00318: option to disable upload filetype checking
Description: File type checking is provided for security and upload passwords are also provided for security. If an admin wishes to only allow uploads from him/herself then it is too restrictive to also apply file type checking. I would like to see an option in the config.php file to opt out entirely of file type checking on uploads. I think this would be simpler than providing a somewhat user friendly method of editing the allowed file types. Incidently I took a stab at editing the upload.php file but it didn't work, its likely me, I am a non-programmer. I also don't like changing scripts because the changes will get overwritten on software load updates.
If editing of file types were going to be added it would seem to me to make more sense to specify what isn't allowed rather than what is allowed. I suspect the list would be shorter that way, com, exe, cgi, php, jar etc.
It's a traditional point of security that it's always safer to only accept what is explicitly allowed as opposed to denying what isn't allowed.
For example, suppose we accept any file extension except .php and the other well-known filetypes. Suddenly the webserver administrator (who may not be the wiki administrator) installs PHP 5.0.0, and enables files with a ".php5" extension to be executable. Unless the wiki administrator realizes this has happened and immediately disallows the .php5 extension, then arbitrary scripts can be uploaded and executed on the server without anyone realizing the potential problem.
However, if you wish to allow arbitrary files to be uploaded, you should be able to do it with the following in config.php:
function UploadVerifyNone($pagename, $uploadfile, $filepath) { return ''; } $UploadVerifyFunction = 'UploadVerifyNone';
This turns off all upload file checking (including file extension and file sizes).
--Pm
Thanks - markndennis@hotmail.com