More file validity checks due to IE stupidity

Brion Vibber · Brion Vibber · commit 622df8f5db80 · 2004-09-28T23:50:32.000Z
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
@@ -3,7 +3,24 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
-== Version 1.3.4, 2004-??-?? ==
+== Version 1.3.4, 2004-09-28 ==
+
+************************** SECURITY NOTE! ******************************
+
+As of 1.3.4, MediaWiki performs some screening of newly uploaded files for
+validity. (Some)  corrupt image files, and HTML files mistakenly or
+maliciously masquerading as images, should now be rejected.
+
+These checks protect against Internet Explorer security holes relating
+to type autodetection which are a potential cross-site scripting attack
+vector, and also rejects at least one known version of the "JPEG virus"
+which might attack unpatched clients.
+
+If you already have invalid files uploaded this will not protect against
+them. If you have expanded the filetype whitelist or disabled the strict
+type checking, other dangerous file types may still get through. You should
+always be careful when allowing uploads!
+
 
 Changes from 1.3.3:
 * Fixed lots of template-related bugs, esp. for cases where template
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
@@ -349,7 +349,21 @@ function mainUploadForm( $msg )
 	</td></tr></table></form>\n" );
 	}
 	
+	/**
+	 * Returns false if the file is of a known type but can't be recognized,
+	 * indicating a corrupt file.
+	 * Returns true otherwise; unknown file types are not checked if given
+	 * with an unrecognized extension.
+	 *
+	 * @param string $tmpfile Pathname to the temporary upload file
+	 * @param string $extension The filename extension that the file is to be served with
+	 * @return bool
+	 */
 	function verify( $tmpfile, $extension ) {
+		if( $this->triggersIEbug( $tmpfile ) ) {
+			return false;
+		}
+		
 		$fname = 'SpecialUpload::verify';
 		$mergeExtensions = array(
 			'jpg' => 'jpeg',
@@ -418,5 +432,30 @@ function verify( $tmpfile, $extension ) {
 		wfDebug( "$fname: all clear; passing.\n" );
 		return true;
 	}
+	
+	/**
+	 * Internet Explorer for Windows performs some really stupid file type
+	 * autodetection which can cause it to interpret valid image files as HTML
+	 * and potentially execute JavaScript, creating a cross-site scripting
+	 * attack vectors.
+	 *
+	 * Returns true if IE is likely to mistake the given file for HTML.
+	 *
+	 * @param string $filename
+	 * @return bool
+	 */
+	function triggersIEbug( $filename ) {
+		$file = fopen( $filename, 'rb' );
+		$chunk = strtolower( fread( $file, 200 ) );
+		fclose( $file );
+		
+		$tags = array( '<html', '<head', '<body', '<script' );
+		foreach( $tags as $tag ) {
+			if( false !== strpos( $chunk, $tag ) ) {
+				return true;
+			}
+		}
+		return false;
+	}
 }
 ?>
