[pmwiki-users] Is allowing uploading of html files a security problem?

Patrick R. Michaud pmichaud at pobox.com
Fri Aug 4 12:33:41 CDT 2006

On Thu, Aug 03, 2006 at 03:36:25PM -0700, info at theburroughsproject.com wrote:
> I've set my uploads so that htm and html files are not allowed. I
> figured that I didn't want someone uploading webpages with javascripts
> embedded into them. I thought that was supposed to be a security issue.

It is.

> But then I noticed that if I remove the .html extension, I can upload
> the file, which will still open in a browser as an html file. 

Depends on the browser -- in particular, IE is broken here.  

PmWiki's default upload configuration allows files w/o extensions 
to be uploaded, and it returns such files as Content-type "text/plain".
Unfortunately, IE is broken here -- if a file appears to contain
HTML, then IE will display it as such regardless of the type
indicated by the server.

So, the solution is to also disable uploading of files with .htm,
.html, or no extension:

    $UploadExtSize[''] = 0;
    $UploadExtSize['htm'] = 0;
    $UploadExtSize['html'] = 0;

> Then I noticed that pmwiki allows uploading of htm files. Am I missing
> something? Is this not a security issue? 

I think you're referring to pmwiki.org here; yes, pmwiki.org currently
allows .htm files to be uploaded, and it is technically a security 
issue (but one I'm willing to deal with if exploited).  All security
choices are a risk assessment of some sort, and pmwiki.org simply has
a more liberal policy than what many sites would want.

As noted in the PmWiki.UploadsAdmin page:

    Keep in mind that letting users (anonymously!) upload files to 
    your web server does entail some amount of risk. 

That risk exists simply by virtue of enabling uploads, which
is why PmWiki ships with uploads totally disabled by default,
and even when they're enabled a password is required by default.

Some might suggest that we simply disallow "risky" file types
such as .htm and .html, but the truth is that nearly all 
filetypes are "risky" because of the IE behavior described above
and because of various Windows flaws in general.  The filetypes 
that would have to be considered "unsafe" would include .htm, 
.html, .txt, .jpeg, .jpg, .exe, .doc, and .xls, and possibly more.


More information about the pmwiki-users mailing list