6696 2011-06-20 11:19:00 -0700 Uploads must not use supplied file extension 2012-06-06 15:26:35 -0700 1 1 1 Unclassified OJS Editors 2.3.6 All All RESOLVED FIXED P3 normal --- 1 alec pkp-support ales.kladnik colin.prince 2.3.5 24065 alec 2011-06-20 11:19:38 -0700 File uploads into public should use a file extension validated via whitelist by the file manager (e.g. PublicFileManager::getImageExtension) rather than the file extension supplied by the client (e.g. PublicFileManager::getExtension) or detected by the server (e.g. mime_content_type). 24066 3568 alec 2011-06-20 11:30:10 -0700 Created attachment 3568 Patch against OJS 2.3.3, 2.3.4, 2.3.5 24067 3569 alec 2011-06-20 11:36:44 -0700 Created attachment 3569 Patch against OJS 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2 24068 alec 2011-06-20 11:40:46 -0700 NOTE: The patch for bug #6689 must be applied before these patches will apply cleanly. 24081 ales.kladnik 2011-06-21 03:33:46 -0700 (In reply to comment #0) > File uploads into public should use a file extension validated via whitelist by > the file manager (e.g. PublicFileManager::getImageExtension) rather than the > file extension supplied by the client (e.g. PublicFileManager::getExtension) or > detected by the server (e.g. mime_content_type). I applied this patch after #6689, but the behaviour is now a bit strange. When uploading a cover image file for an issue, I could still upload a file named "setup.exe", however now it gets renamed to "cover_issue_120_en_US.flv". I tried also extensions php, js, tlp, pdf, and they were not accepted. Then I tried several other .exe files and all were accepted and renamed to .flv after upload. 24083 alec 2011-06-21 08:41:42 -0700 Ales, the file type check works by getting the file's MIME type, then mapping that to a file extension according to this list: image/gif: .gif image/jpeg, image/pjpeg: .jpg image/png, image/x-png: .png image/vnd.microsoft.icon, image/x-icon, image/ico: .ico application/x-shockwave-flash: .swf video/x-flv, application/x-flash-video, flv-application/octet-stream, application/octet-stream: .flv audio/mpeg: .mp3 audio/x-aiff: .aiff audio/x-wav: .wav video/mpeg: .mpg video/quicktime: .mov video/mp4: .mp4 text/javascript: .js Anything not in this list is not allowed. It's used for many parts of the system to allow multimedia content (e.g. images in articles). What you're probably seeing is an .exe detected as application/octet-stream, which maps to .flv for flash video. (This entry is for compatibility with systems that don't have a specific MIME entry for .flv files.) As long as the file extension is NOT trusted i.e. as .exe or .php, the web server shouldn't invoke the executable. I suppose as a tune-up we could limit certain areas to only plain old image files, i.e. PDF, PNG, and GIF, as per the error messages... 3568 2011-06-20 11:30:00 -0700 2011-06-20 11:30:10 -0700 Patch against OJS 2.3.3, 2.3.4, 2.3.5 6696-ojs2.3.3.diff text/plain 2177 alec ZGlmZiAtLWdpdCBhL2NsYXNzZXMvaXNzdWUvZm9ybS9Jc3N1ZUZvcm0uaW5jLnBocCBiL2NsYXNz ZXMvaXNzdWUvZm9ybS9Jc3N1ZUZvcm0uaW5jLnBocAppbmRleCAyYzc5ODViLi4wMTk5MjBmIDEw MDY0NAotLS0gYS9jbGFzc2VzL2lzc3VlL2Zvcm0vSXNzdWVGb3JtLmluYy5waHAKKysrIGIvY2xh c3Nlcy9pc3N1ZS9mb3JtL0lzc3VlRm9ybS5pbmMucGhwCkBAIC0zNTMsNyArMzUzLDggQEAgY2xh c3MgSXNzdWVGb3JtIGV4dGVuZHMgRm9ybSB7CiAJCWlmICgkcHVibGljRmlsZU1hbmFnZXItPnVw bG9hZGVkRmlsZUV4aXN0cygnY292ZXJQYWdlJykpIHsKIAkJCSRqb3VybmFsID0gUmVxdWVzdDo6 Z2V0Sm91cm5hbCgpOwogCQkJJG9yaWdpbmFsRmlsZU5hbWUgPSAkcHVibGljRmlsZU1hbmFnZXIt PmdldFVwbG9hZGVkRmlsZU5hbWUoJ2NvdmVyUGFnZScpOwotCQkJJG5ld0ZpbGVOYW1lID0gJ2Nv dmVyX2lzc3VlXycgLiAkaXNzdWVJZCAuICdfJyAuICR0aGlzLT5nZXRGb3JtTG9jYWxlKCkgLiAn LicgLiAkcHVibGljRmlsZU1hbmFnZXItPmdldEV4dGVuc2lvbigkb3JpZ2luYWxGaWxlTmFtZSk7 CisJCQkkdHlwZSA9ICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0VXBsb2FkZWRGaWxlVHlwZSgnY292 ZXJQYWdlJyk7CisJCQkkbmV3RmlsZU5hbWUgPSAnY292ZXJfaXNzdWVfJyAuICRpc3N1ZUlkIC4g J18nIC4gJHRoaXMtPmdldEZvcm1Mb2NhbGUoKSAuICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0SW1h Z2VFeHRlbnNpb24oJHR5cGUpOwogCQkJJHB1YmxpY0ZpbGVNYW5hZ2VyLT51cGxvYWRKb3VybmFs RmlsZSgkam91cm5hbC0+Z2V0SWQoKSwgJ2NvdmVyUGFnZScsICRuZXdGaWxlTmFtZSk7CiAJCQkk aXNzdWUtPnNldE9yaWdpbmFsRmlsZU5hbWUoJHB1YmxpY0ZpbGVNYW5hZ2VyLT50cnVuY2F0ZUZp bGVOYW1lKCRvcmlnaW5hbEZpbGVOYW1lLCAxMjcpLCAkdGhpcy0+Z2V0Rm9ybUxvY2FsZSgpKTsK IAkJCSRpc3N1ZS0+c2V0RmlsZU5hbWUoJG5ld0ZpbGVOYW1lLCAkdGhpcy0+Z2V0Rm9ybUxvY2Fs ZSgpKTsKZGlmZiAtLWdpdCBhL2NsYXNzZXMvc3VibWlzc2lvbi9mb3JtL01ldGFkYXRhRm9ybS5p bmMucGhwIGIvY2xhc3Nlcy9zdWJtaXNzaW9uL2Zvcm0vTWV0YWRhdGFGb3JtLmluYy5waHAKaW5k ZXggYTM4ZTNlZC4uNjM0NDllNCAxMDA2NDQKLS0tIGEvY2xhc3Nlcy9zdWJtaXNzaW9uL2Zvcm0v TWV0YWRhdGFGb3JtLmluYy5waHAKKysrIGIvY2xhc3Nlcy9zdWJtaXNzaW9uL2Zvcm0vTWV0YWRh dGFGb3JtLmluYy5waHAKQEAgLTMwNiw3ICszMDYsOCBAQCBjbGFzcyBNZXRhZGF0YUZvcm0gZXh0 ZW5kcyBGb3JtIHsKIAkJaWYgKCRwdWJsaWNGaWxlTWFuYWdlci0+dXBsb2FkZWRGaWxlRXhpc3Rz KENPVkVSX1BBR0VfSU1BR0VfTkFNRSkpIHsKIAkJCSRqb3VybmFsID0gUmVxdWVzdDo6Z2V0Sm91 cm5hbCgpOwogCQkJJG9yaWdpbmFsRmlsZU5hbWUgPSAkcHVibGljRmlsZU1hbmFnZXItPmdldFVw bG9hZGVkRmlsZU5hbWUoQ09WRVJfUEFHRV9JTUFHRV9OQU1FKTsKLQkJCSRuZXdGaWxlTmFtZSA9 ICdjb3Zlcl9hcnRpY2xlXycgLiAkdGhpcy0+YXJ0aWNsZS0+Z2V0SWQoKSAuICdfJyAuICR0aGlz LT5nZXRGb3JtTG9jYWxlKCkgLiAnLicgLiAkcHVibGljRmlsZU1hbmFnZXItPmdldEV4dGVuc2lv bigkb3JpZ2luYWxGaWxlTmFtZSk7CisJCQkkdHlwZSA9ICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0 VXBsb2FkZWRGaWxlVHlwZShDT1ZFUl9QQUdFX0lNQUdFX05BTUUpOworCQkJJG5ld0ZpbGVOYW1l ID0gJ2NvdmVyX2FydGljbGVfJyAuICR0aGlzLT5hcnRpY2xlLT5nZXRJZCgpIC4gJ18nIC4gJHRo aXMtPmdldEZvcm1Mb2NhbGUoKSAuICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0SW1hZ2VFeHRlbnNp b24oJHR5cGUpOwogCQkJJHB1YmxpY0ZpbGVNYW5hZ2VyLT51cGxvYWRKb3VybmFsRmlsZSgkam91 cm5hbC0+Z2V0SWQoKSwgQ09WRVJfUEFHRV9JTUFHRV9OQU1FLCAkbmV3RmlsZU5hbWUpOwogCQkJ JGFydGljbGUtPnNldE9yaWdpbmFsRmlsZU5hbWUoJHB1YmxpY0ZpbGVNYW5hZ2VyLT50cnVuY2F0 ZUZpbGVOYW1lKCRvcmlnaW5hbEZpbGVOYW1lLCAxMjcpLCAkdGhpcy0+Z2V0Rm9ybUxvY2FsZSgp KTsKIAkJCSRhcnRpY2xlLT5zZXRGaWxlTmFtZSgkbmV3RmlsZU5hbWUsICR0aGlzLT5nZXRGb3Jt TG9jYWxlKCkpOwo= 3569 2011-06-20 11:36:00 -0700 2011-06-20 11:40:06 -0700 Patch against OJS 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2 6696-ojs2.3.0.diff text/plain 2304 alec ZGlmZiAtdSAtciBvanMtMi4zLjAtbW9kL2NsYXNzZXMvaXNzdWUvZm9ybS9Jc3N1ZUZvcm0uaW5j LnBocCBvanMtMi4zLjAvY2xhc3Nlcy9pc3N1ZS9mb3JtL0lzc3VlRm9ybS5pbmMucGhwCi0tLSBv anMtMi4zLjAtbW9kL2NsYXNzZXMvaXNzdWUvZm9ybS9Jc3N1ZUZvcm0uaW5jLnBocAkyMDA5LTA1 LTI3IDEyOjI3OjA2LjAwMDAwMDAwMCAtMDcwMAorKysgb2pzLTIuMy4wL2NsYXNzZXMvaXNzdWUv Zm9ybS9Jc3N1ZUZvcm0uaW5jLnBocAkyMDExLTA2LTIwIDExOjMyOjI2LjAwMDAwMDAwMCAtMDcw MApAQCAtMzUzLDcgKzM1Myw4IEBACiAJCWlmICgkcHVibGljRmlsZU1hbmFnZXItPnVwbG9hZGVk RmlsZUV4aXN0cygnY292ZXJQYWdlJykpIHsKIAkJCSRqb3VybmFsID0gUmVxdWVzdDo6Z2V0Sm91 cm5hbCgpOwogCQkJJG9yaWdpbmFsRmlsZU5hbWUgPSAkcHVibGljRmlsZU1hbmFnZXItPmdldFVw bG9hZGVkRmlsZU5hbWUoJ2NvdmVyUGFnZScpOwotCQkJJG5ld0ZpbGVOYW1lID0gJ2NvdmVyX2lz c3VlXycgLiAkaXNzdWVJZCAuICdfJyAuICR0aGlzLT5nZXRGb3JtTG9jYWxlKCkgLiAnLicgLiAk cHVibGljRmlsZU1hbmFnZXItPmdldEV4dGVuc2lvbigkb3JpZ2luYWxGaWxlTmFtZSk7CisJCQkk dHlwZSA9ICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0VXBsb2FkZWRGaWxlVHlwZSgnY292ZXJQYWdl Jyk7CisJCQkkbmV3RmlsZU5hbWUgPSAnY292ZXJfaXNzdWVfJyAuICRpc3N1ZUlkIC4gJ18nIC4g JHRoaXMtPmdldEZvcm1Mb2NhbGUoKSAuICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0SW1hZ2VFeHRl bnNpb24oJHR5cGUpOwogCQkJJHB1YmxpY0ZpbGVNYW5hZ2VyLT51cGxvYWRKb3VybmFsRmlsZSgk am91cm5hbC0+Z2V0Sm91cm5hbElkKCksICdjb3ZlclBhZ2UnLCAkbmV3RmlsZU5hbWUpOwogCQkJ JGlzc3VlLT5zZXRPcmlnaW5hbEZpbGVOYW1lKCRwdWJsaWNGaWxlTWFuYWdlci0+dHJ1bmNhdGVG aWxlTmFtZSgkb3JpZ2luYWxGaWxlTmFtZSwgMTI3KSwgJHRoaXMtPmdldEZvcm1Mb2NhbGUoKSk7 CiAJCQkkaXNzdWUtPnNldEZpbGVOYW1lKCRuZXdGaWxlTmFtZSwgJHRoaXMtPmdldEZvcm1Mb2Nh bGUoKSk7CmRpZmYgLXUgLXIgb2pzLTIuMy4wLW1vZC9jbGFzc2VzL3N1Ym1pc3Npb24vZm9ybS9N ZXRhZGF0YUZvcm0uaW5jLnBocCBvanMtMi4zLjAvY2xhc3Nlcy9zdWJtaXNzaW9uL2Zvcm0vTWV0 YWRhdGFGb3JtLmluYy5waHAKLS0tIG9qcy0yLjMuMC1tb2QvY2xhc3Nlcy9zdWJtaXNzaW9uL2Zv cm0vTWV0YWRhdGFGb3JtLmluYy5waHAJMjAxMS0wNi0yMCAxMToyNToyMi4wMDAwMDAwMDAgLTA3 MDAKKysrIG9qcy0yLjMuMC9jbGFzc2VzL3N1Ym1pc3Npb24vZm9ybS9NZXRhZGF0YUZvcm0uaW5j LnBocAkyMDExLTA2LTIwIDExOjMxOjUzLjAwMDAwMDAwMCAtMDcwMApAQCAtMjgzLDcgKzI4Myw4 IEBACiAJCWlmICgkcHVibGljRmlsZU1hbmFnZXItPnVwbG9hZGVkRmlsZUV4aXN0cyhDT1ZFUl9Q QUdFX0lNQUdFX05BTUUpKSB7CiAJCQkkam91cm5hbCA9IFJlcXVlc3Q6OmdldEpvdXJuYWwoKTsK IAkJCSRvcmlnaW5hbEZpbGVOYW1lID0gJHB1YmxpY0ZpbGVNYW5hZ2VyLT5nZXRVcGxvYWRlZEZp bGVOYW1lKENPVkVSX1BBR0VfSU1BR0VfTkFNRSk7Ci0JCQkkbmV3RmlsZU5hbWUgPSAnY292ZXJf YXJ0aWNsZV8nIC4gJHRoaXMtPmFydGljbGUtPmdldEFydGljbGVJZCgpIC4gJ18nIC4gJHRoaXMt PmdldEZvcm1Mb2NhbGUoKSAuICcuJyAuICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0RXh0ZW5zaW9u KCRvcmlnaW5hbEZpbGVOYW1lKTsKKwkJCSR0eXBlID0gJHB1YmxpY0ZpbGVNYW5hZ2VyLT5nZXRV cGxvYWRlZEZpbGVUeXBlKENPVkVSX1BBR0VfSU1BR0VfTkFNRSk7CisJCQkkbmV3RmlsZU5hbWUg PSAnY292ZXJfYXJ0aWNsZV8nIC4gJHRoaXMtPmFydGljbGUtPmdldEFydGljbGVJZCgpIC4gJ18n IC4gJHRoaXMtPmdldEZvcm1Mb2NhbGUoKSAuICRwdWJsaWNGaWxlTWFuYWdlci0+Z2V0SW1hZ2VF eHRlbnNpb24oJHR5cGUpOwogCQkJJHB1YmxpY0ZpbGVNYW5hZ2VyLT51cGxvYWRKb3VybmFsRmls ZSgkam91cm5hbC0+Z2V0Sm91cm5hbElkKCksIENPVkVSX1BBR0VfSU1BR0VfTkFNRSwgJG5ld0Zp bGVOYW1lKTsKIAkJCSRhcnRpY2xlLT5zZXRPcmlnaW5hbEZpbGVOYW1lKCRwdWJsaWNGaWxlTWFu YWdlci0+dHJ1bmNhdGVGaWxlTmFtZSgkb3JpZ2luYWxGaWxlTmFtZSwgMTI3KSwgJHRoaXMtPmdl dEZvcm1Mb2NhbGUoKSk7CiAJCQkkYXJ0aWNsZS0+c2V0RmlsZU5hbWUoJG5ld0ZpbGVOYW1lLCAk dGhpcy0+Z2V0Rm9ybUxvY2FsZSgpKTsK