[00:15:12] Multimedia, MediaWiki-Uploading, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (Aklapper) > Logins should definitely be disabled for those. This feels off-topic for this task. See https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations#For_Users_of_Microsoft...
[09:59:20] Multimedia, MediaWiki-Uploading: JPEG2000 images should not be uploadable as .jpg files - https://phabricator.wikimedia.org/T20803 (Peachey88)
[13:53:24] Multimedia, MediaWiki-Uploading, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (AlexisJazz) >>! In T27707#4921089, @Aklapper wrote: >> Logins should definitely be disabled for those. > This feels off-topic for this task. See https://wikitech.wikimedia.org/wiki/HTTPS/B...
[17:19:00] Multimedia, MediaWiki-Uploading, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (brion) @Aklapper I believe it's very on-topic to discuss the security implications of a suggested feature change. Where would you suggest we discuss this if not here, on this task?
[17:41:24] Multimedia, MediaWiki-Uploading, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (brion) >>! In T27707#4920735, @AlexisJazz wrote: > Though this is not needed to remove this MIME sniffing check (or at the very least, make it optional), as I've shown it can't be exploite...
[18:39:35] Multimedia, MediaWiki-Uploading, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (brion) Ok, looking at the actual current code now... `UploadBase::detectScript` does the check, and combines several things: * looks at first 1024 bytes (more than IE checks) if binary, or...
[19:56:41] Multimedia, MediaWiki-Uploading, Patch-For-Review, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (brion) The above patch https://gerrit.wikimedia.org/r/487527 removes some of the non-scripting tags from the checks in `UploadBase::detectScript`, and makes the conse...
[22:18:48] Multimedia, MediaWiki-Uploading, Patch-For-Review, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (AlexisJazz) >>! In T27707#4921804, @brion wrote: >>>! In T27707#4920735, @AlexisJazz wrote: >> Though this is not needed to remove this MIME sniffing check (or at the...
[22:38:06] Multimedia, MediaWiki-Uploading, Patch-For-Review, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (AlexisJazz) >>! In T27707#4921905, @brion wrote: > The above patch https://gerrit.wikimedia.org/r/487527 removes some of the non-scripting tags from the checks in `Up...
[22:52:44] Multimedia, MediaWiki-Uploading, Patch-For-Review, Security: Allow "html" in exif tags - https://phabricator.wikimedia.org/T27707 (brion) >>! In T27707#4922017, @AlexisJazz wrote: > https://www.flickr.com/photos/tinto/30943950124/ and other photos from this Flickr user. Perfect! Confirmed that t...