PKP Bugzilla – Full Text Bug Listing
|Summary:||Uploads must not use supplied file extension|
|Product:||OJS||Reporter:||Alec Smecher <alec>|
|Component:||Editors||Assignee:||PKP Support <pkp-support>|
|Version Reported In:||2.3.5||Also Affects:|
Patch against OJS 2.3.3, 2.3.4, 2.3.5
Patch against OJS 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2
Description Alec Smecher 2011-06-20 11:19:38 PDT
File uploads into public should use a file extension validated via whitelist by the file manager (e.g. PublicFileManager::getImageExtension) rather than the file extension supplied by the client (e.g. PublicFileManager::getExtension) or detected by the server (e.g. mime_content_type).
Comment 1 Alec Smecher 2011-06-20 11:30:10 PDT
Created attachment 3568 [details] Patch against OJS 2.3.3, 2.3.4, 2.3.5
Comment 2 Alec Smecher 2011-06-20 11:36:44 PDT
Created attachment 3569 [details] Patch against OJS 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2
Comment 3 Alec Smecher 2011-06-20 11:40:46 PDT
NOTE: The patch for bug #6689 must be applied before these patches will apply cleanly.
Comment 4 Ales Kladnik 2011-06-21 03:33:46 PDT
(In reply to comment #0) > File uploads into public should use a file extension validated via whitelist by > the file manager (e.g. PublicFileManager::getImageExtension) rather than the > file extension supplied by the client (e.g. PublicFileManager::getExtension) or > detected by the server (e.g. mime_content_type). I applied this patch after #6689, but the behaviour is now a bit strange. When uploading a cover image file for an issue, I could still upload a file named "setup.exe", however now it gets renamed to "cover_issue_120_en_US.flv". I tried also extensions php, js, tlp, pdf, and they were not accepted. Then I tried several other .exe files and all were accepted and renamed to .flv after upload.
Comment 5 Alec Smecher 2011-06-21 08:41:42 PDT