Allowing uploads of arbitrary files in MediaWiki

I did RTFM and I did what it said, and still my Mediawiki complained when I tried to upload executable files and things with funny file extensions or mime types. if $wgFileExtensions is empty but $wgEnableUploads = true and $wgStrictFileExtensions = false it should just let me upload anything. I can’t think what other behaviour one would expect there, but set like that I can’t upload my dodgy files.

So I’ve removed the code it uses to check.

Here’s a pair of diffs if you’d also like to do this. These are on version 1.17.0 but I suspect it’s not changed very much.

This just comments out the two blocks of code in UploadBase.php which check whether files are considered safe and warn if they’re not – it prevents the checking and the warning:

wiki:/home/wiki/public_html# diff includes/upload/UploadBase.php includes/upload/UploadBase.php.bak
447,455c447,454
< // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
< //            // Check whether the file extension is on the unwanted list
< //            global $wgCheckFileExtensions, $wgFileExtensions;
< //            if ( $wgCheckFileExtensions ) {
< //                    if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
< //                            $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
< //                    }
< //            }
< //
---
>               // Check whether the file extension is on the unwanted list
>               global $wgCheckFileExtensions, $wgFileExtensions;
>               if ( $wgCheckFileExtensions ) {
>                       if ( !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) {
>                               $warnings['filetype-unwanted-type'] = $this->mFinalExtension;
>                       }
>               }
> 
557,570c556,569
< // ## Avi Commented this out so that we can upload whatever we like to our server. That was nice of him
< //            /* Don't allow users to override the blacklist (check file extension) */
< //            global $wgCheckFileExtensions, $wgStrictFileExtensions;
< //            global $wgFileExtensions, $wgFileBlacklist;
< //            if ( $this->mFinalExtension == '' ) {
< //                    $this->mTitleError = self::FILETYPE_MISSING;
< //                    return $this->mTitle = null;
< //            } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
< //                            ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
< //                                    !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
< //                    $this->mTitleError = self::FILETYPE_BADTYPE;
< //                    return $this->mTitle = null;
< //            }
< //
---
> 
>               /* Don't allow users to override the blacklist (check file extension) */
>               global $wgCheckFileExtensions, $wgStrictFileExtensions;
>               global $wgFileExtensions, $wgFileBlacklist;
>               if ( $this->mFinalExtension == '' ) {
>                       $this->mTitleError = self::FILETYPE_MISSING;
>                       return $this->mTitle = null;
>               } elseif ( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) ||
>                               ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
>                                       !$this->checkFileExtension( $this->mFinalExtension, $wgFileExtensions ) ) ) {
>                       $this->mTitleError = self::FILETYPE_BADTYPE;
>                       return $this->mTitle = null;
>               }
> 

And this just stops Setup.php making-safe the $wgFileExtensions array by removing whatever’s in $wgFileBlacklist from it, which I think wouldn’t complain had I not already done Bad Things to those two variables, but it’s late and it can’t hurt to turn this off, too:

wiki:/home/wiki/public_html# diff includes/Setup.php includes/Setup.php.bak
296,298c296,297
< // ## Avi Commented this out so we can upload whatever we like to our server. That was nice of him
< //# Blacklisted file extensions shouldn't appear on the "allowed" list
< //$wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );
---
> # Blacklisted file extensions shouldn't appear on the "allowed" list
> $wgFileExtensions = array_diff ( $wgFileExtensions, $wgFileBlacklist );