Closed Bug 792955 Opened 12 years ago Closed 12 years ago

Build file upload filter

Categories

(developer.mozilla.org :: Security, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: openjck, Unassigned)

Based on the decisions that are shared in the following page, implement a file upload filter.

https://wiki.mozilla.org/MDN/Development/Features/File_upload_filter

A proof of concept for discussion is in this pull request:

https://github.com/mozilla/kuma/pull/629

Uses a whitelist, configured through constance (so editable in admin for easy tweaking) to control the set of allowed types.

cc'ing docs team to look over https://github.com/mozilla/kuma/pull/638/files#L3R1012 and tell us which file types should be included so we don't break stuff.

image/svg+xml
text/html

:)

Noob question: that doesn't concern already-loaded files, only the new upload?

:teoli: correct, but we will probably use the same white-list of file-types for other things in the future. So we need to get it right for both existing files and new files.

In fact, I would like to clean these existing files because some types look really weird (Word documents, x-trash documents, even a WordPerfect I think). I suspect that some of these documents are just residue of old spamming.

The first step to achieve this is to prevent new strange files from being uploaded without us knowing it.
The second step would be to review these strange documents (and likely to get rid of them in favor of a more open or at least appropriate format).

Finally, I prefer to be restrictive first, and to open progressively. (We don't upload new types of files every day so it won't be something to PR every day.)

-- 
Jean-Yves

Okay, so the initial list should be:

image/gif
image/jpeg
image/png
image/svg+xml
text/html

And that's it?

Commits pushed to master at https://github.com/mozilla/kuma

https://github.com/mozilla/kuma/commit/28b62e1eb8b8b3943b3e9d4a97ddf5e353a8c0c2
Fix bug 792955: Build file upload filter

This adds a mime-type check to the process of uploading an attachment
to the wiki, and will disallow files outside of a specific whitelist
of permitted types.

The whitelist is specified through constance, with a simple default of
just the common image formats, but as a constance key it'll be
editable through the admin without needing to tweak code.

https://github.com/mozilla/kuma/commit/cdff28dc2fa71a3d5280c84777ef7ce18ab4bbfe
Merge pull request #638 from ubernostrum/file-type-filter

Fix bug 792955: Build file upload filter

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
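
The allowlist check discussed in this bug, as an added example that is not kuma's code: it classifies an upload from its leading bytes instead of trusting the client-supplied Content-Type, then compares the result with the configured list. The function names, the whitespace-separated setting format and the sample values are assumptions made for illustration.

```python
# Added example, not kuma's code. All names here are hypothetical.

# Constructed setting value: the initial list proposed in this bug, stored as
# one whitespace-separated string (assumed format for an admin-editable key).
ALLOWED_SETTING = "image/gif image/jpeg image/png image/svg+xml text/html"

# Leading-byte signatures for the binary image formats on the list.
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]


def parse_allowlist(setting):
    """Turn the stored string into a set of lowercase MIME types."""
    return frozenset(item.lower() for item in setting.split())


def sniff_mime(data):
    """Classify content from its first bytes, ignoring any client claim."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    # Text formats have no fixed signature; this is a heuristic on the head.
    head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "text/html"
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "image/svg+xml"
    return "application/octet-stream"


def check_upload(declared, data, allowlist):
    """Return (accepted, reason). Reject unknown or mislabelled content."""
    declared = declared.split(";", 1)[0].strip().lower()
    detected = sniff_mime(data)
    if detected not in allowlist:
        return False, "type %s is not allowed" % detected
    if declared != detected:
        return False, "declared %s but content is %s" % (declared, detected)
    return True, detected
```

Because image/svg+xml and text/html can carry script, a filter like this only controls what gets stored; how accepted files of those types are served is a separate decision.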