by

Allowing uploads of arbitrary files in MediaWiki

I did RTFM and I did what it said, and still my Mediawiki complained when I tried to upload executable files and things with funny file extensions or mime types. if $wgFileExtensions is empty but $wgEnableUploads = true and $wgStrictFileExtensions = false it should just let me upload anything. I can't think what other behaviour one would expect there, but set like that I can't upload my dodgy files.

So I've removed the code it uses to check.

Here's a pair of diffs if you'd also like to do this. These are on version 1.17.0 but I suspect it's not changed very much.

This just comments out the two blocks of code in UploadBase.php which check whether files are considered safe and warn if they're not - it prevents the checking and the warning:

  1. wiki:/home/wiki/public_html# diff includes/upload/UploadBase.php includes/upload/UploadBase.php.bak
  2. 447,455c447,454
  3. < // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
  4. < //            // Check whether the file extension is on the unwanted list
  5. < //            global $wgCheckFileExtensions, $wgFileExtensions;
  6. < //            if ( $wgCheckFileExtensions ) {
  7. < //                    if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
  8. < //                            $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
  9. < //                    }
  10. < //            }
  11. < //
  12. ---
  13. >               // Check whether the file extension is on the unwanted list
  14. >               global $wgCheckFileExtensions, $wgFileExtensions;
  15. >               if ( $wgCheckFileExtensions ) {
  16. >                       if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
  17. >                               $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
  18. >                       }
  19. >               }
  20. > 
  21. 557,570c556,569
  22. < // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
  23. < //            /* Don't allow users to override the blacklist (check file extension) */
  24. < //            global $wgCheckFileExtensions, $wgStrictFileExtensions;
  25. < //            global $wgFileExtensions, $wgFileBlacklist;
  26. < //            if ( $this->mFinalExtension == '' ) {
  27. < //                    $this->mTitleError = self::FILETYPE_MISSING;
  28. < //                    return $this->mTitle = null;
  29. < //            } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
  30. < //                            ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
  31. < //                                    !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
  32. < //                    $this->mTitleError = self::FILETYPE_BADTYPE;
  33. < //                    return $this->mTitle = null;
  34. < //            }
  35. < //
  36. ---
  37. > 
  38. >               /* Don't allow users to override the blacklist (check file extension) */
  39. >               global $wgCheckFileExtensions, $wgStrictFileExtensions;
  40. >               global $wgFileExtensions, $wgFileBlacklist;
  41. >               if ( $this->mFinalExtension == '' ) {
  42. >                       $this->mTitleError = self::FILETYPE_MISSING;
  43. >                       return $this->mTitle = null;
  44. >               } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
  45. >                               ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
  46. >                                       !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
  47. >                       $this->mTitleError = self::FILETYPE_BADTYPE;
  48. >                       return $this->mTitle = null;
  49. >               }
  50. >

And this just stops Setup.php making-safe the $wgFileExtensions array by removing whatever's in $wgFileBlacklist from it, which I think wouldn't complain had I not already done Bad Things to those two variables, but it's late and it can't hurt to turn this off, too:

  1. wiki:/home/wiki/public_html# diff includes/Setup.php includes/Setup.php.bak
  2. 296,298c296,297
  3. < // ## Avi Commented this out so we can upload whatever we like to our server. That was nice of him
  4. < //# Blacklisted file extensions shouldn't appear on the "allowed" list
  5. < //$wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
  6. ---
  7. > # Blacklisted file extensions shouldn't appear on the "allowed" list
  8. > $wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
  9.