Last modified: 2009-09-25 17:26:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T20684, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 18684 - Uploading office 2007 files (docx, pptx etc) results in error
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Uploading
Version: 1.16.x
Hardware: All All
Importance: Normal normal
Assigned To: Jack D. Pond
Keywords: patch

Reported: 2009-05-05 09:47 UTC by Amit Ray
Modified: 2009-09-25 17:26 UTC

Attachments
see patch in 'function verify( $tmpfile, $extension )' (59.63 KB, patch)
2009-05-05 09:52 UTC, Amit Ray
Patch of above file to trunk (1.96 KB, patch)
2009-07-02 02:30 UTC, Chad H.
Patch for mime.types to allow MS Office 2007 doc types (825 bytes, patch)
2009-07-29 21:51 UTC, Jack D. Pond

Description Amit Ray 2009-05-05 09:47:53 UTC
Overview:
With MediaWiki 1.14.0, trying to upload a Word 2007 file (docx extension) resulted in an error message that it was application/zip and the file could be harmful, hence cannot be uploaded.
The LocalSettings.php had already been updated with 'docx' extension included in the array variable $wgFileExtensions. Also, the IIS server (5.0) has 'docx' extension type configured for allowable file transfer.

Temporary Work-around implemented at the local server:

In file "includes\Specials\SpecialUpload.php", in "function verify($tmpfile, $extension )", I bypass the checks "if ( $this->checkFileExtension( $mime, $wgMimeTypeBlacklist )", if the file extension is 'docx'.

Comments:
Not sure if it is a known issue in MediaWiki 1.14.0.
If it is a bug, I would be looking forward to a permanent solution to the above.
Comment 1 Amit Ray 2009-05-05 09:52:05 UTC
Created attachment 6090 [details]
see patch in 'function verify( $tmpfile, $extension )'
Comment 2 Chad H. 2009-05-06 00:19:35 UTC
Downgrading status from blocker. 
Comment 3 Roan Kattouw 2009-05-07 10:09:11 UTC
(In reply to comment #1)
> Created an attachment (id=6090) [details]
> see patch in 'function verify( $tmpfile, $extension )'
> 

Please submit a real patch in unified diff format.
Comment 4 Chad H. 2009-07-02 02:30:53 UTC
Created attachment 6291 [details]
Patch of above file to trunk

Here's a diff of patching the above file into trunk. That being said, I won't commit it.

It's a nasty hack with a very easily exploitable vector: rename any file to one of the MSFT files, and you skip all of Tim's content-detection work.
Comment 5 Jack D. Pond 2009-07-29 21:51:54 UTC
Created attachment 6403 [details]
Patch for mime.types to allow MS Office 2007 doc types

This problem could also be fixed by patching the includes/mime.types file to identify the MS 2007 Office docs (see attached patch).  If someone will assign to me, I would be glad to fix and submit.
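
Comments 4 and 5 contrast skipping the check by file extension with identifying the file by its content. The following is an added example, not MediaWiki code and not taken from any attachment on this bug: it is written in Python so that it runs stand-alone, and every function name and sample archive in it is constructed for illustration. It accepts an upload only when the ZIP package's `[Content_Types].xml` manifest declares a main part matching the claimed extension, so a plain ZIP renamed to `.docx` is rejected.

```python
import io, zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
PREFIX = "application/vnd.openxmlformats-officedocument."
# Extension -> MIME type that the package's main part must imply.
EXPECTED = {
    "docx": PREFIX + "wordprocessingml.document",
    "xlsx": PREFIX + "spreadsheetml.sheet",
    "pptx": PREFIX + "presentationml.presentation",
}
MAIN = ".main+xml"        # suffix of the main part's declared content type
MAX_MANIFEST = 1 << 20    # read at most 1 MiB of the manifest

def detect_ooxml_mime(data):
    """Return the OOXML MIME type implied by the package content, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open("[Content_Types].xml") as fh:
            manifest = fh.read(MAX_MANIFEST + 1)
        if len(manifest) > MAX_MANIFEST or b"<!DOCTYPE" in manifest:
            return None   # oversized manifest or a DTD: refuse to parse it
        root = ET.fromstring(manifest)
    except (zipfile.BadZipFile, KeyError, RuntimeError, ET.ParseError):
        return None       # not a ZIP, no manifest, encrypted, or malformed XML
    for override in root.iter(CT_NS + "Override"):
        ctype = override.get("ContentType", "")
        if ctype.endswith(MAIN) and ctype[:-len(MAIN)] in EXPECTED.values():
            return ctype[:-len(MAIN)]
    return None

def verify_upload(filename, data):
    """Accept only when the extension and the detected content agree."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in EXPECTED and detect_ooxml_mime(data) == EXPECTED[ext]

def make_zip(members):
    """Build a constructed in-memory ZIP from {name: text} for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample inputs: a minimal OOXML-style package and an ordinary ZIP.
MANIFEST = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="%s"/></Types>')
SAMPLE_DOCX = make_zip({"[Content_Types].xml": MANIFEST % (EXPECTED["docx"] + MAIN),
                        "word/document.xml": "<w/>"})
PLAIN_ZIP = make_zip({"notes.txt": "constructed placeholder"})
```

The check only establishes that the archive declares itself an OOXML package of the claimed kind; it does not inspect the other members of the archive. Macro-enabled variants declare a different main content type and are therefore not matched by this table.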
Comment 6 Bryan Tong Minh 2009-09-25 16:43:36 UTC
(In reply to comment #5)
> Created an attachment (id=6403) [details]
> Patch for mime.types to allow MS Office 2007 doc types
> 
> This problem could also be fixed by patching the includes/mime.types file to
> identify the MS 2007 Office docs (see attached patch).  If someone will assign
> to me, I would be glad to fix and submit.
> 

Looks ok.
Comment 7 Jack D. Pond 2009-09-25 17:26:21 UTC
Committed to revision 56923
