF, DjVu, or other files that were blocked before
but should work so we can double-check. Thanks all!
-- brion
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/engineering/attachments/20190201/6ff9b0e4/attachment.html>
More information about the Engineering
mailing list