Allowing uploads of arbitrary files in MediaWiki

I did RTFM and I did what it said, and still my Mediawiki complained when I tried to upload executable files and things with funny file extensions or mime types. if $wgFileExtensions is empty but $wgEnableUploads = true and $wgStrictFileExtensions = false it should just let me upload anything. I can't think what other behaviour one would expect there, but set like that I can't upload my dodgy files.

So I've removed the code it uses to check.

Here's a pair of diffs if you'd also like to do this. These are on version 1.17.0 but I suspect it's not changed very much.

This just comments out the two blocks of code in UploadBase.php which check whether files are considered safe and warn if they're not - it prevents the checking and the warning:

  1. wiki:/home/wiki/public_html# diff includes/upload/UploadBase.php includes/upload/UploadBase.php.bak
  2. 447,455c447,454
  3. < // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
  4. < // // Check whether the file extension is on the unwanted list
  5. < // global $wgCheckFileExtensions, $wgFileExtensions;
  6. < // if ( $wgCheckFileExtensions ) {
  7. < // if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
  8. < // $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
  9. < // }
  10. < // }
  11. < //
  12. ---
  13. > // Check whether the file extension is on the unwanted list
  14. > global $wgCheckFileExtensions, $wgFileExtensions;
  15. > if ( $wgCheckFileExtensions ) {
  16. > if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
  17. > $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
  18. > }
  19. > }
  20. >
  21. 557,570c556,569
  22. < // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
  23. < // /* Don't allow users to override the blacklist (check file extension) */
  24. < // global $wgCheckFileExtensions, $wgStrictFileExtensions;
  25. < // global $wgFileExtensions, $wgFileBlacklist;
  26. < // if ( $this->mFinalExtension == '' ) {
  27. < // $this->mTitleError = self::FILETYPE_MISSING;
  28. < // return $this->mTitle = null;
  29. < // } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
  30. < // ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
  31. < // !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
  32. < // $this->mTitleError = self::FILETYPE_BADTYPE;
  33. < // return $this->mTitle = null;
  34. < // }
  35. < //
  36. ---
  37. >
  38. > /* Don't allow users to override the blacklist (check file extension) */
  39. > global $wgCheckFileExtensions, $wgStrictFileExtensions;
  40. > global $wgFileExtensions, $wgFileBlacklist;
  41. > if ( $this->mFinalExtension == '' ) {
  42. > $this->mTitleError = self::FILETYPE_MISSING;
  43. > return $this->mTitle = null;
  44. > } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
  45. > ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
  46. > !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
  47. > $this->mTitleError = self::FILETYPE_BADTYPE;
  48. > return $this->mTitle = null;
  49. > }
  50. >

And this just stops Setup.php making-safe the $wgFileExtensions array by removing whatever's in $wgFileBlacklist from it, which I think wouldn't complain had I not already done Bad Things to those two variables, but it's late and it can't hurt to turn this off, too:

  1. wiki:/home/wiki/public_html# diff includes/Setup.php includes/Setup.php.bak
  2. 296,298c296,297
  3. < // ## Avi Commented this out so we can upload whatever we like to our server. That was nice of him
  4. < //# Blacklisted file extensions shouldn't appear on the "allowed" list
  5. < //$wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
  6. ---
  7. > # Blacklisted file extensions shouldn't appear on the "allowed" list
  8. > $wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
  9.