authorPierre Schmitz <pierre@archlinux.de>2013-05-22 00:45:21 +0200
committerPierre Schmitz <pierre@archlinux.de>2013-05-22 00:45:21 +0200
commit393e0d71f4c5478bea53ff62ff818aebbabb3e40 (patch)
treea40f0a205ee71a5c61fec5bf23557b7d1813340a /includes/upload/UploadStash.php
parent953618714cb41a89b1f1078325f94579fc154b8a (diff)
Update to MediaWiki 1.20.6
Diffstat (limited to 'includes/upload/UploadStash.php')
-rw-r--r--includes/upload/UploadStash.php11
1 files changed, 10 insertions, 1 deletions
diff --git a/includes/upload/UploadStash.php b/includes/upload/UploadStash.php
index c7fd23a9..53a90582 100644
--- a/includes/upload/UploadStash.php
+++ b/includes/upload/UploadStash.php
@@ -422,6 +422,7 @@ class UploadStash {
* @return string
*/
public static function getExtensionForPath( $path ) {
+ global $wgFileBlacklist;
// Does this have an extension?
$n = strrpos( $path, '.' );
$extension = null;
@@ -441,7 +442,15 @@ class UploadStash {
throw new UploadStashFileException( "extension is null" );
}
- return File::normalizeExtension( $extension );
+ $extension = File::normalizeExtension( $extension );
+ if ( in_array( $extension, $wgFileBlacklist ) ) {
+ // The file should already be checked for being evil.
+ // However, if somehow we got here, we definitely
+ // don't want to give it an extension of .php and
+ // put it in a web accesible directory.
+ return '';
+ }
+ return $extension;
}
/**
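Review bot: The new blacklist branch returns '' silently, although reaching it means the earlier upload check let a blacklisted file through; that event is worth recording so it can be investigated, e.g. `wfDebug( __METHOD__ . ": blacklisted extension '$extension' dropped\n" );` before `return '';`. The membership test also uses loose comparison; `in_array( $extension, $wgFileBlacklist, true )` avoids PHP's numeric-string juggling on extension values. Callers presumably build the stash file name from this return value, so they should be checked for how they handle an empty extension, given that the null case just above throws instead. The part of getExtensionForPath between the two hunks is not visible here.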