PKP Bugzilla – Bug 6696
Uploads must not use supplied file extension
Last modified: 2014-10-07 12:38:26 PDT
File uploads into public should use a file extension validated via whitelist by the file manager (e.g. PublicFileManager::getImageExtension) rather than the file extension supplied by the client (e.g. PublicFileManager::getExtension) or detected by the server (e.g. mime_content_type).
Created attachment 3568
Patch against OJS 2.3.3, 2.3.4, 2.3.5
Created attachment 3569
Patch against OJS 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2
NOTE: The patch for bug #6689 must be applied before these patches will apply cleanly.
(In reply to comment #0)
> File uploads into public should use a file extension validated via whitelist by
> the file manager (e.g. PublicFileManager::getImageExtension) rather than the
> file extension supplied by the client (e.g. PublicFileManager::getExtension) or
> detected by the server (e.g. mime_content_type).
I applied this patch after #6689, but the behaviour is now a bit strange. When uploading a cover image file for an issue, I could still upload a file named "setup.exe", however now it gets renamed to "cover_issue_120_en_US.flv". I tried also extensions php, js, tlp, pdf, and they were not accepted. Then I tried several other .exe files and all were accepted and renamed to .flv after upload.
Ales, the file type check works by getting the file's MIME type, then mapping that to a file extension according to this list:
image/jpeg, image/pjpeg: .jpg
image/png, image/x-png: .png
image/vnd.microsoft.icon, image/x-icon, image/ico: .ico
video/x-flv, application/x-flash-video, flv-application/octet-stream, application/octet-stream: .flv
Anything not in this list is not allowed. It's used for many parts of the system to allow multimedia content (e.g. images in articles).
What you're probably seeing is an .exe detected as application/octet-stream, which maps to .flv for flash video. (This entry is for compatibility with systems that don't have a specific MIME entry for .flv files.) As long as the file extension is NOT trusted, i.e. as .exe or .php, the web server shouldn't invoke the executable.
I suppose as a tune-up we could limit certain areas to only plain old image files, i.e. PDF, PNG, and GIF, as per the error messages...
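The MIME-to-extension mapping described in the comment above, written out as an added stand-alone example (not OJS's own PublicFileManager code): the stored name is derived only from the server-detected MIME type and a whitelist, the client's extension is never used, and a hypothetical narrower images-only whitelist shows the tune-up suggested for cover images. Function names, the IMAGE_ONLY list and the sample inputs are assumptions.

```php
<?php
// Hypothetical stand-alone helper, not OJS's PublicFileManager: maps the
// server-detected MIME type to a whitelisted extension (the list quoted above)
// and names the stored file from that, discarding the client's extension.

const MIME_TO_EXTENSION = [
    'image/jpeg' => 'jpg', 'image/pjpeg' => 'jpg',
    'image/png' => 'png', 'image/x-png' => 'png',
    'image/vnd.microsoft.icon' => 'ico', 'image/x-icon' => 'ico', 'image/ico' => 'ico',
    // Compatibility entries: hosts without a specific .flv MIME entry report
    // octet-stream, so any unrecognised binary (an .exe included) becomes .flv.
    'video/x-flv' => 'flv', 'application/x-flash-video' => 'flv',
    'flv-application/octet-stream' => 'flv', 'application/octet-stream' => 'flv',
];

// Hypothetical narrower whitelist for areas that only need still images.
const IMAGE_ONLY = ['jpg', 'png', 'ico'];

// Whitelisted extension for a detected MIME type, or null if not allowed.
function whitelistedExtension(string $mimeType, bool $imagesOnly = false): ?string
{
    $ext = MIME_TO_EXTENSION[strtolower(trim($mimeType))] ?? null;
    if ($ext === null || ($imagesOnly && !in_array($ext, IMAGE_ONLY, true))) {
        return null;
    }
    return $ext;
}

// Name the upload is stored under; the client-supplied name never reaches disk.
function storedUploadName(string $prefix, string $detectedMime, bool $imagesOnly): ?string
{
    $ext = whitelistedExtension($detectedMime, $imagesOnly);
    return $ext === null ? null : $prefix . '.' . $ext;
}

// Constructed sample inputs mirroring the report above.
$cases = [
    ['setup.exe', 'application/octet-stream'], // renamed to .flv with the broad list
    ['cover.png', 'image/png'],
    ['shell.php', 'text/x-php'],               // not in the list: rejected
];
foreach ($cases as [$clientName, $mime]) {
    $broad  = storedUploadName('cover_issue_120_en_US', $mime, false);
    $strict = storedUploadName('cover_issue_120_en_US', $mime, true);
    printf("%-10s %-28s broad=%s strict=%s\n", $clientName, $mime,
        $broad ?? 'rejected', $strict ?? 'rejected');
}
```

With the broad list the octet-stream case is stored as cover_issue_120_en_US.flv, exactly the behaviour reported above; with the images-only list it is rejected.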