Closed Bug 792955 Opened 13 years ago Closed 13 years ago

Build file upload filter

Categories

(developer.mozilla.org :: Security, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: openjck, Unassigned)

Based on the decisions that are shared in the following page, implement a file upload filter. https://wiki.mozilla.org/MDN/Development/Features/File_upload_filter
A proof of concept for discussion is in this pull request: https://github.com/mozilla/kuma/pull/629
Uses a whitelist, configured through constance (so editable in admin for easy tweaking) to control the set of allowed types.
cc'ing docs team to look over https://github.com/mozilla/kuma/pull/638/files#L3R1012 and tell us which file types should be included so we don't break stuff.
image/svg+xml text/html :)
Noob question: that doesn't concern already-loaded files, only the new upload?
:teoli : correct, but we will probably use the same white-list of file-types for other things in the future. So we need to get it right for both existing files and new files.
In fact, I would like to clean these existing files because some types look really weird (Word documents, x-trash documents, even a WordPerfect I think). I suspect that some of these documents are just residue of old spamming. The first step to achieve this is to prevent new strange files from being uploaded without us knowing it. The second step would be to review these strange documents (and likely to get rid of them for more open or at least appropriate formats). Finally, I prefer to be restrictive first, and to open progressively. (We don't upload new types of files every day so it won't be something to PR every day.) -- Jean-Yves
Okay, so the initial list should be:
image/gif
image/jpeg
image/png
image/svg+xml
text/html
And that's it?
Commits pushed to master at https://github.com/mozilla/kuma
https://github.com/mozilla/kuma/commit/28b62e1eb8b8b3943b3e9d4a97ddf5e353a8c0c2
Fix bug 792955: Build file upload filter
This adds a mime-type check to the process of uploading an attachment to the wiki, and will disallow files outside of a specific whitelist of permitted types. The whitelist is specified through constance, with a simple default of just the common image formats, but as a constance key it'll be editable through the admin without needing to tweak code.
https://github.com/mozilla/kuma/commit/cdff28dc2fa71a3d5280c84777ef7ce18ab4bbfe
Merge pull request #638 from ubernostrum/file-type-filter
Fix bug 792955: Build file upload filter
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
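The kind of allowlist check the commit message above describes, as an added example that is not code from kuma: it assumes the setting is a single whitespace-separated string, and it goes one step beyond the thread by also comparing the declared type with the file's leading bytes for the three default image formats. All function and constant names are hypothetical.

```python
# Added example; not code from kuma. All names here are hypothetical.

# Assumed setting format: one whitespace-separated string of MIME types,
# the kind of value an admin could edit without a code change.
DEFAULT_ALLOWED = "image/gif image/jpeg image/png"

# Leading-byte signatures for the three default image types.
SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def parse_allowlist(setting):
    """Turn the setting string into a set of lower-cased MIME types."""
    return {item.lower() for item in setting.split()}


def sniff_type(head):
    """Return the MIME type whose signature starts `head`, or None."""
    for mime, prefixes in SIGNATURES.items():
        if head.startswith(prefixes):
            return mime
    return None


def check_upload(declared_type, head, setting=DEFAULT_ALLOWED):
    """Decide whether an upload is acceptable; returns (ok, reason).

    declared_type is the client-supplied Content-Type and head is the
    first bytes of the file. Types with no signature above (for example
    text/html) are judged on the declared type alone.
    """
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared not in parse_allowlist(setting):
        return False, "type not in allowlist: " + declared
    if declared in SIGNATURES and sniff_type(head) != declared:
        return False, "content does not match declared type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_upload("image/png", b"\x89PNG\r\n\x1a\n\x00\x00"))
    print(check_upload("application/msword", b"\xd0\xcf\x11\xe0"))
    print(check_upload("image/gif", b"<html><body>"))
```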