(bug 1672) Add $wgDisableUploadScriptChecks to allow disabling of the HTML/JS detecti...

diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19
index b92622d..9dd94ec 100644 (file)
--- a/RELEASE-NOTES-1.19
+++ b/RELEASE-NOTES-1.19
@@ -91,6 +91,8 @@ production.
 * (bug 8859) Database::update should take array of tables too
 * (bug 19698) Inverse selection for Special:Contributions
 * (bug 24037) Add byte length of revision to Special:Contributions
+* (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files
+  containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
 
 === Bug fixes in 1.19 ===
 * $wgUploadNavigationUrl should be used for file redlinks if

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 7cde88c..92fe00a 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -557,6 +557,13 @@ $wgCheckFileExtensions = true;
  */
 $wgStrictFileExtensions = true;
 
+/**
+ * Setting this to true will disable the upload system's checks for HTML/JavaScript.
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
+ * TO RESTRICT UPLOADING to only those that you trust
+ */
+$wgDisableUploadScriptChecks = false;
+
 /** Warn if uploaded files are larger than this (in bytes), or false to disable*/
 $wgUploadSizeWarning = false;
 
@@ -2960,7 +2967,7 @@ $wgTidyInternal = extension_loaded( 'tidy' );
 $wgDebugTidy = false;
 
 /** Allow raw, unchecked HTML in <html>...</html> sections.
- * THIS IS VERY DANGEROUS on a publically editable site, so USE wgGroupPermissions
+ * THIS IS VERY DANGEROUS on a publicly editable site, so USE wgGroupPermissions
  * TO RESTRICT EDITING to only those that you trust
  */
 $wgRawHtml = false;

diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php
index fc5c738..39b4ad2 100644 (file)
--- a/includes/upload/UploadBase.php
+++ b/includes/upload/UploadBase.php
@@ -357,7 +357,7 @@ abstract class UploadBase {
         * @return mixed true of the file is verified, array otherwise.
         */
        protected function verifyFile() {
-               global $wgAllowJavaUploads;
+               global $wgAllowJavaUploads, $wgDisableUploadScriptChecks;
                # get the title, even though we are doing nothing with it, because
                # we need to populate mFinalExtension
                $this->getTitle();
@@ -372,13 +372,15 @@ abstract class UploadBase {
                }
 
                # check for htmlish code and javascript
-               if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
-                       return array( 'uploadscripted' );
-               }
-               if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
-                       if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+               if ( !$wgDisableUploadScriptChecks ) {
+                       if( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
                                return array( 'uploadscripted' );
                        }
+                       if( $this->mFinalExtension == 'svg' || $mime == 'image/svg+xml' ) {
+                               if( $this->detectScriptInSvg( $this->mTempPath ) ) {
+                                       return array( 'uploadscripted' );
+                               }
+                       }
                }
 
                # Check for Java applets, which if uploaded can bypass cross-site