2e83387666
Allows uploaded files to include some HTML tag strings that were previously forbidden in the first 1k or so of the file: * <a href * <img * <pre * <table * <title They are now allowed as long as the IE MIME type detection heuristic would not change their types. This should reduce the number of false positive checks in JPEGs with EXIF data with links. Also deprecates $wgAllowTitlesInSVG and allows it by default. This should still protect against malformed PNG attacks on old IE versions, though false positive checks are conceivable on PNG files containing comments very close to the beginning of the file. Adds $wgVerifyMimeTypeIE config var to allow disabling the IE checks entirely, if desired, but leaves it in place by default. These are more conservative than the checks that were removed. Added test cases for the old IE5/6 bug and the particular sort of JPEG metadata that struck false positives previously. Bug: T27707 Change-Id: I66642a74fce1a1894cad67d62b0da61020db469a
9.3 KiB
100x100px
9.3 KiB
100x100px
